
Before you reinstall windows xp...

 
mindmetoo



Joined: 02 Feb 2004

Posted: Wed Jul 14, 2004 11:28 pm    Post subject: Before you reinstall windows xp...

Oh god. What a scary last couple days. I got hit with some kind of weird back door/trojan. I have no idea how I got it. I suspect it either came from some new p2p software I downloaded or some weird anon proxy server I was using to access banned web sites. Whatever it was, it sneaked right past my virus detector (McAfee's, which is crap) and my firewall (zone alarm). I automatically download all Windows security patches and religiously install them as soon as they come in (a couple years ago I'd be like 'ah I'll get around to it'... not these days).

Symptoms:

IE would only resolve to this site (http://131.215.45.71). No matter what you punched in the url bar (cnn.com, mail.yahoo.com, etc) it always went to that site. The site is oddly benign looking and traceroute seems to confirm it's a university site (Caltech I think). Weird. Using any proxy server didn't help.

Messenger stopped being able to connect to anything. Using a proxy didn't help.

Mozilla worked a bit. I got around "something" by using a proxy.

Blue screen of death (memory core dump) and when the computer came back on the bios was doing something freaky and then "no os found". Jesus. I put the XP disks in, it booted from the CD, copied a bunch of files. I aborted the install. I restarted and everything was normal (well until I hook up to the net...).

Luckily I have an old laptop HD I can swap in so I could do work via that while I tried to figure out what to do. The obvious solution was to back up my files and reinstall. Luckily, I have licensed copies of Windows XP Professional and MS Office (ah the advantages of living in Seattle... you end up knowing enough Microsofties that one can get you the latest Office for $35 from the company store).

I also have a DVD burner so I could also burn all my files to a couple DVDs.

But where to find the time... where to find the time. I'm in the middle of writing a textbook (well more like bound collection of lessons) for school and working on a sock puppet play for a class... grr.

And then a friend said "Oh try system restore." "eh?" "Yeah yeah, under start / accessories / system tools there's a program called system restore. It restores all your system dlls, exes, etc back to any point in time."

Hello.

Sure enough I tried that and it seemed to work.

So yeah. Before you reach for the install disks because some shareware program has so loaded your system with spyware it's become unusable (grokster comes to mind), try the system restore.

Whew.
Demophobe



Joined: 17 May 2004

Posted: Thu Jul 15, 2004 2:49 am

Proxies can't infect a computer.

Backdoor/Trojans don't affect browsing, they just transmit information back to a source.

"Banned web sites"?!?! You don't think you should keep that to yourself?

McAfee doesn't detect a browser hijacker, which is what you had, nor does a firewall. You got this from downloading or executing a program (or a script ran) from an unknown place or a site you shouldn't be at. Proxies won't help because the problem is in your computer.

I suppose you go to these "banned" sites with java enabled, scripts enabled, activex, etc... Laughing Do you use IE as well?!?!

So...

Before you reinstall windows (a last measure, usually done to avoid learning), learn about security, especially if you are going to banned sites that require anonymous proxies. Rolling Eyes
The Lemon



Joined: 11 Jan 2003

Posted: Thu Jul 15, 2004 3:10 am

Demophobe wrote:
Proxies can't infect a computer.

Backdoor/Trojans don't affect browsing, they just transmit information back to a source.

48 hours ago I would have agreed with you. But a colleague just came to me for help because he clicked on one of those infected e-mails ("Open me!!") that looked like it was from a friend. The result was a "hijacked" computer that, among other things, infected explorer.exe, messed around with the registry, downloaded several trojans (about 5 different ones in all).. I spent two hours on Tuesday night thinking I could beat it with regedit, msconfig, "Hijackthis!", and finally by reinstalling Windows... No luck. The only solution that worked was reformatting the hard drive and starting over.

Anyway, this infection was a series of trojans bundled with other nasties that most definitely affected and ultimately prevented browsing of any kind (as well as phoning home with, "infected computer ready to exploit, here!"). To make matters worse, it was a Win98 system that lacked XP/2000's ability to display and cancel any running processes.

There's a bunch of these going around lately - very nasty. Use extreme care with Kazaa and e-mails. And "banned websites".
mindmetoo



Joined: 02 Feb 2004

Posted: Thu Jul 15, 2004 3:47 am

The Lemon wrote:
Demophobe wrote:
Proxies can't infect a computer.

Backdoor/Trojans don't affect browsing, they just transmit information back to a source.

48 hours ago I would have agreed with you. But a colleague just came to me for help because he clicked on one of those infected e-mails ("Open me!!") that looked like it was from a friend. The result was a "hijacked" computer that, among other things, infected explorer.exe, messed around with the registry, downloaded several trojans (about 5 different ones in all).. I spent two hours on Tuesday night thinking I could beat it with regedit, msconfig, "Hijackthis!", and finally by reinstalling Windows... No luck. The only solution that worked was reformatting the hard drive and starting over.

Anyway, this infection was a series of trojans bundled with other nasties that most definitely affected and ultimately prevented browsing of any kind (as well as phoning home with, "infected computer ready to exploit, here!"). To make matters worse, it was a Win98 system that lacked XP/2000's ability to display and cancel any running processes.

There's a bunch of these going around lately - very nasty. Use extreme care with Kazaa and e-mails. And "banned websites".


(By banned sites I of course mean, oh, lycos.com, livejournal, blogspot... all those sites Korea has seen fit to ban because you might be able to download the beheading video.)

Anyway, yeah, things are getting really nasty out there. I run with a firewall, a virus scanner, Mozilla over IE, and I browse and email with the highest security on. I install all the patches ASAP. Even that, however, won't save you, it seems these days, especially when simply clicking on an email (vs opening an attachment), can infect you.
the saint



Joined: 09 Dec 2003
Location: not there yet...

Posted: Thu Jul 15, 2004 3:48 am

I hate to rain on the OP's parade a little with some doubts about using system restore to sort out what seemed like a fatal problem. Surely whatever it was that caused that whole mess is still on the system waiting for ... well waiting for resurrection really.

Often real fixes to these kinds of solutions involve first disabling system restore so that no restore points can be created by the invader. Surely, if you have resorted to system restore, there's a chance that you simply resorted to a temporary fix with something that is also infected anyway.

Just a humble minion's guess... anyone care to comment?
ryleeys



Joined: 22 Dec 2003
Location: Columbia, MD

Posted: Thu Jul 15, 2004 3:49 am

I don't have a virus scanner on my computer... I use IE with average security settings... I download from eMule... I don't run a firewall.



Never gotten a virus. The only time there was a virus on this computer was when I bought it. They sold it to me with a virus, which I quickly repaired with the all-encompassing deleting of partitions, reformatting, flashing, and all that fun stuff.



Maybe I'm lucky... maybe I'm just careful about what I do and don't need the protection.
The Lemon



Joined: 11 Jan 2003

Posted: Thu Jul 15, 2004 3:56 am

ryleeys wrote:
Maybe I'm lucky... maybe I'm just careful about what I do and don't need the protection.

Maybe a bit of both. There are infections that can do nasty things to a typical Windows machine without any action on your part to help it along. This is especially the case if you're on a local network, and/or if you don't install the usual patches regularly.

Your computer also could be infected and you just don't know it. Our campus is full of "zombied" machines that are automatically trying to infect others, and no doubt their owners have no clue that their computers are doing this.

I do think that viruses aren't as common as most people think. Media hype has led the typical uninformed user to yell "I HAVE A VIRUS!" to every computer-knowledgeable person they know whenever their computer locks or crashes. They also love forwarding those dumbass virus warning e-mails.
mindmetoo



Joined: 02 Feb 2004

Posted: Thu Jul 15, 2004 3:59 am

the saint wrote:
I hate to rain on the OP's parade a little with some doubts about using system restore to sort out what seemed like a fatal problem. Surely whatever it was that caused that whole mess is still on the system waiting for ... well waiting for resurrection really.

Often real fixes to these kinds of solutions involve first disabling system restore so that no restore points can be created by the invader. Surely, if you have resorted to system restore, there's a chance that you simply resorted to a temporary fix with something that is also infected anyway.

Just a humble minion's guess... anyone care to comment?


If it is a virus, backdoor, trojan, really obvious spyware, et al, it could well be lurking some place. My hope is if that's the case, my virus scanner/lavasoft will quickly catch up with the new definitions. A nightly scan for the next couple weeks is in order.

I've got everything backed up, so I'm prepared to do a reinstall if it comes back. But before you remove the lung with the tumor, it's always best to try something less invasive first in my opinion.
The Lemon



Joined: 11 Jan 2003

Posted: Thu Jul 15, 2004 4:06 am

mindmetoo wrote:
I've got everything backed up, so I'm prepared to do a reinstall if it comes back. But before you remove the lung with the tumor, it's always best to try something less invasive first in my opinion.

My lesson of Tuesday night is if all the data's saved on a DVD or CD or something, screw trying to cure the computer and spend valuable time Googling possible solutions, rebooting, rebooting.... Just reformat, reinstall, and forget about it. Life is too short.

Besides, the computer always runs better after a reformatting and a reinstall of essential applications.
Demophobe



Joined: 17 May 2004

Posted: Thu Jul 15, 2004 4:30 am

The Lemon wrote:

48 hours ago I would have agreed with you. But a colleague just came to me for help because he clicked on one of those infected e-mails ("Open me!!") that looked like it was from a friend. The result was a "hijacked" computer that, among other things, infected explorer.exe, messed around with the registry, downloaded several trojans (about 5 different ones in all).. I spent two hours on Tuesday night thinking I could beat it with regedit, msconfig, "Hijackthis!", and finally by reinstalling Windows... No luck. The only solution that worked was reformatting the hard drive and starting over.

Anyway, this infection was a series of trojans bundled with other nasties that most definitely affected and ultimately prevented browsing of any kind


Well, en masse, I guess they could flood the bandwidth, which technically isn't messing with the connection, just consuming all available ports and basically blocking the way with garbage traffic.

As far as system restore, it has its good and bad points. It's not meant for a trojan/viral fix, but for a driver/program repair. It can indeed function in the aforementioned capacity, but often with limited results and as the saint indicated, it will not delete the infected files from the system, just put them to a "before it all went to heck" state. Mostly, system restore is a registry function.

As far as not using a virus scanner and using P2P, I think it's simply cavalier. It's only a matter of time. The types of files one downloads are important here too. .AVI files will be clean. .mp3 files will be clean. All archives are risky and .exe files are out.

Yeah...let's reformat every time something goes wrong! Razz And let's tear down the house if a bulb blows! And blow up the car if it runs out of fuel! Formatting is the equivalent of all of that to computers. You WILL have problems. We should learn about the things we use, no? It really doesn't take that long.

What DOES take a long time is to get my computer back to the way I like it. Lots of tweaks, fixes and adjustments to make to get it back to what I would term "functional".

In the world of computing, a little time spent now is time saved later. In the beginning, I had to reformat too, but I can guarantee that if you don't learn, the time between fixing and formatting will never balance out.

I haven't had a problem in years....any problems at all, simply because knowledge is not only cure, but prevention.


Last edited by Demophobe on Thu Jul 15, 2004 4:39 am; edited 1 time in total
The Lemon



Joined: 11 Jan 2003

Posted: Thu Jul 15, 2004 4:34 am

Quote:
I haven't had a problem in years..

Me neither. Wasn't me who clicked on that attachment! Thus, my "cleanse the machine of a hijacking" experience is blessedly limited.
Dalton



Joined: 26 Mar 2003

Posted: Thu Jul 15, 2004 6:03 am

Sounds similar to what happened to me a short while ago. My wife opened an attachment from an annoying mother of her friend who sends most everyone on the planet any joke she happens to find or get mailed from like-minded people.

From this site:

cexx.org

I got Spybot S&D from which I chose to enable Teatimer and I got Spywareguard and Spywareblaster. These programs inform me when anyone tries to change my IE browser selections or add/change registry entries.

I knew I had an infection immediately because I was given a choice to accept or deny an attempt to change my homepage, search page default and 3 other things I forget.

Coolwebshredder is also a good idea as well as Adaware if you are infected. Running Window Washer after any online session will wipe nasty things sitting in history, cookies or temp files.

Get it here

Programz

I wiped my HDD and reinstalled BTW. Far easier for me than tracking down files to delete. I'm just never sure I got them all.