Paging the Computeristi

Discussion in 'UK Motorcycles' started by BGN, Dec 9, 2005.

  1. BGN Guest

    Hello dears.

    I've nuked a computer of a squillion viruses and various Spyware apps.

    As soon as all viruses were squished one would go online with his DSL
    connection and it would download some new viruses. There were a few
    IRC based viruses, but no IRC client so I assume that his computer was
    used as a drone whenever it was online by people with too much time on
    their hands.

    After a good clean (McAfee Virus Scan, Grisoft Antivirus (free),
    Lavasoft AdAware and SpyBot having a go) it is now working normally. I
    put on WinXP SP2 via a USB download and installed it. Turned on the
    WinXP firewall and it is now 100% up-to-date and it doesn't download
    anything untoward while online *on my network* via my router.

    What I'm worried about is when it's on an unprotected network (ie.
    plugged into his DSL modem) it might be able to connect to something
    that my network didn't allow it to.

    I need to be able to see what ports it is opening and trying to
    connect to when it boots and goes online via the network.

    Can you think of an application I can install that will monitor and
    log what it tries to prod and connect to?

    I wish to make sure it's in perfect working order when it first
    connects to the internet at his place, and it stays that way without
    being hijacked.

    Buying a Mac, installing Linux isn't an option on this one I'm afraid.
    He needs Windows XP.
     
    BGN, Dec 9, 2005
    #1

  2. Tim Guest

    tcpview from sysinternals.com will show what's hooking-up in real time.
    I used it to find something on a friend's machine that Symantec
    completely missed.
     
    Tim, Dec 9, 2005
    #2

  3. In uk.rec.motorcycles, BGN amazed us all with this pearl of wisdom:
    TCP view's pretty good.

    It doesn't log unfortunately but it'll show you what's running and on
    what port and it'll give you a resolvable IP address of where it's
    going.

    Google for it. It's a freebie.
     
    Whinging Courier, Dec 9, 2005
    #3
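    As an added example that is not from the thread, this PowerShell script is one way to get the logging that TCPView lacks: it polls the TCP connection table and appends every connection it has not seen before, with the owning process, to a CSV file. It assumes Windows 8 / Server 2012 or newer for Get-NetTCPConnection (the XP machine in the thread would need the output of netstat -ano parsed instead) and an assumed log path under the user's profile.

```powershell
# Added example, not from the thread: an outbound-connection logger that
# records what TCPView only shows live. Assumes Get-NetTCPConnection is
# available (Windows 8 / Server 2012 or newer) and an assumed log path.
param(
    [string]$LogPath = "$env:USERPROFILE\outbound-connections.csv",
    [int]$IntervalSeconds = 2
)

$loopback = @('127.0.0.1', '::1', '0.0.0.0', '::')
$seen = @{}   # connections already logged, keyed by endpoints + PID

while ($true) {
    # Established and half-open (SynSent) connections catch both successful
    # call-outs and attempts that never got an answer.
    $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $loopback -notcontains $_.RemoteAddress }

    foreach ($c in $conns) {
        $key = "$($c.LocalPort)->$($c.RemoteAddress):$($c.RemotePort)/$($c.OwningProcess)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the owning process so the log answers "which program called out?"
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }

        $row = [pscustomobject]@{
            Time          = (Get-Date).ToString('s')
            ProcessName   = $name
            ProcessPath   = $path
            PID           = $c.OwningProcess
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
        }
        $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
        Write-Host ("{0} {1} (PID {2}) -> {3}:{4}" -f $row.Time, $name, $row.PID, $c.RemoteAddress, $c.RemotePort)
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

    Run it from an elevated prompt so process paths resolve for system services; the CSV can then be reviewed after the machine has been on the unprotected DSL connection for a while.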
  4. Catman Guest

    BGN wrote:
    Zone alarm will do that

    Just don't let it auto configure. It will then ask permission for every app
    that tries to call out.

    There are probably better ones, but that will deffo do what you asked.
    You'll have to stop him using IE for a start.



    --
    Catman MIB#14 SKoGA#6 TEAR#4 BOTAFOF#38 Apostle#21 COSOC#3 OMF#22
    Tyger, Tyger Burning Bright (Remove rust to reply)
    Alfa 116 Giulietta 3.0l (Really) Sprint 1.7 156 TS S2
    Triumph Speed Triple: Black with extra black bits
    www.cuore-sportivo.co.uk
     
    Catman, Dec 9, 2005
    #4
  5. Catman Guest

    How's it do that then?
     
    Catman, Dec 9, 2005
    #5
  6. John Guest


    You may want to have a look for Prevx. It's an IPS that will stop things
    loading to your PC. If all of your antivirus signatures are up to date, get
    hold of the home user Prevx and load it. You will then stop any virus /
    adware / ..... running on your PC.


    J.
     
    John, Dec 9, 2005
    #6
  7. ginge Guest

    Using Zone Alarm instead of windows firewall will stop unauthorised apps
    making outbound connections.
     
    ginge, Dec 9, 2005
    #7
  8. Not all of them, it won't - but it will stop 99%. Maybe 99.9%. Certainly
    enough.
     
    The Older Gentleman, Dec 9, 2005
    #8
  9. Catman Guest

    Do you have evidence that un-authorised apps can get out past it? Just
    curious.
     
    Catman, Dec 9, 2005
    #9
  10. Plumbert Guest

    1. Set said friend up with a regular user account so he isn't always logged
    on as administrator. While this won't keep him completely safe, it will
    reduce the attack threshold somewhat -- if a virus/trojan/worm needs to
    write to HKLM or c:\windows\ or c:\program files\ it won't be able to.

    2. Teach (by which I mean threaten) said friend to use the
    non-administrative account for everything except installing applications or
    running badly-behaved pieces of software that require administrative
    privilege.

    For lots of cool info about running windows as a non-admin, check out
    http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx.

    Hope this helps.
     
    Plumbert, Dec 9, 2005
    #10
  11. John Guest


    Well now, my understanding is that all of these things do any number of
    about 10 things. For instance, some Viruses use the outlook address book, so
    if an application other than outlook tries to use the address book, it stops
    it and checks to see if it's OK. Also a number of viruses try running or
    changing different apps. These are trapped. Running an application from the
    temp file is another issue that can be stopped.

    I'm probably not explaining things too well, but the web site explains them
    well. There is another product, which used to be from worldwide security,
    but is now part of Symantec. There is no free home version of this though -
    I have it running and it's good as well.

    Remember these things don't remove the need for good antivirus packages.

    J.
     
    John, Dec 10, 2005
    #11
  12. BGN Guest

    What happens if outlook is hijacked and is told to give over the
    contents of its address book?

    I take it that this application will never need any updates ever.
     
    BGN, Dec 10, 2005
    #12
  13. Catman Guest

    Access to the Outlook address book is controlled anyway, and has been for
    some time.
    Wouldn't bet on it. The site seems somewhat vague.
     
    Catman, Dec 10, 2005
    #13
  14. Catman Guest

    Not sure about that, old chap. I'm no programmer, but it seems rather vague.
    The only thing it actually details is being able to stop buffer overrun
    exploits, which seems a little unlikely, IMHHHO. ISTBC of course.

     
    Catman, Dec 10, 2005
    #14
  15. Lanky Guest


    Any software that hijacks an AUTHORISED outbound app (like IE) will be
    able to bypass ZoneAlarm.

    If you're worried go over here:
    http://www.grc.com/lt/leaktest.htm

    and test your firewall today.

    Lanky
     
    Lanky, Dec 10, 2005
    #15
  16. BGN Guest

    That's the one I wanted. I couldn't remember the name.
     
    BGN, Dec 10, 2005
    #16
  17. Tim Guest

    Glad to be of service.
     
    Tim, Dec 10, 2005
    #17