GlockTalk.com
Old 10-12-2003, 12:15   #1
MB-G26
Lifetime Membership
Drivin' Blind
 
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


1-stop Answers here: Spyware, Secret Installs, Popups & related

One-stop info reply for all the typical and most frequently posted problems :)

If you use IE for your browser:
1. IE -> Tools -> Internet Options -> Advanced tab.

A. UNtick the boxes for "Enable Install On Demand"
B. DISable ActiveX(ploit) for ALL "zones", or if you MUST allow it for certain sites, put those sites in the "Trusted" zone and set all ActiveX entries to "Prompt".
C. DISable all entries java & javascript for ALL zones except "Trusted", or at least set them to "Prompt" for zones other than the "Internet" zone.
D. DISable "all installation of desktop items" for ALL zones

2. Go to http://www.lurkhere.com/ and read the paragraphs about the "Hijack This!"**** program. Then go to the "Nice Files" page there and download and install the program. This will keep your homepage in IE from being hijacked.

An alternative that performs same/similar function is StartPage Guard (http://www.pjwalczak.com/spguard/index.php)

A similar and effective program is SpywareGuard:
http://www.wilderssecurity.net/spywareguard.html Also free, although donations are appreciated.

http://www.wilderssecurity.net/bhblaster.html
Quote:
Browser Hijack Blaster
Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenever one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.
3. While on the "Nice Files" page at LH, download and install Spybot Search & Destroy. Run it every few days to detect and discombobulate any spyware/crapware that you may have picked up and not realized it.

4. Go to http://www.javacoolsoftware.com/spywareblaster.html and download and install SpywareBlaster. "SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed." The program is free, and you can help support it (dev'ing and hosting it does cost money) with a donation, if you choose.

5. Go to www.wilders.org and then to their "free tools" subsection, which is at http://www.wilders.org/free_tools.htm
Download and install these:
A. HTAstop (in the prevention section, about 1/2 down the page)
B. WSH Anti-Polymorphism Patch
C. DSOStop v2
D. Windows Media Player Scripting Fix v1.0

And from the "monitoring" section there, get and install:
E. ScriptSentry or AnalogX Script Defender (depending upon whether you have MS VBS installed)
F. DHCP Fix
G. StartUp Monitor

and from the "misc" section there, download and install:
I. BHO Captor or BHOCop

"Messenger" Problems; Popup Problems & Programs

For "Messenger" popup problems, go here:
http://forums.spywareinfo.com/index.php?showtopic=1920 as this section of the forum gives information about programs that will tame the darn thing, as well as gives specific instructions to manually tame it with a step-by-step procedure for each OS.

Review and comparison of current, popular Popup killer programs is located at http://www.popup-killer-review.com/test.htm and is a pretty comprehensive site regarding the 'science' of popups, how they function and how killer programs are defeated, and of popup killers themselves.

Oh, the *sigh* at the beginning isn't directed at you - it's directed at the scumburgers that create and foist this crap over and over again onto unsuspecting computer users.
m

PS. IE-SPYAD HAS A NEW URL. See updating post in this thread dated 8/7/04. There is an easy way to keep probably 90% of the crap sites from even being able to touch your machine to begin with: install "IE-SPYAD" - what it does is put a huge list of bad and universally-undesirable sites into the "Restricted" zone of IE. Go here: http://www.staff.uiuc.edu/~ehowes/resource.htm to read what it is and how it works. This is a good alternative to learning to use the HOSTS file to do the same thing, and some Windows OSs (XP and 2000, I think) reportedly slow to a crawl if the HOSTS file is large.

Hazeleger.net is severely curtailing what, if any, forums will remain available after 2/14-2/15/04. This post has therefore been edited to remove the reference to the various sections/forums. http://www.hazeleger.net/yabbframe.htm


(originally posted here: http://www.glocktalk.com/showthread....0&pagenumber=2)

***UPDATE: mandatory updates to HijackThis! & CWShredder, due to new (as of 11/16/03) variant of the CWS Trojan.
Quote:
http://www.spywareinfo.com/

Update Your Copies of HijackThis and CWShredder
If you have ever downloaded HijackThis or CWShredder, it is urgent that you upgrade to the latest versions before using them again. If you mirror these programs on your own site, it is extremely urgent that you update the files.

Due to a new variant of the CWS Trojan (http://www.spywareinfo.com/~merijn/cwschronicles.html), using either HijackThis or CWShredder on an infected Win98 or WinME computer may lead to severe damage to that computer. You must update to the very newest versions of these programs before using either of them again....

To upgrade these programs, you merely delete the old files and replace them with the new. The links are below.
See the Spywareinfo URL above for download links to the updated versions.

Spywareinfo.com is having hosting problems at the moment. Here's an alternative DL location:

CWSHREDDER LINK http://www.majorgeeks.com/download4086.html
CWShredder 1.59.1
Author: Merijn.org
Date: 2004-06-28
Size: 137 Kb
License: Freeware
Requires: Win All

Added 3/13/04 - A growing spyware problem, incredibly, is self-proclaimed "anti-spyware" applications that actually CONTAIN spyware, and often this is NOT appropriately disclosed. While not a previously-unknown problem, it IS becoming a rather prolific one. For examples, this article is worth reviewing:
http://news.com.com/2100-1032_3-5153485.html?tag=st_rn
Quote:
Spyware cures may cause more harm than good
Last modified: February 4, 2004, 1:21 PM PST
By John Borland
Staff Writer, CNET News.com

Web surfers battling "spyware" face a new problem: so-called spyware-killing programs that install the same kind of unwanted advertising software they promise to erase. ...
See also http://www.netrn.net/spywareblog/
"Spyware Warrior
Waging the war against spyware"
There are several areas which list phoney "anti-spyware" apps which are actually spyware themselves.
__________________
I'm doin the best that I can.
(Godsmack)

Last edited by MB-G26; 09-06-2004 at 08:37..
Old 10-12-2003, 12:52   #2
ArestiaFL
Makin' waffles
 
Join Date: Feb 2003
Location: Florida
Posts: 48
Another very effective spyware tool is Ad-Aware, downloadable from www.lavasoftusa.com. I also HIGHLY recommend you install a virus scanner. In the event you don't want to pay outlandish prices for programs that slow your computer to a crawl, go download AVG Anti-Virus for FREE (www.grisoft.com). AVG is implemented on my corporate network and has kept out Gaobot, Melissa, Swen and The BLASTER virus. I highly recommend them, they're good people, and the program sits quietly on your system eating up a mere 2 MB of virtual memory (compared to Norton at 36 and McAfee at 21).

Finally, if you have a high speed connection and aren't behind a router or a firewall, PLEASE download the latest Microsoft patches from http://windowsupdate.microsoft.com! You also may want to invest in a router or firewall software. It will save you many many headaches! Good luck!
__________________
"All Your Glock Are Belong To Us"

Proud member of the NRA

"Boom-down, and you were dead, never partly dead." - The Things They Carried by Tim O'Brien
Old 10-12-2003, 14:04   #3
Texas T
CLM Number 23
TX expatriate
 
Join Date: Jan 2000
Location: W7YBY
Posts: 12,095


Re: 1-stop Answers here: Spyware, Secret Installs, Popups & related

Quote:
Originally posted by MB-G26
Disclosure: I am part of the Admin at Hazeleger.net
Geez... only six people have voted. At least I got the correct answer.


T
__________________
"A gun is a tool, Marion. No better and no worse than any other tool - an axe, a shovel, or anything.
A gun is as good or as bad as the man using it. Remember that." Alan Ladd as Shane (1953)

NRA Life Benefactor Member, AMA Champion Member, AOPA Member, ARRL Member, GOA Life Member
Old 10-12-2003, 14:52   #4
NetNinja
Always Faithful
 
Join Date: Oct 2001
Location: HotLanta, GA
Posts: 2,426
Very Nice

Nice Post MB-G26.

As always a wealth of Knowledge.
__________________
G17,G22,G30,Sig P229 Sport
Kimber CC Series 1,Kimber CCR Series 1
SA TRP Operator SA 1911A1
S&W 1911, 686, M19, 627VComp,ColtDE10mm
Anschutz 1813 Super Match
Old 10-12-2003, 18:11   #5
MB-G26
Lifetime Membership
Drivin' Blind
 
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


This will be stickied when Aeolus gets to it

So definitely add your 'one-stop' fix/prevention tricks and such.
m
Old 10-12-2003, 21:56   #6
DWavs
Moderator
 
Join Date: Feb 2000
Location: Virginia
Posts: 6,408


Re: This will be stickied when Aeolus gets to it

Quote:
Originally posted by MB-G26
So definitely add your 'one-stop' fix/prevention tricks and such.
m
Stickied.

David
Old 10-12-2003, 22:48   #7
David_G17
/\/\/\/\/\/\/\/
 
Join Date: Oct 2002
Posts: 7,678
if none of the above work.

run linux
__________________
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
Old 10-14-2003, 05:32   #8
HerrGlock
CLM Number 2
Scouts Out
 
Join Date: Dec 2000
Posts: 64,496


Quote:
if none of the above work.

run linux
As I've often said:

Step One: Remove all Microsoft products from your computer...

THEN we can talk about locking it down.

DanH
__________________
Sent from my rotary phone
"The way I see it as soon as a baby is born, he should be issued a banjo!"- Linus Van Pelt
UNIX - Not just for Vestal Virgins any more
Old 12-25-2003, 23:02   #9
lomfs24
Senior Member
 
Join Date: Apr 2003
Location: Montana
Posts: 4,838
I agree with David. SuSe 9 is looking good.

I downloaded and installed all the things in the original post and now I have no room left on my harddrive to do any work.
__________________
The simple believeth every word: but the prudent man looketh well to his going. ~Proverbs 14:15
Old 12-26-2003, 11:15   #10
CMA G21
Senior Member
 
Join Date: Oct 2001
Location: Florida
Posts: 474


In addition to MB-G26's suggestions, you may want to consider (strongly consider!) using something other than Internet Explorer for browsing, and Outlook (or Outlook express) for email.

You might want to consider Mozilla ( http://mozilla.org/ ) or Opera ( http://www.opera.com/ ) .
Old 12-26-2003, 20:03   #11
lomfs24
Senior Member
 
Join Date: Apr 2003
Location: Montana
Posts: 4,838
Anti-virus

Anti-virus software is a must. I have used and really liked f-prot on Linux. They also have versions for nearly every operating system. Windows, Linux, FreeBSD, Unix... etc.

It is very reasonably priced, and at least with the Linux version there were new definitions available every 12 to 24 hours.

They can be found at www.f-prot.com
Old 12-26-2003, 20:30   #12
Shoeless
Gun Totin' Girl
 
Join Date: Nov 2001
Location: Planet Earth
Posts: 10,530


Mel, you are unbelievable. Almost every post you write seems like it has hours of tedious research behind it. Girl, you are one valuable resource!

xoxo
Shoeless
Old 01-02-2004, 20:28   #13
streeter69
This is Kewl
 
Join Date: Nov 2001
Location: I like annoying people.
Posts: 2,883
Quote:
Originally posted by Shoeless
Mel, you are unbelievable. Almost every post you write seems like it has hours of tedious research behind it. Girl, you are one valuable resource!

xoxo
Shoeless
One BIG DITTO
__________________
Just when you think it can not get any hotter.
Old 03-04-2004, 00:59   #14
Blast
'nuff said
 
Join Date: Aug 2002
Location: NKY/Cincinnati area
Posts: 21,590


Your posts are highly appreciated, MB-G26. You have provided me with tools that saved my rickety old computer.
Keep up the good work.
__________________
A man should look for what is, and not for what he thinks should be - Albert Einstein
Old 04-23-2004, 14:28   #15
MB-G26
Lifetime Membership
Drivin' Blind
 
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


UPDATE: re-arranged, expanded, and more info

The recent attempted hack of GT's servers got me thinking, as did several inquiry threads. So.... here's an expanded and rearranged update - takes more than 1 post:

SUGGESTIONS:
The following is focused on users of Windows 9.x and up, and of Internet Explorer. IE 6.x users - achieve the same things, but you will have to look for where 6.x puts these options w/in IE Internet Tools.

1. DISable virtually everything in ALL "Zones" in IE-> Tools -> InternetOptions ->Security except for the "Trusted Zones", including specifically:
A. All ActiveX entries (1st 5 entries in IE5.5)
B. Cookies (both entries)
C. File and Font download (one entry each)
D. MS VM - Java Permissions (DISable java)
E. Misc.: Access Data Sources, etc. (9 entries, including Installation of Desktop Items...)
(set Software Channel Permissions to HIGH)
F. DISable all scripting entries (3 java/java script entries: Active, Paste & Scripting Java Applets)
G. Set User Authentication to "Anonymous logon"

H. A bit outdated, but for background info re the "Zones": http://www.nwnetworks.com/iezones.htm "Internet Explorer Security Zones, by Scott Schnoll"

I. See "Accidental Trojan Horses - Security Problems in Windows 98 PCs" http://www.computerbytesman.com/acctroj/ regarding ActiveX issues.

J. Advisable to change the default settings in the "My Computer" zone - which can't be done straight manually since it isn't displayed like the other zones. See http://www.edensoft.com/ieak.html "Changing settings in the My Computer security zone"

K. Put "*.glocktalk.com" (w/o quote marks) in your Trusted Zone so it will work properly. Ditto for any other sites you need the otherwise disabled functionalities for.

L. ENSURE each & every single option is DISabled or set to "HIGH" (if that is the most disabling option offered) in the Restricted Zone.

2. DISable/UNtick the following in IE -> Tools -> Internet Options -> Advanced tab.
A. UNtick the boxes for "Enable Install On Demand"

3. Protection from browser high-jackers and others, including silent-download invaders:
A. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html Also free, although donations are appreciated.

B. Browser Hijack Blaster: http://www.wilderssecurity.net/bhblaster.html

C. Go to http://www.lurkhere.com/ & look at info re: "Hijack This!" program. Download is mirrored @"Nice Files" page there. Installation will keep your homepage in IE from being hijacked. It "includes a copy of StartupList, that can be run from the HijackThis interface. Updated August 15th, 2004"

4. Protect against Start Page hijacks: StartPage Guard (http://www.pjwalczak.com/spguard/index.php)

5. Protect against infections of spyware: locate, download & install & keep updated the following:
A. Spybot Search & Destroy: also at lurkhere.com and a variety of other mirror sites. Home page: http://www.safer-networking.org/ Official support forums: http://forums.net-integration.net/index.php?c=7

B. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
From http://www.wilders.org/free_tools.htm

C. HTAstop (in the prevention section, about 1/2 down the page) also on http://www.simtel.net/pub/pd/53731.shtml

D. Robin Keir Script Trap http://keir.net/software.html

E. WSH Anti-Polymorphism Patch (Wilders)
F. DSOStop v2 (Wilders)
G. Windows Media Player Scripting Fix v1.0 (Wilders)

From the "monitoring" section there at Wilders, get and install:
H. ScriptSentry or AnalogX Script Defender (depending upon whether you have MS VBS installed)
I. DHCP Fix
J. StartUp Monitor

from the "misc" section @ Wilders, download and install:
K. BHO Captor or BHOCop

L. Obtain/install Ad-Aware, and use it as a backup to Spybot Search & Destroy. Start w/their main page http://www.lavasoft.de/ (AA products require frequent updates, have pay & free versions, & are often the subject of problem complaints immediately after updates/upgrades are issued.)

M. Consider installing EBERGER Windows Security Utility, "a menu-driven batch file utility that allows you to disable, re-enable, or otherwise configure the following aspects of Windows", and his "Windows Script (Host) Uninstaller".
Quote:
*EBERGER Windows Security Utility:
NetBIOS Over TCP/IP (File & Printer Sharing)
Microsoft DCOM
Microsoft Jet security
Microsoft Windows Script
BHO's (Browser Helper Objects)
HOSTS file
There is an extensive ReadMe.txt included."
This is the same Eric Howe that writes IE-SPYAD (see below- URLs have changed as of 6/04)
Quote:
Windows Script (Host) Uninstaller
Last Updated: Apr 28 '01
"The Windows Script (Host) Uninstaller is a batch file utility that will uninstall any version of Windows Script, sometimes known as the Windows Scripting Host. It will uninstall Windows Script (Host) no matter the original source of the installation...

Windows Script 5.6 (from microsoft.com)
Windows Script 5.5 (from microsoft.com)
Windows Script 5.1 (from microsoft.com)
Windows Script 5.0 (from microsoft.com)
Visual Basic Scripting Support (any version of IE 5)
Windows Scripting Host 2.0 beta
Windows Scripting Host 1.0 (Windows 98 SE)
Windows Scripting Host 1.0 (Windows 98)
Windows Scripting Host 1.0
This batch file will NOT uninstall Windows Script (Host) from Windows ME or Windows 2000 due to the System File Protection scheme that these versions of Windows employ."
N. Consider UNinstalling Windows's "VBS Script" from Add/Remove Programs/Windows Components.

O. Consider changing the "association" of "dangerous file types" to something harmless, like Notepad. (WSH, HTA, SHS-scrap files, MSHTA, etc.) See http://www.nsclean.com/psc-exe2.html (Privacy Software Corporation Security Advisory, Friday, April 13, 2001, "EXE2HTML HTA Exploit Generator" - authored by the coders of commercial AT programs BOClean, IECLean, and the freeware HTASTOP.) See also: "Scrap Files Can Tear You Up", http://www.pc-help.org/security/scrap.htm

6. Ensure your "bindings" are properly configured. http://grc.com/su-bondage.htm
Quote:
Network Bondage
Discipline your network bindings in the privacy of your own home.

Microsoft's networking technology is only required for sharing files and printer services with other Microsoft-based PC's. It is not needed for connecting to the Internet or for using any Internet services. ... exposing Microsoft's weak password protection system to password crackers over the Internet... .

Understanding Adapter, Protocol, and Service Binding

The key to taming your computer's network configuration is understanding what is meant by "binding". For example, we say that a network adapter is bound to TCP/IP or that NetBEUI is bound to File and Printer sharing. ...

The process known as "binding" bridges the layer boundaries to interconnect pairs of individual components residing in adjacent layers. . . . In other words ... By default EVERYTHING [as set up by Microsoft in its OSs] on each layer is BOUND to EVERYTHING on the adjacent layer!
. . .
You don't need to be a rocket scientist to easily see why this is unsafe: The insecure Microsoft networking components the Client for Microsoft Networks and File and Printer Sharing are bound to the Internet's worldwide routable TCP/IP protocol, and the TCP/IP protocol is bound to ALL of the system adapters! Thus, anytime this system has any contact with the Internet, the machine's guts are spilling out for the whole world to access! . . .
(to rearrange your bindings, follow Gibson's step-by-step)

7. DISable Windows Messenger (not the same as the other Messenger)
A. Read and follow: (link out of date - currently culling new ones)

8. Obtain/install a pop-up blocker:
A. Review & comparison of current, popular Popup killer programs is located at http://www.popup-killer-review.com/test.htm

9. Prevent 'bad' websites from effectuating things on your computer:
A. Put a huge list of bad and universally-undesirable sites into the "Restricted" zone of IE. See Eric Howe's pages which provide IE-SPYAD, a self-installing add-in to the IE Restricted Zone which adds a choice of undesirable websites to that zone.
Quote:
new home page is:

Protecting Your Privacy & Security (UIUC)
https://netfiles.uiuc.edu/ehowes/www/

Note the https (SSL) instead of the standard http. The new URL for the IE-SPYAD/AGNIS page is:

IE-SPYAD/AGNIS
https://netfiles.uiuc.edu/ehowes/www/resource.htm

...you can convert the URLs ... because the internal structure of the site has remained the same. ... change [old to new] ...
http://www.staff.uiuc.edu/~ehowes/
...to...
https://netfiles.uiuc.edu/ehowes/www/
The rest of the URL remains the same.
10. Obtain and install CW Shredder (CoolWebSearch trojan killer program) http://www.spywareinfo.com/~merijn/cwschronicles.html

11. Ensure no phoney, 'pretending' "anti-spyware" programs are installed. See details here: http://www.netrn.net/spywareblog/

12. Ensure machine is running a good, updated ANTI-VIRUS PROGRAM "resident". Obtain an additional AV, such as the freeware AVG6, www.grisoft.com, and while keeping the 2nd one updated DO NOT RUN IT RESIDENT - RUN IT WEEKLY ON MANUAL LOAD DEMAND.
12(A) Good, reliable, and frequently updated free Anti-Trojan programs are almost impossible to find anymore, but SERIOUSLY CONSIDER spending the $40 for a good AT program. An AV program is NOT any guarantee in the least against a trojan - too much difference between the beasts. I recommend BOClean AT - about $40, & have used it for several years. Though not affiliated in any way with PSC company or its coders, this is the only AT I have ever recommended. http://www.nsclean.com/boclean.html
12(B) If you won't run an AT, next best idea is implementing various fixes and work-arounds to combat trojan infections. Example: http://www.hackfix.org/subseven/ SubSeven Trojan info & fix page. Wilders.org also has a TON of 'trojan' and exploit fix tools indexed - free & downloadable, although dated.

12(C). Anti-Virus programs (not a complete list):

(i) AVG (Anti-Virus Grisoft) www.grisoft.com
(ii) Trend Micro (including Online virus scan)
http://housecall.trendmicro.com/

13. Ensure the appropriate patches installed from http://windowsupdate.microsoft.com ; http://www.microsoft.com/windows98/d.../corporate.asp ; https://v4.windowsupdate.microsoft.com/en/default.asp . There are alternative source sites for MS's patches if for some reason you have trouble w/the MS update pages. (You will have to RE-ENABLE all the ActiveX, Java, Script, Cookies, Download, etc., settings for whatever zone the MS page you use is in.)
A. http://members.tripod.com/erpman1/
B. http://www.mdgx.com/web.htm
C. http://www.softwarepatch.com/
D. http://www.rwclements.com/upgrades/mswin98.html (back up the URL or use links on page for updates for non win98 updates)
E. http://www.techspot.com/tweaks/updates/

14. Ensure the FIREWALL is updated, if applicable, properly configured, and learn to utilize "Advanced" or "Special" Rules.
A. Consider using a different FW if you believe the one you have is being successfully penetrated.
(A)(1) Sygate Personal Firewall STD and PRO Versions. See the Sygate site for most updated version info. You may be able to download from here http://smb.sygate.com/buy/download_buy.htm
Quote:
Sygate Personal Firewall (free)
Protects against Trojans, spyware, worms and other known & unknown threats Prevents unauthorized or malicious applications from bypassing the firewall. Enables even inexperienced users to easily customize and fine-tune security policies... Easiest-to-use PC firewall and still free for personal/home use.
If you use Zone Alarm do some research into ZA's various downsides - including false alerts and issues regarding alert sensitivity settings. If you have ZA and choose to go w/a different FW, thoroughly research the UNinstall steps before UNinstalling ZA.

(B). If concerned with FW "alerts" and log entries, Learn to understand WHAT your FW logs are actually indicating.
(1) http://www.robertgraham.com/pubs/firewall-seen.html
"Firewall Forensics, What Am I Seeing?"

(2) http://www.interhack.net/pubs/fwfaq/
"Internet Firewalls: Frequently Asked Questions"

(3) Sygate products - FireWall, forums: http://forums.sygate.com/vb/

(4) Intrusion Detection Services http://www.ssimail.com/Sesintrude.htm

(5) Doshelp.com (firewall) Intrusion & Attack Reporting Center (helpful tips, explanations, FW help, Trojan Ports list, AV Tools, Security Patches, Security News, etc.) http://www.doshelp.com/sectips.htm

(6) Dshield.org FAQ http://www.dshield.org/primer.php
Quote:
Internet Primer
This introduction is intended to provide a basic understanding of how the Internet works and how this applies to firewalls.... This page will just provide a brief definition of many of the terms used on this site.

IP Address
DNS / Domain Name / Host Name
Ports
IP (Internet Protocol)
TCP (Transmission Control Protocol)
UDP
ICMP (Internet Control Message Protocol)
Firewalls
(7) http://unixgeeks.org/security/newbie.../firewall.html "Firewall Basics"
(8) Firewall Exploits: http://www.iss.net/security_center/a...ts/default.htm
Quote:
"The term 'exploit' refers to a well-known bug/hole that hackers can use to gain entry into the system. This section contains extensive reference information on common exploits and intrusion methods that hackers use to break into systems."
(9) Beyond-Security's SecuriTeam.com http://www.securiteam.com/

(10) Intrusion Detection Tools: http://www.foundstone.com/resources/..._detection.htm

go to part 2
m

Last edited by MB-G26; 09-07-2004 at 13:32..
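The zone settings in item 1 above and in the first post, the Restricted-zone site list of item 9 (what IE-SPYAD automates), and the "*.glocktalk.com in Trusted" advice all come down to DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which makes them easy to audit and to roll out as a .reg file. As an added example, not from the thread or from any of the tools it links, here is a Python script that parses a `reg export` of the Zones key, reports every risky action that is not set to Disable outside the Trusted zone, and emits a hardened .reg that disables those actions in the Internet and Restricted zones and files domains into ZoneMap. The action codes and the 0/1/3 = Enable/Prompt/Disable convention are taken from Microsoft KB 182569; the sample export is constructed, not from a real machine.

```python
"""Audit an exported IE Security Zones registry key and emit a hardened .reg file.

Added example; not from the original thread. Assumes the action codes listed in
ACTIONS (Microsoft KB 182569) and the standard Zones / ZoneMap\\Domains key paths.
"""
import re

ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones")
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
ZONE_NAMES = {"1": "Local intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted sites"}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}          # per-action DWORD values
ACTIONS = {                                                # action code -> Security-tab label
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1406": "Access data sources across domains",
    "1407": "Allow paste operations via script",
    "1803": "File download",
    "1804": "Launching programs and files in an IFRAME",
}
_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Map zone number -> {action code: value} from a 'reg export' of the Zones key."""
    zones, current = {}, None
    prefix = ZONES_KEY.lower() + "\\"
    for line in text.splitlines():
        line = line.strip()
        key = _KEY.match(line)
        if key:
            path = key.group(1)
            current = path.rsplit("\\", 1)[1] if path.lower().startswith(prefix) else None
            if current is not None:
                zones.setdefault(current, {})
            continue
        val = _DWORD.match(line)
        if val and current is not None:
            zones[current][val.group(1).upper()] = int(val.group(2), 16)
    return zones


def audit(zones):
    """Every risky action not set to Disable, outside the Trusted zone: (zone, action, level)."""
    findings = []
    for zone in sorted(zones):
        if zone == "2":          # Trusted sites is where the poster says to allow these on purpose
            continue
        for code, label in ACTIONS.items():
            value = zones[zone].get(code)
            if value is not None and value != 3:
                findings.append((ZONE_NAMES.get(zone, zone), label, LEVEL.get(value, hex(value))))
    return findings


def hardened_reg(restricted_domains=(), trusted_domains=()):
    """.reg text: every ACTIONS entry Disabled in the Internet and Restricted zones, logon set
    to anonymous (1A00 = 0x30000), and the given domains filed under ZoneMap\\Domains
    (value "*" = zone number covers the domain and all its subdomains, http and https)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for zone in ("3", "4"):
        out.append(f"[{ZONES_KEY}\\{zone}]")
        out.extend(f'"{code}"=dword:00000003' for code in ACTIONS)
        out.append('"1A00"=dword:00030000')
        out.append("")
    for domains, zone in ((restricted_domains, 4), (trusted_domains, 2)):
        for dom in domains:
            dom = dom[2:] if dom.startswith("*.") else dom   # "*.glocktalk.com" -> "glocktalk.com"
            out.append(f"[{DOMAINS_KEY}\\{dom}]")
            out.append(f'"*"=dword:{zone:08x}')
            out.append("")
    return "\n".join(out)


# Constructed sample export (not from a real machine): Internet zone left at IE defaults.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1200"=dword:00000000
"1400"=dword:00000000
"1803"=dword:00000000
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1200"=dword:00000003
"1400"=dword:00000001
"""

if __name__ == "__main__":
    for zone, label, level in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{zone:16} {label:55} {level}")
    print(hardened_reg(restricted_domains=["adware.example"], trusted_domains=["*.glocktalk.com"]))
```

Export the live key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`, feed the file to `parse_reg`, and import the generated text with `reg import` after saving it with CRLF line endings. Anything the script flags in the Restricted zone is the "ENSURE each option is DISabled" check from item 1.L done mechanically; a long blocklist such as IE-SPYAD's is just the `restricted_domains` list here.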
Old 04-23-2004, 14:29   #16
MB-G26
Lifetime Membership
Drivin' Blind
 
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


Part 2

15. Utilize a reporting organization for serious intrusion attempts.
(A) http://www.dshield.org/
This is an excellent site to become familiar with. It is part of the Internet Storm Center/SANS ("SysAdmin, Audit, Network, Security" Institute, established 1989) and has an IP number registration lookup interface - useful for IP numbers reflected in the FW log as attempted intrusions, as well as a recent port usage/exploit lookup. (http://www.dshield.org/reports.php) Both the ISC and SANS sites are WELL worth perusing. For example, see not only the graphic on the main Dshield page which depicts current threat traffic, but also the "Trends" page on Sans: http://isc.sans.org/trends.php.

If implementation of 'special' Rules is desired, consider utilizing Dshield's recommended "block list" of offending IP blocks: http://www.dshield.org/block_list_info.php
Quote:
DShield.org is an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized [via reports through their "Fight Back" reporting and cataloging function]. It can be used to discover trends in activity and prepare better firewall rules.
http://www.dshield.org/fightback.php
Quote:
FightBack
DShield.org is now helping users to fight back against attackers. We will analyze submitted log reports and pick a number of strong cases to forward them to the ISP from which the attack originated. A copy of the abuse report will be forwarded to the user.

You have to sign up for 'Fightback'. We will not forward any of your log submissions unless you agree to by using the fightback option.

The user that submitted the log report will be copied on all correspondence. The ISP will receive all relevant log excerpts and we will include the e-mail address registered with DShield.org, in order to allow the ISP to contact the victim directly.

To sign up for the 'FightBack' program, go to the login page, log in and then check the 'FightBack' box. We'll do the rest.

Right now, the system is tailored to simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.
(A)(1) Download and install CVT, a freeware reporting client which processes and sends appropriate log entries to Dshield.
http://www.dshield.org/howto.php
Quote:
How to submit your firewall logs to DShield

DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.

If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready to go client programs, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required.
Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.
More information about how DShield works is on our home page.
(links)
Prewritten clients
Windows

DShield "Universal" CVTWIN Client
8Signs Firewall
Agnitum Outpost
AnalogX PortBlocker
Asante FriendlyNET, D-Link, U.S. Robotics, and SMC Barricade routers using RouterLog
Billion Router
BlackIce Defender
eSoft Instagate Firewall
Kerio (formerly Tiny) Personal Firewall
Kerio (formerly Tiny) Software WinRoute Pro
Kiwi Syslog Daemon
Asante FriendlyNet VR2004AC, VR2004C
Cisco ACL (IOS)
Cisco PIX
Clavister Firewall
D-Link Router
Gentek Router
IPChains
IPTables
Linksys Router
Netgear Router
Netscreen
Netopia Router
SMC Router
Smoothwall
Sonicwall
WatchGuard
Zyxel Zywall Routers
Linksys Etherfast Cable / DSL router
Microsoft ISA
McAfee Firewall
Norton Personal Firewall
Snort
Sygate Personal Firewall
Symantec VelociRaptor Firewall
Tiny Personal Firewall 4.0 and 5.0
Vicom Internet Gateway
Trend Micro PC-Cillin
VisNetic (formerly Ambra) Firewall
Wingate Proxy Server
Windows XP Internet Connection Firewall (ICF)
ZoneAlarm
(A)(2) http://www.mynetwatchman.com/
Quote:
"myNetWatchman is a:
Security Event Aggregator
Centralized, web-based firewall log analyzer
Fully automated abuse escalation/management system
. . .
Q: I uploaded an attack report that I know is a false positive, what do I do?
A: Most escalations require multiple agents to report the same source IP address before any action is taken. Moreover, the escalation thresholds for services that generate a lot of false positives (e.g. streaming audio, file sharing, etc.) have been set to very high values.
Therefore, if you upload a false positive, don't worry about it, it will normally be filtered.
If you actually see something get escalated that shouldn't, then please send an email to support."
B. See "Tool leaky - Why Your Firewall Sucks" http://tooleaky.zensoft.com/

16. There are a variety of sites which offer free infection scanning. A word search in TechTalk will result in several threads listing these.
A. http://www.pcflank.com/scanner1.htm; http://www.pcflank.com/test.htm
Quote:
Quick Test
Stealth Test
Browser Test
Trojans Test
Advanced Port Scanner
Exploits Test
B. Security Space Security Audits http://www.securityspace.com/smysecure/index.html
Quote:
Home PC Users
Desktop Audit $9.95 USD/yr
A comprehensive audit package suitable for desktop systems not running server software. Includes a 1500+ TCP port scan and 631 vulnerability tests in the Denial of Service, Windows, Backdoors (Trojans), Firewalls, and Misc. categories.

Basic Audit ( Free ) Run Audit
Our classic port scan - scans 1500+ known service ports looking for services hackers might use to get in.

Single Test ( Free ) Run Audit
Run any of our 2088 vulnerability tests. Unlimited use
C. GRC's "Shield's Up!" Security Analysis https://grc.com/x/ne.dll?bh0bkyd2

D. Security Analysis Service http://www.vulnerabilities.org/

E. Firewall Test, Port Scan.... http://www.auditmypc.com/
Quote:
Free Online Security Check
Port Scanning Explained: http://www.auditmypc.com/freescan/readingroom/port_scanning.asp
F. http://www.cert.org/
Vulnerabilities, Incidents & Fixes

G. Port Scan Security Check http://www.sdesign.com/securitytest/index.html

H. Sygate Security Probe page http://scan.sygate.com/probe.html

REMEMBER TO DISABLE ANY FIREWALL REPORTING SERVICE/PROGRAM YOU HAVE IMPLEMENTED BEFORE DOING AN INTENTIONAL SECURITY AUDIT - YOU DO *NOT* WANT TO REPORT A FRIENDLY IP AS AN INTRUDER.

17. Various utilities would be helpful to have on board, including process viewers (which will show you EVERYTHING that is running - far beyond what the TaskManager - Ctrl-Alt-Del - box shows.) There is at least one freely available at Wilders.org

A. This is another free one - PrcView. http://www.xmlsp.com/pview/prcview.htm There are many payware programs, also.
Quote:
PrcView is a process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, threads and module usage. For each DLL it shows full path and version information. PrcView comes with a command line version that allows you to write scripts to check if a process is running, kill it, etc.
18. Get to know Regedit and your Registry and the Windows Regedit program. Always, ALWAYS keep full, current, manual backups of your full registry stored on removable media.
(A) A Registry info site: http://www.winguides.com/registry/

19. Learning to put the HOSTS file to good use is also helpful, but this is limited to certain MS OS's as a nice, fat HOSTS file does NOT play well with some OS's above 9.x
A. http://www.accs-net.com/hosts/
Gorilla Design Studio Presents: Using the Hosts File
(This site is very comprehensive and also links to basically the best HOSTS file sites I know of, so I didn't post them all individually.)

m
__________________
I'm doin the best that I can.
(Godsmack)
MB-G26 is offline   Reply With Quote
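The DShield section above (item 15) describes reporting clients that process packet-filter logs before submission, and the reminder at the end of item 16 warns against reporting a friendly IP as an intruder. The following is an added example, not DShield's CVT client or any code from the thread: it parses constructed netfilter/iptables-style LOG lines, drops hits from an allowlisted "friendly" range (the assumed audit host and local LAN, 192.0.2.0/24 here), and groups the rest by source address and destination port the way a reporting client would before a submission is built.

```python
"""Aggregate packet-filter log lines into per-source summaries.

Added example (not DShield's CVT client). The log lines below are
constructed in the netfilter LOG-target format; addresses are
documentation ranges (RFC 5737).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines: two probes from one host, one from another,
# one scan from our own LAN (a self-audit), and one unrelated kernel message.
SAMPLE_LOG = """\
Oct 12 02:15:01 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1234 PROTO=TCP SPT=44321 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 12 02:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1235 PROTO=TCP SPT=44322 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 12 02:15:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=9 PROTO=UDP SPT=1026 DPT=1434 LEN=28
Oct 12 02:16:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.250 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 12 02:16:02 gw kernel: some unrelated message without packet fields
"""

# Assumption: addresses that must never be reported (our own LAN, including
# the machine used for intentional self-audits).
FRIENDLY = [ipaddress.ip_network("192.0.2.0/24")]

# Only the key=value fields a report needs; LEN, TTL, MAC etc. are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the packet fields of one log line as a dict, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    try:
        src = ipaddress.ip_address(fields["SRC"])
    except ValueError:
        return None
    return {
        "src": src,
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dport": int(fields.get("DPT", 0)),   # ICMP lines carry no DPT
    }


def is_friendly(addr):
    """True if the source is in a range we have chosen never to report."""
    return any(addr in net for net in FRIENDLY)


def summarize(log_text):
    """Group reportable hits as {src: {dport: count}}; also count suppressed hits."""
    hits = defaultdict(lambda: defaultdict(int))
    suppressed = 0
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue                      # not a packet-filter line
        if is_friendly(pkt["src"]):
            suppressed += 1               # never report our own scans
            continue
        hits[str(pkt["src"])][pkt["dport"]] += 1
    return {src: dict(ports) for src, ports in hits.items()}, suppressed


def report_lines(summary):
    """Render a plain-text report, one line per (source, destination port)."""
    out = []
    for src in sorted(summary):
        for dport, n in sorted(summary[src].items()):
            out.append(f"{src}\tdport={dport}\thits={n}")
    return out


if __name__ == "__main__":
    summary, suppressed = summarize(SAMPLE_LOG)
    print("\n".join(report_lines(summary)))
    print(f"suppressed {suppressed} hit(s) from friendly addresses")
```

The allowlist is the part worth keeping in any homegrown reporter: a self-audit such as the scanners listed in item 16 produces exactly the kind of log lines an automated system would otherwise escalate, so filter those sources out before anything leaves the machine rather than relying on remembering to switch the reporter off.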
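Item 19 recommends putting the HOSTS file to good use, and earlier items cover browser hijacking. The following is an added example, not from the thread or the linked Gorilla Design Studio site: it reads a constructed HOSTS file, lists the names it blocks (entries pointing at 0.0.0.0 or loopback), flags duplicate names and malformed lines, and flags any entry that sends a name to a routable address, which is the kind of entry worth reviewing because a legitimate blocklist never needs one. All hostnames and addresses are documentation values.

```python
"""Audit a HOSTS file: block entries, duplicates, malformed lines, and
entries that redirect a name to a routable address.

Added example; the file content is constructed for the demonstration.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.com      # blocklist entry
0.0.0.0         tracker.example.net
127.0.0.1       popups.example.org
0.0.0.0         ads.example.com      # duplicate of line 3
203.0.113.9     update.example.com   # redirect to a routable address
not-an-ip       bad.example.com
"""

# Addresses that merely sink a name; anything else is a real redirect.
BLOCK_TARGETS = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return [(lineno, address-or-None, [names])]; None marks a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            addr = None
        entries.append((lineno, addr, parts[1:]))
    return entries


def audit_hosts(text):
    """Classify every entry; returns a dict of findings."""
    blocked, seen = set(), {}
    duplicates, redirects, malformed = [], [], []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            malformed.append(lineno)
            continue
        for name in names:
            name = name.lower()            # hostnames are case-insensitive
            if name in seen:
                duplicates.append((name, seen[name], lineno))
            else:
                seen[name] = lineno
            if addr in BLOCK_TARGETS:
                if name != "localhost":    # loopback's own name is not a block
                    blocked.add(name)
            else:
                redirects.append((name, str(addr), lineno))
    return {
        "blocked": sorted(blocked),
        "duplicates": duplicates,
        "redirects": redirects,
        "malformed": malformed,
    }


def lookup(text, name):
    """Resolve a name as the resolver would: first matching entry wins."""
    wanted = name.lower()
    for _, addr, names in parse_hosts(text):
        if addr is not None and wanted in (n.lower() for n in names):
            return str(addr)
    return None


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
    print("ads.example.com ->", lookup(SAMPLE_HOSTS, "ads.example.com"))
```

Run it against a real HOSTS file by reading the file into `text` instead of `SAMPLE_HOSTS`; the `redirects` list is the one to examine after any cleanup of unwanted software, since a blocklist you installed yourself should contain only sink addresses.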
Old 05-21-2004, 17:19   #17
rhikdavis
U.S. Veteran
Join Date: Jul 2002
Location: Late Great Planet Earth
Posts: 13,366
Blog Entries: 1
How much to fly you out to my place and just set my computer up. ;f
__________________
Charter OAF Member
"I don't know half of you half as well as I should like; and I like less than half of you half as well as you deserve."

"This thread didn't take long to go full retard." -Nevermore1701
rhikdavis is offline   Reply With Quote
Old 06-13-2004, 00:52   #18
MB-G26
Lifetime Membership
Drivin' Blind
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


Ah...... but I am in BabyLand.......

Quote:
Originally posted by rhikdavis
How much to fly you out to my place and just set my computer up. ;f
hehehe..... in fact, I'm temporarily at my sister's in Kali, where all things computer sometimes kinda sort work and Winblows is a rare commodity, lol!
m
__________________
I'm doin the best that I can.
(Godsmack)
MB-G26 is offline   Reply With Quote
Old 08-07-2004, 16:44   #19
MB-G26
Lifetime Membership
Drivin' Blind
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


Help in totally removing AOHell

Just came across this and thought I'd add it to the 'helpful info' list:
http://www.lurkhere.com/forum600.html
Conferences Windows 98 Family ( http://www.lurkhere.com/cgi-bin/foru...mID14&archive= )
Topic #983
"Uninstalling AOL" Jul-28-04, 09:09 AM (EDT)

Quote:
1. "RE: Uninstalling AOL"
Jul-28-04, 10:55 AM (EDT)
I would use the Add/Remove entry.
Then I would look for any AOL related folders in Explorer and run any 'unwise' or 'uninstall' files I found.

Then I'd settle in and get nice and comfy cozy for one of the most rewarding exercises a computer user can attain, the systematic hunt and destroy of anything AOL in a System Registry.

May want to export one (a copy of the Reg) first, JIC. ...

Then, dump all your Temps and TIF's and defrag that sucker.
*******

2. "RE: Uninstalling AOL"
Jul-28-04, 11:03 AM (EDT)
LAST EDITED ON Jul-28-04 AT 11:06 AM (EDT) by ADZIRK (moderator)

This lists the step you can take. It is a bit old and may be missing some steps for AOL 8 or 9.

How To Uninstall AOL ( http://9337387.home.icq.com/main7.html )

IMHO the only way you can completely eradicate the AOL virus is to wash your hands with an antibacterial soap for 60 seconds and then perform a clean installation of Windows ... there must NOT be any AOL disks in the home or your chances of reinfection become very high.
*****
(re using IE Repair tool to fix problems after a removal of aoHell which has tampered w/other needed files) ... a file you need has been toyed with when AOL was being shutdown, shut out, or removed.

AOL does not standalone, it fusses with too many other things.
m
__________________
I'm doin the best that I can.
(Godsmack)
MB-G26 is offline   Reply With Quote
Old 08-07-2004, 18:09   #20
MB-G26
Lifetime Membership
Drivin' Blind
Join Date: Oct 2001
Location: Mansfield Reformatory
Posts: 14,938


IE-Spyads users: new URLs

Jun-21-04, 05:09 AM (EDT)
Note from the much admired Mr.Eric L Howes:
Quote:
IE-SPYAD/AGNIS Home Page Moved

Hi All:

Over the past year the University of Illinois at Urbana-Champaign has been migrating all of its student and staff accounts to new servers. This weekend my time to migrate finally came (I had no choice in the matter). That means my privacy & security web site has moved to a new location at UIUC with a new URL. My new home page is:

Protecting Your Privacy & Security (UIUC)
https://netfiles.uiuc.edu/ehowes/www/

Note the https (SSL) instead of the standard http. The new URL for the IE-SPYAD/AGNIS page is:

IE-SPYAD/AGNIS
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Unfortunately, there is no automatic re-direct (or even a placeholder notice) from the old web site ( http://www.staff.uiuc.edu/~ehowes/ ). The old address is now simply broken.

At this time I have migrated all of my files, and the new web site should, for the most part, work as it did before. Most internal links within the site should work just fine, although there undoubtedly are some which are now broken and which I will be fixing over the next few days.

If you bookmarked particular pages at my site, you can convert the URLs rather easily because the internal structure of the site has remained the same. For every URL or bookmark you had before, change...

http://www.staff.uiuc.edu/~ehowes/
...to...
https://netfiles.uiuc.edu/ehowes/www/
The rest of the URL remains the same.

I will be posting this notice at many forums over the next few days. Obviously, I cannot possibly notify everyone on the Net who might be using my web site or IE-SPYAD/AGNIS. If you happen to be a regular at a particular forum and suspect that I'm not, please do pass along the new URL for my web site.

Finally, my regular email has not changed:
eburger68-AT-myrealbox.com (munged by MB)

...so if you have questions or problems with IE-SPYAD or AGNIS, you can continue to contact me at that email address with no problem whatsoever.

All the best,
Eric L. Howes
__________________
I'm doin the best that I can.
(Godsmack)
MB-G26 is offline   Reply With Quote