For Jadepond - re computer security (multipart post)

Discussion in 'Announcements & Support' started by MB-G26, Apr 23, 2004.

  1. MB-G26

    Oct 9, 2001
    Missing Sharon
    (I know, TT is more appropriate, but it seems that a lot of people don't visit us there.... I will xpost this - forgive the Net faux pas for doing so.)
    In the event that you were mistaking the intrusion attempts which are commonplace on the 'Net for GT trying to "hack" your computer, please review the following. As for unauthorized changes to your desktop, "bypassing" of your firewall, etc., please review the following.

    As seen on GT/TT, "1-stop Answers here: Spyware, Secret Installs, Popups & related", soon to be updated with the following:

    The following is focused on users of Windows 9.x and up, and of Internet Explorer. IE 6.x users - achieve the same things but you will have to look for where 6.x puts these options w/in IE Internet Tools.

    1. DISable virtually everything in ALL "Zones" in IE -> Tools -> Internet Options -> Security except for the "Trusted Zones", including specifically:
    A. All ActiveX entries (1st 5 entries in IE5.5)
    B. Cookies (both entries)
    C. File and Font download (one entry each)
    D. MS VM - Java Permissions (DISable Java)
    E. Misc.: Access Data Source... etc. (9 entries, including Installation of Desktop Items...)
    (set Software Channel Permissions to HIGH)
    F. DISable all scripting entries (3 Java/JavaScript entries: Active, Paste & Scripting Java Applets)
    G. Set User Authentication to "Anonymous logon"

    H. A bit outdated, but for background info re the "Zones": "Internet Explorer Security Zones, by Scott Schnoll"

    I. See "Accidental Trojan Horses - Security Problems in Windows 98 PCs" regarding ActiveX issues.

    J. It's also advisable to change the default settings in the "My Computer" zone - but that can't be done straight manually since it isn't displayed like the other zones. See "Changing settings in the My Computer security zone"

    K. Put "*" (w/o quote marks) in your Trusted Zone so it will work properly. Ditto for any other sites you need the otherwise disabled functionalities for.

    L. MAKE SURE that each and every single option is DISabled or set to "HIGH" (if that is the most disabling option offered) in the Restricted Zone.

    2. DISable/UNtick the following in IE -> Tools -> Internet Options -> Advanced tab.
    A. UNtick the boxes for "Enable Install On Demand"

    3. Protect against browser hijackers and others, including silent-download type invaders:
    A. SpywareGuard: Also free, although donations are appreciated.

    B. Browser Hijack Blaster:

    C. Go to and read the paragraphs about the "Hijack This!" program. Then go to the "Nice Files" page there and download and install the program. This will keep your homepage in IE from being hijacked.

    4. Protect against Start Page hijacks: StartPage Guard

    5. Protect against infections of/from/by spyware: locate, download and install and keep updated the following:
    A. Spybot Search & Destroy: also at and a variety of other mirror sites. Home page:

    B. SpywareBlaster:

    C. HTAstop (in the prevention section, about 1/2 down the page) also on

    D. Robin Keir Script Trap

    E. WSH Anti-Polymorphism Patch (Wilders)
    F. DSOStop v2 (Wilders)
    G. Windows Media Player Scripting Fix v1.0 (Wilders)

    From the "monitoring" section there at Wilders, get and install:
    H. ScriptSentry or AnalogX Script Defender (depending upon whether you have MS VBS installed)
    I. DHCP Fix
    J. StartUp Monitor

    and from the "misc" section at Wilders, download and install:
    K. BHO Captor or BHOCop

    L. Obtain and install Ad-Aware, and use it as an adjunct to Spybot Search & Destroy. (It requires frequent updates and has both pay and free versions.)

    M. Consider installing EBURGER Windows Security Utility, "a menu-driven batch file utility that allows you to disable, re-enable, or otherwise configure the following aspects of Windows", and his "Windows Script (Host) Uninstaller".
    This is the same Eric Howe that brings us IE-SPYAD (see below).
    N. Consider UNinstalling Windows' "VBS Script" from Add/Remove Programs/Windows Components.

    O. Consider changing the "association" of "dangerous file types" to something harmless, like Notepad. (WSH, HTA, SHS-scrap files, MSHTA, etc.) See (Privacy Software Corporation Security Advisory, Friday, April 13, 2001, "EXE2HTML HTA Exploit Generator" - authored by the coders of commercial AT programs BOClean, IECLean, and the freeware HTASTOP.) See also: "Scrap Files Can Tear You Up".

    6. Ensure your "bindings" are properly configured.
    (to rearrange your bindings, follow Gibson's step-by-step)

    7. DISable Windows Messenger (not the same as the other Messenger)
    A. Read and follow:

    8. Obtain and install a pop-up blocker:
    A. Review and comparison of current, popular Popup killer programs is located at

    9. Prevent 'bad' websites from effectuating things on your computer:
    A. A huge list of bad and universally undesirable sites into the "Restricted" zone of IE. Go here: Eric Howe provides IE-SPYAD, a self-installing add-in to the IE Restricted Zone which adds a choice of undesirable websites to that zone.

    10. Obtain and install CW Shredder (CoolWebSearch trojan killer program)

    11. Ensure you are not using any of the phoney, purported "anti-spyware" programs detailed here:

    12. Ensure you are running a good, updated ANTI-VIRUS PROGRAM "resident". Obtain an additional AV, such as the freeware AVG6, and while keeping the 2nd one updated DO NOT RUN IT RESIDENT - RUN IT WEEKLY ON MANUAL LOAD DEMAND.
    12(A) While good, reliable, and frequently updated free Anti-Trojan programs are much harder to find these days, SERIOUSLY CONSIDER spending the $40 for a good AT program - especially since there are reliable free AVs available. An AV program is NOT any guarantee in the least against a trojan - too much difference between the beasts. I recommend BOClean AT - about $40, and have used it for several years. While not affiliated in any way with PSC company, its coders, this is the only AT I have ever recommended.
    12(B) If you are not and will not run an AT, it would be a good idea to start amassing the various fixes available for trojan infections. Example: SubSeven Trojan info & fix page.

    end part One
  2. MB-G26

    Oct 9, 2001
    Missing Sharon
    13. Ensure you have the appropriate patches installed from ; ; . There are alternative source sites for MS's patches if for some reason you have trouble w/the MS update pages. (You will have to RE-ENABLE all the ActiveX, Java, Script, Cookies, Download, etc., settings for whatever zone the MS page you use is in.)
    D. (back up the URL or use links on page for updates for non win98 updates)

    14. Ensure your current FIREWALL is updated, if applicable, properly configured, and learn to utilize "Advanced" or "Special" Rules.
    A. Consider using a different FW if you believe the one you have is being successfully penetrated.
    (A)(1) Sygate Personal Firewall STD and PRO Version 5.5 build 2525 are released. You can download from here
    If you were relying upon Zone Alarm's "alerts" for the impression you were being hacked while on GT, do some research into ZA's various downsides.... including false alerts and issues regarding alert sensitivity settings. If you have ZA and choose to go w/a different FW, thoroughly research the UNinstall steps before UNinstalling ZA.

    B. Learn to understand WHAT your FW logs are actually indicating.
    "Firewall Forensics, What Am I Seeing?"

    "Internet Firewalls: Frequently Asked Questions"

    (3) Sygate products - FireWall, forums:

    (4) Intrusion Detection Services

    (5) (firewall) Intrusion & Attack Reporting Center (helpful tips, explanations, FW help, Trojan Ports list, AV Tools, Security Patches, Security News, etc.)

    (6) FAQ
    (7) "Firewall Basics"
    (8) Firewall Exploits:
    (9) Beyond-Security's

    (10) Intrusion Detection Tools:

    15. Utilize a reporting organization for serious intrusion attempts.
    Become very familiar w/the Dshield site - it is part of the Internet Storm Center/SANS ("SysAdmin, Audit, Network, Security" Institute, established 1989) and you can also look up the IP number registration of any given IP number you see reflected in your FW log as attempting an intrusion as well as the recent logged activity pertaining to any given port number. Both the ISC and SANS sites are WELL worth perusing. For example, see not only the graphic on the main Dshield page which depicts current threat traffic, but also the "Trends" page on SANS:

    Once you are comfortable with creating 'special' Rules for your sw FW, consider utilizing Dshield's recommended "block list" of offending IP blocks:
    (A)(1) Download and install CVT, a freeware reporting client which processes and sends appropriate log entries to Dshield.
    B. See "Tool leaky - Why Your Firewall Sucks"

    16. There are a variety of sites which offer free infection scanning. A word search in TechTalk will result in several threads listing these.
    B. Security Space Security Audits
    C. GRC's "Shield's Up!" Security Analysis

    D. Security Analysis Service

    E. Firewall Test, Port Scan....
    Vulnerabilities, Incidents & Fixes

    G. Port Scan Security Check

    H. Sygate Security Probe page


    17. Various utilities would be helpful to have on board, including process viewers (which will show you EVERYTHING that is running - far beyond what the TaskManager - Ctrl-Alt-Del - box shows.) There is at least one freely available at

    A. This is another free one - PrcView. There are many payware programs, also.
    18. Get to know Regedit and your Registry and the Windows Regedit program. Always, ALWAYS keep full, current, manual backups of your full registry stored on removable media.
    (A) A Registry info site:

    19. Learning to put the HOSTS file to good use is also helpful, but this is limited to certain MS OSes as a nice, fat HOSTS file does NOT play well with some OSes above 9.x
    Gorilla Design Studio Presents: Using the Hosts File
    (This site is very comprehensive and also links to basically the best HOSTS file sites I know of, so I didn't post them all individually.)

    I think you will find that after some reading of the info referred to above, the hacker incident at GT will become much clearer, and you will likely have some good ideas what actually IS altering things on your machine.
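    Item 14.B above ("learn to understand WHAT your FW logs are actually indicating") and item 15 (deciding which hits are worth reporting to Dshield) are the kind of thing a small script can make concrete. The block below is an added example, not part of the original post or of any firewall product: it parses constructed sample log lines in a made-up "date time action proto src:port -> dst:port" layout (real Sygate/ZA logs differ, so the regex is an assumption) and labels each source as a port scan, single-port background noise, or a lone stray packet.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real firewall product): blocked inbound
# attempts in a simple "date time action proto src:port -> dst:port" layout.
SAMPLE_LOG = """\
2004-04-23 10:01:02 BLOCKED TCP 203.0.113.5:3410 -> 192.0.2.10:135
2004-04-23 10:01:03 BLOCKED TCP 203.0.113.5:3411 -> 192.0.2.10:139
2004-04-23 10:01:03 BLOCKED TCP 203.0.113.5:3412 -> 192.0.2.10:445
2004-04-23 10:01:04 BLOCKED TCP 203.0.113.5:3413 -> 192.0.2.10:27374
2004-04-23 10:02:10 BLOCKED TCP 198.51.100.7:1025 -> 192.0.2.10:135
2004-04-23 10:02:12 BLOCKED TCP 198.51.100.7:1027 -> 192.0.2.10:135
2004-04-23 10:03:00 BLOCKED UDP 192.0.2.1:67 -> 192.0.2.10:68
2004-04-23 10:03:30 ALLOWED TCP 192.0.2.10:3500 -> 198.51.100.20:80
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Labels for ports that dominated inbound noise in this era; 27374 is the
# default SubSeven listener, which is why it appears on "trojan port" lists.
PORT_NAMES = {135: "RPC/DCOM", 139: "NetBIOS", 445: "SMB", 27374: "SubSeven"}

def parse_blocked(log_text):
    """Yield (src, dport) for each well-formed BLOCKED line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"] == "BLOCKED":
            yield m["src"], int(m["dport"])

def summarize(log_text, scan_threshold=4):
    """Group blocked hits by source: 'scan' = >= scan_threshold distinct ports
    (someone probing you), 'noise' = repeated hits on one port (worm/background
    traffic), 'single' = one stray packet, rarely worth a report."""
    by_src = defaultdict(list)
    for src, dport in parse_blocked(log_text):
        by_src[src].append(dport)
    report = {}
    for src, ports in by_src.items():
        distinct = sorted(set(ports))
        if len(distinct) >= scan_threshold:
            label = "scan"
        elif len(ports) > 1:
            label = "noise"
        else:
            label = "single"
        report[src] = {"hits": len(ports), "label": label,
                       "ports": [f"{p} ({PORT_NAMES.get(p, 'other')})" for p in distinct]}
    return report
```

    Only the "scan" sources are candidates for a Dshield report; the "noise" source hammering port 135 is the ordinary worm traffic every dial-up user of the period saw.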
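    Item 19 above recommends putting the HOSTS file to good use, and items 3 and 4 warn about browser hijackers; the same file serves both, since a blocklist sends unwanted names to the local machine while a hijacker points names you use at a foreign address. The block below is an added example, not part of the original post: it parses a constructed HOSTS file and separates sinkholed blocklist entries from redirections of domains you care about (the `watched_domains` set is an assumption you supply).

```python
import ipaddress

# Constructed sample HOSTS file (not a real one): a loopback-style blocklist,
# one entry of the kind a browser hijacker plants, and one malformed line.
SAMPLE_HOSTS = """\
# blocklist lines send ad/tracking hosts to the local machine
127.0.0.1 localhost
127.0.0.1 ads.example banners.example
0.0.0.0   tracker.example
# a hijacker rewrote a site you actually use to a foreign address
203.0.113.9 www.example.com
not-an-ip bogus.example
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from non-comment lines; skip unparseable IPs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue   # junk left by a typo or a careless hijack tool
        entries.extend((ip, n.lower()) for n in names)
    return entries

def audit_hosts(text, watched_domains):
    """Sort entries into sinkholed (blocklist) vs suspicious redirections.

    Pointing a name at loopback or 0.0.0.0 is how a blocklist works.  Pointing
    a domain you use (watched_domains) anywhere else is the hijacked pattern.
    """
    blocked, suspicious = [], []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        elif any(name == d or name.endswith("." + d) for d in watched_domains):
            suspicious.append((name, str(ip)))
    return {"blocked": blocked, "suspicious": suspicious}
```

    The length of the "blocked" list is also the number to watch on the OSes the post says choke on a fat HOSTS file.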

  3. troyboy30


    Aug 6, 2003
    Smyrna, GA
    And I thought I was paranoid! Jesus.
  4. mindonmatter


    Dec 6, 2003
    Houston, TX
    No kidding! ;P

    Forget most of that crap. Forget disabling every single component of IE (Flash, ActiveX, cookies, etc.) and ruining your browsing experience. Get a good firewall and antivirus program. Besides those two things, FREQUENT backups are your best friend (I'd recommend an extra hard drive and Norton Ghost). No matter what some hacker manages to do to your PC, you can always resort to your backup. Let your hair down, relax, and enjoy the internet. No one's going to jump through your PC and strangle you.