PDA

View Full Version : Possible hacking of Spybot's 21320 Port



LDMarks
2014-02-20, 02:00
I have been using Spybot for many years, but have (today) been forced to remove it because it appears that it has been either hacked, or a vulnerability has been found.

Somehow my computer got infected and was acting as an open http proxy. HitmanPro found and closed Port 8080, but today Port 21320 was open and being used. (Someone at Northwestern monitors the traffic.) Following http://stackoverflow.com/questions/8688949/how-to-close-tcp-and-udp-ports-via-windows-command-line[/url] the process with this port open was ... Spybot.

After unistalling Spybot, IE showed now that my LAN was configured to use 21320 as a proxy. After deleting this something else is still setting that as a proxy (from Hitman), so it may be that something else is still present to hack that port, but its presence was hidden. Hitman closed that port for me (I wish I knew what it did).

I am not an IT professional, just a lowly Prof, so this might be wrong and there might still be something nasty....

Juliet
2014-02-20, 14:12
Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

Which browser do you mainly use....Firefox - Google Chrome?

Use NoScript here for Firefox, https://addons.mozilla.org/en-US/firefox/addon/noscript/
Google Chrome, https://chrome.google.com/webstore/detail/notscripts/odjhifogjcknibkahlpidmdajjpkkcfn

Then, read over instructions how to change your Proxy settings. IT's an easy read with easy to follow instructions.

http://www.ehow.com/how_6376938_proxy-settings.html

~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


~~~~~~~~~~~~~`

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)

(use correct version for your system.....Which system am I using? (http://support.microsoft.com/kb/827218))
and Tutorial http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



Please post
Rkill log
FRST.txt and the Addition.txt

LDMarks
2014-02-20, 17:41
I will do what is suggested in a bit and post information, but separate from this I will comment that I already did most of what is suggested. A key point is that the Proxy was NOT solved/removed by what was suggested in the post. I ran rkill and it did not find the issue, neither did HitmanPro, TrendsMicro (the USB scan I think), Kaspersky, adwcleaner, JRT, Malware Bytes, NPE, Symantec (and maybe one or two others). The solution was to uninstall Spybot when the proxy appeared in the IE LAN settings. This strongly suggests that Spybot configuration files got hacked. I have these (probably) on a backup, I assume they are in Local Data or similar if someone can suggest where to look.

One thing which concerns me is that there might be a connection to the automatic proxy detection which now seems to be the Microsoft default, and I wonder if this was (or will be) set by Windows Updates.

Some comments inlined.


Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

Which browser do you mainly use....Firefox - Google Chrome? Both

Use NoScript here for Firefox, https://addons.mozilla.org/en-US/firefox/addon/noscript/
Google Chrome, https://chrome.google.com/webstore/detail/notscripts/odjhifogjcknibkahlpidmdajjpkkcfn

Then, read over instructions how to change your Proxy settings. IT's an easy read with easy to follow instructions.

http://www.ehow.com/how_6376938_proxy-settings.html
This did not show anything

~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)

rkill was ran, did not repair the 21320 port issue

~~~~~~~~~~~~~`

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)

(use correct version for your system.....Which system am I using? (http://support.microsoft.com/kb/827218))
and Tutorial http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



Please post
Rkill log
FRST.txt and the Addition.txt

Juliet
2014-02-20, 18:29
One thing which concerns me is that there might be a connection to the automatic proxy detection which now seems to be the Microsoft default, and I wonder if this was (or will be) set by Windows Updates.
As far as I know it is a Microsoft Windows default but, now if it was set or changed under Windows Updates is a good question.
I checked to see if there was a networking forum here and did not find one. If you like I can suggest one here http://forums.whatthetech.com/index.php?showforum=128 or http://forums.pcpitstop.com/index.php?/forum/8-networking-email-and-internet-connections/ that might be able to look into this further than I can, I just don't have that knowledge.

If you would like to continue with looking for malware, let's proceed.

LDMarks
2014-02-20, 19:10
Tell ya what we can do, look for malware and remove it then change out settings and see what happens.

Please post
Rkill log
FRST.txt and the Addition.txt

Attached, I had to zip FRST.txt

LDMarks
2014-02-20, 19:13
Posting elsewhere is a thought, but those forums don't exactly look to be specific enough so let's leave it for now.


As far as I know it is a Microsoft Windows default but, now if it was set or changed under Windows Updates is a good question.
I checked to see if there was a networking forum here and did not find one. If you like I can suggest one here http://forums.whatthetech.com/index.php?showforum=128 or http://forums.pcpitstop.com/index.php?/forum/8-networking-email-and-internet-connections/ that might be able to look into this further than I can, I just don't have that knowledge.

If you would like to continue with looking for malware, let's proceed.

Juliet
2014-02-20, 20:19
Java 7 Update 45 (x32 Version: 7.0.450 - Oracle) <-- is out of date
Uninstall/remove older versions

Install Java:Version 7 Update 51

Please go here to http://www.java.com/en/download/windows_xpi.jsp?locale=en


http://www.java.com/en/download/help/plugin_cache.xml
clear the Java cache

~~~~~~~~~~~~~

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)



start
HKLM-x32\...\Run: [] - [X]
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {49666E02-3F1D-4082-8D00-2594D65C9293} URL =
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
C:\Users\LDM\AppData\Local\Temp\Quarantine.exe
end

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


~~~~~~~~~~~~~~~~~~~~`

Go here (http://go.eset.com/us/online-scanner) to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activeX control to install
Click Start Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
When the scan completes, press the LIST OF THREATS FOUND button
Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish


please post:
Fixlog.txt
Eset log

LDMarks
2014-02-20, 21:46
A few comments, then see attachments:
* The hosts file entries were all Spybot redirects to 127.0.0.1, which appear to be standard (deleted anyway).
* The no scripts that you suggested I install appear to be problematic, for instance the break the Java uninstall old versions and ESET won't run in Chrome (used IE).
* There is an issue with Java for both Chrome & Firefox which I've seen before. Probably OK although the verify Java in the web page no longer works.
* You did not mention ee (which I noticed was in the prior logs) -- this is just a simple linux editor as I hate vi.

The EST scanner is taking a long time (forever to scan cygwin), and I have to use my laptop to teach I class in a few minutes so have to terminate it (and rerun later). So far no threats found. The other log is attached as I have to break my internet connection.

Juliet
2014-02-20, 22:26
A few comments, then see attachments:
* The no scripts that you suggested I install appear to be problematic, for instance the break the Java uninstall old versions and ESET won't run in Chrome (used IE).
* There is an issue with Java for both Chrome & Firefox which I've seen before. Probably OK although the verify Java in the web page no longer works.

The EST scanner is taking a long time (forever to scan cygwin), and I have to use my laptop to teach I class in a few minutes so have to terminate it (and rerun later). So far no threats found. The other log is attached as I have to break my internet connection.

I didn't post the Java verify page, (I might be misunderstanding here) I posted how to clean the Java cache,
here is the Java verify page http://www.java.com/en/download/installed.jsp

Eset is a very thorough scanner that most all malware techs use including myself. No malware found when scanning previously is a good thing.

LDMarks
2014-02-21, 14:23
ESET Online reports no threats, which is what I expected and I believe I previously removed everything.


The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.

LDMarks
2014-02-21, 15:25
A brief expansion/clarification. Previously the Event Log was showing entries where Symantec was preventing ransom malware pages to run. Symantec was reporting that program these came from was SpyBot, and at the time I misinterpreted this as just a relay via SpyBot but I now believe it was hijacked to open a proxy. Unfortunately in the process of cleaning the old Event Log has been deleted.

I have a backup with the relevant AppData (and other) directories including much/most of the Windows directory. If someone can provide me with information about where to look I can send the information; perhaps better not on this forum but offline. I would prefer to be able to use SpyBot but currently I no longer trust it to be safe.


ESET Online reports no threats, which is what I expected and I believe I previously removed everything.


The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.

Juliet
2014-02-21, 15:48
I will try to contact administrators to see what we can do with this.

Juliet
2014-02-25, 22:07
After waiting days and no reply to a personal message, I did have a little feedback from a colleague

since it appears to be a university or private lan they may be configured to use a proxy. As for the port probably in a listening state, not connected out
if its a private lan at a college then its IT people can tell the poster if a proxy setting is required.

As for SpyBot

The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.
I have no information I can add to this.

LDMarks
2014-02-28, 18:59
I was away on travel, so did not see this comment.

Good try, but no, there was nothing related to the university or private lan. It was a hack of SpyBot's proxy setup, exploiting it for other purposes, 99.99% confident. As I said before, the fact that the port had been reconfigured to act as an open http proxy only showed up when SpyBot was uninstalled, otherwise it was hidden.

I would bet that there are a decent (large?) number of machines out there running SpyBot which have also been hijacked in the same way.



After waiting days and no reply to a personal message, I did have a little feedback from a colleague

since it appears to be a university or private lan they may be configured to use a proxy. As for the port probably in a listening state, not connected out
if its a private lan at a college then its IT people can tell the poster if a proxy setting is required.

As for SpyBot

I have no information I can add to this.

Juliet
2014-02-28, 20:39
the fact that the port had been reconfigured to act as an open http proxy only showed up when SpyBot was uninstalled, otherwise it was hidden.

reset the proxy settings and clear this out.

1.Go to Control Panel>Internet Options>Connections>LAN Settings
2.Uncheck "Use a Proxy server for your LAN",and click "ok"Button.
3.Restart Internet Explorer.

3. Reset the IP/DNS settings of your interent connection:

Go to Start -> Control Panel -> Double click on Network Connections.
Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

Select the General tab.
Double click on Internet Protocol (TCP/IP).
?Under General tab:
Select "Obtain an IP address automatically".
Select "Obtain DNS server address automatically".

Click OK twice to save the settings.
Reboot if you had to change any setting.

4. Flush the DNS cache:

Click the Start logo in the bottom left corner of the screen
Click on Run or press Windows Logo+R
In the command window copy/paste the following (one at a time):


ipconfig /flushdns

netsh winsock reset
Then hit enter.
Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet

LDMarks
2014-03-02, 17:17
The proxy is gone, removed some time ago. Sorry, but you are missing the point.

When Spybot was hacked, none of what you suggested in your latest post had any effect on the proxy, it was hidden and changing the LAN settings did nothing at least with what I tried then (a month or so ago). It was only after I uninstalled Spybot that the presence of the http proxy showed up.

At the time Symantec was reporting/blocking ransom attacks (in the Windows Events log) as coming from Spybot which I misinterpreted at that time. In hindsight Symantec was correct, the port Spybot uses had been hacked. My conclusion is that there is an intrinsic vulnerability in Spybot which someone needs to pay some attention to. As I said before I have a backup where I can look to see whether the vulnerability occurs via the Spybot configuration files or somewhere else if someone can suggest where to look.


reset the proxy settings and clear this out.

1.Go to Control Panel>Internet Options>Connections>LAN Settings
2.Uncheck "Use a Proxy server for your LAN",and click "ok"Button.
3.Restart Internet Explorer.

3. Reset the IP/DNS settings of your interent connection:

Go to Start -> Control Panel -> Double click on Network Connections.
Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

Select the General tab.
Double click on Internet Protocol (TCP/IP).
?Under General tab:
Select "Obtain an IP address automatically".
Select "Obtain DNS server address automatically".

Click OK twice to save the settings.
Reboot if you had to change any setting.

4. Flush the DNS cache:

Click the Start logo in the bottom left corner of the screen
Click on Run or press Windows Logo+R
In the command window copy/paste the following (one at a time):


ipconfig /flushdns

netsh winsock reset
Then hit enter.
Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet

Juliet
2014-03-02, 18:01
I believe I was missing the point and I do understand now a little bit better.
When it sank in my first thought was 'wowssa!, that's the first I've heard of anything like this.

I did find through researching that a few other tools/scanners and programs at times did use that same port but, not many.

I am glad you found this and I have sent a message, a while back, to one of the administrators here at SaferNetworking explaining there did appear to be a vulnerability in a port Spybot created and uses.

Appears I took you for a ride in malware removal trying to find an answer, I apologize, but this is what I've trained and schooled for so that was where my mind set was and the reason for my responses.

Let me ask you a question:
When you uninstall SpyBot is it possible it had left some benign entries behind, such as ones that might have had an influence in updating for the program? I have a feeling your going to say no but I felt compelled and curious and just thought I'd ask.

I know I don't have the right answer, wish I did because I do know students I have under training right now who do follow me and the logs I work will probably be surprised I admitted to not have a solution here.

Be assured, if I receive any notification back for the message I've sent I will be happy to pass them to you.

May we now proceed to remove tools/quarantine folders and view my preventive tips?

LDMarks
2014-03-03, 18:32
No problems. I did the checks that you suggested before and I am OK that I did -- to make sure. It was also a good learning experience for me and I now have my students using some of the tools to double check my group's computers/LAN. (I know some of my PhD students have more malware on their computers, it can be almost unavoidable in a University setting with shared data -- another issue.)

Concerning any benign entries left behind when I uninstalled Spybot, no idea. It did leave a protected hosts files but some of the other tools decided to remove them.

With reservations let's go ahead with your other suggestions. I might not do everything, for instance I need to add back a few aliases into the hosts file for my linux nodes, and UAC drives me nuts.


I believe I was missing the point and I do understand now a little bit better.
When it sank in my first thought was 'wowssa!, that's the first I've heard of anything like this.

I did find through researching that a few other tools/scanners and programs at times did use that same port but, not many.

I am glad you found this and I have sent a message, a while back, to one of the administrators here at SaferNetworking explaining there did appear to be a vulnerability in a port Spybot created and uses.

Appears I took you for a ride in malware removal trying to find an answer, I apologize, but this is what I've trained and schooled for so that was where my mind set was and the reason for my responses.

Let me ask you a question:
When you uninstall SpyBot is it possible it had left some benign entries behind, such as ones that might have had an influence in updating for the program? I have a feeling your going to say no but I felt compelled and curious and just thought I'd ask.

I know I don't have the right answer, wish I did because I do know students I have under training right now who do follow me and the logs I work will probably be surprised I admitted to not have a solution here.

Be assured, if I receive any notification back for the message I've sent I will be happy to pass them to you.

May we now proceed to remove tools/quarantine folders and view my preventive tips?

Juliet
2014-03-03, 20:24
students have more malware on their computers, it can be almost unavoidable in a University setting with shared data -- another issue.)
This is not surprising. We do a lot of work on college computers.

If you feel you might have malware issues we'll continue with tools to find it, but I have a gut feeling your machine is probably clean.

Let's take steps to remove what we've already done and I'll post preventive tips you can share later with your students.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
no needed to post the log this time.





start
DeleteQuarantine:
end



~~~~~~~~~~~~~~

Please take the time to read over a few of my preventive tips.

Computer Security
http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know (http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/#)

CryptoLocker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)

to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 3 (http://www.mozilla.com/en-US/firefox/)
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
*NoScript (http://www.noscript.net) - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

AdblockPlus

AdblockPlus, Surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation, It's free!
click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOT (http://www.mywot.com/) Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/
and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ (null))


Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter (http://www.fbi.gov/cyberinvest/cyberedletter.htm)
USAToday (http://www.usatoday.com/tech/columnist/kimkomando/2006-04-13-file-sharing-woes_x.htm)
infoworld (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

*********************************************
Please read the following safe computing articles..

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)


Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

Keep a backup of your important files (http://www.geekstogo.com/2008/06/19/options-for-home-computer-data-backup-part-1/) - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

LDMarks
2014-03-05, 00:47
Thanks, done.

N.B., in the context of scientific data sharing there are some potential horrors looming; beyond college computers where the issues (with undergraduates) are obvious.


This is not surprising. We do a lot of work on college computers.

If you feel you might have malware issues we'll continue with tools to find it, but I have a gut feeling your machine is probably clean.

Let's take steps to remove what we've already done and I'll post preventive tips you can share later with your students.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
no needed to post the log this time.




~~~~~~~~~~~~~~

Please take the time to read over a few of my preventive tips.

Computer Security
http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know (http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/#)

CryptoLocker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)

to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 3 (http://www.mozilla.com/en-US/firefox/)
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
*NoScript (http://www.noscript.net) - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

AdblockPlus

AdblockPlus, Surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation, It's free!
click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOT (http://www.mywot.com/) Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/
and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ (null))


Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter (http://www.fbi.gov/cyberinvest/cyberedletter.htm)
USAToday (http://www.usatoday.com/tech/columnist/kimkomando/2006-04-13-file-sharing-woes_x.htm)
infoworld (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

*********************************************
Please read the following safe computing articles..

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)


Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

Keep a backup of your important files (http://www.geekstogo.com/2008/06/19/options-for-home-computer-data-backup-part-1/) - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Juliet
2014-03-05, 00:59
in the context of scientific data sharing there are some potential horrors looming
let's keep those computers protected!

Juliet
2014-03-09, 14:14
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Since this issue appears resolved ... this Topic is closed.