Networking Forums > Computer Networking > Linux Networking > answerworks won't go away, and I have another virus already!

answerworks won't go away, and I have another virus already!

 
 
Rich Grise
07-13-2005, 09:36 PM
I've been getting so sick and tired of this virus crap. I'd
abandon windows completely if I didn't need to use Autocad
at my job. I'm running http://housecall.antivirus.com as
I type this (Luckily, I have two computers in the office,
Win 2000 Pro is on the other) - I'm on Thunderbird, the
one with the viri is Daphne. So, anyway, I was having
problems that were acting very much like a memory problem -
I was getting access violations and fatal errors, and
every time I shut down, it'd put up a window about
"program is not responding... end now?" with explorer.exe
in the title bar.

So, anyway, since I had 256MB in Thunderbird, and an old
48 MB stick on the bookshelf, I stuck it in the other memory
stick, and things did improve, for a while. Well, if I
rearranged the drives a bit, and installed Windows on
Daphne, I discovered during my diagnosis, I could have
768 MB in Daphne. Got all the drives swapped around -
well, actually, I just swapped Thunderbird and Daphne
under the desk, and moved hdd from Thunderbird to
Daphne - but then had to find a partition on Daphne
to install W2K - so this is a fresh install on an
essentially Windows-pristine computer - all I had
ever had on Daphne has been Linux. Slackware 10.0.

OK, more background - ops is our "Server." It has
a Samba server, one instance of Apache, and masquerades
the DSL to the LAN, on 10.0.0.* . It's running rc.firewall
that I got from some website that seems to be down...
Yeah: This firewall:
---
#!/bin/bash
#
# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
# http://projectfiles.com/firewall/
#
# Copyright (C) 2001-2003 Scott Bartlett <(E-Mail Removed)>
#...
---
And the website is still timing out.

Anyways, this firewall has a "BLACKLIST" clause, but clearly
I haven't got the right malware sites blacklisted yet.

The problem is, I'm getting viruses. When Autocad wouldn't
work on Daphne, with a fresh install, not even plugged
into the network - and this is a fresh Windows2000, WITH
format, and a fresh Autocad, and NOT EVEN PLUGGED IN!!!!

Answerworks Runtime installed itself.

Again.

Not even plugged into the fucking NETWORK! That's
black fucking magic.

So, anyway, I decided to bite the bullet, and do something
about these viruses. I haven't been able to find anything
at all on getting rid of answerworks runtime and making
it not install itself - everybody seems to like it. Problem
is, there's a correlation - every time Autocad breaks,
it turns out Answerworks has installed itself again.

So I'd like to find out how to make that go away and
not come back.

I did some serious googling on viruses and trojans and
stuff, and did come up with this:
http://www.claymania.com/removal-trojan-adware.html

I've followed their instructions to the letter, on another
fresh clean install of W2K, and while in safe mode -
incidentally, they did turn up some really vicious-sounding
stuff!

Right at this very moment, I have the W2K box (Thunderbird)
booted in "safe mode with networking", and am in the
middle of http://housecall.antivirus.com 's check, and
it reports "PE_Parite A", 9 times, Aw, FUCK! One of them
is in mamepp.exe, which is supposed to only be MAME -
Multiple Arcade Machine Emulator, so I can play Mr. Do!
and Bubble Bobble and Centipede and PacMan and Donkey
Kong! Geez, guess I'll have to look at Xmame again...
1 Worm/Trojan horse detected:
PE PARITE A File Infector

They call ordinary cookies "spyware" - heh.

Microsoft Vulnerability Check:
Oh. There's 6, but the fix for them is to go to MS's
patch page.

OK, so there's the PE PARITE.

Answerworks hasn't installed itself yet...

But on top of that, I went to run s-t-i-n-g-e-r, from
http://www.claymania.com/removal-trojan-adware.html ,
and it gave an error message: "Caution! May Be Infected!"
So I downloaded stinger again, and the one that said that
it might be infected was about 200K bigger.

So, I looked up housecalls, lessee - I should run the
other ones - but I can do that any time; I hope I've
made my point about the virus problems and that I am
trying to do something about them on my own, and not
having any damn success.

But I have a "firewall"! - oh, yeah, did I say that
their website is down?

Well, here's the whole script - it gets run during
etc/rc.d/rc.inet2, FWIW.
http://neodruid.org/rc.firewall.txt

But I had only just downloaded it and installed it
about a year ago, and forgot about it - none of the
other doze units on the LAN seem to have a virus problem,
albeit I did see on the PHBs computer, while I
was looking over his shoulder and he was showing
me something, that three times within less than
a minute, there were popup warnings that an attack
was in progress.

That's not supposed to happen!
(he evidently has some commercial live virus
blocker, but I have no money. )-

And, I've got two ethernet interfaces on my box,
and only activate one in Linux, and the other in
Windows, so that I was able to put the
DENY_OUTBOUND clause in the settings part of the
firewall. It doesn't seem to help.

I'm not going to ask somebody to teach me how to
write a firewall, and I don't think I'll ever
understand IPTABLES; and I should be asking the
Windows folks if there's something I can do to
Windows to keep that stuff out?

Also, yesterday, while doing all of those scans,
I also did Windows Update while in "safe" mode.

I also now have a broken windows explorer - blank
folders pane, AND, when I went to move the minesweeper
shortcut from start/program files/accessories/games
to start, it dragged all right, but at the start
menu, it didn't drop or prompt me or anything -
the little black bar just disappeared.

But, is there a URL or block of URLs that have been
determined to be where all those viri are coming
from, so I could blacklist them?

I think I know that sniffing for content requires
an entire proxy server, but if I can't even get
IPTABLES right, how am I supposed to configure
a proxy server?

This all has to be freeware, of course. I have
no money.

Of course, the ideal proxy server would be the
one where the defaults are everything's closed,
and I could go into a GUI and click which luser
is allowed to do what.

Essentially, I want to completely block the
internet from me, while still being able to
access the Samba server. "DENY_OUTBOUND"
doesn't seem to do that yet, and I can't
operate the free on-line scanners that
way. Then, I'd want the boss and the CFO
to have their internet access, but if possible,
block malware before it gets to them. Of course,
if a proxy server did that, then it'd be safe
for me to go to the internet in Doze - Doze
does still have the purtyer eye candy!

A list of malware IPs that should be blacklisted
would be cool.

And, presumably, it's easy to do.

Or a dead-easy, copy the script and run it and
you're safe, kind of proxy server.

There is no email server here - just HTTP port
80, is the ONLY thing I want getting through.

Oh - I could go to, is it, say, etc/services?

And just close all of the ports there?

no, that's not it - ... inetd.conf.

The only things I have uncommented in inetd.conf
on ops (the "Server") are:
time stream tcp nowait root internal
time dgram udp wait root internal
ftp stream tcp nowait root /usr/sbin/tcpd proftpd
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
auth stream tcp wait root /usr/sbin/in.identd in.identd

Any comments? (on any of this rambling dissertation?)

Thanks,
Rich
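
As an added example (not the rc.firewall script linked in the post, and not code by its author): a default-deny forwarding policy for a masquerading Linux gateway like ops that implements the "only HTTP port 80 gets through" intent above, while leaving LAN-side Samba access to ops untouched, since that traffic hits the INPUT chain rather than FORWARD. Interface names, the /24 prefix on 10.0.0.*, the SSH rule and the two allowed workstation addresses are assumptions not stated in the thread.

```shell
#!/bin/sh
# Added example: default-deny FORWARD policy for a masquerading gateway such
# as "ops". Not the rc.firewall script from the post, not the author's code.
# Assumptions (not from the thread): LAN on eth1 as 10.0.0.0/24, DSL on eth0,
# and only the two sample addresses below are allowed to browse. Every other
# LAN host can still reach the Samba shares on ops (INPUT traffic) but cannot
# initiate anything to the internet (FORWARD traffic).

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
# Constructed sample values: hosts permitted to make HTTP (TCP/80) requests.
WEB_ALLOWED="${WEB_ALLOWED:-10.0.0.10 10.0.0.11}"

# build_rules prints one iptables command per line and changes nothing, so
# the policy can be reviewed (or tested) before it is applied.
build_rules() {
    ipt="iptables"
    # Start clean and deny by default whatever is not explicitly allowed.
    echo "$ipt -F"
    echo "$ipt -t nat -F"
    echo "$ipt -P INPUT DROP"
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -P OUTPUT ACCEPT"
    # Loopback, plus replies to connections the gateway or the LAN opened.
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Samba on the gateway, reachable only from the LAN interface.
    echo "$ipt -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 137:138 -j ACCEPT"
    echo "$ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 139 -j ACCEPT"
    echo "$ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 445 -j ACCEPT"
    # SSH from the LAN so the box stays manageable (assumed; drop if unused).
    echo "$ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # Apache on the gateway serves a public site, so TCP/80 is open to all.
    echo "$ipt -A INPUT -p tcp --dport 80 -j ACCEPT"
    # Browsing hosts may open HTTP and DNS through the gateway; nothing else.
    for host in $WEB_ALLOWED; do
        echo "$ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p tcp --dport 80 -m state --state NEW -j ACCEPT"
        echo "$ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p udp --dport 53 -j ACCEPT"
    done
    # Log (rate-limited) what the LAN tries to send out and is denied: an
    # infected workstation trying to phone home shows up in the kernel log.
    echo "$ipt -A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix FWD-DROP:"
    # Masquerade only the traffic the FORWARD chain let through.
    echo "$ipt -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# apply_rules runs the generated commands (root required); with --dry-run it
# only prints them. Returns non-zero if any iptables command fails.
apply_rules() {
    if [ "${1:-}" = "--dry-run" ]; then
        build_rules
        return 0
    fi
    # sh -e stops at the first failing iptables command.
    build_rules | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Invoked as a script: "sh gateway-fw.sh --dry-run" prints the policy and
# "sh gateway-fw.sh --apply" installs it. With no argument nothing changes.
case "${1:-}" in
    --dry-run) apply_rules --dry-run ;;
    --apply)   apply_rules ;;
esac
```

Because the FORWARD policy is DROP, a workstation that is not in WEB_ALLOWED keeps its Samba access to ops but every outbound attempt it makes is logged under the FWD-DROP: prefix, which is the cheapest form of detection this setup can get.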

 
Rich Grise
07-13-2005, 09:58 PM
On Wed, 13 Jul 2005 21:36:28 +0000, Rich Grise wrote:

> Well, here's the whole script - it gets run during
> etc/rc.d/rc.inet2, FWIW.
> http://neodruid.org/rc.firewall.txt


FWIW, here's the output of iptables -L on ops (the
"server" with the "firewall".)
http://neodruid.org/iptables_-L.txt
>
> Any comments? (on any of this rambling dissertation?)


Thanks!
Rich

 
Baho Utot
07-13-2005, 10:00 PM
begin virus.scr.txt On Wed, 13 Jul 2005 21:36:28 +0000, Rich Grise wrote:

Get yourself a _REAL_ system admin


--
Tayo'y Mga Pinoy

 
SEND NO SPAM
07-13-2005, 11:00 PM
Does any of this have anything to do with this News Group
comp.os.linux.networking ???

If so ASK an understandable question
but by all means learn how to post to newsgroups.


Rich Grise wrote:

 
legg
07-14-2005, 01:43 AM
On Wed, 13 Jul 2005 21:36:28 GMT, Rich Grise <(E-Mail Removed)>
wrote:


Try alt.comp.anti-virus.

Doesn't sound like you're getting much work done. Hope you're not
interfering with others' ability to do so.

RL
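Taking the requirements in the quoted post (a 10.0.0.* LAN masqueraded behind ops, only HTTP allowed out, Samba reachable from the LAN only, a handful of inetd services that nobody on the DSL side should see), here is an added example, not the projectfiles.com rc.firewall and not anything Rich posted, of what that ruleset looks like in plain iptables. The interface names (ppp0, eth0), the NO_NET_HOSTS list and the DNS rule are assumptions. Two points worth spelling out: rules that govern the LAN hosts belong in the FORWARD chain, since OUTPUT only applies to traffic the gateway itself originates; and browsers on an HTTP-only LAN still need name resolution, so UDP/53 is let out as well. A packet filter of this kind does not look inside the HTTP it permits, so whatever a site serves on port 80 still reaches the workstation; that is the gap a filtering proxy would have to close.

```shell
#!/bin/sh
# Added example (not the thread's rc.firewall): an iptables ruleset for a
# Linux box that masquerades a 10.0.0.0/24 LAN to a DSL link, serves HTTP and
# Samba itself, and lets LAN hosts out on HTTP only.  Assumptions: the
# interface names, DNS going out as UDP/53, and the NO_NET_HOSTS list.
EXT_IF="${EXT_IF:-ppp0}"              # assumed: the DSL side
LAN_IF="${LAN_IF:-eth0}"              # assumed: the 10.0.0.* side
LAN_NET="10.0.0.0/24"                 # the LAN named in the thread
NO_NET_HOSTS="${NO_NET_HOSTS:-}"      # assumed: LAN hosts denied any Internet, e.g. "10.0.0.5"
IPT="${IPT:-iptables}"

# build_rules prints one iptables argument list per line, so the ruleset can
# be read or diffed before anything is applied.
build_rules() {
  cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 137:138 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 139 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 445 -j ACCEPT
EOF
  # Hosts that must not reach the Internet at all.  These DROPs are emitted
  # before the HTTP ACCEPT because iptables matches in order; the hosts still
  # reach Samba on the gateway through the INPUT rules above.
  for h in $NO_NET_HOSTS; do
    echo "-A FORWARD -i $LAN_IF -s $h -j DROP"
  done
  cat <<EOF
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules feeds each line to iptables; run it as root.  IPT=echo rehearses
# the exact commands without touching the kernel.
apply_rules() {
  build_rules | while IFS= read -r line; do
    # shellcheck disable=SC2086 -- splitting the line into arguments is intended
    $IPT $line
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;
esac
```

Run `sh firewall.sh` to review the rules, `sh firewall.sh apply` as root to load them, and `IPT=echo sh firewall.sh apply` to see what would be executed. With INPUT defaulting to DROP, the inetd services in the quoted listing (time, ftp, comsat, auth) are not reachable on either interface; add an explicit `-A INPUT -i $LAN_IF ... -j ACCEPT` only for the ones the LAN actually uses.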
 
 
Rich Grise

 
      07-15-2005, 01:06 AM
[crossposted all over the place, but I've set followups-to to
sci.electronics.design, because that's my primary hangout.]
On Thu, 14 Jul 2005 01:43:00 +0000, legg wrote:
> On Wed, 13 Jul 2005 21:36:28 GMT, Rich Grise <(E-Mail Removed)>

[long virus/trojan whine]

> Try alt.comp.anti-virus.


Sounds like a good idea.

> Doesn't sound like you're getting much work done. Hope you're not
> interfering with others' ability to do so.


No, just my own. In fact, that's another thing about the problem that was
so baffling - none of the other computers on the LAN seem to have the same
problem!

But I seem to be making progress - I've just checked the control panel/
add/remove programs applet, and answerworks wasn't there! :-) :-) :-)

And I ran Autocad Mechanical Desktop just now, and didn't get the fatal
error. :-) :-) :-)

I still have some trepidation, however. But, like they say, all you
can do is what's next. :-)

Thanks!
Rich

 
 
Rich Grise

 
      07-15-2005, 01:12 AM
On Wed, 13 Jul 2005 23:00:07 +0000, SEND NO SPAM wrote:

> Does any of this have anything to do with this News Group
> comp.os.linux.networking ???


Yes.

> If so ASK an understandable question
> but by all means learn how to post to newsgroups.


Is there a freeware firewall that will prevent viri, trojans,
spamware, and all that from installing themselves on a half-
dozen Windows 2000 workstations on a simple Samba share?

IOW, It'd do the firewall in lieu of masquerading from
[public ip] to [10.0.0.*].

"Server" name ops, currently serving up www.abiengr.com,
and serving Samba shares to the 10.0.0.* LAN.

Thanks!
Rich

 
 
SEND NO SPAM

 
      07-15-2005, 04:00 AM
Rich Grise wrote:
>
> On Wed, 13 Jul 2005 23:00:07 +0000, SEND NO SPAM wrote:
>
>
>>Does any of this have anything to do with this News Group
>>comp.os.linux.networking ???

>
>
> Yes.
>
>
>>If so ASK an understandable question
>>but by all means learn how to post to newsgroups.

>
>
> Is there a freeware firewall that will prevent viri, trojans,
> spamware, and all that from installing themselves on a half-
> dozen Windows 2000 workstations on a simple Samba share?
>


A firewall limits connections through it. Viruses/spyware are
piggybacked on traffic allowed into a machine. Not really
a related issue.

They are rarely a LINUX problem. Usually open holes in WINBLOWS allow
viruses/spyware to take hold.

> IOW, It'd do the firewall in lieu of masquerading from
> [public ip] to [10.0.0.*].
>
> "Server" name ops, currently serving up www.abiengr.com,
> and serving Samba shares to the 10.0.0.* LAN.


What does a file server ... SAMBA have to do with viruses/spyware ???

>
> Thanks!
> Rich
>


Sorry, I can't get a clue what you are asking.
 
 
JeffM

 
      07-15-2005, 08:33 AM
>When Autocad wouldn't work on Daphne, with a fresh install,
>even not even plugged into the network
>--and this is a fresh Windows2000, WITH format,
>and a fresh Autocad, and NOT EVEN PLUGGED IN!!!!
> Rich Grise


Google fumbled your original post, so I'll pick up the thread here.

I think your problem might be the same mess
that Paul Hovnanian was encountering in this thread:
http://groups-beta.google.com/group/...e+66.102.7.104

I believe the problem is the trojan that ships with AutoCAD:
http://66.102.7.104/search?q=cache:t...*-*-*-versions

Clearing the old infection (one-installation-per-purchase code)
from the boot sector of the HDD requires an FDISK, if I'm correct.

 
 
Rich Grise

 
      07-16-2005, 05:00 PM
On Wed, 13 Jul 2005 22:00:02 +0000, Baho Utot wrote:
> begin virus.scr.txt On Wed, 13 Jul 2005 21:36:28 +0000, Rich Grise wrote:
>
>> I've been getting so sick and tired of this virus crap. I'd

....
> Get yourself a _REAL_ system admin


Sorry, I'm the best system admin that the company can afford. )-;

Thanks anyway,
Rich

 
 