answerworks won't go away, and I have another virus already!

Discussion in 'Linux Networking' started by Rich Grise, Jul 13, 2005.

  1. Rich Grise

    Rich Grise Guest

    I've been getting so sick and tired of this virus crap. I'd
    abandon windows completely if I didn't need to use Autocad
    at my job. I'm running http://housecall.antivirus.com as
    I type this (Luckily, I have two computers in the office,
    Win 2000 Pro is on the other) - I'm on Thunderbird, the
    one with the viri is Daphne. So, anyway, I was having
    problems that were acting very much like a memory problem -
    I was getting access violations and fatal errors, and
    every time I shut down, it'd put up a window about
    "program is not responding... end now?" with explorer.exe
    in the title bar.

    So, anyway, since I had 256MB in Thunderbird, and an old
    48 MB stick on the bookshelf, I stuck it in the other memory
    stick, and things did improve, for a while. Well, if I
    rearranged the drives a bit, and installed Windows on
    Daphne, I discovered during my diagnosis, I could have
    768 MB in Daphne. Got all the drives swapped around -
    well, actually, I just swapped Thunderbird and Daphne
    under the desk, and moved hdd from Thunderbird to
    Daphne - but then had to find a partition on Daphne
    to install W2K - so this is a fresh install on an
    essentially Windows-pristine computer - all I had
    ever had on Daphne has been Linux. Slackware 10.0.

    OK, more background - ops is our "Server." It has
    a Samba server, one instance of Apache, and masquerades
    the DSL to the LAN, on 10.0.0.* . It's running rc.firewall
    that I got from some website that seems to be down...
    Yeah: This firewall:
    ---
    #!/bin/bash
    #
    # rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
    # http://projectfiles.com/firewall/
    #
    # Copyright (C) 2001-2003 Scott Bartlett <>
    #...
    ---
    And the website is still timing out.

    Anyways, this firewall has a "BLACKLIST" clause, but clearly
    I haven't got the right malware sites blacklisted yet.

    The problem is, I'm getting viruses. When Autocad wouldn't
    work on Daphne, with a fresh install, not even plugged
    into the network - and this is a fresh Windows 2000, WITH
    format, and a fresh Autocad, and NOT EVEN PLUGGED IN!!!!

    Answerworks Runtime installed itself.

    Again.

    Not even plugged into the fucking NETWORK! That's
    black fucking magic.

    So, anyway, I decided to bite the bullet, and do something
    about these viruses. I haven't been able to find anything
    at all on getting rid of answerworks runtime and making
    it not install itself - everybody seems to like it. Problem
    is, there's a correlation - every time Autocad breaks,
    it turns out Answerworks has installed itself again.

    So I'd like to find out how to make that go away and
    not come back.

    I did some serious googling on viruses and trojans and
    stuff, and did come up with this:
    http://www.claymania.com/removal-trojan-adware.html

    I've followed their instructions to the letter, on another
    fresh clean install of W2K, and while in safe mode -
    incidentally, they did turn up some really vicious-sounding
    stuff!

    Right at this very moment, I have the W2K box (Thunderbird)
    booted in "safe mode with networking", and am in the
    middle of http://housecall.antivirus.com 's check, and
    it reports "PE_Parite A", 9 times, Aw, ****! One of them
    is in mamepp.exe, which is supposed to only be MAME -
    Multiple Arcade Machine Emulator, so I can play Mr. Do!
    and Bubble Bobble and Centipede and PacMan and Donkey
    Kong! Geez, guess I'll have to look at Xmame again...
    1 Worm/Trojan horse detected:
    PE PARITE A File Infector

    They call ordinary cookies "spyware" - heh.

    Microsoft Vulnerability Check:
    Oh. There's 6, but the fix for them is to go to MS's
    patch page.

    OK, so there's the PE PARITE.

    Answerworks hasn't installed itself yet...

    But on top of that, I went to run s-t-i-n-g-e-r, from
    http://www.claymania.com/removal-trojan-adware.html ,
    and it gave an error message: "Caution! May Be Infected!"
    So I downloaded stinger again, and the one that said that
    it might be infected was about 200K bigger.

    So, I looked up housecalls, lessee - I should run the
    other ones - but I can do that any time; I hope I've
    made my point about the virus problems and that I am
    trying to do something about them on my own, and not
    having any damn success.

    But I have a "firewall"! - oh, yeah, did I say that
    their website is down?

    Well, here's the whole script - it gets run during
    etc/rc.d/rc.inet2, FWIW.
    http://neodruid.org/rc.firewall.txt

    But I had only just downloaded it and installed it
    about a year ago, and forgot about it - none of the
    other doze units on the LAN seem to have a virus problem,
    albeit I did see on the PHBs computer, while I
    was looking over his shoulder and he was showing
    me something, that three times within less than
    a minute, there were popup warnings that an attack
    was in progress.

    That's not supposed to happen!
    (he evidently has some commercial live virus
    blocker, but I have no money. )-;)

    And, I've got two ethernet interfaces on my box,
    and only activate one in Linux, and the other in
    Windows, so that I was able to put the
    DENY_OUTBOUND clause in the settings part of the
    firewall. It doesn't seem to help.

    I'm not going to ask somebody to teach me how to
    write a firewall, and I don't think I'll ever
    understand IPTABLES; and I should be asking the
    Windows folks if there's something I can do to
    Windows to keep that stuff out?

    Also, yesterday, while doing all of those scans,
    I also did Windows Update while in "safe" mode.

    I also now have a broken Windows Explorer - blank
    folders pane, AND, when I went to move the Minesweeper
    shortcut from start/program files/accessories/games
    to start, it dragged all right, but at the start
    menu, it didn't drop or prompt me or anything -
    the little black bar just disappeared.

    But, is there a URL or block of URLs that have been
    determined to be where all those viri are coming
    from, so I could blacklist them?

    I think I know that sniffing for content requires
    an entire proxy server, but if I can't even get
    IPTABLES right, how am I supposed to configure
    a proxy server?

    This all has to be freeware, of course. I have
    no money.

    Of course, the ideal proxy server would be the
    one where the defaults are everything's closed,
    and I could go into a GUI and click which luser
    is allowed to do what.

    Essentially, I want to completely block the
    internet from me, while still being able to
    access the Samba server. "DENY_OUTBOUND"
    doesn't seem to do that yet, and I can't
    operate the free on-line scanners that
    way. Then, I'd want the boss and the CFO
    to have their internet access, but if possible,
    block malware before it gets to them. Of course,
    if a proxy server did that, then it'd be safe
    for me to go to the internet in Doze - Doze
    does still have the purtyer eye candy!

    A list of malware IPs that should be blacklisted
    would be cool.

    And, presumably, it's easy to do.

    Or a dead-easy, copy the script and run it and
    you're safe, kind of proxy server.

    There is no email server here - just HTTP port
    80, is the ONLY thing I want getting through.

    Oh - I could go to, is it, say, etc/services?

    And just close all of the ports there?

    no, that's not it - ... inetd.conf.

    The only things I have uncommented in inetd.conf
    on ops (the "Server") are:
    time stream tcp nowait root internal
    time dgram udp wait root internal
    ftp stream tcp nowait root /usr/sbin/tcpd proftpd
    comsat dgram udp wait root /usr/sbin/tcpd in.comsat
    auth stream tcp wait root /usr/sbin/in.identd in.identd

    Any comments? (on any of this rambling dissertation?)

    Thanks,
    Rich
     
    Rich Grise, Jul 13, 2005
    #1

  3. Rich Grise

    Baho Utot Guest


    Get yourself a _REAL_ system admin
     
    Baho Utot, Jul 13, 2005
    #3
  4. Rich Grise

    Guest Guest

    Does any of this have anything to do with this News Group
    comp.os.linux.networking ???

    If so ASK an understandable question
    but by all means learn how to post to newsgroups.
     
    Guest, Jul 14, 2005
    #4
  5. Rich Grise

    legg Guest

    Try alt.comp.anti-virus.

    Doesn't sound like you're getting much work done. Hope you're not
    interfering with others' ability to do so.

    RL
     
    legg, Jul 14, 2005
    #5
  6. Rich Grise

    Rich Grise Guest

    [crossposted all over the place, but I've set followups-to to
    sci.electronics.design, because that's my primary hangout.]
    [long virus/trojan whine]
    Sounds like a good idea.
    No, just my own. In fact, that's another thing about the problem that was
    so baffling - none of the other computers on the LAN seem to have the same
    problem!

    But I seem to be making progress - I've just checked the control panel/
    add/remove programs applet, and answerworks wasn't there! :) :) :)

    And I ran Autocad Mechanical Desktop just now, and didn't get the fatal
    error. :) :) :)

    I still have some trepidation, however. But, like they say, all you
    can do is what's next. :)

    Thanks!
    Rich
     
    Rich Grise, Jul 15, 2005
    #6
  7. Rich Grise

    Rich Grise Guest

    Is there a freeware firewall that will prevent viri, trojans,
    spamware, and all that from installing themselves on a half-
    dozen Windows 2000 workstations on a simple Samba share?

    IOW, It'd do the firewall in lieu of masquerading from
    [public ip] to [10.0.0.*].

    "Server" name ops, currently serving up www.abiengr.com,
    and serving Samba shares to the 10.0.0.* LAN.

    Thanks!
    Rich
     
    Rich Grise, Jul 15, 2005
    #7
  8. Rich Grise

    Guest Guest

    A firewall limits connections thru it. Viruses/spyware are
    piggybacked on traffic allowed into a machine. Not really
    a related issue.

    They are rarely a LINUX problem. Usually open holes in WINBLOWS allow
    viruses/spyware to take hold.
    What does a file server ... SAMBA have to do with viruses/spyware ???
    Sorry, I can't get a clue what you are asking.
     
    Guest, Jul 15, 2005
    #8
  9. Rich Grise

    JeffM Guest

    When Autocad wouldn't work on Daphne, with a fresh install,
    Google fumbled your original post, so I'll pick up the thread here.

    I think your problem might be the same mess
    that Paul Hovnanian was encountering in this thread:
    http://groups-beta.google.com/group...n+Autocad+copy-protection-scheme+66.102.7.104

    I believe the problem is the trojan that ships with AutoCAD:
    http://66.102.7.104/search?q=cache:...it-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-versions

    Clearing the old infection (one-installation-per-purchase code)
    from the boot sector of the HDD, requires an FDISK if I'm correct.
     
    JeffM, Jul 15, 2005
    #9
  10. Rich Grise

    Rich Grise Guest

    Sorry, I'm the best system admin that the company can afford. )-;

    Thanks anyway,
    Rich
     
    Rich Grise, Jul 16, 2005
    #10
  11. On Wed, 13 Jul 2005 21:36:28 +0000, Rich Grise wrote:

    OK, may I have a drum roll please? I'm about to issue the command:
    # while [ 1 = 1 ] ; do echo Hello! ; done | dd of=/dev/hdb2
    ..
    That oughta get rid of that pesky file system, huh?

    Hell, it wouldn't be the end of the world - there's another
    8 GB partition on the other drive from when it was in the
    other computer.

    Well, here goes!

    Thanks!
    Rich
     
    Rich Grise, but drunk, Jul 16, 2005
    #11
  12. Rich Grise

    Rich Grise Guest

    Not that much, except that SAMBA and internet routing are on the same box.
    "How do I get rid of these viruses and make them not come back?"

    Thanks,
    Rich
     
    Rich Grise, Jul 16, 2005
    #12
  13. Rich Grise

    Baho Utot Guest

    Maybe try
    dd if=/dev/zero of=/dev/hdb2 bs=1024k &
     
    Baho Utot, Jul 16, 2005
    #13
  14. Rich Grise

    Rich Grise Guest

    Thanks, but the dd above seems to have solved the problem - I let
    it run for a couple of hours, broke out of it, and am now enjoying
    a nice, clean pristine Windows install. And the computer is not
    connected to the internet.

    Now, who was that guy who said I should "Harden" it? Will I still
    be able to get to the LAN/gateway? And to the "windows update" site?

    I tried that site before - ah heck, I attribute:

    From Art <>:

    .... Let me see if I can
    help just a little bit. And let's begin with a fresh install of
    Win 2K. What do you do if you don't have a external
    hardware router/firewall? You're screwed because you
    can't go on line to do Windows Update or download a
    software firewall. Your new Windows install is likely to
    be compromised in just minutes since you will have open
    ports. So let's start there. You can use these instructions
    I wrote for just such a situation:

    http://www.claymania.com/windows2000-hardening.html

    Now that it's safe to go on line for the first time, do a
    Windows update. Let it install all the critical security
    patches, IE 6, sp4 and the new rollup.


    My mistake when trying that, the last time, was, presumably,
    doing all that stuff after I was already infected - the
    first effect I noticed was that I couldn't contact my own
    LAN any more. There are three computers in my office:
    Thunderbird, the one I'm using now, Daphne, the one that's
    undergoing yet another Windows installation, and Ops (Oops!
    Almost typed Ops's name as Oops, or Oooops! Wouldn't that
    be ironic!), which has the DSL on eth0 and the LAN on
    eth1 by way of a hub and/or switch. I've got internet
    connection sharing enabled by way of rc.firewall - but that's
    been pretty much answered - without a full-on proxy server,
    intercepting packets to examine them for viral content is
    a losing game, since the viri seem to piggyback themselves
    onto legitimate stuff ... I'm wondering how that's
    even possible....

    Welp, back to the latest Windows install! TTYL!

    Thanks!
    Rich
     
    Rich Grise, Jul 16, 2005
    #14
  15. Rich Grise

    Rich Grise Guest

    Well, I've followed instructions to the letter, and also
    installed PC-cillin, and updated it right after I did
    the first "critical update", and all seems fine,

    EXCEPT

    Now I can't access the Samba shares. I'm guessing that
    Samba needs one of the ports that got closed in that
    "Hardening" process. Interestingly, I'm getting to the
    internet just fine.

    And asking is sort of a last resort here - of the
    half-dozen or so things that got turned off in "Hardening",
    how do I find out which things to turn on to access my
    Samba shares? The Samba manual,
    http://us3.samba.org/samba/docs/using_samba/ch03.html
    tells how to do all of the standard setup, but not
    which ports it needs. And I've looked through my
    server's inetd.conf, and /etc/services, and even
    searched smb.conf for the string "port", and nothing
    so far has said, "Oh, Samba needs port so-and-so open."

    So, is this a quickie?

    Thanks!
    Rich
     
    Rich Grise, Jul 19, 2005
    #15
  16. IIRC 137/138/139, 445 and if you are dumb enough to use wins 1512
    should be in /etc/services.
     
    Michael Heiming, Jul 19, 2005
    #16
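    A defender-side follow-up to this answer, added here as an example and not part of the thread or of the rc.firewall script: an iptables fragment for the gateway (ops) that admits those Samba ports only from the 10.0.0.0/24 LAN on eth1 and drops them on the DSL side (eth0), so the shares stay reachable while SMB is neither exposed to nor forwarded out to the internet. Interface names and the LAN range are taken from the thread; the iptables command syntax is assumed to be the standard one, with no extension modules.

```bash
#!/bin/bash
# Added example (not from the thread or from rc.firewall): generate iptables rules
# that keep Samba reachable from the LAN only. Run with "apply" as root to load
# them; with no argument the rules are only printed for review.
LAN_IF=eth1          # LAN side of ops, per the thread
WAN_IF=eth0          # DSL side of ops, per the thread
LAN_NET=10.0.0.0/24  # the 10.0.0.* LAN

# Ports Samba needs, as given in the answer above: 137/udp NetBIOS name service,
# 138/udp NetBIOS datagram, 139/tcp NetBIOS session, 445/tcp SMB over TCP.
smb_rules() {
    cat <<EOF
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 137:139 -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 139 -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 445 -j DROP
iptables -A FORWARD -o $WAN_IF -p udp --dport 137:139 -j DROP
iptables -A FORWARD -o $WAN_IF -p tcp --dport 139 -j DROP
iptables -A FORWARD -o $WAN_IF -p tcp --dport 445 -j DROP
EOF
}
# The FORWARD rules stop LAN workstations from reaching SMB on the internet,
# so an infected box cannot spread over port 139/445 through the gateway.

# Sanity check: number of rules that touch the DSL interface (expected 6,
# three INPUT drops and three FORWARD drops).
wan_rule_count() {
    smb_rules | grep -c -E -- "-(i|o) $WAN_IF"
}

if [ "${1:-}" = apply ]; then
    # Word splitting on $rule is intentional: each line is one command.
    smb_rules | while read -r rule; do $rule; done
else
    smb_rules
fi
```

Each "apply" appends the rules again, so flush the chains or check with iptables -C before re-running it on a live gateway.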
  17. Rich Grise

    Rich Grise Guest

    Thanks for this - I finally just uninstalled TCP/IP and
    reinstalled it, and everything's working fine, knock on
    wood!

    Thanks for the help!
    Rich
     
    Rich Grise, Jul 20, 2005
    #17
  18. Rich Grise

    Rich Grise Guest

    I know, bad form to crosspost, and bad form to reply to oneself -
    but I've got an update, and if you want to see my original whine,
    it's all at the bottom.

    Anyway, I've been tearing my hair out with this computer - that
    God-Damned answerworks runtime keeps installing itself, like that
    "keeper" thing from Babylon 5: "It grows back ... it always grows
    back..."

    But I haven't been able to find anything about how to make it
    not install itself - everything I can find about it is that
    it's the best thing since buttered toast, even _necessary_ for
    some programs.

    Two problems with that:
    When it installs itself, it breaks Autocad.
    I feel violated that there's software that installs itself,
    when I haven't given it permission. And I don't know how to
    make it stop, and neither, apparently, does anybody else on
    the planet.

    Well, I think I've fixed it.

    Answerworks runtime always lets me uninstall it from the Add/
    Remove Programs applet, but it asks "Remove these shared dlls?"
    So, this time, instead of saying, "Yes to all", I wrote down
    the name of each one and clicked "yes" through about a half-
    dozen of these dlls. Then, I windows explored to D:\WINNT\
    System32 and created empty files with all six or so of those
    names, and made them read-only.

    Lo and behold, I do a fresh Autocad install, and AFTER the
    installer is DONE (Click "FINISH"), it gives me a dialog: "attempting
    to write to write protected file awrtl30.dll. Overwrite?"
    HA! GOTCHA! I said no. FINALLY! I believe I've blocked that
    insidious thing from my computer.

    Well so far, the computer is working, knock on wood and keep
    your fingers crossed.

    Yeah, it's a kluge, but it seems to be getting the job done.

    Cheers!
    Rich
     
    Rich Grise, Jul 22, 2005
    #18