Spyware Warrior

[malc51]

Hi there,
I have been directed to this page by Nick, who has helped me with my HijackThis log, I have still got a couple of issues that are not HijackThis related, so over to you guys..... once again, thanks Nick.

For two years I have been loging on to a chat site, so while listing to our home town soccer team play, we could chat to other people from around the world about how the game is going.

This season though, after downloading...SpyBot SND...Ad-Aware 6...SpyBlaster...HijackThis...Registry Mechanic...Microsoft Baseline Security Analyzer 1.2 (all latest versions and updated)....I have not been able to connect....also subscibe to McAfee for virus and firewall protection.Date/Time

I guess one of these sites has put a block on it some where, so I checked my McAfee firewall Plus inbound events.....

I think I have found a way to sort the prob...by clicking a 'trust' link in McAfee.

Now a funny thing just happened....tried the link once again...so I could gather some info to post for you...and...yep....got a connection...but I kept my McAfee Firewall inbound event page open....now I'm not sure whether to trust them or not ?

This is how I get my conn to the chat site......

www.ccfc.co.uk........click 'match day commentary'...follow link....page connects to...irc.dal.net6666 a drop down security page appears asking if you would like to run a prog by JPIOLT (click yes)........then tries to conn to....slimey uk.ea.dal.net.....
This used to conn straight away....now I get 'pinged out' after a short period of time....except for today ? Strange that after 20+(not all at the same time) attempts it lets me in ?

Here is what my firewall log is telling me while the conn is open....

in reverse order...read bottom to top...


1) 2004/08/24 09:52:48 144.136.46.29 CPE-144-136-46-29.vic.bigpond.net,au Telnet

2) 2004/08/24 09:44:32 194.68.45.50 irc.dal.net 4254 8081 irc.dal.net port 8081 (TCP)

3) 2004/08/24 09:43:45 194.68.45.50 irc.dal.net 3821 6667 irc.dal.net IRCU

4) 2004/08/24 09:42:59 194.68.45.50 irc.dal.net 3388 23 irc.dal.net Telnet

5) 2004/08/24 09:42:13 194.68.45.50 irc.dal.net 2935 81 irc.dal.net HOST2 Main Server

6) 2004/08/24 09:41:27 194.68.45.50 irc.dal.net 2543 8080 irc,dal.net HTTP proxy scan

7) 2004/08/24 09:39:55 194.68.45.50 irc.dal.net World Wide Web HTTP.



I think no.1 is telling me that if I want to use the telnet service (I think that means the site I am trying to access) I have to open port 22......McAfee are telling me it is dangerous to do so......

I guess my question is......with all my security measures in place and up to date..."could I trust this site and still be protected from other sourses trying to abuse this port and others that are being probed "?

Here is a short extract from my McAfee firewall log...if you see anything nasty that I should report to McAfee...please let me know and I will report it......( once again in reverse order...bottom to top)

Date/Time Source IP Host name SPort DPort
2004/08/24 11:34:12 61.11.75.1 SSH remote log in protocal 6761 22

2004/08/24 11:32:06 219.154.24.150 4387 9898 MonkeyCom

2004/08/24 11:26:34 218.190.162.222 4383 9898 MonkeyCom

2004/08/24 11:26:34 218.190.162.222 4020 5554 SGI ESP HTTP

2004/08/24 11:15:17 65.35.57.9 9-57.35-65.tampabay.rr.com 5627 1080 socks

2004/08/24 11:10:54 61.18.52.192 cm61-18-52-192.hkcable.com.hk 1399 9898 MonkeyCom

2004/08/24 11:10:52 61.18.52.192 cm61-18-52-192.hkcable.com.hk 1145 5554 SGI ESP HTTP

2004/08/24 11:02:11 80.3.92.185 spr1-brig5-6-0-cust185.lond.broadband.ntl.com 4044 1025 network blackjack

2004/08/24 11:01:28 219.133.247.243 0 0 ICMP ping

2004/08/24 10:57:57 221.124.120.94 1650 9898

2004/08/24 10:57:57 221.124.120.94 1121 5554

2004/08/24 10:46:28 218.191.70.172 1992 9898

2004/08/24 10:46:28 218.191.70.172 1730 5554

2004/08/24 10:44:18 218.5.66.230 37276 22

2004/08/24 10:30:30 80.3.179.122 spr1-horn1-3-0-cust122.cosh.broadband.ntl.com 0 0

Closed chat page conn.......

2004/08/24 09:52:48 144.136.46.29 CPE-144-136-46-29.vic.bigpond.net.au 27139 23
2004/08/24 09:44:32 194.68.45.50 irc.dal.net 4254 8081
2004/08/24 09:43:45 194.68.45.50 irc.dal.net 3821 6667
2004/08/24 09:42:59 194.68.45.50 irc.dal.net 3388 23
2004/08/24 09:42:13 194.68.45.50 irc.dal.net 2935 81
2004/08/24 09:41:27 194.68.45.50 irc.dal.net


The other prob I have is conected to the www.ccfc.co.uk forums page as in that I can not post from my side of the pc, even though it is telling me I am loged on and registered.....if I go in from my wifes side of the pc...I can post no prob ?

So could have I changed a setting in my user account ?

Might have a prob with something to do with....APPLET RSAspProxyApplet HKEY-USERS\s-1-5-20

We have Windows XP sp1(updated)....have put the block on SP2 at the moment after reading some posts on this site.

Surley any 'fix' or 'block' I have done with any of the security progs would effect the system as a 'whole' and not just my user account ?

Would be greatfull for any input on my little probs and thanks for your continued suport.

Malc.
_________________
Been around a long time, but I am quite new to all this !

[mikey]

Are you be any chance using SSD's BHO content filter as described in the bottom half of this page? http://www.voiceofthepublic.com/SSD/SI/teatimer.swf.html

If you choose 'ask for blocking confirmation', then when anything is blocked, you get at least some control.


_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-

[Moore]

Hi malc.

I'm not at all familiar with Mcafee firewalls and their functions , I know its a reasonably secure firewall , but not something I'd choose.

[Moore]

[malc51]

Hi Mikey...Hi Moore...thanks for the tips and links....

No trace of a 'fix' on the HijackThis logs (can be found on the HJT forum , middle of second page under 'DSO-EXPLOIT').....but do remember seeing HKEY.......etc....on SpyBot log.....will go and take a look in a mo.....

I tried putting SND 'immunize' on "ask for blocking autherisation" and straight away a window poped up asking for me to respond......as I had no idea if it was true or false...I did nothing and re-ticked the 'block all'....

So I will go back into my McAfee Firewall and tell it to trust the 'actual remote port 6667...and see what happens...

Now then, how do I go about finding out, if my posting prob. is a prob with Javascript?.

Like to thank you once again for your time and patience.....sorry, but as it says at the bottom.................................

Malc.
_________________
Been around a long time, but I am quite new to all this !

[malc51]

Hi again, just ran SND changed 'block all' to 'alert me' on the 'immunize' section......nothing poped up.....tried to get in to chat room and now I get this instead of the conn page?

Microsoft OLE DB Provider for SQL Server<br>[DAL.cls] ExecuteSP [on MPPWEB3 version 1.1.0]<br>[Affiliates.cls] GetTag [on MPPWEB3 version 1.1.0]<br>[Affiliate.cls] GetTag [on MPPWEB3 version 1.1.0] error '80004005'

[DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.

/web/sentinel/sentinel.asp, line 73 .

Ooh, er, ...now what have I done ?.

Malc.
_________________
Been around a long time, but I am quite new to all this !

[malc51]

Hi again guys... sorry not been back sooner, been checking things out but no joy as yet....also been trying to help my sis-n-law out with the help of 3162 on the 'spyware removal' forum page under the heading 's.o.s. from....

Sorry guys, just checked my notes and I had got a bit mixed up.

I have not applied a fix to the APPLET, the fix was to do with something else entierly (just got overlapped in my notes space) .

Should of read.....APPLET RSAspProxyApplet started (but get no conn)

I can find no trace of a block on any of my progs...could really do with being pointed in the right direction on how to allow Java Applets/Java sciprt run on my pc...

Thanks for your patience in this matter...

Malc.
_________________
Been around a long time, but I am quite new to all this !

[3162]

[3162]

Why do you even need SQL?
Do you actually use it?

Cripple it in services.msc
_________________
Proud member of the Chest Zipper Club!

[3162]

OK, can't be crippled in services, will post back, after I gain 'edit' priveledges.

Sorry about this
_________________
Proud member of the Chest Zipper Club!

[3162]

Back to 'threads 101'

[malc51]

Hi there from over there over here....yep, checked services, could see no ref to SQL...

Will look into deleting the other progs tomorrow,

Thanks for your help once again.

Malc.
_________________
Been around a long time, but I am quite new to all this !

[3162]

NOT delete, cripple.
Temporarily, to see which one is causing the conflict
_________________
Proud member of the Chest Zipper Club!

[malc51]

Hi there.....well I know how to delete.....not sure how to temp...stop the progs....I right clicked on icon, properties....but could not see a away to do this from there?

So if you could point the way once again...?

Many thanks...
Malc.
_________________
Been around a long time, but I am quite new to all this !

[linc]

malc51.

To cripple a programme.
Right click the programme in the task bar
and exit the programme.
good luck.
_________________
I'm not worried by insanity--I enjoy every minute of it



URL=http://img74.echo.cx/my.php?image=installdisk3nr.jpg][/URL]

[malc51]

Hi there, thanks for that, will try!

Trying to find out about Java Appletts came across this, I know I have XP SP1, but this sounds like the prob I am having......


BUG: Internet Explorer HTTP GET Request User Agent Incorrect for Java AppletsApplies To This article was previously published under Q320055 SYMPTOMSWhen you download Java applets with Microsoft J++, Internet Explorer sends an incorrect value for the HTTP_USER_AGENT request variable.
This occurs for Microsoft Windows 2000 Professional, Service Pack 2, that runs Internet Explorer 5.5, Service Pack 2: Mozilla/4.0 (compatible; MSIE 5.5, Windows NT 5.0; T312461).When the browser tries to download a Java applet that is indicated in an Mozilla/4.0. (compatible; MSIE.5.0; Win32) CAUSEThis problem occurs with the Internet Explorer HTTP GET Request because the User Agent is incorrect for Java applets.
This occurs because the string that is associated with the HTTP.agent is taken from the hkcu\software\microsoft\windows\currentversion\internet settings\User Agent. RESOLUTIONTo work around this problem, you can modify the registry key that the Java applet is using to the USER_AGENT of the respective browser.

Note that this is a client-side fix. Therefore, the following change must be made for all client users:hkcu\software\microsoft\windows\currentversion\internet settings\user agentExample:For Internet Explorer 6.0 on Microsoft Windows XP with the .NET Framework installed, change to: Mozilla/4.0 (compatible; Microsoft Internet Explorer 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
STATUSMicrosoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATIONNOTE: This is a bug in the Microsoft virtual machine (MS JVM 4.1). This bug will not be fixed.Steps to Reproduce the Behavior1.
Before running the code, start Network Monitor. Then, after running the code, view the trace file. 2. Use the following code sample to reproduce the error:<HTML><HEAD><META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0"><TITLE></TITLE></HEAD><BODY><APPLET name=RSAspProxyApplet codebase=http://myserver/myfolder/_ScriptLibrary code=RSProxy.class height=0 width=0 VIEWASTEXT></APPLET><P>Test of APPLET tag</P></BODY></HTML>
The information in this article applies to:· Microsoft virtual machine 38xx SeriesLast Reviewed: 8/28/2002 (1.0)
Keywords: kbbug kbDSupport KB320055

Sounds like the prob I am having...but still not sure what to do or where to do it?

Maybe it will make sence to you ?

If it does...would you kindly show me the way please. thanks a lot.

Malc.
_________________
Been around a long time, but I am quite new to all this !