Q: How to track the source of virus attacks (Answered 5 out of 5 stars, 3 Comments)
Question  
Subject: How to track the source of virus attacks
Category: Computers > Security
Asked by: goldmountain-ga
List Price: $50.00
Posted: 16 Sep 2005 14:09 PDT
Expires: 16 Oct 2005 14:09 PDT
Question ID: 568868
I want to locate software, a service company, or an individual, to
track the source of virus attacks on my computer. The ideal tracking
info would include I.P. address and physical address, or info re how
to locate the physical address.

Within the last nine weeks, I've twice had to reformat the C drive,
because of these attacks. On the day of the most recent reformat, the
computer was hit with a worm, a trojan, and two viruses.

The symptom of the attacks is that the computer first slows down, then
within a few days becomes essentially useless. Each
reformat/reinstall/reregister takes at least two full days.

Three days ago, I changed both ISP and e-mail client. Still the
attacks come, which makes me wonder if the means isn't FTP.

For approximately eight months, Norton Anti-virus has been installed.
For the past three or four weeks, Norton has been supplemented with
Spyware Doctor and Registry Mechanic.

Norton's current log of attacks---minus two that I deleted before
locating Google Questions---shows that the largest category is
W32.Spybot.W... (worm?). These end up in System 32 and have file names
that include: boot32.pif, cvjoazicr.exe, dos.pif, and
eraseme_81282.exe. Today I've also been hit three times with
Backdoor.Gray.... These end up in Documents and Settings and are named
mc22A.tmp.

Request for Question Clarification by sublime1-ga on 16 Sep 2005 19:59 PDT
goldmountain...

I understand your wish to find the source of your troubles,
but the fact is there may be numerous sources, and tracking
them down, which seems unlikely to succeed, would not resolve
the basic issue, which is that your system is vulnerable.

I would recommend that instead, you fortify your system so
that attacks are unsuccessful. I have an always-on cable
connection, and haven't had a bug that was allowed to be
activated in at least 2 years. I've only detected one bit
of adware/spyware in the past 2 months.

If you'd like, I can create an answer that instructs you
on how to create a bullet-proof system, using a hardware
firewall in the form of a router, or using a free one in
the form of ZoneAlarm software. To that, I can add a suite
of software (all of which is free) that will, together, 
make your system essentially invulnerable. This would 
include a free AntiVirus program which not only scans
on demand, but actively monitors hidden "drive-by"
downloads of trojans by malicious websites, and does
a better job (in my experience) than Norton of catching
the nasties.

Let me know what you think...

sublime1-ga

Clarification of Question by goldmountain-ga on 17 Sep 2005 10:34 PDT
sublime1,

I had to think about your offer, because what I really want to do is
locate the source of the attacks. But I accept your offer.

I'm a bit of a technoignoramus. Tried Zone Alarm some years back, but
couldn't get it working;-) If a hardware solution would be simpler,
that's the better choice for someone like me.

The rest of the package sounds fine, as is.

DavidH
Answer  
Subject: Re: How to track the source of virus attacks
Answered By: sublime1-ga on 17 Sep 2005 15:44 PDT
Rated:5 out of 5 stars
 
David...

Great! I've been looking for an excuse to put all this in writing,
where it can serve as a point of reference for a long time to come.

======================
THE BULLETPROOF SYSTEM
======================

The bulletproof system consists of a multi-pronged approach which
will make your system essentially invulnerable to attack by the 
vast majority of spyware, adware, and malware.


I - ASSESS YOUR VULNERABILITY

Go to Steve Gibson's ShieldsUP! page and test how accessible
your computer's ports are to a hacker looking for a way in:
https://www.grc.com/x/ne.dll?bh0bkyd2

Click on Common Ports to test the ones most used.
Click on All Service Ports for a complete test.

The perfect firewall will show Stealth (invisible) status
for all ports. ZoneAlarm is one of the few software
firewalls that can provide this level of protection.
It used to be the ONLY one.



II - INSTALL PROTECTION


1 - FIREWALL

You have a choice of a hardware or software solution here.


SOFTWARE FIREWALL

The best software firewall is ZoneAlarm, and it has the
advantage of being free, as well. ZoneAlarm protects both
against incoming attacks and outgoing events, such as 
a keylogger sending private information, by asking you
if you initiated the program which is attempting to access
the internet at that moment. If you recognize the program,
such as the Internet Explorer browser, you can give it 
blanket permission to access at all times, without being
checked out. If you say no, it will be blocked. You can
also give one-time access to check out any results, like
error messages from a Windows service which needs to run
in order to give your browser access.

ZoneAlarm offers a Pro version which provides additional
features and support, but the free version is just fine:
http://www.zonelabs.com/store/content/home.jsp


HARDWARE FIREWALL

A hardware firewall is simply a router that sits
between your DSL or Cable modem and the network
card in your PC. It very effectively blocks all
incoming traffic which has not been initiated
from your PC. It will NOT block programs on your
PC from accessing the internet, so, while it may
prevent a trojan from being loaded onto your PC,
it will not prevent it from working once it's
been initiated. When combined with the other
protection here, that won't be a problem, but
you should know that this blocking of outgoing
access by programs, without your permission, is
one of the virtues of ZoneAlarm.

The biggest advantage of a router is that it
fields all the traffic sent to the IP address
given to you by your ISP, and reassigns the IP
address used by your computer, so your PC's IP
address is simply not accessible.

Though they offer the possibility of being
configured, little or no configuration is 
usually necessary.

One of the best routers for the money is Asante.
One of the most cost-effective solutions is the
FriendlyNET FR1004:
http://www.asante.com/products/productsLvl3/FR1004.asp


2 - ANTIVIRUS (AV)

Many of the commercial AV programs are notorious for failing
to detect bugs in a timely manner, and for causing conflicts
with other software (Norton is one of these). As a result,
users started looking for better solutions. I've tried any
number of the freeware solutions and finally settled on 
AntiVir.

Here's a good list of possible programs:

Free online or downloadable virus scans:

AntiVir:
http://www.free-av.com/

BitDefender:
http://www.bitdefender.com/scan/licence.php

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

I like AntiVir for several reasons:

- It tends to find viruses missed by other AV programs.

- Detection files are updated frequently - often several
  times a day. You can set the update component to update
  as often as you like. I update once a day.

- It has a component called AntiVir Guard which monitors
  file activity on your hard drive and scans on-the-fly.
  This is especially valuable in the case of hidden
  "drive-by" downloads from malicious sites - a common
  source of trojans. The Guard component sees these
  hidden downloads and scans the files, immediately
  alerting you of malicious content, and offering you 
  the option of deleting, moving or renaming the file
  or placing it in quarantine. Priceless.


3 - WINDOWS UPDATES

Microsoft is painfully aware of the many vulnerabilities
in its software, from Windows itself to Outlook Express
to Internet Explorer. They work hard to patch them as
quickly as possible after becoming aware of a problem.
Updating your system is vital to any comprehensive
effort to protect yourself:
http://www.windowsupdate.com/

You can set Windows up to automatically check for new
updates and notify you from the system tray by going
to Start -> Settings -> Control Panel -> Automatic
Updates and checking the box that says "Keep my 
computer up to date."


4 - FREEWARE SOLUTIONS

Out of all the freeware solutions out there, the following
programs should be considered essential. They are tried and
true, contain no spyware or adware themselves, work well with
other programs, and are constantly being updated and improved
by some of the most creative and conscientious programmers in
the world.

Many of them overlap in their protective capabilities, but
there's no such thing as too much protection. At the same
time, they each contain some unique aspects which more
than make up for any overlap in function.


- AdAware

"Ad-Aware is designed to provide advanced protection from
 known Data-mining, aggressive advertising, Parasites,
 Scumware, selected traditional Trojans, Dialers, Malware,
 Browser hijackers, and tracking components. With the
 release of Ad-Aware SE Personal edition, Lavasoft takes
 the fight against Spyware to the next level."
http://www.lavasoftusa.com/software/adaware/

The free version is essential. Plus and Professional
versions are also available.

Use it once a week, or more often if you browse aggressively.
Manually update before each use.


- Spybot Search & Destroy

A partial list of features:

Removal of adware and spyware
Removal of dialers
Removal of keyloggers
Removal of trojans and other baddies
Removal of usage tracks
Safe removal of threats by shredding them
Backups of every removed problem
Exclude option to ignore specific problems
Permanent blocking of threatening ActiveX downloads
Permanent blocking of known tracking cookies for IE
Permanent blocking of threatening downloads in IE
http://www.safer-networking.org/en/features/index.html

Overview:
http://www.safer-networking.org/en/spybotsd/index.html


- Javacool Software's Spyware Blaster

"Prevent the installation of ActiveX-based spyware, adware,
 browser hijackers, dialers, and other potentially unwanted
 software.

 Block spyware/tracking cookies in Internet Explorer and
 Mozilla/Firefox.

 Restrict the actions of potentially unwanted sites in
 Internet Explorer.

 SpywareBlaster can help keep your system spyware-free and
 secure, without interfering with the "good side" of the web.

 And unlike other programs, SpywareBlaster does not have to
 remain running in the background."
http://www.javacoolsoftware.com/spywareblaster.html

Run it once a week to update it, and enable all protection.
Then close the program. This program acts more like an 
inoculation, preventing changes to the system. 4349 items
are currently in the database.


- WinPatrol

"WinPatrol uses a heuristic approach to detecting attacks
 and violations of your computing environment. Traditional
 security programs scan your hard drive searching for
 previously identified threats. WinPatrol takes snapshot
 of your critical system resources and alerts you to any
 changes that may occur without your knowledge."
http://www.winpatrol.com/

This program loads with Windows and sits in the system
tray, offering many features. The most noticeable are
when Scotty, the Scottish Terrier, barks to alert you
that a new program has been added to the Windows Startup
sequence, either in the registry or the Startup Folder.

Since one of the ways that viruses multiply themselves
is to add an entry to Windows Startup, this is a very
valuable program. You can immediately deny any program
from placing a startup entry.

You can also use the program by double-clicking on the
tray icon. Scotty will bark in response, and you'll
have access to several tabs of options, including 
viewing Startup Programs, Active Tasks, IE Helpers,
Cookies, and much, much more.

Scotty can also be set to monitor any changes made to
your HOSTS file. Much more on this later.


- HijackThis (HJT)

HijackThis is a legendary program which is of immense
value if you've already been infected, or think you 
might have been.

"HijackThis examines certain key areas of the Registry
 and Hard Drive and lists their contents. These are areas
 which are used by both legitimate programmers and hijackers."
http://www.tomcoyote.org/hjt/

HJT creates a log of what it finds which can then be 
posted for analysis by experts such as those found here
on Google Answers, or in a forum dedicated to assisting
those who are infected, such as 'TomCoyote Forums', 
'Geeks to Go Forums' and 'SpywareInfo Forums'.

Experts can tell you precisely what entries to check for
removal by HJT.

One of the latest enhancements to this program is the
addition of online HJT log analyzers, which can give 
you a leg up in analyzing them yourself:

IamNotaGeek.com log parser:
http://hjt.iamnotageek.com/

HijackThis log analyzer (a more graphic version):
http://www.hijackthis.de/en

HJT has other very useful features, including one which
marks a file for deletion on reboot. This is very useful
when Windows prevents you from deleting a file because
it's currently in use, which happens a lot with viruses.


- Microsoft Windows Anti-Spyware (Beta)

I installed this and ran it for about a week. It didn't
give any indication of having found anything that wasn't
already protected against by the other software here, but
I'm including it because it's received very good reviews
in the geek community, and I'd certainly recommend it to
anyone who has limited knowledge of spyware and the other
programs I've outlined to prevent it.

Let this run in your system tray.
http://www.microsoft.com/athome/security/spyware/software/default.mspx


- HOSTS file

The HOSTS file is a little-known Windows file which normally
does nothing, since the content is minimal by default, that
being:

127.0.0.1  localhost

That entry just points to your computer and identifies it
as localhost.

But additional entries can be made to this file that amount
to Windows wizardry!

The file is typically located here, in W2000 & XP:
C:\WINNT[or Windows]\system32\drivers\etc

It has no extension, but you can rename it HOSTS.txt
and open it with Notepad to see that it is a text file.

Entries can be added on a custom basis. These entries
will point specified addresses to your computer, rather
than to your DNS server, so that, instead of looking for
the files on the web, your browser will look for them on
your PC. Since they don't exist there, they won't be
found and loaded. In this way, you can effectively block
certain sites from ever being loaded in your browser.

Many people use the file to prevent known advertising
servers and malicious sites from having access to your
browser. There are many sites which post replacement
HOSTS files to use in place of the default one.

Different sites focus on different content. You can find
sites that block porn sites, sites that block ads from
loading in your browser, sites that are known to be
malicious, and combinations of all of these.

Since there are hundreds of sites of all these types, the
number of entries in the HOSTS file can cause it to become
much larger. If the file is too large, it will slow the
speed of your browser's loading things, so some authors
of HOSTS files take this into account, and use it to 
redirect only the most malicious sites and ubiquitous
advertisers.

The following page on the MS Most Valuable Professionals
site, offers the best compromise and supporting information
I've found for the HOSTS file:
http://www.mvps.org/winhelp2002/hosts.htm

You can download the one they provide and use it to 
replace the default one (after renaming it). You can
then also lock the file, by right-clicking on it,
selecting Properties and checking Read-only. This will
prevent trojans and other hijackers from writing to 
it, which can cause some major problems.

The MVPs page also offers a batch file utility which allows
you to temporarily turn off protection by renaming the file.



III - RE-TEST YOUR SYSTEM

Once you've installed your firewall, go back to Steve Gibson's
ShieldsUP! page and test it out.

Then just update and run your AV program, Spyware Blaster,
Spybot S&D, and AdAware about once a week, and more often
if you have a period of aggressive browsing in unknown
territory, or you have reason to suspect there is a bug
on the loose.

Meanwhile, AntiVir Guard, WinPatrol's Scotty, and MS's
Anti-Spyware programs, as well as Spyware Blaster's 
inoculations, are keeping your system safe, and looking
for any changes.

BULLETPROOF!


Please do not rate this answer until you are satisfied that  
the answer cannot be improved upon by way of a dialog  
established through the "Request for Clarification" process. 

sublime1-ga
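The HOSTS-file section above describes the blocking technique (point a name at 127.0.0.1 so the browser never finds the site) and warns that trojans rewrite the file, which is why the answer says to set it read-only. As an added example that is not part of the answer or the thread, here is a small Python audit of a HOSTS file in that format: it parses the entries, separates sinkhole entries (names pointed at 127.0.0.1 or 0.0.0.0) from real redirects, flags any entry for names that a clean file should never mention, and checks the read-only attribute. SAMPLE_HOSTS, the placeholder hostnames in it and the PROTECTED_NAMES list are constructed assumptions for the example, not content from the MVPS file.

```python
"""Audit a HOSTS file: blocking entries, suspicious redirects, read-only check.

Added example, not code from the Google Answers thread. SAMPLE_HOSTS and the
hostnames in it are constructed; PROTECTED_NAMES is an assumed list.
"""
import ipaddress
import os
import stat
from dataclasses import dataclass

# Addresses that make a name resolve to "nowhere": 127.0.0.1 as the answer
# describes, plus 0.0.0.0 and ::1, which block lists also commonly use.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a clean HOSTS file should never mention at all (assumed list): update
# and AV vendor sites. A trojan that rewrites HOSTS typically redirects or
# blocks exactly these, so any entry for them is suspicious.
PROTECTED_NAMES = {"www.windowsupdate.com", "windowsupdate.microsoft.com",
                   "www.free-av.com"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list


def parse_hosts(text):
    """Parse HOSTS text into entries. Returns (entries, errors).

    Each data line is `address name [name ...]`; `#` starts a comment.
    Lines with a missing name or an unparsable address are reported as
    errors rather than silently dropped, since Windows would ignore them too.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((line_no, "missing hostname"))
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            errors.append((line_no, f"bad address {address!r}"))
            continue
        entries.append(HostsEntry(line_no, address, names))
    return entries, errors


def audit_hosts(text):
    """Classify every name in the file.

    blocked   - names sinkholed to a loopback/unspecified address (intended use)
    hijacked  - protected names present at all, with the address they point to
    redirects - other names sent to a real address (a LAN entry is normal,
                anything else deserves a look)
    """
    entries, errors = parse_hosts(text)
    blocked, hijacked, redirects = [], [], []
    for entry in entries:
        for name in entry.names:
            if name in PROTECTED_NAMES:
                hijacked.append((entry.line_no, name, entry.address))
            elif entry.address in SINKHOLE_ADDRESSES:
                if name != "localhost":
                    blocked.append(name)
            else:
                redirects.append((entry.line_no, name, entry.address))
    return {"blocked": sorted(blocked), "hijacked": hijacked,
            "redirects": redirects, "errors": errors}


def is_read_only(path):
    """True if the owner write bit is clear (the Read-only attribute on Windows)."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


SAMPLE_HOSTS = """\
# Constructed sample HOSTS file; the blocked names are placeholders.
127.0.0.1       localhost
# blocking entries in the style of the MVPS file
0.0.0.0         ads.example-tracker.test
127.0.0.1       malware.example-bad.test   www.example-bad.test
# a LAN entry a user might add for the router
192.168.123.254 router.lan
# the kind of entry a trojan writes to cut off updates
203.0.113.7     www.windowsupdate.com
this-line-is-broken
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} sinkholed names")
    for line_no, name, address in report["hijacked"]:
        print(f"line {line_no}: SUSPICIOUS {name} -> {address}")
    for line_no, name, address in report["redirects"]:
        print(f"line {line_no}: redirect {name} -> {address}")
    for line_no, problem in report["errors"]:
        print(f"line {line_no}: {problem}")
```

To audit the real file, read it from the path the answer gives (C:\WINNT or C:\Windows\system32\drivers\etc\hosts) and pass the text to `audit_hosts`; `is_read_only` on the same path confirms the lock the answer recommends. Any entry in `hijacked`, or an unexpected address in `redirects`, is the sign that something other than you has written to the file.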

Request for Answer Clarification by goldmountain-ga on 17 Sep 2005 20:28 PDT
OK, I'll do the best I can to follow the instructions;-)

I do have Norton Anti-virus installed. Should I remove it, after I've
installed AntiVir?

DavidH

Clarification of Answer by sublime1-ga on 17 Sep 2005 21:51 PDT
David...

Some people have reported complications resulting from
uninstalling Norton software. If you have sufficient
disk space to leave it installed, I would do that, and
simply use WinPatrol to disable any of its components
on the Startup tab.

I'm not certain if Norton also runs a portion of their
software as a Windows Service, but if they do, you can
go to Start -> Settings -> Control Panel -> Administrative
Tools -> Services and find it/them listed there. Right
click on it/them, select Properties, and select Disabled
under Startup Type.

By doing these two things, when you next reboot, Norton
should be inactive. Look for any signs of it in the 
system tray.

I would do this *before* installing AntiVir, while offline,
if possible. It's not good to have two antivirus programs
running at the same time, even for a brief time.

sublime1-ga

Request for Answer Clarification by goldmountain-ga on 15 Oct 2005 19:26 PDT
Ok,

I got the Asante router working with my static IP address, installed
BitDefender 9 Standard (AntiVir's update site was too slow), and
installed Zone Alarm free edition.

When I go to ShieldsUp, the probe reveals that my Port 113 is visible
(tho "closed") and my computer responds to pings.

I'm concerned, because before I installed the router and the new
software apps, the ShieldsUp probe returned a perfect score. No open
ports, no ping responses. Any thoughts?

DavidH

Clarification of Answer by sublime1-ga on 15 Oct 2005 21:42 PDT
David...

You'll find an educational discourse on Port 113 and the issues
with stealthing it on Steve Gibson's site here:
http://grc.com/port_113.htm

You note that you installed BitDefender. Be aware that, as far
as I know, BitDefender doesn't have the capacity of AntiVir's
Guard component, to protect you by actively monitoring files
being used and downloaded (often hidden in drive-by attacks).
Since about 90% of the real threats I've had toward my PC in
the past few years have come from this source, and AntiVir 
caught them all, it might be worth reconsidering.


You also note that you're using both ZoneAlarm and an Asante
router. I kept this redundancy for a couple of months until
I realized that ZoneAlarm's log reflected that absolutely
nothing had gotten by the Asante Router. When you're also
convinced of this, you can disable or uninstall ZoneAlarm.
You don't need both firewalls, as I noted originally.


There are, in fact, two adjustments you can make to the 
Asante router's settings that will restore you to full
stealth.


Port 113

As noted in Gibson's article, you can have your hardware
router forward this to a local address. Open the router
configuration page in your browser: http://192.168.123.254/

Then go to the Advanced tab and scroll down to the Distributed
Servers Setup. At Port 1, enter 113 under Service Ports, and
redirect that to 192.168.123.199 and check the enable box.
At the bottom, select AUTH(113) in the Common Ports drop-down
box, and Apply to Port ID 1 in the drop-down box to the right.
Click the Apply New Distributed Servers Setting and you're set.

For this to work, check the 2nd section from the top of that
page, under DHCP Server Setup, and make sure that DHCP Server
is enabled, with a range from 100 - 199.


Pings

Under the Security tab of the Asante configuration page, 
check the box under the Security Options section that says:
"Discard ping from WAN side". Click on Apply, and you're set.

Now go back to Shields Up and you should test perfect stealth.


Enjoy your Bullet-Proof setup!

sublime1-ga
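The exchange above turns on the three verdicts ShieldsUP! gives a port: open, closed (the host answered, so it is visible) and stealth (no answer at all). As an added example that is not part of the thread, the Python below reproduces that classification from the way a TCP connect attempt ends, so you can check your own address from inside or outside the router before and after a change like the port 113 forwarding above. The LoopbackListener class is constructed for the demo so the script can show an "open" port on 127.0.0.1 without touching the network; run `classify_port` only against addresses you own.

```python
"""Self-test of a TCP port the way ShieldsUP! classifies it.

Added example, not from the Google Answers thread. Use it only against your
own address; the ShieldsUP! probe performs the same check from outside.
"""
import socket


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port.

    open        - something accepted the connection
    closed      - the host answered with a reset: nothing listening, but the
                  host is visible (what ShieldsUP! reported for port 113)
    stealth     - no answer before the timeout: a firewall dropped the probe
    unreachable - no route to the host; a network fault, not a firewall verdict
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"


def stealth_report(host, ports, timeout=2.0):
    """Classify each port; 'visible' lists the ones that are not stealthed."""
    results = {port: classify_port(host, port, timeout) for port in ports}
    visible = sorted(p for p, state in results.items() if state in ("open", "closed"))
    return {"results": results, "visible": visible}


class LoopbackListener:
    """Tiny TCP listener on 127.0.0.1 so the demo can show an 'open' port
    without touching the network. Constructed for this example only."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    listener = LoopbackListener()
    print(f"port {listener.port} while listening: {classify_port('127.0.0.1', listener.port)}")
    listener.close()
    print(f"port {listener.port} after closing:   {classify_port('127.0.0.1', listener.port)}")
```

A "closed" verdict on 113 is the visible-but-harmless case the thread discusses: nothing is listening, but the reset tells the prober a host exists. The reason some routers answer on 113 deliberately, rather than dropping the probe, is that remote mail and IRC servers doing ident lookups otherwise wait for their own timeout before accepting your connection; that is the trade-off the Gibson page linked above covers, and the forwarding fix in the answer chooses stealth.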

Request for Answer Clarification by goldmountain-ga on 15 Oct 2005 23:16 PDT
sublime1,

Worked like a charm! (And that's why writers need tech help;-))

DavidH

Clarification of Answer by sublime1-ga on 16 Oct 2005 00:39 PDT
David...

I'm extremely pleased that you were able to successfully apply
my instructions, both at the end and throughout the process, 
and that your system has responded as expected. Please don't
underestimate your contribution to the process. I know I don't.

Thanks very much for the 5 stars, and, again, I hope you get
many years of enjoyment from your bullet-proof system.

Best regards...

sublime1-ga

Clarification of Answer by sublime1-ga on 22 Sep 2006 00:30 PDT
In the interests of keeping this answer up to date, I feel
obligated to mention this new anti-spyware and Windows 
optimizer for Windows 2000 and XP, from Iobit.com, called
Advanced WindowsCare v2 Personal. It's free, and immunizes
better than Spyware Blaster, in addition to performing many
other optimization functions:
http://iobit.com/

Download the free-for-personal-use version from Major Geeks:
http://www.majorgeeks.com/Advanced_WindowsCare_d4991.html

sublime1-ga
goldmountain-ga rated this answer:5 out of 5 stars
Quick responses, suggestions and directions all worked. Making the
final adjustments to the router was not at all intuitive, and the
directions from sublime1 transformed a mystery into
"plain-as-the-nose-on-your-face."

Very much appreciated.

Comments  
Subject: Re: How to track the source of virus attacks
From: llbbl-ga on 04 Nov 2005 12:53 PST
 
Norton AV and that AntiVir program do not compare to NOD32. It has the
highest detection rate of ALL antivirus programs and it uses the least
amount of system resources, something that Norton is very bad at.

Hitman Pro 2
http://www.eset.com/home/home.htm

Also you suggest that he does all these complicated things with
HijackThis that is not necessary. HijackThis should only be used in a
last resort, since it is not very user friendly and you can do serious
damage with it. I would recommend that you use Hitman Pro 2 instead of
what sublime1 recommends. Windows antispyware is a piece of junk
compared to Adaware spybot and all the others that are included with
Hitman Pro 2.

Hitman Pro 2.
http://www.hitmanpro.nl/
Subject: Re: How to track the source of virus attacks
From: sublime1-ga on 13 Feb 2006 12:51 PST
 
I'd like to add this input from my colleague byrd-ga, with
regard to email antivirus protection, which AntiVir does
not provide, reproducing her comment on a related question:

"Although I concur with my colleague sublime1-ga on the programs he
 recommended and in fact use them myself in addition to a hard router,
 I would like to add one recommendation to the list.

 I recently discovered that neither AntiVir, AdAware nor SpyBot S&D
 provide email protection, and I discovered it when a virus rode into
 my system on an email. The troublemaker activated when I viewed the
 email in the preview pane in Outlook Express. It took me nearly two
 weeks and a lot of grief to isolate and rid my system of that virus,
 which infected my display, randomly turning it multicolored dark or
 pastel colors, and unreadable, necessitating a hard reboot to clear.

 However, I have gotten rid of it, and since then discovered that I can
 run Grisoft's AVG, mentioned in the comment above, email protection
 together with my AntiVir. It is possible to activate that segment of
 the program alone, without running the full antivirus program. Many
 times it's said not to run two antivirus programs together, but there
 appears to be no conflict whatsoever with this, with AVG seamlessly
 integrating itself with both AntiVir and Outlook Express. Another
 option, of course, might have been a different email client, but I had
 too much invested in my organization of this one to make it an easy
 switch. Fortunately, AVG's flexibility made it unnecessary.

 So I'm just offering this extra bit to you and anyone else who wants
 to use both AntiVir and MS Outlook Express.

 Best wishes,
 Byrd-ga"
http://answers.google.com/answers/threadview?id=444197
Subject: Re: How to track the source of virus attacks
From: goldmountain-ga on 22 Feb 2006 09:50 PST
 
Just did add Grisoft AVG's e-mail protection to my AntiVir.

Thanks for the heads-up. I'd misread their website and didn't realize
that e-mail protection doesn't come with the free version. (Tried to
buy the paid version, but the U.S. wasn't on their country list and
they were only accepting payment in Euros.)
