PerlMonks  

(OT) Virus Relative Question.

by Nik
on Jul 24, 2004 at 18:17 UTC (#377151)
Nik has asked for the wisdom of the Perl Monks concerning the following question:

Question about viruses and other awkward behaviours. Not a Perl one, but because you guys are very good I think I want to learn it from you. I posted this in other places, but no one until now knew exactly why things work like this to explain it. Please don't hate me for asking this. I won't again.

Well, I use Kaspersky on my XP. I update 3-4 times a day! I thought I was safe! But I am not! Even though I use an updated antivirus and firewall I still get infected with viruses, worms, stuff like that. Especially the Sasser and Lovesan worms.

Within some minutes after the worm infection Kaspersky tells me that it has found a worm in the system32 folder called TFTP(some number), and after some more minutes it finds more and more and more files like this, only the number changes. I even get lsass windows telling me that the system will shut down in 1 minute.

WHY am I infected? Well, for one thing, until 1 week ago I had never turned on automatic Windows updates. I always had this feature disabled (I really don't know why). OK, then I realised that my system had way too many open holes (Windows programming errors) that patches claim to correct. Although I have googled and found the appropriate patch, my system won't accept it! What happens exactly is that when I try to install the patch the program tries to run and then closes immediately, or I get an "access denied" error even though I am the admin of my PC and logged in as such.

a) Why won't the patch install although my Windows is activated?!? What must I do to make it install??!?!

b) Kaspersky screams that it finds worms every 10 minutes or less. Why, damn it?!?! If it is able to find them and identify them after I am infected with them, why does it not detect the worm the minute it attempts to break into my PC? After all, isn't that what AV software is supposed to do? Preventing viruses from breaking into PCs? Do I have to get infected and then clean/delete the virus? Why not just work like "Prevention is way better than the cure"??

c) Kaspersky asks me what I want to do with the virus (.exe) that it found in system32. Well, I say delete it of course, but then the damn AV can't delete it because it says that the virus is in use or access denied! Well, that's logical, meaning that the virus (.exe) is already executing/running in memory as a process, but then again why doesn't the AV just KILL the damn process and all its relevant files?!??! After all, it knows the virus ID and how exactly the virus is working!!! Well, I can fix it by booting in safe mode where no other processes run except basic system ones.

d) If you care to answer (and I know Gandalf is, and I appreciate that), please explain this to me in detail so that I can clarify this once and for all!

e) Thanks, and sorry I ask these here, but I know you can answer this!

f) Also wanted to mention: are these problems related to the fact that I can't run Xnews because it just closes by itself, as well as Kerio v2.5.1 doing the same?!? I can't explain this awkward behaviour!! Thank you and I am sorry for asking this here...
The Devil Is In The Details!

Edit by castaway - added 'OT' to title (since there were enough keep votes.. )

Re: Virus Relative Question.
by CountZero (Bishop) on Jul 24, 2004 at 19:06 UTC
    Nik,

    You are right, this is not an anti-virus website and I'm not the local anti-virus expert either.

    It looks similar to a virus which once invaded my office computer (and we have a corporate IT team who take care of updates to the antivirus programs and run the anti-virus firewalls and e-mail scanners), just because I was out of the office one afternoon when they installed corporate-wide an emergency new definition file for the anti-virus software and an update for the OS. I missed both, so the next morning when I switched on my computer it was infected before I could brew my first cup of tea!

    Nothing could be done to "clean" it or update Windows fast enough to keep the virus from taking over and trying to spread. The only solution was to "reflash" the computer (i.e. re-install a clean copy of the OS and then put the back-up of my personal files on the new system). I didn't lose any files (thanks to the automatic back-up which runs every day) but had to spend the next week re-installing all kinds of "useful" tools and programs (all very much against the corporate standards of course) I need to do my job.

    So if you can do it and have a recent back-up of your personal files: wipe the hard disks and re-install from scratch, and do an immediate update of your system before you even open IE or your e-mail program, and close all ports you don't need except the ones for the update of your OS (I would tighten down the firewall even before I would plug in the network cable).

    As for your other questions, I can't help you. I don't run any anti-virus software continuously on my home systems (it really gets in the way of all kinds of other programs); I just do a scan of the computer every few weeks, update the OS as much/as soon as needed and am generally very cautious about opening e-mail attachments and downloaded files (when in doubt, don't open them, or run them through an updated virus scanner). And of course I have firewalls all around.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

      > So if you can do it and have a recent back-up of your personal files: wipe the hard disks and re-install from scratch, and do an immediate update of your system before you even open IE or your e-mail program, and close all ports you don't need except the ones for the update of your OS (I would tighten down the firewall even before I would plug in the network cable).

      This is a neat trick! But how will I close every open port? Windows uses a lot of services in the background I don't know about! Only allow the update ports to work? OK, but how??? I mean, how do I do it practically?
      The Devil Is In The Details!
        Oh my, we are getting more and more off-topic.

        The firewall I use (ZoneAlarm) starts by closing all ports. Any program that runs and needs to make a network connection will trigger a pop-up box asking to be allowed to open a port. If it is a genuine request (and not coming from a virus), you allow the port to be opened by this program. Easy as pie!

        I don't know how other firewalls work, but probably somewhat similar to ZoneAlarm, I guess: there must be some way of configuring which ports are to be allowed and denied.

        CountZero

        "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

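Nik's follow-up asks how to do the "close every port you don't need" advice in practice, and CountZero's answer is a firewall that denies by default and prompts per program. The PowerShell below is an added example, not code from this thread, from Kaspersky, or from ZoneAlarm: it applies the same policy on a current Windows using the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later, so not the 2004-era XP of the original post) from an elevated session. It blocks all unsolicited inbound traffic while leaving outbound open (Windows Update and AV definition downloads are outbound connections, so patching keeps working), lists what is actually listening together with the owning process so the remaining allow rules can be decided per program, and, for question (c), stops and removes processes matching the system32 TFTP<number> pattern Nik describes, which the AV could not delete while the image was running. The function names are this example's own. Killing the process does not undo whatever persistence the worm installed, so CountZero's reinstall remains the reliable fix.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the PerlMonks thread. Needs the NetSecurity module
# (Windows 8 / Server 2012 or later). The function names are this example's own.

function Set-DefaultDenyInbound {
    # "Close all ports you don't need": block every unsolicited inbound connection
    # on all firewall profiles and leave outbound open. Windows Update, AV updates
    # and browsing are outbound, so patching still works under this policy.
    # -NotifyOnListen pops a notification whenever a program starts listening,
    # the closest built-in equivalent of ZoneAlarm's per-program prompt.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True
}

function Get-ListeningPorts {
    # Answer to "Windows uses a lot of services in the background I don't know
    # about": every TCP listener and UDP socket, with the owning process and its
    # image path, so allow rules can be written for known programs only.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort
            PID = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort
            PID = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port
}

function Find-SuspectTftpProcesses {
    # The post describes files named TFTP<number> in system32 that the AV could not
    # delete because they were running. Match only that shape: an image under
    # system32 whose name is "tftp" followed by digits. The legitimate
    # %SystemRoot%\System32\tftp.exe has no digits and is left alone.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-Process | Where-Object {
        $_.Path -and
        $_.Path.StartsWith($sys32 + '\', [System.StringComparison]::OrdinalIgnoreCase) -and
        $_.ProcessName -match '^tftp\d+$'
    }
}

function Stop-SuspectTftpProcesses {
    # Answer to (c): stop the running process first; only then can the on-disk
    # file be removed, which is the "in use / access denied" step the AV failed at.
    param([switch]$RemoveFiles)
    foreach ($proc in Find-SuspectTftpProcesses) {
        $path = $proc.Path
        Stop-Process -Id $proc.Id -Force
        $null = $proc.WaitForExit(5000)
        if ($RemoveFiles) { Remove-Item -LiteralPath $path -Force }
        [pscustomobject]@{ PID = $proc.Id; Path = $path; Removed = [bool]$RemoveFiles }
    }
}

# Usage, in CountZero's order: lock the firewall down first, then look at what is
# listening, then clean up what should not be running.
Set-DefaultDenyInbound
Get-ListeningPorts | Format-Table -AutoSize
Stop-SuspectTftpProcesses -RemoveFiles
```

Run the three steps before the machine is reconnected to the network, as the reply suggests. Anything that shows up in the listener list under a path outside the Windows and Program Files directories deserves a look before an allow rule is written for it.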
Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 02:09:25 2004 (EST)
    Reason: Anneq Delete: troll node

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 03:55:22 2004 (EST)
    Reason: Anneq Delete: troll

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 05:38:57 2004 (EST)
    Reason: Anneq Delete: Troll

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 03:57:11 2004 (EST)
    Reason: Anneq Delete: troll

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 03:57:22 2004 (EST)
    Reason: Anneq Delete: troll

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 05:39:14 2004 (EST)
    Reason: Anneq Delete: troll

Re: Virus Relative Question.
by NodeReaper (Curate) on Jul 25, 2004 at 00:12 UTC
    This node was taken out by the NodeReaper on Sun Jul 25 13:12:03 2004 (EST)
    Reason: ysth Troll. Delete

      This kind of shenanigans isn't really necessary. Here at the monastery, we have a consideration/moderation system that allows a vote to be taken as to whether a given node should be edited or deleted. If enough people think that a node should be deleted, it will be.

      thor

        Not quite. No matter how many people think it should be deleted, as long as at least 3 (I think) vote for keep, it stays (unless some god overrides the keep votes). Voting isn't a ratio thing. (Sometimes I think it should be. Then I see all the sheep-people that vote delete when they just haven't looked at the context (I've done it myself), and prefer the current system.)

        C.

Node Type: perlquestion [id://377151]
Approved by NetWallah