Port 80


I've just gotten rid of Trojan.byte.verify. NAV and several online scans,
including Panda, say the machine is clean. Even used System Recovery, but
according to Symantec's online security scan, Port 80 is still open and the
computer responds to a ping. How can I close this thing?? (NAV2004 and
Sygate PF) I'm not used to XP yet, just upgraded computers so I'm having a
tough time sorting this out. Will be very grateful for some help! I'm
really concerned about a lingering security compromise.

Margie
 
Hi Margie, :)

SyGate version 5 - free version, I assume.

Find ICMP setting and turn on. This will make your
computer name Stealth from a ping. (If not there, it is on
PRO version.)
Port 80 is the HTTP port.
Are you running web server software? If you need this then
you need to secure the web software settings as this can
not be done through windows settings.
Also, chat program may be listening on 80. MSN Messenger or
Messenger running in background?

NAV 2004 should be very up to date, just run live update
to make sure.

Do you have SP1 installed (or SP1a)? My Computer,
Properties, text on gray screen under SYSTEM.

If not go to IE, Tools, Web Updates and follow
instruction.
Select SP1a from Windows Update area and install.

Then go back to WU and install all critical updates.


At this point the only thing more secure would be the Pro
version of your Firewall, and SP2 (Which you can get
automatically thru auto windows update.
It will be just for your install and will download
starting about the 16-25 and take a week to complete
depending on your line speed.
When it is ready you will be notified.) It will have a
new firewall which you will need to turn off to use
SyGate.

You may want to try running these two together if you
only do HTTP and e-mail as the Windows FW will come on
very early during boot up and only allow DHCP to the ISP
until the boot up is done. You just need to add SyGate
program to the exception list of the Windows FW. (I think)

SJ

P.S. Backup and clean up disk before installing SPs.
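
An added example, not part of the original post: one way to answer the question above about whether a web server or chat program is listening on port 80 is to run `netstat -ano` on the machine and look for a LISTENING row on that port. The sketch below parses that output; the function name `listeners` and the sample text are constructed for illustration, and the column layout assumed is that of Windows `netstat -ano`.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     3120
  UDP    0.0.0.0:445            *:*                                    4
"""


def listeners(netstat_text, port=80):
    """Return (local_ip, pid, exposure) for each TCP socket LISTENING on port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, foreign, state, PID.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING" or not fields[4].isdigit():
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port != str(port):
            continue  # e.g. an outbound connection *to* a remote port 80
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # "[::]" -> "::"
        except ValueError:
            continue  # unparseable address column; skip the row
        if ip.is_loopback:
            exposure = "loopback only"
        elif ip.is_unspecified:
            exposure = "all interfaces"
        else:
            exposure = "one interface"
        found.append((str(ip), int(fields[4]), exposure))
    return found


if __name__ == "__main__":
    for ip, pid, exposure in listeners(SAMPLE):
        print(f"port 80 listener on {ip} (PID {pid}): {exposure}")
```

The PID can be matched to a program name in Task Manager's Processes tab once the PID column is enabled. An empty result means no program on this machine is accepting connections on port 80.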
 
A little further info:

this from the Sygate security scan just made:
Trying to gather information from your web browser...
Trying to find out what services you are running...
Web Server Found = Server: GoAhead-Webs

This last, Server: GoAhead-Webs, I have no clue what this is. Can you
identify it for me??

Margie
 
Missed the part about Sygate PF.
You are correct, best to run just one firewall.
So, close port 80 with Sygate PF.

I would also suggest the following...........

First. Make sure of these settings and nothing will install without you
answering YES. (Except what may install as part of some other software.)
Don't click YES if you don't know/trust the source.

Start | Settings | Control Panel | Internet Options | Advanced tab |
Make sure both of these are NOT checked.

 Enable Install On Demand (Internet Explorer)
[[Specifies to automatically download and install Internet Explorer
components if a Web page needs them in order to display the page properly or
perform a particular task.]]

 Enable Install On Demand (Other)
[[Specifies to automatically download and install Web components if a Web
page needs them in order to display the page properly or perform a
particular task.]]

Apply | OK

 Enable Install On Demand (Other)
Is part of the driveby downloading of unwanted programs. i.e. Scumware or
whatever will install w/o you even being aware of it.
=====

It is known as scumware. Visit these sites. 1, 2, 3 and 4 are really good.
Download, install, run, update and run again; one or all. They are all
good, FREE utilities. Make sure you update every program, even if you
just downloaded it. You must have the latest updates. Without updates,
you have a gun without ammo.

1) CWShredder direct download:
http://216.180.233.163/~merijn/files/CWShredder.exe

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (some other stuff that may be of interest also)
http://www.spywareinfo.com/~merijn/downloads.html

4a) HijackThis (direct download)
http://aumha.org/downloads/hijackthis.zip

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

=====

MVPS HOSTS file is a free download from:
http://www.mvps.org/winhelp2002/

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

=====

Problems uninstalling? Here's some advice.
http://www.kephyr.com/spywarescanner/uninstallproblems.phtml

Additional information & instructions.
A wealth of information here, boys and girls.

THE PARASITE FIGHT QUICK FIX PROTOCOL
http://aumha.org/a/quickfix.htm

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Bugs, Glitches & Stuffups
http://www.mvps.org/inetexplorer/Darnit.htm

Dealing with Unwanted Spyware and Parasites
http://mvps.org/winhelp2002/unwanted.htm

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315

Spyware and Deceptive Software
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx?gssnb=1

What you should know about spyware
http://www.microsoft.com/security/articles/spyware.asp

Cleaning Up XP
http://www.kellys-korner-xp.com/xp_c.htm#cleanup
 
Margie,

Yepper. Web cam!!

Read the parts about bugs >>>>

InnoMedia VideoPhone Authorization Bypass
http://neworder.box.sk/explread.php?newsid=10723

InnoMedia VideoPhone Authorization Bypass Vulnerability
http://www.net-security.org/vuln.php?id=3311

[[Service: http (80/tcp)
Severity: Low
The remote web server type is :GoAhead-Webs
Solution : We recommend that you configure (if possible) your web server to
return a bogus Server header in order to not leak information.]]
 
Hey, Wes!

Thanks for checking that out for me!!

Am presently (and temporarily) using daughter's computer - mine is totally
down. Went to Sygate to purchase and download the Sygate Pro PF, which
offered Panda AV as a package deal. Stupidly, I forgot to disconnect from
the web before I uninstalled the NAV and was instantly hit with what I think
is the Blasterworm. Whatever it is, my next stop will be to a shop/tech who
can salvage my data, then I'll strip everything down and make a whole new
installation of the system and OS files with my rescue CDs. Wanted to do
that today, but a hurricane is on my doorstep and can't get out today.
Wanted to check with you and send this while the power is still on.

I so very much appreciate the help and advice both you and SJ have given.
You are just tops!

I'll check back in when my puter is back in service again.

Warmest regards,
Margie

 
Good luck, Margie!! ;-)

--
Hope this helps. Let us know.
Wes

Hey, SlowJet and Wesley!

*Many* thanks for responding!

Let me fill in a bit: When the Trojan hit, NAV 2004 (on auto
update) was running, as was NPF 2003 (automatically updated). I
had all Critical updates for Win updated and SP1. This is just a
home computer, not a server in any sense, and I don't use chat
rooms, IM, or any of those things.

When the Trojan hit, I immediately ran NAV and (after the fact!) it
found and destroyed the virus. In the attack, NPF was completely
shredded and taken completely out of my control. Finally just had
to delete the thing; that's when I installed the Sygate (free)
until I could get everything straightened out.

Searching through XP's logs, I found where 'RASMAN' had logged in
and setPermissions to TRUE. It has been since this time that the
computer 'pings' and Port 80 is open; previous to this, any test
I've run has indicated that it was in full stealth. I've been to
several online virus scanners, including Panda, and all say there
is no virus remaining. But I feel that some files are still
changed.

In reading the HP instruction book, it seemed that if I saved my
personal data elsewhere and used the System Recovery from what HP
says is a totally protected inviolate partition, the system files
would reinstall as it was from the factory. So I did this. But
after checking with Symantec's online security scanner, the port is
still open and it still pings.

I'm thinking that the only way to get rid of whatever
changes/damage RASMAN did is to completely delete the system files
and use the Recovery CDs that I thankfully made as recommended
when I first got this computer a few weeks ago. (Went from a
little Compaq Celeron processor with a 6 GB hd to a HP Pentium 4
with a 200GB hd. Was I happy or not?? And then to have this
happen. Big hurt!)

SJ, you think by installing Sygate Pro, this will solve the
problem? If so, I'll do that right now. Wesley, I had turned off
the ICF because I understood that 2 firewalls shouldn't run at the
same time. Am I mis-informed? BTW, I'm on a cable connection
with a router which has a hardware firewall in it, but I don't
know any more particulars on it. (Cable Co installed it.)

Y'all don't know how much I appreciate your time and help! Eagerly
waiting to hear back from you!

(SJ, are you in the aviation community?? I spent my entire
professional career in aviation! )

Very gratefully! :-)))
Margie




 
