I need help!!!
Brian Carter
January 30th 04, 04:41 AM
OK, sorry if this is long winded. I got a call today from my boss saying one of our clients had got Novarg. Simple enough to remove it, but......... once I'd got rid of it, that well known matter hit the fan. Trying to run Norton AV, Outlook Express, and a Spyware checker (separately) caused them to use 99% CPU time. Then, just to compound the issue, trying to access WordPerfect gave me a not enough memory error. Not good. Now, this is an XP Home machine running 512Mb RAM, no problem there, so I decided to look in Event Viewer to try to see what was going on. I'd already used msconfig to stop stuff starting on boot so I expected a few error messages in EV. What I didn't expect was to see so many failed logon attempts by several users, all of which seemed to come from outside, along with a few successful logons, again not the actual user, but from an external source. This is a standalone PC with a DSL connection, and NO firewall of any variety. Not too smart for a lawyer!!!!!! I guess my question is, as I am no security guru, am I right in thinking that these EV messages are stating that people are trying to access this machine remotely, and in a few cases actually managing to logon? Many of these failed logon events occurred whilst I was working on the machine. Using netstat -an didn't seem to show any ports open that shouldn't be open. Help meeeeeeeeeeeeeeeeeeeee. Thanks.
Carey Frisch [MVP]
January 30th 04, 04:42 AM
All too often, the penalty for not having a good antivirus program installed,
not enabling a firewall, and not downloading the critical updates
available from the Windows Update website, is an opportunity
to perform a "clean install" of your operating system. Virus files are
designed to inflict damage to a PC, and apparently that is what happened.
I would suggest backing up your important documents and files
and proceed with a "clean install" of Windows XP:
The Windows XP CD is bootable and contains all the tools necessary
to partition and format your drive. Follow this procedure and allow
Windows XP to partition and format your drive:
NOTE: It would be best to physically disconnect all your peripheral hardware
devices, except the monitor, mouse and keyboard, before installing XP.
1. Open your BIOS and set your "CD Drive as the first bootable device".
===> Accessing Motherboard BIOS
===> http://www.michaelstevenstech.com/bios_manufacturer.htm
2. Insert your Windows XP CD in the CD Drive and reboot your computer.
3. You'll see a message to boot to the CD....follow the instructions.
4. The setup menu will appear and you should elect to delete the existing
Windows partitions, then create a new partition, then format the primary
partition (preferably NTFS) and proceed to install Windows XP.
5. Clean Install Windows XP
http://michaelstevenstech.com/cleanxpinstall.html
[Courtesy of Michael Stevens, MS-MVP]
6. ==> Immediately after installing Windows XP, turn on XP's Firewall.
==> http://www.microsoft.com/security/protect/
7. After Windows XP is installed, visit the Windows Update website
and download the available "Critical Updates".
8. After installing the critical updates, be sure and visit the support website
of the manufacturer of the computer to download and install any
available Windows XP compatible drivers, such as video adapter
and audio drivers.
9. If you happen to run into any installation difficulties, use the following resources:
How to Troubleshoot Windows XP Problems During Installation
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310064
Troubleshooting Windows XP Setup
http://www.kellys-korner-xp.com/xp_setup.htm
[Courtesy of MS-MVP Kelly Theriot]
--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/
Colin Nash - [MVP Windows Hardware]
January 30th 04, 05:01 AM
Hi Brian.
Yes, it is quite possible for those events to indicate someone is trying to
connect remotely. I've seen it happen on my machine when I downed my
firewall. My cable ISP usually blocks the ports used by Windows networking
(since it has no legitimate use over the Internet) but it slipped through
once (I guess they were doing maintenance??)
Well, a firewall would be a good idea! Consider enabling the built-in Windows
XP firewall, or get a fancier third-party one like Norton Internet Security,
ZoneAlarm etc. Or a hardware firewall (a simple "cable/dsl" router will
help too.)
Seeing as this is a standalone: At the very least, go into Control
Panel --> Network Connections --> double click the icon for the network
connection to the DSL modem --> "Properties" and then **uncheck** the box
for "File and Print sharing". Then highlight TCP/IP, and choose Properties.
Click the "Advanced" button way at the bottom and then go to the tab called
"WINS". Make sure that NetBIOS over TCP/IP is disabled.
This will at least disable remote access to resources. This doesn't really
mean you are completely secure though. But I guess it's better than nothing.
I strongly suggest some kind of firewall though; even the built-in XP
firewall is fairly effective and much less annoying than the fancier
3rd-party products.
One caveat is that firewalls sometimes interfere with things like online
games.
I'm surprised that the Security audit log was actually turned on. Last time
I checked, it is "off" by default. Anyway, I'd examine it very carefully
for any "successes" that come from a foreign source :)
-------------------
Colin Nash
Microsoft MVP
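Colin's suggestion to comb the Security audit log for "successes" from a foreign source can be scripted against a saved copy of the log. This is an added example, not code from anyone in the thread; it assumes a constructed CSV export with the column layout shown in the comment, and uses the Windows XP Security event IDs 529 (failed logon) and 528/540 (successful interactive/network logon).

```python
"""Triage a saved Windows XP Security log for remote logon activity.

Added example, not from the thread. Assumes the log was saved from Event
Viewer as CSV with the (constructed) columns below; the workstation names
and account names in the sample are made up for illustration.
"""
import csv
from collections import Counter
from io import StringIO

# Windows XP Security event IDs (pre-Vista numbering).
FAILED_LOGON = 529             # unknown user name or bad password
SUCCESSFUL_LOGON = {528, 540}  # interactive logon, network logon

# Constructed sample: Date,Time,Type,EventID,TargetAccount,SourceWorkstation
SAMPLE_LOG = """\
01/29/2004,22:01:13,Failure Audit,529,Administrator,WKS-7F3A
01/29/2004,22:01:14,Failure Audit,529,Administrator,WKS-7F3A
01/29/2004,22:01:15,Failure Audit,529,admin,WKS-7F3A
01/29/2004,22:02:40,Success Audit,540,Guest,WKS-7F3A
01/29/2004,22:10:02,Success Audit,528,brian,LAWPC
01/29/2004,22:15:31,Failure Audit,529,Administrator,REDPC
"""


def triage(csv_text, local_host, known_users):
    """Return (failed attempts per remote source, suspicious successful logons).

    A logon is 'remote' when the source workstation is not this machine;
    a success is suspicious when it is remote or uses an account the owner
    does not recognise (Brian's "not the actual user" case).
    """
    failures = Counter()
    suspicious = []
    for row in csv.reader(StringIO(csv_text)):
        if len(row) != 6:
            continue  # skip a header line or a malformed row
        date, time, _kind, event_id, account, source = row
        event_id = int(event_id)
        remote = source.upper() != local_host.upper()
        if event_id == FAILED_LOGON and remote:
            failures[source] += 1
        elif event_id in SUCCESSFUL_LOGON and (remote or account not in known_users):
            suspicious.append((date, time, account, source))
    return failures, suspicious


if __name__ == "__main__":
    fails, hits = triage(SAMPLE_LOG, "LAWPC", {"brian"})
    for src, n in fails.most_common():
        print(f"{n:3d} failed logons from {src}")
    for hit in hits:
        print("SUSPICIOUS SUCCESS:", *hit)
```

Replace `SAMPLE_LOG` with the real export, `"LAWPC"` with the machine's own name and the set with the accounts the owner actually uses; any line the script prints as a suspicious success is the one Colin says to examine carefully.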
Colin Nash - [MVP Windows Hardware]
January 30th 04, 05:24 AM
Carey brings up a good point.
If you are truly serious about security, once a system has been compromised
by a virus, hacker etc., you need to isolate it and wipe it clean since it
can no longer be trusted and there's always a chance that something else has
been hidden deep in there.
Obviously this may sound like overkill but it depends how much security
really matters to you. It's a tradeoff between your time and your peace of
mind.
Besides, reinstalling Windows is good practice and lotsa fun ;)
-------------------
Colin Nash
Microsoft MVP
Roger Abell [MVP]
January 30th 04, 11:41 AM
We have to believe what you have said about accounts and successful
logins. If someone has logged in and it is with an empowered account
or while the system was vulnerable to an exploit that allowed a limited
user that is logged in to obtain a process running as System, then you
have no choice but to assume that there are things hidden and waiting.
You could
1. review all accounts that are defined.
   Do this with net use, as the UI in Home tends to mask some things.
2. take any unknown empowered accounts as a big warning sign
3. remove or disable all that are believed not used/needed
4. set strong, new passwords on all accounts
5. turn on the firewall, and get up-to-date antivirus and anti-malware
6. set up for automatic update and inform owner on use and need
7. tell owner the machine is a business machine, not one at Home
   and so it should not be XP Home (doh!)
Then watch it for anything unusual: what is running after a fresh boot,
and after being up for a couple of days, what ports are outwardly visible,
etc., and be prepared for a fresh format and install.
Aly
January 30th 04, 05:21 PM
Reformatting the PC is required for a clean slate, and install antivirus as
soon as possible. If you're like me and don't want to part with your
cash, go to www.grisoft.com for a free antivirus, and I do add it's the
most reliable I've ever come across. I've been using it for 4 years; it
comes with its own scanner in email and firewall.
Best of luck!
Aly