Win2k Netstat sockets interpretation

Discussion in 'Computer Security' started by warf, Jan 28, 2007.

  1. warf

    warf Guest

    I have been trying to learn as much as I can about internet 'security'
    to get a better feeling for what data is leaving my home,
    cable-connected computer.
    Win2K SP4, ZAint-security7-Highsecurity, cookies expired immediately,
    remote access service disabled, file sharing deleted in 'network adapter
    properties'. T-bird, Firefox 2.0

    BUT, netstat /a indicates netbios ports 137,138,139,445 listening when I
    allow ZA to allow T-bird to act as a server to connect to the
    mail/news server.

    I am confused by netstat's output and don't understand the loopback
    0.0.0.0 ports, the 255.255.255 gateway significance? I see when I have
    established TCP/IP connections to webpages' IP addresses, but the other
    report outputs are confusing?

    For eg; If I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I
    notice random ports assigned to URLs or IP addresses. Most are obvious,
    but Akamaitech~ is frequently there and Firefox always has 4 connections
    local and 4 remote open in addition to the URL I am browsing????

    The output from Ethereal showed a big download in the background from
    Google...hex and what looks like certificates or host file additions to
    banks .....I have no option to control F.F. updates and would like to know
    when/what is updated since permissions and options have a nasty habit of
    being reset to 'lame' when updates happen silently [old M$ trick]

    I have checked many netstat resources to no avail...help?
    Warf, back in the saddle....but I'm still slippin off!
     
    warf, Jan 28, 2007
    #1

  2. warf wrote:

    > I have been trying to learn as much as I can about internet 'security'


    Obviously you didn't. Otherwise you would have never installed:
    >ZAint-security7-Highsecurity,

    to **** up your system for no good reason.

    > to get a better feeling for what data is leaving my home,


    Eh... is that any serious problem at all?

    > cookies expired immediately,


    What a nonsense. Seems like you don't understand the concept of cookies.

    > BUT, netstat /a indicates netbios ports 137,138,139,445 listening


    See, you didn't learn anything. You didn't even disable the SMB binding and
    the NetBIOS bindings. And this even when some clever guys already collected
    an easily understandable overview on websites like
    <http://ntsvcfg.de/ntsvcfg_eng.html>.

    > when I allow ZA to allow T-bird to act as a server


    Again, pure nonsense. Thunderbird doesn't open any ports in LISTENING
    state. And no, the things below are no excuse for ZA.

    > I am confused by netstats output and don't understand the loopback
    > 0.0.0.0 ports, the 255.255.255 gateway significance?


    0.0.0.0 is no loopback, 255.255.255.x is no gateway. You want to run a
    host-based packet filter as a security mechanism, but you don't even have
    the slightest clue about TCP/IP? Go figure!

    > For eg; If I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I
    > notice random ports assigned to URLs or IP addresses.


    > and Firefox always has 4 connections local and 4 remote open in addition
    > to the URL I am browsing????


    *repeating the thousandth time*
    'netstat' on Win2K provides a view on the state of the *TDI interface*, not
    the actual TCP/IP sockets. The TDI interface has different semantics, and
    something appearing as 0.0.0.0 listening means "an outstanding request to
    open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
    If you had just taken the simplest measures to actually verify such bogus
    open ports with a port scan, you'd have found them closed.

    > but Akamaitech~ is frequently there


    Wow... Windows Automatic Updates... the mysteries of technology aren't to
    be believed !!!11

    > I have checked many netstat resources to no avail...help?


    MSDN... Ah, might just be better to get a replacement which works like the
    real netstat command, e.g. TcpView from Sysinternals^W Microsoft.
     
    Sebastian Gottschalk, Jan 29, 2007
    #2

  3. warf

    warf Guest

    Sebastian Gottschalk wrote:
    > warf wrote:
    >
    >> I have been trying to learn as much as I can about internet 'security'

    snip diatribe and gratuitous snarling....
    >> to get a better feeling for what data is leaving my home,


    > Eh... is that any serious problem at all?


    Yes, if you have, or ever did have, any media on your system, or if you
    realize the RIAA and ilk will someday get the legal club to go after
    'other' citizens for $750USD/title, or even if you are just fed up with
    surreptitious datamining for unstated purposes, or if subversion of your
    connection for nefarious purposes is 'problematic': then, YES.

    >> BUT, netstat /a indicates netbios ports 137,138,139,445 listening

    >
    > See, you didn't learn anything. You didn't even disable the SMB binding and
    > the NetBIOS bindings. And this even when some clever guys already collected
    > an easily understandable overview on websites like
    > <http://ntsvcfg.de/ntsvcfg_eng.html>.


    I said I was "trying"....never claimed to 'know'. Better I should be like
    the rest of the cattle and pretend it is not really going to affect me?
    By making an effort to learn I take responsibility...you have been
    helpful..even if grumpy.

    >
    >> when I allow ZA to allow T-bird to act as a server

    snip.......
    Restated: "When I run T-bird, ZA tells me T-bird wants to access the
    internet and act as a server."
    I have deleted "file and print sharing" under "internet connections" and
    disabled most recognizable "remote access" services under 'services.msc',
    but ZA detects a few remote access modules running and gives them
    permission if I select "OK" to the suggested query.
    AND
    >> For eg; If I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I
    >> notice random ports assigned to URLs or IP addresses.

    >
    >> and Firefox always has 4 connections local and 4 remote open in addition
    >> to the URL I am browsing????



    > *repeating the thousandth time*
    > 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
    > the actual TCP/IP sockets. The TDI interface has different semantics, and
    > something appearing as 0.0.0.0 listening means "an outstanding request to
    > open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
    > If you had just taken the simplest measures to actually verify such bogus
    > open ports with a port scan, you'd have found them closed.


    I am using Ethereal and there is traffic...I am 'learning' but it is a
    very complex topic ...for non-pros like me...but that is why I ask.

    >> but Akamaitech~ is frequently there

    >
    > Wow... Windows Automatic Updates... the mysteries of technology aren't to
    > be believed !!!11


    no, WINUPDATE is manual...I reassembled the TCP/IP stream and saw in
    one instance it was a ZA update. This concurs with the stated utility
    of those servers. I read conflicting ideas as to the scope of the AKAMAI
    servers and wondered why I would be 'uploading' to them as well...with
    opt-out selected for all products' 'satisfaction' reports.

    >> I have checked many netstat resources to no avail...help?

    >
    > MSDN... Ah, might just be better to get a replacement which works like the
    > real netstat command, f.e. TcpView from Sysinternals^W Microsoft.


    Now I have to spracken ze duetch. That is exactly what I needed but the
    language for the links is all German!!! Damn.

    Briefly: How does one interpret the 'listening', 'waiting',
    'established' and all the other port information netstat lists? The only
    one I get is one with a 'foreign' IP and 'established'...those are
    actual internet connections, right?
    Eastlink is very coy and stingy with 'what services and ports I require'
    info...so I am trying to learn through you and int-resources.

    Thanks for that helpful link...wish I spoke enough German to decipher it!
    Warf.
     
    warf, Jan 30, 2007
    #3
  4. warf wrote:

    > Sebastian Gottschalk wrote:
    >> warf wrote:
    >>
    >>> I have been trying to learn as much as I can about internet 'security'

    > snip diatribe and gratuitous snarling....
    >>> to get a better feeling for what data is leaving my home,

    >
    >> Eh... is that any serious problem at all?

    > [...]
    > or if subversion of your connection for nefarious purposes is
    > 'problematic': then, YES.


    Subversion of your connection implies malicious software. There's nothing
    you can do against this except to ensure that it doesn't get executed in
    the first place. Once it's running, you've lost.

    >>> when I allow ZA to allow T-bird to act as a server

    > snip.......
    > Restated "When I run T-bird ZA tells me T-bird wants to access the
    > internet and act as a server.


    Then uninstall this software. It's obviously telling nonsense.

    >>> For eg; If I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I
    >>> notice random ports assigned to URLs or IP addresses.

    >>
    >>> and Firefox always has 4 connections local and 4 remote open in addition
    >>> to the URL I am browsing????

    >
    >> *repeating the thousandth time*
    >> 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
    >> the actual TCP/IP sockets. The TDI interface has different semantics, and
    >> something appearing as 0.0.0.0 listening means "an outstanding request to
    >> open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
    >> If you had just taken the simplest measures to actually verify such bogus
    >> open ports with a port scan, you'd have found them closed.

    >
    > I am using Ethereal


    Fine, then why don't you provide a dump of which traffic you see and what's
    unclear to you?

    > and there is traffic...


    Let's hash this together:

    If a socket is not in LISTENING state, even though TDI says so, then all
    incoming traffic to that port gets a TCP RST as reply. Nothing more.

    If you're actively sending data on this port, it should be in the OPEN
    state and TDI just gets it wrong as well.

    If you're passively sending data on this port really being in LISTENING
    state, then it can't be on 0.0.0.0, but must be bound to an interface. (An
    exception would be Raw Sockets, but this almost never applies.)

    In any case, TDI gets it wrong. Thus, there is traffic, but no port in
    LISTENING state.

    > I reassembled the TCP/IP stream and saw in
    > one instance it was a ZA update. This concurs with the stated utility
    > of those servers. I read conflicting ideas as to the scope of the AKAMAI
    > servers and wondered why I would be 'uploading' to them as well...with
    > opt-out selected for all products' 'satisfaction' reports.


    This "upload" is either the requests for the download or the ACKs of the
    connection.

    Unless we once again caught ZoneAlarm spying on the users.

    >>> I have checked many netstat resources to no avail...help?

    >>
    >> MSDN... Ah, might just be better to get a replacement which works like the
    >> real netstat command, f.e. TcpView from Sysinternals^W Microsoft.

    >
    > Now I have to spracken ze duetch. That is exactly what I needed but the
    > language for the links is all German!!! Damn.


    Ehm... now why don't you grab TcpView?

    > Briefly: How does one interpret the 'listening', 'waiting',
    > 'established' and all the other port information netstat lists?


    Read RFC 793. On page 21 you'll find a wonderful ASCII art illustration.

    > Eastlink is very coy and stingy with 'what services and ports I require'


    As a client you don't require any services at all.
     
    Sebastian Gottschalk, Jan 30, 2007
    #4
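    An added example, not code from either poster, that applies the reading of Win2K netstat output given above and the RFC 793 states warf asks about: it parses a constructed `netstat -a` sample (addresses and ports invented), labels each line, and probes a port netstat calls LISTENING from the outside so a TDI artifact can be told from a real listener. The function and constant names are mine.

```python
"""Interpret Win2K `netstat -a` output in the terms used in the thread. Added
example, not code from either poster; SAMPLE_NETSTAT is constructed."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout `netstat -a` prints (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1044      72.14.207.99:80        ESTABLISHED
  TCP    192.168.0.10:1045      72.14.207.99:443       TIME_WAIT
  TCP    127.0.0.1:1046         127.0.0.1:1047         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.0.10:138       *:*
"""

NETBIOS_SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session + SMB

STATE_MEANING = {  # the other TCP states, following the RFC 793 state diagram
    "SYN_SENT": "we sent a SYN and are waiting for the peer's SYN/ACK",
    "CLOSE_WAIT": "peer sent FIN; the local program has not closed yet",
    "TIME_WAIT": "closed; lingering so stray late segments are discarded",
}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$")

@dataclass
class Entry:
    proto: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: Optional[int]  # None for the UDP "*:*" wildcard
    state: Optional[str]         # None for UDP

def parse_netstat(text: str) -> List[Entry]:
    """Parse the table; banner, column headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            entries.append(Entry(proto, laddr, int(lport), faddr,
                                 None if fport == "*" else int(fport), state))
    return entries

def classify(e: Entry) -> str:
    """One-line reading of an entry, using the rules given in the thread."""
    if e.proto == "UDP":
        return "UDP endpoint; '*:*' only means no peer is fixed"
    if e.state == "ESTABLISHED":
        if e.foreign_addr.startswith("127."):
            return "loopback connection between two programs on this host"
        return "actual connection to a remote host"
    if e.state == "LISTENING" and e.local_addr == "0.0.0.0":
        # 0.0.0.0 is the unspecified address, not loopback. Per the thread, Win2K
        # netstat shows the TDI view, so this may be a pending outbound connect.
        return "wildcard LISTENING via TDI: may be no real socket, verify"
    if e.state == "LISTENING":
        return "listening socket bound to interface " + e.local_addr
    return STATE_MEANING.get(e.state or "", "unknown state: %s" % e.state)

def probe_local_port(port: int, host: str = "127.0.0.1",
                     timeout: float = 0.5) -> bool:
    """Check a claimed listener from outside: a real one completes the handshake,
    a closed port answers RST, which surfaces here as ConnectionRefusedError."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError and socket.timeout
            return False

def loopback_listener() -> socket.socket:
    """A real listener on an ephemeral loopback port, to exercise the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

def summarize(text: str) -> Dict[str, list]:
    """Split the output into what a reader of netstat actually wants to know."""
    es = parse_netstat(text)
    return {
        "remote_established": sorted("%s:%d" % (e.foreign_addr, e.foreign_port)
                                     for e in es if e.state == "ESTABLISHED"
                                     and not e.foreign_addr.startswith("127.")),
        "wildcard_listeners": sorted(e.local_port for e in es
                                     if e.state == "LISTENING"
                                     and e.local_addr == "0.0.0.0"),
        "netbios_smb_ports": sorted({e.local_port for e in es
                                     if e.local_port in NETBIOS_SMB_PORTS}),
    }
```

    Only the ESTABLISHED line with a non-loopback foreign address is an unambiguous internet connection; the wildcard listeners are what the probe is for.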
  5. warf

    warf Guest

    Sebastian Gottschalk wrote:
    > warf wrote:
    >
    >> Sebastian Gottschalk wrote:
    >>> warf wrote:
    >>>
    >>>> I have been trying to learn as much as I can about internet 'security'

    snip....
    > Ehm... now why don't you grap TcpView?


    I have it, Sebastian; while useful it appears to yield a subsection of
    what Spybot S&D 'processtool' coughs up. And S&D lists modules and
    processes, etc...

    I am reading the Win2k manual and it explains the difference between
    application 'ports', sockets [winsock] and the various protocols layered
    within. I am getting a 'better' picture of the hierarchy.
    I am still confused by 'NETBEUI' [not NETBIOS, which I understand is simply
    a file/print sharing protocol, yes?] Even when I have 'SERVER', FILE
    PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports
    136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???
    Then Ethereal shows NETBEUI "name lookup" traffic...is this the DHCP IP
    renewal server contacting my cable ISP to register my IP?

    I ask because in an effort to disable all 'remote access' I inevitably
    lose DNS lookup or something that can't be restored short of an OS
    REPAIR install...and that gets tiring..."wipe and rebuild"

    >> Eastlink is very coy and stingy with 'what services and ports I require'

    >
    > As a client you don't require any services at all.


    As a cable modem customer placed directly on the Inet backbone, if I
    block ALL servers via ZA I lose DNS lookup, autoupdates and I can't
    restore it easily...

    Most of the W2K essential services [services.msc] are hard to ascertain
    for HTTP internet browsing, pop/smtp and newsgroups...for eg: REMOTE
    ACCESS CONNECTION MGR....seems to imply "I am a server" if allowed to
    start automatically....but DHCP fails because NETBEUI is inactivated if I
    disable it in services.msc

    I'll get it someday.
    I sure wish that link you sent me was in English as well as German...c'est
    la guerre.
    Warf.
     
    warf, Feb 4, 2007
    #5
  6. warf wrote:

    > Even when I have 'SERVER', FILE
    > PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports
    > 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???


    Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

    > I ask because in an effort to disable all 'remote access' I inevitably
    > lose DNS lookup or something that can't be restored short of an OS
    > REPAIR install...


    Then why don't you read before acting?

    > and that gets tiring..."wipe and rebuild"


    Nonsense. It's trivial to backup and restore the service configuration.

    > but DHCP fails because NETBEUI is inactivated if I disable it in services.msc


    Very strange.
     
    Sebastian Gottschalk, Feb 4, 2007
    #6
  7. warf

    warf Guest

    Re: Clarification-Win2k Netstat sockets interpretation

    Sebastian Gottschalk wrote:
    > warf wrote:
    >
    >> Even when I have 'SERVER', FILE
    >> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports
    >> 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???

    >
    > Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?


    I did...twice, even emailed the admin [very nice guy] who said they only
    have Deutsch pages linked for the near future. It is exactly what I
    need though.

    >
    >> I ask because in an effort to disable all 'remote access' I inevitably
    >> lose DNS lookup or something that can't be restored short of an OS
    >> REPAIR install...

    >
    > Then why don't you read before acting?


    Vide supra...

    >
    >> and that gets tiring..."wipe and rebuild"

    >
    > Nonsense. It's trivial to backup and restore the service configuration.


    Correct me if I am wrong [like I have to offer...grin]: new versions of
    mal-executables are very stealthy 'and sticky' vis-à-vis code-melt, MBR
    partition hiding, kernel level misdirection of detection...ad naus.

    FOR EG...while updating my firewall a newly discovered file infecting
    virus [with no known repair method to date] slid in with the update TCP
    traffic and settled in the Winnt\internetlogs\ZA as J.S-LAME and was
    flagged during the subsequent bit level scan.
    So...to what extent, if any, my files were compromised or if it had
    even yet been executed is unknown. SO....I take your oft 'suggested'
    advice and WIPE then REBUILD.

    Are you suggesting you were remiss for that advice?

    I accepted your erstwhile advice re rebuilding and:
    I acted atavistically and installed Win2000 on a spare laptop with no
    useful data just so I could do a better job of noting changes AND
    rebuild in far less time than with my XP machine.
    Then I still have to install SP4, ZA, Ethereal, TCPview, Spybot, Adaware,
    Dlink router setup, all the Ibuddie drivers for NICard THEN...disable a
    dozen services, remove FILE&PRINT SHARING, T-BIRD, FIREFOX and configure
    the Dlink WLan [kill it!] enable the Dlink WAN, clone the MAC address,
    set the lame software defaults to block mobile code, not save any
    ..DAT,HST...nor cookies web-bugs and like ilk....then fight for an hour
    to find which services I accidentally disabled with names like "REMOTE
    ACCESS...REMOTE DESKTOP...DNS...DHCP...TCP/NETBEUI..." and so on and on.

    All because I lost my innocence reading how the boys at PHRAK get their
    jollies!

    SO>>>>>>>maybe it's easy for you but for plebs like me playing with the
    big leaguers in kids' gear [actually, ironically the inverse is more likely!]
    it is hard not to add to the problem by naively being a server for
    malcode and redirection and providing safe haven for code that should be
    nuked.

    >> but DHCP fails because NETBEUI is inactivated if I disable it in services.msc

    >
    > Very strange.


    I thought so as well... and that is because I am not even sure of what I
    don't know yet. [as I grin weakly and apologetically for inflicting my
    carcass on you ...sycophantically groveling for pearls of info.] Most
    webpages on the subject say disable DNS lookup [or is it DNS server?] and
    DHCP if acting as a client only. My
    inability to connect

    My ISP provides no filtering for us...Straight to the pipe [backbone]
    with our cable modems. A report on Eastlink.ca indicates a problem with
    an "open DNS server" and they require DHCP for IP acquisition...which is
    'maybe' why the actions of my services.msc changes are not immediate???

    With Ethereal in 'promiscuous mode' it is incredible [to me] how much
    broadcasting and ICMP traffic there is at any one moment.
    Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
    actively seeking vulnerable IP addresses is unknown to me but this is a fact:
    Twice, while connecting my computer to the internet via an ethernet cable
    and W2k [no firewall] I had a bogus popup before I could even pop in the
    ZA CD....as though there is near constant broadcasting seeking open
    unprotected servers to compromise.

    Help?
    Warf.
     
    warf, Feb 4, 2007
    #7
  8. Re: Clarification-Win2k Netstat sockets interpretation

    warf wrote:

    > Sebastian Gottschalk wrote:
    >> warf wrote:
    >>
    >>> Even when I have 'SERVER', FILE
    >>> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports
    >>> 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???

    >>
    >> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

    >
    > I did...twice, even emailed the admin [very nice guy] who said they only
    > have Deutsch pages linked for the near future. It is exactly what I
    > need though.


    The one specified page I linked is written in English, so is the script.
    Only the website linking the content of the script to the specific services
    sadly is only in German.

    Thus, what about now finally understanding that this script does exactly
    what you want?

    >>> and that gets tiring..."wipe and rebuild"

    >>
    >> Nonsense. It's trivial to backup and restore the service configuration.

    >
    > Correct me if I am wrong [like I have to offer...grin]: new versions of
    > mal-executables are very stealthy 'and sticky' vis-à-vis code-melt, MBR
    > partition hiding, kernel level misdirection of detection...ad naus.


    I thought you just referred to yourself fucking up the service configuration
    by experimenting.

    > and settled in the Winnt\internetlogs\ZA as J.S-LAME


    JS-Lame sounds like a JavaScript which does some non-malicious, but
    annoying (thus lame) action. I guess its description will point this out
    exactly.

    > So...to what extent, if any, my files were compromised or if it had
    > even yet been executed is unknown. SO....i take your oft 'suggested'
    > advice and WIPE then REBUILD.


    When did this discussion start off? I assumed that you've already done so.

    > I accepted your erstwhile advice re rebuilding and:
    > I acted atavistically and installed Win2000 on a spare laptop with no
    > useful data just so I could do a better job of noting changes AND
    > rebuild in far less time than with my XP machine.


    A rebuild with an image backup is surely way faster.

    > Then istill have to install,SP4,ZA,Ethereal,TCPview,Spybot,Adaware,


    SP4 should have already been integrated in your Windows 2000 CD. And still
    I sense at least 3 superfluous programs in that list.

    > Dlink router setup,


    WTF? Doesn't it have a web configuration interface?

    > all the Ibuddie drivers for NICard


    WTF? What a bunch of bloat is your NIC driver?

    > THEN...disable a dozenservices,remove FILE&PRINT SHARING,


    Yes, reasonable.

    > T-BIRD,FIREFOX


    Well, try SeaMonkey. :)

    > set the lame software defaults to block mobile code,


    What software and which settings?

    > not save any .DAT,HST


    What?

    >...nor cookies web-bugs and like ilk....


    You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.

    > then fight for an hour to find which services I accidently disabled


    See? That's why you should take a look at the ntsvcfg script.

    > All because i lost my innocense reading how the boys at PHRAK get their
    > jollies!


    Then why aren't you running a Unix flavour?

    >>> but DHCP fails because NETBEUI is inactivated if I disable it in services.msc

    >>
    >> Very strange.

    >
    > I thought so as well... and that is because I am not even sure of what I
    > don't know yet.


    Maybe you might use Regmon to track down this bug?

    > With Ethereal in 'promiscuous mode' it is incredible [to me] how much
    > broadcasting and icmp traffic there is at any one moment.
    > Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
    > actively seeking vulnerable IP addresses is unknown to me but this is a fact:
    > Twice, while connecting my computer to the internet via an ethernet cable
    > and W2k [no firewall] I had a bogus popup before I could even pop in the
    > ZA CD....as though there is near constant broadcasting seeking open
    > unprotected servers to compromise.
    >
    > Help?


    Get the patches installed before you go online. Or at least get the
    vulnerable services deactivated. Or activate the TCP/IP filtering or RAS
    firewall.
     
    Sebastian Gottschalk, Feb 4, 2007
    #8
  9. warf

    warf Guest

    Re: Clarification-Win2k Netstat sockets interpretation

    Sebastian Gottschalk wrote:
    > warf wrote:
    >
    >> Sebastian Gottschalk wrote:
    >>> warf wrote:
    >>>
    >>>> Even when I have 'SERVER', FILE
    >>>> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBEUI ports
    >>>> 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???
    >>> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

    >> I did...twice, even emailed the admin [very nice guy] who said they only
    >> have Deutsch pages linked for the near future. It is exactly what I
    >> need though.

    >
    > The one specified page I linked is written in English, so is the script.
    > Only the website linking the content of the script to the specific services
    > sadly is only in German.
    >
    > Thus, what about now finally understanding that this script does exactly
    > what you want?


    Ungh, I took for granted that running someone else's code to accomplish a
    task I 'could' do manually was sloppy and invited malware?
    I think I also just read that security rule #1 was "If you are running
    unknown code you have already lost control". I know very little of ANY of
    the code on my machine so...I ask you, "is it safe"
    [Marathon Man, Dustin Hoffman]

    >>>> and that gets tiring..."wipe and rebuild"
    >>> Nonsense. It's trivial to backup and restore the service configuration.

    >> Correct me if I am wrong [like I have to offer...grin]: new versions of
    >> mal-executables are very stealthy 'and sticky' vis-à-vis code-melt, MBR
    >> partition hiding, kernel level misdirection of detection...ad naus.

    >
    > I thought you just referred to yourself fucking up the service configuration
    > by experimenting.


    yes...that is why I seek your help... to allow me to access the internet
    somewhat safely whilst edifying myself as to the vagaries of
    I-protocol...and M$ weaknesses.

    >> and settled in the Winnt\internetlogs\ZA as J.S-LAME

    >
    > JS-Lame sounds like a JavaScript which does some non-malicious, but
    > annoying (thus lame) action. I guess its description will point this out
    > exactly.


    Well I can't wait for the VBS-blowjob virus to go wild!

    snip..
    > SP4 should have already been integrated in your Windows 2000 CD. And still
    > I sense at least 3 superfluous programs in that list.

    no, it is an older OEM disk...It lacks USB 2.0, so I take my saved SP4
    upgrade I got before M$ made us pull our pants down and take a shot of
    code to make sure we own the OS install.
    BTW...I drop the defenses reluctantly and incrementally to enable manual
    update [upgrade] from M$ but still don't pass the 'wide open vulnerable
    enough to allow your upgrade' test.

    >
    >> Dlink router setup,

    > WTF? Doesn't it have a web configuration interface?


    Yes it does. If you understand MAC address and cloning same, protocols,
    SSID, WLAN/WAN/LAN, ad infinitum...AND don't allow their farmed out tech
    support to mislead you about when the WAN is actually activated, it is
    probably a snap to make it secure...AND functional. I now know
    192.168.0.1 like I know my birthdate!

    >
    >> all the Ibuddie drivers for NICard

    >
    > WTF? What a bunch of bloat is your NIC driver?


    SIS drivers have a lot of applets.

    >> THEN...disable a dozenservices,remove FILE&PRINT SHARING,

    >
    > Yes, reasonable.


    Ok,I'm feelin on track now!

    >
    >> set the lame software defaults to block mobile code,


    ZA, Dlink setup utility requires J-script enabled or it won't update
    settings.....it just makes you think it does.

    >
    > What software and which settings?
    >
    >> not save any .DAT,HST

    >
    > What?



    I'm just making a point; I dislike all the tracking of everything I
    type, save, see, use, start, stop, plug in etc., so disable password saving,
    history, remember last file etc.

    >> ...nor cookies web-bugs and like ilk....

    >
    > You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.


    Web-bugs do...scroll your mouse over bug-encoded webpages and watch the
    script call in the lower left...OR use DOM editor. A single pixel is
    enough..and it can be the same color as the background => invisible.
    Scripted cookies are certainly capable of doing malicious things, as I
    read, AND, every problem [not of my own doing by
    disabling useful services] has occurred while temporarily enabling Java
    /JavaScript or 'mobile code' to accomplish a download or a device
    configuration. I get security levels reset, host file manipulated etc...
    I have been reading that the old cookie has been supplanted with a
    myriad of ways to get info you or I would likely not volunteer if given
    a choice before it happened.

    I doubt you are didactically 'out of date' on mal-techniques datamining
    and exploits, so what are you getting at? Seriously, I know only
    what I read from security dedicated websites...and less from opinion
    columns and NGs unless public scrutiny exposes a fake professor.

    >> then fight for an hour to find which services I accidently disabled

    >
    > See? That why you should take a look at the ntsvcfg script.


    Well then I ask you; is that not the same as installing utilities from
    websites? [like going sans condom, eventually something comes.... alive!

    >> All because i lost my innocense reading how the boys at PHRAK get their
    >> jollies!

    >
    > Then why aren't you running a Unix flavour?


    I bought a MANDRAKE kit and realized that it was only safer because I
    'could' get to know the code intimately [unlike M$ code]. In
    other words, it is only safer if I REALLY understand what I'm doing. I
    plan to install it on a separate laptop specifically for learning, and
    learning about the free V-OS I have as well.
    Until then, I am still working on making windows work for me. [country
    song in the works]

    >>>> but DHCP fails because NETBEUI is inactivated if I disable it in services.msc
    >>> Very strange.

    >> I thought so as well... and that is because I am not even sure of what I
    >> don't know yet.

    >
    > Maybe you might use Regmon to track down this bug?


    Does regmon track registry changes? ZA alerts me to ALLOW/DISALLOW every
    instance of a program, module or process before it makes a registry
    change. There are still many changes that slip by unannounced though;
    must be at the kernel level? [ring1?] Even Spybot Teatimer stops
    responding to registry changes after a few days.

    I have a beef with all commercial security software [to date]; in order
    to allow people with even less knowledge than I to get running they
    allow some questionable defaults on install. FOR EG; both McAfee and
    Symantec allow everything already on your computer 'trusted' status...from
    spyware, datamining phone-home-ware to mal-ware. Worse, you can't
    unselect many of them either.
    At least ZA allows manual reconfiguration but who would want to allow
    WEBBUGS and a dozen or so clicktracking URLs to have 'trusted' status by
    default...unless they paid for that privilege!? At least they can be
    removed though in ZA.

    >
    >> With Ethereal in 'promiscuous mode' it is incredible [to me] how much
    >> broadcasting and icmp traffic there is at any one moment.
    >> Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
    >> actively seeking vulnerable IP addresses is unknown to me but this is a fact:
    >> Twice, while connecting my computer to the internet via an ethernet cable
    >> and W2k [no firewall] I had a bogus popup before I could even pop in the
    >> ZA CD....as though there is near constant broadcasting seeking open
    >> unprotected servers to compromise.
    >>
    >> Help?

    >
    > Get the patches installed before you go online. Or at least get the
    > vulnerable services deactivated. Or activate the TCP/IP filtering or RAS
    > firewall.


    I saw that applet. Would I enable filtering of TCP,UDP,IP and allow only
    port 80 I/O, 110 In, 25 Out, 53 I/O [dns lookup]?
    There is an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP

    This is exactly where I eventually disable something and can't recover.
    All I want is HTTP browsing, email and newsreader...maybe file download.
    Is that so hard to enable without losing DNS lookup, DHCP IP assignment
    and connect ability?

    I know your time is valuable.
    maybe I'll try the script for now...of course I have to pull down my
    pants to download and then run it though.
    Warf.
     
    warf, Feb 5, 2007
    #9
  10. Re: Clarification-Win2k Netstat sockets interpretation

    warf wrote:

    >> Thus, what about now finally understanding that this script does exactly
    >> what you want?

    >
    > Ungh, I took for granted that running someone else's code to accomplish a
    > task I 'could' do manually was sloppy and invited malware?


    Isn't that the reason why it's Open Source? (besides that this is by design)

    >>> and settled in the Winnt\internetlogs\ZA as J.S-LAME

    >>
    >> JS-Lame sounds like a JavaScript which does some non-malicious, but
    >> annoying (thus lame) action. I guess its description will point this out
    >> exactly.

    >
    > Well I can't wait for the VBS-blowjob virus to go wild!


    And I can't wait for an RFC for "remote-stabbing over TCP/IP"...

    >> SP4 should have already been integrated in your Windows 2000 CD. And still
    >> I sense at least 3 superfluous programs in that list.

    > No, it is an older OEM disk...It lacks USB2.0


    There are various guides on the net that describe how to convert an OEM
    install disc into a retail version. But, even though, OEM disks can also
    get SP4 integrated.

    > So I take my saved SP4
    > upgrade I got before M$ made us pull our pants down and take a shot of
    > code to make sure we own the OS install.


    Huh?

    > BTW...I drop the defenses reluctantly and incrementally to enable manual
    > update [upgrade] from M$ but still don't pass the 'wideopenvulnerable
    > enough to allow your upgrade' test.


    Are you talking about Windows Automatic Updates or the Windows Update
    website?

    >> What software and which settings?
    >>
    >>> not save any .DAT,HST

    >>
    >> What?

    >
    > I'm just making a point; I dislike all the tracking of everything I
    > type,save,see,use,start,stop,plugin etc,


    Even if this is just supposed to assist you?

    >>> ...nor cookies web-bugs and like ilk....

    >>
    >> You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.

    >
    > Web-bugs do...scroll your mouse over bug-encoded webpages and watch the
    > script call in the lower left...OR use DOM editor. A single pixel is
    > enough..and it can be the same color as the background=> invisible.


    This is no web-bug. It's something that is supposed to work like this, and
    there's nothing malicious about it.

    > Scripted cookies are certainly capable of doing malicious things,


    So? What specifically?

    > as I read, AND, every problem [not of my own doing by
    > disabling useful services] has occurred while temporarily enabling Java
    > /Java-Scripting or 'mobile code' to accomplish a download or a device
    > configuration.


    Interesting. Could it be that your Java VM and/or your webbrowser is
    totally outdated?

    > I get security levels reset, host file manipulated etc...


    WTF? A non-admin user doesn't even have write access to the HOSTS file.


    > I doubt you are didactically 'out of date' on mal-techniques datamining
    > and exploits, so what are you getting at?


    You should learn to distinguish between non-identifying information,
    computer-identifying information and personal information, as well as who
    can read it under which circumstances.

    About exploits: The official statistics tell that Mozilla Firefox, if
    always kept up-to-date, was at best vulnerable for 34 days for a
    non-critical problem. Which could already have been worked around by
    pro-active configuration.

    >>> then fight for an hour to find which services I accidentally disabled

    >>
    >> See? That's why you should take a look at the ntsvcfg script.

    >
    > Well then I ask you; is that not the same as installing utilities from
    > websites?


    A script is a script is a series of commands that you can read in
    cleartext. You can easily read how the script determines the Windows
    version, configures the services and adds registry entries.

    >>> All because I lost my innocence reading how the boys at PHRAK get their
    >>> jollies!

    >>
    >> Then why aren't you running a Unix flavour?

    >
    > I bought a MANDRAKE kit


    I pity you. Mandrake is about the second-worst to start off.

    >>>>> but DHCP fails because NetBEUI is inactivated If I disable it in services.msc
    >>>> Very strange.
    >>> I thought so as well... and that is because I am not even sure of what I
    >>> don't know yet.

    >>
    >> Maybe you might use Regmon to track down this bug?

    >
    > Does regmon track registry changes?


    As the name (and the description of the program) implies.

    > ZA alerts me to ALLOW/DISALLOW every instance of a program,
    > module or process before it makes a registry change.


    If you're still running ZoneAlarm, you shouldn't wonder about anything
    going wrong in your system. The registry function filter fucking it up a
    bit should be the least of your worries.

    > FOR EG; both McAfee and
    > Symantec allow every already on your computer 'trusted' status...from
    > spyware, datamining phonehome-ware to mal-ware. Worse, you can't
    > unselect many of them either. At least ZA allows manual reconfiguration


    What about using Windows' security features? Now this allows you to define
    security domains and, in contrast to the addon nonsense, can actually
    enforce this policy.

    >> Get the patches installed before you go online. Or at least get the
    >> vulnerable services deactivated. Or activate the TCP/IP filtering or RAS
    >> firewall.

    >
    > I saw that applet. Would I enable filtering of TCP,UDP,IP and allow only
    > port 80 I/O, 110 In, 25 Out, 53 I/O [dns lookup]?


    Maybe you may want to read the documentation again. The TCP/IP filtering
    only applies to inbound traffic and already works stateful. Thus, you don't
    need to allow anything for TCP and UDP, and for IP you may just want 1,6
    and 17.

    > There is an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP
    >
    > This is exactly where I eventually disable something and can't recover.
    > All I want is HTTP browsing, email and newsreader...maybe file download.
    > Is that so hard to enable without losing DNS lookup, DHCP IP assignment
    > and connect ability?


    Normally not. Maybe you should really consider uninstalling FroneAlarm?
     
    Sebastian Gottschalk, Feb 5, 2007
    #10
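    The post above turns on which listeners are actually reachable from the wire (the 0.0.0.0 and interface-bound NetBIOS/SMB sockets on 137/138/139/445) versus those that are loopback-only and harmless to inbound filtering. As an added example, not code from this thread or from either participant, the Python script below parses the `netstat -an` column layout (Proto, Local Address, Foreign Address, State) and reports which listening sockets a remote host could reach and which of them are the file-sharing ports the thread is arguing about. The netstat output embedded in it is constructed to look like Windows 2000's, not a real capture, and the port descriptions are the standard service assignments.

```python
"""Classify Windows ``netstat -an`` output: which listeners are exposed on the wire.

Added example, not from the thread. SAMPLE_NETSTAT below is constructed to
resemble Windows 2000's ``netstat -an`` layout; it is not a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional

# File/print sharing ports discussed in the thread (standard assignments).
NETBIOS_SMB_PORTS = {
    137: "NetBIOS name service (UDP)",
    138: "NetBIOS datagram service (UDP)",
    139: "NetBIOS session service / SMB over NetBIOS (TCP)",
    445: "SMB directly over TCP/UDP",
}

# Constructed sample. Columns: Proto, Local Address, Foreign Address, State.
# UDP rows have no State column, as in real netstat output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1047      72.14.207.99:80        ESTABLISHED
  TCP    192.168.1.10:1048      72.14.207.99:443       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:1026         *:*
"""


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: Optional[str]  # None for UDP rows

    def listening(self) -> bool:
        # UDP carries no state; a bound UDP socket will accept datagrams.
        return self.proto == "UDP" or self.state == "LISTENING"

    def reachable_from_wire(self) -> bool:
        """True if a host on an attached network could reach this socket."""
        return self.listening() and self.local_ip != "127.0.0.1"


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat -an text into Socket records, skipping header lines."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else None
        sockets.append(Socket(parts[0], ip, int(port), parts[2], state))
    return sockets


def exposed_netbios_smb(sockets: List[Socket]) -> List[Socket]:
    """Listeners on 137/138/139/445 that are not loopback-only."""
    return [s for s in sockets
            if s.reachable_from_wire() and s.local_port in NETBIOS_SMB_PORTS]


def explain(sock: Socket) -> str:
    """One-line interpretation of the local address a socket is bound to."""
    if sock.local_ip == "0.0.0.0":
        scope = "bound to all interfaces (0.0.0.0), reachable from any attached network"
    elif sock.local_ip == "127.0.0.1":
        scope = "loopback only (127.0.0.1), not reachable from the wire"
    else:
        scope = f"bound to one interface address ({sock.local_ip})"
    svc = NETBIOS_SMB_PORTS.get(sock.local_port)
    return f"{sock.proto} port {sock.local_port}: {scope}" + (f"; {svc}" if svc else "")


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in socks:
        if s.listening():
            print(explain(s))
    print("\nNetBIOS/SMB listeners a remote host could reach:")
    for s in exposed_netbios_smb(socks):
        print("  " + explain(s))
```

    Run it against real output with `netstat -an > netstat.txt` and feed the file to `parse_netstat`; anything `exposed_netbios_smb` returns is what disabling NetBIOS over TCP/IP or the inbound TCP/IP filter is meant to take off the wire, while the loopback-only rows need no such treatment.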
  11. warf

    warf Guest

    Re: Clarification-Win2k Netstat sockets interpretation

    Sebastian Gottschalk wrote:
    > warf wrote:

    Hi Sebastian...through all the chatter I have lost the intent of your
    initial suggestion to use the De script to secure/disable my remote
    access. Are you definitively saying "it is safe and contains no
    uninvited actions"?

    snip..
    > And I can't wait for an RFC for "remote-stabbing over TCP/IP"...


    I just realized; if we all had to sit on wet seats holding a wire
    connected to line voltage and an ethernet enabled switch so that any
    malicious code or commands sent from your computer would shock the shit
    out of the sender ...
    Remote Stabbing is pretty funny though...unless your loopback adapter
    misdirects the command->home.

    snip
    >> So I take my saved SP4
    >> upgrade I got before M$ made us pull pur pants down and take a shot of
    >> code to make sure we own the OS install.

    >
    > Huh?


    Metaphor for 'drop my protection'.

    >
    >> BTW...I drop the defenses reluctantly and incrementally to enable manual
    >> update [upgrade] from M$ but still don't pass the 'wideopenvulnerable
    >> enough to allow your upgrade' test.

    >
    > Are you talking about Windows Automatic Updates or the Windows Update
    > website?


    You make a good point...I was unaware that they are now different.
    Before [goodol'days] I could manually download every security update and
    servicepack from MS.com but now...they send you a bit of Cop-code that
    fails to run unless ALL defences are down [hence,the allusion to pants down]

    snip...
    >> I'm just making a point; I dislike all the tracking of everything I
    >> type,save,see,use,start,stop,plugin etc,

    >
    > Even if this is just supposed to assist you?


    I would have considered the original intent of cookies to be patently
    'assistive'... but those days are long gone. I don't for a second
    consider datamining 'assistive'. They have evolved significantly.
    Data is now so valuable companies are but a few steps behind the
    blackhats in implementing 'choice making software' that runs sans
    consent. Cookies are not software but the ability to trigger 'features'
    code is evolving rapidly....cookies are no longer benign. Supercookies
    ....well I am waiting to hear that justification. I don't need a law
    degree to know when I've been beaten up or robbed. I don't need a
    CompSci degree to know the Int-box is just the vehicle. Follow the money
    Sebastian, motive and means almost certainly lead to the perps.

    2 points about "assistance in choice": I like to make choices and not have
    them made for me, it muddies the waters of 'what's good for me'.
    Secondly, see 1st point.
    As the third of two points, trust has been broken so all websites are
    duly bound to establish trust...And since I decide when to trust, I need
    to be highly convinced.

    Speaking of convincing, Are you sure the script from ntsvcfg is benign
    in addition to being useful?

    snip...
    >> Scripted cookies are certainly capable of doing malicious things,

    >
    > So? What specifically?


    reset browser features and security levels for one. Grab whatever data
    the browser is designed [or inadvertently designed to] hand over or allow.
    I defer to your knowledge FTSoA. I am still suspicious of unstated
    assistance though.

    >> as I read, AND, every problem [not of my own doing by
    >> disabling useful services] has occurred while temporarily enabling Java
    >> /Java-Scripting or 'mobile code' to accomplish a download or a device
    >> configuration.

    >
    > Interesting. Could it be that your Java VM and/or your webbrowser is
    > totally outdated?


    No. Latest Dec 19-06 download of firefox and t-bird. Windoz updates
    reluctantly on Auto[permission] to install required.
    Speaking of...Windows claims to be unable to deliver me security updates
    from the website [~ms.com] and asks for full trusted status
    scripting,cookies,etc activated and sends me the 'validation' exe that
    fails to run [or did it,was it "assisting me" in some other
    unstated way"??? BUT, auto updates bypass all security and permissions as
    long as the required services are running. So...who owns my computer?

    >
    >> I get security levels reset, host file manipulated etc...

    >
    > WTF? A non-admin user doesn't even have write access to the HOSTS file.


    vide supra
    I realize I am in gray water when trying to limit permissions and
    still allow software mods,registry cleaning etc..
    I no doubt have vulnerabilities ..... I came here seeking help not
    claiming authority.
    I do know something of human nature though and needn't be an expert in
    all fields to spot funkiness in areas of limited authority.

    For all the banter,I am still at your mercy and seeking assistance.
    The rest is entertainment and long distance connection...Or, am I
    responding to a BOT? Has AI finally made the leap?
    You had me going HAL.

    >
    >> I doubt you are didactically 'out of date' on mal-techniques datamining
    >> and exploits, so what are you getting at?

    >
    > You should learn to distinguish between non-identifying information,
    > computer-identifying information and personal information, as well as who
    > can read it under which circumstances.


    You are absolutely correct there HAL, er ah, Sebastian. Unfortunately,
    the trust has been abused by so many marketers that until I learn enough
    about how to distinguish I will be handicapped.

    >
    > About exploits: The official statistics tell that Mozilla Firefox, if
    > always kept up-to-date, was at best vulnerable for 34 days for a
    > non-critical problem. Which could already have been worked around by
    > pro-active configuration.


    True...but I am talking about my INsecurity at an even more basic level;
    that of which options to disallow and which services to disable and ...
    I have come to accept that a determined and clever hacker will always
    have his/her way with my box....that didn't come out right!

    ....
    > A script is a script is a series of commands that you can read in
    > cleartext. You can easily read how the script determines the Windows
    > version, configures the services and adds registry entries.


    ok, I'll give it a go.

    ....
    > I pity you. Mandrake is about the second-worst to start off.


    You could probably pity me for more substantial reasons...like my need
    to inject humor to gain acceptance, and my unfortunate physical
    features, and...

    >> ZA alerts me to ALLOW/DISALLOW every instance of a program,
    >> module or process before it makes a registry change.

    >
    > If you're still running ZoneAlarm, you shouldn't wonder about anything
    > going wrong in your system. The registry functions filter fucking it up a
    > bit should be your least worries.


    Can you give me a "F'r instance"?
    Why are you so averse to ZA? Of all the commercial FWs it at least
    allowed me a modicum of insight into what passes twixt my puty and the
    wire. Were it not for that I [most non-experts] would have no idea of
    how much undisclosed persons want our data and how much mischief is on
    the superhighway.
    This much I will admit, now that I see figures like 605,000 instances
    reported of but a single mal-port seek in a month[day?] ...network
    admins must be sick of the "ZA just notified me of a blocked attack..."
    and I know from my ISP that even they don't get any response from other
    ISPs to shutdown mal~ and attack sites.
    So, at least I have progressed to 'empathy' for you.

    >
    > What about using Windows' security features? Now this allows you to define
    > security domains and, in contrast to the addon nonsense, can actually
    > enforce this policy.


    BINGO! That is what I really really wanted to learn from you...how do I
    shut down non-essential services in W2k [or XP] and change permissions
    to harden and control what leaves and enters my computer?

    The rest is entertaining and I hope you enjoy it as much as I and don't
    feel the need to light up after a reply...[that damned injection again!]

    Seriously, my attempts have led to 'failure to connect', 'failure to
    launch', failure to fail... and even with all the reading I have been
    doing I suspect many admins seek the same thing ...else there would be
    no NG dedicated to this.


    >....
    >> There is an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP


    that still perplexes me...
    Thanks for the assistance thus far Sebastian.
    Warf.
     
    warf, Feb 5, 2007
    #11
  12. Re: Clarification-Win2k Netstat sockets interpretation

    warf wrote:

    > "it is safe and contains no uninvited actions?


    This holds at least for the recent version I downloaded. Well, why don't
    you read the source to actually see what it's doing?

    >> And I can't wait for an RFC for "remote-stabbing over TCP/IP"...

    >
    > I just realized; if we all had to sit on wet seats holding a wire
    > connected to line voltage and an ethernet enabled switch so that any
    > malicious code or commands sent
    > from your computer would shock the shit out of the sender ...
    > Remote Stabbing is pretty funny though...unless your loopback adapter
    > misdirects the command->home.


    That brings an entirely new application to Power-over-Ethernet. :-D

    >> Are you talking about Windows Automatic Updates or the Windows Update
    >> website?

    >
    > You make a good point...I was unaware that they are now different.
    > Before [goodol'days] I could manually download every security update and
    > servicepack from MS.com but now...they send you a bit of Cop-code that
    > fails to run unless ALL defences are down [hence,the allusion to pants down]


    Now you're getting even more confusing. Every update can be downloaded from
    https://downloads.microsoft.com as well, with any webbrowser. Windows
    Update is an IE-only "website" that checks your installed updates against a
    database and offers the missing ones, either for download-install-throwaway
    or permanent download. And Windows Automatic Updates does the same, just
    fully automatically and without IE involved.

    >>> I'm just making a point; I dislike all the tracking of everything I
    >>> type,save,see,use,start,stop,plugin etc,

    >>
    >> Even if this is just supposed to assist you?

    >
    > I would have considered the original intent of cookies to be patently
    > 'assistive'... but those days are long gone.


    So, now they're just useless and still not tracking. Wait, they're not
    useless, since you can intentionally allow to save credentials.

    > A the third of two points, trust has been broken so all websites are
    > duly bound to establish trust...And since I decide when to trust, I need
    > to be highly convinced.


    Cookies don't have anything to do with trust.

    > Speaking of convincing, Are you sure the script from ntsvcfg is benign
    > in addition to being useful?


    Yes. I read the code and understood it.


    >>> Scripted cookies are certainly capable of doing malicious things,

    >>
    >> So? What specifically?

    >
    > reset browser features and security levels for one.


    Impossible for cookies and/or scripts.

    > Grab whatever data the browser is designed [or inadvertently designed to]
    > hand over or allow.


    Which aren't identifying data. Anyway, you can limit this behaviour if you
    don't like it.

    > (WGA validation tool)
    > [or did it,was it "assisting me" in some other unstated way"???


    Was it the GenuineCheck.exe or WGAPluginInstall.exe?

    > BUT, auto updates bypass all security and permissions as
    > long as the required services are running. So...who owns my computer?


    In case of doubt: Microsoft ;-D


    > Why are you so averse to ZA?


    Because it's totally broken? It's just the users who have a problem with
    accepting that fact, and usually just after they finally uninstalled it
    they're going to believe that it's actually totally broken.

    > of all the commercial FWs it at least
    > allowed me a modicum of insight into what passes twixt my puty and the
    > wire.


    So does Ethereal. Without installing any crap.

    > Were it not for that I [most non-experts] would have no idea of
    > how much undisclosed persons want our data and how much mischief is on
    > the superhiway.


    I rather prefer making sure that no such data transfer happens in first
    place. Anything else wouldn't work anyway.

    >> What about using Windows' security features? Now this allows you to define
    >> security domains and, in contrast to the addon nonsense, can actually
    >> enforce this policy.

    >
    > BINGO! That is what I really really wanted to learn from you...how do I
    > shut down non-essential services in W2k [or XP]


    See the script.

    > and change permissions to harden


    Trivial: create a "Restricted User" account.

    > and control what leaves and enters my computer?


    You can't. For the simple reason that malicious programs can communicate
    with legitimate programs.
     
    Sebastian Gottschalk, Feb 5, 2007
    #12
  13. warf

    warf Guest

    Re: Clarification-Win2k Netstat sockets interpretation

    Sebastian Gottschalk wrote:
    > warf wrote:

    ....
    >>> Are you talking about Windows Automatic Updates or the Windows Update
    >>> website?

    >> You make a good point...I was unaware that they are now different.
    >> Before [goodol'days] I could manually download every security update and
    >> servicepack from MS.com but now...they send you a bit of Cop-code that
    >> fails to run unless ALL defences are down [hence,the allusion to pants down]

    >
    > Now you're getting even more confusing. Every update can be downloaded from
    > https://downloads.microsoft.com as well, with any webbrowser. Windows
    > Update is an IE-only "website" that checks your installed updates against a
    > database and offers the missing ones, either for download-install-throwaway
    > or permanent download. And Windows Automatic Updates does the same, just
    > fully automatically and without IE involved.


    Ok, I certainly did not know that...all the advice I have ever read
    indicates IE/OE should be ditched; so I make FF and TB my browser and
    popmail apps. I have only had warnings that my security settings
    prevented the updates or SW downloads directly never "IE is not your
    default browser". Recall, the verification utility fails to work after
    downloading and running it. must read more.


    > Which aren't identifying data. Anyway, you can limit this behaviour if you
    > don't like it.


    k'. I don't, and I do. Just making the point again.

    >> (WGA validation tool)
    >> [or did it,was it "assisting me" in some other unstated way"???

    >
    > Was it the GenuineCheck.exe or WGAPluginInstall.exe?


    Genuinecheck.exe 1.40 MB (1,475,376 bytes)

    >
    >> BUT, auto updates bypass all security and permissions as
    >> long as the required services are running. So...who owns my computer?

    >
    > In case of doubt: Microsoft ;-D


    I relent.

    >
    >> Why are you so averse to ZA?

    >
    > Because it's totally broken? It's just the users who have a problem with
    > accepting that fact, and usually just after they finally uninstalled it
    > they're going to believe that it's actually totally broken.
    >
    >> of all the commercial FWs it at least
    >> allowed me a modicum of insight into what passes twixt my puty and the
    >> wire.

    >
    > So does Ethereal. Without installing any crap.

    .....

    again, k'....I guess??? the specifics of the crap still escapes me though.

    >
    >> and change permissions to harden

    >
    > Trivial: create a "Restricted User" account.


    B' b' but...OK...this approach isn't working, I'll learn what I can
    about 'that' approach.
    Hey, what about Thinstalls jitit ? the nifty little registry utility
    that can be surreptitiously installed on your puter even on a locked
    desktop? Read about how the CIA bought in so they could remotely access
    everybody's 'locked-down' computers at work or home.
    If it is now public knowledge you can be certain it is being utilized by
    many other 'ilk'.
    http://www.thinstall.com/

    what hope is there?
    Seriously though, I will run the script and watch traffic for a
    while....we live next to the highway. [can't stay serious]
    Thanks for your insight Seb~
    warf.


    >> and control what leaves and enters my computer?

    >
    > You can't. For the simple reason that malicious programs can communicate
    > with legitimate programs.
     
    warf, Feb 5, 2007
    #13
  14. Re: Clarification-Win2k Netstat sockets interpretation

    warf wrote:

    > Ok, I certainly did not know that...all the advice I have ever read
    > indicates IE/OE should be ditched; so I make FF and TB my browser and
    > popmail apps. I have only had warnings that my security settings
    > prevented the updates or SW downloads directly never "IE is not your
    > default browser". Recall, the verification utility fails to work after
    > downloading and running it. must read more.


    For Firefox/Mozilla, there's a plugin available that does WGA. If you're
    lucky and Microsoft didn't **** it up again, it should be offered for
    download at any WGA-demanding download.

    >>> (WGA validation tool)
    >>> [or did it,was it "assisting me" in some other unstatedway"???

    >>
    >> Was is the GenuineCheck.exe or WGAPluginInstall.exe?

    >
    > Genuinecheck.exe 1.40 MB (1,475,376 bytes)


    Indeed, GenuineCheck.exe is a strange beast. It works in the background for
    a long time until it displays the hash (if it could get one).

    >> So does Ethereal. Without installing any crap.

    > ....
    >
    > again, k'....I guess??? the specifics of the crap still escapes me though.


    Which is something you can't change either.

    > Hey, what about Thinstalls jitit ? the nifty little registry utility
    > that can be surreptitiously installed on your puter even on a locked
    > desktop?


    Using restricted rights only limits what the user can do to other users on
    the system and the system itself. Within his context, he's still free. If a
    program doesn't demand changing the system for its installation or doesn't
    need any installation at all, it can run.

    If you want to avoid running any program, you might remove the "execute
    program" rights from your user intentionally. And take a look at Software
    Restriction Policies in Windows XP, which enforces such policies against
    the users themselves.

    > what hope is there?


    Eh... none? Once you run malware, you're hosed.
     
    Sebastian Gottschalk, Feb 5, 2007
    #14