Okay, doing it.
Windows Firewall was turned "off". I had been using Norton Internet Security and its inherent firewall. Is Norton's flawed?
In any event, here are the exceptions:
Four exceptions for "file and printer sharing", all of which are limited in scope to my subnet. I think I installed these for gaming with my son (I just haven't done that in months).
One Remote assistance program -- I don't recall it, but maybe it was installed way back when my computer was last reformatted (about a year ago, IIRC). The program is "c:\windows\system32\sessmgr.exe".
Looking at the Norton Personal Firewall, it is set to a custom level. It is allowing the following unfamiliar programs:
Gamedrvr.exe
GTEK AOL on Desktop
Two instances of Microsoft Application Error Reporting
Two instances of Microsoft Generic Host Process for Win32 Services (the error messages come up on these programs!)
Two instances of Microsoft help & support center
Microsoft DOS FTP (I always use WinFTP myself)
Microsoft Help Center Hosting Server
Microsoft HTML Application Host
point32.exe
rundll32.exe
WildTangent application
WildTangent AIM WD Installer
I'm guessing that the WildTangent issues are part of the problem. I also noticed that many of the programs (like Outlook, Corel WordPerfect (yes, I am a dinosaur) and others) appeared 2-5 times on the list.
My Internet Explorer security levels were all "custom." Here are the Internet settings:
.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED
ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- DISABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- ENABLED
Download unsigned ActiveX controls -- PROMPT
Initialize and script ActiveX controls not marked as safe -- PROMPT
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED
Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED
Java VM:
Java Permissions -- LOW SAFETY
Miscellaneous:
Access data sources across domains -- ENABLED
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- DISABLED
Allow script-initiated windows without size or position constraints -- DISABLED
Allow Web pages to use restricted protocols for active content -- PROMPT
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists -- ENABLED
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- ENABLED
Launching programs and files in an IFRAME -- ENABLED
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- LOW SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- ENABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- ENABLED
Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED
User Authentication: Logon:
Automatic logon with current username and password
Now for the Local Intranet settings:
.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED
ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- ENABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- PROMPT
Download unsigned ActiveX controls -- DISABLED
Initialize and script ActiveX controls not marked as safe -- DISABLED
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED
Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED
Java VM:
Java Permissions -- MEDIUM SAFETY
Miscellaneous:
Access data sources across domains -- PROMPT
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- ENABLED
Allow script-initiated windows without size or position constraints -- ENABLED
Allow Web pages to use restricted protocols for active content -- PROMPT
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists -- ENABLED
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- PROMPT
Launching programs and files in an IFRAME -- PROMPT
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- MEDIUM SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- DISABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- ENABLED
Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED
User Authentication: Logon:
Automatic logon only in Intranet zone
Now the Custom Sites:
.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED
ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- ENABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- ENABLED
Download unsigned ActiveX controls -- PROMPT
Initialize and script ActiveX controls not marked as safe -- PROMPT
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED
Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED
Java VM:
Java Permissions -- LOW SAFETY
Miscellaneous:
Access data sources across domains -- ENABLED
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- ENABLED
Allow script-initiated windows without size or position constraints -- ENABLED
Allow Web pages to use restricted protocols for active content -- ENABLED
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists -- PROMPT
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- ENABLED
Launching programs and files in an IFRAME -- ENABLED
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- LOW SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- DISABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- PROMPT
Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED
User Authentication: Logon:
Automatic logon with current username and password
Finally, here are the Restricted Sites:
.NET Framework-reliant components:
Run components not signed with Authenticode -- DISABLED
Run components signed with Authenticode -- DISABLED
ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- DISABLED
Binary and Script Behaviors -- DISABLED
Download signed ActiveX controls -- DISABLED
Download unsigned ActiveX controls -- DISABLED
Initialize and script ActiveX controls not marked as safe -- DISABLED
Run ActiveX controls and plug-ins -- DISABLED
Script ActiveX controls marked safe for scripting -- DISABLED
Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- DISABLED
Font download -- PROMPT
Java VM:
Java Permissions -- DISABLE JAVA
Miscellaneous:
Access data sources across domains -- DISABLED
Allow META REFRESH -- DISABLED
Allow scripting of Internet Explorer Webbrowser control -- DISABLED
Allow script-initiated windows without size or position constraints -- DISABLED
Allow Web pages to use restricted protocols for active content -- DISABLED
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists -- DISABLED
Drag and drop or copy and paste files -- DISABLED
Installation of desktop items -- DISABLED
Launching programs and files in an IFRAME -- DISABLED
Navigate subframes across different domains -- DISABLED
Open files based on content, not file extension -- DISABLED
Software channel permissions -- HIGH SAFETY
Submit non-encrypted form data -- PROMPT
Use Pop-up Blocker -- ENABLED
Userdata persistence -- DISABLED
Web sites in less privileged web content zone can navigate into this zone -- DISABLED
Scripting:
Active Scripting -- DISABLED
Allow paste operations via script -- DISABLED
Scripting of Java applets -- DISABLED
User Authentication: Logon:
Prompt for username and password
I also use Mozilla Firefox -- I checked the security settings and they appear okay (all three SSL security boxes are checked). Do you need more info?
Finally, I'm ready to run FxBlast.exe. I'm at the office, so I don't have connectivity on my personal laptop. For good measure, though, I popped the Linksys card -- and the machine died.
That's never happened before. Odd.
Okay, rebooted without the laptop wireless card plugged in. Interestingly, I got no error messages this time. Perhaps the malware determines whether it has internet access before attempting to do its thing?
Now to run FxBlast.exe.
It didn't find anything.
After looking at the "permissions" in my Norton Firewall, I took a gander at my program directories. I do not have AOL, but it is on there. I have not downloaded AIM, but it is on there. Weatherbug (which I have NEVER used on this computer) is on there. Something called Msnmusic is on there (never heard of that); Netmeeting is on there -- dated last week (I didn't install it); and a new folder called "xerox" with a subfolder titled "nwwia" that I am not able to delete (WinXP says it is in use by another person or program). It is also a hidden file.
Okay -- now I reinserted the Linksys card and rebooted. I am still getting the error messages. This does not appear to have worked.
Sigh.
Edited by MrSpkr, 23 August 2005 - 12:56 PM.