Zombie spamming from my PC, Symantec/Spybot, nothing detects it!

I visited a web page, my AVG scanner told me about a virus, but did not allow me to delete, heal or move to vault, so I had to close the virus warning window, result being infection (I suppose shutting down power would have been better).

Some sort of a spammer software has been installed. My AVG mail scanner detects it, it's likely using its own SMTP engine and AVG detects the port usage.

I've tried "everything", but nothing works, nothing detects it. Other trojans and viruses that came on to the PC have been removed, but there's obviously something that's not being detected. It appears that shutting down the SVCHost local service temporarily stops it, but svchost starts again by itself.

Tried: AVG, Symantec online scan (no detection), Housecall, Bit Defender, Antitrojan A2, Giant, Spybot, Spy Doctor, Spyhunter.

I suppose I have to just format my hard drive? And perhaps installing Symantec is the only way to prevent this in the future, though Symantec has not detected anything.

Jan Olsen

Are you using Windows XP Service Pack 2 (that is my OS)?

Recently Norton/Symantec packages gave me big problems. I couldn't do any Windows Update from Microsoft anymore. I had to disable them. After I disabled them, I couldn't go to any secure sites (https://...) anymore; I could only go to non-secure sites (http://...). So I had to uninstall them all. After I uninstalled the Norton/Symantec packages, everything works fine! Now I use McAfee virus scan instead.

RC

Something you messed up or didn't set right, 'cause I have Norton Internet Security 2005 and Windows XP SP2 and all is great.

Joe

His ISP doesn't give a damn or else they would have cut him off by now due to the complaints. ;-)

Jim Higgins

I have some exceptions when I'm running Windows Firewall. But I have to disable the Windows firewall when I connect to my office with Cisco's VPN (Virtual Private Network) client. If the Windows firewall is on, then my VPN client will fail to connect. That is the remaining problem I haven't solved yet.

RC

That's like saying you only screw strangers without a condom for a few minutes a day. The instant you are without a firewall, you're vulnerable, and anything that exploited that will continue to be in your system once you turn the XP firewall back on. Yes, just a few minutes with a disabled firewall is enough.

Arthur Hagen

Which browser do you use? Internet Explorer?

Yes. That is the best and only safe thing to do. Else I would recommend consulting a local professional that cleans your PC. Most important, take your computer off the internet. You are starting to leave a trail in blacklists:

formatting link
Your ISP won't be glad about that...

As you can see, Symantec does not help either.
a) Don't use a browser that is insecure and has known security bugs. Switch to a different browser.
b) Keep your system updated with current Windows updates to fix at least all those bugs where patches are available.
c) Don't browse to weird web pages. What are you doing there anyway? You don't walk into an unsafe neighborhood either, do you? If you do you have to expect to be mugged...

Gerald

Gerald Vogt

Not entirely true, I'm afraid. There's some exploits that attack the TCP/IP stack itself, as well as some services that always run.

Regards,

Arthur Hagen

But I hope very much that you have the Windows Firewall running with no exceptions?

Gerald

Gerald Vogt

None, because the false assumption that you need to send a packet to *some* interface is yours, and not mine.

Arthur Hagen

What exceptions? Do you connect directly to the internet or do you have a hardware router/firewall in between?

That should not happen and is most likely due to a misconfigured VPN client. The SP2 firewall can create a log of packets dropped. You should turn that on, then use the VPN client and go through the log afterwards to see what the SP2 firewall actually did. This should give you some pointers to what caused the problems and where to look for a solution. Your system administrator should be able to help you with the proper configuration if you can point him to your problem. My Cisco VPN Client works fine with the SP2 firewall turned on and a hardware firewall/router in between.

Gerald

Gerald Vogt
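
The log review suggested in the post above, as an added example that is not part of the original thread: it reads a Windows Firewall dropped-packet log and counts DROP entries by protocol, source address and destination port, so a blocked VPN handshake (such as the UDP 500 traffic mentioned elsewhere in this thread) stands out from unrelated noise. The log text is constructed, the addresses are documentation ranges, and the parser assumes the log carries a `#Fields:` header naming its columns.

```python
from collections import Counter

# Constructed sample in the layout Windows Firewall writes to its log file.
# Addresses are documentation ranges; 203.0.113.10 stands in for a VPN gateway.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-06-01 09:14:02 OPEN UDP 192.168.1.20 203.0.113.10 500 500 - - - - - - - - -
2005-06-01 09:14:03 DROP UDP 203.0.113.10 192.168.1.20 500 500 112 - - - - - - - RECEIVE
2005-06-01 09:14:08 DROP UDP 203.0.113.10 192.168.1.20 500 500 112 - - - - - - - RECEIVE
2005-06-01 09:14:18 DROP UDP 203.0.113.10 192.168.1.20 500 500 112 - - - - - - - RECEIVE
2005-06-01 09:15:40 DROP TCP 198.51.100.7 192.168.1.20 4312 445 48 S 1234567 0 16384 - - - RECEIVE
2005-06-01 09:16:
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def summarize_drops(rows):
    """Count DROP entries per (protocol, source IP, destination port), most frequent first."""
    drops = Counter(
        (r["protocol"], r["src-ip"], r["dst-port"])
        for r in rows
        if r["action"] == "DROP"
    )
    return drops.most_common()


if __name__ == "__main__":
    for (proto, src, dport), count in summarize_drops(parse_firewall_log(SAMPLE_LOG)):
        print(f"{count:3d} dropped  {proto:4s} from {src:15s} to local port {dport}")
```

Repeated drops from the VPN peer right after an outbound OPEN to the same address point at the replies being blocked, while the single TCP 445 drop from an unrelated address is the kind of traffic the firewall is there to stop.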

*Again* you're making an assumption that I never made, in that the packet has to reach a listening service on a different interface. That's not true -- if that's the only scenario you can think of, your vision is limited.

Why are we not talking about that? You're changing the rules of the game, and I ain't playing.

Arthur Hagen

That is not completely correct: the instant you are without a firewall, you are only vulnerable if your Windows is not properly configured not to offer services to the internet interface. If it does not, it is not vulnerable.

Gerald

Gerald Vogt

It can always attack the stack. That's correct. But I am not aware of an exploit that actually manages to attack an IP stack and convince it to send a packet to a service that listens on a different interface (i.e. not the interface to the internet). Which one do you have in mind?

Gerald

Gerald Vogt

Just name the exploit. That is all I want to know. An exploit that attacks a _closed_ port (i.e. no one is listening there) and exploits by the means of the first attack a service that is running on a different interface (i.e. with a different IP address and in particular the localhost interface) on the same port number or a different one. (We are not talking about potential flaws in the IP stack which are there regardless of any service.)

Gerald

Gerald Vogt

The advice to just open a port in your firewall as first advice without really knowing the scenario is IMHO no good advice. Only because the firewall does block something does not mean that it is not working correctly. Most of the time, it is a misconfiguration of your application. So I would really rather recommend to find out what causes the problem instead of a quick fix.

Gerald

Gerald Vogt

Allow inbound UDP on port 500 from your target IP and it should work.

E.

E.

Again, you are not describing a possible exploit nor telling the name of an existing one. It does not help that you claim that I cannot think of another scenario while you just refuse to describe it. If you can think of something else, just describe it.

No, I am not. You are changing the rules that you yourself set before. You wrote: "The instant you are without a firewall, you're vulnerable,". We are talking about vulnerabilities that are related to whether or not the firewall is running.

We are _not_ talking about vulnerabilities that may be there but are independent from this. If the IP stack is vulnerable then the firewall does not matter. The problem of IP stack attacks has nothing to do with firewall related issues. Your vision is limited if you can only see both mingled and do not understand that they are conceptually different and thus are discussed differently. And anyway, you started this discussion with your hypothesis that if you are without a firewall you are vulnerable. IP stack issues are not the subject. You added them when I pointed out that this hypothesis is obviously not correct. You wrote "There's some exploits that attack the TCP/IP stack itself, as well as some services that always run." and you don't tell which one it is. It needs an exploit that attacks the TCP/IP stack and then exploits a service. Again, no mentioning of yours about exploiting a vulnerability of the stack but just writing "attack" which is something different than exploit.

Last but not least you write "None, because the false assumption that you need to send a packet to *some* interface is yours, and not mine." changing completely the subject as we don't seem to talk about network related attacks or exploits anymore. We were talking about networks and firewalls in particular. In this discussion, bugs in Outlook Express when rendering an email are irrelevant because they are again completely independent from the original discussion. And as we are talking about networks your statement just does not make any sense, because at the end of the network cable there is an interface. If not, it is an open end and that is really useless...

So why do you not just keep to the subject? To me it seems as if you are talking about something completely different each time you write, taking into consideration things that we are not talking about and which you don't even specifically mention. This way, no argument is possible because there is always somewhere else something different which you may have in mind but you don't even bother writing it specifically and instead just expect other people to guess whatever on earth you are talking about.

So, unless you get more specific and describe exactly what you are talking about and how it is related with the original subject exactly (not just "it's an exploit" or "it's software") I don't see any reason to continue this discussion because of lack of suitable argument on your side.

Gerald

Gerald Vogt

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.