
The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=119440
27 messages

Tech: Alert! Notice

16 Mar 09 - 03:22 PM (#2590321)
Subject: Tech: Alert! Notice
From: bobad

I have been getting these Alert! notices popping up on my screen on occasion and haven't given them much notice, just click the OK option and off they go. I am now a bit curious about them. Is someone trying to access my computer and is being stopped by my firewall? The alert appears generic, ie. not identified as being from any of my utilities. The sites identified on the alert usually appear to be government or .edu sites. Here are a couple of examples:

www.rkb.mipt.org:443 uses an invalid security certificate.

The certificate is only valid for www.rkb.us

(Error code: ssl_error_bad_cert_domain)


Anyone have an idea on this?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

secureapp2.hqda.pentagon.mil:443 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)


16 Mar 09 - 03:29 PM (#2590329)
Subject: RE: Tech: Alert! Notice
From: Amos

Internet Explorer is using a security method of checking certificates for sites your machine is trying to access. Why it is trying to access them may be because of a piece of malware, adware, spyware or just some java code embedded in a site you visit intentionally.

My two bits.


A


16 Mar 09 - 03:57 PM (#2590362)
Subject: RE: Tech: Alert! Notice
From: bobad

I use Firefox and it pops up at no specific site, even Mudcat. I have never tried to access any of those sites. I have run a bunch of malware, adware, AV utilities and the only thing I see comes up only with Kaspersky: "not-a-virus:AdWare.Win32.Gator.3202" which, from what I can find out, is not yet removable. It resides in a program that came with my machine and isn't installed. The program is "DivX Pro 5.0.3 (without spyware - cracked full version).exe" If I get rid of this program will that get rid of the Ad-Ware?


16 Mar 09 - 04:08 PM (#2590372)
Subject: RE: Tech: Alert! Notice
From: Bill D

It may just be that the 'security certificate' the site offers is not up to the standards your browser is requesting. This is a real can of worms...trying to learn what 'security level' is appropriate.

www.rkb.mipt.org didn't cause any alarms in my Opera browser.


16 Mar 09 - 04:33 PM (#2590400)
Subject: RE: Tech: Alert! Notice
From: bobad

I notice one of the sites is the pentagon. Is it possible that someone is somehow trying to access the pentagon through my computer, and if so how would this be done and how can I find out?


16 Mar 09 - 04:35 PM (#2590405)
Subject: RE: Tech: Alert! Notice
From: Stilly River Sage

Get AVG (free will do), install it, and set it up to scan incoming AND outgoing email. It looks for mail like that. Also get something like Spybot or Kerio that look to see what your computer is trying to send.

SRS


16 Mar 09 - 04:39 PM (#2590408)
Subject: RE: Tech: Alert! Notice
From: bobad

"Get AVG (free will do), install it, and set it up to scan incoming AND outgoing email."

Got that and it is not mail I'm talking about, the alerts pop up any time the computer is on.

Also have Spybot.


16 Mar 09 - 05:15 PM (#2590445)
Subject: RE: Tech: Alert! Notice
From: Nick

I would be very tempted to go to somewhere like Spybot forums and post a HijackThis file - or rather follow the suggestions there.

My son managed to install a root kit on my machine some while back by clicking on something or other and my machine was merrily working away and sending stuff all round the internet without me controlling it. I had a firewall; anti spyware stuff; anti virus etc etc all of little use! The person who helped me there was wonderful. There are all sorts of useful tools out there to help (like combofix - Malwarebytes - all sorts of others) but it's probably good to get someone who knows what they are doing to point you in a good direction.


16 Mar 09 - 05:27 PM (#2590458)
Subject: RE: Tech: Alert! Notice
From: Bruce MacNeill

The fact that the urls end in :443 means that your computer is trying to make a secure connection to the site rather than the standard port 80 connection for HTTP. If you're not trying to access the pentagon or these other sites, then yes you probably have a worm of some kind that Kaspersky can't spot. The fact that Gator is mentioned means that you do have spyware, well particularly obnoxious adware on your machine. My last job, prior to retirement was developing cleaner programs for this sort of thing but I had to leave the tools at my place of employment. With updates, Spybot is generally pretty good at spotting this junk although it may not be able to get rid of it. Spybot runs clean? That's strange. How successful you might be at cleaning the junk depends upon how much of a geek you are. A good place to start is with www.sysinternals.com where there is a process viewer that displays what's linked into what and if you can recognize what doesn't belong, gives you a chance to stop and delete the offending DLLs thereby crippling the virus and giving you a better chance to remove it. Unfortunately, virus writers are aware of Sysinternals' stuff and may filter their results. Then you have to get into tricks like renaming their program to some other name and running it to see if the results are different than when it is run with its normal name. If you're not a real geek, you need one.


18 Mar 09 - 01:24 PM (#2591886)
Subject: RE: Tech: Alert! Notice
From: bobad

refresh


18 Mar 09 - 01:51 PM (#2591904)
Subject: RE: Tech: Alert! Notice
From: bobad

Bruce, thanks for your input. I downloaded the Process Monitor from Sysinternals but am not sure what I should be looking for, maybe you can give me an idea about that.

I also downloaded and ran their Rootkit Revealer and it flagged a couple of embedded nulls (whatever that is) in the registry. I then downloaded the RegDelNull tool to remove them but am not clear on how to use it, here are the instructions, perhaps someone can tell me how to apply them:

Using RegDelNull
Usage: regdelnull [-s]

-s Recurse into subkeys.

Thanks.


18 Mar 09 - 01:59 PM (#2591911)
Subject: RE: Tech: Alert! Notice
From: GUEST,johnross

Try running these programs: SpyZooka (spyzooka.com), Malwarebytes anti-malware (www.malwarebytes.org), and ComboFix (www.combofix.org). They're all effective at finding and killing malware, which is what it sounds like you've got.


18 Mar 09 - 03:09 PM (#2591984)
Subject: RE: Tech: Alert! Notice
From: bobad

Thanks johnross, I ran those utilities and everything looks clean but I will send the ComboFix log file to a forum just to make sure.

Just a caution, when I first went to the ComboFix site you gave I was redirected to a fake AV site called ComboFixtool.com and downloaded their program but it was caught by AVG during installation.

This site Bleeping Computer has a good guide and instructions on using ComboFix.


18 Mar 09 - 07:04 PM (#2592158)
Subject: RE: Tech: Alert! Notice
From: olddude

bobad
go to Microsoft's OneCare and let it give it a scan
this should get rid of it. it is absolutely some spyware on your machine

http://onecare.live.com/site/en-us/default.htm


18 Mar 09 - 07:24 PM (#2592177)
Subject: RE: Tech: Alert! Notice
From: Stilly River Sage

I realized when I said that about AVG that the problem probably didn't come and go via email, but the scan is the other part of the tool that is very good.

There are actually several very good free programs for this kind of thing, but you have to choose them one at a time, so if AVG doesn't help, look at the review sites and choose another. Use them one at a time--DON'T run these both installed at the same time. As a rule, competing programs don't play well together.

SRS


18 Mar 09 - 08:01 PM (#2592196)
Subject: RE: Tech: Alert! Notice
From: bobad

olddude, I tried the Microsoft One Care site and it gets hung up when downloading scanning tool files, I tried several times with the same result.


19 Mar 09 - 05:56 AM (#2592408)
Subject: RE: Tech: Alert! Notice
From: Simon G

This all started with a couple of alerts about SSL certificates.

One thing for sure is malware installed on your computer isn't going to generate alerts as that would, well, alert you to its presence. Malware is going to do its best to be completely invisible.

The alerts must have come from an application on your computer which has been directed to connect to these sites. Almost certainly this is a browser, but it could be anything that accesses the internet -- email, news reader, etc.

The most useful program from sysinternals.com is tcpview.

When they appear fire up tcpview and take a look and see what is connecting to the sites, of course the connection might have disappeared by then. If they have, try exiting your web browser -- Firefox -- do the alerts go with it? Open Task Manager and check that all the firefox processes are gone, kill any that remain, does the alert disappear?

If it is the browser, what site did you visit at the point the alerts appeared, add it to your list of sites never to visit.

A web page you load into your browser is perfectly entitled to load anything from anywhere on the internet, so it can have links to these sites.
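The check Simon G describes, working out which process owns the connections to the sites in the alerts, can be done with TCPView or with the built-in `netstat -ano` and `tasklist` commands on Windows. As an added example (not from the original post, not a Sysinternals tool), the Python below parses a constructed `netstat -ano` listing, keeps only established connections to remote port 443 and groups the remote hosts by owning process, using a constructed PID-to-image-name mapping standing in for `tasklist` output. The addresses and process names are sample data, not values from the thread.

```python
"""Attribute established TLS (port 443) connections to local processes.

Added illustration. SAMPLE_NETSTAT imitates the text layout of Windows
`netstat -ano`; SAMPLE_TASKLIST imitates the PID -> image name pairs that
`tasklist` reports. Both are constructed, not captured from a real machine.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     198.51.100.20:443      ESTABLISHED     3120
  TCP    192.168.1.10:49153     198.51.100.21:443      ESTABLISHED     3120
  TCP    192.168.1.10:49160     203.0.113.5:80         ESTABLISHED     3120
  TCP    192.168.1.10:49170     203.0.113.9:443        ESTABLISHED     4412
  TCP    [::1]:49180            [::1]:443              ESTABLISHED     4412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:500            *:*                                    1200
"""

# Constructed stand-in for `tasklist` output (PID -> image name).
SAMPLE_TASKLIST: Dict[int, str] = {3120: "firefox.exe", 4412: "unknown.exe", 900: "svchost.exe"}

# One TCP row: protocol, local endpoint, remote endpoint, state, PID.
# UDP rows have no state column and do not match, nor do header lines.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); rpartition keeps IPv6 '[::1]:443' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat text into a list of TCP connection records."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        rhost, rport = split_endpoint(remote)
        rows.append({"local": local, "remote_host": rhost, "remote_port": rport,
                     "state": state, "pid": int(pid)})
    return rows


def tls_connections_by_process(netstat_text: str, tasklist: Dict[int, str]) -> Dict[str, List[str]]:
    """Map each owning process to the sorted set of hosts it has open on :443.

    Only ESTABLISHED rows count; LISTENING sockets have no remote peer.
    PIDs missing from the task list are labelled 'pid <n>' rather than dropped,
    since an unnamed owner is exactly what you would want to look at.
    """
    by_pid = defaultdict(set)
    for row in parse_netstat(netstat_text):
        if row["state"] == "ESTABLISHED" and row["remote_port"] == 443:
            by_pid[row["pid"]].add(row["remote_host"])
    return {tasklist.get(pid, f"pid {pid}"): sorted(hosts) for pid, hosts in by_pid.items()}


if __name__ == "__main__":
    for image, hosts in tls_connections_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"{image}: {', '.join(hosts)}")
```

On a live system the same two functions would be fed the real command output (`netstat -ano` and `tasklist` run from an elevated prompt); a browser showing up with connections to sites you never typed in matches Simon G's explanation, while an unrecognised image name is the thing to chase with Process Explorer.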


19 Mar 09 - 07:00 AM (#2592429)
Subject: RE: Tech: Alert! Notice
From: GUEST,.gargoyle

What Simon G writes above is right on.

bobad, I congratulate you on getting me to do a thorough scan of my machine a few weeks ago. Thanks.

A couple questions:

Are you now or have you in the past used "BitTorrent" for downloading?
Is a kid (someone under 35) using your machine?
Do you keep a log (AtGuard is one)? (Keep dumping it and watching activity)
Didn't we go through this recently before?
Have you tried booting from a drive instead of the HD?

It is recommended that you run two different on-line checkers in addition to the AV installed on your machine. (MicroTrend has one)

For file recovery pcinspector.de is excellent - select English in the upper right corner.

Take a look here: YOU NEED TO ADD the HTTP part to view:

209.85.173.132/search?q=cache:lzYrCW1NppgJ:www.spywareinfoforum.com/lofiversion/index.php/t9447.html+lockupinfo+server%3D%22209.87.208.60%22+port%3D%220%22+enable%3D%22false%22&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a

Worst case - You may need to reformat your drive and do a clean install.

Sincerely,
Gargoyle


19 Mar 09 - 07:10 AM (#2592431)
Subject: RE: Tech: Alert! Notice
From: Bruce MacNeill

I've been out of this for a couple of years. I used to allow myself a week or so to teach MCSE's how to interpret process stacks etc. There are a couple of process utilities at sysinternals apparently. The one I think gives the most information is Process Explorer. In that one you get a list of everything running on the machine and can select each process, open it and see what modules are running within, which are called its threads, then open each of those and get details as to what they are doing, if they are accessing the internet or not and if they are what addresses they are accessing. Most will just be waiting or listening for something. What you're looking for are processes or threads that don't look "Normal" and that's the trick, to know what's "Normal". Each process or thread has properties which tell who wrote it, like Microsoft or Kaspersky or Adobe etc. The bad ones generally don't have a writer listed. Legitimate threads are probably running from \system32 but the bad ones are frequently in a \temp folder, that's a flag that they came in from the Internet. It can take hours to look through the whole list and find something out of place if it's well hidden. That's why I said you needed a real geek to look at this. Sorry, if you have a "Root Kit" worm on your machine, and you aren't familiar with this, your odds are really bad of recognizing it.

There are other scanners besides the Microsoft one that may give you a clue. Trend Micro had a pretty good free PC scan on their website that might say something. The first trick is to get a clue as to where the offending thread is.


19 Mar 09 - 07:10 AM (#2592433)
Subject: RE: Tech: Alert! Notice
From: GUEST,.gargoyle

Do you notice your telephone ringing - shortly after opening e-mail?

I recommend downloading the e-mail...shut off the internet connection (zone alarm or modem switch) and then sorting through your mail and tossing the spam before reconnecting to the net.

Those "cute" (bull-sh-t) animated characters that some people include as an embedded gif in their mail can also have an "E-T phone home" attribute.

Watch your TCP traffic...As Simon G notes above.

Sincerely,
Gargoyle


19 Mar 09 - 07:26 AM (#2592439)
Subject: RE: Tech: Alert! Notice
From: GUEST,.gargoyle

CCleaner (Crap Cleaner) is a useful tool for cleaning cache (and cookies) and snail-trails.

Think of it as brushing your teeth after every meal. Use it every time to leave the net.

CC has several other good tools also a great registry viewer...HOWEVER, you really do not want to mess with reg-edit unless you know what you are doing.

Sincerely,
Gargoyle


19 Mar 09 - 08:06 AM (#2592461)
Subject: RE: Tech: Alert! Notice
From: bobad

I do use CCleaner regularly Garg.

Thanks to everyone for your advice, much is above my capability but I will keep at it and learn as I go on.


19 Mar 09 - 08:13 AM (#2592468)
Subject: RE: Tech: Alert! Notice
From: GUEST,Jim Martin

People like me don't seem to stand a chance, you have to be a real 'geek' to understand all this jargon, I wouldn't have a clue!

I've got AVG anti-virus with firewall & use Firefox, keep all fingers & toes crossed & just hope for the best - I suspect most people are the same!


19 Mar 09 - 11:20 AM (#2592611)
Subject: RE: Tech: Alert! Notice
From: Simon G

Jim -- Don't worry about the jargon, the first thing you can do is reduce the size of target you exhibit, in your case using Firefox does a lot. Something like Windows '95, old Internet Explorer and Outlook provides a Grizzly Bear size target, using the latest Windows OS/Explorer/Outlook/Messenger takes you down to a fox size. Windows but assiduously avoiding Microsoft tools, so Firefox/Thunderbird/GoogleTalk, and you're down to a dormouse. Of course to display a target the size of a fly you need to be on a Macintosh (which I'm not) or Linux.

The target size is fundamentally a reflection of the amount of effort put into breaking the technologies. And the effort goes into the popular choices, it pays not to go with the crowd.

Once you've sized your target it is really important not to then place yourself in the firing line. Here are some tips. To be honest I am amazed at what people are willing to do to encourage malware on to their computer.

Use AVG, Spybot, etc but remember that technical advancements in malware are happening faster than the development of tools to spot and remove.

If AVG and Spybot find anything other than cookies on your computer then question everything you do on it because you are dancing around in the line of fire -- the malware didn't get there on its own.

Simon


19 Mar 09 - 11:37 AM (#2592618)
Subject: RE: Tech: Alert! Notice
From: GUEST,guest_olddude

bobad
do you have Windows Defender installed? That should clean it
take a look at

windows defender


30 Mar 09 - 07:58 PM (#2600849)
Subject: RE: Tech: Alert! Notice
From: GUEST,anon

Just a thought-- do you have Firefox plugin TrackMeNot running?

I think how that works is searching a bunch of random sites, and trying to connect. You may be getting these errors occasionally from a TMN session.


30 Mar 09 - 08:16 PM (#2600860)
Subject: RE: Tech: Alert! Notice
From: bobad

Yes, I do have TrackMeNot running as a matter of fact. What you say, even though I don't know what a TMN session is, kind of fits with my feeling on this lately. The alerts are very random, there have been only one or two since I posted and my computer runs as it always has and the numerous scans have found nothing. I'm pretty sure that it is not infected. Thanks very much for your input, I appreciate it.