Re: network routing without my permission

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 08/24/05


Date: Wed, 24 Aug 2005 13:50:38 -0400

From: "Cindy" <Cindy@discussions.microsoft.com>

| About 6 months ago I found out my 2 WinXP computers had been hijacked. After
| working with wonderful help of Microsoft tech support I thought I was able to
| correct the problems...but I was wrong!
|
| I will start from the beginning:
|
| One day trying to access my banking website I found my password had been
| changed so I "fixed" the password and went on about my business. A few days
| later a virus tried to install itself on one of the computers and I stopped
| it. Using Symantec security suite at the time I thought I was safe, but
| decided to do a little digging around to see what else was happening. I
| checked the firewall settings and found MANY things were being allowed to
| access the computer. I was stumped!
|
| I downloaded a process viewer so I could see more detail as to just what
| process were running and doing so I found that my WinXP taskmanager was a
| fake and (it was long ago so I can't remember the name) was hiding the real
| taskmanager. When I hit Ctrl+Alt+Del, the fake manager was activated. The
| process manager I downloaded was able to bring up the "taskmanager behind the
| fake taskmanager" that showed all the evil processes that had been running on
| this computer for I have no idea how long.
|
| After reinstalling several times, even after reformatting the hard drive, the
| issue was still there...remember during this time I was NOT connected to the
| internet.
|
| I then bought a new hard drive, flashed the bios so I could start on a clean
| system. I still found traces of the hijacking after that. I bought a hard
| drive cleaning utility, WipeDrive, and did it all again...Long story short I
| gave up and took the computers to a computer tech and had them taken care of.
|
| Gladly getting the computers back, I had my arsenal prepared of McAfee
| Security Suite 7, Microsoft AntiSpy, Spy Sweeper along with the others
| suggested ready to install.
|
| Computers up and running with protection and a Linksys router with firewall
| enabled, they were back online.
|
| Within a few days they were hijacked again! After many hours with Microsoft
| tech support (bless them) we found a hardware problem with the RAM! After
| installing new RAM, computers back running again...for a while.
|
| Within a few weeks I noticed things slowing and acting funny. This time I
| decided to try to figure this one out myself. Running Netstat I found many
| listening connections. I downloaded a network monitoring utility and watched
| as several IP addresses connected to those listening ports and eventually IE
| 6, FireFox, Outlook Express and Thunderbird were tunneling through those
| ports. I am so OVER my head at this point!
|
| I have watched this happen so I could try to learn what was happening. I
| have wiped the hard drive several times and reinstalled to watch it happen
| all over again. I can block IPs for a while but eventually they get
| through again.
|
| If the blocking would work I wouldn't be writing this, but for some reason
| some of the blocked IPs won't allow me to get to certain web sites. I thought
| it was just Yahoo mail. When I try to access that site the browser kinda
| hangs and McAfee firewall pops up with inbound traffic trying to access a
| certain set of IPs with port event information of many connection attempts
| and the browser never gets into the Yahoo mail site. For a while I thought
| it was Yahoo and maybe it was being done on purpose so I unblocked it. Later
| I found that other sites like Amazon and other commercial sites also were
| being re-routed. This set of IPs was from Europe, Korea, China and Japan so
| I just don't believe it's supposed to happen.
|
| I do not want to have to pay someone to figure this out only to have it
| happen again!
|
| This has been a long story and thank you for having the patience to read it
| through. If you have answers, please help!
|

The first and foremost protection of a PC is using Safe Hex practices.
http://www.claymania.com/safe-hex.html

If you fail to protect yourself against Social Engineering techniques, then you will easily
get re-infected with viral or non-viral malware. If you formatted a hard disk, re-installed
the OS and were hijacked again, you must look at YOUR actions that got you infected. Unless
you had a true virus in the form of a Boot Sector Infector, it would not survive a hard disk
format.

As for a Router being compromised, the chances of that are extremely low. However, there
are ways to mitigate a Router being compromised, protect the LAN side of the Router from
Internet worms and hackers, and keep your MS Networking from leaking out from the LAN side of
the Router to the WAN side.

The Router should have the following settings...

Enable -- "Block WAN request"
Disable -- "Remote Management"
Disable -- "Remote Upgrade"

Block both TCP and UDP ports 135 ~ 139 and 445.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
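The two threads of this exchange, the original poster's habit of running Netstat to look at listening connections and the reply's advice to block TCP and UDP 135-139 and 445 at the router, can be combined into a small defender's check. The script below is an added example and is not code from either poster; it parses the column layout of Windows `netstat -an` output (Proto, Local Address, Foreign Address, State), flags MS Networking ports that are listening on a non-loopback address and therefore depend on the router dropping them, and separates sessions with Internet hosts from ordinary LAN file sharing. The `SAMPLE_NETSTAT` text is constructed for the example using documentation IP ranges and is not captured from anyone's machine; the RFC 1918 check is deliberately explicit rather than relying on Python's `is_private`, which also treats the documentation ranges used in the sample as private.

```python
import ipaddress
import re

# Ports the reply says to block at the router, both TCP and UDP:
# 135 (RPC endpoint mapper), 137-139 (NetBIOS), 445 (SMB).
MS_NETWORKING_PORTS = frozenset(range(135, 140)) | frozenset({445})

# Constructed sample of Windows `netstat -an` output (not captured from any real host).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.7:445        ESTABLISHED
  TCP    192.168.1.5:1040       198.51.100.23:80       ESTABLISHED
  TCP    192.168.1.5:1041       192.168.1.9:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")

# Explicit RFC 1918 LAN ranges (assumed to be the poster's LAN; adjust for other networks).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for the '*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_lan_or_local(host):
    """True for wildcard, loopback and RFC 1918 addresses; False for Internet hosts."""
    if host in ("*", "0.0.0.0"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in RFC1918)


def parse_netstat(text):
    """Return (proto, local_host, local_port, remote_host, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header and blank lines
        proto, local, remote, state = m.groups()
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        rows.append((proto, lh, lp, rh, rp, state or ""))
    return rows


def audit_netstat(text):
    """Return findings keyed by category, each a sorted list of tuples."""
    findings = {"exposed_ms_ports": [], "ms_sessions_with_internet": [], "internet_peers": []}
    for proto, lh, lp, rh, rp, state in parse_netstat(text):
        listening = proto == "UDP" or state == "LISTENING"
        if listening and lp in MS_NETWORKING_PORTS and not is_loopback(lh):
            # Bound to 0.0.0.0 or the LAN address: reachable from the WAN unless the
            # router drops 135-139/445 as the reply recommends.
            findings["exposed_ms_ports"].append((proto, lp))
        elif state == "ESTABLISHED" and not is_lan_or_local(rh):
            findings["internet_peers"].append((proto, rh, rp))
            if rp in MS_NETWORKING_PORTS or lp in MS_NETWORKING_PORTS:
                # File-sharing traffic with an Internet host is what the router block exists to stop.
                findings["ms_sessions_with_internet"].append((proto, rh, rp))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in audit_netstat(SAMPLE_NETSTAT).items():
        print(category, items)
```

Feeding real `netstat -an` output into `audit_netstat` in place of the sample gives the same three lists; the LAN session to 192.168.1.9:445 in the sample is deliberately left out of the findings, since blocking those ports at the router does not affect file sharing between machines on the LAN side.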
