A Windows XP help forum. PCbanter


Security Issue, or Just Paranoid?



 
 
#1
December 4th 05, 09:57 PM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

A month ago, a hacker got into my system and wiped clean all the data from
two computers -- and my automated backup hard drive. I have become something
of a madwoman about this, as you can imagine.

In the weeks since then, every security certificate I examine has an expired
date on it. This includes the ActiveX control for automated updates from
Microsoft!

I just ran the system recovery media on an Averatec computer that has not
yet been on the internet, and it has 25 compressed files that have names like
DSOExploit (and DSOExploit1, 2, 3, 4), or are tucked in a directory called
C:\program files\Spybot - Search & Destroy\updates, when Spybot Search and
Destroy has not been installed on this computer.

Another suspicious category is eight zip files with apparently identical
contents, each named a different combination of 8 alphanumeric characters,
filed in C:\windows\java\packages. So, for example, it's
C:\windows\java\packages\7BRR3PZV.

The thing that makes me really crazy is when I went into Recovery console
from a Windows XP disk, I am asked for an administrator password, and I did
not set an administrator password.

What I think is happening is that this is a very clever hijack program that
makes a copy of everything I have ever put on this computer. Thus, every
method I have used to reformat the hard drive (and believe me, I have used a
lot of different methods for this), or to control this menace, is copied as I
shut down, and when I reboot, they have engineered the program so as to make
it appear to work when it is not.

I just read this thread called "Security Problem?" and it sounds like this
is something that would be easy enough to do.

Or am I really just crazy?

Thanks!
#2
December 4th 05, 10:34 PM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

You are doing something wrong when you reinstall the operating system. You
need to make sure that the hard drive is fully formatted, not quick formatted,
for NTFS when you do a pristine install of the operating system. Another
possibility is that you are using infected media [CD-ROM, DVD, USB, etc.] that
compromises the computer, opening an email attachment that infects the
computer, downloading and installing infected software, or connecting the
computer to the internet without a proper firewall and antivirus program.
Anything that you copy back to your computer from backup media must be
scanned for viruses before you copy it to the new installation, and
your installation disk must be a genuine install disk from Microsoft, not
some copy you got from someone. If other users have physical access to the
computer, that could also be a cause for concern. Any scans for
malware/spyware must be done with quality programs that are updated from the
vendor's website before you do the scans, and also scan in Safe Mode.

The links below may help, and also you should always have backups of your
data to offline media such as CD-ROM, DVD, etc. If you make no progress you
may want to hire someone who specializes in securing operating systems and
networks. If you are using a wireless network then lack of security for your
wireless network could explain a lot of what is going on. WEP is not secure
by today's standards unless you are using 802.1X and dynamic WEP. WPA with
PSK is much better as long as you use a PSK of at least 15 characters that
is complex. --- Steve

http://www.microsoft.com/athome/secu...2/Default.mspx --- Protect Your PC
http://www.microsoft.com/athome/secu...s/default.mspx --- Viruses and worms info from MS

"SueInCincy" wrote in message
...
#3
December 4th 05, 10:38 PM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

From: "SueInCincy"


Are you using SpyBot Search and Destroy v1.4 ?

The DSO Exploit is very old and was fixed long ago and should not be a factor in WinXP.

Earlier versions of SpyBot S&D repeatedly falsely declared the DSO Exploit, which has long
since been corrected by new signatures and by SpyBot S&D v1.4.

I don't see anything else in your post so I think you are over reacting. I do suggest that
you use and perform the following to make sure there is no malware on your PC.


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#4
December 4th 05, 11:03 PM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

I appreciate your quick replies, and I don't think I made myself clear about
how many different ways we have tried to get this disk cleared.

First I tried the system recovery media. That worked one time, but I didn't
really understand what I was up against, and the bad guys got back in before
I could download the Windows security updates, etc. The next two times I
tried that method I had evidence of the bad guys even before I downloaded any
files or hooked up to the internet.

Then I tried using the "long reformat" option from a Windows XP disc, and
that appeared to have worked once.

Then, I tried the FDisk command from DOS, and then a couple of different
DOD-approved products for wiping a hard drive clean that booted from the CD.
Then I hired a specialist in security matters, who proceeded to use a machine
I knew was "dirty" (and he insisted I was just paranoid) to get the WEP keys
for my wireless network.

I have never used anything but OEM software and/or downloads from OEM
websites.

I don't know how they are doing this.

I really do appreciate your prompt response, but I really do want you to
consider that this is something you haven't seen before.

I have spent hundreds of hours studying this issue during the past five
weeks, and my daughter told me yesterday "she wants her mommy back." I don't
see anyone describing anything that comes close to this experience.

Thanks again for your help.



"David H. Lipman" wrote:


#5
December 4th 05, 11:24 PM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

From: "SueInCincy"


Don't use wireless ! If you must do networking, go wired.
Make sure you use a router. Specifically block TCP and UDP ports 135 ~ 139 and 445 on that
Router. Even better would be a full implementation of a FireWall on that Router.

| I appreciate your quick replies, and I don't think I made myself clear about
| how many different ways we have tried to get this disk cleared.

And you still haven't. If you want help you must be specific. Of the tens of thousands of
infectors only a few dozen are Boot Sector Infectors and they will survive a reformat.

Nowhere do I see anything posted about the use of anti virus software ! Hell, for all I
know you might have had the Kriz or Chernobyl viruses and they could have wiped the data
from your disks.

You also did reply about my information on SpyBot and the DSO False Positive declaration.

It doesn't matter if I haven't "seen" what you had before. If you practice Safe Hex and
take precautionary measures then you won't need corrective measures and Mommy can be Mommy.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


#6
December 5th 05, 12:18 AM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

Dave,

-----------------------

Don't use wireless ! If you must do networking, go wired.
-------------------------
I am not wireless now; I even switched to a cable modem from DSL.

Make sure you use a router. Specifically block TCP and UDP ports 135 ~ 139
and 445 on that
Router. Even better would be a full implementation of a FireWall on that
Router.
--------------
Right now I am only trying to get one computer at a time safe.
------------------

| I appreciate your quick replies, and I don't think I made myself clear about
| how many different ways we have tried to get this disk cleared.
----------------------------
And you still haven't. If you want help you must be specific. Of the 10's of
thousands of infectors only a few dozen are Boot Sector Infectors and they
will survive a reformat.
I think I did spell out all the different ways we have used to clean off
this hard drive, if you look at my last post.
----------------------

Nowhere do I see anything posted about the use of anti virus software !
Hell, for all I know you might have had the Kriz or Chernobyl viruses and
they could have wiped the data from your disks.
---------------
I guess I figured it went without saying that I had updated virus
protection -- first the EZ Firewall and Antivirus product from Computer
Associates, and then Norton Internet Security with full updates. I also
used Kaspersky and Zone Alarm and Ewido, none of which ever found anything
like a virus, or even a significant spyware or malware.

---------------

You also did reply about my information on SpyBot and the DSO False Positive
declaration.
---------------------
In my first post, I said that SpyBot hasn't been installed on this machine
since at least three reformats ago.

-----------------------

It doesn't matter if I haven't "seen" what you had before. If you practice
Safe Hex and take precautionary measures then you won't need corrective
measures and Mommy can be Mommy.

-----------------
I know that you are doing this as a freebie, and I appreciate that, but
please understand that I really have done everything according to the book,
at least according to the book that comes with the OEM software I have been
using, and still this continues to happen. You are the first person to
acknowledge in writing that there are Boot Sector Infectors (or whatever)
that can survive a thorough reformat.

----
I do appreciate your expertise, but I am very frustrated by the experience
of being treated at every turn like I am either a hypochondriac or an
uninformed slob with poor computer hygiene. I really do appreciate your
help.

Thanks again.



#7
December 5th 05, 12:18 AM posted to microsoft.public.windowsxp.security_admin
Regarding the Spybot thing

I just want to be doubly sure that you know that it has been at least three
reformats ago (one by a professional) since there was any Spybot on this
machine at all.

"David H. Lipman" wrote:



#8
December 5th 05, 12:19 AM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

Not a help to your present predicament, but if running a company server I'd
also advise genning-up on rotational backups. What has happened to you
demonstrates something I have a hard time convincing clients of, which is
that a single backup is insufficient.

Ideally a full rotational system will use a tape drive, and to make a full
year's backup-set will require twenty tapes. (four daily, four weekly, twelve
monthly)

That way, even if the damage was done a month ago, you can still restore a
copy of the server's OS from before that time, and then decide which copies
of the data are usable, perhaps merging several tapes' worth to get a
near-complete restore. If you reuse all of your tapes daily or weekly
then you have no such options.

Hope this helps, at least to prevent a repeat loss of data.

Ian.
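
The rotation Ian describes, worked through as an added example (mine, not code from the post): a twenty-tape grandfather-father-son schedule simulated over 2005, showing which restore points survive when damage done a month earlier is discovered on the thread's date. The post gives only the tape counts; the weekday-only schedule and the rule for which Friday goes to which tape are assumptions.

```python
from datetime import date, timedelta

# Tape pool from the post: four daily, four weekly, twelve monthly tapes (twenty).
DAILY_TAPES = ["D1", "D2", "D3", "D4"]                 # Mon .. Thu
WEEKLY_TAPES = ["W1", "W2", "W3", "W4"]                # 1st .. 4th Friday
MONTHLY_TAPES = [f"M{m:02d}" for m in range(1, 13)]    # last Friday of each month


def _as_date(day) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def is_last_friday(day: date) -> bool:
    """Friday whose next Friday falls in the following month."""
    return day.weekday() == 4 and (day + timedelta(days=7)).month != day.month


def tape_for(day):
    """Tape label that the backup taken on `day` overwrites, or None when no
    backup runs (assumed weekday-only schedule; the post gives counts only):
    Mon..Thu -> D1..D4, 1st..4th Friday -> W1..W4, last Friday -> M<month>."""
    day = _as_date(day)
    wd = day.weekday()                       # Monday == 0 ... Sunday == 6
    if wd >= 5:
        return None
    if wd < 4:
        return DAILY_TAPES[wd]
    if is_last_friday(day):
        return MONTHLY_TAPES[day.month - 1]
    # A 5th Friday is always the last one, so this index stays within 0..3.
    return WEEKLY_TAPES[(day.day - 1) // 7]


def simulate(first, last) -> dict:
    """Run the schedule over [first, last] and return {tape: ISO date of the
    backup it currently holds}; every write overwrites the tape's old contents."""
    day, last = _as_date(first), _as_date(last)
    library = {}
    while day <= last:
        tape = tape_for(day)
        if tape is not None:
            library[tape] = day.isoformat()
        day += timedelta(days=1)
    return library


def restore_points_before(library: dict, cutoff) -> list:
    """Intact backups older than `cutoff` (say, the day the damage was done),
    oldest first, as (ISO date, tape) pairs. ISO strings sort chronologically."""
    cutoff = _as_date(cutoff).isoformat()
    return sorted((when, tape) for tape, when in library.items() if when < cutoff)


if __name__ == "__main__":
    # Constructed scenario: the rotation ran all year; on the thread's date
    # (4 Dec 2005) we ask what can still be restored from before 4 Nov 2005.
    library = simulate("2005-01-03", "2005-12-04")
    for when, tape in restore_points_before(library, "2005-11-04"):
        print(tape, when)
    # With only four daily tapes reused every week, nothing older than a week
    # would survive; here ten monthly tapes plus W4 still hold older copies.
```

Note that W4 is written only in months with five Fridays, so its contents can be months old, which is exactly the kind of "decide which copies are usable" judgement Ian mentions.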


#9
December 5th 05, 12:38 AM posted to microsoft.public.windowsxp.security_admin
Security Issue, or Just Paranoid?

From: "SueInCincy"

Frankly, you still haven't stated anything substantial. You still haven't addressed the
version of SpyBot S&S and the Flase positive decalarations of the DSO Exploit.

I don't care if it is one PC or twenty. I still sugeest the use of a router. To
specifically block TCP and UDP ports 135 ~ 139 and 445 on that
Router and it would be even better to get a one with a full implementation of a FireWall on
that Router.

Changing over from DSL to Cable is a red herring. The internet security risks are equal
with both technologies. The change that has to be made is between the broadband modem and
the personal computer(s), and that is by the use of a NAT Router or, even better, a NAT Router
with a full implementation of a FireWall.

This is evident from your statement... "...and the bad guys got back in before I could
download the Windows security updates, etc. The next two times I tried that method I had
evidence of the bad guys even before I downloaded any files or hooked up to the internet."

The "bad boys" (as you call them) got in because you did not use a FireWall or NAT Router
when installing the Critical Updates.
If you are directly connected to a Cable modem then you are at a greater risk. That risk
being based upon your ability to secure the OS and mitigate OS and software vulnerabilities.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
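The router check recommended above, as an added example that is not code from the thread or from any of the posters: a small standard-library Python script that probes TCP 135-139 and 445 on a host from the outside and reports which of them are reachable at all. The point of the classification is the one Dave makes: a "closed" answer means the packet got through the router, so the port is not actually blocked; only "filtered" (no reply) shows the router is dropping it. The target address, the port set and the loopback demonstration are assumptions for this example; run it against your own router's public address from a host outside it, or against the XP box from a second machine on the LAN, before the unpatched machine is allowed to reach Windows Update.

```python
"""Probe the Windows RPC/NetBIOS/SMB ports on a host from the outside.

Added example, not code from the thread. Usage (address is a placeholder):
    python3 port_audit.py 203.0.113.5
With no argument it runs an offline demonstration against 127.0.0.1.
Standard library only; TCP only (see the note in audit()).
"""
import socket
import sys

# The ports the post says to block at the router: TCP 135 (RPC endpoint
# mapper), 137-139 (NetBIOS), 445 (SMB). Assumed set for this example.
WINDOWS_LAN_PORTS = (135, 136, 137, 138, 139, 445)


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port from the prober's point of view.

    'open'     - a connection was accepted: a service is exposed.
    'closed'   - the host replied with a RST: nothing listens, but the
                 packet got through, so the router is NOT blocking it.
    'filtered' - no reply before the timeout (or no route): a firewall or
                 NAT router dropped the probe, which is the desired state.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"   # EHOSTUNREACH, ENETUNREACH etc.: not reachable
    finally:
        s.close()


def audit(host, ports=WINDOWS_LAN_PORTS, timeout=2.0):
    """Probe every port in `ports`.

    Returns (results, exposed): results maps port -> state, exposed lists
    the ports that are reachable at all ('open' or 'closed'). A correctly
    configured router leaves `exposed` empty. UDP 135-139/445 is not
    probed: without an ICMP unreachable reply a closed UDP port looks the
    same as a filtered one, so confirm the UDP rules on the router itself.
    """
    results = {port: probe_tcp(host, port, timeout) for port in ports}
    exposed = [port for port, state in results.items() if state != "filtered"]
    return results, exposed


def local_demo():
    """Offline demonstration against 127.0.0.1 (constructed, no target needed).

    Opens one throwaway listener and picks one port known to be closed,
    then audits both. Returns (results, exposed, open_port, closed_port).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens there any more
    try:
        results, exposed = audit("127.0.0.1", (open_port, closed_port), 1.0)
    finally:
        listener.close()
    return results, exposed, open_port, closed_port


if __name__ == "__main__":
    if len(sys.argv) < 2:
        res, exp, op, cp = local_demo()
        print("loopback demo:", res, "-> reachable:", exp)
    else:
        target = sys.argv[1]
        res, exp = audit(target)
        for port, state in sorted(res.items()):
            print(f"{target}:{port:<4} {state}")
        print("reachable (not blocked):", exp or "none")
```

Two caveats a practitioner should keep in mind: "filtered" also describes a host that is simply offline, so confirm the box is up on some other port or from inside the LAN first; and a single TCP connect per port is enough to tell blocked from not blocked, but only probe addresses you are responsible for.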


  #10  
Old December 5th 05, 01:04 AM posted to microsoft.public.windowsxp.security_admin
external usenet poster
 
Posts: n/a
Default Security Issue, or Just Paranoid?

It sounds like the "specialist" that you hired may have not been up to the
task. It is difficult to find someone who knows what they are doing since it
seems almost everyone claims to be some sort of a computer expert these
days. Since you feel you are in over your head you should take your computer
to a reputable computer shop to do the reinstall and tell them that you want
to examine the OS for your alleged hackers before you leave. It does not
really matter how many hours you have studied in just five weeks because
that is no substitute for the years of experience many of us have in
repairing and securing computers/networks. Also ask them to install Zone
Alarm for you and to not configure it for any access, which you can do
yourself. Zone Alarm will alert you when any application tries to access the
internet, at which time you can decide whether or not you want to allow
it. You can examine and modify the applications list that the firewall
allows at any time. Note that a personal firewall can prevent unauthorized
access to your computer but does not make up for an insecure wireless
network installation. --- Steve

"SueInCincy" wrote in message
...
I appreciate your quick replies, and I don't think I made myself clear about
how many different ways we have tried to get this disk cleared.

First I tried the system recovery media. That worked one time, but I didn't
really understand what I was up against, and the bad guys got back in before
I could download the Windows security updates, etc. The next two times I
tried that method I had evidence of the bad guys even before I downloaded any
files or hooked up to the internet.

Then I tried using the "long reformat" option from a Windows XP disc, and
that appeared to have worked once.

Then, I tried the FDisk command from DOS, and then a couple of different
DOD-approved products for wiping a hard drive clean that booted from the CD.
Then I hired a specialist in security matters, who proceeded to use a machine
I knew was "dirty" (and he insisted I was just paranoid) to get the WEP keys
for my wireless network.

I have never used anything but OEM software and/or downloads from OEM
websites.

I don't know how they are doing this.

I really do appreciate your prompt response, but I really do want you to
consider that this is something you haven't seen before.

I have spent hundreds of hours studying this issue during the past five
weeks, and my daughter told me yesterday "she wants her mommy back." I don't
see anyone describing anything that comes close to this experience.

Thanks again for your help.



"David H. Lipman" wrote:

From: "SueInCincy"

| A month ago, a hacker got into my system and wiped clean all the data from
| two computers -- and my automated backup hard drive. I have become something
| of a madwoman about this, as you can imagine.
|
| In the weeks since then, every security certificate I examine has an expired
| date on it. This includes the ActiveX control for automated updates from
| Microsoft!
|
| I just ran the system recovery media on an Averatec computer that has not
| yet been on the internet, and it has 25 compressed files that have names like
| DSOExploit (and DSOExploit1, 2, 3, 4), or are tucked in a directory called
| C:\program files\Spybot - Search & Destroy\updates, when Spybot Search and
| Destroy has not been installed on this computer.
|
| Another suspicious category is eight zip files with apparently identical
| contents, each named a different combination of 8 alphanumeric characters,
| filed in C:\windows\java\packages. So, for example, it's
| C:\windows\java\packages\7BRR3PZV.
|
| The thing that makes me really crazy is when I went into Recovery console
| from a Windows XP disk, I am asked for an administrator password, and I did
| not set an administrator password.
|
| What I think is happening is that this is a very clever hijack program that
| makes a copy of everything I have ever put on this computer. Thus, every
| method I have used to reformat the hard drive (and believe me, I have used a
| lot of different methods for this), or to control this menace, is copied as I
| shut down, and when I reboot, they have engineered the program so as to make
| it appear to work when it is not.
|
| I just read this thread called "Security Problem?" and it sounds like this
| is something that would be easy enough to do.
|
| Or am I really just crazy?
|
| Thanks!

Are you using SpyBot Search and Destroy v1.4 ?

The DSO Exploit is very old and was fixed long ago and should not be a
factor in WinXP.

Earlier versions of SpyBot S&D repeatedly falsely declared the DSO
Exploit; this has long since been corrected by new signatures and by
SpyBot S&D v1.4.

I don't see anything else in your post so I think you are over reacting. I
do suggest that you use and perform the following to make sure there is no
malware on your PC.


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any
Browser Helper Objects that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your FireWall to allow it to download the needed AV vendor
related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files,
or you can download the files and perform a scan in Normal Mode. Once you
have downloaded the files needed for each scanner you want to use, you
should reboot the PC into Safe Mode [F8 key during boot] and re-run the
menu again and choose which scanner you want to run in Safe Mode. It is
suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm





 



