#1
Security Issue, or Just Paranoid?
A month ago, a hacker got into my system and wiped clean all the data from two computers -- and my automated backup hard drive. I have become something of a madwoman about this, as you can imagine.

In the weeks since then, every security certificate I examine has an expired date on it. This includes the ActiveX control for automated updates from Microsoft!

I just ran the system recovery media on an Averatec computer that has not yet been on the internet, and it has 25 compressed files that have names like DSOExploit (and DSOExploit1, 2, 3, 4), or are tucked in a directory called C:\program files\Spybot - Search & Destroy\updates, when Spybot Search and Destroy has not been installed on this computer.

Another suspicious category is eight zip files with apparently identical contents, each named a different combination of 8 alphanumeric characters, filed in C:\windows\java\packages. So, for example, it's C:\windows\java\packages\7BRR3PZV.

The thing that makes me really crazy is when I went into Recovery console from a Windows XP disk, I am asked for an administrator password, and I did not set an administrator password.

What I think is happening is that this is a very clever hijack program that makes a copy of everything I have ever put on this computer. Thus, every method I have used to reformat the hard drive (and believe me, I have used a lot of different methods for this), or to control this menace, is copied as I shut down, and when I reboot, they have engineered the program so as to make it appear to work when it is not.

I just read this thread called "Security Problem?" and it sounds like this is something that would be easy enough to do.

Or am I really just crazy?

Thanks!
#2
Security Issue, or Just Paranoid?
You are doing something wrong when you reinstall the operating system. You need to make sure that the hard drive is formatted and not quick formatted for NTFS when you do a pristine install of the operating system.

Another possibility is that you are using infected media [cdrom/DVD, USB, etc] to compromise the computer, opening email attachments that are infecting the computer, downloading and installing infected software, or connecting the computer to the internet without a proper firewall and antivirus program. Anything that you copy back to your computer from backup media must be scanned for viruses first before you copy it to the new installation, and your installation disk must be a genuine install disk from Microsoft - not some copy you got from someone. If other users have physical access to the computer that could also be a cause for concern.

Any scans for malware/spyware must be done with quality programs that are updated from the vendor's website before you do the scans, and also scan in Safe Mode. The links below may help, and also you should always have backups of your data to offline media such as cdrom, DVD, etc. If you make no progress you may want to hire someone that specializes in securing operating systems and networks.

If you are using a wireless network then lack of security for your wireless network could explain a lot of what is going on. WEP is not secure by today's standards unless you are using 802.1X and dynamic WEP. WPA with PSK is much better as long as you use a PSK of at least 15 characters that is complex.

--- Steve

http://www.microsoft.com/athome/secu...2/Default.mspx --- Protect Your PC
http://www.microsoft.com/athome/secu...s/default.mspx --- Viruses and worms info from MS
#3
Security Issue, or Just Paranoid?
Are you using SpyBot Search and Destroy v1.4? The DSO Exploit is very old and was fixed long ago and should not be a factor in WinXP. Earlier versions of SpyBot S&D repeatedly falsely declared the DSO Exploit; this has long since been corrected by new signatures and by SpyBot S&D v1.4.

I don't see anything else in your post so I think you are overreacting. I do suggest that you use and perform the following to make sure there is no malware on your PC.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.

The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode.

It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#4
Security Issue, or Just Paranoid?
I appreciate your quick replies, and I don't think I made myself clear about how many different ways we have tried to get this disk cleared.

First I tried the system recovery media. That worked one time, but I didn't really understand what I was up against, and the bad guys got back in before I could download the Windows security updates, etc. The next two times I tried that method I had evidence of the bad guys even before I downloaded any files or hooked up to the internet.

Then I tried using the "long reformat" option from a Windows XP disc, and that appeared to have worked once.

Then, I tried the FDisk command from DOS, and then a couple of different DOD-approved products for wiping a hard drive clean that booted from the CD. Then I hired a specialist in security matters, who proceeded to use a machine I knew was "dirty" (and he insisted I was just paranoid) to get the WEP keys for my wireless network.

I have never used anything but OEM software and/or downloads from OEM websites.

I don't know how they are doing this.

I really do appreciate your prompt response, but I really do want you to consider that this is something you haven't seen before.

I have spent hundreds of hours studying this issue during the past five weeks, and my daughter told me yesterday "she wants her mommy back." I don't see anyone describing anything that comes close to this experience.

Thanks again for your help.
#5
Security Issue, or Just Paranoid?
Don't use wireless! If you must do networking, go wired.

Make sure you use a router. Specifically block TCP and UDP ports 135 ~ 139 and 445 on that Router. Even better would be a full implementation of a FireWall on that Router.

| I appreciate your quick replies, and I don't think I made myself clear about
| how many different ways we have tried to get this disk cleared.

And you still haven't. If you want help you must be specific.

Of the tens of thousands of infectors only a few dozen are Boot Sector Infectors and they will survive a reformat.

Nowhere do I see anything posted about the use of anti virus software! Hell, for all I know you might have had the Kriz or Chernobyl viruses and they could have wiped the data from your disks.

You also did reply about my information on SpyBot and the DSO False Positive declaration.

It doesn't matter if I haven't "seen" what you had before. If you practice Safe Hex and take precautionary measures then you won't need corrective measures and Mommy can be Mommy.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
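Dave's remark that a boot sector infector survives a reformat comes down to where it lives: formatting a partition rewrites that volume, not the disk's first sector. As an added illustration (not code from this thread or from any tool named in it), the Python below parses a legacy MBR and compares its boot code against a baseline hash recorded from a known-clean install; the sample sectors, the baseline and the helper names are all constructed here.

```python
"""Parse a 512-byte legacy MBR and check its boot code against a clean baseline.

Added example; the sample sectors below are constructed, not read from a disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, the part an infector replaces
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xaa"        # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot code and partition entries; reject a bad signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 over the boot code only, so legitimate partition-table edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> dict:
    """Compare a sector with the baseline from a clean install and list anomalies."""
    info = parse_mbr(sector)
    digest = boot_code_digest(sector)
    findings = []
    if digest != baseline_digest:
        findings.append("boot code differs from baseline")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) > 1:
        findings.append(f"more than one active partition: {active}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition {p['index']} has type 0x{p['type']:02x} but starts at LBA 0")
    return {"digest": digest, "partitions": info["partitions"], "findings": findings}


def read_mbr(device_path: str) -> bytes:
    # Sector 0 of a raw device: r"\\.\PhysicalDrive0" on Windows (administrator
    # required) or /dev/sda on Linux (root required). Not called in the demo below.
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


# ---- constructed sample data, not taken from any real disk ----
def _build_mbr(boot_code: bytes, entries: list) -> bytes:
    table = b"".join(struct.pack(PART_ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # stand-in for a stock bootstrap prologue
NTFS_PARTITION = [(0x80, 0x07, 63, 2_000_000)]              # active, type 0x07, starts at LBA 63
CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE, NTFS_PARTITION)
BASELINE_DIGEST = boot_code_digest(CLEAN_MBR)               # what you would record after a clean install
# Same partition table, but the first bytes of boot code now jump elsewhere.
TAMPERED_MBR = _build_mbr(b"\xeb\x3c\x90" + CLEAN_BOOT_CODE[3:], NTFS_PARTITION)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, BASELINE_DIGEST)
        print(name, result["digest"][:16], result["findings"] or "no findings")
```

The baseline only means something if it was taken before the machine was ever exposed, so record it right after the clean install and keep it off the machine.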
#6
Security Issue, or Just Paranoid?
Dave,

| Don't use wireless ! If you must do networking, go wired.

I am not wireless now; I even switched to a cable modem from DSL.

| Make sure you use a router. Specifically block TCP and UDP ports 135 ~ 139 and 445 on that
| Router. Even better would be a full implementation of a FireWall on that Router.

Right now I am only trying to get one computer at a time safe.

| | I appreciate your quick replies, and I don't think I made myself clear about
| | how many different ways we have tried to get this disk cleared.
|
| And you still haven't. If you want help you must be specific. Of the 10's of
| thousands of infectors only a few dozen are Boot Sector Infectors and they
| will survive a reformat.

I think I did spell out all the different ways we have used to clean off this hard drive, if you look at my last post.

| Nowhere do I see anything posted about the use of anti virus software !
| Hell, for all I know you might have had the Kriz or Chernobyl viruses and
| they could have wiped the data from your disks.

I guess I figured it went without saying that I had updated virus protection -- first the EZ Firewall and Antivirus product from Computer Associates, and then Norton Internet Security with full updates. I also used Kaspersky and Zone Alarm and Ewido, none of which ever found anything like a virus, or even a significant spyware or malware.

| You also did reply about my information on SpyBot and the DSO False Positive
| declaration.

In my first post, I said that SpyBot hasn't been installed on this machine since at least three reformats ago.

| It doesn't matter if I haven't "seen" what you had before. If you practice
| Safe Hex and take precautionary measures then you won't need corrective
| measures and Mommy can be Mommy.

I know that you are doing this as a freebie, and I appreciate that, but please understand that I really have done everything according to the book, at least according to the book that comes with the OEM software I have been using, and still this continues to happen. You are the first person to acknowledge in writing that there are Boot Sector Infectors (or whatever) that can survive a thorough reformat.

I do appreciate your expertise, but I am very frustrated by the experience of being treated at every turn like I am either a hypochondriac or an uninformed slob with poor computer hygiene. I really do appreciate your help.

Thanks again.
#7
Regarding the Spybot thing
I just want to be doubly sure that you know that it has been at least three reformats ago (one by a professional) since there was any Spybot on this machine at all.
#8
Security Issue, or Just Paranoid?
Not a help to your present predicament, but if running a company server I'd also advise genning-up on rotational backups. What has happened to you demonstrates something I have a hard time convincing clients of, which is that a single backup is insufficient.

Ideally a full rotational system will use a tape drive, and to make a full year's backup-set will require twenty tapes (four daily, four weekly, twelve monthly). That way, even if the damage was done a month ago, you can still restore a copy of the server's OS from before that time, and then decide which copies of the data are usable, perhaps merging several tapes' worth to get a near-complete restore. If you reuse all of your tapes daily or weekly then you have no such options.

Hope this helps, at least to prevent a repeat loss of data.

Ian.
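Ian's twenty-tape set, simulated on a calendar as an added example (not code from his post) so the claim about a month-old wipe can be checked against the alternative of one reused backup drive. The schedule is an assumption the thread does not spell out: backups run Monday to Friday, Monday to Thursday write the daily tapes, ordinary Fridays write the weekly tape for that week of the month, and the last Friday of a month writes that month's tape; the dates are constructed.

```python
"""Grandfather-father-son rotation with 4 daily, 4 weekly and 12 monthly tapes.

Added example; the weekday schedule and the dates are assumptions, not from the thread.
"""
from datetime import date, timedelta

DAILY = [f"daily-{i}" for i in range(1, 5)]          # Monday .. Thursday
WEEKLY = [f"weekly-{i}" for i in range(1, 5)]        # 1st .. 4th Friday of the month
MONTHLY = [f"monthly-{m:02d}" for m in range(1, 13)]  # last Friday of each month
TAPE_SET = DAILY + WEEKLY + MONTHLY                  # Ian's twenty tapes


def is_last_friday(d: date) -> bool:
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def tape_for(d: date):
    """Tape written on day d under the rotation, or None when no backup runs."""
    wd = d.weekday()                     # Monday == 0
    if wd >= 5:
        return None                      # weekend: no backup (assumption)
    if wd == 4:
        if is_last_friday(d):
            return f"monthly-{d.month:02d}"
        return f"weekly-{(d.day - 1) // 7 + 1}"   # a 5th Friday is always the last one, so this stays <= 4
    return f"daily-{wd + 1}"


def simulate(start: date, end: date) -> dict:
    """Walk the calendar; each write overwrites whatever that tape held before."""
    tapes = {}
    d = start
    while d <= end:
        label = tape_for(d)
        if label is not None:
            tapes[label] = d
        d += timedelta(days=1)
    return tapes


def simulate_single_target(start: date, end: date) -> dict:
    """The single always-overwritten backup drive: only the newest copy ever exists."""
    tapes = {}
    d = start
    while d <= end:
        if d.weekday() < 5:
            tapes["backup-drive"] = d
        d += timedelta(days=1)
    return tapes


def recoverable_before(tapes: dict, cutoff: date) -> list:
    """Tapes whose contents predate cutoff, e.g. the day the data was wiped."""
    return sorted((label, d) for label, d in tapes.items() if d < cutoff)


if __name__ == "__main__":
    started = date(2005, 1, 3)   # constructed: first backup, a Monday
    wiped = date(2005, 7, 15)    # constructed: the day everything was erased
    today = date(2005, 8, 15)    # constructed: a month later, when the loss is noticed
    print("rotation:", recoverable_before(simulate(started, today), wiped))
    print("single drive:", recoverable_before(simulate_single_target(started, today), wiped))
```

With the constructed dates the rotation still holds six monthly tapes written before the wipe, while the single drive holds nothing older than the most recent overwrite.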
#9
Security Issue, or Just Paranoid?
Frankly, you still haven't stated anything substantial.

You still haven't addressed the version of SpyBot S&D and the False Positive declarations of the DSO Exploit.

I don't care if it is one PC or twenty. I still suggest the use of a router. To specifically block TCP and UDP ports 135 ~ 139 and 445 on that Router and it would be even better to get one with a full implementation of a FireWall on that Router.

Changing over from DSL to Cable is a red herring. The internet security risks are equal with both technologies. The change that has to be made is between the Broadband modem and the personal computer(s) and that is by the use of a NAT Router or even better a NAT Router with a full implementation of a FireWall.

This is evident by your statement...

"...and the bad guys got back in before I could download the Windows security updates, etc. The next two times I tried that method I had evidence of the bad guys even before I downloaded any files or hooked up to the internet."

The "bad boys" (as you call them) got in because you did not use a FireWall or NAT Router when installing the Critical Updates. If you are directly connected to a Cable modem then you are at a greater risk. That risk being based upon your ability to secure the OS and mitigate OS and software vulnerabilities.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#10
Security Issue, or Just Paranoid?
It sounds like the "specialist" that you hired may have not been up to the task. It is difficult to find someone who knows what they are doing since it seems almost everyone claims to be some sort of a computer expert these days. Since you feel you are in over your head you should take your computer to a reputable computer shop to do the reinstall and tell them that you want to examine the OS for your alleged hackers before you leave. It does not really matter how many hours you have studied in just five weeks because that is no substitute for the years of experience many of us have in repairing and securing computers/networks.

Also ask them to install Zone Alarm for you and to not configure it for any access, which you can do yourself. Zone Alarm will alert you when any application tries to access the internet, at which time you can decide whether or not you want to allow it. You can examine and modify the applications list that the firewall allows at any time. Note that a personal firewall can prevent unauthorized access to your computer but does not make up for an insecure wireless network installation.

---
Steve

"SueInCincy" wrote in message ...

I appreciate your quick replies, and I don't think I made myself clear about how many different ways we have tried to get this disk cleared. First I tried the system recovery media. That worked one time, but I didn't really understand what I was up against, and the bad guys got back in before I could download the Windows security updates, etc. The next two times I tried that method I had evidence of the bad guys even before I downloaded any files or hooked up to the internet. Then I tried using the "long reformat" option from a Windows XP disc, and that appeared to have worked once. Then, I tried the FDisk command from DOS, and then a couple of different DOD-approved products for wiping a hard drive clean that booted from the CD.

Then I hired a specialist in security matters, who proceeded to use a machine I knew was "dirty" (and he insisted I was just paranoid) to get the WEP keys for my wireless network. I have never used anything but OEM software and/or downloads from OEM websites. I don't know how they are doing this.

I really do appreciate your prompt response, but I really do want you to consider that this is something you haven't seen before. I have spent hundreds of hours studying this issue during the past five weeks, and my daughter told me yesterday "she wants her mommy back." I don't see anyone describing anything that comes close to this experience. Thanks again for your help.

"David H. Lipman" wrote:

From: "SueInCincy"

| A month ago, a hacker got into my system and wiped clean all the data from
| two computers -- and my automated backup hard drive. I have become something
| of a madwoman about this, as you can imagine.
|
| In the weeks since then, every security certificate I examine has an expired
| date on it. This includes the ActiveX control for automated updates from
| Microsoft!
|
| I just ran the system recovery media on an Averatec computer that has not
| yet been on the internet, and it has 25 compressed files that have names like
| DSOExploit (and DSOExploit1, 2, 3, 4), or are tucked in a directory called
| C:\program files\Spybot - Search & Destroy\updates, when Spybot Search and
| Destroy has not been installed on this computer.
|
| Another suspicious category is eight zip files with apparently identical
| contents, each named a different combination of 8 alphanumeric characters,
| filed in C:\windows\java\packages. So, for example, it's
| C:\windows\java\packages\7BRR3PZV.
|
| The thing that makes me really crazy is when I went into Recovery console
| from a Windows XP disk, I am asked for an administrator password, and I did
| not set an administrator password.
|
| What I think is happening is that this is a very clever hijack program that
| makes a copy of everything I have ever put on this computer. Thus, every
| method I have used to reformat the hard drive (and believe me, I have used a
| lot of different methods for this), or to control this menace, is copied as I
| shut down, and when I reboot, they have engineered the program so as to make
| it appear to work when it is not.
|
| I just read this thread called "Security Problem?" and it sounds like this
| is something that would be easy enough to do.
|
| Or am I really just crazy?
|
| Thanks!

Are you using SpyBot Search and Destroy v1.4? The DSO Exploit is very old and was fixed long ago and should not be a factor in WinXP. Earlier versions of SpyBot S&D repeatedly falsely declared the DSO Exploit; that has long since been corrected by new signatures and by SpyBot S&D v1.4.

I don't see anything else in your post so I think you are overreacting. I do suggest that you use and perform the following to make sure there is no malware on your PC.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }

This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm