RE: VERY strange problem? HELP!
- Posted by CoJaBo <cojabo at suscom.net> Jun 28, 2004
- 478 views
Kat wrote:
>
> On 27 Jun 2004, at 9:40, CoJaBo wrote:
>
> > posted by: CoJaBo <cojabo at suscom.net>
> >
> > irv mullins wrote:
> > >
> > > CoJaBo wrote:
> > > >
> > > > I already have AdAware and I just ran a scan, and found nothing.
> > > > The time that the hacker took control of my computer and hacked my
> > > > accounts it had found well over 800. No, that is not a misteak.
> > > > I had to reformat the hard drive to get rid of them...
> > > > I also have SpyBot S&D, it just found the normal:
> > > > a what's related link and a bunch of cookies (Mmmm... cookies!)
>
> You realise cookies can be made executable too?
>
> > > 800 must be some kind of record!
> > Sorry, I forgot to include the additional 300 that SpyBot S&D found.
> > I had also found the source: an ActiveX super-virus, it got past
> > 2 firewalls and my virus scanner. This one alone was the reason I
> > had to reformat and reinstall; no matter what it would reinstall
> > itself and at least 500 others.
>
> Yes, isn't ActiveX great? The thing is: *ALL* scripting languages run thru
> firewalls like rain thru clouds. That includes ActiveX, VB, VBS, Java, JS,
> everything on an html "link" tag (great for hiding java/script downloads!).
> And it's true IE will execute html in a .jpg or other pic file, and while I
> haven't tried it, I imagine netscrape will also execute html in a web url
> ending in .jpg.
>
> > > Anyway, three of the symptoms you mentioned are common signs of infection:
> > >
> > > > > -Mouse moves on its own
> > > > > -Browser opens up random page
> > > > > -Internet connection is extremely slow
> > >
> > > If that's still happening, then perhaps something is still there, but
> > > not recognized by Ad-aware/SpyBot. Do you have a really good firewall
> > > in place? How about a way to monitor outgoing traffic to see if your
> > > computer is busy sending out spam?
> > I use Norton Internet Security and a router with a hardware firewall.
> > None are reporting anything odd except connections to unknown computers:
> > 192.168.100.1
> > 10.150.1.103
>
> Pop open mirc, and type:
> /dns 192.168.100.1

None of the 3 computers or the router use 192.168.100.1, also, the router
only assigns addresses in the 192.168.2.1-100 range.
192.168.100.1 doesn't respond to a PING, but 10.150.1.103 does.
I have confirmed 10.150.1.103 isn't part of the LAN, the ISP probably uses
it for something.
The LAN addresses are:
192.168.2.1 (router)
192.168.2.30 (this one)
192.168.2.8
192.168.2.44

> and you should see yourself. Errr, your computer's name, or something else
> you'd recognise.
>
> Those are both LAN addresses. I suspect the 192.168... is your computer or
> router, and the 10.150.. (unless it's you) is on your isp. Neither address
> should be on the internet, and you should firewall the following to/from the
> internet:
>
> 10.0.0.0 - 10.255.255.255
> 172.16.0.0 - 172.31.255.255
> 192.168.0.0 - 192.168.255.255
>
> Kat
>
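
The check discussed in this exchange, sorting logged peer addresses into known LAN hosts, unknown hosts on the LAN, private addresses outside the LAN, and public addresses, as an added example that is not part of the original posts. It assumes the router's LAN is 192.168.2.0/24 (the post gives only the assigned range, not the netmask); the function names and the sample list are constructed for illustration.

```python
import ipaddress

# The three private ranges Kat lists, written in CIDR form.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the LAN is 192.168.2.0/24; the post states only that the
# router assigns 192.168.2.1-100.
LAN = ipaddress.ip_network("192.168.2.0/24")

# Hosts CoJaBo lists as belonging to the LAN.
KNOWN_HOSTS = {ipaddress.ip_address(a) for a in
               ("192.168.2.1", "192.168.2.30", "192.168.2.8", "192.168.2.44")}


def classify(addr):
    """Return a label for one peer address seen in a firewall log."""
    ip = ipaddress.ip_address(addr)
    if ip in KNOWN_HOSTS:
        return "known-lan-host"
    if ip in LAN:
        return "unknown-host-on-lan"   # on the subnet but not in the inventory
    if any(ip in net for net in PRIVATE_RANGES):
        return "private-off-lan"       # private range, but not this LAN
    return "public"


def review(peers):
    """Map each peer to its label; unparsable entries are labelled 'invalid'."""
    report = {}
    for peer in peers:
        try:
            report[peer] = classify(peer)
        except ValueError:
            report[peer] = "invalid"
    return report


if __name__ == "__main__":
    # Constructed sample: the two addresses from the post plus edge cases
    # (172.32.0.1 sits just outside the 172.16.0.0 - 172.31.255.255 range).
    sample = ["192.168.100.1", "10.150.1.103", "192.168.2.8",
              "192.168.2.77", "172.32.0.1", "not-an-ip"]
    for peer, label in review(sample).items():
        print(f"{peer:15} {label}")
```
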