network routing without my permission

Anonymous
August 24, 2005 1:20:06 PM

Archived from groups: microsoft.public.windowsxp.security_admin

About 6 months ago I found out my 2 WinXP computers had been hijacked. After
working with wonderful help of Microsoft tech support I thought I was able to
correct the problems...but I was wrong!

I will start from the beginning:

One day trying to access my banking website I found my password had been
changed so I "fixed" the password and went on about my business. A few days
later a virus tried to install itself on one of the computers and I stopped
it. Using Symantec security suite at the time I thought I was safe, but
decided to do a little digging around to see what else was happening. I
checked the firewall settings and found MANY things were being allowed to
access the computer. I was stumped!

I downloaded a process viewer so I could see more detail as to just what
process were running and doing so I found that my WinXP taskmanager was a
fake and (it was long ago so I can't remember the name) was hiding the real
taskmanager. When I hit Ctrl+Alt+Del, the fake manager was activated. The
process manager I downloaded was able to bring up the "taskmanager behind the
fake taskmanager" that showed all the evil processes that had been running on
this computer for I have no idea how long.

After reinstalling several times even after reformatting the hard drive, the
issue was still there...remember during this time I was NOT connected to the
internet.

I then bought a new hard drive, flashed the bios so I could start on a clean
system. I still found traces of the hijacking after that. I bought a hard
drive cleaning utility, WipeDrive, and did it all again...Long story short I
gave up and took the computers to a computer tech and had them taken care of.

Gladly getting the computers back, I had my arsenal prepared of McAfee
Security Suite 7, Microsoft AntiSpy, Spy Sweeper along with the others
suggested ready to install.

Computers up and running with protection and a Linksys router with firewall
enabled, they were back online.

Within a few days they were hijacked again! After many hours with Microsoft
tech support (bless them) we found a hardware problem with the RAM! After
installing new RAM, computers back running again...for a while.

Within a few weeks I noticed things slowing and acting funny. This time I
decided to try to figure this one out myself. Running Netstat I found many
listening connections. I downloaded a network monitoring utility and watched
as several IP addresses connected to those listening ports and eventually IE
6, Firefox, Outlook Express and Thunderbird were tunneling through those
ports. I am in so OVER my head at this point!

I have watched this happen so I could try to learn what was happening. I
have wiped the hard drive several times and reinstalled to watch it happen
all over again. I can block IPs for a while but eventually they get
through again.

If the blocking would work I wouldn't be writing this, but for some reason
some of the blocked IPs won't allow me to get to certain web sites. I thought
it was just Yahoo mail. When I try to access that site the browser kinda
hangs and McAfee firewall pops up with inbound traffic trying to access a
certain set of IPs with port event information of many connection attempts
and the browser never gets into the Yahoo mail site. For a while I thought
it was Yahoo and maybe it was being done on purpose so I unblocked it. Later
I found that other sites like Amazon and other commercial sites also were
being re-routed. This set of IPs were from Europe, Korea, China and Japan so
I just don't believe it's supposed to happen.

I do not want to have to pay someone to figure this out only to have it
happen again!

This has been a long story and thank you for having the patience to read it
through. If you have answers, please help!
Anonymous
August 24, 2005 1:45:43 PM

"Cindy" <Cindy@discussions.microsoft.com> wrote in message
news:A34678C8-FFA5-46D2-B765-ADBE8853566B@microsoft.com...
> About 6 months ago I found out my 2 WinXP computers had been hijacked.
> After
> working with wonderful help of Microsoft tech support I thought I was able
> to
> correct the problems...but I was wrong!
>

I think the key to your problems is in this statement: "my 2 WinXP computers".
Did you have both computers disconnected from the Internet while they were
being cleaned? The procedure is to disconnect everything from the Internet
including the router. Disconnect both computers from the router. Delete all
partitions on all hard drives on both computers then reinstall Windows.
Better yet use a utility to overwrite track zero on all hard drives. Make
sure the router is not connected to the Internet. Reset the router to the
factory settings as per the manual. Hook up one of the computers to the
router and make sure the router is not set for remote management and change
the password for it. You may even want to flash the BIOS of the router. This
is to ensure it is not the router being hacked. Hook up the router to the
Internet and hook up the remaining computer to the router. Download and
install the latest drivers and Microsoft Updates for both computers. Install
a good antivirus package on both computers. If you still get hacked then it
must be some program you are installing that does it.

Kerry
Anonymous
August 24, 2005 2:27:03 PM

Kerry,

I did do most of the things you have suggested except flash router
BIOS...didn't know about that. Matter of fact I gave up and am only working
with one computer at a time...one is horribly taken over and not being used
for ANYTHING important.

The one computer I am working with is not and has not been connected to the
router for quite a while. The router firewall log is how I found the problem
in June that caused me to disconnect and start again.

The software I install BEFORE connecting to internet is WinXP SP2 and McAfee
Security Suite 7. I then have to use the motherboard software CD to update
the network card. I have the Microsoft book: Windows XP Inside Out and use
it to disable services not needed. Then I turn off automatic updates and
connect to the internet and update McAfee. Then I update WinXP.

I have a list of some of the IPs needed to be blocked and block them before
going online. Still I notice activity happening shortly after going online.
This is why I am wondering if somehow MY internet IP has somehow connected
somewhere "out there" that automatically connects the computer and writes
something to the registry. I don't have much registry knowledge. I have
been reading through the registry and searching for help on the internet as
I go along.

I do believe something actually installs itself and rewrites .dll's because
the dll's used are WinXP.

Thank you for your help...keep sending suggestions...I will update!

"Kerry Brown" wrote:

> "Cindy" <Cindy@discussions.microsoft.com> wrote in message
> news:A34678C8-FFA5-46D2-B765-ADBE8853566B@microsoft.com...
> > About 6 months ago I found out my 2 WinXP computers had been hijacked.
> > After
> > working with wonderful help of Microsoft tech support I thought I was able
> > to
> > correct the problems...but I was wrong!
> >
>
> I think the key to your problems is in this statement "my 2 WinXP computers"
> Did you have both computers disconnected from the Internet while they were
> being cleaned? The procedure is to disconnect everything from the Internet
> including the router. Disconnect both computers from the router. Delete all
> partitions on all hard drives on both computers then reinstall Windows.
> Better yet use a utility to overwrite track zero on all hard drives. Make
> sure the router is not connected to the Internet. Reset the router to the
> factory settings as per the manual. Hook up one of the computers to the
> router and make sure the router is not set for remote management and change
> the password for it. You may even want to flash the BIOS of the router. This
> is to ensure it is not the router being hacked. Hook up the router to the
> Internet and hook up the remaining computer to the router. Download and
> install the latest drivers and Microsoft Updates for both computers. Install
> a good antivirus package on both computers. If you still get hacked then it
> must be some program you are installing that does it.
>
> Kerry
>
>
>
Anonymous
August 24, 2005 3:42:00 PM

"Cindy" <Cindy@discussions.microsoft.com> wrote in message
news:DB07F07A-4C79-49EB-8083-FA4D96181324@microsoft.com...
> Kerry,
>
> I did do most of the things you have suggested except flash router
> BIOS...didn't know about that. Matter of fact I gave up and am only
> working
> with one computer at a time...one is horribly taken over and not being
> used
> for ANYTHING important.
>
> The one computer I am working with is not and has not been connected to
> the
> router for quite a while. The router firewall log is how I found the
> problem
> in June that caused me to disconnect and start again.
>
> The software I install BEFORE connecting to internet is WinXP SP2 and
> McAfee
> Security Suite 7. I then have to use the motherboard software CD to
> update
> the network card. I have the Microsoft book: Windows XP Inside Out and
> use
> it to disable services not needed. Then I turn off automatic updates and
> connect to the internet and update McAfee. Then I update WinXP.
>
> I have a list of some of the IPs needed to be blocked and block them
> before
> going online. Still I notice activity happening shortly after going
> online.
> This is why I am wondering if somehow MY internet IP has somehow connected
> somewhere "out there" that automatically connects the computer and writes
> something to the registry. I don't have much registry knowledge. I
> have
> been reading through the registry and searching for help on the internet
> as
> I go along.
>
> I do believe something actually installs itself and rewrites .dll's
> because
> the dll's used are WinXP.
>
> Thank you for your help...keep sending suggestions...I will update!
>

It is very unlikely the router was compromised. I was trying to cover all
the possibilities. The only explanation I can come up with is something you
are installing has a trojan in it. Are there any other users than you? Are
you using any P2P software to download software or music? Do you use MSN
Messenger, ICQ, AOL Messenger, etc.? Download and run Hijack This. Post the
log to an appropriate forum.

http://www.spywareinfo.com/~merijn/htlogtutorial.html

http://forums.majorgeeks.com/showthread.php?t=38752

http://castlecops.com/HijackThis.html

There are many more. Google for more if needed.

Kerry
Anonymous
August 24, 2005 5:50:38 PM

From: "Cindy" <Cindy@discussions.microsoft.com>

| About 6 months ago I found out my 2 WinXP computers had been hijacked. After
| working with wonderful help of Microsoft tech support I thought I was able to
| correct the problems...but I was wrong!
|
| I will start from the beginning:
|
| One day trying to access my banking website I found my password had been
| changed so I "fixed" the password and went on about my business. A few days
| later a virus tried to install itself on one of the computers and I stopped
| it. Using Symantec security suite at the time I thought I was safe, but
| decided to do a little digging around to see what else was happening. I
| checked the firewall settings and found MANY things were being allowed to
| access the computer. I was stumped!
|
| I downloaded a process viewer so I could see more detail as to just what
| process were running and doing so I found that my WinXP taskmanager was a
| fake and (it was long ago so I can't remember the name) was hiding the real
| taskmanager. When I hit Ctrl+Alt+Del, the fake manager was activated. The
| process manager I downloaded was able to bring up the "taskmanager behind the
| fake taskmanager" that showed all the evil processes that had been running on
| this computer for I have no idea how long.
|
| After reinstalling several times even after reformatting the hard drive, the
| issue was still there...remember during this time I was NOT connected to the
| internet.
|
| I then bought a new hard drive, flashed the bios so I could start on a clean
| system. I still found traces of the hijacking after that. I bought a hard
| drive cleaning utility, WipeDrive, and did it all again...Long story short I
| gave up and took the computers to a computer tech and had them taken care of.
|
| Gladly getting the computers back, I had my arsenal prepared of McAfee
| Security Suite 7, Microsoft AntiSpy, Spy Sweeper along with the others
| suggested ready to install.
|
| Computers up and running with protection and a Linksys router with firewall
| enabled, they were back online.
|
| Within a few days they were hijacked again! After many hours with Microsoft
| tech support (bless them) we found a hardware problem with the RAM! After
| installing new RAM, computers back running again...for a while.
|
| Within a few weeks I noticed things slowing and acting funny. This time I
| decided to try to figure this one out myself. Running Netstat I found many
| listening connections. I downloaded a network monitoring utility and watched
| as several IP addresses connected to those listening ports and eventually IE
| 6, Firefox, Outlook Express and Thunderbird were tunneling through those
| ports. I am in so OVER my head at this point!
|
| I have watched this happen so I could try to learn what was happening. I
| have wiped the hard drive several times and reinstalled to watch it happen
| all over again. I can block IPs for a while but eventually they get
| through again.
|
| If the blocking would work I wouldn't be writing this, but for some reason
| some of the blocked IPs won't allow me to get to certain web sites. I thought
| it was just Yahoo mail. When I try to access that site the browser kinda
| hangs and McAfee firewall pops up with inbound traffic trying to access a
| certain set of IPs with port event information of many connection attempts
| and the browser never gets into the Yahoo mail site. For a while I thought
| it was Yahoo and maybe it was being done on purpose so I unblocked it. Later
| I found that other sites like Amazon and other commercial sites also were
| being re-routed. This set of IPs were from Europe, Korea, China and Japan so
| I just don't believe it's supposed to happen.
|
| I do not want to have to pay someone to figure this out only to have it
| happen again!
|
| This has been a long story and thank you for having the patience to read it
| through. If you have answers, please help!
|

The first and foremost protection of a PC is using Safe Hex practices.
http://www.claymania.com/safe-hex.html

If you fail to protect yourself against Social Engineering techniques, then you will easily
get re-infected with viral or non-viral malware. If you formatted a hard disk, re-installed
the OS and were hijacked again you must look at YOUR actions that got you infected. Unless
you had a true virus in the form of a Boot Sector Infector, it would not survive a hard disk
format.

As for a Router being compromised, the chances of that are extremely low. However, there
are ways to mitigate a Router being compromised and protect the LAN side of the Router from
Internet worms and hackers and to keep your MS Networking from leaking out from the LAN side of
the Router to the WAN side.

The Router should have the following settings...

Enable -- "Block WAN request"
Disable -- "Remote Management"
Disable -- "Remote Upgrade"

Block both TCP and UDP ports 135 ~ 139 and 445.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
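Cindy describes running Netstat, seeing many listening ports, and watching outside addresses connect to them; Dave lists the Windows networking ports (TCP and UDP 135 through 139 and 445) the router should block. As an added example (not code from any poster in this thread), the Python script below parses a constructed sample of Windows `netstat -ano` output, lists every bound port, flags sockets listening on the ports Dave says to block, and pairs each established connection to a non-LAN address with its owning PID so the row can be matched against a process viewer. The sample output, the explicit RFC 1918 LAN definition, and the "suspicious PID" heuristic (a process that both listens on a non-standard TCP port and holds a connection to an Internet host, the pattern Cindy describes) are this example's own assumptions, not facts from the thread.

```python
"""Triage helper for `netstat -ano` output on Windows (the -o column gives the PID).

Added example; the sample output below is constructed, not captured from anyone's machine.
"""
import ipaddress

# Ports Dave recommends blocking at the router for both TCP and UDP: 135-139 and 445.
ROUTER_BLOCKED_PORTS = set(range(135, 140)) | {445}

# RFC 1918 ranges plus loopback. Spelled out explicitly because ipaddress.is_private
# also matches the TEST-NET documentation ranges used in the sample below.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the Windows XP `netstat -ano` layout (assumption: not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.5:1045       198.51.100.23:80       ESTABLISHED     2212
  TCP    192.168.1.5:31337      203.0.113.77:4444      ESTABLISHED     1588
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); '*:*' on UDP rows yields ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue
        if tokens[0] == "TCP":
            proto, local, foreign, state, pid = tokens
        else:
            proto, local, foreign, pid = tokens  # UDP rows have no State column
            state = ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def is_lan(host):
    """True for wildcard/unparseable hosts and for addresses inside LAN_NETWORKS."""
    if host in ("*", ""):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in LAN_NETWORKS)


def listening_sockets(rows):
    """Every bound port: TCP rows in LISTENING state plus all UDP rows."""
    return [r for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def exposed_blocked_ports(rows):
    """(proto, port) pairs bound locally on the ports the router should be blocking."""
    return sorted({(r["proto"], r["lport"]) for r in listening_sockets(rows)
                   if r["lport"] in ROUTER_BLOCKED_PORTS})


def remote_established(rows):
    """Established TCP connections whose peer is outside the LAN, with owning PID."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and not is_lan(r["fhost"])]


def suspicious_pids(rows):
    """PIDs that listen on a TCP port outside the usual Windows networking ports
    and also hold a connection to an Internet host (heuristic, an assumption)."""
    listen_pids = {r["pid"] for r in listening_sockets(rows)
                   if r["proto"] == "TCP" and r["lport"] not in ROUTER_BLOCKED_PORTS}
    remote_pids = {r["pid"] for r in remote_established(rows)}
    return sorted(listen_pids & remote_pids)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("bound on router-blocked ports:", exposed_blocked_ports(rows))
    for r in remote_established(rows):
        print(f"PID {r['pid']} -> {r['fhost']}:{r['fport']} from local port {r['lport']}")
    print("PIDs to look up in a process viewer:", suspicious_pids(rows))
```

On a real machine, pipe `netstat -ano` into a file and pass its contents to `parse_netstat`; the PIDs it reports are the ones to look up in a process viewer, which is what let Cindy see past the fake Task Manager in the first place. Sockets bound on 135-139/445 are normal for Windows networking and are only a problem if the router lets WAN traffic reach them, which is why Dave's router rules matter more than the local listing.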