-
November 6th, 2006, 09:15 PM
#1
Junior Member
m$ firewall/network/sockets?
not sure where to put this as so much has gone wrong 'over night'
running xp home sp2, avast antivirus, windoz firewall
all ok last night
avast (on auto update) when rebooted can not start 5 of the protection services (NNAMP POP3 STMP) protection
m$ firewall will not start try and manually start it get error
'..because the associated service is not running. Do you want to start the W$ firewall/ics service'
network (this gets weird)
if i ping an local ip 192.168.2.2 the laptop beeps?!! and then says pinging 'oy' with 32 bytes of data. what is the beep and what is oy all about (usually ip address)
i can not ping www.google.com but can ping it's unresolved ip 64.233.183.147??
finally using wireshark (ethereal) there are 2 unknown mac addresses on the laptop compal_8e:f0:21 and intelcor_45:73:9a and these are doing so weird sh1t like 'gratuitous arp'??
my other computers are ok (at the mo!!)
oh i have tried to reset winsocks but there is a dll file missing ifmon.dll.......
any thoughts
like to fix rather than reinstall!
cheers
psaux
a
-
November 7th, 2006, 08:51 AM
#2
Disconnect it from your network!!!
Three possibilities spring to mind:
1. Your HDD is about to go South and you are getting file corruption...............try a surface scan in safe mode.
2. You have a nasty malware infection. Scan in safe mode with:
- antivirus
- EWIDO
- SpyBot Search & Destroy
- AdAware SE
3. You are "owned"
If it is #3 you have no real choice other than to reformat and reinstall.
-
November 7th, 2006, 09:05 AM
#3
backup what you can, and format and re-install, you could sit there for hours possibley days, trying to save your laptop, but in the end you would never know for sure if there is any other backdoors etc lying around etc..
also don't use the Administrator account, or another account with Administrator priveledges for day to day internet surfing etc, only use it when you really need to.
cheers
acidtone..
-
November 7th, 2006, 12:14 PM
#4
acidtone,
I agree entirely mate! reformat and reinstall is the only reliable solution, and it does look as if he has been "owned". If a customer were to bring that box to me, that is exactly what I would do.
However, if psaux wants to use it as an educational exercise then the tools I suggested are a good start. Then run HijackThis! and check what is still running.
Even after I had satisfied myself, curiosity wise, I would still reformat and reinstall
As you rightly say, you can never be certain otherwise, and it is the quickest solution. I would have thought the time would be better spent hardening the fresh installation to prevent it happening again?
But that is just me
-
November 7th, 2006, 04:37 PM
#5
Junior Member
i agree with all of the above
i know a little forensics but not much
something to ask what exactly does owned mean
have a rough idea but what are the principles
finally had ethereal up and running during a shutdown and a whole mess of user interface and sent requests zipped past!!!
scary thing is this laptop is on a LAN
-
November 7th, 2006, 06:05 PM
#6
Hi psaux,
Firstly let me apologise for not welcoming you to AO........... as a moderator it is something I should have done out of duty as well as good manners.... belated welcome my friend!
Now.............. Please, Please, get that box disconnected from the network!!!!!
These things are best "fought in private" in my opinion........... if you have been owned then the "botmaster" or "botherder" can access it with full admin rights and start to attack the rest of the network!
That is what "being owned" means. Someone, somehow has managed to install code on the machine that makes it "phone home" or be externally accessed. They will have admin rights and can/have install(ed) trojans, backdoors, password sniffers, keyloggers, spam spewers and God knows what else?
The only thing I have never seen is one that installed the password to the refrigerator where they kept their beer
Seriously, take it offline and wipe it. You might have time to do a mirror of the HDD so you can play with that on a "labrat" ( an independent laboratory analysis machine), but I do not know your circumstances......... me/ I have "labrats", "decoys" and "ARVs" (Armoured Reconaissance Vehicles........... for going on the "darkside")
Cheers
Johnno
-
November 7th, 2006, 09:02 PM
#7
Junior Member
yep pulled out the wireless network card
knew things were really fubar when opera would not work even after a re install
shame the wife will not let me put linux on it!! (her laptop)
propbably will have a play on it first to see if i can find anything else and then fry the HD
not sure why other boxes on network not 'owned'!!!
cheers for your welcome btw
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|