Thread: m$ firewall/network/sockets?

#1 psaux (Junior Member, joined Oct 2006)

Not sure where to put this, as so much has gone wrong 'overnight'.
Running XP Home SP2, avast antivirus, Windows Firewall.

All OK last night.

avast (on auto-update), when rebooted, cannot start 5 of the protection services (NNAMP, POP3, SMTP protection).

M$ firewall will not start; if I try to manually start it I get the error

'...because the associated service is not running. Do you want to start the Windows Firewall/ICS service?'

Network (this gets weird):

If I ping a local IP, 192.168.2.2, the laptop beeps?!! and then says pinging 'oy' with 32 bytes of data. What is the beep, and what is 'oy' all about (usually it shows the IP address)?

I cannot ping www.google.com but can ping its unresolved IP 64.233.183.147??

Finally, using Wireshark (Ethereal), there are 2 unknown MAC addresses on the laptop, compal_8e:f0:21 and intelcor_45:73:9a, and these are doing some weird sh1t like 'gratuitous ARP'??

My other computers are OK (at the mo!!).

Oh, I have tried to reset Winsock but there is a DLL file missing, ifmon.dll...

Any thoughts?

Like to fix rather than reinstall!

Cheers

psaux
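An added example, written for this edit and not code from the thread or from any of the posters: two of the symptoms in the post above (names not resolving while pinging by IP works, and unknown MACs sending gratuitous ARP) can be checked mechanically before the box is wiped, ideally from a second machine against a capture exported from Wireshark/Ethereal and a copy of the hosts file. The script parses raw Ethernet/ARP frames and flags gratuitous announcements, IPs claimed by more than one MAC, and frames whose Ethernet source disagrees with the ARP sender MAC (the latter two are spoofing signs Wireshark does not flag on its own); it also scans a Windows hosts file for entries that override well-known domains, which is one classic reason names stop resolving while IPs still work. The frames and hosts file are constructed inline (documentation MACs 00:00:5e:00:53:xx, private-range addresses), and the WATCHLIST domains are my assumption, not anything the post states about the laptop.

```python
"""ARP and hosts-file triage for the symptoms in the post above.
Added example, not code from the thread; all input is constructed inline
(documentation MACs 00:00:5e:00:53:xx, private-range addresses)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
# Assumption, not from the post: domains worth a second look if a hosts file overrides them.
WATCHLIST = ("google.com", "avast.com", "microsoft.com", "windowsupdate.com")

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)
def mac_bytes(text): return bytes(int(x, 16) for x in text.split(":"))
def ip_bytes(text): return bytes(int(x) for x in text.split("."))

def build_arp_frame(eth_src, sender_mac, sender_ip, target_mac, target_ip, op, eth_dst=BROADCAST):
    """Ethernet II + ARP (IPv4 over Ethernet); op 1 = request, 2 = reply. Used for the sample capture."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame):
    """Return the ARP fields of a raw frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def analyse_arp(frames):
    """Flag gratuitous ARP (sender IP == target IP, which is what Wireshark labels) plus two
    spoofing signs it does not flag by itself: one IP claimed by several MACs, and an
    Ethernet source that differs from the ARP sender MAC."""
    findings = []
    claims = defaultdict(set)  # ip -> MACs that have claimed it
    for raw in frames:
        p = parse_arp_frame(raw)
        if p is None:
            continue
        if p["sender_ip"] == p["target_ip"]:
            findings.append(("gratuitous_arp", f"{p['sender_mac']} announces {p['sender_ip']}"))
        if p["sender_mac"] != p["eth_src"]:
            findings.append(("mac_mismatch", f"frame from {p['eth_src']} carries sender MAC {p['sender_mac']}"))
        claims[p["sender_ip"]].add(p["sender_mac"])
    for ip, macs in claims.items():
        if len(macs) > 1:
            findings.append(("ip_conflict", f"{ip} claimed by {sorted(macs)}"))
    return findings

def check_hosts(text):
    """Return (line, address, name) for hosts entries overriding a watchlisted domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            n = name.lower().rstrip(".")
            if n == "localhost" and addr in ("127.0.0.1", "::1"):
                continue  # stock entry
            if any(n == d or n.endswith("." + d) for d in WATCHLIST):
                hits.append((lineno, addr, n))
    return hits

# Constructed capture: normal request/reply for the gateway, then a second MAC announcing
# the gateway's IP, then a reply whose Ethernet source and ARP sender MAC disagree.
A, G, B, C = "00:00:5e:00:53:01", "00:00:5e:00:53:aa", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
SAMPLE_FRAMES = [
    build_arp_frame(A, A, "192.168.2.2", ZERO_MAC, "192.168.2.1", 1),
    build_arp_frame(G, G, "192.168.2.1", A, "192.168.2.2", 2, eth_dst=A),
    build_arp_frame(B, B, "192.168.2.1", ZERO_MAC, "192.168.2.1", 1),
    build_arp_frame(B, C, "192.168.2.1", A, "192.168.2.2", 2, eth_dst=A),
]
# Constructed hosts file, not the poster's.
SAMPLE_HOSTS = """# sample
127.0.0.1       localhost
127.0.0.1       www.avast.com       # AV update host pinned to loopback
10.0.0.5        www.google.com
"""

if __name__ == "__main__":
    for kind, detail in analyse_arp(SAMPLE_FRAMES):
        print(f"[{kind}] {detail}")
    for lineno, addr, name in check_hosts(SAMPLE_HOSTS):
        print(f"[hosts line {lineno}] {name} -> {addr}")
```

To run it against a real capture, feed `analyse_arp` the raw frames (with scapy, for instance, `[bytes(p) for p in rdpcap("capture.pcap")]`) and `check_hosts` the text of `%SystemRoot%\system32\drivers\etc\hosts`. An `ip_conflict` on the gateway address, as in the constructed sample, is the pattern to look for when an ARP-spoofing host on the LAN is sitting between the laptop and its router; a watchlisted hosts entry pointing an AV vendor's update host at loopback is the kind of change that quietly breaks updates without touching the network stack.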

#2 nihil (Senior Member, Bridlington, UK)
    Disconnect it from your network!!!

    Three possibilities spring to mind:

1. Your HDD is about to go South and you are getting file corruption. Try a surface scan in safe mode.

    2. You have a nasty malware infection. Scan in safe mode with:

    • antivirus
    • EWIDO
    • SpyBot Search & Destroy
    • AdAware SE
    3. You are "owned"

    If it is #3 you have no real choice other than to reformat and reinstall.


#3 acidtone (Banned)
Back up what you can, and format and reinstall. You could sit there for hours, possibly days, trying to save your laptop, but in the end you would never know for sure if there are any other backdoors etc. lying around.

Also, don't use the Administrator account, or another account with Administrator privileges, for day-to-day internet surfing etc.; only use it when you really need to.

    cheers
    acidtone..

#4 nihil (Senior Member, Bridlington, UK)
    acidtone,

I agree entirely, mate! Reformat and reinstall is the only reliable solution, and it does look as if he has been "owned". If a customer were to bring that box to me, that is exactly what I would do.

However, if psaux wants to use it as an educational exercise then the tools I suggested are a good start. Then run HijackThis! and check what is still running.

Even after I had satisfied myself, curiosity-wise, I would still reformat and reinstall.

    As you rightly say, you can never be certain otherwise, and it is the quickest solution. I would have thought the time would be better spent hardening the fresh installation to prevent it happening again?

But that is just me.

#5 psaux (Junior Member)
I agree with all of the above.
I know a little forensics, but not much.
Something to ask: what exactly does "owned" mean?
I have a rough idea, but what are the principles?

Finally, I had Ethereal up and running during a shutdown and a whole mess of user interface and sent requests zipped past!!!

Scary thing is this laptop is on a LAN.

#6 nihil (Senior Member, Bridlington, UK)
    Hi psaux,

Firstly, let me apologise for not welcoming you to AO; as a moderator it is something I should have done out of duty as well as good manners. Belated welcome, my friend!

Now... please, please, get that box disconnected from the network!!!!!

These things are best "fought in private" in my opinion. If you have been owned then the "botmaster" or "botherder" can access it with full admin rights and start to attack the rest of the network!

That is what "being owned" means. Someone, somehow, has managed to install code on the machine that makes it "phone home" or be externally accessed. They will have admin rights and can install (or already have installed) trojans, backdoors, password sniffers, keyloggers, spam spewers and God knows what else.

The only thing I have never seen is one that installed the password to the refrigerator where they kept their beer.

Seriously, take it offline and wipe it. You might have time to make a mirror of the HDD so you can play with that on a "labrat" (an independent laboratory analysis machine), but I do not know your circumstances. Me, I have "labrats", "decoys" and "ARVs" (Armoured Reconnaissance Vehicles, for going on the "darkside").

    Cheers

    Johnno

#7 psaux (Junior Member)
Yep, pulled out the wireless network card.
Knew things were really FUBAR when Opera would not work even after a reinstall.

Shame the wife will not let me put Linux on it!! (her laptop)

Probably will have a play on it first to see if I can find anything else, and then fry the HD.

Not sure why the other boxes on the network are not 'owned'!!!

Cheers for your welcome, btw.
