owned pc-need your imput pls

ok guys hi and ty for your answers and solutions
its not my pc:) learned few tricks here
my friend called me that her pc is getting crazy with poip ups and her daughter is 12 yrs old and she is using this pc the most.
its old p3 with xp pr and 256mg but hardware probably not important here.
She has modem dial up.(set up by friend)
i went to her place instaled ad-aware and spybot 1.4 and cc(crap cleaner) and found quite a lot objects and files which shouldnt be there(500).
but noticed one of files was trojan and when i did netstat-a to see the conection there were some very strange lettters there.
my question is this?
if somone broke to her computer and use it to surf the net or to do whatever he/she wants connection for any reason does everywhere he goes and
does is visible on my friend pc or its on attacker pc.
i am not sure if i am expressing myself clearly here.
when i look into the history of internet explore it was able to look 2 weeks back.lot of porno sites and usual crap but wat was interesting time and date on pc was different(set for 17/8/2005.
when i calculated excact time and day noone was this hours in house except grandmother 85 yrs old.possible remote access because its xp?
i think here is case of social engenering where person who instaled her upgrade month ago maybe used this feature without her knowlage(no professsionlly employed tehnician)
Or maybe boyfriend of older gelfriend knows password and user name to log in.but if you log in from say your pc(just to setup internet connection with her details )that has nothing to do with this fisical pc.
So is this somone acctually using her pc(in the house) or how this things work.??
sry dont really know how to ecplain it but if you have questions pls ask
how did all that crap come to her pc>somone surfing from her pc or somone on remote acces and is still all visible on this pc?
thnks

Just my guess, but if her only internet access is via a dialup modem, I doubt someone would remotely use it to surf porn. That is WAY too slow.

First of all, keep an eye on the grandmother...its always the last one you'd expect ;) Sounds to me that if your browser history is full of porn, someone is using your PC to visit porn sites. The trojan you got is probably from one of the sites. I bet's its the boyfriend.

Well, before assuming the worst, she might wanna monitor the activity of the 12 yr old.
maybe install a site blocker. If some outsider set up her internet connection and account and she thinks that they are using her account, tell her to change her password.
This goes without saying, but make sure you kill that trojan.

Quote:

---

but noticed one of files was trojan and when i did netstat-a to see the conection there were some very strange lettters there.

---

Is their anyway you can cut and paste the output of netstat -A? If this is an XP machine you should try netstat -ano check out what PID it's using then use this command tasklist /svc and match the PID to the 'image name' it's a start.
I would also recommend installing some AV software on this machine with AV definiations fully updated. Then do a full system scan and see what it detects.

Quote:

---

if somone broke to her computer and use it to surf the net or to do whatever he/she wants connection for any reason does everywhere he goes and
does is visible on my friend pc or its on attacker pc.

---

If this PC has been breached then yes the attacker could see what the remote user is doing on her PC for sure. Trojans Like Sub7 Back orifice do such things etc...

Quote:

---

how did all that crap come to her pc>

---

Not to be rude or anything like that but a lot of times customers do this to themselves and don't realize it. Heres an example, customer is online at walmart.com just shopping, surfing the net etc... then all of a sudden while looking at walmart.com a pop up comes up "2 for 1 price at applebees" customer clicks on it, then BAM, all these unwanted ads and pop ups appear while they are just trying to surf the net. Customer is mad about this sort of thing because the pop ups wont stop (I never got pop ups on AOL they state) and they call and get hostile, very nasty, short with you and start cussing @ customer support because we didn't *protect their computers* from this. Even though they're the ones who infect themselves and BTW Yes this is a true story.

It is even ridiculous to think that someone gained access to that PC to surf porn sites .... this makes no sense whatsoever .... I prone to believe that the computer has been used physically by someone to surf porn .... If you said that some one installed a links to porn websites by adding them into the Favorites, I would say that someone could plant a malware or a trojan is playing behind the scene ..... am ought with thoughts ...

But if you are still baranoid .... use the magic command ... C:\Format ... :D

Cheers

After it is cleaned or reloaded make sure they change all their passwords in case they were scooped.

It could be anyone....that has physical access to the computer IMHO

I have 3x11 year olds....(twins plus partners kid)...and they make me blush with some of the things they are saying.

The way I curbed it was stop fixing their computer....til they whined so much that it was too slow blah blah blah...

I then showed them that I know what sites they were at...even if they clear thier cookies\history. (a little tool I found on this site)....talk about blushing...and I am not just talking about the kids :eek:


What I am saying...is teach them.....not just the kids...and show them that you can tell where and when and what they were doing....and explain how it compromises your computer ...and privacy

Create seperate accounts for everyone...and dont give them admin rights

Just some thoughts...

MLF

MLF, about that tool....

Quote:

---

I then showed them that I know what sites they were at...even if they clear thier cookies\history. (a little tool I found on this site)....talk about blushing...and I am not just talking about the kids

---

What tool is that? Sounds very interesting.

RedCliffWebHistorian....reads the .dat files ;)

posted by TigerShark....

MLF

Quote:

---

C:\Format ...

---

.... and the prize for the most useless piece of information goes to..... Black Cluster..... ;)

Unless the user has moved format.com from the system32 folder to the root this command would not work.... The correct command would be

format c:

Just keeping it straight here..... :D

Quote:

---

Originally posted here by Tiger Shark


.... and the prize for the most useless piece of information goes to..... Black Cluster..... ;)

Unless the user has moved format.com from the system32 folder to the root this command would not work.... The correct command would be

format c:

Just keeping it straight here..... :D

---

LOL!!! LMAO!!!

Isnt that

format C: /y

;)

MLF

it's also possibe that nobody was 'surfing porn'.

the nature of porn-poppers is to make money from porn sites by reffering people to them. to accomplish this they secretly download software onto the computers of unknowing users which then proceeds to open pop-ups. each popup is recorded by the site that it opens and is counted as a hit. a very small amount is paid for each original hit so the more sites the malware maker can make aggangements with and the more computers they can get to go to those sites the more money they will make. for the site it's a numbers game...a certain percentage WILL sign-up.

the malware responsible for the pop-ups can be downloaded onto a computer from porn sites but that doesn't have to be the case. many sites that people go to for "free" stuff, including cutesy graphics for kids, are spreaders of malware. some people make their money just by setting up sites that download other peoples malware. some others include it in attractive sounding freeware. they're not too pickey as to who made the malware or what it does once it gets onto someone's computer. as long as they're getting paid.

every pop-up that's opened leaves it's mark in browsing history so finding porn sites listed there does not necessarly mean someone was intentionaly viewing porn.

Quote:

---

Unless the user has moved format.com from the system32 folder to the root this command would not work.... The correct command would be

format c:

Just keeping it straight here.....

---

For shits and giggles I just tried that on my system format c: heres the output;

Quote:

---

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\computernerd22>format c:
The type of the file system is NTFS.

WARNING, ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)? y
Verifying 6142M

Format cannot run because the volume is in use by another
process. Format may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N) y
Cannot lock the drive. The volume is still in use.

C:\Documents and Settings\computernerd22>

---

;)

Computernerd,

did you get all the shits and giggles you anticipated? :D

Quote:

---

Computernerd,

did you get all the shits and giggles you anticipated?

---

Does a bear **** in the woods? ;)

LOL

thanks for your imput guys/girls.
she only have a modem dial up so i think all is getting to somone having phisical access i think
she was on net with no antivirus program, no firewalls and no knowlage about pc whatsoever.
i didnt have much time to play with it because until i downloaded all needed tools it was ages on dial up.
dont you hate having friends which have no idea and they dont know why sudenly nothing works and they didnt touch nothing and i have to drive 2 hours to clean up their crap for free uhhhhhh

and talkking about blushings ....seen few around when only gone trough history hehehe.
it look like that i will be gatting some phone calls from here again:(
ty for your help now she has clean pc. firewall and antivirus and administrative account with password(told her not to trust her inocent 12 yrs old girlwhen it coimes to pc)
it puzzles me how the p2p winmx was instaled on it when daughter has limited user.
but then mother account(admin)doesnt have a password.

i said to my friend its nice to know we have very inteligent kids who think we are stupid
ty once more

My personal vote would be to nuke it from orbit and then rebuild it in a safer configuration.

No PC anywhere should be in use without anti-virus software. If necessary get AVG, but in reality go and pay for something decent. I personally like the version of ZoneAlarm with integrated Anti-Virus - that's a nice product and not too expensive.

Also.. ditch Internet Explorer. That's really one of the best and simplest (and cheapest) things that you can do. Hide the icon somewhere and use Firefox (or Opera.. or Mozilla) instead. Do the same for the mail client.. use Thunderbird, Eudora or something else.

Don't forget to patch the PC up to the very latest patches you can find. Really big ones like Service Packs are best applied from a CD after being downloaded on broadband.

Quote:

---

she was on net with no antivirus program, no firewalls and no knowlage about pc whatsoever....dont you hate having friends which have no idea and they dont know why sudenly nothing works and they didnt touch nothing and i have to drive 2 hours to clean up their crap for free

---

That's what friends are for :halo: If you pass on advice as well as fixing the machine you're doing all you can. I don't charge my friends for fixing their PCs but most are nice enough to chuck some beers or a bottle of wine my direction :drink:

Baked goods are always acceptable too :)

Computernerd, don't you just miss how back in the "Win98" days, that would of worked? =/
Sure was a lot easier than popping in the XP setup disk.

Quote:

---

back in the "Win98" days

---

Those days are still alive and well here. I always have 98 on one of my HDDs. Obviously not the only OS, but you have to love it's simplistic nature. So when I want a flash from the past, I just "Start It Up" :D

!~cheers~!

i still Win98 occasionally too!

dynamo
i think instead of hiding ie you can go to control panel>add or remove programs or windows components and then on left hand side press remove windows components and untick internet explorer.

ty guys for your responces its interesting to see all oppinions which goes from cleaning pc from crap, pathcing it, virus/firewall instalaation to reformating c: to bomb it and sestroy it:)
tnkhs