Guest
Hi. First of all, apologies to Phillip for the TEST message yesterday. It was the first time I had been able to get out since Friday and I didn't want to type yet another message until I knew it would post. And no, that isn't my email addy.
WinXP Home SP1, (in a residence) Dell 4600c (refurb), 266 MHz, 256 RAM, 40GB HD, BEFSR41 Router w/WallWatcher attached (but nobody else doing ICS), set up 1/16/04. WU as of 2/11 said all criticals were installed. Office 2000 SP3 w/criticals installed. Norton A/V updated daily. But something still didn't feel right. Baseline Analyzer on Tues/18 said I was missing criticals MS02-050, 054, 072, 030, 051. All else was good except I was using my admin acct as a user, and I needed MSXML security updates 3.0 and 4.0. I didn't even know about those!!!?? WallWatcher started going crazy Fri/20. Logged 1,541 incoming and outgoing events, WW was off for 4 hours, and only 615 of them were out. Sat/21 had 5,547 events, only 840 out. Sun/22 2,930 events, 447 out. Most incoming were on Port 1214 and I don't have any p2p sharing. Then I noticed that many of the converted IP addresses were not from the US. Put my hands on a country code list and there were 30+ different countries represented. Also, 40 GB HD only had 10 GB free space and memory was critical. I came here Sat to post a "what is this" question, as Norton, Spybot, Ad-Aware all said A-OK. Kept crashing just as I would click "send". In fairly rapid order I discovered that CD burner was disabled, (no floppy drive), email attachments were wiped clean except for 1st page, and I was no longer the admin of my domain, so to speak. Admin tools showed a whole bunch of stuff in COM+ that I didn't do, apps and system event logs were full of errors and security log had numerous password failures on my acct and a friend's admin acct. Excel & Access going to COM+. Error 4609 that a file on d:\nt\com1x\src\events\tier1\eventsystemobj.cpp had a bad code return. D:\??? I only have a C=HD and a D=CDRW+DVD. Error 4689 about the CUSTOM components, also on D:\. I have no admin rights. Can't stop or start services. Booting up in safe mode did not fix the problem. Pulled DSL and plugged in later. The UN had not gone away.
Went to neighbor's house to borrow computer to try to reach ISP (earthlink). Neighbor, who also has earthlink DSL and same router, had the same COM+ components w/o his knowledge, but according to his limited router log did not have the UN knocking, yet. Called CERT on Monday/23 (2,249 total events, 441 out, DSL only on half the day). They asked for logs and by using a different domain email account, I got them to CERT. Never did reach earthlink, but what else is new? Monday night, without my help, admin rights came back. All of my files are dated Mon/23 between 11:30 AM and 8:?? PM and there is a lot of info, but nothing that makes sense to me????? I have lots of info I think, but I'm not sure what is pertinent or not. Now have 27.9 GB free HD space, but still have 45 processes going. Not sure how to interpret F-Port or TCP view. Stuff is still in COM
What do you all think? Can lightning strike twice? The Chinese Gov't hijacked our office DSL in the 2001 MayDay incident and used it to hack into a UK university. Earthlink called me that time... so did the FBI.
TIA, Carol