
HELP please – I think my computer’s been sabotaged!

Status
Not open for further replies.

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi everyone,

I’m afraid my firewall has somehow been breached and my computer has been sabotaged! Can anyone help me please? Here is as much background as I can give:

Two nights ago, I was working online when I heard a loud click from my hard drive. I was just reading something at the time, nothing that would require disk access, so I couldn’t think why it would have done that, but I shrugged it off and kept working.

The next morning, I couldn’t get my computer to boot. It kept hanging up, but finally after completely powering down and restarting maybe four or five times, it booted. I noticed that my firewall was deactivated, but again just shrugged and reactivated it. When I tried to connect to the internet (I have dial-up), over and over I would get a connection, but it would immediately be terminated, which had never happened before and seemed kind of strange. But I finally tried another phone number and was able to connect, so I thought it might be my ISP was having problems. Didn’t think much more about any of this, until I checked my firewall’s event log this evening, and was shocked to see that the last event recorded was from two nights ago! I generally get 1 or more hits per minute, so something was clearly wrong! I tried to test my firewall, and got the message:

“Unable to Probe
The IP address requesting this page is different from the IP address of your computer. This indicates that your computer is behind a proxy or NAT. These devices allow you to access the Internet by relaying traffic, typically from multiple computers, through a single IP address.”

My computer is not behind a proxy, and I’ve always been able to test the firewall successfully until now.

I’m not sure what’s wrong (could it be a worm or virus??) and I don’t know what to do, so I was hoping that since there are so many computer savvy people on this forum, someone might be able to help me fix whatever is the problem!

Thanks so much for any help anyone can provide!!!

Joni

P.S. Absolutely no one but Mark and I have access to the physical computer.
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi Clicknow,

Thank you so much for sharing those links!

I'm going to try them right now!

Joni

P.S. You know, I also do have McAfee's VirusScan on my computer which is kept updated automatically by McAfee! I'm still scratching my head at how something seems to have gotten past a firewall and virus protection!!
 

freestyler

Level 7
Legacy Exclusive Member
Joined
Jun 9, 2004
Messages
836
Reaction score
4
The best solution is to save all the data you want to and

RESTORE THE SYSTEM :)
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi Freestyler,

Thank you for your suggestion!

Do you mean reformat the drive, or is there a less drastic alternative?

Joni
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Just completed the virus scan - it said it didn't detect any viruses.
 

RMF

Level 8
Legacy Platinum Member
Joined
Sep 9, 2002
Messages
1,437
Reaction score
0
Usually when your hard drive starts making weird clicking sounds it means the hard drive is on its way out.
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Thank you, RMF - that's something I hadn't thought of!

But would that explain the lack of events in the firewall log, and my not being able to test the firewall? That message I got when I tried to test it was what really got me worried! If I'm understanding it right (and maybe I'm not!), doesn't it mean that anything going back and forth between my computer and the internet is first passing through another computer? In addition to the grave security risk, it's also kinda creepy! Like someone listening in on a private phone conversation!!

And if I do reformat the hard drive, how do I prevent this from happening again?? :worried:

Thanks again to everyone for your help!

Joni
 

MediaHound

Former DNF Admin
Legacy Exclusive Member
Joined
Feb 25, 2004
Messages
4,159
Reaction score
8
Just a thought - Did you look at your hosts file for unusual entries?
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi MediaHound,

Thanks for your reply!

Please excuse my ignorance, but what do you mean by "hosts file"? :emba:

Joni
 

MediaHound

Former DNF Admin
Legacy Exclusive Member
Joined
Feb 25, 2004
Messages
4,159
Reaction score
8
You need to search Google :-(

sorry

Just giving you a head start
 

MediaHound

Former DNF Admin
Legacy Exclusive Member
Joined
Feb 25, 2004
Messages
4,159
Reaction score
8
"Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, as long as the entry exists."

PS: back up all your data, your HDD is failing
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
MediaHound, thank you so much for all your help!

So are you thinking that I'm having these problems because someone has manipulated my Hosts file?

I will go right now and thoroughly read through that link you provided, and also back up my data. Thanks again for the tips!

Joni
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi MediaHound,

I'm backing everything up to CDs. I have a gazillion digital photos so disks just wouldn't work!

Here's what I found in my Hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

It looks almost exactly like the example file in the link you gave me.

You said there's a ton of things I could do to figure this out? Could you please suggest a few others? You don't have to do the research, just point me in the right direction!

Thanks again!

Joni
 

Beachie

Mr Flippy Returns..
Legacy Exclusive Member
Joined
Aug 13, 2002
Messages
2,003
Reaction score
8
The hosts file looks OK. Is your Norton AV doing a liveupdate correctly? The NetSky/Sasser worms block access to most AV sites, but they usually lock the hosts file so you can't open it. Easiest way to test is:

Start->Run

type: ping www.symantec.com

Then click the OK button. If the IP address being pinged is 127.0.0.1 it's a good indication you have NetSky.

The clicking hard disk sounds ominous. As RMF pointed out, it's almost always a sign that your drive is about to die. Consider yourself lucky that you got some warning, back up your stuff, and buy a new drive!
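
An added example, not part of the thread or any poster's code: the hosts-file inspection and the ping test discussed above, automated as one audit. The watchlist of vendor domains, the sample files and every function name are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumed watchlist: domains of the AV vendors named in the thread.
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com")
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed samples: the clean file mirrors the one posted in the thread.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""
TAMPERED_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com  # redirect entry (constructed)
0.0.0.0 tracker.example.test
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) per mapping, ignoring '#' comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (lineno, hostname, ip, reason) for entries worth a second look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if is_watched(name):
            findings.append((lineno, name, str(ip), "security vendor overridden"))
        elif (ip.is_loopback or ip.is_unspecified) and name not in BENIGN_LOOPBACK_NAMES:
            findings.append((lineno, name, str(ip), "name forced to local address"))
    return findings

def resolves_to_loopback(name, resolver=socket.gethostbyname):
    """The thread's ping test: does the name resolve to 127.x on this machine?"""
    return ipaddress.ip_address(resolver(name)).is_loopback

if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED_HOSTS):
        print(finding)
```

Entries that force an unrelated name to a local address also appear in legitimate ad-blocking hosts files, so that finding is a prompt to review rather than proof of infection.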
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Hi Beachie,

Thank you for all your suggestions, and for the directions on how to test for NetSky! (I'll try it as soon as I finish this post!)

About that click from my hard drive - it only happened one time, and coincidentally (or maybe not!) that's right about the same time my firewall's log stopped recording events. So I thought the two might be connected? In any case, I do consider myself very lucky to be able to back up my stuff before anything went wrong! (And that drive is only a year old too!)

Thanks again,

Joni
 

DomainQuay

Level 4
Legacy Platinum Member
Joined
Aug 11, 2003
Messages
194
Reaction score
0
Ok, as if I needed yet another reason to feel stupid -

Where has Microsoft hidden DOS in XP?????

Thanks guys for your tremendous patience...

Joni
 