ZoneAlarm Pro caught 24.101.60.195

CromNogger

Senior member
Jan 26, 2001
849
0
0
24.101.60.195 attempting to connect to me for some reason? Came up as a red warning in ZoneAlarm. Funny NIS didn't budge. Anyway, according to tracert and ZoneAlarm's help it is an @home user. wave.home.com.. 24.101.60.195.on.wave.home.com [24.101.60.195].

I've tried deleting all the registry stuff but I am unsure if I am clean or not, because I don't know which trojan(s) I am infected with.

I got a netbios warning earlier too, it was a diff IP. Think he's successfully spoofing it or what?
 

yllus

Elite Member & Lifer
Aug 20, 2000
20,577
432
126
Could be a lot of things, trippy. Versions of ICQ let other users connect directly to you when sending a message/file/etc so their address shows up. You really shouldn't publicize the guy's IP as you have here either - what port is he trying to get to?

NetBIOS is pretty secure, am I correct? Though if you don't have a home network which would warrant its installation, you might as well uncheck it.

Edit: Get The Cleaner from Moosoft, it's freeware too.
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
This is newer. Anyone have suggestions, or can point me to a really good trojan cleaner?
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
sully,

Latest ver of ICQ, MSN, AIM, etc. Usually use MSN lately. Yeah, the guy most likely has his IP address spoofed. But anyway, if he's hacking me, he deserves to have it posted. @home got a little email, I don't know if they're looking into it or not. It's no big deal, but I don't want it to go unnoticed. And I want this fixed dammit! :(
 

metallibloke

Senior member
Mar 28, 2001
832
0
0
I'm a little confused. Why are you so worried about this? Did you actually get a virus? Or hacked into some other way?

IMO, unless you actually got hacked in some way, it's not worth worrying about.
 

gogeeta13

Diamond Member
Dec 31, 2000
5,721
0
0
hehe, some dude was sending rogue packets and trying to ping me to death (with only his pc), so i called up his ISP and got him kicked, hehe. I just used the arin-whois thing, then got the ISP security number. I faxed them the ZA logs, and then kicked him that same day! ZA is simply awesome
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
I have been. I talked to the person who was doing it too, he told me about Sub-7, but I doubt that's what he's using now since none of the files for Sub-7 were found anywhere, and NIS has blocked Sub-7 .. it has to be something it can't block right?

He was telling me I had porn (the only thing possible is traces in the cache.. wtf would he be doing there?), he repeated stuff I typed to other people, etc. It's a trojan for sure. And he threatened to "f*ck me up" because I "f*cked with his friends". But I don't have the foggiest clue as to who that is, and who his friends are. I haven't been being a bitch to anybody, so I don't get it.
 

gogeeta13

Diamond Member
Dec 31, 2000
5,721
0
0
trippy, I say fight fire with fire, hack his ass. If you are unable, just reformat, no big deal.

If you really want to get fancy though, tell him you will duel in CS to decide if he has to stop bothering you;)!
 

wyvrn

Lifer
Feb 15, 2000
10,074
0
0
Download or buy a good virus program, firewalls cannot protect from getting infected. Also try the cleaner as suggested earlier.
 

Keego

Diamond Member
Aug 15, 2000
6,223
2
81
trying to connect and actually doing something is totally different... Are you sure he isn't just trying to get in?
If he's just trying, ban his IP in NIS, it's easy :D
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
Hey, this is a cool program. It's probably infected with trojans itself though.. :p

The TCactive and Monitor are pretty cool.
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
He IS in, he was viewing files.

BTW, ZA just caught something a second ago. "Alert message 100002b: The firewall has blocked access to your computer (port 111) from 216.167.37.160 (port 3125)." This is not the same IP. Hmm.

 

CromNogger

Senior member
Jan 26, 2001
849
0
0
I'm scanning with Norton Antivirus and with The Cleaner 3.2. I have NAV monitoring activity as it happens, I have ZoneAlarm Pro and NIS open.

I remember I was only using NIS, and I think it was disabled for a short time ... could I possibly have gotten infected then? I seriously don't see how. If the guy hadn't repeated stuff I said to others, I really would think he's full of shit. But he's not.

6000 files scanned so far in Cleaner, nothing found. 30000 files in Norton so far (started earlier), nothing found. Grrrr...
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
By the way, I am running NIS and ZAPro at maximum security right now - I haven't noticed a difference in being able to access stuff. wtf? Shouldn't it be blocking out a lot of stuff? oh well, what can I do eh
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
One more thing, I'm running 2k on NTFS not FAT32, if that counts for anything. Hmmm it's still not finding anything. HTF did he get access..
I removed a bunch of stuff from the registry earlier, "Mobsync" .. crap, I was reading up and that looked really really suspicious, I'm fairly certain it was part of the trojan crap. So I removed it, and some other keys accidentally. I've rebooted since, and I haven't had a problem.. when I scan for mobsync in the registry now, there's nothing. If you get it that way, there's no way of it coming back right?
 

MrBond

Diamond Member
Feb 5, 2000
9,911
1
76
You're using Windows 2000, IIRC. Do you have the guest account disabled? Also, double check any accounts you have, make sure a service isn't logging in (tape backups are very easy to hack, because if they log into the box, lazy admins almost always leave them unpassworded or with a very simple password (like 'tape')).

Don't be surprised if the ISP ignores your plea. Earthlink doesn't care if they're being used as a base for hack attempts, and many other ISPs will follow suit. That's a Canadian @home IP, if it's real. I think @home is a little more strict, but nothing will prevent him from signing up again.

Edit: just saw your post about Mobsync. I'm assuming you checked hklocalmach...\software\microsoft\windows\currentversion\run and all the other run tags. That's where most stuff gets stuck.
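A defender-side check for the Run keys MrBond refers to, added here as an example and not code from the thread or from any tool named in it. It assumes a current Windows host with PowerShell (which Windows 2000 itself did not ship); the key list and the "review first" heuristic are this example's own assumptions.

```powershell
# Added example: enumerate the autostart ("Run") registry keys and report
# each entry together with the file it launches, so stray entries like the
# "Mobsync" one in the thread can be reviewed instead of deleted blind.
# Assumptions: modern Windows with PowerShell 5+; key list and heuristic
# are this example's own.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName etc.; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Pull the executable out of the command line (quoted or bare).
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = $false
            if (-not [string]::IsNullOrWhiteSpace($exe)) {
                $exists = Test-Path -LiteralPath $exe -PathType Leaf
            }
            # Review first: target is missing, or it lives in a user-writable folder.
            $review = (-not $exists) -or ($exe -match '\\(Temp|AppData|Downloads)\\')
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Target  = $exe
                Exists  = $exists
                Review  = $review
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries flagged for review are not necessarily malicious; compare the target against what the vendor ships before removing anything.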
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
Haven't checked that, will do.

But what the *beeeeeeeeeeep* is going on, The Cleaner is not responding (for minutes now). That makes me very suspicious.
 

CromNogger

Senior member
Jan 26, 2001
849
0
0
N/M, it magically unfroze.

BTW, the guest account is disabled (that's funny, I don't think I have ever disabled it, and it usually comes enabled). Oh well.

So far nothing still.
 

Bozo Galora

Diamond Member
Oct 28, 1999
7,271
0
0
So, I get this all the time:

like a few days ago
210.52.5.210 hit me with the following
TCP probe
HTTP probe
FTP probe
Socks probe
Telnet probe
Proxy probe
(I assume this guy really wanted in)

and yesterday
[chello213047116055.14.vie.surfer.at]
No additional details have been discovered about this Intruder.
hit me with a UDP probe 262 times, looked like a pinball machine