Mike-Bracknell

This is why you need to run Malwarebytes via safe mode with command prompt. Because in the vast majority of recent viruses the main method of defence employed by the virus has been to 'hide' itself from whatever AV you're using at the time....and this is hooked into explorer.exe. The ONLY version of booting Windows which doesn't invoke explorer.exe is safe mode with command prompt (and then manually navigating to, and executing mbam.exe). I've had machines which say "0 files infected" when booted normally, which then say "100 files infected" in safe mode with command prompt.

Not recently, but then recently things have got better with patching, firewalls, AV readily available. In the past, yes.

Initially, you spoof the source address or run a man-in-the-middle attack.

You assume that all inter-process communication is password protected. And/or that hackers intend to use things like CIFS shares for access?

Let me give you one relevant example. The recent Anonymous attacks have been related to SQL injection hacks, where SQL servers have been exploited by sending malformed requests, leading to them coughing up things like passwords or other otherwise hidden documents. Now, consider a SQL server running on a PC (not an unknown phenomenon on a lot of PCs that otherwise don't need it), sat waiting for querying. It doesn't take too much of a leap of faith to see that if there was access to that server you could be susceptible to a security breach of the PC. Now what if you had access through NAT to the port? pretty easy to hack, huh? Especially if you remember that NAT holds the port open for a fair amount longer than it takes to transmit the data. Not too difficult to gain access in that regard, if the port's opened for some reason or another.