trojan still a problem

Discussion in 'NZ Computing' started by kiwivalve, Feb 21, 2004.

  1. kiwivalve

    kiwivalve Guest

    Earlier this week I discovered that a friend had enabled file sharing over
    tcp/ip on my computer, I discovered this when I went to shutdown the
    computer without disconnecting from the net first and got a windows message
    saying something to the effect that 1 user was still connected to my
    computer, was I sure I wanted to shutdown. My computer had been in this
    state for 2 weeks unbeknown to me. My friend reckons that it would not have
    been an internet security problem since none of my folders were actually
    shared which I am a little suspect about.
    Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    and the advice I was given here was to install a firewall, so I installed
    zonealarm. Well blow me down I have just found that my internet traffic
    indicator is blinking away without any internet applications loaded, and I
    didn't hear a peep from either nortons antivirus or zonealarm. Zonealarm is
    setup with the default options I think apart from internet zone security
    which I set to medium, i.e. my computer can be seen but not entered.
    Like I said before this is a big problem for me as I use my credit card
    online and some passwords could cause a problem in the wrong hands.
    So any ideas of how I can protect myself apart from formatting my harddrive,
    I am guessing that a trojan has been uploaded to my computer when tcp/ip
    file sharing was enabled and because of this the firewall does not work.
     
    kiwivalve, Feb 21, 2004
    #1

  2. kiwivalve

    kiwivalve Guest

    "kiwivalve" <radio@old> wrote in message news:4036b463$...
    > Earlier this week I discovered that a friend had enabled file sharing over
    > tcp/ip on my computer, I discovered this when I went to shutdown the
    > computer without disconnecting from the net first and got a windows message
    > saying something to the effect that 1 user was still connected to my
    > computer, was I sure I wanted to shutdown. My computer had been in this
    > state for 2 weeks unbeknown to me. My friend reckons that it would not have
    > been an internet security problem since none of my folders were actually
    > shared which I am a little suspect about.
    > Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    > and the advice I was given here was to install a firewall, so I installed
    > zonealarm. Well blow me down I have just found that my internet traffic
    > indicator is blinking away without any internet applications loaded, and I
    > didn't hear a peep from either nortons antivirus or zonealarm. Zonealarm is
    > setup with the default options I think apart from internet zone security
    > which I set to medium, i.e. my computer can be seen but not entered.
    > Like I said before this is a big problem for me as I use my credit card
    > online and some passwords could cause a problem in the wrong hands.
    > So any ideas of how I can protect myself apart from formatting my harddrive,
    > I am guessing that a trojan has been uploaded to my computer when tcp/ip
    > file sharing was enabled and because of this the firewall does not work.
    >

    Forgot to mention that I am using windows98se.
     
    kiwivalve, Feb 21, 2004
    #2

  3. kiwivalve

    kiwivalve Guest

    "kiwivalve" <radio@old> wrote in message news:4036b577$...
    >
    > "kiwivalve" <radio@old> wrote in message news:4036b463$...
    > > Earlier this week I discovered that a friend had enabled file sharing over
    > > tcp/ip on my computer, I discovered this when I went to shutdown the
    > > computer without disconnecting from the net first and got a windows message
    > > saying something to the effect that 1 user was still connected to my
    > > computer, was I sure I wanted to shutdown. My computer had been in this
    > > state for 2 weeks unbeknown to me. My friend reckons that it would not have
    > > been an internet security problem since none of my folders were actually
    > > shared which I am a little suspect about.
    > > Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    > > and the advice I was given here was to install a firewall, so I installed
    > > zonealarm. Well blow me down I have just found that my internet traffic
    > > indicator is blinking away without any internet applications loaded, and I
    > > didn't hear a peep from either nortons antivirus or zonealarm. Zonealarm is
    > > setup with the default options I think apart from internet zone security
    > > which I set to medium, i.e. my computer can be seen but not entered.
    > > Like I said before this is a big problem for me as I use my credit card
    > > online and some passwords could cause a problem in the wrong hands.
    > > So any ideas of how I can protect myself apart from formatting my harddrive,
    > > I am guessing that a trojan has been uploaded to my computer when tcp/ip
    > > file sharing was enabled and because of this the firewall does not work.
    > >
    >
    > Forgot to mention that I am using windows98se.
    >


    I do have a file on my desktop just called ~ ,no extension, anyone know what
    this is?
     
    kiwivalve, Feb 21, 2004
    #3
  4. kiwivalve

    Jason M Guest

    On Sat, 21 Feb 2004 14:27:54 +1300, "kiwivalve" <radio@old> wrote:

    >Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    >and the advice I was given here was to install a firewall, so I installed
    >zonealarm. Well blow me down I have just found that my internet traffic
    >indicator is blinking away without any internet applications loaded, and I
    >didn't hear a peep from either nortons antivirus or zonealarm.


    I definitely have no spyware or trojans.
    I use Kerio firewall and it is currently rejecting and logging around
    20 pages per day of accesses to my computer that I don't want.

    First of all I set Kerio to ignore everything in and out, and noted
    what it logged. Then I made new rules to allow access for the software
    and places that I'll accept. I now have 33 rules and everything works
    fine.
     
    Jason M, Feb 21, 2004
    #4
  5. kiwivalve

    harry Guest

    harry, Feb 21, 2004
    #5
  6. kiwivalve

    kiwivalve Guest

    "harry" <> wrote in message
    news:1uzZb.25386$...
    > kiwivalve wrote:
    >
    > >
    > >
    > > I do have a file on my desktop just called ~ ,no extension, anyone know what
    > > this is?
    > >
    > >
    >
    > It's just a bug in the address book.
    > Read this
    > http://www.pchell.com/support/tildefile.shtml


    Thanks for that.
     
    kiwivalve, Feb 21, 2004
    #6
  7. kiwivalve

    Gavin Tunney Guest

    On Sat, 21 Feb 2004 14:27:54 +1300, "kiwivalve" <radio@old> wrote:

    >Earlier this week I discovered that a friend had enabled file sharing over
    >tcp/ip on my computer, I discovered this when I went to shutdown the
    >computer without disconnecting from the net first and got a windows message
    >saying something to the effect that 1 user was still connected to my
    >computer, was I sure I wanted to shutdown. My computer had been in this
    >state for 2 weeks unbeknown to me. My friend reckons that it would not have
    >been an internet security problem since none of my folders were actually
    >shared which I am a little suspect about.
    >Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    >and the advice I was given here was to install a firewall, so I installed
    >zonealarm. Well blow me down I have just found that my internet traffic
    >indicator is blinking away without any internet applications loaded, and I
    >didn't hear a peep from either nortons antivirus or zonealarm. Zonealarm is
    >setup with the default options I think apart from internet zone security
    >which I set to medium, i.e. my computer can be seen but not entered.
    >Like I said before this is a big problem for me as I use my credit card
    >online and some passwords could cause a problem in the wrong hands.
    >So any ideas of how I can protect myself apart from formatting my harddrive,
    >I am guessing that a trojan has been uploaded to my computer when tcp/ip
    >file sharing was enabled and because of this the firewall does not work.
    >


    If Zonealarm is showing in your system tray it will be working ok, you
    can also fire it up and check its logs, which are always interesting
    reading for those new to firewalls. It should also show which
    applications are allowed to connect....may have to ask people here how
    to set it up properly

    Lot of possible reasons why you've got traffic, could be antivirus,
    zonealarm or even windows doing a live update... or it could be
    someone at the other end hammering away at your PC trying to get in.
    When you connect to your ISP you get allocated a random IP address
    from a pool, when you disconnect your IP goes back in the pool.
    Sometimes the IP you get was last used by someone filesharing via
    Kazaa or similar and you can get heaps of inbound traffic... none of
    which is a problem except for a slight slowdown.

    I don't think you have a trojan, sounds to me like you've done all the
    right things. If you're still worried about it then post the contents
    of your startup config. To get that run msconfig & select the startup
    tab at the top. (Start - Run - msconfig - Ok) Every box that's ticked
    is an app running at startup, just post the name of each & we should
    be able to tell you whether they're kosher or not (shouldn't be very
    many)

    You shouldn't have problems if you didn't share any folders... nothing
    to hack into via NETBIOS then. But you said someone was connected,
    which suggests there was at least one shared folder as they can't
    connect otherwise.

    Cheers

    Gavin
     
    Gavin Tunney, Feb 21, 2004
    #7
  8. kiwivalve

    kiwivalve Guest

    "Gavin Tunney" <> wrote in message
    news:...
    > On Sat, 21 Feb 2004 14:27:54 +1300, "kiwivalve" <radio@old> wrote:
    >
    > >Earlier this week I discovered that a friend had enabled file sharing over
    > >tcp/ip on my computer, I discovered this when I went to shutdown the
    > >computer without disconnecting from the net first and got a windows message
    > >saying something to the effect that 1 user was still connected to my
    > >computer, was I sure I wanted to shutdown. My computer had been in this
    > >state for 2 weeks unbeknown to me. My friend reckons that it would not have
    > >been an internet security problem since none of my folders were actually
    > >shared which I am a little suspect about.
    > >Anyhow I ran nortons antivirus with up to date virus definitions and spybot
    > >and the advice I was given here was to install a firewall, so I installed
    > >zonealarm. Well blow me down I have just found that my internet traffic
    > >indicator is blinking away without any internet applications loaded, and I
    > >didn't hear a peep from either nortons antivirus or zonealarm. Zonealarm is
    > >setup with the default options I think apart from internet zone security
    > >which I set to medium, i.e. my computer can be seen but not entered.
    > >Like I said before this is a big problem for me as I use my credit card
    > >online and some passwords could cause a problem in the wrong hands.
    > >So any ideas of how I can protect myself apart from formatting my harddrive,
    > >I am guessing that a trojan has been uploaded to my computer when tcp/ip
    > >file sharing was enabled and because of this the firewall does not work.
    > >

    >
    > If Zonealarm is showing in your system tray it will be working ok, you
    > can also fire it up and check its logs, which are always interesting
    > reading for those new to firewalls. It should also show which
    > applications are allowed to connect....may have to ask people here how
    > to set it up properly
    >
    > Lot of possible reasons why you've got traffic, could be antivirus,
    > zonealarm or even windows doing a live update... or it could be
    > someone at the other end hammering away at your PC trying to get in.
    > When you connect to your ISP you get allocated a random IP address
    > from a pool, when you disconnect your IP goes back in the pool.
    > Sometimes the IP you get was last used by someone filesharing via
    > Kazaa or similar and you can get heaps of inbound traffic... none of
    > which is a problem except for a slight slowdown.


    I did think about someone trying to get in but a little traffic was flowing
    both ways so I thought not. It would not be antivirus or windows update but
    it could be zonealarm I suppose.


    > I don't think you have a trojan, sounds to me like you've done all the
    > right things. If you're still worried about it then post the contents
    > of your startup config. To get that run msconfig & select the startup
    > tab at the top. (Start - Run - msconfig - Ok) Every box that's ticked
    > is an app running at startup, just post the name of each & we should
    > be able to tell you whether they're kosher or not (shouldn't be very
    > many)


    Nothing to worry about in my startup config but I would have thought a
    hacker would be more cunning than to have their program show up there.

    > You shouldn't have problems if you didn't share any folders... nothing
    > to hack into via NETBIOS then. But you said someone was connected,
    > which suggests there was at least one shared folder as they can't
    > connect otherwise.
    >


    Once again I would have thought they might be more clever and that having
    shared access available would be enough to give them an opportunity without
    any folders needing to be shared. I don't say this from any particular
    knowledge, I just thought they would be much more cunning than that.

    Thanks a lot for the help.
     
    kiwivalve, Feb 21, 2004
    #8
  9. kiwivalve

    Enkidu Guest

    On Sat, 21 Feb 2004 14:32:29 +1300, "kiwivalve" <radio@old> wrote:
    >
    >Forgot to mention that I am using windows98se.
    >

    Get a trojan checker.

    Cheers,

    Cliff
     
    Enkidu, Feb 21, 2004
    #9
  10. kiwivalve

    kiwivalve Guest

    "Enkidu" <> wrote in message
    news:eek:...
    > On Sat, 21 Feb 2004 14:32:29 +1300, "kiwivalve" <radio@old> wrote:
    > >
    > >Forgot to mention that I am using windows98se.
    > >

    > Get a trojan checker.
    >
    > Cheers,
    >
    > Cliff


    I thought spybot was a trojan checker?
     
    kiwivalve, Feb 21, 2004
    #10
  11. kiwivalve

    Gavin Tunney Guest

    On Sat, 21 Feb 2004 20:01:57 +1300, "kiwivalve" <radio@old> wrote:

    >Nothing to worry about in my startup config but I would have thought a
    >hacker would be more cunning than to have their program show up there.
    >


    There's not many other ways you can run applications at startup, every
    common trojan or worm I can recall used that method. Other options
    include replacing or altering an existing system file such as
    winsock.dll, another is to insert a trojan as a new .dll file or
    similar. They tend to be used by more skilled hackers, and there aren't
    that many of those around. Keyboard loggers tend to be .dlls because
    of the way they work, the rest are usually executables of some type or
    other that have to be run at startup.

    Decent firewalls would still catch either method. They do a checksum
    of the apps that are allowed to connect out & tell you when they've
    been changed. When a .dll tries to connect out the firewall pops up a
    message like "run a dll as an app is trying to connect...."

    >> You shouldn't have problems if you didn't share any folders... nothing
    >> to hack into via NETBIOS then. But you said someone was connected,
    >> which suggests there was at least one shared folder as they can't
    >> connect otherwise.
    >>

    >
    >Once again I would have thought they might be more clever and that having
    >shared access available would be enough to give them an opportunity without
    >any folders needing to be shared. I don't say this from any particular
    >knowledge, I just thought they would be much more cunning than that.
    >


    Enabling file & print just opened certain ports, which in itself is no
    big deal provided their use is controlled. There's no actual exploits
    of Netbios that I'm aware of except for a share-password issue that
    was patched years ago, so the only way to connect is via the usual
    way. Passwording shares is always good practice btw.

    Saying that, the best network security is to not open any ports at all,
    except for those you have specific use for. The objective is to
    protect yourself not just against known exploits, but also those which
    have yet to be discovered or announced. No open ports = nothing to
    hack into (except for kernel-level exploits)


    Cheers

    GT
     
    Gavin Tunney, Feb 21, 2004
    #11
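
The default-deny-then-add-rules procedure Jason M describes in post #4 and the checksum check Gavin Tunney describes in post #11, combined in one added example. It is not code from the thread and not how Kerio or ZoneAlarm are implemented; the class, program names and ports are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path):
    """Hash a program file in chunks; return None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


class OutboundPolicy:
    """Hypothetical default-deny outbound policy keyed on program and checksum."""

    def __init__(self):
        self.rules = {}          # (path, remote_port) -> checksum at approval time
        self.denied = Counter()  # blocked attempts, kept for later review

    def allow(self, path, remote_port):
        digest = sha256_of(path)
        if digest is None:
            raise ValueError("cannot approve unreadable program: " + path)
        self.rules[(path, remote_port)] = digest

    def check(self, path, remote_port):
        key = (path, remote_port)
        expected = self.rules.get(key)
        if expected is None:
            verdict = "DENY no-rule"
        elif sha256_of(path) != expected:
            # Same path and port as an approved rule, but the file has changed.
            verdict = "DENY changed-since-approval"
        else:
            verdict = "ALLOW"
        if verdict != "ALLOW":
            self.denied[key] += 1
        return verdict

    def review(self):
        """Blocked attempts, most frequent first, for deciding which rules to add."""
        return [(os.path.basename(p), port, n)
                for (p, port), n in self.denied.most_common()]


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for installed programs.
        paths = {}
        for name in ("browser.exe", "mailer.exe", "unknown.exe"):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(name.encode() + b" v1")
        attempts = [(paths["browser.exe"], 80), (paths["browser.exe"], 80),
                    (paths["mailer.exe"], 25), (paths["unknown.exe"], 6667)]

        policy = OutboundPolicy()
        # Phase 1: block everything and note what was logged.
        phase1 = [policy.check(p, port) for p, port in attempts]
        logged = policy.review()
        # Phase 2: add rules only for the programs the user accepts.
        policy.allow(paths["browser.exe"], 80)
        policy.allow(paths["mailer.exe"], 25)
        phase2 = [policy.check(p, port) for p, port in attempts]
        # Phase 3: an approved program is altered on disk after approval.
        with open(paths["browser.exe"], "ab") as f:
            f.write(b" patched")
        phase3 = policy.check(paths["browser.exe"], 80)
        return phase1, logged, phase2, phase3


if __name__ == "__main__":
    for part in demo():
        print(part)
```
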
  12. kiwivalve

    Enkidu Guest

    On Sat, 21 Feb 2004 20:55:42 +1300, "kiwivalve" <radio@old> wrote:

    >
    >"Enkidu" <> wrote in message
    >news:eek:...
    >> On Sat, 21 Feb 2004 14:32:29 +1300, "kiwivalve" <radio@old> wrote:
    >> >
    >> >Forgot to mention that I am using windows98se.
    >> >

    >> Get a trojan checker.
    >>
    >> Cheers,
    >>
    >> Cliff

    >
    >I thought spybot was a trojan checker?
    >

    No. So far as I'm aware, it is only an Adware scanner.

    Cheers,

    Cliff
     
    Enkidu, Feb 21, 2004
    #12
  13. kiwivalve

    kiwivalve Guest

    "Enkidu" <> wrote in message
    news:eek:...
    > On Sat, 21 Feb 2004 20:55:42 +1300, "kiwivalve" <radio@old> wrote:
    >
    > >
    > >"Enkidu" <> wrote in message
    > >news:eek:...
    > >> On Sat, 21 Feb 2004 14:32:29 +1300, "kiwivalve" <radio@old> wrote:
    > >> >
    > >> >Forgot to mention that I am using windows98se.
    > >> >
    > >> Get a trojan checker.
    > >>
    > >> Cheers,
    > >>
    > >> Cliff

    > >
    > >I thought spybot was a trojan checker?
    > >

    > No. So far as I'm aware, it is only an Adware scanner.
    >
    > Cheers,
    >
    > Cliff


    These google results suggest it is a trojan scanner

    http://www.google.com/search?sourceid=navclient&q=spybot
     
    kiwivalve, Feb 22, 2004
    #13
  14. kiwivalve

    Dave Taylor Guest

    "kiwivalve" <radio@old> wrote in news:4037f714$:

    > These google results suggest it is a trojan scanner
    >
    > http://www.google.com/search?sourceid=navclient&q=spybot
    >


    It scans for some things that could be called trojans, like a dialer, but
    it is not designed with trojans in mind, but privacy issues, so it scans
    for spyware, ad cookies, privacy revealing registry keys etc.
    Try Trendmicro's Housecall, adaware, and pestpatrols online free scan.
    That should cover the bases pretty well. For specializing in trojans there
    is TDS3, but I think it costs.
    Ciao, Dave
     
    Dave Taylor, Feb 22, 2004
    #14
  15. kiwivalve

    kiwivalve Guest

    "Dave Taylor" <> wrote in message
    news:Xns949790662A124daveytaynospamplshot@202.180.64.19...
    > "kiwivalve" <radio@old> wrote in news:4037f714$:
    >
    > > These google results suggest it is a trojan scanner
    > >
    > > http://www.google.com/search?sourceid=navclient&q=spybot
    > >

    >
    > It scans for some things that could be called trojans, like a dialer, but
    > it is not designed with trojans in mind, but privacy issues, so it scans
    > for spyware, ad cookies, privacy revealing registry keys etc.
    > Try Trendmicro's Housecall, adaware, and pestpatrols online free scan.
    > That should cover the bases pretty well. For specializing in trojans there
    > is TDS3, but I think it costs.
    > Ciao, Dave


    Thanks, I ran the trial version of TDS3 with updated database and found
    nothing, I would rather it have found a trojan as then I would know I had
    found it and deleted it whereas now I am not much the wiser as I could have
    a trojan or not but it was worth a go in case it did find one.
     
    kiwivalve, Feb 22, 2004
    #15
  16. kiwivalve

    Enkidu Guest

    On Sun, 22 Feb 2004 16:15:41 +1300, "kiwivalve" <radio@old> wrote:

    >
    >"Dave Taylor" <> wrote in message
    >news:Xns949790662A124daveytaynospamplshot@202.180.64.19...
    >> "kiwivalve" <radio@old> wrote in news:4037f714$:
    >>
    >> > These google results suggest it is a trojan scanner
    >> >
    >> > http://www.google.com/search?sourceid=navclient&q=spybot
    >> >

    >>
    >> It scans for some things that could be called trojans, like a dialer, but
    >> it is not designed with trojans in mind, but privacy issues, so it scans
    >> for spyware, ad cookies, privacy revealing registry keys etc.
    >> Try Trendmicro's Housecall, adaware, and pestpatrols online free scan.
    >> That should cover the bases pretty well. For specializing in trojans there
    >> is TDS3, but I think it costs.
    >> Ciao, Dave

    >
    >Thanks, I ran the trial version of TDS3 with updated database and found
    >nothing, I would rather it have found a trojan as then I would know I had
    >found it and deleted it whereas now I am not much the wiser as I could have
    >a trojan or not but it was worth a go in case it did find one.
    >

    If it did not find anything you are probably OK.

    I'm not sure where you are now. What makes you think that you might
    still have a trojan?

    Cheers,

    Cliff
     
    Enkidu, Feb 22, 2004
    #16
  17. kiwivalve

    kiwivalve Guest

    "Enkidu" <> wrote in message
    news:...
    > On Sun, 22 Feb 2004 16:15:41 +1300, "kiwivalve" <radio@old> wrote:
    >
    > >
    > >"Dave Taylor" <> wrote in message
    > >news:Xns949790662A124daveytaynospamplshot@202.180.64.19...
    > >> "kiwivalve" <radio@old> wrote in news:4037f714$:
    > >>
    > >> > These google results suggest it is a trojan scanner
    > >> >
    > >> > http://www.google.com/search?sourceid=navclient&q=spybot
    > >> >
    > >>
    > >> It scans for some things that could be called trojans, like a dialer, but
    > >> it is not designed with trojans in mind, but privacy issues, so it scans
    > >> for spyware, ad cookies, privacy revealing registry keys etc.
    > >> Try Trendmicro's Housecall, adaware, and pestpatrols online free scan.
    > >> That should cover the bases pretty well. For specializing in trojans there
    > >> is TDS3, but I think it costs.
    > >> Ciao, Dave

    > >
    > >Thanks, I ran the trial version of TDS3 with updated database and found
    > >nothing, I would rather it have found a trojan as then I would know I had
    > >found it and deleted it whereas now I am not much the wiser as I could have
    > >a trojan or not but it was worth a go in case it did find one.
    > >

    > If it did not find anything you are probably OK.
    >
    > I'm not sure where you are now. What makes you think that you might
    > still have a trojan?
    >
    > Cheers,
    >
    > Cliff


    Because antitrojan, antivirus etc... software is always one step behind the
    hackers.
     
    kiwivalve, Feb 23, 2004
    #17
  18. kiwivalve

    kiwivalve Guest

    > > >
    > > >Thanks, I ran the trial version of TDS3 with updated database and found
    > > >nothing, I would rather it have found a trojan as then I would know I had
    > > >found it and deleted it whereas now I am not much the wiser as I could have
    > > >a trojan or not but it was worth a go in case it did find one.
    > > >

    > > If it did not find anything you are probably OK.
    > >
    > > I'm not sure where you are now. What makes you think that you might
    > > still have a trojan?
    > >
    > > Cheers,
    > >
    > > Cliff

    >
    > Because antitrojan, antivirus etc... software is always one step behind the
    > hackers.
    >

    Also when I first asked for help I said that I preferred not to use a
    firewall but at least for the moment while I try to establish what to do
    next I am using zonealarm but am already losing patience with that as you
    see the main reason for not using such a program is that the more programs
    you have running on your computer at once the more unstable it is, since
    using zonealarm I have had several computer freezes, an occurrence which is
    normally rare for me, these freezes have cost me a lot of time with lost
    downloads etc..., so my hate for such programs is reaffirmed. That said I
    have noticed that nortons antivirus is pretty harmless, no noticeable
    problems running that in the background, although once again I prefer not
    to.
     
    kiwivalve, Feb 23, 2004
    #18
  19. kiwivalve

    Enkidu Guest

    On Mon, 23 Feb 2004 14:25:10 +1300, "kiwivalve" <radio@old> wrote:
    >>
    >> I'm not sure where you are now. What makes you think that you might
    >> still have a trojan?

    >
    >Because antitrojan, antivirus etc... software is always one step behind the
    >hackers.
    >

    Ah, well not quite. Some of the better AV programs do try to spot
    "virus-like" behaviour. But it's not good if you get paranoid about
    being on the Internet.

    Cheers,

    Cliff
     
    Enkidu, Feb 23, 2004
    #19