
Think I've been done over by a trojan?

Old 31 October 2001, 04:43 PM
  #1  
father_jack
Scooby Regular
Thread Starter
Join Date: Jul 2001
Posts: 1,112

Weird things have been happening which makes me suspect foul play.
Here's the deal.

Couple of weeks ago noticed an IP address prefixing my internet start page so instead of uk.yahoo.com I was getting 216.128.blah.blah/uk.yahoo.com and it was taking ages to connect.
Connecting to anything was taking ages in fact.
Did a tracert on said IP address and it ends up in Canada...
I also found something in the registry/run like cnbabes.exe (sounds dodgy!) but there was an uninstaller for this; "common browser" was how it was described. Anyway I binned that and now IE6 tries another IP address 214.something and doesn't connect to the net.
I uninstalled IE6 but this fecked everything (nice 1 Microsoft) and had to roll back the system (Win ME - honestly a nice one MS) to get the OS to load at all.
FTP and email both work.
I'm resigned to a rebuild but not too bothered as I have a ghost image of the PC, but I'd like to know what I should look for and if there's any way of stripping it out??
What should I look for in netstat - I can't tell what is genuine and what's not..........

Thx
FJ
Old 31 October 2001, 05:09 PM
  #2  
IanWatson
Scooby Regular
Join Date: Jul 2001
Location: maturin23 - 205GTi Drivers.com
Posts: 504

Hi 'Father'!!

Just a suggestion - I'm no techie by any means, but are you running a software firewall like Zone Alarm? It means you are able to monitor any outgoing traffic and isolate what app is doing this.
Check out www.zonelabs.com I think - free to download.

Apologies if I've missed the point of your question!
cheers
Ian
Old 31 October 2001, 05:12 PM
  #3  
father_jack
Scooby Regular
Thread Starter
Join Date: Jul 2001
Posts: 1,112

Yeah - I know. I had it but my priority was to get Age of Empires running and it doesn't like ZoneAlarm....!!
I installed ZA after the event, but it didn't pick up anything as the deed had already been done, so nothing changed as far as it was concerned.

Doh...


[Edited by father_jack - 10/31/2001 5:14:37 PM]
Old 31 October 2001, 05:18 PM
  #4  
IanWatson
Scooby Regular
Join Date: Jul 2001
Location: maturin23 - 205GTi Drivers.com
Posts: 504

Surely it will still show up any dodgy apps sending out data, whether or not it was infected prior to installing Zone Alarm!?
Slightly out of my depth now!
Old 31 October 2001, 05:31 PM
  #5  
druddle
Scooby Regular
Join Date: Mar 2001
Location: Berkshire
Posts: 5,528

ZoneAlarm will only allow programs that you authorise to get out and onto the Internet. So if anything tries to go out via your TCP stack, you will be asked about it.

Dave
Old 31 October 2001, 05:33 PM
  #6  
alexf
Scooby Regular
Join Date: Mar 2000
Posts: 364

I've been using ZoneAlarm for a while now and I'm very impressed with it (for a freebie!). Since installing it, it alerts me to every program that attempts to "dial out" of my PC and gives me the option of denying internet access to each application in turn. Can't see how a trojan can bypass ZoneAlarm, but I'm not a security expert. There are a few experts who post on here so maybe they can shed some more light on this.
Old 01 November 2001, 07:37 AM
  #7  
dowser
Scooby Senior
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

FJ

Connect to the internet, but don't launch any mail or browser apps.

Then run netstat (the -n switch will give just IPs, and be quicker) - you shouldn't see anything listed (unless you're running some automated application - auto-virus updates, etc.).

Anything you do see is bad.

As mentioned elsewhere - ZA, when first installed, will question every outgoing connection the first time and you can accept/deny it. This is also a good way to show any trojans trying to connect to their masters.

Richard
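Richard's check above (connect, open nothing, run `netstat -n`, treat anything listed as suspect) is easy to apply by eye on a quiet machine, but a small parser makes the allowlist explicit and keeps half-open connections in view. The following is an added example and is not code from anyone in this thread; the `netstat -n` text it parses is a constructed sample in the Windows output layout, and `203.0.113.5` (a documentation-range address) stands in for the unexplained remote host described in the thread.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -n` output, notionally captured right
# after connecting and before opening any browser or mail client. 203.0.113.5
# is a documentation-range address standing in for the unexplained remote host
# described in the thread; nothing here is real captured data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED
  TCP    192.168.1.10:1031      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1032      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1035      192.168.1.1:53         TIME_WAIT
  UDP    192.168.1.10:137       *:*
"""

# One row per connection: protocol, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); '*:*' becomes ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn raw netstat -n text into a list of connection dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # banner and column-header lines do not start with TCP/UDP
        proto, local, foreign, state = match.groups()
        local_host, local_port = split_endpoint(local)
        remote_host, remote_port = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local": local_host, "lport": local_port,
            "remote": remote_host, "rport": remote_port,
            "state": state or "",
        })
    return rows


def is_external_peer(host):
    """True for a real, non-loopback peer address; False for '*' or loopback."""
    if host == "*":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def unexpected_connections(text, allowed_remote=()):
    """Return TCP rows whose peer is non-loopback and not on the allowlist.

    SYN_SENT rows are kept deliberately: a half-open connection to a host that
    never answers is what a redirected browser start page looks like from the
    local side, and it is exactly the kind of row the thread is asking about.
    """
    allowed = {str(ipaddress.ip_address(a)) for a in allowed_remote}
    flagged = []
    for row in parse_netstat(text):
        if row["proto"] != "TCP":
            continue  # the UDP rows in this output show '*:*', so there is no peer to check
        if not is_external_peer(row["remote"]):
            continue
        if row["remote"] in allowed:
            continue
        flagged.append(row)
    return flagged


def summarise_by_peer(rows):
    """Collapse flagged rows to {remote_ip: sorted list of states} for a quick read."""
    summary = {}
    for row in rows:
        summary.setdefault(row["remote"], set()).add(row["state"])
    return {peer: sorted(states) for peer, states in summary.items()}


if __name__ == "__main__":
    # The local router (192.168.1.1) is something we expect to talk to, so allow it.
    flagged = unexpected_connections(SAMPLE_NETSTAT, allowed_remote=["192.168.1.1"])
    for peer, states in summarise_by_peer(flagged).items():
        print(f"unexpected peer {peer}: {', '.join(states)}")
```

One caveat worth keeping in mind: `netstat -n` is a snapshot of the sockets open at the moment it runs, so something that only connects out every few minutes can be missed by a single run. Taking a few samples a minute or so apart, or leaving ZoneAlarm's outbound prompts in place as the other replies suggest, covers that gap.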
Old 01 November 2001, 11:03 AM
  #8  
father_jack
Scooby Regular
Thread Starter
Join Date: Jul 2001
Posts: 1,112

Cheers Dowser - I couldn't connect to the net if I wanted to now anyway, it just goes off to the dubious IP address and does nothing. Will check out the netstat. So would a trojan take the form of an .exe or a registry entry somewhere or would it more likely be a hacked DLL in IE for example?
Old 01 November 2001, 12:23 PM
  #9  
dowser
Scooby Senior
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105

Umm - don't really know, I'm only good at stopping/identifying such things.

It'll either be running as its own executable (kiddy style), or it's modified a system one (devious) - so yeah, a dll is likely.

All I can think of is to try comparing file sizes/date stamps with the OS CD... a rebuild is probably quicker! grc.com may have more detail - try their scan.

Good Luck
Richard
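The size/date-stamp comparison Richard suggests is the right instinct, but a file can be patched in place without changing its size, and a timestamp can be copied back, so a content hash is the comparison that actually settles it. The example below is added here and is not code from anyone in this thread: it builds a size-plus-SHA-256 manifest of a known-good tree (the OS CD in the thread's case) and the live tree, then sorts each file into unchanged, missing, size changed, or changed with the same size. The two directory trees it compares are constructed fixtures with made-up contents; the file names only borrow familiar Windows DLL names as labels.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so a large DLL never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each path relative to root to (size_in_bytes, sha256_hex)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def compare_manifests(good, live):
    """Classify every known-good file by how the live copy differs from it.

    'same_size_changed' is the bucket a size-only comparison would miss entirely.
    """
    report = {"ok": [], "missing": [], "size_changed": [], "same_size_changed": []}
    for rel, (good_size, good_hash) in sorted(good.items()):
        if rel not in live:
            report["missing"].append(rel)
            continue
        live_size, live_hash = live[rel]
        if live_hash == good_hash:
            report["ok"].append(rel)
        elif live_size != good_size:
            report["size_changed"].append(rel)
        else:
            report["same_size_changed"].append(rel)
    return report


def demo_fixture():
    """Build two constructed trees (a 'CD' copy and a 'live' copy) and compare them.

    The names mimic Windows system files purely as labels; the bytes are fake.
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cd")
        live = os.path.join(tmp, "system")
        os.makedirs(good)
        os.makedirs(live)

        originals = {
            "kernel32.dll": b"A" * 4096,
            "wininet.dll": b"B" * 4096,
            "user32.dll": b"C" * 2048,
            "wsock32.dll": b"D" * 1024,
        }
        for name, data in originals.items():
            with open(os.path.join(good, name), "wb") as fh:
                fh.write(data)

        # Live tree: kernel32 untouched, wininet patched in place (one byte
        # changed, size identical), user32 deleted, wsock32 replaced by a larger file.
        live_copies = dict(originals)
        live_copies["wininet.dll"] = b"B" * 4000 + b"X" + b"B" * 95
        del live_copies["user32.dll"]
        live_copies["wsock32.dll"] = b"D" * 1500
        for name, data in live_copies.items():
            with open(os.path.join(live, name), "wb") as fh:
                fh.write(data)

        return compare_manifests(build_manifest(good), build_manifest(live))


if __name__ == "__main__":
    for bucket, names in demo_fixture().items():
        print(f"{bucket:18s} {', '.join(names) or '-'}")
```

Against a real install the known-good manifest should come from media you trust (the original CD, or a clean ghost image like the one mentioned in the first post), never from the machine under suspicion; and a file that matches the CD can still have been replaced by a service pack or hotfix after install, so a mismatch is a lead to check, not proof on its own.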
Old 01 November 2001, 01:21 PM
  #10  
JackClark
Scooby Senior
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

Install and update some AntiVirus software, if it's good it'll detect and remove the nasty. If it's alright it'll at least detect it.

I'm heavily biased towards McAfee/Dr Solomons.
Old 01 November 2001, 10:13 PM
  #11  
NickAdams
Scooby Regular
iTrader: (5)
Join Date: Mar 2001
Location: Cheshire
Posts: 2,895

I use Norton Firewall on my home machine. I recommend it, plus you can turn it off if you don't need it (not recommended when surfing the web though!)
I constantly get people trying to load "Subseven trojans" onto my machine and it stops that. Have these people nothing better to do with their time?

Cheers,

Nick..
Old 02 November 2001, 08:52 AM
  #12  
JackClark
Scooby Senior
Join Date: Dec 2000
Location: Overdosed on LCD
Posts: 20,852

Ever seen American Pie? If so you'll recall the camera in the bedroom thing. It's quite possible to look through the camera of an internet attached PC that has a trojan loaded, very tempting for some.
Old 02 November 2001, 10:05 AM
  #13  
father_jack
Scooby Regular
Thread Starter
Join Date: Jul 2001
Posts: 1,112

Got it all sorted - rolled back the PC 2 weeks then slapped ZoneAlarm on.
netstat -n reveals only one line with my own IP address, so I presume all is clear.

Jack - thank **** I don't have a web cam. I'd be featured on rotten.com in a flash*