Think I've been done over by a trojan?
#1
Weird things have been happening which makes me suspect foul play.
Here's the deal.
Couple of weeks ago noticed an IP address prefixing my internet start page so instead of uk.yahoo.com I was getting 216.128.blah.blah/uk.yahoo.com and it was taking ages to connect.
Connecting to anything was taking ages in fact.
Did a tracert on said IP address and it ends up in Canada...
I also found something in the registry/run like cnbabes.exe (sounds dodgy!) but there was an uninstaller for this, common browser was how it was described. Anyway I binned that and now IE6 tries another IP address 214.something and doesn't connect to the net.
I uninstalled IE6 but this fecked everything (nice 1 Microsoft) and had to roll back the system (Win ME - honestly a nice one MS) to get the OS to load at all.
FTP and email both work.
I'm resigned to a rebuild but not too bothered as I have a ghost image of the PC, but I'd like to know what I should look for and if there's any way of stripping it out??
What should I look for in netstat - I can't tell what is genuine and what's not...
Thx
FJ
#2
Scooby Regular
Join Date: Jul 2001
Location: maturin23 - 205GTi Drivers.com
Posts: 504
Hi 'Father'!!
Just a suggestion - I'm no techie by any means, but are you running a software firewall like Zone Alarm? It means you are able to monitor any outgoing traffic and isolate what app is doing this.
Check out www.zonelabs.com, I think - free to download.
Apologies if I've missed the point of your question!
cheers
Ian
#3
Yeah - I know. I had it but my priority was to get Age of Empires running and it don't like Zonealarm...!!
I installed ZA after the event, but it didn't pick up anything as the deed had already been done, so nothing changed as far as it was concerned.
Doh...
[Edited by father_jack - 10/31/2001 5:14:37 PM]
#4
Scooby Regular
Join Date: Jul 2001
Location: maturin23 - 205GTi Drivers.com
Posts: 504
Surely it will still show up any dodgy apps sending out data, whether or not it was infected prior to installing Zone Alarm!?
Slightly out of my depth now!
#5
Scooby Regular
Join Date: Mar 2001
Location: Berkshire
Posts: 5,528
ZoneAlarm will only allow programs that you authorise to get out and onto the Internet. So if anything tries to go out via your TCP stack, you will be asked about it.
Dave
#6
I've been using ZoneAlarm for a while now and I'm very impressed with it (for a freebie!). Since installing it, it alerts me to every program that attempts to "dial-out" of my PC and gives me the option of denying internet access to each application in turn. Can't see how a trojan can bypass ZoneAlarm, but I'm not a security expert. There are a few experts who post on here so maybe they can shed some more light on this.
#7
Scooby Senior
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105
FJ
Connect to the internet, but don't launch any mail or browser apps.
Then run netstat (the -n switch will give just IPs, and be quicker) - you shouldn't see anything listed (unless you're running some automated application - auto-virus updates, etc.).
Anything you do see is bad.
As mentioned elsewhere - ZA, when first installed, will question every outgoing connection the first time and you can accept/deny it. This is also a good way to show any trojans trying to connect to their masters.
Richard
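Richard's check above ("nothing launched, anything listed is bad") can be turned into a small triage script. This is an added example, not code from the thread: it parses a constructed sample of `netstat -n` output in the Windows 9x/ME layout, treats loopback, the wildcard and the PC's own address as "self", and flags every other foreign endpoint, including half-open SYN_SENT attempts like the hang on the 216.128.x.x address described in the first post. The addresses in the sample are made up.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample of `netstat -n` output (Windows 9x/ME style), captured after
# dialling the ISP with no browser or mail client open.  All addresses are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    62.31.0.7:1030         216.128.0.44:80        SYN_SENT
  TCP    62.31.0.7:1031         216.128.0.44:80        ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    62.31.0.7:137          *:*
"""

# One table row: proto, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint: str):
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Return the table rows of `netstat -n`; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": lhost, "lport": lport,
                     "foreign": fhost, "fport": fport, "state": state or ""})
    return rows


def is_own_host(host: str, own_ips: Set[str]) -> bool:
    """Loopback, the wildcard, or one of this PC's own addresses counts as 'self'."""
    if host in ("*", "0.0.0.0"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback or host in own_ips
    except ValueError:
        return False


def suspicious_connections(text: str, own_ips: Set[str]) -> List[Dict[str, str]]:
    """Apply the thread's rule: with nothing launched, any row whose foreign end
    is not this PC itself deserves a look, whatever its state."""
    return [r for r in parse_netstat(text) if not is_own_host(r["foreign"], own_ips)]
```

Run it against a real capture by reading the saved `netstat -n` output into `text` and passing the PC's own dial-up address as `own_ips`; a clean box should return an empty list, which matches the "only one line with my own IP" result reported later in the thread.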
#8
Cheers Dowser - I couldn't connect to the net if I wanted to now anyway, it just goes off to the dubious IP address and does nothing. Will check out the netstat. So would a trojan take the form of an .exe or a registry entry somewhere or would it more likely be a hacked DLL in IE for example?
#9
Scooby Senior
Join Date: Oct 2000
Location: Zurich, Switzerland
Posts: 3,105
Umm - don't really know, I'm only good at stopping/identifying such things.
It'll either be running as its own executable (kiddy style), or it's modified a system one (devious) - so yeah, a DLL is likely.
All I can think is to try comparing file sizes/date stamps with the OS CD... a rebuild is probably quicker! grc.com may have more detail - try their scan.
Good Luck
Richard
#10
Scooby Senior
Install and update some AntiVirus software, if it's good it'll detect and remove the nasty. If it's alright it'll at least detect it.
I'm heavily biased towards McAfee/Dr Solomons.
#11
Scooby Regular
iTrader: (5)
Join Date: Mar 2001
Location: Cheshire
Posts: 2,895
I use Norton Firewall on my home machine. I recommend it, plus you can turn it off if you don't need it (not recommended when surfing the web though!)
I constantly get people trying to load "Subseven trojans" onto my machine and it stops that. Have these people nothing better to do with their time?
Cheers,
Nick..
#12
Scooby Senior
Ever seen American Pie? If so you'll recall the camera in the bedroom thing. It's quite possible to look through the camera of an internet attached PC that has a trojan loaded, very tempting for some.
#13
Got it all sorted - rolled back the PC 2 weeks then slapped zone alarm on.
Netstat -n reveals only one line with my own IP addr. so I presume all is clear.
Jack - thank **** I don't have a web cam. I'd be featured on rotten.com in a flash*