IS SOMEONE USING MY PC AS A SERVER?

Anon y mous

Since upgrading to XP SP2, I thought I'd try the Windows firewall. My
system started slowing down. I noticed that something was shutting this
firewall at will, though I could never find it. I used various programs to
try to find Virii. Norton never found anything even in safe mode. Ad-aware
only found 2 cookies. I tried a couple of online scans, to find various
files that were infected with POSMOD, RILER, ZINS IE FEATS A, PSYME A,
though they were not quarantined, they never seemed to be active in memory.
These seem to be banking trojans. (I recall getting a few phishing emails
from eBay and others faking to be eBay or PayPal... never read them, but had
my Outlook Express in preview mode, which I have since turned off.)

I also found under docs and settings a "microsoft.office.hta.txt" that
wanted to change my office settings, a few times when I was shutting Word
down, but never let it change my settings, and it seemed to want to stop
changing the dot file after a while. It may have done its thing if my wife
acknowledged it- she never seems to remember this stuff. But when I deleted
the hta.txt file- seemed to increase the speed at which Word loads.

My modem seems to be constantly doing things (activity light flashing) even
when I am not using the net (cable modem- Comcast). My system seems to
pause a lot- mouse goes to hourglass, doesn't respond for 3-5 seconds if I
am multitasking (it's a 2.4 GHz P4 with 512k RAM) with 2 or 3 open apps-
never used to do this before.

I shut the network off, booted in safe mode, ran a virus scan, came clean.
I uninstalled Zone Alarm, got rid of all custom settings and ran the ZA Pro
trial (15 days) to start clean. I also ran Spybot S&D.... ZA only found 2
cookies to clean out, in addition to cleaning out all caches.

My system is a bit faster now, Word and Excel load faster than before. How
can I really be sure there is nothing going on in the background??? I'm not
an expert at ports and looking at them.

All I know is ZA Pro found a network when I installed, which I assumed was
my connection to Comcast- I just want to be sure it's not someone using my PC
as a server- having hijacked my computer (I've found hijacking and dialers
with Ad-aware several months ago).


Thx

Paul
 
David H. Lipman

Follow the directions in the below URL and let us know how you make out...

http://www.claymania.com/removal-trojan-adware.html

--
Dave




 
Spin Dryer

On Mon, 10 Jan 2005 04:46:42 -0800, [Anon y mous] said :-
| since upgrading to XP SP2, I thought I'd try the Windows firewall. My


"IS SOMEONE USING MY PC AS A SERVER?"

I expect so - you're posting from Comcast - by far the largest amount
of spam comes via users on Comcast with trojanned machines.
 
David H. Lipman

:)

--
Dave




| GET A LIFE, PETER!!
|
| | > Anon y mous - 10.01.2005 13:46 :
| >
| > please no capitals in subject. THX
| > --
| > by(e) PS
| >
| > spam will be killed
| >
|
|
 
Peter Seiler

David H. Lipman - 10.01.2005 21:53 :

--
Dave




| GET A LIFE, PETER!!
|
| | > Anon y mous - 10.01.2005 13:46 :
| >
| > please no capitals in subject. THX
| > --
| > by(e) PS
| >
| > spam will be killed
| >
|
|

:)
 
Max M.Wachtel III

David said:
| Follow the directions in the below URL and let us know how you make out...
|
| http://www.claymania.com/removal-trojan-adware.html

Good job David!
-max

--
Virus Removal Instructions: http://www.geocities.com/maxpro4u/
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
David H. Lipman

I am glad that you Max and Zvi like it.

I think you remember the Troll that sparked this web page into life.

--
Dave




 
Max M.Wachtel III

David said:
| I am glad that you Max and Zvi like it.
| I think you remember the Troll that sparked this web page into life.

Yes- it got me to write one! (I still like your "canned reply"). :)
-max
--
Virus Removal Instructions: http://www.geocities.com/maxpro4u/
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Anon y mous

Wow, that's good and comforting to know. I can tell when it happened- all
of a sudden my speed dropped about 50% and there are bouts where the mouse
freezes up for 3-5 seconds at a time when I haven't done much to tax the
memory of this puppy.


Spin Dryer said:
| On Mon, 10 Jan 2005 04:46:42 -0800, [Anon y mous] said :-
| > since upgrading to XP SP2, I thought I'd try the Windows firewall. My
|
| "IS SOMEONE USING MY PC AS A SERVER?"
|
| I expect so - you're posting from Comcast - by far the largest amount
| of spam comes via users on Comcast with trojanned machines.
 
Anon y mous

All came up clean. When I boot- I get this nasty PC Doctor OnCall popup
(remnant from some online scanning I did??). It won't shut down. Seems
like from online task monitor- a realtime app or two and something called
pasta.

I searched the net- can't find any useful references to remove, if I hit the
buttons on it- it freezes, won't shut off, can't remove the icon from the
system tray, if I go to select the system tray icon, it disappears. It acts
very suspicious.

This is a new development in the last few days, long after I suspected
problems.

Despite the lack of finding any trojans- could a server still be set up
behind the scenes? How would I monitor for outgoing stuff?

Thanks
 
Anon y mous

I found it with winpatrol- the little icon- C:windows/realtime.exe.....
f*ckers trying to pose as REALplayer.... the little ambulance icon gives the
bastards away.

My other question- how can I monitor outgoing to determine whether someone
has already set up a network? (Could Comcast be using my system as a
server- given previous comments about nearly everyone being trojaned in
Comcast???)

Thx
 
David H. Lipman

If you are connected to Broadband, many Cable/DSL Routers provide a logging feature. I have
a Linksys BEFSR81 and use the logger with WallWatcher -- http://www.wallwatcher.com/

Run MSCONFIG.EXE and uncheck suspicious applications and processes, reboot into Safe Mode
and scan again.

--
Dave




 
Gabriele Neukam

On that special day, David H. Lipman, ([email protected])
said...
| I have
| a Linksys BEFSR81 and use the logger with WallWatcher -- http://www.wallwatcher.com/

I would like to check this program, but there is a problem. I have a
pure broadband router (no WLAN, no modem) that is not listed in the
"supported" section. Trying to run wallwatcher with the default
settings, only results in an endless hourglass, obviously because the
program does not "find" my router. It is an Edimax 6104. Does anyone
know, if there is a router that has the same chip inside but is
supported, so that I can try the program?


Gabriele Neukam

(e-mail address removed)
 
David H. Lipman

WallWatcher uses SNMP Traps as it is a SNMP Trap Receiver software. It will work with a
Router that supports SNMP Traps and IPTables. The objective is to give the Router the IP
address of the SNMP Trap Receiver which is in this case the PC that is hosting WallWatcher.

http://www.edimax.com.tw/html/english/frames/b-download.htm

When viewing the manual of the 6104 (there are different models and I wasn't sure of
exactly which you have) in the "Security Log" section I was surprised to see them show
example logging with dates of 1970 !

The manual for the model I looked at, BR-6104_M.pdf, did need support SNMP logging.

You can contact the author. He is very receptive to ideas and/or changes to support a new
Router if the device supports SNMP.

support @ wallwatcher.com
{ Please include the program name ("WallWatcher", "WW", "WRV", "GetLog", or "DShield") in
the SUBJECT line to bypass the spam filters. }

--
Dave




| On that special day, David H. Lipman, ([email protected])
| said...
|
| > I have
| > a Linksys BEFSR81 and use the logger with WallWatcher -- http://www.wallwatcher.com/
|
| I would like to check this program, but there is a problem. I have a
| pure broadband router (no WLAN, no modem) that is not listed in the
| "supported" section. Trying to run wallwatcher with the default
| settings, only results in an endless hourglass, obviously because the
| program does not "find" my router. It is an Edimax 6104. Does anyone
| know, if there is a router that has the same chip inside but is
| supported, so that I can try the program?
|
|
| Gabriele Neukam
|
| (e-mail address removed)
|
|
| --
| Ah, Information. A property, too valuable these days, to give it away,
| just so, at no cost.
 
Silly Me

| Wow, that's good and comforting to know. I can tell when it happened- all
| of a sudden my speed dropped about 50% and there are bouts where the mouse
| freezes up for 3-5 seconds at a time when I haven't done much to tax the
| memory of this puppy.

It is a good idea to turn off unused services.

You may want to tweak your system to have more control over what it does.
There are some good tips at http://www.blackviper.com/WinXP/supertweaks.htm
(not my site)

If you search Google there are more good sources for this info.
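
The question raised in this thread, how to tell whether the PC is acting as a server or sending traffic on its own, can also be checked on the machine itself. The following is an added example, not part of any post: it triages `netstat -ano` output for TCP listeners reachable from the network and for a single process holding SMTP connections to several hosts, the pattern behind the spam remark earlier in the thread. The sample output, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.100:1045     203.0.113.25:25        ESTABLISHED     1820
  TCP    192.168.1.100:1046     198.51.100.7:25        ESTABLISHED     1820
  TCP    192.168.1.100:1047     192.0.2.44:25          SYN_SENT        1820
  TCP    192.168.1.100:1050     192.0.2.80:80          ESTABLISHED     3120
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows only: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid)."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def triage(text, smtp_threshold=3):
    """Return (listeners not bound to loopback, PIDs talking SMTP to many hosts)."""
    listeners = []
    smtp = defaultdict(set)
    for lip, lport, rip, rport, state, pid in parse(text):
        if state == "LISTENING" and not lip.startswith("127."):
            listeners.append((lport, pid))      # reachable from the network
        elif rport == 25 and state in ("ESTABLISHED", "SYN_SENT"):
            smtp[pid].add(rip)                  # outbound mail delivery attempts
    senders = {p: sorted(ips) for p, ips in smtp.items() if len(ips) >= smtp_threshold}
    return sorted(listeners), senders

if __name__ == "__main__":
    listeners, senders = triage(SAMPLE)
    for port, pid in listeners:
        print(f"TCP {port} is listening on a non-loopback address (PID {pid})")
    for pid, ips in senders.items():
        print(f"PID {pid} has SMTP connections to {len(ips)} hosts: {', '.join(ips)}")
```

The PID column can be matched to a program name in Task Manager once its PID column is enabled. Because netstat is a snapshot taken on the suspect machine itself, the router-side logging described earlier in the thread remains the independent check.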
 
