I have a Windows XP Pro SP2 with only one account (administrator) that is password protected.
I am not connected to any networks other than my ISP's ADSL connection, from which I get a dynamic IP address, and even though I don't have a firewall program, it's worth mentioning I am behind a router.
I have file sharing in my computer enabled, but as far as I know, for anyone to even get the list of the shares, they should know my password.
I am also using Trillian messenger, which has a 3rd party plugin which will let me know when shares in my computer have been accessed (specifically the folders, only if they are accessed).
Recently Trillian is notifying me about some people accessing my shares, and I am surprised how in hell could that be possible.
Without knowing my password they shouldn't even be able to see the name of a shared folder.
OK, there are some shares with "every one" given read permission, but they shouldn't be able to see them. They should be able to access them if they know exactly the name.
After this incident I changed the permission of the shares only to administrator in my computer.
BUT again today I was notified that the shares were accessed.
How could that even be possible,
in a network with no other computer and my IP being 192.168.1.x?
I even changed my password, but it seems they somehow find their way into my computer.
I am really concerned about this issue.
I am working with this Windows for more than a year, and this is the first time I am seeing such a thing!

Close all windows and run netstat -an from a command prompt. Look in the foreign address column to see who is connected to your PC. If you don't understand the output, post it here. Have you opened any attachments lately?

They are usually not connected so long.
I only get "folder x has been entered by %remote username% (%remote computername%)" or " %r user% (%r computername) leaved the folder x".
My Norton Antivirus 2006 and Windows Defender are always on and running. I have never received any attachments and I never opened a suspicious file.
One thing that I am sure of is that my system is clean.
Even if it wasn't, they should be able to access my computer directly, assuming there is a server sending info in reverse or has opened a port in the router (which it hasn't).
So accessing shares that would be possibly from a LOCAL network is making me think if there is something (somebody) f---ing around from my ISP or through them.

Just because Norton flashes the warning on the screen for a second or two, doesn't mean that they aren't connected for a longer time.
Run the netstat -an the way I said. See what's happening.
Also, you posted the warnings as variables using %_%. Didn't you get more detail? If you did, post it.

Norton doesn't say anything.
It is my "share watcher" plugin, and the plugin is pretty much exact about when they enter or leave.
I am familiar with netstat and I don't think that would give me any information regarding how they are accessing my computer (to be more specific, my shares).
If you want actual logs, here are some:
%Date% %Time% %Action% %Username% %ComputerIP% %ComputerName% %ShareName%
This is when I had some folder with read permission for everyone:
13/11/2006 18:36:08 "ENTER" "TOMI" "TOMI" "TOMI" "kaplan"
13/11/2006 18:36:09 "ENTER" "TOMI" "TOMI" "TOMI" "NAV2005"
13/11/2006 18:36:17 "LEAVE" "TOMI" "TOMI" "TOMI" "kaplan"
13/11/2006 18:36:17 "LEAVE" "TOMI" "TOMI" "TOMI" "NAV2005"
14/11/2006 16:26:24 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "kaplan"
14/11/2006 16:26:24 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "NAV2005"
14/11/2006 16:26:33 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "kaplan"
14/11/2006 16:26:33 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "NAV2005"
14/11/2006 17:21:49 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "kaplan"
14/11/2006 17:21:50 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "NAV2005"
14/11/2006 17:21:55 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "kaplan"
14/11/2006 17:21:55 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "NAV2005"
15/11/2006 18:44:04 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "2005"
15/11/2006 18:44:05 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "s"
15/11/2006 18:44:08 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "2005"
15/11/2006 18:44:09 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "s"
This is when I changed the access permissions to administrator only:
16/11/2006 20:07:38 "ENTER" "MONCI" "5A" "5A" "INSTALL"
16/11/2006 20:07:40 "ENTER" "MONCI" "5A" "5A" "Scripts"
16/11/2006 20:07:52 "LEAVE" "MONCI" "5A" "5A" "INSTALL"
16/11/2006 20:07:52 "LEAVE" "MONCI" "5A" "5A" "Scripts"
16/11/2006 20:10:07 "ENTER" "RENDSZER GAZDA" "NEC" "NEC" "INSTALL"
16/11/2006 20:10:07 "ENTER" "RENDSZER GAZDA" "NEC" "NEC" "Scripts"
16/11/2006 20:10:15 "LEAVE" "RENDSZER GAZDA" "NEC" "NEC" "INSTALL"
16/11/2006 20:10:16 "LEAVE" "RENDSZER GAZDA" "NEC" "NEC" "Scripts"
16/11/2006 20:47:11 "ENTER" "MONCI" "5A" "5A" "INSTALL"
16/11/2006 20:47:13 "ENTER" "MONCI" "5A" "5A" "Scripts"
16/11/2006 20:47:18 "LEAVE" "MONCI" "5A" "5A" "INSTALL"
16/11/2006 20:47:18 "LEAVE" "MONCI" "5A" "5A" "Scripts"
17/11/2006 06:35:40 "ENTER" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "INSTALL"
17/11/2006 06:35:41 "ENTER" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "Scripts"
17/11/2006 06:35:42 "LEAVE" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "INSTALL"
17/11/2006 06:35:42 "LEAVE" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "Scripts"
17/11/2006 15:37:42 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "INSTALL"
17/11/2006 15:37:42 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "Scripts"
17/11/2006 15:37:43 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "INSTALL"
17/11/2006 15:37:43 "LEAVE" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "Scripts"
17/11/2006 16:15:23 "ENTER" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "INSTALL"
17/11/2006 16:15:23 "ENTER" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "Scripts"
17/11/2006 16:15:32 "LEAVE" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "INSTALL"
17/11/2006 16:15:32 "LEAVE" "RENDSZERGAZDA" "MS-COMPUTER" "MS-COMPUTER" "Scripts"
Anyways, attacks seem to have stopped since I've posted here...
hmm...

Entering and leaving in a matter of seconds really wouldn't give anyone enough time unless they were grabbing the shares by TFTP, not FTP, TFTP.
I was under the impression that it wasn't done anymore, possibly due to patches or port filtering but maybe I'm wrong.
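
Added example (not part of the original thread and not the plugin's own code): a parser for the share-watcher log format quoted above that pairs ENTER/LEAVE events and summarises, per remote computer name, which shares were touched and for how long. The sample lines are excerpted from the log posted in the thread; `MYPC` is a hypothetical allowlist entry.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Excerpt of the log posted in the thread. Field order, per the poster:
# %Date% %Time% %Action% %Username% %ComputerIP% %ComputerName% %ShareName%
SAMPLE_LOG = '''\
13/11/2006 18:36:08 "ENTER" "TOMI" "TOMI" "TOMI" "kaplan"
13/11/2006 18:36:17 "LEAVE" "TOMI" "TOMI" "TOMI" "kaplan"
16/11/2006 20:10:07 "ENTER" "RENDSZER GAZDA" "NEC" "NEC" "INSTALL"
16/11/2006 20:10:15 "LEAVE" "RENDSZER GAZDA" "NEC" "NEC" "INSTALL"
17/11/2006 15:37:42 "ENTER" "ZSOLT" "ZSOLT-AF9DED630" "ZSOLT-AF9DED630" "Scripts"
'''

def parse_line(line):
    """Split one log line; shlex keeps quoted names with spaces intact."""
    date, time, action, user, addr, host, share = shlex.split(line)
    when = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")
    return when, action, user, addr, host, share

def sessions(log_text):
    """Pair each ENTER with the next LEAVE for the same (user, host, share)."""
    open_at, done = {}, []
    for line in filter(str.strip, log_text.splitlines()):
        when, action, user, _addr, host, share = parse_line(line)
        key = (user, host, share)
        if action == "ENTER":
            open_at[key] = when
        elif action == "LEAVE" and key in open_at:
            start = open_at.pop(key)
            done.append((*key, start, (when - start).total_seconds()))
    # ENTER with no LEAVE: still connected, or the log was cut off.
    still_open = [(*key, start, None) for key, start in open_at.items()]
    return done + still_open

def unknown_hosts(log_text, known_hosts):
    """Summarise access by computer names absent from an upper-case allowlist."""
    summary = defaultdict(lambda: {"shares": set(), "visits": 0, "longest_s": 0.0})
    for _user, host, share, _start, secs in sessions(log_text):
        if host.upper() in known_hosts:
            continue
        entry = summary[host]
        entry["shares"].add(share)
        entry["visits"] += 1
        entry["longest_s"] = max(entry["longest_s"], secs or 0.0)
    return dict(summary)

if __name__ == "__main__":
    # "MYPC" is a hypothetical name for the owner's own machine.
    for host, info in unknown_hosts(SAMPLE_LOG, known_hosts={"MYPC"}).items():
        print(host, sorted(info["shares"]), info["visits"], info["longest_s"])
```
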
