I just noticed that my firewall was off... it's never off... I make sure of it... and I'm the only one who has access to my computer. Anyway, the firewall's engine was off, and I just checked the logs... and the last few entries are weird... and several of them look spoofed (you know in IRC, how the Linux people can spoof their addresses)...
Now how can I make completely sure that everything is OK? My antivirus is still on, and was updated yesterday, I believe... and I did an online scan the day before that. I have no idea how they got through. Earlier someone from my ISP kept trying to gain access to my account, so I reported them to my ISP... some sort of vengeance?
Oh yeah, I just remembered... the reason why I did an update of my antivirus yesterday was because for some reason it was disabled... it wouldn't start back up via the icon in the task bar (Norton AntiVirus Corporate Edition), and when I tried to start it manually via Services, it said the environment wasn't correct. So I uninstalled and reinstalled the antivirus and did an online scan.
What programs are good for finding trojans?

The Cleaner from MooSoft is a good trojan cleaner, 30-day trialware.
http://www.moosoft.com/thecleaner/
I think it is written by Puppet, the Windows help channel's op on Undernet.

I tried something called TauScan, but it didn't find anything. I tried your "The Cleaner"... it found 3 trojans. What's interesting is that 2 of the trojans are the same... the one from GRC, and the last one is an mIRC trojan called Aristotles, but I don't use mIRC to chat (I use Trillian); plus mIRC's script.ini file is empty (but the program you recommended said it had it). Plus, having IRC'd since 1992, I know never to accept any downloads.
Anyway, I went digging around and found that my firewall had been set up to trust everyone from my ISP's IP range, and to give them access to my files and folders...
Event Viewer reports that my firewall service was terminated unexpectedly, and it also reports the following:
The description for Event ID ( 4000 ) in Source ( fwdrv ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: \Device\FWDRV, BufferAllocate: BufferSize (8246) > MaxBufferSize .
Looks like a buffer overrun? And also, I don't understand why my computer would need to display messages from a remote computer when I don't have a LAN or anything set up. It also says that the event log was turned off for a minute before being turned back on...
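The three signals in the post above (a firewall service dying unexpectedly, the fwdrv "BufferSize (n) > MaxBufferSize" message, and the event log being stopped and restarted a minute later) are the kind of thing worth pulling out of an exported log mechanically rather than by eye. The script below is an added example, not code from the original thread or from Kerio; it assumes a hypothetical tab-separated export (timestamp, source, event ID, message) and works over a constructed sample that reuses the message text quoted in the post. The Windows event IDs it keys on (7034 service terminated unexpectedly, 6006 event log stopped, 6005 event log started) are standard, but the sample lines themselves are made up.

```python
import re
from datetime import datetime

# Constructed sample in a hypothetical tab-separated export format; not a real
# export from the poster's machine. Only the fwdrv message text comes from the post.
SAMPLE_LOG = """\
2003-05-10 02:14:03\tService Control Manager\t7034\tThe Kerio Personal Firewall service terminated unexpectedly.  It has done this 1 time(s).
2003-05-10 02:14:05\tfwdrv\t4000\t\\Device\\FWDRV, BufferAllocate: BufferSize (8246) > MaxBufferSize
2003-05-10 02:15:10\teventlog\t6006\tThe Event log service was stopped.
2003-05-10 02:16:02\teventlog\t6005\tThe Event log service was started.
2003-05-10 09:00:00\tService Control Manager\t7036\tThe Print Spooler service entered the running state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t(?P<source>[^\t]+)\t(?P<eid>\d+)\t(?P<msg>.*)$"
)
BUFFER_RE = re.compile(r"BufferAllocate: BufferSize \((\d+)\) > MaxBufferSize")
TERM_RE = re.compile(r"^The (.+?) service terminated unexpectedly")


def parse_log(text):
    """Turn the export into a list of event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "source": m.group("source"),
            "event_id": int(m.group("eid")),
            "message": m.group("msg"),
        })
    return events


def find_buffer_errors(events):
    """fwdrv refused an oversized buffer; keep the requested size for correlation."""
    hits = []
    for e in events:
        if e["source"].lower() != "fwdrv":
            continue
        m = BUFFER_RE.search(e["message"])
        if m:
            hits.append((e["ts"], int(m.group(1))))
    return hits


def find_unexpected_terminations(events):
    """Names of services the Service Control Manager reported as dying (ID 7034)."""
    names = []
    for e in events:
        if e["event_id"] != 7034:
            continue
        m = TERM_RE.match(e["message"])
        if m:
            names.append(m.group(1))
    return names


def find_logging_gaps(events):
    """Pair each 'event log stopped' (6006) with the next 'started' (6005)."""
    gaps = []
    stopped_at = None
    for e in events:
        if e["event_id"] == 6006:
            stopped_at = e["ts"]
        elif e["event_id"] == 6005 and stopped_at is not None:
            seconds = int((e["ts"] - stopped_at).total_seconds())
            gaps.append((stopped_at, e["ts"], seconds))
            stopped_at = None
    return gaps


def triage(text):
    """Summarise the signals a responder would want to look at first."""
    events = parse_log(text)
    return {
        "buffer_errors": find_buffer_errors(events),
        "terminations": find_unexpected_terminations(events),
        "logging_gaps": find_logging_gaps(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A gap in the event log right after the firewall died is the part that matters most: anything that happened during those seconds is simply not recorded, so the absence of further entries proves nothing.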

Once you have everything back in place, I would suggest that you go to www.pcflank.com (or some other firewall checker) for a checkup.
Underdog
V-Peace-V

Hi Shaddow,
What kind of firewall are you running?
From what you say about the buffer overflow (and this is only a guess), it seems that your computer has been botted and that you may have a Bionet trojan, as you mention that your anti-virus program has been disabled.
If so, do a free trojan and port scan at PCFlank, install RegProt, and download a free 30-day trial of Trojan Hunter and scan your computer.
The Bionet trojan is very hard to manually disable, as it is capable of masking itself and is extremely hard to find, so if Trojan Hunter cannot destroy it you may want to install BOClean.
Check your files for these files:
Bionet.exe - 409,088 / 488,960 / 525, / 530,432 / 604,160 / 609,792 / 626,688 / 638,976 / 648,192 / 665,600 / 667,136 / 669,904 / 2,008,576 bytes
Builder.exe - 563,200 / 563,712 / 579,072 / 593,920 / 633,856 / 651,776 / 654,336 / 710,656 / 872,960 / 879,616 / 885,760 bytes
Server.exe - 225,480 / 269,490 / 271,026 / 271,388 / 273,588 / 274,662 / 316,590 / 404,480 / 415,744 / 425,472 / 727,040 bytes
Servernt.exe - 415,232 bytes
Server37.exe - 265,904 bytes
Debug.exe - 404,480 / 415,744 / 425,472 bytes
Debugnt.exe - 415,744 bytes
Gcinet.exe - 702,464 / 703,488 bytes
Gcinetnt.exe - 702,464 bytes
Libupdate.exe
Bnscript.ini
Bnhook.dll
Bnplug.dll - 335,360 bytes
Winsock.dll
Explorer.e
Cdeztks.exe
Editor.exe - 318,976 / 319,488 / 610,816 bytes
For more info on Bionet and other Remote Access Trojans, go to www.thepublicworks.com, security section, and follow the link to Simovits Consulting, then go to trojans by name.
hope this helps,
murve
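Checking a drive against a name-and-size list like the one above is tedious by hand, so here is an added example that does it; it is not code from the thread or from any of the tools mentioned. The table is transcribed from the post (the truncated "Bionet.exe - 525," entry is left out because its size is not recoverable; "Explorer.e" is kept exactly as printed). A name-plus-size match is reported as "strong"; a match on name alone is only "weak", since names such as winsock.dll also occur legitimately. The demo scans a throwaway directory filled with constructed files, not the poster's system.

```python
import os
import tempfile

# IOC table transcribed from the post above: file name -> byte sizes it was listed with.
# The truncated "Bionet.exe - 525," entry is omitted (size not recoverable from the post).
SIZED_IOCS = {
    "bionet.exe": {409088, 488960, 530432, 604160, 609792, 626688, 638976,
                   648192, 665600, 667136, 669904, 2008576},
    "builder.exe": {563200, 563712, 579072, 593920, 633856, 651776, 654336,
                    710656, 872960, 879616, 885760},
    "server.exe": {225480, 269490, 271026, 271388, 273588, 274662, 316590,
                   404480, 415744, 425472, 727040},
    "servernt.exe": {415232},
    "server37.exe": {265904},
    "debug.exe": {404480, 415744, 425472},
    "debugnt.exe": {415744},
    "gcinet.exe": {702464, 703488},
    "gcinetnt.exe": {702464},
    "bnplug.dll": {335360},
    "editor.exe": {318976, 319488, 610816},
}
# Entries the post lists without a size ("explorer.e" kept as printed there).
NAME_ONLY_IOCS = {"libupdate.exe", "bnscript.ini", "bnhook.dll",
                  "winsock.dll", "explorer.e", "cdeztks.exe"}


def classify(name, size):
    """'strong' for name+size match, 'weak' for name only, None otherwise.
    Names are compared case-insensitively, as Windows file systems do."""
    key = name.lower()
    if key in SIZED_IOCS and size in SIZED_IOCS[key]:
        return "strong"
    if key in SIZED_IOCS or key in NAME_ONLY_IOCS:
        return "weak"
    return None


def scan_tree(root):
    """Walk root and return sorted (relative path, size, verdict) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:  # unreadable or vanished file: skip rather than abort
                continue
            verdict = classify(fname, size)
            if verdict:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, size, verdict))
    return sorted(hits)


def demo():
    """Build a temporary tree of constructed files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "system32")
        os.makedirs(sys_dir)
        samples = {
            os.path.join(sys_dir, "Server.exe"): 404480,   # name and size match: strong
            os.path.join(sys_dir, "winsock.dll"): 1000,    # name only: weak
            os.path.join(sys_dir, "Bionet.exe"): 12345,    # listed name, unlisted size: weak
            os.path.join(root, "notepad.exe"): 404480,     # size only: not reported
        }
        for path, size in samples.items():
            with open(path, "wb") as f:
                f.write(b"\0" * size)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, size, verdict in demo():
        print(f"{verdict:6} {size:>9} {rel}")
```

Name and size are weak indicators in general (a trojan builder can pad or rename its output), so treat "strong" as "look at this first", not as a verdict; the post's own advice to run a dedicated scanner still applies.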

I was using Kerio Personal Firewall. From time to time it would "forget" the rules and let anyone have access. I've switched firewalls already.
The good thing about being hacked and starting all over is that my computer's fast again; it can go into suspend mode; the hard drive's write caching is enabled again; and I bet if I tried, my OS would be able to use floppies and Zip drives correctly. My printer drivers actually even run now... so now everything is perfect, except that in Power Options there's no option for me to tell it to suspend when I push the reset button...

Ultimate checklist? Yeah, it's real short:
1) Restore from an uncompromised backup.
This is the ONLY way you can 'make sure that everything is ok.'
