uapconsole

Windows XP Exploit - Please Help.


Hello everyone. I have a Dell desktop running Windows XP Home Edition. AVG virus checker found an exploit in Firefox's application database in My Documents. I moved it to the "vault" in AVG. I have several clients to check the safety of my computer and it seems like my machine is secure; however, there is one problem. My DHCP cable modem is directly hooked to my computer. However, even when the computer is idle, the "Send/Receive" LEDs (lights) constantly blink. Do I still have the exploit, or is there some reason I can't catch the "Trojan" the exploit installed? I run a home business and security is #1, so this makes me very concerned. I'd be grateful for all feedback. Thank you and Happy New Year. - Demirelli


Sounds like you need a firewall as well as some virus protection. What firewall are you using? The WinXP built-in one? If so, get rid of it and get something like ZoneLabs or BlackICE. Also, I would do a deep scan with something like Ad-Aware just to check what's been left behind, if anything, by the exploit. My guess is that AVG has done its job because it's one of the best antivirus products on the market.


Probably there are no trojans there. First look at the connection status. Are there any sent/received bytes? My best recommendation to you is to hook all the connections (TCP/IP). To do this you should download a tool named CPorts (or CurrPorts). You can download it from http://www.nirsoft.net/ . So what does this tool do? It shows all the TCP/IP connections, the TCP/UDP ports and all open ports. With this tool you can view what kind of applications are making connections. So then you can find which of your applications (or any running process) is connected to somewhere else. From the connection you can find the IP address of the host that the application is connecting to. If that IP address belongs to an untrusted "X" host then you can kill that application (process). But before killing that process I recommend capturing data on that connection. By capturing you can know exactly what kind of information is being uploaded/downloaded. So in order to capture, I recommend you download a tool named SmartSniff from http://www.nirsoft.net/. SmartSniff captures all the TCP/IP packets that pass through your network adapter. After that you will probably be sure that "x" process is doing "x" things. Or there may be some other things... It's up to your reply. :) Happy New Year!
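The check described above, finding which process owns each outbound connection and whether the far end is outside your own LAN, as an added example that is not from this thread or from NirSoft: this Python script parses constructed output in the shape of the built-in Windows `netstat -ano` command (CurrPorts shows the same data graphically) against a constructed PID-to-process-name map, and lists the established TCP sessions that leave the local network. The sample rows, the process names and the choice of local ranges (RFC 1918, loopback, link-local) are assumptions for the demonstration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the shape of `netstat -ano` output on Windows; not a real capture.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.5:1041       192.168.1.1:80         ESTABLISHED     2100
  TCP    192.168.1.5:1057       203.0.113.45:6667      ESTABLISHED     3388
  TCP    192.168.1.5:1060       198.51.100.9:443       ESTABLISHED     2100
  UDP    0.0.0.0:500            *:*                                    912
"""

# Constructed PID -> image name map (what `tasklist` would show); assumed values.
PROCESSES = {948: "svchost.exe", 2100: "firefox.exe", 3388: "unknown.exe", 912: "lsass.exe"}

# Ranges that stay on the LAN or the machine itself; anything else leaves your network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10")]

Conn = namedtuple("Conn", "proto local remote state pid")

def parse_netstat(text):
    """Turn netstat -ano rows into Conn tuples; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if proto == "TCP" else ""
        conns.append(Conn(proto, local, remote, state, int(parts[-1])))
    return conns

def is_external(addr):
    """True when a host:port endpoint points outside LOCAL_NETS."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*:*" style placeholders
    return not any(ip in net for net in LOCAL_NETS)

def external_connections(text, processes):
    """(process name, remote endpoint) for every established TCP session leaving the LAN."""
    return [(processes.get(c.pid, "pid %d" % c.pid), c.remote)
            for c in parse_netstat(text)
            if c.proto == "TCP" and c.state == "ESTABLISHED" and is_external(c.remote)]
```

Anything this returns that you cannot tie to a program you recognise is the connection worth capturing with SmartSniff before you kill the process.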


Thank you for replying, guys. I have a Dell desktop and a Gateway laptop on a wireless network. Router: new Linksys/Cisco powered wireless router/switch. My WAN/ISP connection is a standard 384 kbps DHCP cable modem from Charter Communications. Both machines run Windows XP Home Edition. They run AVG for virus scanning and ZoneAlarm for the firewall. AVG did find an exploit in My Documents/Firefox/...Application Data/... I placed this file in the "virus vault" of the AVG agent. Now there are no reports of exploits. However, I am still a bit paranoid about these LEDs flashing on the cable modem. The Receive LED "flickers" even if both machines are idle. I even turned both machines off completely and the lights continued to blink. This leads me to conclude that perhaps there is a trojan client trying to shake hands with a trojan server that might be installed on one of my nodes. I hope I am being too paranoid, but it's good to be on the safe side. I will try the TCP monitor you suggested, Neo. Happy New Year.


The lights on my cable modem blink even when my computers are off. It is just an occasional message that your ISP sends you in order to test your connection and stuff like that. It isn't a harmful data packet that is going through (I hope). Anyways, I wish you the best of luck figuring out what it is. And hopefully it isn't something malicious attempting to connect. :|


There is a lot of garbage that passes through an unfiltered cable connection. One possibility is of course your ISP sending its routine maintenance packets. On my particular network, the raw stream is filled with ARP packets from everyone on my node. I live in a fairly rural area so that could be many square miles.

In the end, think of your cable modem as a miniature computer. It has its own memory, processor, and operating system. Even if your main computer is off, this small computer is still running in the background receiving packets from the Internet. Depending on the model, even if nothing is attached to the modem, it can still send ping replies and you can possibly remotely connect to the modem. Some networks are not internally switched, so you are actually seeing every conversation on your node. Add to that the fact that just about every IP gets scanned several times a day (possibly hundreds) by automated port scanners. In the end, there are a lot of raw packets hitting your cable modem.

A more valid reporting mechanism would be to look at the modem link light. These are the packets that are actually forwarded to your network (in this case your computer). Not every packet hits your computer, and this should be a better indication of how much traffic you are receiving. Another monitoring tool is Wireshark (formerly Ethereal), located at https://www.wireshark.org/. It's free, and all you have to do is open a listener and see what is actually hitting your computer. I'm on the paranoid side, so I actually listen to my traffic several times a month just to make sure nothing nasty has gotten in and is trying to phone home. In most cases you should have a very quiet wire as long as you are not surfing the net, apart from the occasional antivirus update.

I think the best solution for you is to get a hardware firewall or even a NAT router. This will stop 99% of the traffic from getting to your computer. I make this recommendation to everyone who has a computer, not just in your case.


Multiple antivirus and firewall products will NOT help. They can cause compatibility issues and will interfere with each other. Multiple anti-spyware programs WILL help, because sometimes one doesn't catch all of them. I once had up to 7 anti-spyware programs on my computer. I still have the installation files; it's just that they can't be installed because Shaw Secure won't allow me to. Spybot S&D, Ad-Aware Personal Edition and Yahoo! Toolbar with Anti-Spy are all good software to use to defend yourself from spyware.


ZoneAlarm's new firewall is pretty tough on rules. I would suggest you try that. When it's running, select "Lock all internet activity" and then see if the lights on the modem still blink. If they do, then that's just the modem checking in, possibly rejecting pings, whatever. Then again, any decent firewall should have that option, so probably whatever you're running has it too. For the paranoid, I haven't found anything yet that beats Kaspersky. I don't use it because it slows down the computer somewhat in its realtime scanning mode, but I don't know how much more secure you can get than that.

