12-22-2003, 07:42 AM   #1
atropine
Question on trojans/viruses

Hi! I am pretty computer illiterate ... but starting to learn the hard way it seems. Before posing this question, I have looked through some other posts to see if I could find anything without bothering anyone with another of the same type. However, my question still remains, so here goes:

I had a trojan several months ago (from a joke file I had saved) and, since my husband was going to install Windows XP, he went ahead and reformatted my computer after deleting that file. We also purchased Norton Internet Security and Antivirus. With this I immediately began getting security alerts - all stating "Backdoor/SubSeven Trojan horse" and "Protocol: TCP (Inbound)". My ISP changes the IP address every so many weeks so we figured people were just still trying to connect to the IP that used to be infected. It has now been 2 months and I still get security alerts ... and lately they have reached 5 - 10 per day and all still stating the same (Backdoor/SubSeven Trojan).

The only other things I have seen in the alerts over the 2 months have been one port scan, an invalid TCP, an alert on one BackOrifice Trojan (also Inbound), and "lsass.exe" trying to connect to the internet (once). When this happened, I tried to research on the internet and ended up fearing I had the Nimda Trojan and downloaded the removal tool from Symantec but it would stop half way through the scan and say an error was making it close.

I update Windows and the virus scan regularly as well as do the Symantec security check. The security check has always shown all ports in stealth mode until the other day when it showed port 80 (HTTP) open. I did online virus scans and NAV and found nothing. When I re-did the security check, the port was back in stealth mode and has not been open when I checked since then. As stated, I have checked my computer with NAV, Symantec, and micro trend with nothing found. Then I tried Spy Sweeper which found "Alexa Toolbar". After browsing the other threads, I then downloaded and tried The Cleaner (nothing found), Ad-aware (found 20 tracking cookies), Spybot (found Alexa and 5 DSO Exploits), and Stinger (nothing found).

Since almost anyone out there reading this has more understanding of computers and trojans/viruses than I do, does anyone have any suggestions or ideas on what may be going on - if anything? Are the security alerts all innocent since they are blocked or should I be concerned by their frequency (while in stealth mode) and repeatedly the same type of attack? Do the various things the different scans found mean anything when it is all put together or just a benign coincidence? Any suggestions or ideas about this would be greatly appreciated. Thank you so much in advance!

12-22-2003, 08:12 AM   #2
DVNT1
As for the incoming attacks being reported by NIS, that is normal and isn't a definite sign that you have been compromised. Most common attacks are just made via random destination addresses or systematic addresses chosen because of locality of the subnets to the actual infected host.

In other words, most (if not all) are not personally directed toward your computer. They just scan thousands and thousands of addresses hoping to find a response for the vulnerability they are seeking.

12-22-2003, 08:23 AM   #3
Mickwish
Re: Question on trojans/viruses

Hi atropine, and Welcome to TechIMO!

I'll have a stab at some of these questions you have. There is a lot in there, though.

Quote:
With this I immediately began getting security alerts - all stating "Backdoor/SubSeven Trojan horse" and "Protocol: TCP (Inbound)".
Inbound means it's an attack from outside your PC. Outbound would be bad - that would mean a trojan is trying to "call home". This could be any kind of attacker - maybe a port sniffer just looking for something to get into.

Quote:
My ISP changes the IP address every so many weeks so we figured people were just still trying to connect to the IP that used to be infected.
If the IP address is changed every two weeks, then any previous address the trojan had sent would be invalid. This wouldn't be causing the scans you are getting now. Port scans and trojan attacks are pretty commonplace these days. There are lots of nasties out there.

Quote:
and "lsass.exe" trying to connect to the internet (once).
This is a Microsoft thing. Most times stopping it from connecting to the internet won't do much harm. Might upset Windows Update, I think.

Quote:
Are the security alerts all innocent since they are blocked or should I be concerned by their frequency (while in stealth mode) and repeatedly the same type of attack? Does the various things the different scans found mean anything when it is all put together or just a benign coincidence?
As long as the firewall is reporting them blocked, it's OK. It possibly is because your IP range is somehow being targeted by a trojan (possibly other IP addresses on the list are being used already), so make sure you continue to run the firewall. Oh, and email your ISP and tell them what is happening. Might be something they can block at their end.

Sounds to me like you have run as many tools as you can on your standalone system. A dedicated firewall with intrusion detection would be the next level of protection you could go to, but is probably unnecessary on a single home-based system. Sounds to me like you are as well protected as you can be ATM.

Hope this helps. Some of the real security gurus here will probably weigh in shortly.

Cheers
Mick

I see DVNT1 beat me!
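
An added example, not part of any post in this thread: a small triage script for the inbound/outbound distinction made in the replies above, separating blocked inbound probes (and how many different addresses they come from) from entries worth a closer look. The alert lines are constructed, and the pipe-separated layout and field names are assumptions for illustration, not Norton Internet Security's real log format.

```python
from collections import Counter

# Constructed sample alerts; the pipe-separated layout is an assumption for
# illustration and is not Norton Internet Security's real log format.
SAMPLE_ALERTS = """\
2003-12-20 09:14:02|inbound|198.51.100.7|blocked|Backdoor/SubSeven Trojan horse
2003-12-20 11:40:55|inbound|203.0.113.41|blocked|Backdoor/SubSeven Trojan horse
2003-12-20 16:02:19|inbound|192.0.2.88|blocked|Backdoor/SubSeven Trojan horse
2003-12-21 08:31:47|inbound|203.0.113.41|blocked|BackOrifice Trojan horse
2003-12-21 13:05:10|outbound|192.0.2.200|prompted|lsass.exe
"""

FIELDS = ("time", "direction", "remote_ip", "action", "detail")


def parse_alerts(text):
    """Turn each line into a dict keyed by FIELDS; skip malformed lines."""
    alerts = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            continue
        alert = dict(zip(FIELDS, parts))
        alert["direction"] = alert["direction"].lower()
        alert["action"] = alert["action"].lower()
        alerts.append(alert)
    return alerts


def triage(alerts):
    """Split alerts into blocked inbound probes and entries to review."""
    blocked_inbound, review = [], []
    for a in alerts:
        if a["direction"] == "inbound" and a["action"] == "blocked":
            blocked_inbound.append(a)
        else:
            # Outbound traffic, or inbound traffic that was not blocked.
            review.append(a)
    return {
        "blocked_inbound": len(blocked_inbound),
        "distinct_sources": len({a["remote_ip"] for a in blocked_inbound}),
        "by_detail": Counter(a["detail"] for a in blocked_inbound),
        "review": [(a["time"], a["direction"], a["detail"]) for a in review],
    }


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE_ALERTS)))
```

Many blocked inbound alerts spread over several unrelated source addresses match the background scanning described in the replies; the "review" list is where an outbound attempt, such as the lsass.exe entry, would show up with the program name to check.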

12-22-2003, 09:22 PM   #4
atropine
Thank you so much for the warm welcome as well as the comfort in your knowledgeable words! I feel a bit more secure now since I understand it a bit more. I just have this deep-seated fear of PC violation after finding a trojan once before and I like to try to understand the things I fear in order to help alleviate that. You guys have already been most helpful and reassuring. Thank you again!