Is This A Trojan?

Kuade

Guest
Norton Internet Security was annoying the heck out of me so I got Zone Alarm. It's picked up an endless number of the following -

The firewall has blocked Internet access to irc.dalnet.com (209.116.7.23) (TCP Port 6667) from your computer [TCP Flags: S].

Time: 25/04/2002 9:15:28 PM

The firewall has blocked Internet access to your computer (Telnet) from 209.171.61.138 (TCP Port 45786) [TCP Flags: S].

Time: 25/04/2002 8:51:04 PM

c:\nslookup 209.171.61.138

Server: dns1.tpgi.com.au
Address: 203.12.160.35

Name: proxy2.monitor.dal.net
Address: 209.171.61.138
 
I might also add that Norton Internet Security never picked this up.

I also noticed when I loaded Zone Alarm and connected to the internet that a warning came up saying "Do you want to allow to do blah blah blah". There wasn't a specific file or program indicated after the word allow. Could this be a hidden program (Trojan) or is this my Windows XP internet sharing?
 
Do you use mIRC?

I'm not a security expert, but I think mIRC uses TCP Port 6667 to connect to the server
- (m)irc.dalnet.com -.
So, it's probably just annoying.


And for the other one(s), I guess that's "normal".

This is what I get after a few hours' surfing :( (just a tiny bit of the full log file)

FWIN,2002/04/05,10:42:20 +2:00 GMT,210.135.92.189:1749,24.132.90.xxx:21,TCP (flags:S)
FWIN,2002/04/05,10:47:02 +2:00 GMT,24.214.174.253:1102,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,11:18:17 +2:00 GMT,24.83.196.209:4046,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,11:49:31 +2:00 GMT,168.243.3.6:21,24.132.90.xxx:21,TCP (flags:S)
FWIN,2002/04/05,12:27:45 +2:00 GMT,24.220.64.134:3997,24.132.90.xxx:27374,TCP (flags:S)
FWIN,2002/04/05,13:35:41 +2:00 GMT,24.242.112.150:1497,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,13:45:53 +2:00 GMT,24.206.81.149:3592,24.132.90.xxx:1080,TCP (flags:S)
FWIN,2002/04/05,14:20:20 +2:00 GMT,24.234.170.222:3438,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,15:18:10 +2:00 GMT,24.200.162.117:2486,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,15:34:24 +2:00 GMT,24.57.44.81:2150,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,16:26:57 +2:00 GMT,24.156.22.17:4453,24.132.90.xxx:27374,TCP (flags:S)
FWIN,2002/04/05,16:30:52 +2:00 GMT,24.202.122.26:1654,24.132.90.xxx:80,TCP (flags:S)
FWIN,2002/04/05,16:39:06 +2:00 GMT,68.0.81.110:4844,24.132.90.xxx:27374,TCP (flags:S)
FWIN,2002/04/05,16:55:17 +2:00 GMT,62.150.48.250:56308,24.132.90.xxx:515,TCP (flags:S)
FWIN,2002/04/05,17:14:23 +2:00 GMT,62.194.201.14:2546,24.132.90.xxx:27374,TCP (flags:S)

But, like I said: I'm not a security expert, I could be wrong!
 
If you're not running any IRC program then chances are yes, you have a trojan/zombie. Some trojans connect to IRC to inform people when you are online so they can have their fun. Others can be used in DDoS attacks, where your computer is used as a base to launch a hack attack against someone else (usually involves a lot of computers).
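
The distinction the replies above draw (unsolicited inbound probes versus outbound connections to IRC from a machine with no IRC client) can be checked directly against the firewall log. The following is an added example, not part of the original thread: it parses lines in the FWIN layout quoted above. The FWOUT record type for blocked outbound traffic, the list of IRC ports, and all sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the FWIN layout quoted above. The FWOUT lines are an
# assumption about how the same log would record blocked outbound traffic.
SAMPLE_LOG = """\
FWIN,2002/04/05,10:47:02 +2:00 GMT,192.0.2.10:1102,198.51.100.7:80,TCP (flags:S)
FWIN,2002/04/05,12:27:45 +2:00 GMT,192.0.2.11:3997,198.51.100.7:27374,TCP (flags:S)
FWIN,2002/04/05,16:26:57 +2:00 GMT,192.0.2.12:4453,198.51.100.7:27374,TCP (flags:S)
FWOUT,2002/04/05,21:15:28 +2:00 GMT,198.51.100.7:1042,203.0.113.23:6667,TCP (flags:S)
FWOUT,2002/04/05,21:16:01 +2:00 GMT,198.51.100.7:1043,203.0.113.23:6667,TCP (flags:S)
this line is malformed and must be skipped
"""

# direction, date, time, src:port, dst:port, protocol
LINE_RE = re.compile(
    r"^(FWIN|FWOUT),([^,]+),([^,]+),([^,:]+):(\d+),([^,:]+):(\d+),(\w+)")

IRC_PORTS = set(range(6660, 6670)) | {7000}  # common IRC ports (assumed list)

def parse(log_text):
    """Yield one dict per well-formed firewall line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, date, time, src, sport, dst, dport, proto = m.groups()
            yield {"dir": kind, "date": date, "time": time, "src": src,
                   "dst": dst, "dport": int(dport), "proto": proto}

def triage(log_text):
    """Split blocked traffic into inbound probe counts and outbound IRC attempts."""
    inbound_ports = Counter()
    outbound_irc = []
    for e in parse(log_text):
        if e["dir"] == "FWIN":
            inbound_ports[e["dport"]] += 1      # unsolicited probes from outside
        elif e["dport"] in IRC_PORTS:
            outbound_irc.append((e["date"], e["time"], e["dst"], e["dport"]))
    return inbound_ports, outbound_irc

if __name__ == "__main__":
    probes, irc = triage(SAMPLE_LOG)
    print("Inbound probes by destination port:", probes.most_common())
    for date, time, dst, port in irc:
        print(f"Outbound IRC attempt {date} {time} -> {dst}:{port} "
              "(find the owning process if no IRC client is installed)")
```

Inbound counts show what the outside world is probing for; any outbound IRC entry on a machine without an IRC client is the item to trace back to a local process.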
 
What has brought my concern to light is the fact that my ISP emailed me, threatening to disconnect me if I continued trying to port scan a server at the University of California. I was sent a log file as well. The thing is, I wouldn't have a clue where to start with that. My guess is someone got into my machine through an open port and did it.

My problem is I had Norton Internet Security running at the time. I also downloaded and installed Swat It, a trojan scanner, but it didn't find anything.

I've attached one of the warnings that Zone Alarm picked up.

I have to accept some of them for my IE to work. So I'm not sure where the problem is or if what I've found is a trojan. Whatever " " is, it's not running as a process.
 
