July 14th, 2002 07:16 AM
Trojans disabling anti-virus?
I've recently been getting alerts from my Norton Personal Firewall that said connection request to SubSeven Server or NetBus Trojan from (xxx.xxx.xx.xx) auto-blocked. I'm not really worried because I have 2 firewalls running and this is only my dial up router computer (Nothing important on here, it's all behind it on a LAN). I have the most up to date Norton and anti virus versions (live updated today before this happened, and 3 weeks before). Of course, I never play with trojans or anything and I think it's a possibility someone with physical access to the computer infected me. Can these or other trojans disable Norton AntiVirus completely, even the updated versions? I've performed a full system scan which turned up nothing, and I have auto-protect enabled. I am extremely embarrassed to admit I use dial up AOL, but I use the freebie ISPs when something like this happens.
July 14th, 2002 08:31 AM
Happens all the time, more common in viruses though. I have actually never seen SubSeven disable an AV utility. I didn't think that functionality was built into it. But to answer your question, yes. Check to see if your AV program still works. And then reinstall it, because that may be the only way to get it to work again.
July 14th, 2002 10:21 AM
Re: Trojans disabling anti-virus?
When you don't trust your AV, do a free online check at trend.com
I'm gone, thx everyone for so much fun and good info.
cheers and good bye
July 14th, 2002 01:47 PM
If the attacker has access to the machine, he/she can disable/enable anything, even AV. Yes, SubSeven has potential for that feature, even NetBus.
I have actually never seen SubSeven disable an AV utility.
July 14th, 2002 06:30 PM
Dude, if you're using Norton Antivirus like me, there is a problem. You need to go in the options and into the Exclusions section. Norton by default does NOT scan the \_RESTORE\ directory which is the SYSTEM RESTORE directory in Windows. REMOVE THIS from the exclusion list and run the scan again. Chances are the trojan is in there. (I had this EXACT SAME PROBLEM) Now it's not as easy as it sounds though! Norton can't just delete stuff from the restore directory because all the files are 'in use'. What you need to do is the following: (I use Windows ME so it may be a little different from what you may be using ;-)
1. Right Click on My Computer and go to 'Properties'
2. Click on the 'Performance' Tab
3. Click on 'File System' then on the 'Troubleshooting' tab
4. Check the 'Disable System Restore' box, click ok and reboot!
This empties the restore directory right out. Scan again just to make sure all the traces are gone. Also, Windows ME and XP both have UPnP active by default which runs off of port 5000. THIS PORT IS A TROJAN PORT!!! (I have no clue what Microsoft was thinking when they did this, maybe they weren't) You need to get the patch off their site for that by the way. My firewall logged these as a local connection to a 'Backdoor-g-1' trojan. It could be either of these, maybe even both. I suggest you follow the instructions I gave you up top and get the update. EVERY trojan I have ever had spread to the Restore directory. I'm still mad at Symantec for excluding this directory by default. Some people these days...
Alcohol & calculus don't mix. Never drink & derive.
July 14th, 2002 07:16 PM
If the person had physical access to your machine then it's somebody you know just trying to play a practical joke on you. I don't know about Norton's firewall but I know that Zone Alarm hasn't let any of many many attempts on me get through and I'm "pretty sure" that Sub7/NetBus can't shut down your AV proggy unless it's already connected to a console.
I did not come here to tell you how it is going to end, I came here to tell you how it was going to begin. I'm going to hang up this phone, then I'm going to tell these people what you don't want them to hear.
July 14th, 2002 07:34 PM
I had the very same problem, uninstalling Norton won't work like someone said, I ended up reformatting for this and other reasons, because I didn't know about any fix, silly me!
Search First Ask Second. www.google.com
July 14th, 2002 08:03 PM
When your firewall notifies you of these connection attempts, it doesn't mean you have the trojan on your system.
What you're seeing are kiddies scanning the internet, looking for infected computers. If they get a response to their connection attempt, it is logged and when their scanner's run is done they'll come back to play with it.
You'll get these all the time, it means nothing.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
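The distinction made in the post above, a blocked inbound probe versus a host that actually answers on a trojan port, shown as an added example that is not part of the thread. The log line format and the sample entries are constructed for illustration (not Norton's real format); the port numbers are the well-known default listener ports for SubSeven and NetBus.

```python
import re
from collections import Counter

# Well-known default listener ports of the trojans named in the thread.
TROJAN_PORTS = {27374: "SubSeven", 12345: "NetBus", 12346: "NetBus"}

# Constructed log format (an assumption, not a real product's format):
# <time> <BLOCK|ALLOW> <IN|OUT> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample entries; 192.0.2.10 plays the dial-up router PC.
SAMPLE_LOG = """\
07:01:12 BLOCK IN 203.0.113.7:1042 -> 192.0.2.10:27374
07:01:13 BLOCK IN 203.0.113.7:1043 -> 192.0.2.10:12345
07:09:40 BLOCK IN 198.51.100.23:3310 -> 192.0.2.10:27374
07:15:02 ALLOW OUT 192.0.2.10:1201 -> 198.51.100.80:80
07:20:55 ALLOW IN 198.51.100.99:4001 -> 192.0.2.10:27374
07:21:30 ALLOW OUT 192.0.2.10:27374 -> 198.51.100.99:4001
garbage line
"""

def classify(line):
    """Return (verdict, trojan_name) for one firewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("unparsed", None)
    dport, sport = int(m["dport"]), int(m["sport"])
    if m["dir"] == "IN" and dport in TROJAN_PORTS:
        # A blocked probe is scanner noise; an allowed one reached the port.
        verdict = "probe-blocked" if m["action"] == "BLOCK" else "probe-allowed"
        return (verdict, TROJAN_PORTS[dport])
    if m["dir"] == "OUT" and sport in TROJAN_PORTS:
        # Heuristic: this host sending from a trojan port suggests a listener.
        return ("local-listener-replied", TROJAN_PORTS[sport])
    return ("other", None)

def summarize(log_text):
    """Count verdicts over all non-empty lines of a log."""
    return Counter(classify(l)[0] for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for verdict, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{verdict:24} {count}")
```

Only the `probe-allowed` and `local-listener-replied` verdicts call for checking the host itself, for example by listing its listening ports with `netstat -an`.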
July 14th, 2002 08:52 PM
It's not only a connection attempt, the alert said the connection attempt was to SubSeven or NetBus trojan. I reformatted the drive late last night (I set the computer up so I could wipe it in an emergency) and I was going to use it to scan the rest of my network for anything else. But I accidentally fried that machine I think while plugging in an ethernet cable while the machine was booting and it just went off and I can't get it to even come back on. Back to square one here, but luckily there's nothing even slightly important on there. Anybody know of any good pay-as-you-go ISPs with no proprietary Windows software? (I'd love to use a Slackware router)
July 14th, 2002 09:02 PM
As far as I know, NetBus or Sub Seven Trojans cannot disable your anti-virus. But there are many that can. Some people might send you those kinds of viruses first, through e-mail or messengers, then they might send you a Trojan.
So be careful what you are downloading.
It's good to have an updated firewall and an anti-virus.
With great power comes great responsibility.