SMB security. Strange .exes dropped on my machine

slimharpo (2[H]4U, joined Aug 14, 2000, 2,218 messages)
I have a Windows XP Home machine that connects to the internet via an internal DSL modem. "File and Printer Sharing" is, has always been, and was by default upon installation disabled (unchecked in the properties) on that device. This computer also has an internal NIC that connects to a switch to which is also connected a linux machine. "File and Printer Sharing" is *enabled* on that internal NIC, and I have, for a long time, shared several folders with that linux machine via Samba. The XP machine has Internet Connection Sharing enabled on the DSL modem, which allows the linux machine to get out to the internet.

I also run Kerio/Tiny Personal Firewall and AVG anti-virus on the XP machine. I've never had any problems with this setup until yesterday, when I found, within each of the shared folders, an executable called "OPEN_ME.exe". AVG picked these up as "win32/Spybot", and deleted them. The info for this virus said that, among other things, machines infected with this virus/trojan seek out file shares and drop such executables in them.

I was pretty concerned when this happened. Having disabled SMB file sharing on the DSL modem, there shouldn't be any way for "outsiders" to access these folders, right? I had, briefly, earlier that day, turned off my software firewall while trying to get the ntp daemon on my linux machine to work. I figured that the .exe drops had happened then. Since then, though, the firewall has been on, and is and has always been configured to only allow Windows Networking from "trusted addresses" on my local network. Regardless, this morning I found that there were again "OPEN_ME.exe" executables in each of the shared folders on the Windows machine. This time, AVG identified them as some other type of virus/trojan, a PE infector that sounded pretty damn nasty. Again, they were deleted easily enough.

I have since disabled all the shared folders on the XP machine. My question is, what the hell is going on? The XP machine is, and has always been, up to date at Windows Update. I don't use Kazaa or any other file-sharing software, and don't download or run anything shady. How is it that something out there on the internet is able to access these shared folders? Shouldn't disabling "File and Printer Sharing" on the DSL modem, with my setup, be all that's needed to make the shares inaccessible to the internet?

I've tried to be thorough, but let me know if there's any other information that would help figure out what's going on.

[edit]
A full system scan with both AVG and Ad-Aware reveals nothing unusual, so I don't think it's that the Windows machine somehow became infected and is dropping these .exes into its own shares. I also don't use Outlook, and hardly ever run IE from the Windows machine. I basically just use the Windows machine for playing games.
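The question above is really "where is SMB actually listening on this multi-homed ICS box?", which the per-adapter sharing checkbox does not answer by itself. As an added example (not from the poster or from any tool named in the thread), the script below parses `netstat -an` output and sorts Windows-networking listeners (135, 137, 138, 139, 445) into those bound only to the LAN-side address and those bound to a wildcard or any other address, which the DSL side can reach; the sample netstat text and the 192.168.0.1 / 203.0.113.7 addresses are constructed for the demonstration.

```python
import re

# Ports that carry Windows networking. Any of them answering on the DSL side
# gives a share-crawling worm like the one in this thread a way in.
WINDOWS_NETWORKING_PORTS = {
    135: "RPC endpoint mapper", 137: "NetBIOS name", 138: "NetBIOS datagram",
    139: "NetBIOS session (SMB)", 445: "direct-hosted SMB",
}

# Constructed "netstat -an" sample; 192.168.0.1 (ICS LAN side) and
# 203.0.113.7 (DSL side) are made-up addresses, not taken from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.7:1026       198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.1:137        *:*
  UDP    192.168.0.1:138        *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_text):
    """Yield (proto, local_ip, port) for listening TCP sockets and all UDP sockets."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or IPv6 rows laid out differently
        proto, ip, port, _foreign, state = m.groups()  # UDP rows have no state
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait connections are not listeners
        yield proto, ip, int(port)

def classify_smb_exposure(netstat_text, lan_addresses):
    """Split Windows-networking listeners into LAN-only and internet-reachable."""
    # A socket bound to 0.0.0.0 (or *) answers on every interface the host has,
    # DSL modem included; only a bind to the LAN-side address is LAN-only.
    report = {"lan_only": [], "exposed": []}
    for proto, ip, port in parse_listeners(netstat_text):
        if port not in WINDOWS_NETWORKING_PORTS:
            continue
        entry = f"{proto}/{port} {WINDOWS_NETWORKING_PORTS[port]} bound to {ip}"
        report["lan_only" if ip in lan_addresses else "exposed"].append(entry)
    return report

if __name__ == "__main__":
    print(classify_smb_exposure(SAMPLE_NETSTAT, {"192.168.0.1"}))
```

Run `netstat -an` on the XP machine, save the output, and pass that text together with the LAN-side address to `classify_smb_exposure`; anything in `exposed` needs a firewall rule on the DSL interface whatever the sharing checkbox says.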
 
I dunno for sure, but you may have picked something up on the web that is doing it and running as a process... apparently most antivirus software misses trojans and adware.

i know that http://tds.diamondcs.com.au/ will take you to TDS-3 which is good at finding trojans running on your system. If it is a process that is copying the file, that might kill it...

Also look at any processes you are running or are running at start up.

HijackThis will show what's running or starting up; if you haven't used it before, be careful, it is very powerful: http://mjc1.com/mirror/hjt/

For any processes that you think are suspect, do a search for the file name first on I am not a geek.

Hope that helps you
 
Great advice above. I haven't had much experience with it yet, but see what MS's Anti-Spyware says while you're at it. It couldn't hurt.
 