Thread: backdoor?

  1. #1
    Junior Member
    Join Date
    Jun 2003
    Posts
    4

    backdoor?

    I have Norton personal firewall on a DSL line and run XP. The firewall periodically tells me c:\windows\system32\svchost.exe is preparing to access the internet. I have blocked traffic whenever I see this. Symantec says this file is a legit filename and NAV does not identify it, but it is also the name of one of the files placed on the computer under BackDoor-AQT (McAfee)—and my thanks to whoever it was who published some of this info in another thread. I cannot find this file by searching Windows even with all files shown. I should assume it is a backdoor, but I am not clear what to do about it given the Norton ambivalence.

    I have more questions but none matter if I have a backdoor open right now. I’m getting really twitchy watching the monitor every second. My ability to research this is limited by my paranoia about being online. Advice?

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    This is for Windows Automatic Update; it is not, or at least shouldn't be, a trojan or backdoor. Here is an excerpt from a cached site from Google:

    The easiest way to stop the auto updates is to look under services 'automatic updates'
    the command line is this:
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    I just stop the service and set it to manual. It's probably a good backup plan
    to do the file switch that I did above.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  3. #3
    Banned
    Join Date
    Mar 2002
    Posts
    594
    The definition is located here: http://www.igknighttec.com/Windows/W...vchost_exe.php

    It isn't anything you should worry about... it just another one of these things Windows has to help it run. And if you don't trust the information from the link above, then try this one, straight from the horse's mouth:
    http://support.microsoft.com/?kbid=314056

    = Cheers, jag291 =

  4. #4
    Junior Member
    Join Date
    Jun 2003
    Posts
    4

    Thank you cross and jaguar291--what a relief. I mean it, I feel like I can breathe again. I am grateful.

    Now I need to make sure I fixed everything that allowed the problem to come up in the first place. After discovering an intrusion—it was about as subtle as a flaming bag of dog doo on the front steps, and thankfully no more destructive—I reset all my passwords, raised the security level for the firewall to max, searched all over the place for settings that would allow file sharing or remote operation (all reset by ? to "Take Me I’m Yours"), updated antivirus and ran a system scan, and erased all temp files and cookies. I did a system reset to two weeks before the intrusion, and traced down every renamed file to see if it was legit. I read over the various Norton logs and the Microsoft Events but I have no idea what most of it meant. Nothing seemed scary, and as you may have guessed, I scare easily. The firewall records were missing for the period when the hack occurred, of course. My questions now are, did I miss anything? Is there a simple one-stop comprehensive list of Windows filesharing or similar remote-access settings that I can check against the ones I know about? Next I'll get a hardware firewall and figure out if I really need all those ports. At least I am learning a lot.
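    As an added example (not part of any post in this thread), the following PowerShell audit covers the two points raised above: post #2's explanation that svchost.exe is a legitimate service host (e.g. the `-k netsvcs` group) and post #4's request for a checklist of remote-access and sharing settings. It targets a modern Windows host rather than the XP machine discussed; the cmdlets and registry paths are real, while the "expected state" interpretations are my own assumptions and must be run as Administrator.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ as Administrator.
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. A genuine svchost.exe runs from %SystemRoot%\System32 and carries a valid
#    Microsoft signature. Anything else (wrong path, unsigned) deserves a look.
#    Also show which services each instance hosts, as '-k netsvcs' does.
Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $path  = $_.ExecutablePath
    $sig   = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
    $group = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
    $hosted = (Get-CimInstance Win32_Service -Filter "ProcessId=$($_.ProcessId)").Name -join ','
    [pscustomobject]@{
        PID        = $_.ProcessId
        Path       = $path
        InSystem32 = [bool]($path -and $path.StartsWith($system32, 'OrdinalIgnoreCase'))
        Signature  = $sig          # expect 'Valid'
        Group      = $group        # e.g. 'netsvcs'
        Services   = $hosted
    }
} | Format-Table -AutoSize

# 2. The remote-access and sharing settings the original poster found flipped.
#    Compare each value against what you deliberately configured.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
[pscustomobject]@{
    RemoteDesktopEnabled    = ($ts.fDenyTSConnections -eq 0)
    RemoteAssistanceEnabled = ($ra.fAllowToGetHelp -eq 1)
    # Any profile listed here means the firewall is off for that network type.
    FirewallProfilesOff     = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name -join ','
    # Shares other than the built-in administrative ones (C$, ADMIN$, IPC$).
    NonDefaultShares        = (Get-SmbShare | Where-Object { -not $_.Special }).Name -join ','
    # Accounts with admin rights; the poster found theirs removed and others added.
    LocalAdmins             = (Get-LocalGroupMember -Group 'Administrators').Name -join ','
} | Format-List
```

Run it once on a known-clean machine and keep the output; a later run that differs in any row is the kind of change the poster describes finding by hand.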

  5. #5
    Banned
    Join Date
    Mar 2002
    Posts
    594
    No problem on the help but I'm just curious how you know that there was an intrusion if it was "about as subtle as a flaming bag of dog doo on the front steps, and thankfully no more destructive"?

  6. #6
    Junior Member
    Join Date
    Jun 2003
    Posts
    4
    I hope I did not get carried away with my metaphor. Evidence consisted of:

    1. admin powers given to other users but taken away from mine, both for XP and for the firewall;
    2. all levels of protection on the firewall reduced to the lowest level instead of the default or medium level that I had them set to, and then the firewall was disabled;
    3. all settings (that I know of) for remote access and file sharing set to Allow Access instead of No, where I had them;
    4. my OE address book copied and left on the desktop (same for other user profiles);
    5. logs for a few days immediately before the discovery appear as if the computer was never on, so I assume they were erased.

    No one outside my family has physical access to this machine. Do you agree that sounds like a hack, even if one of the most ethical ones in history? Thanks again for your post.

  7. #7
    Banned
    Join Date
    Mar 2002
    Posts
    594
    Yeah, it sounds like an intrusion and some of those things have actually happened to my computer within the last month... I never thought it was an attack, I just assumed that I didn't save settings or I accidentally copied something, but now I'm going to go check my firewall log ...

    = Cheers, jag291 =

  8. #8
    Junior Member
    Join Date
    Jun 2003
    Posts
    4
    Well, that is interesting, that you have seen similar activity. I can't interpret most of the log info. But if you can, I will be eager to see what you learn. Thanks again.
