boom.badpenguin.com and svshost

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    9

    boom.badpenguin.com and svshost

    Hello ... I thought I'd start here as I am definitely a security newbie. I am a sys-admin who has had the luxury of focusing on performance over the years, and ignoring security in my profession. But I've just spent a hellish 3 weeks trying to kill a trojan on my home system, and thought I'd see if anyone has any more info.

    I appear to have killed it, but it manifested itself as an executable in windows\system32 called svshost.exe (though it ran in task mgr as svChost.exe, same as the windows services one). My firewall (thank you zone alarm, lol) kept blocking in and out attempts from an ip that resolved to boom.badpenguin.com. I'm curious if anyone has any info about this domain or svshost.exe.

    As for me, it seems to be cured. svshost is no longer running, and Zone Alarm has no unusual traffic through it. But still, I'm curious for more info.

    Cheers,
    Elron

  2. #2
    Junior Member
    Join Date
    Jan 2004
    Posts
    9
    I just went through my Zone Alarm logs, and the IP address was 66.98.168.220 ... boom.badpenguin.com no longer resolves, lol ... guess they figured advertising was bad, lol.

    Any info would be appreciated.

    Elron

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    A quick google search says that it is the Worm.P2P.Spybot.gen Virus. You got it from an infected file or P2P file sharing.

    I'd recommend googling for these things in the future, as any good AV software could have corrected the issue in a matter of minutes instead of weeks.

  4. #4
    Junior Member
    Join Date
    Jan 2004
    Posts
    9
    Hmm ... well, I run AVG on a regular basis with updates, and it missed it. As did TrojanHunter. The only indication I even HAD a trojan was that Zone Alarm caught the traffic, and after about 3 hours of being unable to connect, it would blow my internet settings so my browser no longer connected.

    So an anti-virus is NOT always an effective means of catching a trojan.

  5. #5
    DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Not really sure what type of information you're looking for, but that IP belongs to an ISP in Houston.

    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Freeway
    Address: Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US

    NetRange: 66.98.128.0 - 66.98.239.255
    CIDR: 66.98.128.0/18, 66.98.192.0/19, 66.98.224.0/20
    NetName: EVRY-BLK-14
    NetHandle: NET-66-98-128-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate: 2003-07-02
    Updated: 2003-08-26

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net

    OrgAbuseHandle: ABUSE477-ARIN
    OrgAbuseName: ABUSE
    OrgAbusePhone: +1-713-400-5400
    OrgAbuseEmail: abuse@ev1.net

    OrgNOCHandle: NOC1445-ARIN
    OrgNOCName: NOC
    OrgNOCPhone: +1-713-400-5400
    OrgNOCEmail: noc@ev1.net

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-400-5400
    OrgTechEmail: admin@ev1.net

    # ARIN WHOIS database, last updated 2003-12-24 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Freeway
    Address: Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US
    Comment:
    RegDate:
    Updated: 2003-12-08

    AbuseHandle: ABUSE477-ARIN
    AbuseName: ABUSE
    AbusePhone: +1-713-400-5400
    AbuseEmail: abuse@ev1.net

    AdminHandle: RW172-ARIN
    AdminName: Williams, Randy
    AdminPhone: +1-713-400-5400
    AdminEmail: admin@ev1.net

    NOCHandle: NOC1445-ARIN
    NOCName: NOC
    NOCPhone: +1-713-400-5400
    NOCEmail: noc@ev1.net

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net
    Cheers:
    DjM

  6. #6
    Junior Member
    Join Date
    Jan 2004
    Posts
    9
    That'll do fine ... refresh my memory please ... how do you get that listing?

  7. #7
    DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    There are many different ways to get this info. For this one, I went HERE


    Cheers:
    DjM
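The listing DjM pasted is plain `Key: value` text, so once you have it you can check it programmatically rather than by eye. The following is an added Python example, not code from anyone in this thread: it parses the ARIN record quoted above (embedded here as a constructed sample, trimmed to the fields used; a lookup today may return different data for that block), confirms that the logged IP 66.98.168.220 falls inside the allocation, and pulls out the abuse mailbox you would report to. Only the standard library `ipaddress` module is used.

```python
import ipaddress

# Constructed sample: the ARIN record DjM posted above, trimmed to the fields
# used here. A lookup today may return different data for this block.
SAMPLE_WHOIS = """\
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
Country: US

NetRange: 66.98.128.0 - 66.98.239.255
CIDR: 66.98.128.0/18, 66.98.192.0/19, 66.98.224.0/20
NetName: EVRY-BLK-14
NetType: Direct Allocation

OrgAbuseHandle: ABUSE477-ARIN
OrgAbuseName: ABUSE
OrgAbusePhone: +1-713-400-5400
OrgAbuseEmail: abuse@ev1.net

# ARIN WHOIS database, last updated 2003-12-24 19:15
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Comment lines (#) and blank
    lines are skipped; a key that repeats (Address here) becomes a list."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in record:
            prev = record[key]
            record[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            record[key] = value
    return record


def networks_for(record):
    """The allocation as ip_network objects: prefer the CIDR field, fall back
    to summarising the 'lo - hi' NetRange into CIDR blocks."""
    if "CIDR" in record:
        return [ipaddress.ip_network(c.strip()) for c in record["CIDR"].split(",")]
    if "NetRange" in record:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return []


def ip_in_allocation(ip, record):
    """True if ip falls inside the allocation the record describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_for(record))


def abuse_contact(record):
    """Abuse mailbox under either field name ARIN uses for it."""
    return record.get("OrgAbuseEmail") or record.get("AbuseEmail")


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["OrgName"], rec["NetName"])
    print("66.98.168.220 in allocation:", ip_in_allocation("66.98.168.220", rec))
    print("report to:", abuse_contact(rec))
```

The NetRange fallback matters for records that list only the `lo - hi` span; `summarize_address_range` rebuilds the same three CIDR blocks ARIN printed, so the membership test gives the same answer either way. Feed the function the text from any of the whois sites mentioned in this thread, or from a `whois` client, and it reads the same way.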

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    9
    Excellent ... thank you ... can you also tell me why I should have Generic Host Process for Win32 Services listening to ports 3002, 3004, and 5000? As far as I know, I should have NO servers running here ... I am on Win XP Home, btw.

  9. #9
    Senior Member
    Join Date
    Dec 2003
    Posts
    137
    You can whois the IP from the following websites to get the above information:

    http://www.phaster.com/find_info_net_traffic.html

    http://www.securityspace.com/swhois/whois.html
    Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire

  10. #10
    DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Elron
    Excellent ... thank you ... can you also tell me why I should have Generic Host Process for Win32 Services listening to ports 3002, 3004, and 5000? As far as I know, I should have NO servers running here ... I am on Win XP Home, btw.
    Here is some quick info on Generic Host Process & svshost. If you're looking for more info, hit Google.


    Cheers:
    DjM
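Elron's two symptoms, a file called svshost.exe sitting next to the real svchost.exe and a Generic Host Process holding open ports, are exactly what you join up with `netstat -ano` (which prints the owning PID) and the process list. The following is an added Python example, not code from anyone in this thread or from any tool it mentions: it parses a constructed `netstat -ano` sample (only the ports 3002, 3004 and 5000 come from Elron's question; the PIDs, addresses and the remote port 2001 are made up), takes a constructed PID-to-image table standing in for Task Manager, flags image names that are a character or two away from svchost.exe or a svchost.exe that is not backed by `%SystemRoot%\System32\svchost.exe` (assumed here to be `C:\WINDOWS`), and reports what each flagged process listens on and talks to.

```python
from collections import namedtuple

Socket = namedtuple("Socket", "proto local foreign state pid")

# Constructed sample in the layout of `netstat -ano` on Windows XP. The three
# listening ports are the ones Elron asked about; the PIDs, addresses and
# the remote port 2001 are made up for the example.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3002           0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:3004           0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1024
  TCP    192.168.1.5:1043       66.98.168.220:2001     ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process table, PID -> (image name, full path), standing in for
# Task Manager or `tasklist`. 1588 mirrors the svshost.exe Elron found; 1700
# is a second made-up case, a file called svchost.exe outside System32.
PROCS = {
    4: ("System", ""),
    912: ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    1024: ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    1588: ("svshost.exe", r"C:\WINDOWS\system32\svshost.exe"),
    1700: ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
}

GENUINE = "svchost.exe"
SYSTEM32 = r"c:\windows\system32"  # assumes %SystemRoot% is C:\WINDOWS


def parse_netstat(text):
    """Pick the TCP/UDP rows out of netstat -ano output. UDP rows have no
    State column, so the PID is always taken from the last field."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        state = f[3] if len(f) == 5 else ""
        sockets.append(Socket(f[0], f[1], f[2], state, int(f[-1])))
    return sockets


def ports_by_pid(sockets):
    """Local ports each PID is bound to (TCP LISTENING rows and all UDP rows)."""
    table = {}
    for s in sockets:
        if s.state == "LISTENING" or s.proto == "UDP":
            table.setdefault(s.pid, set()).add(int(s.local.rsplit(":", 1)[1]))
    return table


def edit_distance(a, b):
    """Levenshtein distance; svshost.exe is 1 away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def findings(procs):
    """(pid, reason) for processes that imitate svchost.exe: a near-miss image
    name, or the real name backed by a file that is not System32\\svchost.exe."""
    out = []
    for pid, (name, path) in procs.items():
        lname = name.lower()
        if lname != GENUINE and edit_distance(lname, GENUINE) <= 2:
            out.append((pid, "image name %s is a lookalike of %s" % (name, GENUINE)))
        elif lname == GENUINE:
            folder, _, base = path.lower().rpartition("\\")
            if folder != SYSTEM32 or base != GENUINE:
                out.append((pid, "svchost.exe loaded from unexpected file %s" % path))
    return out


def report(netstat_text, procs):
    """Join the two views: for each flagged PID, what it listens on and where
    it is connected, which is what a firewall alert like Elron's points at."""
    sockets = parse_netstat(netstat_text)
    listening = ports_by_pid(sockets)
    rows = []
    for pid, reason in findings(procs):
        rows.append({
            "pid": pid,
            "reason": reason,
            "listening": sorted(listening.get(pid, ())),
            "connected_to": [s.foreign for s in sockets
                             if s.pid == pid and s.state == "ESTABLISHED"],
        })
    return rows


if __name__ == "__main__":
    for row in report(NETSTAT, PROCS):
        print(row)
    print("PID 1024 listens on", sorted(ports_by_pid(parse_netstat(NETSTAT))[1024]))
```

Run as-is it prints the two flagged rows and the ports owned by the genuine svchost. On a real box the inputs come from `netstat -ano` and Task Manager (or `tasklist` where the edition ships it). A hit on the name or path test is a strong signal on its own; a genuine System32 svchost.exe holding a port only tells you which service host it is, and you then need to find out which service inside it owns the port (on XP, TCP 5000 is normally the SSDP Discovery/UPnP service hosted in svchost). The distance threshold of 2 also catches transposed names such as scvhost.exe; tighten it to 1 if it proves noisy.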
