-
Right ... thanx again ... useful info. Still didn't give me a reason for 3002, 3004, and 5000 to be active. Not overly concerned, since this machine is behind a 3com router which shows as stealthed on those ports, so they aren't listening beyond my house. Still, curious what they might be ... the only google info I can find on 3002 relates to a program, xic, i have never heard of ... for backend management of things ... hmmmm ... curious
-
Quote:
Originally posted here by Elron
Hmm ... well, I run AVG on a regular basis with updates, and it missed it. As did TrojanHunter. The only indication I even HAD a trojan was that Zone Alarm caught the traffic, and after about 3 hours of being unable to connect, it would blow my internet settings so my browser no longer connected.
So an anti-virus is NOT always an effective means of catching a trojan.
I just did a search through AVG's virus encyclopedia and they don't seem to have this virus listed, when it is listed on McAfee's and Trend's websites. I have no experience with AVG directly, but perhaps they are not as current with their .dat files as the other major players in AV scanning? They do have a general listing in their encyclopedia for the generic "spybot" virus type, but it is not as detailed as some of their listings, take lovsan for example.
Trend has had .dat files that would detect/clean this particular nasty since June of last year.
Have you always had a firewall on your system? Given that Worm.P2P.Spybot.gen can give a remote attacker complete control over your system, perhaps other things have been installed which account for those strange ports you are seeing.
Most people around here will always recommend a complete system rebuild after you have been infected for any length of time. Just to be sure that everything is cleaned up properly.
-
Righty ... well, my specific config here is 2 computers, Win XP Home on both, connecting through a 3com router (fully stealthed) to a cable-based broadband. That's the way it's always been. However, I have run P2P share programs like Kazaa and the like, and the other computer has as well. This may be where the stuff came from. I have noticed AVG is better at viruses than it is at trojans and spyware. Still, a variety of stuff, from Ad-aware through Trojan Hunter, missed the svshost one. The ONLY indication was the odd logs from Zone Alarm.
I may very well do a rebuild. It's been a while, and I have always been a firm believer in rebuilding my windows systems regularly for performance and other reasons, so it's probably worth it anyway. Just a pain backing up the damn 40gb disk beforehand, grrrr.
Thanx for ALL the help ... much obliged.
Elron
-
mohaughn> Different companies use different naming conventions. worm/spybot on AVG is most likely the same thing...
That one worm is called:
Worm.P2P.SpyBot.gen [KAV]
W32/Spybot-Fam [Sophos]
W32/Spybot.worm.gen [McAfee]
WORM_SPYBOT.GEN [Trend]
Win32.Spybot.gen [CA]
btw... this one also connects to IRC, so your firewall logs should have shown an IRC connection. Maybe that is how it was trying to connect to boom.badpenguin.com.
And don't just delete svchost.exe as that is a real system file.
Oh yeah, and as Elron pointed out... AVG is for viruses. It does some trojans/spyware, but that's what tauscan and adaware are for.
-
Thanx for the info Soulman ... I have a 24/7 IRC connection running anyway ... online gamer, lol. So it's not likely I would've noticed it based on that. Although, now you mention it, I did also block some 6667 ports to the badpenguin (nice name eh? LMAO) a while back, so it likely cycles through the ports it uses as well. I have removed the svshost.exe file I found in system32 (well, quarantined it) ... no ill effects found as yet. Are you thinking of svChost.exe, which is still there?
-
svshost.exe is the trojan. The system process is svchost.exe which is used to load processes dynamically from .dll's.
-Maestr0
http://www.antionline.com/showthread...134#post692134
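Two of the checks this thread arrives at can be automated: a running process whose name is one typo away from a real Windows binary (svshost.exe versus svchost.exe, as Maestr0 points out), and repeated outbound connections to IRC ports from a box that should not be making them (Soulman's point about the firewall logs). The script below is an added example, not code posted by anyone in this thread; the log line format, the IP addresses and the list of known system binaries are all constructed for the example and are not Zone Alarm's real format.

```python
"""Lookalike process names and outbound IRC connections from firewall logs.

Added example for this thread, not from any of its posters. The log line
format (ACTION,DATE,TIME,SRC:PORT,DST:PORT,PROTO) is constructed, as are
the sample addresses; only boom.badpenguin.com and port 6667 come from
the thread itself.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Assumption: a short list of genuine Windows binaries is enough to show
# the technique. A real check would use the full contents of system32.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
}

# Default IRC ports; 6667 is the one the thread mentions.
IRC_PORTS = {6667, 6668, 6669, 6697}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_processes(process_names: Iterable[str],
                        known: Iterable[str] = KNOWN_SYSTEM_BINARIES,
                        max_distance: int = 1) -> Dict[str, str]:
    """Map each observed name to the system binary it imitates.

    A name is flagged when it is NOT exactly a known binary (case-insensitive,
    as Windows file names are) but lies within max_distance edits of one.
    """
    known_lower = [k.lower() for k in known]
    hits: Dict[str, str] = {}
    for name in process_names:
        lower = name.lower()
        if lower in known_lower:
            continue
        closest = min(known_lower, key=lambda k: edit_distance(lower, k))
        if edit_distance(lower, closest) <= max_distance:
            hits[name] = closest
    return hits


# Constructed log format: ACTION,DATE,TIME,SRC:PORT,DST:PORT,PROTO
LOG_RE = re.compile(
    r"^(?P<action>\w+),(?P<date>[\d/]+),(?P<time>[\d:]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),(?P<dst>[^:,]+):(?P<dport>\d+),(?P<proto>\w+)$"
)


def irc_destinations(log_lines: Iterable[str],
                     irc_ports: Iterable[int] = IRC_PORTS) -> Dict[str, int]:
    """Count outbound (FWOUT) connections per destination host on IRC ports.

    Repeated attempts to one host across neighbouring ports (6667, 6668, ...)
    are summed together, which is what makes a bot that cycles ports visible.
    """
    ports = set(irc_ports)
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if m["action"].upper() == "FWOUT" and int(m["dport"]) in ports:
            counts[m["dst"]] += 1
    return dict(counts)


# Constructed sample log, labelled as such: the 192.168.1.5 box reaches
# out to boom.badpenguin.com three times, on 6667 and 6668.
SAMPLE_LOG: List[str] = [
    "FWOUT,2004/02/10,21:14:03,192.168.1.5:1041,boom.badpenguin.com:6667,TCP",
    "FWOUT,2004/02/10,21:14:09,192.168.1.5:1042,boom.badpenguin.com:6667,TCP",
    "FWIN,2004/02/10,21:15:00,10.0.0.9:3421,192.168.1.5:3002,TCP",
    "FWOUT,2004/02/10,21:16:44,192.168.1.5:1043,www.example.com:80,TCP",
    "FWOUT,2004/02/10,21:20:11,192.168.1.5:1044,boom.badpenguin.com:6668,TCP",
]

# Constructed process list as a task manager might show it.
SAMPLE_PROCESSES = ["svchost.exe", "svshost.exe", "explorer.exe", "notepad.exe"]

if __name__ == "__main__":
    print("lookalikes:", lookalike_processes(SAMPLE_PROCESSES))
    print("irc destinations:", irc_destinations(SAMPLE_LOG))
```

On the sample data the lookalike check reports only svshost.exe (imitating svchost.exe) and the log check reports three outbound IRC connections to boom.badpenguin.com; the inbound hit on 3002 and the port 80 traffic are ignored. Elron's point that a 24/7 IRC session would drown out a single connection still holds, which is why the count is kept per destination host rather than per port.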
-
Righty ... that's what I thought too ... svshost.exe will be toast shortly I think ... no point keeping the thing in a vial, unless someone else wants to have a look at it before it goes.