-
January 14th, 2004, 07:24 PM
#11
Junior Member
Right ... thanx again ... useful info. Still didn't give me a reason for 3002, 3004, and 5000 to be active. Not overly concerned, since this machine is behind a 3com router which shows as stealthed on those ports, so they aren't listening beyond my house. Still, curious what they might be ... the only Google info I can find on 3002 relates to a program, xic, which I have never heard of ... for backend management of things ... hmmmm ... curious
-
January 14th, 2004, 08:04 PM
#12
Originally posted here by Elron
Hmm ... well, I run AVG on a regular basis with updates, and it missed it. As did TrojanHunter. The only indication I even HAD a trojan was that Zone Alarm caught the traffic, and after about 3 hours of being unable to connect, it would blow my internet settings so my browser no longer connected.
So an anti-virus is NOT always an effective means of catching a trojan.
I just did a search through AVG's virus encyclopedia and they don't seem to have this virus listed, when it is listed on McAfee's and Trend's websites. I have no experience with AVG directly, but perhaps they are not as current with their .dat files as the other major players in AV scanning? They do have a general listing in their encyclopedia for the generic "spybot" virus type, but it is not as detailed as some of their listings; take Lovsan, for example.
Trend has had .dat files that would detect/clean this particular nasty since June of last year.
Have you always had a firewall on your system? Given that Worm.P2P.Spybot.gen can give a remote attacker complete control over your system perhaps other things have been installed which accounts for those strange ports you are seeing.
Most people around here will always recommend a complete system rebuild after you have been infected for any length of time. Just to be sure that everything is cleaned up properly.
-
January 14th, 2004, 08:11 PM
#13
Junior Member
Righty ... well, my specific config here is 2 computers, Win XP Home on both, connecting through a 3com router (fully stealthed) to cable-based broadband. That's the way it's always been. However, I have run P2P share programs like Kazaa and the like, and the other computer has as well. This may be where the stuff came from. I have noticed AVG is better at viruses than it is at trojans and spyware. Still, a variety of stuff, from Ad-aware through Trojan Hunter, missed the svshost one. The ONLY indication was the odd logs from Zone Alarm.
I may very well do a rebuild. It's been a while, and I have always been a firm believer in rebuilding my Windows systems regularly for performance and other reasons, so it's probably worth it anyway. Just a pain backing up the damn 40GB disk beforehand, grrrr.
Thanx for ALL the help ... much obliged.
Elron
-
January 14th, 2004, 11:18 PM
#14
mohaughn> Different companies use different naming conventions. worm/spybot on AVG is most likely the same thing...
That one worm is called:
Worm.P2P.SpyBot.gen [KAV]
W32/Spybot-Fam [Sophos]
W32/Spybot.worm.gen [McAfee]
WORM_SPYBOT.GEN [Trend]
Win32.Spybot.gen [CA]
btw... this one also connects to IRC, so your Firewall logs should have shown an IRC connection. Maybe that is how it was trying to connect to boom.badpenguin.com.
And don't just delete svshost.exe as that is a real system file.
Oh yeah, and as Elron pointed out... AVG is for viruses. It does some trojans/spyware, but that's what TauScan and Ad-aware are for.
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
January 14th, 2004, 11:23 PM
#15
Junior Member
Thanx for the info Soulman ... I have a 24/7 IRC connection running anyway ... online gamer, lol. So it's not likely I would've noticed it based on that. Although, now that you mention it, I did also block some 6667 ports to the badpenguin (nice name eh? LMAO) a while back, so it likely cycles through the ports it uses as well. I have removed the svshost.exe file I found in system32 (well, quarantined it) ... no ill effects found as yet. Are you thinking of svChost.exe, which is still there?
-
January 14th, 2004, 11:52 PM
#16
svshost.exe is the trojan. The system process is svchost.exe, which is used to load processes dynamically from .dlls.
-Maestr0
http://www.antionline.com/showthread...134#post692134
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
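A defender-side check covering the two points made in this thread (the worm's IRC traffic showing up in the firewall log, post #14, and the svshost.exe versus svchost.exe name confusion in the post above), as an added example that is not from the thread or from any tool it mentions. The one-line log format, the allowlisted IRC client name (mirc.exe) and the addresses are constructed assumptions, not real Zone Alarm output.

```python
import re
from difflib import SequenceMatcher

# Genuine Windows system binaries that malware commonly imitates by name
# (svchost.exe is the one the svshost.exe trojan in this thread mimics).
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
IRC_PORTS = {6667}  # the IRC port mentioned in the thread

# Constructed firewall log sample in a hypothetical one-line-per-connection
# format (not real Zone Alarm output); 203.0.113.0/24 is a documentation range.
FW_LOG = """\
2004-01-14 22:10:05 OUT TCP 192.168.1.5:1043 -> 203.0.113.10:6667 svshost.exe
2004-01-14 22:10:09 OUT TCP 192.168.1.5:1044 -> 203.0.113.20:80 iexplore.exe
2004-01-14 22:11:00 OUT TCP 192.168.1.5:1045 -> 203.0.113.10:6667 mirc.exe
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)

def lookalike_names(process_names, threshold=0.85):
    """(observed, legit) pairs for names that nearly, but not exactly, match a system binary."""
    hits = []
    for name in process_names:
        lname = name.lower()
        if lname in LEGIT_NAMES:
            continue  # the genuine binary itself is not a finding
        for legit in sorted(LEGIT_NAMES):
            if SequenceMatcher(None, lname, legit).ratio() >= threshold:
                hits.append((name, legit))
    return hits

def suspicious_irc_connections(log_text, allowed_irc_clients=("mirc.exe",)):
    """Outbound IRC-port connections from anything other than the user's known IRC
    client; the poster runs IRC 24/7, so a port match alone is not enough."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "OUT" or int(m["dport"]) not in IRC_PORTS:
            continue  # unparseable, inbound, or not an IRC port
        if m["proc"].lower() in allowed_irc_clients:
            continue
        findings.append((m["proc"], f"{m['dst']}:{m['dport']}"))
    return findings
```

On the constructed sample only svshost.exe is reported by both checks: it is one letter off the real service host and it is the non-IRC-client process talking to port 6667.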
-
January 14th, 2004, 11:54 PM
#17
Junior Member
Righty ... that's what I thought too ... svshost.exe will be toast shortly I think ... no point keeping the thing in a vial, unless someone else wants to have a look at it before it goes.