alexp, posted September 27, 2003:
The first two highlighted connections are from MSN, but the other one starts up with Windows; it connects to an IRC server (from EFNet, I think?). Nobody in my house will fess up to anything, so it makes my job that little bit harder. Scanned the PC with: NAV 2K Corp; AVG; Ad-aware; Spybot Search and Destroy; and a few other trojan removers. None of them detect anything. It looks like it's trying to spread itself all over my LAN (which is just one more PC, not affected). I'm running W2K SP4 (and all further updates from Windows Update). Any help is appreciated; in the meantime I set up a rule to block it.
Niels, posted September 27, 2003:
Type msconfig in Run, then go to the Startup tab and see if there is anything in there that shouldn't be.
alexp, posted September 27, 2003:
No msconfig on my system.
fpd, posted September 27, 2003:
Download CodeStuff Starter to see what your startup processes are.
null_, posted September 27, 2003:
Click here to download msconfig for 2000.
alexp, posted September 27, 2003:
Nothing suss there...
Mike, posted September 27, 2003:
The two scvhost.exe's shouldn't be there (it should be svchost.exe). Find where the scvhost.exe is and delete it (after killing it in Task Manager).
Kriz, posted September 27, 2003:
Yeah, one svhost is quite big as well. Dude, why don't you just do a full system scan and get it removed?
salterbomb, posted September 27, 2003:
I would also check on that internat.exe thing.
Sn00pY, posted September 27, 2003:
If you got it through MSN it must be the SMB thing... housecall.trendmicro.com, do a free ONLINE scan...
Nautica, posted September 27, 2003:
http://www.grisoft.com/us/us_dwnl_free.php is the best free antivirus, use it, mate.
Fulcrum, posted September 27, 2003:
You could actually search for scvhost.exe on Google, and it will turn up results, possibly naming your definite virus. I agree with checking out internat.exe as well; definitely some spyware there. Be more careful downloading through file-sharing networks if you do, because that's the main place these spread, including IRC. And if you're going to run Kerio Firewall, you should know now that a common way for virus coders to write code victims will not only RUN but ALLOW through their firewall permissions is to use run-off names of popular Windows processes. Good luck to you in the future.
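An added example, not code from any poster in this thread: a small Python audit that flags the trick Mike and Fulcrum describe, a process whose image name is a near-miss of a real Windows process (scvhost.exe for svchost.exe), or a genuine name loaded from a directory where it does not belong. The process list is constructed sample data standing in for what Task Manager or tasklist would show, and the expected directories assume a C:\WINNT install like the poster's; both are assumptions, not anything the thread reports.

```python
# Added example, not code from the thread: flag lookalike process names
# (scvhost.exe vs svchost.exe) and known names running from the wrong place.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Expected image directory for a few core Windows 2000 processes.
# Assumption: system root is C:\WINNT, as on the original poster's machine.
KNOWN_PROCESSES: Dict[str, str] = {
    "svchost.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "csrss.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}


@dataclass(frozen=True)
class Proc:
    name: str   # image name as Task Manager shows it
    path: str   # directory the image was loaded from


@dataclass(frozen=True)
class Finding:
    proc: Proc
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and swapping two adjacent characters (scv -> svc) also costs 1, so a
    transposed name is caught as a distance-1 near-miss."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def audit(procs: Iterable[Proc], known: Dict[str, str] = KNOWN_PROCESSES,
          max_distance: int = 2) -> List[Finding]:
    """Return one Finding per suspicious process. A genuine name is fine only
    in its expected directory; any other name within max_distance edits of a
    genuine name is reported as a lookalike."""
    findings: List[Finding] = []
    for p in procs:
        name = p.name.lower()
        path = p.path.lower().rstrip("\\")
        if name in known:
            if path != known[name]:
                findings.append(Finding(p, f"{p.name} loaded from {p.path}, expected {known[name]}"))
            continue
        for real in known:
            dist = osa_distance(name, real)
            if dist <= max_distance:
                findings.append(Finding(p, f"{p.name} is {dist} edit(s) from {real}"))
                break
    return findings


# Constructed sample process list (not a real capture from the poster's box).
SAMPLE_PROCESSES = [
    Proc("svchost.exe", r"C:\WINNT\system32"),
    Proc("svchost.exe", r"C:\WINNT\system32"),
    Proc("scvhost.exe", r"C:\WINNT\system32"),   # the thread's worm
    Proc("scvhost.exe", r"C:\WINNT\system32"),
    Proc("internat.exe", r"C:\WINNT\system32"),  # legitimate keyboard-layout tray icon
    Proc("lsass.exe", r"C:\temp"),               # real name, wrong directory
    Proc("msnmsgr.exe", r"C:\Program Files\MSN Messenger"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROCESSES):
        print(f.reason)
```

The distance threshold of 2 is deliberately loose for this short list of core names; on a longer allowlist a legitimate third-party name can land within two edits of a system process, so review the findings rather than deleting on sight, and remember that the path check only helps if the malware did not also drop its copy into system32, as the worm in this thread did.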
dreamz, posted September 27, 2003:
Here's one thing I found on scvhost.exe: http://forums1.itrc.hp.com/service/forums/...733039+28353475
alexp, posted September 28, 2003:
Hi guys, here's a rundown of what's in the startup pic:
- Internet Connection Wizard
- internat.exe, because I run multiple keyboard languages
- the 3 Logitech entries are for my webcam
- also have Office startup, then Nero, NOD antivirus, pdfFactory
- Synch Manager is also from Windows, for infrared connections
- TauMonitor is an app that I used to kill other apps
- vptray is NAV2K Auto-Protect
Funnily enough, as I said before, 3 AV suites (Norton, AVG, NOD) didn't detect it.
John, posted September 28, 2003:
Why's the ICW in your startup? :blink: You run that thing once and you're done (depending on your connection, you don't even have to run it once...)
alexp, posted September 28, 2003:
> Why's the ICW in your startup? You run that thing once and you're done (depending on your connection, you don't even have to run it once...)
I dunno... it was probably there because I took the PC offline while it was infected. It's not there anymore. I'm still quite puzzled as to why it wasn't detected by ANY antivirus program. The ones I used were:
- NAV 2K Corp
- AVG Free
- NOD
- http://housecall.trendmicro.com/
- Sophos
Perhaps it's a new variant of another virus?? :huh:
alexp, posted September 29, 2003:
The file has been identified as the Win32.Moega.F worm. Similar names (aliases) reported by other AV products are listed here: Backdoor.SdBot.gen; W32/Sdbot.worm.gen. I submitted it to a few AV places, and ca.com identified it. CA antivirus products address this threat as follows:
- eTrust Antivirus 6 / eTrust InoculateIT 6 (InoculateIT engine): Engine 23.62.0, Signature 23.62.55, updated 27 Sep
- eTrust Antivirus 6 / eTrust InoculateIT 6 (VET engine): Engine 10.60.0, MajorDat 10.60.4008, MinorDat 10.60.4933, MacroDat 10.60.4933, updated 26 Sep
- InoculateIT 4 / Inoculan 4 products: Engine 44.0*, Signature 44.55*, updated 27 Sep (* limited ability to cure infections, i.e. cleaning the system registry)
- eTrust EZ Antivirus 6: Engine 10.60.0, MajorDat 10.60.4008, MinorDat 10.60.4933, MacroDat 10.60.4933, updated 26 Sep
- eTrust EZ Antivirus 5.4: Engine 5.4.10.1, MajorDat 1000, MinorDat 2595, MacroDefDate Sep 19 2003, updated 19 Sep
- Vet Antivirus 10.5: MajorDat 4008, MinorDat 4933, MacroDat 4933, updated 26 Sep
- Vet Antivirus 10.4: MajorDat 1000, MinorDat 2595, MacroDefDate Sep 19 2003, updated 19 Sep
turbomonkeycock, posted September 29, 2003:
With it trying to connect to IRC and having a file called svchost.exe, it is likely you have been 'rooted'. As I explained in another topic before, this is the process of using someone's computer to host files. If you have ever used IRC to get warez, you will know of all the bots; well, these are hacked boxes and their connection is abused to serve these files. The fact that it was called scvhost.exe instead of svchost.exe makes me think the person that rooted you is dyslexic or something, although they can call the files whatever they want. Try searching in your c:\winnt\system32 directory for folders that are large in size and you will probably come across a 'rootkit'. If you wish, there should be a relatively small DLL file; open it and look for the server and channel it joins. Then you can go in and abuse your abusers, should you wish. G-Dub
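An added example, not code from the thread: turbomonkeycock's suggestion to open the bot's DLL and look for the server and channel it joins, done as a Python strings pass plus a few IRC-specific patterns (hostnames, #channels, the usual IRC ports, and protocol verbs such as NICK and JOIN). The binary below is a constructed stand-in, a fake MZ header with embedded strings and example.net hostnames, not the real Moega/SdBot sample, and the SdBot-style strings it carries are an assumption about that family's layout. Bots that store their configuration encrypted or packed will show nothing here, in which case the firewall log the poster already has (the destination IP and port) is the more reliable source.

```python
# Added example, not code from the thread: pull IRC server/channel/port hints
# out of a suspect binary with a strings pass and a few IRC-specific patterns.
import re
from typing import Dict, List

FILE_EXTENSIONS = {"exe", "dll", "sys", "ini", "dat", "log", "txt"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
CHANNEL_RE = re.compile(r"(?<!\w)#[A-Za-z0-9_\-]{2,}")
IRC_PORT_RE = re.compile(r"\b(?:666[5-9]|6697|7000)\b")   # common IRC ports
IRC_VERBS = ("NICK", "USER", "JOIN", "PRIVMSG", "PASS", "PONG")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Like the Unix `strings` tool: printable ASCII runs, plus UTF-16LE runs,
    because Windows binaries often keep their strings in wide form."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(blob)]
    return found


def find_irc_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Group the strings that look like IRC bot configuration."""
    servers, channels, ports, verbs = set(), set(), set(), set()
    for s in strings:
        for host in HOST_RE.findall(s):
            # Drop things that are really file names (scvhost.exe, ntdll.dll).
            if host.rsplit(".", 1)[1].lower() not in FILE_EXTENSIONS:
                servers.add(host.lower())
        channels.update(CHANNEL_RE.findall(s))
        ports.update(IRC_PORT_RE.findall(s))
        verbs.update(v for v in IRC_VERBS if re.search(rf"\b{v}\b", s))
    return {
        "servers": sorted(servers),
        "channels": sorted(channels),
        "ports": sorted(ports),
        "verbs": sorted(verbs),
    }


def analyze(blob: bytes) -> Dict[str, List[str]]:
    """Strings pass followed by the IRC pattern match, in one call."""
    return find_irc_indicators(extract_strings(blob))


# Constructed stand-in for a bot DLL: fake DOS header, some junk, and the kind
# of strings an unobfuscated SdBot-style bot carries. Hostnames use example.net
# and are not real controllers.
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 16
    + b"scvhost.exe\x00"
    + b"irc.controller.example.net\x00"
    + b"6667\x00"
    + b"NICK %s\r\n\x00"
    + b"USER %s 0 0 :%s\r\n\x00"
    + b"JOIN #bots-example\r\n\x00"
    + "ntdll.dll".encode("utf-16-le") + b"\x00\x00"
    + "#backup-example".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    for kind, values in analyze(SAMPLE_DLL).items():
        print(f"{kind}: {', '.join(values) or '-'}")
```

Run it against a copy of the suspect file (read with open(path, "rb")) rather than the live one in system32, and treat the hostname list as leads to check against the firewall's connection log, not as proof: an innocent DLL can carry a vendor's domain, and a bot can carry a decoy.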
John Teacake, posted September 29, 2003:
But isn't it connecting to proper MSN servers, so it doesn't appear to be dodgy? Are you trying to read your Hotmail by using the link in MSN Messenger, or have you clicked on a link from MSN today? Also, it looks as though it's the proper MSN EXE, so I don't think that could have been modified by a virus (or something else) to send data etc.
alexp, posted September 30, 2003:
Hi, I'm pretty sure that it's gone. Here's a screenshot of my firewall after startup.
IgwanaRob, posted September 30, 2003:
> Scanned the PC with: NAV 2K Corp; AVG; Ad-aware; Spybot Search and Destroy; and a few other trojan removers. None of them detect anything.
Not one of those programs you listed is a trojan 'remover'. Although some A/V programs will find a bunch of trojans, they will not scan for all known trojans. Spyware programs won't do anything for trojans nor for viruses/worms/etc. Only a trojan scanner is made to scan for trojans. The Cleaner is one trojan scanner. There are a few of them out there; just hit Google and search for trojan scanners.
sipher26, posted September 30, 2003:
Why don't you try to scan your system with Norton on the Norton site? Something that works for me. They have a free virus scan and spy scan too. Try it, you'll like it... good luck, mate.
nekrosoft13, posted September 30, 2003:
By looking at Symantec's website, that internat.exe could be a virus. Check it out: http://www.symantec.com/avcenter/venc/data...2.ghotex.a.html