What virus have I got?


The 1st two highlighted connections are from MSN, but the other one starts up with Windows. It connects to an IRC server (from EFNet, I think?). Nobody in my house will fess up to anything, so it makes my job that little bit harder. Scanned the PC with: NAV 2K Corp; AVG; Ad-Aware; Spybot Search and Destroy; and a few other trojan removers. None of them detect anything. It looks like it's trying to spread itself all over my LAN (which is just one more PC - not affected). I'm running W2K SP4 (and all further updates from Windows Update). Any help is appreciated; in the meantime I set up a rule to block it.

[attached screenshot: post-32-1064663343.jpg]

You could actually search for scvhost.exe on Google, and it will turn up results, possibly naming your definite virus. I agree with checking out internat.exe as well; definitely some spyware there. Be more careful downloading through file-sharing networks if you do, because that's the main place these spread, and that includes IRC. And if you're going to run Kerio Firewall, you should know now that a common way for virus coders to get victims to not only RUN their code but ALLOW it through their firewall permissions is to use run-off names of popular Windows processes. Good luck to you in the future.

Hi guys, here's a rundown of what's in the startup pic:

Internet Connection Wizard

internat.exe - because I run multiple keyboard languages

The 3 Logitech entries are for my webcam

Also have Office startup, then Nero, NOD antivirus, pdfFactory

Sync Manager is also from Windows, for infrared connections

taumonitor is an app that I used to kill other apps

vptray is NAV2K AutoProtect

Funnily enough, as I said before, 3 AV suites (Norton, AVG, NOD) didn't detect it.

Why's the ICW in your startup? You run that thing once and you're done (depending on your connection, you don't even have to run it once...)

I don't know... it was probably there because I took the PC offline while it was infected. It's not there anymore. I'm still quite puzzled as to why it wasn't detected by ANY antivirus program. The ones I used were:

- NAV 2K Corp

- AVG Free

- NOD

- http://housecall.trendmicro.com/

- Sophos

Perhaps it's a new variant of another virus?

The file has been identified as the Win32.Moega.F worm.

Similar names (aliases) reported by other AV products are listed here:

(Backdoor.SdBot.gen) (W32/Sdbot.worm.gen)

I submitted it to a few AV places, and ca.com identified it.

CA antivirus products address this threat as follows:

eTrust Antivirus 6/eTrust InoculateIT 6 (InoculateIT engine)
  Engine    Signature   Updated
  23.62.0   23.62.55    27 Sep

eTrust Antivirus 6/eTrust InoculateIT 6 (VET engine)
  Engine    MajorDat     MinorDat     MacroDat     Updated
  10.60.0   10.60.4008   10.60.4933   10.60.4933   26 Sep

InoculateIT 4/Inoculan 4 products
  Engine   Signature   Updated
  44.0*    44.55*      27 Sep

  * Limited ability to cure infections, i.e. cleaning system registry

eTrust EZ Antivirus 6
  Engine    MajorDat     MinorDat     MacroDat     Updated
  10.60.0   10.60.4008   10.60.4933   10.60.4933   26 Sep

eTrust EZ Antivirus 5.4
  Engine     MajorDat   MinorDat   MacroDefDate   Updated
  5.4.10.1   1000       2595       Sep 19 2003    19 Sep

Vet Antivirus 10.5
  MajorDat   MinorDat   MacroDat   Updated
  4008       4933       4933       26 Sep

Vet Antivirus 10.4
  MajorDat   MinorDat   MacroDefDate   Updated
  1000       2595       Sep 19 2003    19 Sep

With it trying to connect to IRC and having a file called svchost.exe, it is likely you have been 'rooted'. As I explained in another topic before, this is the process of using someone's computer to host files. If you have ever used IRC to get warez, you will know of all the bots; well, these are hacked boxes and their connection is abused to serve these files. The fact that it was called scvhost.exe instead of svchost.exe makes me think the person that rooted you is dyslexic or something, although they can call the files whatever they want. Try searching in your c:\winnt\system32 directory for folders that are large in size and you will probably come across a 'rootkit'. If you wish, there should be a relatively small dll file; open it and look for the server and channel it joins. Then you can go in and abuse your abusers, should you wish.

G-Dub

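Two replies above make the same point from different angles: the worm was named scvhost.exe so that it would pass for the Windows service host svchost.exe, and a file with a genuine system name is only trustworthy when it runs from the directory it belongs in. That check can be done mechanically. The script below is an added example, not code from this thread or from any product mentioned in it. The allow-list of system binaries, the Windows 2000 directory layout (C:\WINNT\system32), the sample autostart list and the function names (osa_distance, check_entry, scan_startup) are all my own assumptions for illustration.

```python
# Added example (not from the thread or from any product named in it): flag
# autostart entries whose file name impersonates a Windows system binary, or
# whose genuine name runs from the wrong directory.  The allow-list, the
# directory layout and the sample entries below are constructed assumptions.

# Genuine Windows system binaries and the directory each normally runs from.
# Assumption: a Windows 2000 install in C:\WINNT (constructed, not from the page).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute, plus a
    swap of two adjacent characters counted as one edit.  That last rule is
    what makes 'scvhost' a single step away from 'svchost'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def split_windows_path(path):
    """Return (directory, file name), both lower-cased, from a backslash path."""
    lowered = path.lower()
    if "\\" not in lowered:
        return "", lowered
    directory, name = lowered.rsplit("\\", 1)
    return directory, name


def check_entry(path, max_distance=1):
    """Classify one autostart or process path.

    Returns (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'.
    """
    directory, name = split_windows_path(path)
    if name in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[name]
        if directory == expected:
            return "ok", "genuine name in expected directory"
        return "suspicious", "genuine name %s running from %s, expected %s" % (
            name, directory or "<no directory>", expected)
    # Not a known name: is it one edit or one swapped pair away from one?
    for known in KNOWN_SYSTEM_BINARIES:
        if osa_distance(name, known) <= max_distance:
            return "suspicious", "look-alike of %s" % known
    return "unknown", "not a known system binary; verify separately"


def scan_startup(entries):
    """Run check_entry over a list of paths and return only the flagged ones."""
    flagged = []
    for path in entries:
        verdict, reason = check_entry(path)
        if verdict == "suspicious":
            flagged.append((path, reason))
    return flagged


# Constructed sample autostart list, modelled on the entries listed in the thread.
SAMPLE_STARTUP = [
    r"C:\WINNT\system32\svchost.exe",       # genuine service host
    r"C:\WINNT\system32\scvhost.exe",       # letters transposed: the worm's trick
    r"C:\WINNT\system32\internat.exe",      # keyboard-layout indicator, legitimate
    r"C:\WINNT\svchost.exe",                # genuine name, wrong directory
    r"C:\Program Files\Webcam\webcam.exe",  # constructed third-party entry
]

if __name__ == "__main__":
    for path, reason in scan_startup(SAMPLE_STARTUP):
        print("SUSPICIOUS %-40s %s" % (path, reason))
```

On a live machine the entries would come from the Run keys or a process listing rather than a literal list, and a flagged name should be confirmed by comparing the file's hash against a known-good copy rather than judged on its name alone; an unknown third-party entry such as the webcam binary is reported as unknown, not suspicious, so the list stays short enough to act on.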
But isn't it connecting to proper MSN servers, so it doesn't appear to be dodgy? Are you trying to read your Hotmail by using the link in MSN Messenger, or have you clicked on a link from MSN today? Also it looks as though it's the proper MSN EXE, so I don't think that could have been modified by a virus (or something else) to send data etc.

"Scanned pc with: NAV 2K Corp; AVG; Adaware; Spybot Search and Destroy; and a few other trojan removers. None of them detect anything."

Not one of those programs you listed is a trojan 'remover'. Although some A/V programs will find a bunch of trojans, they will not scan for all known trojans. Spyware programs won't do anything for trojans nor for viruses/worms/etc. Only a trojan scanner is made to scan for trojans.

The Cleaner is one Trojan Scanner. There are a few of them out there, just hit Google and search for Trojan Scanners.

Why don't you try to scan your system with Norton on the Norton site... something that works for me.

They have a free virus scan and spy scan too. Try it, you'll like it...

Good luck,

mate
