Oleg Posted June 25, 2003 (edited)

Zone Alarm started asking if I want to let ShellEx act as a server and access the internet.

Well, I knew better than to let it act as a server, but I let it access the internet a couple of times.

Q1: What is the damage from letting it access the internet?

I run Norton AV 2003 (up to date) in the background and it did not detect anything. I went and scanned the offending file and it did not show up as a virus (I'm ****ed), since this is info from the Symantec site:

When Backdoor.Anakha runs, it does the following:

It copies itself as C:\%System%\ShellEx.exe.

NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and then copies itself to that location.

To allow itself to run when Windows starts, the Trojan adds the value
ShellEx? C:\%System%\ShellEx.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It also creates a text file named C:\%System%\Rundll32.pin.

It takes me to Q2.

Q2: What the hack is wrong with those people? (i.e. why did it not catch the trojan?)

Well, I guess the worst enemy here is a false sense of security.

Thank God for Zone Alarm.

Edited June 25, 2003 by Oleg

MxxCon Posted June 25, 2003

To scan with Norton AntiVirus and delete the infected files:

2. Start Norton AntiVirus (NAV), and make sure that it is configured to scan all files. NAV Consumer products: Read the document How to configure Norton AntiVirus to scan all files. http://service1.symantec.com/SUPPORT/nav.n...999110513272906
3. Run a full system scan.
4. Delete all files that NAV detects as Backdoor.Anakha.
5. (Optional) Using Windows Explorer, delete C:\%System%\Rundll32.pin.

To remove the value from the registry:

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value ShellEx? C:\%System%\ShellEx.exe
5. Click Registry, and click Exit.

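A read-only check for the artifacts named in the Symantec description quoted in this thread, as an added example that is not part of any post and is not Symantec's tool. It assumes a current Windows with PowerShell 4 or later, and reads "ShellEx? C:\%System%\ShellEx.exe" as a Run value named ShellEx whose data is the path to ShellEx.exe; the variable names are this example's own.

```powershell
# Added example: look for the Backdoor.Anakha artifacts listed in the thread.
# Nothing is deleted; a hit is a lead to investigate, not a verdict.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Autostart entry. Assumption: the value is named ShellEx. Any value whose
#    data points at ShellEx.exe is also flagged in case the name differs.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -eq 'ShellEx' -or $data -match '(?i)\\ShellEx\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $data }
        }
    }
}

# 2. Dropped files. The description says the copy lands in the system folder,
#    so check the current system directory and the legacy \Windows\System folder.
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'System')) |
    Select-Object -Unique
foreach ($dir in $dirs) {
    foreach ($file in 'ShellEx.exe', 'Rundll32.pin') {
        $path = Join-Path $dir $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item   = Get-Item -LiteralPath $path -Force
            # Hash the file so it can be checked with a second scanner.
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $detail = '{0} bytes, modified {1:u}, SHA256 {2}' -f $item.Length, $item.LastWriteTime, $hash
            $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = $detail }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No ShellEx Run value, ShellEx.exe or Rundll32.pin found in the checked locations.'
}
```

Run it from an elevated prompt so the files in the system folder are readable; the SHA-256 it prints is only for looking the file up with another scanner.
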
+BeLGaRaTh (Subscriber¹) Posted June 25, 2003

On manual scanning, enable the deepest scanning method. As MxxCon says, and make sure you have the very latest updates; there was one this evening, so update your definitions first. Good luck.

HeHe, he changed his reply before I could finish writing this :)

Oleg (Author) Posted June 25, 2003

Thanks guys.

Norton still did not detect it.

I did remove it manually :)

That will teach me :(

uniacidz Posted June 25, 2003

I'd be concerned that Norton didn't pick it up at all. Something to consider: maybe using an alternative scanner.

Jason the Eighty Eighth Posted June 26, 2003

I had a really nasty trojan once; it screwed up my entire XP. It is the trojan which makes the user unable to open any program; it edits system32.dll.

flyinvr6 Posted June 29, 2003

Symantec usually recommends rebooting into SAFE MODE first, then doing the scan. Might be worth trying it out.