VideoHelp Forum




  1. Hi

    I had my antivirus tell me that I have a virus, to be more specific a W32.Kwbot.F.Worm, which drops and runs a Backdoor.Sdbot.

    I tried to delete the virus (trojan) but Norton AntiVirus 2003 said it can't, and now it won't even detect it. I'm pretty sure that the virus (trojan) is running. I have the latest virus definitions and have used some of the extra tools on the Symantec website, but yet nothing is found.

    Am I just getting paranoid? What should I do? I'm considering taking my machine to a PC technician just to be safe. Can I try anything else to find this worm or trojan?

    Am I right in assuming that this is the trojan running on my PC?
  2. Red flag there.

    Do you know the process that is using that port? If you do not, here is how you can find out.

    1 ) Go to the start button > Run
    2 ) type in "cmd" without the quotes, this will open a dos window
    3 ) type in "netstat -a -o" without the quotes, this will show all open ports with process IDs
    3 ) find the connection you see in the picture you provided and look at the PID
    4 ) press Ctrl+Alt+Del
    5 ) go to the processes tab
    6 ) choose view > select columns
    7 ) make sure the selection PID is checked
    8 ) find the process that has the same number the netstat command gave you
    "A beginning is the time for taking the most delicate care that the balances are correct."
    - Frank Herbert, Dune
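
Added example (not part of the original posts): the steps above match a PID from netstat against the Task Manager process list by hand; this Python sketch does the same join over saved command output. The sample text is constructed, `-n` is added to netstat so ports stay numeric, and `tasklist /fo csv` is assumed to be available as the source of the process list.

```python
import csv
import io

# Constructed sample of `netstat -a -n -o` output (not the thread's screenshots).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1243         0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1243         127.0.0.1:1029         ESTABLISHED     3120
  TCP    192.0.2.10:1028        198.51.100.7:80        ESTABLISHED     2452
  UDP    0.0.0.0:1026           *:*                                    884
"""

# Constructed sample of `tasklist /fo csv` output; image names are placeholders.
TASKLIST_SAMPLE = '''\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Console","0","3,412 K"
"iexplore.exe","2452","Console","0","18,220 K"
"unknown.exe","3120","Console","0","2,004 K"
'''

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        yield {"proto": f[0], "local": f[1], "remote": f[2],
               "state": state, "pid": int(f[-1]),
               "port": int(f[1].rsplit(":", 1)[1])}

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(text))}

def owners_of_port(port, netstat_text, tasklist_text):
    """Return sorted (local, remote, state, pid, image) rows for a local port."""
    names = parse_tasklist(tasklist_text)
    return sorted({(c["local"], c["remote"], c["state"], c["pid"],
                    names.get(c["pid"], "<no such process>"))
                   for c in parse_netstat(netstat_text) if c["port"] == port})

if __name__ == "__main__":
    for row in owners_of_port(1243, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

A row whose remote address is also a loopback address is traffic between processes on the same machine; a PID with no matching image name means the process list and the netstat capture were taken at different moments or the process is hidden from the listing.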
  3. Solarjetman
    Thanks for the reply. In step 3, what am I exactly looking at from the pic I provided? Is it the local IP address, local service port?
  4. Member The village idiot (joined Apr 2002; location: Adrift among the STUPID)
    Can't help you other than to try 2 things.

    A different antivirus from http://www.grisoft.com it is free so worth a try.

    Also find Adaware, also free from lavasoft.com I think.

    Run both of those and see if they can help. If it is an established trojan, you might need to find a real trojan remover, sorry can't suggest anything for that.
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  5. I do not see that connection listed.

    I was expecting to see either "vaio2003:1243" or "localhost:1243" somewhere in there.

    Although, whatever was using port 1243 was not connected to the outside world. It was processes talking to each other on your computer.
    "A beginning is the time for taking the most delicate care that the balances are correct."
    - Frank Herbert, Dune
  6. Member The village idiot (joined Apr 2002; location: Adrift among the STUPID)
    localhost:1028? It does have this off to the right hand side of the first image. And there is a process using 1028 in the second image. And that PID (2452) was connected to the outside world. I'm not really sure, just pointed to the things I noticed.
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  7. Originally Posted by The village idiot
    localhost:1028?
    Usage of 1028 is not uncommon.

    Originally Posted by The village idiot
    And that PID was connected to the outside world. I'm not really sure, just pointed to the things I noticed.
    I am pretty sure that is just his connection to his ISP. One to the dial-up server, and one to the internet proxy.

    But, no harm in checking, what is the process name of the PID kas?
    "A beginning is the time for taking the most delicate care that the balances are correct."
    - Frank Herbert, Dune
  8. You know, we are probably going about this the wrong way. I would update my virus definition in norton anti-virus, and run a complete scan of the computer. If it finds nothing, I would just write the computer off as safe.

    If you are feeling REALLY paranoid, I suppose you could run the scan in safe mode. That may work.

    Me, I would wager your computer is clean.
    "A beginning is the time for taking the most delicate care that the balances are correct."
    - Frank Herbert, Dune
  9. Member Faustus (joined Apr 2002; location: Dallas, TX)
    If you have problems with Norton, dump it and download AVG antivirus from grisoft.com. If it doesn't find anything wrong after being updated I wouldn't worry much. BUT it does appear that something is going on with your box so I'd try something up to date.
  10. Hi Guys

    Thanks for all the replies, I really appreciate all your help. After all your advice I decided to download AVG from http://www.grisoft.com and it did find a trojan which it 'Healed'. Hopefully that was the only virus on my PC.

    Prior to this I did have all my virus definitions updated but I'm bamboozled as to why Norton AntiVirus didn't pick up the trojan. I had also scanned my PC in safe mode and still Norton didn't find anything. Perhaps I'll run AVG again in safe mode.

    thanks again

    kas
  11. Originally Posted by kas187
    it did find a trojan which it 'Healed'.
    WOW! I am very surprised (not to mention if I actually wagered, I would be out some cash). But I am also extremely happy you found it. You can rest easy now.
    "A beginning is the time for taking the most delicate care that the balances are correct."
    - Frank Herbert, Dune
  12. Member The village idiot (joined Apr 2002; location: Adrift among the STUPID)
    This is a typical Norton story. I've been using AVG for a while now. And it has been pretty good. Also get Adaware. Yes, it too will find virus files. The combo is pretty good. And since both are free, you really have nothing to lose.



    #1000, And it isn't even in the OT forum :P
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  13. Member pyrate83 (joined Jun 2003; location: Alive on XBOX LIVE!!!!!!!)
    Just a thought, but I run AVG now also and it detected the Welchia worm on my computer a couple weeks ago. It said it healed it but I wasn't believing it was gone completely. So I went to Symantec's security response website and downloaded the tool to clean the syst. The Welchia worm wasn't gone after all and the tool removed parts of it from diff. areas including the registry. Might want to just make sure your system is truly clean of the virus, Kas.
  14. Well guys, guess what, looks like I didn't get rid of my 'trojan' after all.

    While browsing the net today I was actually attempted by a hacker; luckily my firewall protected me. I managed to track this hacker down and got his/her ISP number and other details, but who should I report this matter to: Symantec, AOL, or is there another body out there which deals with these matters?

    Also my antivirus (Norton AntiVirus 2002 and AVG 6.0) can't find this hidden trojan, and if I can't find it I only have 3 options:
    1) Do a clean install of my system and have a fresh clean machine.
    2) Take my machine to a PC technician and have him/her look at it.
    3) Remove the trojan myself, if I could find the f*****g thing.

    Any other advice is appreciated,

    kas
  15. Member pyrate83 (joined Jun 2003; location: Alive on XBOX LIVE!!!!!!!)
    Try going to Symantec's security response site. It should have a removal tool tailored to that particular virus. Try that first, it won't hurt!
  16. Member flaninacupboard (joined Aug 2001; location: Northants, England)
    The people to report the attempt to would be the hacker's ISP, i.e. "one of -your- customers tried to hack me!!"
    Although if no damage was done I don't know how seriously they will take it.

    I'm surprised AVG didn't kill it completely, it's been good to me in the past!

    Did your firewall not give you any more info about what process/file was involved in the attempt?
  17. Member The village idiot (joined Apr 2002; location: Adrift among the STUPID)
    Did you try Adaware?
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  18. Member Roderz (joined Jul 2003; location: the armpit of the Midlands)
    A: well guys guess what, looks like i didn't get rid of my 'trojan' after all.

    B: While browsing the net today i was actually attempted by a hacker
    What makes you think that B is 2 do with A?
    My firewall pops up all the time telling me of 'attempted' hacks, even 2day I got a VPN attempt (new 1 4 me!) but the firewall informed me and stopped it
    Doesn't mean u got a trojan - if you have, your firewall should tell u something's trying to 'send out'

    IMHO Norton sucks - tells u of a virus/trojan (and gets rid of it) but doesn't tell you it's got rid of it, leaving you in a wild goose chase (this problem happened at my last place of work - everyone in a panic and couldn't find anything cus it wern't there - it HAD blocked it)

    BTW is Adaware still being updated ? I been using 'Spybot - Search & Destroy' instead - scary the stuff it found that Adaware didn't

    Stick with AVG + ZoneAlarm Pro + SpyBot and you're 'pretty' safe
  19. Member The village idiot (joined Apr 2002; location: Adrift among the STUPID)
    Yes adaware is still updated. But maybe I should try Spybot too.
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?


