RAT on my pc



Unregistered
11-23-2002, 02:20 PM
I think I have VHM on my machine, but I can't find the EXE command. How do I get rid of this thing?

Thanks to anyone who can help!

fEš·.·šEr
11-23-2002, 04:40 PM
Originally posted by Unregistered
I think I have VHM on my machine, but I can't find the EXE command. How do I get rid of this thing?

Thanks to anyone who can help!
=============================================
Hi

>Are you running a WinNT kernel OS or not?
in other words, is it Win*x or WinNT/2K/XP?

>Do you have the chance to open Task Manager and have a look at all active processes to see a suspicious EXE?

>Do you have any application on your PC that could show you which ports are open on your system?

>What makes you say that you have VHM?


------------
fEš·.·šEr

Unregistered
11-25-2002, 10:52 PM
Well, in my firewall log I referenced the ports in TDS-* pro and it told me that port 4242 was a RAT port; maybe it was just telling me what that port is used for. I am pretty green as far as TCP/UDP, ports, hacks and such. I keep seeing port **7 trying to be accessed, so I blocked that port. I keep seeing
GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_*00
GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
GUI%GUICONFIG#SRULE@NBENABLEYOU#BLOCKALL
so I just referenced the ports to see what they are. NetBIOS-NS is **7, so I set my firewall to block it. I am looking at processes, but I don't know what to look for exactly. Any help would be much appreciated.

Unreg
11-27-2002, 10:07 AM
Originally posted by Unregistered
Well, in my firewall log I referenced the ports in TDS-* pro and it told me that port 4242 was a RAT port; maybe it was just telling me what that port is used for. I am pretty green as far as TCP/UDP, ports, hacks and such. I keep seeing port **7 trying to be accessed, so I blocked that port. I keep seeing
GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_*00
GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
GUI%GUICONFIG#SRULE@NBENABLEYOU#BLOCKALL
so I just referenced the ports to see what they are. NetBIOS-NS is **7, so I set my firewall to block it. I am looking at processes, but I don't know what to look for exactly. Any help would be much appreciated.

Run netstat -a to see what ports are open and what they belong to. Is port 4242 still open after you reboot? Does TDS just say the ports are open, or that you really have the trojan? If it says you're infected, does it offer to clean the trojan? Are you up to date on definitions for TDS and your AV program?

Don't worry about the incoming hits on port **7. Someone else's machine infected by a worm is checking for open ports. I get several hits per hour. As long as your firewall blocks that port, ignore it.

What firewall are you seeing those entries from? Do you just see them when you start the firewall? If so, it's just initializing itself.
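The netstat check suggested in the reply above, as an added example that is not part of the original thread: a small script that parses the output of Windows `netstat -ano` (the `-o` column gives the owning PID on XP and later; on older Win9x-era systems only `netstat -a` is available and there is no PID column), lists which sockets are in LISTENING state, and flags any that sit on a watchlist of ports, here just 4242 because that is the port the poster's lookup labelled a RAT port. The netstat output below is constructed for the demo, not a real capture, and the port/PID values in it are made up. Run it once, note the PID behind any flagged port, check that PID in Task Manager, then reboot and run it again to see whether the listener comes back.

```python
"""Parse Windows `netstat -ano` output and flag listening sockets on a port watchlist.

Added example, not code from the original thread. Assumes the Windows
netstat column layout: Proto, Local Address, Foreign Address, State, PID
(UDP rows have no State column).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output (not a real capture; PIDs are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:4242           0.0.0.0:0              LISTENING       1492
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1052       64.4.13.55:80          ESTABLISHED     1720
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:4242           *:*                                    1492
"""

# Ports worth a second look; 4242 is the one the thread's port lookup flagged.
WATCHLIST = {4242}

# proto, local ip, local port, foreign addr, optional state, pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)\s+)?(\d+)\s*$"
)

Row = Tuple[str, str, int, str, int]  # (proto, local_ip, port, state, pid)


def parse_netstat(text: str) -> List[Row]:
    """Turn netstat -ano text into (proto, local_ip, port, state, pid) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a row in an unexpected layout
        proto, ip, port, _foreign, state, pid = m.groups()
        # UDP sockets carry no state column; a bound UDP socket is effectively listening.
        rows.append((proto, ip, int(port), state or "LISTENING", int(pid)))
    return rows


def listening_ports(rows: List[Row]) -> Dict[Tuple[str, int], int]:
    """Map (proto, port) -> owning PID for every socket in LISTENING state."""
    return {(p, port): pid for p, _ip, port, state, pid in rows if state == "LISTENING"}


def flag_watchlist(rows: List[Row], watchlist=WATCHLIST) -> List[Tuple[str, int, int]]:
    """Sorted (proto, port, pid) for listening sockets whose port is on the watchlist."""
    return sorted(
        (p, port, pid)
        for (p, port), pid in listening_ports(rows).items()
        if port in watchlist
    )


def report(text: str = SAMPLE_NETSTAT, watchlist=WATCHLIST) -> List[Tuple[str, int, int]]:
    """Print the flagged listeners and return them for further processing."""
    hits = flag_watchlist(parse_netstat(text), watchlist)
    for proto, port, pid in hits:
        print(f"{proto} port {port} is LISTENING, owned by PID {pid}: "
              f"find that PID in Task Manager, then reboot and re-run netstat.")
    if not hits:
        print("no watchlisted ports are listening")
    return hits


if __name__ == "__main__":
    report()
```

To use it on a live box, redirect `netstat -ano` to a file and pass the file's contents to `report()`; an ESTABLISHED outbound connection such as the port 1052 row is deliberately not flagged, since the question in the thread is whether something is listening for a remote operator.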