Page 1 of 2 (results 1 to 15 of 28)

Thread: Remote grab trojan detected...

  1. #1
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408

    Remote grab trojan detected...

    Norton Internet Security keeps popping up and telling me there was an attempt to connect to the local computer using the Remote Grab trojan. The IP address it's given me was... my PC?
    How does this work then, or is it a clever little trojan pretending to be me?
    Ran XoftSpy, Lavasoft Ad-Aware and Spybot; all found nothing. Just running Trojan Hunter at the mo, nothing as yet...
    Any ideas?

  2. #2
    Hail to the Victors dajogejr's Avatar
    Join Date
    May 2003
    Location
    Metro-Detroit
    Posts
    5,224
    What software did you recently install?

  3. #3
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Is this trojan listed in your HOSTS file?
    ...\system32\drivers\etc\HOSTS

    Do you have any remote access services running?
    Admin. Tools > Services

    Services info and advice on settings here:
    http://www.overclockersclub.com/guid...services_2.php

    http://www.ss64.com/ntsyntax/services.html
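The HOSTS-file check Prushka suggests is worth automating, because the interesting lines are easy to miss among the stock Microsoft comments. The following is an added example, not code from this thread or from any of the tools it mentions: it parses HOSTS text into entries and flags anything beyond the standard `127.0.0.1 localhost` line, namely names redirected to a non-loopback address and AV/update hosts pinned to loopback or 0.0.0.0 (a common way malware blocks updates). The `WATCHED_SUFFIXES` list and the `SAMPLE_HOSTS` text are constructed for the example; point `parse_hosts` at the real file (`windows_hosts_path()`) to run it against your own system.

```python
import ipaddress
import os
from typing import List, NamedTuple, Tuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: Tuple[str, ...]


def windows_hosts_path() -> str:
    """Location of the HOSTS file on Windows (assumes the usual %SystemRoot%)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text into entries, ignoring comments, blanks and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()            # drop trailing comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue                                    # address with no hostname: malformed
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                    # first field is not an IP address
        entries.append(HostsEntry(line_no, parts[0], tuple(p.lower() for p in parts[1:])))
    return entries


# Hostnames malware commonly pins to loopback so the victim cannot fetch AV or OS
# updates. Constructed illustration for this example, not a list from the thread.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "windowsupdate.com", "update.microsoft.com",
    "kaspersky.com", "lavasoft.com", "safer-networking.org", "mwti.net",
)


def _matches_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(entries: List[HostsEntry]) -> List[Tuple[HostsEntry, str]]:
    """Return (entry, reason) pairs for anything beyond the stock 'localhost' line."""
    flagged = []
    for e in entries:
        ip = ipaddress.ip_address(e.address)
        blackhole = ip.is_loopback or ip.is_unspecified  # 127.x, ::1 or 0.0.0.0
        for name in e.names:
            if name == "localhost" and blackhole:
                continue                                # the one entry every Windows box has
            if not blackhole:
                flagged.append((e, "redirects %s to %s" % (name, e.address)))
            elif _matches_watched(name):
                flagged.append((e, "blackholes security/update host %s" % name))
    return flagged


# Constructed sample HOSTS file: the usual Microsoft header plus three planted lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com    # constructed: blocks Norton updates
0.0.0.0         download.windowsupdate.com           # constructed: same trick, 0.0.0.0 form
10.0.0.7        login.example.net                    # constructed: silent redirect
"""

if __name__ == "__main__":
    for entry, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print("line %d: %s" % (entry.line_no, reason))
```

A clean XP-era HOSTS file produces no output from this script; if it does flag something, note the line number and compare the file's modification time against when the Norton alerts started.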

  4. #4
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    OK, no software installed recently. There doesn't appear to be anything in my HOSTS file, just the MS garb followed by 127.0.0.1.
    As for remote access, only RPC is set to Auto, with a couple of others set to Manual.
    And thanks for the links, am looking now.....
    Last edited by jotto; 03-02-2005 at 02:53 PM.

  5. #5
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Jotto... try this one. Seems like they worked in conjunction with Kaspersky.
    The site is translated German.
    The free AV/trojan/etc. program is 'Escan' by MicroWorld and is very comprehensive.

    Referenced in this thread:
    http://www.sysopt.com/forum/showthre...ighlight=Escan

  6. #6
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    Thanks Prushka,
    that link for Escan: the first of the 2 links posted works, but I can't get the 2nd, which I assume is to a download, to work. Any ideas?
    Cheers
    jotto

    DOH! OK, found the homepage and am looking at all the Escan products. Which would you recommend, the internet suite, pro version, etc. etc...?
    Last edited by jotto; 03-03-2005 at 01:40 PM.

  7. #7
    Senior Member crusious31's Avatar
    Join Date
    Aug 2002
    Location
    cali
    Posts
    776
    Try here!

  8. #8
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    Downloaded the pro version last night; it crashed my PC and when I eventually got it uninstalled, couldn't run Norton as I didn't have the correct privileges!!!!! Only user, administrator....

    Reinstalled norton......

  9. #9
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Jotto... sorry to hear that.

    I should have specified that you need to turn off/disable any AV program before running another AV. From what I have heard Norton can be a bit fickle in this regard.

    Although, I alluded to it in that thread:
    Quote: "I think you'll like this one. Sets up in temp, so you can run it and delete it and turn your favorite AV program back on."

    I apologize for any confusion. I recently downloaded this program from MicroWorld, which is Escan Antivirus Toolkit Utility, which is called MWAV... a bit confusing from the German site... thinking this was MicroWorld's Escan AV program... now knowing there are several AV programs they offer.

    The link posted on that thread leads to the Escan Antivirus Utility "MWAV", which is what I have used:
    http://www.mwti.net/antivirus/mwav.asp

    I have used this program several times without any problems and thought it was well worth recommending.
    The link to the screenshots also shows Escan Antivirus Toolkit Utility:
    http://www.trojaner-info.de/hijacker/escan.shtml

    I really try to present accurate info and will make it a point to be more thorough in the future.
    Last edited by Prushka; 03-05-2005 at 06:37 AM.

  10. #10
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    Thanks Prushka! Wasn't having a moan or a groan, dude; any help on these forums is greatly appreciated!

    Actually, it gave me a chance to try out NIS 2005 instead of the 2004 Pro version I was using.

    All software scans so far have shown no trojans.... will disable Norton for a few min and try Escan once more... hehehe


    Thanks again man.


  11. #11
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Glad you're not a Begrudgian.

    Hope it works.

  12. #12
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Jotto... assuming this is "grab" and not "garb"/a typo.

    Found this at a tech forum:
    Do you play Mir? Mir Client connects to login.legendofmir.net
    using port 7000.

    And here: Trojan Remote Grab uses port 7000
    http://www.cybercity-online.net/Trojan.html

    Actually, I'm going to use that DOS listening-port thingy.
    I always gain something when helping others.

    If this applies, open a new thread and ask "how to close port 7000",
    and mention the game if you want to.

    I'll see if I can find a specific Remote Grab cleaner.

  13. #13
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    Hopefully Escan will solve your problem.

    Apparently several games, including EverQuest, use port 7000.
    More info on port 7000:
    http://seclists.org/lists/firewall-w.../Sep/0031.html


    If you're still having trouble:
    One of the files you're looking for is simply [grab.exe].
    I would try this... search Files/Folders for grab.exe.
    Right-click the file and click Properties.
    Look for the creation date and exact time and write it down.
    Rename the file to grab.

    Now use Search > Files/Folders > (leave the text field blank) > When Modified > Specify Date (the day grab was created, assuming it's recent) > click Search... which will bring up everything from that day.
    Now on the toolbar click View > When Modified... this will list all files sequentially in time.
    What you're looking for are any files that were created within a minute/seconds of the grab creation time.
    This may give you related files.

    If you don't recognize a file, Google search it.
    Rename each file you find suspect and write them down.
    Prefetch files ending with .pf can be safely deleted and will be recreated as needed on reboot.
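The procedure Prushka describes (pivot on the suspect file's timestamp, then list everything written within seconds of it) is the basic temporal-proximity triage that finds a dropper's companion files and its prefetch entry. Below is an added example implementing it, not code from the thread: `files_near` walks a directory tree and returns every file whose timestamp lies within a window of the pivot file's, nearest-first. The sample tree, the file names and the 2005 epoch value are constructed for the example and written into a temp directory; on a real box point `root` at the drive and `pivot` at the file you found. Note the platform caveat in `file_time`: Explorer's "Created" column is `st_ctime` only on Windows, and on Linux the portable choice is the modification time.

```python
import os
import shutil
import tempfile
from datetime import datetime
from typing import List, Tuple


def file_time(st: os.stat_result, key: str) -> float:
    """Pick the timestamp Explorer would show. 'created' is only meaningful on
    Windows (st_ctime) or where st_birthtime exists; elsewhere fall back to mtime."""
    if key == "created":
        birth = getattr(st, "st_birthtime", None)   # macOS/BSD, newer Pythons on Windows
        if birth is not None:
            return birth
        if os.name == "nt":
            return st.st_ctime                       # Windows: ctime is creation time
        return st.st_mtime                           # Linux: ctime is inode change, not creation
    return st.st_mtime


def files_near(root: str, pivot: str, window_s: float,
               key: str = "modified") -> List[Tuple[float, str]]:
    """Walk root and return (delta_seconds, relative_path) for every file whose
    timestamp lies within window_s of the pivot file's, ordered by time."""
    pivot_t = file_time(os.stat(pivot), key)
    pivot_abs = os.path.abspath(pivot)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) == pivot_abs:
                continue                              # the pivot itself is not a neighbour
            try:
                delta = file_time(os.stat(path), key) - pivot_t
            except OSError:
                continue                              # unreadable or vanished file
            if abs(delta) <= window_s:
                hits.append((delta, os.path.relpath(path, root).replace(os.sep, "/")))
    hits.sort()
    return hits


def build_sample_tree() -> Tuple[str, str]:
    """Constructed sample tree (no real malware): a pivot grab.exe plus files
    written at various offsets from it, with mtimes set via os.utime."""
    root = tempfile.mkdtemp(prefix="triage_")
    base = 1109700000                                 # arbitrary epoch seconds, March 2005
    layout = {
        "grab.exe": 0,
        "helper.dll": 3,                              # dropped 3 s after the pivot
        "Prefetch/GRAB.EXE-1A2B3C4D.pf": 20,          # prefetch entry from first run
        "sub/config.ini": -45,                        # written 45 s before
        "readme.txt": 7200,                           # two hours later, unrelated
        "old.log": -86400,                            # a day earlier, unrelated
    }
    for rel, offset in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (base + offset, base + offset))
    return root, os.path.join(root, "grab.exe")


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, pivot = build_sample_tree()
    try:
        pivot_t = file_time(os.stat(pivot), "modified")
        print("pivot %s written %s" % (pivot, datetime.fromtimestamp(pivot_t)))
        for delta, rel in files_near(root, pivot, window_s=60):
            print("%+6.0fs  %s" % (delta, rel))
    finally:
        cleanup(root)
```

With the 60-second window the sample yields `sub/config.ini`, `helper.dll` and the prefetch file, and leaves out the two unrelated files; widen the window if the dropper took longer to unpack, and remember that an installer or Windows Update running at the same moment produces innocent neighbours too, so each hit still needs to be identified.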

  14. #14
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    Tried the Escan link and did a scan (only scanned my C drive for some reason) but it found no probs. NIS is not showing any probs and I can't find grab.exe in any folders, standard or hidden.

    No games I'm running use port 7000 as far as I'm aware.

    What is the best online security checker? Will check out which ports are open/closed/stealthed.

  15. #15
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    My guess is you're clean, and it's a false positive. Just the other day my resident AV was claiming the Panda Online scanner was a trojan. You might also look to see if any related screen capture programs are running or installed that might be mistaken as 'grab'.
    Here are some tools to add to your security toolbelt:

    Netstat
    http://www.microsoft.com/resources/d...s/netstat.mspx

    Process Explorer
    http://www.sysinternals.com/

    Shield's UP! and Leak Test
    https://www.grc.com/x/ne.dll?bh0bkyd2
    http://grc.com/lt/leaktest.htm

    PCFlank
    http://www.pcflank.com/index.htm

    Firewall Leak Tester
    http://www.pcflank.com/index.htm
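The thread's actual question, why the "attacker" IP was the poster's own PC, is answered by the netstat and Process Explorer suggestions above: a signature-based personal firewall fires on port 7000 whichever local process opened the connection, so the next step is to map that port to a PID. As an added example (not code from this thread or from the tools linked), the block below parses `netstat -ano` style output, lists which PID owns a listener on a given port, and pairs each loopback/self connection with the PID serving it. `SAMPLE_NETSTAT` is constructed for the example, and the local address 192.168.1.5 is an assumption; on your own machine feed it the real output and pass your real interface address.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Conn(NamedTuple):
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: Optional[str]        # None for UDP rows, which have no state column
    pid: int


# One "netstat -ano" row: proto, local endpoint, foreign endpoint, optional state, PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.5:1043' -> ('192.168.1.5', 1043); '*:*' -> ('*', None); handles [::]:135."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -ano output, skipping the banner and header lines."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        la, lp = _split_endpoint(local)
        ra, rp = _split_endpoint(remote)
        conns.append(Conn(proto, la, lp, ra, rp, state, int(pid)))
    return conns


def listeners_on(conns: List[Conn], port: int) -> List[int]:
    """PIDs with a TCP listener or a bound UDP socket on the given port."""
    return sorted({c.pid for c in conns
                   if c.local_port == port and (c.state == "LISTENING" or c.proto == "UDP")})


def self_connections(conns: List[Conn], local_ips: List[str]) -> List[Tuple[int, int, int]]:
    """(client_pid, port, server_pid) for established connections whose peer is this
    machine and whose target port has a local listener. A hit here is exactly the
    'the attacker's IP is my own PC' alert: two local processes talking to each other."""
    local = set(local_ips) | {"127.0.0.1", "::1"}
    serving = {c.local_port: c.pid for c in conns if c.state == "LISTENING"}
    hits = set()
    for c in conns:
        if c.state == "ESTABLISHED" and c.remote_addr in local and c.remote_port in serving:
            hits.add((c.pid, c.remote_port, serving[c.remote_port]))
    return sorted(hits)


# Constructed sample in the layout netstat -ano prints on Windows XP and later.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING       1724
  TCP    127.0.0.1:1029         127.0.0.1:7000         ESTABLISHED     1588
  TCP    192.168.1.5:1043       203.0.113.20:80        ESTABLISHED     2012
  TCP    192.168.1.5:7000       192.168.1.5:1051       ESTABLISHED     1724
  TCP    192.168.1.5:1051       192.168.1.5:7000       ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening on 7000:", listeners_on(conns, 7000))
    for client, port, server in self_connections(conns, ["192.168.1.5"]):
        print("PID %d connected to local port %d served by PID %d" % (client, port, server))
```

In the sample, PID 1588 is connecting to port 7000 served by PID 1724, which is what a firewall signature keyed on port 7000 reports as an attack from your own address. Resolve both PIDs to executables with Process Explorer or `tasklist /FI "PID eq 1724"` (XP Pro and later) before deciding whether it is a game client, a screen-capture tool, or something worth removing; the thread already notes that Mir and EverQuest use the same port, so the port number alone proves nothing.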
