JohnG
This morning I got an alert warning about 2 issues:
.. a trojan backdoor:
http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:WinNT/Nuwar.D!sys&threatid=2147597707
.. a trojan downloader:
http://go.microsoft.com/fwlink/?lin...Downloader:Win32/Renos.AS&threatid=2147610970
I immediately removed them.
A little later, when I logged on, I got a warning that my firewall was off,
& I turned it back on.
I looked through the system log & saw Forefront warnings about changes to
system configuration & autostart for SVCHost:
.. Microsoft Forefront Client Security Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Microsoft Forefront Client Security can't undo changes that you
allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {CBEDFA11-54C6-4DC4-82E4-B82FAFCDBAE8}
Agent: Auto Start
User: DAD2002\John
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
regkey:HKCU@S-1-5-21-1690843657-2136417557-4012481799-1006\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE;runkey:HKCU@S-1-5-21-1690843657-2136417557-4012481799-1006\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE;file:C:\WINDOWS\system32\drivers\svchost.exe
Alert Type: Unclassified software
Process Name:
Detection Type:
Status:
.. Microsoft Forefront Client Security Real-Time Protection agent has
detected changes. Microsoft recommends you analyze the software that made
these changes for potential risks. You can use information about how these
programs operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the software
publisher. Microsoft Forefront Client Security can't undo changes that you
allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {798D8A3D-3D01-4FD2-BBF6-A2731F43B974}
Agent: System Configuration
User: DAD2002\John
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe;firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe;file:C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe
Alert Type: Unclassified software
Process Name:
Detection Type:
Status:
Are these changes valid or could they be related to my firewall being turned
off?
Thanks,
John
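The check a responder would want to run on the two "Path Found" values quoted above, written here as an added example (it is not part of John's post and not Forefront's own tooling): split each value into its typed components (regkey, runkey, firewallokfile, file), then flag a well-known system process name that lives outside %SystemRoot%\System32, and note any autostart or firewall-exception change that refers to it. It assumes %SystemRoot% is C:\WINDOWS as in the post, uses a constructed list of process names, and adds one constructed benign-looking Run entry for contrast.

```python
import ntpath

# Constructed sample input: the two "Path Found" values quoted in the post above,
# plus one constructed benign-looking entry for contrast (not from the post).
SAMPLE_PATH_FOUND = [
    r"regkey:HKCU@S-1-5-21-1690843657-2136417557-4012481799-1006\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE;"
    r"runkey:HKCU@S-1-5-21-1690843657-2136417557-4012481799-1006\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE;"
    r"file:C:\WINDOWS\system32\drivers\svchost.exe",
    r"regkey:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe;"
    r"firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe;"
    r"file:C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe",
    # Constructed benign-looking entry, not from the post.
    r"runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe;file:C:\WINDOWS\system32\ctfmon.exe",
]

# Process names that malware commonly borrows. The genuine copies live only in
# %SystemRoot%\System32 (assumed here to be C:\WINDOWS\System32, as in the post).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
EXPECTED_SYSTEM_DIR = r"c:\windows\system32"

# What the component kinds seen in the post's alerts mean for a responder.
KIND_MEANING = {
    "runkey": "autostart (Run key) entry",
    "firewallokfile": "Windows Firewall authorized-application exception",
}


def parse_path_found(value: str) -> dict[str, str]:
    """Split a 'Path Found' value into {kind: value}.

    Components are separated by ';' and written as 'kind:value'. The value
    part can itself contain ':' (drive letters), so split on the first ':' only.
    """
    parts: dict[str, str] = {}
    for component in value.split(";"):
        kind, sep, item = component.partition(":")
        if sep:
            parts[kind.strip().lower()] = item.strip()
    return parts


def assess_path_found(value: str) -> tuple[str, list[str]]:
    """Return (verdict, findings) for one alert.

    verdict is 'suspicious' when a system-process name is found outside
    System32, 'review' when only a persistence or firewall change is seen,
    and 'benign-looking' otherwise.
    """
    parts = parse_path_found(value)
    findings: list[str] = []
    masquerade = False

    file_path = parts.get("file")
    if file_path:
        directory, name = ntpath.split(file_path)
        if name.lower() in SYSTEM_BINARY_NAMES and directory.lower() != EXPECTED_SYSTEM_DIR:
            masquerade = True
            findings.append(f"{name} found outside {EXPECTED_SYSTEM_DIR}: {file_path}")

    for kind, meaning in KIND_MEANING.items():
        if kind in parts:
            findings.append(f"{meaning}: {parts[kind]}")

    if masquerade:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return verdict, findings


if __name__ == "__main__":
    for sample in SAMPLE_PATH_FOUND:
        verdict, findings = assess_path_found(sample)
        print(verdict)
        for finding in findings:
            print("  -", finding)
```

Both values from the post come out as "suspicious": the file sits in System32\drivers rather than System32, and each alert pairs that file with either a per-user Run key or a firewall exception, which is exactly the combination of persistence and policy change a responder would treat as one incident rather than two unrelated warnings.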