Posted 16 August 2007 - 05:29 AM
As is usual, I made the mistake of installing software from an untrusted source, and ended up with a Remote Access Tool being disguised and run on my computer. Fortunately, I noticed the issue quickly, and was able to determine what, how, when and why everything happened.
A basic server/client RAT was placed in my windows/system32 directory under the name svchost..exe (yes, two dots in the filename), which was executed at startup. TCPView and Process Explorer confirmed my suspicions about said file, as it had opened several ports for listening, and was in fact called server.exe and renamed.
Since then I have removed all registry entries related to the file (startup entry, list of authorised firewall apps, stubs etc.), deleted the file and unchecked the process in msconfig. I am about to run a full AVG scan, as well as Ad-Aware and Spybot S&D checks.
But is there anything else I can do to check for further damage? I know the best bet is to go for a complete format and reinstall, but this is particularly time consuming and since I'm in the middle of revising for my exam retakes I'm willing to risk it (at least until I've got my exams out of the way).
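The three symptoms described in the post (a look-alike svchost binary, listening ports owned by an unexpected process, and Run-key persistence) can be re-checked from a script rather than by eye. The following is an added example, not code from the original post or its author; it assumes a modern Windows with Windows PowerShell 5.1 or later (Get-NetTCPConnection needs Windows 8/Server 2012+) and an elevated prompt, and flags rather than deletes anything it finds.

```powershell
# Added example (not from the original post): defender-side triage for the symptoms
# described above. Assumes Windows PowerShell 5.1+ on Windows 8/Server 2012 or later
# and an elevated prompt. Output is for review only; nothing is modified.

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Any running process whose name starts with "svchost" (this also matches
#    "svchost..exe") must live in System32 and carry a valid Authenticode signature.
Write-Host "== Processes named like svchost =="
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like 'svchost*' } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $inSystem32 = [bool]$path -and ((Split-Path $path -Parent) -ieq $system32)
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            PID        = $_.ProcessId
            Name       = $_.Name
            Path       = $path
            InSystem32 = $inSystem32
            Signature  = $sig
            Suspicious = (-not $inSystem32) -or ($sig -ne 'Valid')
        }
    } | Format-Table -AutoSize

# 2. Every listening TCP socket, resolved to the owning process and its image path
#    (the same view TCPView gives, but scriptable).
Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Name      = $proc.Name
            Path      = $proc.ExecutablePath
        }
    } | Sort-Object LocalPort | Format-Table -AutoSize

# 3. Run/RunOnce persistence entries for the machine and the current user;
#    an entry pointing at an unexpected binary is what the post removed by hand.
Write-Host "== Run-key persistence =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        $key = $_
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Entry = $_.Name; Command = $_.Value } }
    } | Format-Table -AutoSize -Wrap
```

A genuine svchost.exe shows InSystem32 as True and Signature as Valid; anything else in the first table, or a listening port in the second table owned by a process outside System32 or Program Files, is worth comparing against the Run-key entries in the third table before deciding whether the cleanup is complete.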