Trojan virus trying to call home?

Louie1961a

Member
Sep 19, 2001
I am not sure if this question is appropriate here or in the networking room, so I will post in both. I apologize in advance for the redundancy.

I was recently infected with two viruses in one download: trojan.w32.firekill and trojan.msrexe. NAV picked up on both and, I thought, had cleaned them both up/removed them. However, the msrexe file remained on my hard drive, as I found out later. The next time I booted up, my firewall (ZoneAlarm 2.6) caught this trojan in its attempt to "phone home".

I finally figured out from the Symantec web site how to remove this virus and its "fingerprints" from the win.ini, system.ini, the registry, etc.

I thought I was in the clear until this afternoon, when ZoneAlarm blocked an attempt by an outside IP address to connect to port 1034 (UDP transfer, I think it said??). Turns out the IP address that tried to get in today was the same IP address that the virus had originally tried to contact. HERE is the really weird thing: I called my cable internet provider and they indicated that the IP address was one of their DNS servers.

My question is this: what is going on?? I thought I had the virus taken care of... does this mean I don't? If not, what more can I do? I updated NAV with the latest definitions, etc., and it scans and indicates all clear. I have modified the registry, system.ini, etc., all per Symantec's instructions. I have ZoneAlarm installed, and I am behind an SMC Barricade, which should also provide me some firewall protection. I am at a loss as to what else I can do. Any advice would be appreciated. Thanks.
 

Louie1961a

OK, I will download McAfee today, but what gives with the virus trying to reach the DNS server and then the DNS server pinging me back days later? Am I wrong, or is this highly unusual behavior for an ISP DNS server? The ISP is EarthLink. Could they have an infected server and not know it?

I called them with this question and they were no help whatsoever. :Q