virus false positive? Firewall problems.

So I got this message today… Heur.Suspicious@21929188

I don’t know if that’s a virus or not, but just wanted to know.

Also, how can you tell if you're being hacked? Is it possible to use Comodo Firewall to see what connections are being sent OUT and IN?

svchost seems to always run when I access the internet.

Here are the IP addresses I caught it going to while refreshing my browser on www.msn.com.

The " " equals the same previous address; I just didn't want to repeat the numbers.

C:\WINDOWS\system32\svchost.exe
Protocol  Direction  Destination       Bytes in  Bytes out
UDP       OUT        69.78.96.14:53    6.1 KB    352 B
UDP       OUT        " "               3.9 KB    72 B
UDP       OUT        " "               1.7 KB    827 B
UDP       OUT        " "               1.3 KB    1.1 KB
UDP       OUT        " "               265 B     71 B

Is this normal? I tried closing the process down, but it disconnects me from the internet.

I have Windows XP Pro, using an up-to-date Firefox browser, and I just bought this laptop at a pawnshop (used); my service provider is Verizon Wireless access.

It seems that 69.78.96.14 is Mobile Windows Live! and UDP on port 53 is a DNS request. I suspect that’s MSN doing that.

Then again, considering the origin of the laptop (how long have you had it?)… if you intend to use this laptop for personal data or financial transactions, then I would recommend caution… download a bunch of malware scanners & wot not (erm… MalwareBytes AntiMalware… or is it Animalware? and SuperAntiSpyware, a2 free, etc. These are always cited). Scan the whole thing… hard. Personally, I'd also open the case to ensure there was nothing extra inside.

Have you installed any security software or was it all already present?
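The poster asked whether the firewall can show what is going OUT and IN, and the reply above reads the one entry that was quoted (UDP to port 53 is DNS). The script below is an added example, not code from this thread or from Comodo: it parses a per-process connection table in the layout the poster pasted (PROTO DIRECTION REMOTE BYTES_IN BYTES_OUT, with `" "` meaning "same remote as the previous line"; that layout is an assumption taken from the quoted table), totals bytes per process and remote endpoint, labels well-known ports, and lists anything it cannot label so the owner can look it up instead of guessing. The sample log is constructed: the five svchost lines mirror the quoted table, and one extra TCP line with an invented process name and a documentation-range address is added to show how an unlabelled port is reported.

```python
"""Summarise a per-process firewall connection log by remote endpoint.

Added example, not code from the thread or from Comodo. SAMPLE_LOG is
constructed: the svchost lines mirror the poster's table; the last two
lines (process name, 192.0.2.10:3490) are invented to exercise the
"unlabelled port" path.
"""
import re
from collections import OrderedDict

# Ports a home machine is expected to talk to. Anything else is reported
# as unlabelled rather than silently accepted or flagged as hostile.
KNOWN_SERVICES = {
    ("UDP", 53): "DNS",
    ("TCP", 53): "DNS",
    ("TCP", 80): "HTTP",
    ("TCP", 443): "HTTPS",
    ("UDP", 123): "NTP",
}

SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\svchost.exe
UDP OUT 69.78.96.14:53 6.1KB 352 B
UDP OUT " " 3.9 KB 72B
UDP OUT " " 1.7KB 827B
UDP OUT " " 1.3KB 1.1KB
UDP OUT " " 265 B 71B
C:\\Documents and Settings\\user\\unknown.exe
TCP IN 192.0.2.10:3490 0 B 0 B
"""

# A connection line: protocol, direction, remote (or the ditto marker), sizes.
CONN_RE = re.compile(r'^(TCP|UDP)\s+(IN|OUT)\s+(" "|[\d.]+:\d+)\s+(.*)$')
# Byte counts as the table writes them: "6.1KB", "352 B", "1.1KB", "0 B".
SIZE_RE = re.compile(r'(\d+(?:\.\d+)?)\s*([KM]?B)\b')
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}


def to_bytes(number, unit):
    """Turn a ('6.1', 'KB') pair from the log into an integer byte count."""
    return int(round(float(number) * UNIT[unit]))


def parse_log(text):
    """Return one dict per connection line; '" "' resolves to the last remote."""
    records, process, last_remote = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m is None:
            # Any non-connection line names the process owning the lines below it.
            process = line
            continue
        proto, direction, remote, sizes = m.groups()
        if remote == '" "':
            if last_remote is None:
                raise ValueError("ditto marker before any remote: %r" % line)
            remote = last_remote
        last_remote = remote
        ip, port = remote.rsplit(":", 1)
        counts = SIZE_RE.findall(sizes)
        if len(counts) != 2:
            raise ValueError("expected two byte counts: %r" % line)
        records.append({
            "process": process, "proto": proto, "direction": direction,
            "ip": ip, "port": int(port),
            "bytes_in": to_bytes(*counts[0]), "bytes_out": to_bytes(*counts[1]),
        })
    return records


def summarize(records):
    """Aggregate counts and bytes per (process, proto, direction, ip, port)."""
    summary = OrderedDict()
    for r in records:
        key = (r["process"], r["proto"], r["direction"], r["ip"], r["port"])
        entry = summary.setdefault(key, {
            "count": 0, "bytes_in": 0, "bytes_out": 0,
            "service": KNOWN_SERVICES.get((r["proto"], r["port"])),
        })
        entry["count"] += 1
        entry["bytes_in"] += r["bytes_in"]
        entry["bytes_out"] += r["bytes_out"]
    return summary


def unlabelled(summary):
    """Endpoints whose port is not in KNOWN_SERVICES: the ones worth looking up."""
    return [key for key, entry in summary.items() if entry["service"] is None]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for (process, proto, direction, ip, port), e in summary.items():
        print("%-45s %s %-3s %s:%d  x%d  in=%dB out=%dB  %s" % (
            process, proto, direction, ip, port, e["count"],
            e["bytes_in"], e["bytes_out"], e["service"] or "UNLABELLED"))
```

Run it as-is to see the svchost lines collapse into one DNS row (five requests, totals per direction) and the invented TCP line reported as unlabelled. Paste a real export in place of SAMPLE_LOG to get the same per-process view of your own traffic; the point of the KNOWN_SERVICES table is that a port you cannot label is a question to answer, not proof of anything on its own.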

I've installed several antivirus programs. I have Spybot Search & Destroy, the whole Comodo (antivirus, firewall, Defense+) bundle, and have some tracking software like Active Ports, HijackThis, Rootkit Hook Analyzer.

Just because it's convenient, I'll go ahead and put up a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:56 PM, on 9/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

(This scan was done in normal mode, not safe mode)

I just got this computer 1 week and a half ago. Got it cheap. 200 dollars and it runs pretty fast. I figured it's worth it if I get all the viruses out. It's a hassle though. Also, I noticed that the computer model I have was supposed to have a floppy disk drive but it seems someone took it out and replaced it with a black cover (unless the factory made it that way). As for extra stuff added inside the laptop, is there a way you can see it under installed drives, or do I have to physically take it apart? I'm afraid of taking it apart, since I'm afraid I'll forget how to put the laptop back together. I'm eager to learn though. I've learned this much, and I don't mind doing it myself.

Also, under Windows Firewall, I've noticed an exception is added every time I reboot my computer, even if I delete it. It's called iwtnhed. Port 3490 is opened under the TCP protocol. I'm guessing it's a way for a remote hacker to access my network. So I'm guessing a virus must still be resetting this exception every time I reboot my computer.

My laptop is a Compaq Presario 2100 laptop. I do have the inkling something is still wrong with it, but most of the viruses that are still in the computer have been blocked from accessing any networks with Comodo's firewall. It seems I've done a good job preventing outside communication from coming in. Although I still can't figure out what virus is preventing me from accessing Microsoft and other anti-spyware websites. GET THIS: I am now able to access Microsoft's website and all the other sites; I haven't done anything new except block more connections on my firewall. And 2 viruses that Comodo detected while I was doing everyday activities were deleted. I'm really close to just updating my OS to XP Service Pack 3. Maybe this will keep the old viruses from working?

No…
If you still have a virus on your PC, it will survive even if you update to SP3.
I recommend a clean install (format and install Windows XP).

Thanks, I’ve posted a response on my other post to this.
Now the big question bothering me. I’ll repeat what I wrote.

"Also, I noticed that the computer model I have was supposed to have a floppy disk drive but it seems someone took it out and replaced it with a black cover (unless the factory made it that way). As for extra stuff added inside the laptop, is there a way you can see it under installed drives, or do I have to physically take it apart? I'm afraid of taking it apart, since I'm afraid I'll forget how to put the laptop back together. I'm eager to learn though."

So an eerie question comes to mind… :frowning:

Is it possible to put hacking hardware on a slot as big as the floppy disk drive that used to be there?

If so, wouldn’t I be able to tell that kind of hardware running on my computer under some kind of settings?

I say this, and I picture CIA-type stuff, you know, bugging a computer so it keeps track of what you write and then sends it out through its own network, or even my network, while using my computer's power.

Is this possible? Does this type of hardware exist out there for hackers to put in laptops, to later sell to a pawnshop in hopes of getting an unsuspecting civilian's info?