GoFuckYourself.com - Adult Webmaster Forum

G Sharp 05-21-2002 09:20 PM

Hackers / Security Experts Please Read This
 
I recently discovered a file on my PC from Foundrystone.com called "Fscan". However, it was renamed "services.exe", so when you check PROCESSES under Task Manager you'd confuse it with Windows' own services.exe. Anyway, this program was actually sending out information from my PC. I have a network monitor and it reads the info being sent out as around 24K to 16Kbits.

I finally found a way to kill this sucker: renaming it and rebooting, then deleting.

My question to you guys,
How does this program get installed? Was it hidden in a script?

What the hell does this program do anyway? I checked Foundrystone's site and Fscan is supposed to be a scanning device. Was it installed on my system via trojan then it is activated to ping other systems while reporting back to whoever sent it?

Any help would be greatly appreciated.

G Sharp

Pipecrew 05-21-2002 09:35 PM

weird, I have it 5 or so mb?

G Sharp 05-21-2002 09:39 PM

Pipecrew,

I think you're referring to the full program of Fscan. The file that was loaded on my system was less than 20K, I right clicked for Properties and the creator was Foundrystone. System label is FSCAN but it was relabelled "service.exe"--apparently to throw off someone trying to delete it via Task manager.

I'm wondering, how the hell did this get on my system. My hunch--one of those email-based trojans.

G
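The check G Sharp did by hand (a process named like a Windows system binary, with Properties showing a different creator and label) can be scripted on current Windows. This is an added example, not part of the original posts; the list of system names and the allowed directories are illustrative assumptions.

```powershell
# Added example. The name list and allowed directories are illustrative assumptions.
$SystemNames = 'services.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe'
$AllowedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-MasqueradedProcess {
    param([string]$Name, [string]$ExecutablePath)
    if ($SystemNames -notcontains $Name) { return $false }   # -notcontains is case-insensitive
    if (-not $ExecutablePath) { return $false }              # path not readable without elevation
    $dir = Split-Path -Parent $ExecutablePath
    return ($AllowedDirs -notcontains $dir)                  # system name, non-system directory
}

# List every running process that uses a system binary's name from another directory,
# with the version-resource fields that the Properties dialog shows.
Get-CimInstance Win32_Process |
    Where-Object { Test-MasqueradedProcess $_.Name $_.ExecutablePath } |
    ForEach-Object {
        $file = Get-Item -LiteralPath $_.ExecutablePath -Force
        [pscustomobject]@{
            ProcessId        = $_.ProcessId
            Name             = $_.Name
            Path             = $_.ExecutablePath
            SizeBytes        = $file.Length
            Created          = $file.CreationTime
            CompanyName      = $file.VersionInfo.CompanyName
            OriginalFilename = $file.VersionInfo.OriginalFilename
            InternalName     = $file.VersionInfo.InternalName
        }
    } | Format-List
```

Run it from an elevated prompt, since the executable path of protected processes is empty otherwise and those entries are skipped rather than judged.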

dipshit moron retard 05-21-2002 09:41 PM

you mean foundstone? http://www.foundstone.com/knowledge/proddesc/fscan.html

this is a 'port scanner', people use it to see a list of open services on servers to look for applications they can exploit/hack. most likely there is another program installed which uses fscan to do the scan, then sends the result somewhere else. it may be remotely controlled, ie someone initiates scans on an individual basis, but it probably just scans a pre-defined ip range all day long (probably dsl or cable modem addresses) and reports to someone as soon as it finds a new host with a set of services which are possibly exploitable. you need to run a virus scanner to start off with, if that doesn't find anything, post again and i'll help you further.

G Sharp 05-21-2002 10:25 PM

I ran Norton antivirus and it found 5 variants of the trojan--DigiSpid.B. worm

This may be the program that uses fscan to do the portscanning.

If this is the case, how did it get into my system? Email? But I don't open attachments. Is it possible for it to load via java script or active x?





dipshit moron retard 05-21-2002 10:50 PM

this looks like the latest evolution of that trojan: http://www.incidents.org/diary/diary.php?id=156. it's not easy to figure out where the virus came from, it could have been any number of things. do you use kazaa or limewire or anything like that? maybe you downloaded a program from someplace legit that didn't realize the file was infected, etc. One thing you can try:

if you still have any files left associated with the trojan, right click on one and select properties, look at the 'created:' field, then

go to start -> search
search by 'when was file modified?'
select 'specify dates'
then use the dropdown box to select 'creation time'
set the "from" and "to" boxes to be the same day of the creation time on the trojan file

this should show you all of the files downloaded or otherwise created the day the virus was installed. hopefully that will help to narrow down the possibilities.
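The same-day search described in the post above, scripted for current Windows so the results come back sorted as a timeline. This is an added example, not part of the original post; the function name `Get-SameDayFiles`, its parameters and the `MinutesFromRef` column are hypothetical names chosen here.

```powershell
# Added example: list every file created on the same calendar day as a leftover
# trojan file, ordered by creation time, with the offset from the reference file.
function Get-SameDayFiles {
    param(
        [Parameter(Mandatory)][string]$ReferenceFile,   # a file known to belong to the infection
        [string]$Root = "$env:SystemDrive\"             # where to search; defaults to the system drive
    )
    $ref   = Get-Item -LiteralPath $ReferenceFile -Force
    $start = $ref.CreationTime.Date                     # midnight at the start of that day
    $end   = $start.AddDays(1)                          # midnight at the end of that day

    # -Force includes hidden and system files; unreadable directories are skipped.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -lt $end } |
        Sort-Object CreationTime |
        Select-Object CreationTime,
            @{ n = 'MinutesFromRef'
               e = { [math]::Round(($_.CreationTime - $ref.CreationTime).TotalMinutes, 1) } },
            LastWriteTime, Length, FullName
}

# Example call; the path is a constructed placeholder:
# Get-SameDayFiles -ReferenceFile 'C:\path\to\leftover-file.exe' | Format-Table -AutoSize
```

Files closest to zero in `MinutesFromRef` are the ones to look at first. On NTFS a copied file gets a new creation time but keeps its older last-write time, so a `LastWriteTime` earlier than `CreationTime` marks something that was copied or downloaded onto the disk that day.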

G Sharp 05-21-2002 11:04 PM

Dude,

Thanks for the help and info. I appreciate it. I used kazaa last night. That may be it.

Thanks again,

G Sharp



Jimbo 05-21-2002 11:27 PM

I'm sure an active X could have installed that without you wanting it...


All times are GMT -7.