svchost virus

 
Rien Mulder
Since: Mar 09, 2007
Posts: 1
Posted: Fri Mar 09, 2007 11:07 pm    Post subject: svchost virus
Archived from groups: alt.comp.anti-virus

I have an SMTP relay program running somewhere on my computer.

I checked my computer with NOD32, Norman and AVG;
they did not find anything on my computer.

I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
illegal spammer right now),
but I can't find the source of it.

I installed Comodo firewall; it seems that svchost.exe is sending all the
spam,
but I can't do anything with this. Svchost is a key program of Microsoft. It
has the same date/time stamp and file length as another svchost program on a
non-infected computer.

What to do?
I don't want to reinstall the whole Windows XP with all my programs.

Can anybody advise me????

Rien

David H. Lipman
Since: Jul 04, 2003
Posts: 2287
Posted: Sat Mar 10, 2007 12:07 am    Post subject: Re: svchost virus


From: "Rien Mulder"

| I have an SMTP relay program running somewhere on my computer.
|
| I checked my computer with NOD32, Norman and AVG;
| they did not find anything on my computer.
|
| I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
| illegal spammer right now),
| but I can't find the source of it.
|
| I installed Comodo firewall; it seems that svchost.exe is sending all the
| spam,
| but I can't do anything with this. Svchost is a key program of Microsoft. It
| has the same date/time stamp and file length as another svchost program on a
| non-infected computer.
|
| What to do?
| I don't want to reinstall the whole Windows XP with all my programs.
|
| Can anybody advise me????
|
| Rien
|

It may be a RootKit based spambot!

Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum


NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mr. Arnold
Since: Dec 29, 2006
Posts: 14
Posted: Sat Mar 10, 2007 4:03 am    Post subject: Re: svchost virus


Rien Mulder wrote:
> I have an SMTP relay program running somewhere on my computer.
>
> I checked my computer with NOD32, Norman and AVG;
> they did not find anything on my computer.

Well, malware can circumvent and defeat every last one of them, under
the right conditions.
>
> I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
> illegal spammer right now),
> but I can't find the source of it.

Well, at least you have discovered something.

>
> I installed Comodo firewall; it seems that svchost.exe is sending all the
> spam,
> but I can't do anything with this. Svchost is a key program of Microsoft. It
> has the same date/time stamp and file length as another svchost program on a
> non-infected computer.

It's not correct that you can't do anything about it.

BTW, Comodo is not a FW. It's a personal packet filter that runs at the
machine level. A FW has two or more interfaces and separates two
networks. One interface protects from a network, usually the
WAN/Internet. The other interface protects a network, usually the LAN.

>
> What to do?
> I don't want to reinstall the whole Windows XP with all my programs.
>

Well, if svchost.exe is not running out of C:\Windows\system32, then it's
a Trojan.

On the other hand, svchost.exe is just the messenger for the O/S
programs and other programs such as malware that can use svchost.exe on
their behalf.

You need to look inside the svchost.exe process in question that's
hosting processes to see if you can spot a program or process that's
dubious.

You do that with Process Explorer that allows you to look inside a
running process such as svchost.exe and others.

<http://www.pcworld.com/downloads/file_description/0,fid,23780,00.asp>

You go to Menu/View/Show Lower Pane and Lower Pane View/Show DLLs.

That will show all programs/processes in the lower pane when you click
on a process in the upper pane. You can right-click in the upper pane on
a process and you can right-click on a program in the lower pane and go
to Properties to check location and other things about a given process.

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>
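As an added example (not code from the thread or from any of its posters), here is the same inspection done from PowerShell on a current Windows, following the three things the post says to look at: the path of the svchost.exe image, what is running inside it, and where each loaded module comes from. It assumes an elevated session (the Path and Modules of a SYSTEM-owned process are unreadable otherwise), Windows 8 / Server 2012 or later for Get-NetTCPConnection, and that this machine has no legitimate reason to hold outbound SMTP connections; the function names are this example's own. It goes one step beyond the post by also reading each hosted service's ServiceDll registry value, which names the DLL that actually executes inside that svchost instance.

```powershell
# Added example, not from the original post. Requires an elevated PowerShell
# on Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-CimInstance).
# Function names (Test-SignedSystemFile, Get-ServiceDllPath, Get-SvchostTriage)
# are this example's own.

function Test-SignedSystemFile {
    # A file passes only if it lives under %SystemRoot% AND carries a valid
    # Authenticode signature. Size and timestamp are deliberately not checked:
    # a malicious DLL hosted by svchost.exe does not alter svchost.exe at all,
    # which is why comparing it against a clean machine proved nothing.
    param([Parameter(Mandatory)][string]$Path)
    $underSystemRoot = $Path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path       = $Path
        Status     = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Suspicious = (-not $underSystemRoot) -or (-not $sig) -or ($sig.Status -ne 'Valid')
    }
}

function Get-ServiceDllPath {
    # svchost-hosted services are implemented as DLLs named in the registry;
    # this is the "program inside svchost" the thread is trying to find.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) }
}

function Get-SvchostTriage {
    # PIDs holding an established connection to an SMTP port right now.
    $smtpPids = @(Get-NetTCPConnection -RemotePort 25, 465, 587 -State Established -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty OwningProcess -Unique)

    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # (1) The image itself: the "not running out of system32 => Trojan" check.
        $image = if ($p.Path) { Test-SignedSystemFile -Path $p.Path }

        # (2) What this instance hosts: Process Explorer's Services tab, or `tasklist /svc`.
        $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)")

        # (3) Every DLL that could be the real culprit: the hosted services' own
        #     ServiceDll values plus everything in the loaded-module list
        #     (the lower-pane DLL view in Process Explorer).
        $candidates = @()
        foreach ($s in $services) { $d = Get-ServiceDllPath -ServiceName $s.Name; if ($d) { $candidates += $d } }
        try   { $candidates += $p.Modules | ForEach-Object { $_.FileName } }
        catch { Write-Warning "PID $($p.Id): module list unreadable ($($_.Exception.Message)); run elevated" }
        $flagged = $candidates | Sort-Object -Unique | ForEach-Object { Test-SignedSystemFile -Path $_ } |
                   Where-Object { $_.Suspicious }

        [pscustomobject]@{
            PID             = $p.Id
            ImagePath       = $p.Path
            ImageSuspicious = if ($image) { $image.Suspicious } else { $true }
            HostedServices  = ($services | ForEach-Object { $_.Name }) -join ','
            TalksSMTP       = $smtpPids -contains $p.Id
            FlaggedFiles    = ($flagged | ForEach-Object { "$($_.Path) [$($_.Status)]" }) -join '; '
        }
    }
}

# Instances talking SMTP or carrying unsigned / out-of-tree code float to the top.
Get-SvchostTriage | Sort-Object -Property TalksSMTP, ImageSuspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and read the rows with TalksSMTP set first: the HostedServices column tells you which service to look at, and FlaggedFiles names the DLLs that are unsigned or live outside %SystemRoot%. On the Windows XP machine in the thread the closest built-in equivalent of step (2) is `tasklist /svc`, and steps (1) and (3) are exactly the Process Explorer path-and-DLL inspection described above; the point is that a clean svchost.exe with a matching size and timestamp says nothing about the DLLs it has been told to load.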

Bullseye
Since: Mar 10, 2007
Posts: 28
Posted: Sun Mar 11, 2007 5:30 am    Post subject: Re: svchost virus


On Fri, 09 Mar 2007 20:02:36 -0700, Mr. Arnold wrote:

> On the other hand, svchost.exe is just the messenger for the O/S
> programs and other programs such as malware that can use svchost.exe on
> their behalf.
>

If there is the possibility of this being a rootkit of some kind, wouldn't
you guys suggest running some kind of rootkit detector/remover? Most are
listed and can be accessed from: http://antirootkit.com/software/index.htm

--
Posted via a free Usenet account from http://www.teranews.com

David H. Lipman
Since: Jul 04, 2003
Posts: 2287
Posted: Sun Mar 11, 2007 3:07 pm    Post subject: Re: svchost virus


From: "Bullseye"

| On Fri, 09 Mar 2007 20:02:36 -0700, Mr. Arnold wrote:
|
>> On the other hand, svchost.exe is just the messenger for the O/S
>> programs and other programs such as malware that can use svchost.exe on
>> their behalf.
>>
| If there is the possibility of this being a rootkit of some kind, wouldn't
| you guys suggest running some kind of rootkit detector/remover? Most are
| listed and can be accessed from: http://antirootkit.com/software/index.htm
|

IF you are capable of understanding the output, Gmer is the anti rootkit utility to use.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Bullseye
Since: Mar 10, 2007
Posts: 28
Posted: Sun Mar 11, 2007 10:07 pm    Post subject: Re: svchost virus


On Sun, 11 Mar 2007 13:54:59 GMT, David H. Lipman wrote:

> From: "Bullseye"
>
>| On Fri, 09 Mar 2007 20:02:36 -0700, Mr. Arnold wrote:
>|
>>> On the other hand, svchost.exe is just the messenger for the O/S
>>> programs and other programs such as malware that can use svchost.exe on
>>> their behalf.
>>>
>| If there is the possibility of this being a rootkit of some kind, wouldn't
>| you guys suggest running some kind of rootkit detector/remover? Most are
>| listed and can be accessed from: http://antirootkit.com/software/index.htm
>|
>
> IF you are capable of understanding the output, Gmer is the anti rootkit utility to use.

Agreed. But I've seen some novices really mess up their systems with Gmer.

--
Posted via a free Usenet account from http://www.teranews.com

David H. Lipman
Since: Jul 04, 2003
Posts: 2287
Posted: Mon Mar 12, 2007 1:05 am    Post subject: Re: svchost virus


From: "Bullseye"

>> IF you are capable of understanding the output, Gmer is the anti rootkit utility to use.
|
| Agreed. But I've seen some novices really mess up their systems with Gmer.
|

That's why I posted this disclaimer...
"...capable of understanding the output...".

I really don't think the "average user" should run anti-rootkit utilities, as they get in way
over their heads with the technical aspects of the Operating System.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Ron Lopshire
Since: Mar 28, 2006
Posts: 202
Posted: Mon Mar 12, 2007 2:10 pm    Post subject: Re: svchost virus


David H. Lipman wrote:

> From: "Bullseye"
>
>>>IF you are capable of understanding the output, Gmer is the anti rootkit utility to use.
>
> |
> | Agreed. But I've seen some novices really mess up their systems with Gmer.
> |
>
> That's why I posted this disclaimer...
> "...capable of understanding the output...".
>
> I really don't think the "average user" should run anti rootkit utilities as they become way
> over their head with technical aspects of the Operating System.

IMHO, most people should use rootkit scanners in the same fashion as
HijackThis. Run the scan, and then submit the output/log file to an
expert for analysis.

BTW, dated 12 March 2007,

http://www.merijn.org/

Quote: " As some of you might have seen several IT news websites are
offering Trend Micro HijackThis 2.00 beta. An official statement will be
posted on their website soon, but since this is a public beta of theirs
I figured it'd be best if I answered the question I'm going to get asked
a lot, right now.

This is not fake, I sold HijackThis to TrendMicro. Their product
incorporates all changes, updates and fixes that I was planning on
adding in the v1.99.2 release. I made sure of that and I hope no one
will be disappointed with it.

While TrendMicro does not officially support HijackThis yet, I expect
they will once it goes final."

Ron :)

David H. Lipman
Since: Jul 04, 2003
Posts: 2287
Posted: Mon Mar 12, 2007 10:09 pm    Post subject: Re: svchost virus


From: "Ron Lopshire"


|
| IMHO, most people should use rootkit scanners in the same fashion as
| HijackThis. Run the scan, and then submit the output/log file to an
| expert for analysis.
|
| BTW, dated 12 March 2007,
|
| http://www.merijn.org/
|
| Quote: " As some of you might have seen several IT news websites are
| offering Trend Micro HijackThis 2.00 beta. An official statement will be
| posted on their website soon, but since this is a public beta of theirs
| I figured it'd be best if I answered the question I'm going to get asked
| a lot, right now.
|
| This is not fake, I sold HijackThis to TrendMicro. Their product
| incorporates all changes, updates and fixes that I was planning on
| adding in the v1.99.2 release. I made sure of that and I hope no one
| will be disappointed with it.
|
| While TrendMicro does not officially support HijackThis yet, I expect
| they will once it goes final."
|
| Ron :)

Hi Ron:

Yes, we were discussing this all day Yesterday thus the posted note Today.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php#

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm