Posted by Leythos on November 4, 2008, 2:41 pm
GavTelinBCCA@discussions.microsoft.com says...
> Have SMTP Trojan embedded that uses svchost PID 560 or 432, opens ports UDP
> 3001, TCP 3002, 3, 4 and attaches either to RpcSs or Services and evades all
> Rootkit finders and Virus scanners. Shows up in Process Explorer and Open
> ports scanner. Have ripped registry apart looking for clues. Starts by
> downloading on port 443 from 195.190.13.198, writes to readable area in
> HKLM\Software that has key a5 and contains code. Destroy it and it is
> replaced. Also writes to software hive and software.bak.tmp. Malicious Tools
> scans clean, as do all Spyware scanners. McAfee no help either. Sysinternals
> shows it all happening using registered Microsoft components. This thing is in
> the registry and can be stopped....
>
> I just want to find how this was done as I've tried everything
Have you tried these two antimalware tools?
These sites are for downloading anti-malware and anti-spyware tools, in the
order that I would use them myself:
Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
(this is a non-english site, but it's a great tool)
http://www.pctipp.ch/downloads/dl/35905.asp
MalwareBytes Anti-Malware
From http://www.bleepingcomputer.com/ http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe
--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
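As an added triage example (not from the original thread or from either poster): a Python script that correlates `netstat -ano` listeners with `tasklist /svc` output, so that a port such as the ones described in the post above can be tied to a PID and then to the service names hosted inside that svchost instance. The port list (UDP 3001, TCP 3002-3004) and the remote address 195.190.13.198 are taken from the post; the netstat and tasklist text embedded below is constructed for demonstration, and `collect_live()` is only a convenience wrapper that runs the two real commands on a Windows host.

```python
"""Map suspicious sockets -> PID -> services hosted in that process.

Indicators below come from the thread; the sample command output is
constructed, not a real capture.
"""
import re
import subprocess

# Indicators quoted from the post (assumed still the ones of interest).
SUSPECT_PORTS = {("UDP", 3001), ("TCP", 3002), ("TCP", 3003), ("TCP", 3004)}
SUSPECT_REMOTE = "195.190.13.198"

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:3002           0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:3003           0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:3004           0.0.0.0:0              LISTENING       560
  TCP    192.168.1.10:49201     195.190.13.198:443     ESTABLISHED     560
  UDP    0.0.0.0:3001           *:*                                    560
  UDP    0.0.0.0:500            *:*                                    432
"""

# Constructed sample of `tasklist /svc` output.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   412 N/A
svchost.exe                    432 AudioSrv, Browser, Dhcp, lanmanserver
svchost.exe                    560 RpcSs
"""

# TCP rows carry a State column, UDP rows do not; the state group is optional.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank, or separator line
        proto, lip, lport, remote, state, pid = m.groups()
        rip, rport = remote.rsplit(":", 1)
        sockets.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                        "remote_ip": rip, "remote_port": rport,
                        "state": state or "", "pid": int(pid)})
    return sockets


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image, names)
    return procs


def flag_suspect_sockets(sockets, procs, suspect_ports=SUSPECT_PORTS,
                         suspect_remote=SUSPECT_REMOTE):
    """Attach image name and hosted services to every socket matching an indicator."""
    findings = []
    for s in sockets:
        reason = None
        if (s["proto"], s["local_port"]) in suspect_ports and s["state"] in ("LISTENING", ""):
            reason = "listening on %s/%d" % (s["proto"], s["local_port"])
        elif s["remote_ip"] == suspect_remote:
            reason = "connection to %s:%s" % (s["remote_ip"], s["remote_port"])
        if reason:
            image, services = procs.get(s["pid"], ("<unknown>", []))
            findings.append({"pid": s["pid"], "image": image,
                             "services": services, "reason": reason})
    return findings


def collect_live():
    """Run the two commands on a live Windows host (not used by the sample run)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    for f in flag_suspect_sockets(parse_netstat(SAMPLE_NETSTAT),
                                  parse_tasklist_svc(SAMPLE_TASKLIST)):
        print("PID %(pid)d %(image)s [%(services)s]: %(reason)s"
              % dict(f, services=", ".join(f["services"])))
```

On the constructed sample every hit lands on PID 560, the svchost instance hosting RpcSs, which is the same situation the post describes: the listener belongs to a shared service host, so killing the process is not a fix. The useful next step is to take the service names the script prints and compare each one's ServiceDll path and signer against the others in the same group, since that is where a non-Microsoft DLL hosted by a registered Microsoft component would show up.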