svchost virus


I do have an SMTP relay program running somewhere on my computer.

Checked my computer with NOD32, Norman and AVG;
they did not find anything on my computer.

I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
illegal spammer right now),
but I can't find the source of it.

Installed Comodo firewall; it seems that svchost.exe is sending all the
spam,
but I can't do anything with this. Svchost is a key program of Microsoft. It
has the same date/time stamp and file length as another svchost program on a
non-infected computer.

What to do?
I don't want to reinstall the whole Windows XP with all my programs.

Can anybody advise me????

 Rien



Re: svchost virus


| I do have an SMTP relay program running somewhere on my computer.
|
| Checked my computer with NOD32, Norman and AVG;
| they did not find anything on my computer.
|
| I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
| illegal spammer right now),
| but I can't find the source of it.
|
| Installed Comodo firewall; it seems that svchost.exe is sending all the
| spam,
| but I can't do anything with this. Svchost is a key program of Microsoft. It
| has the same date/time stamp and file length as another svchost program on a
| non-infected computer.
|
| What to do?
| I don't want to reinstall the whole Windows XP with all my programs.
|
| Can anybody advise me????
|
|  Rien
|

It may be a rootkit-based spambot!

Download and execute HijackThis (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HijackThis (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum


NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: svchost virus

Rien Mulder wrote:

Well, malware can circumvent and defeat every last one of them, under
the right conditions.

Well at least, you have discovered something.


That's not correct that you can't do anything about it.

BTW, Comodo is not a FW. It's a personal packet filter that runs at the
machine level. A FW has two or more interfaces and separates two
networks. One interface protects from a network, usually the
WAN/Internet. The other interface protects a network, usually the LAN.


Well, if svchost.exe is not running out of c:\windows\system32, then it's
a Trojan.

On the other hand, svchost.exe is just the messenger for the O/S
programs and other programs such as malware that can use svchost.exe on
their behalf.

You need to look inside the svchost.exe process in question that's
hosting processes to see if you can spot a program or process that's
dubious.

You do that with Process Explorer that allows you to look inside a
running process such as svchost.exe and others.

<http://www.pcworld.com/downloads/file_description/0,fid,23780,00.asp>

You go to Menu/View/Show Lower Pane and Lower Pane View/Show DLLs.

That will show all programs/processes in the lower pane when you click
on a process in the upper pane. You can right-click in the upper pane on
a process and you can right-click on a program in the lower pane and go
to Properties to check location and other things about a given process.

<http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html>
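The step the reply above describes, finding which svchost.exe instance owns the outbound SMTP connections and what that instance hosts, can be done from the command line before opening Process Explorer. The script below is an added example written for this page, not code from anyone in the thread; it parses the text output of `netstat -ano`, `tasklist /svc` and `wmic process get ExecutablePath,ProcessId` (all built into Windows XP Professional). The three command outputs embedded in it are constructed for the example, the SystemRoot of C:\WINDOWS is an assumption (read the real one with `echo %SystemRoot%`), and the function names are mine.

```python
"""Correlate outbound SMTP connections with the svchost.exe instance that owns
them, and flag any svchost.exe that does not run from the system32 directory.

Inputs are the text outputs of three built-in XP commands:
    netstat -ano                                (PID per connection)
    tasklist /svc                               (services hosted per PID)
    wmic process get ExecutablePath,ProcessId   (on-disk path per PID)
The sample outputs below are constructed for this example, not captured from
the poster's machine.
"""
import re

SMTP_PORTS = {25, 465, 587}

# --- constructed sample output ---------------------------------------------
NETSTAT_OUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1053      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:1101      198.51.100.7:25        ESTABLISHED     1184
  TCP    192.168.1.10:1102      203.0.113.44:25        SYN_SENT        1184
  TCP    192.168.1.10:1103      203.0.113.90:25        ESTABLISHED     1184
  TCP    192.168.1.10:1120      192.0.2.15:80          ESTABLISHED     2480
  UDP    0.0.0.0:123            *:*                                    1052
"""

TASKLIST_OUT = r"""
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    932 DcomLaunch, TermService
svchost.exe                   1052 RpcSs, W32Time
svchost.exe                   1184 Browser, CryptSvc, Dhcp, WinMgmt,
                                   wuauserv
svchost.exe                   1336 LocalService
firefox.exe                   2480 N/A
"""

WMIC_OUT = r"""
ExecutablePath                                ProcessId
C:\WINDOWS\system32\svchost.exe               932
C:\WINDOWS\system32\svchost.exe               1052
C:\WINDOWS\system32\svchost.exe               1184
C:\Documents and Settings\rien\svchost.exe    1336
"""


def parse_netstat(text):
    """One dict per TCP row of `netstat -ano`; UDP and header rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, remote, state, pid = parts
        rip, _, rport = remote.rpartition(":")
        conns.append({"remote_ip": rip, "remote_port": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


# image name, right-aligned PID, then the service list (assumes image names
# do not themselves contain a space-separated number)
_TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def parse_tasklist_svc(text):
    """PID -> (image name, [service names]) from `tasklist /svc`.
    Long service lists wrap onto indented continuation lines; those are glued
    back onto the preceding row."""
    rows, last = {}, None
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line.rstrip())
        if m:
            last = int(m.group("pid"))
            rows[last] = (m.group("image").strip(), m.group("svcs"))
        elif last is not None and line[:1].isspace() and line.strip():
            image, svcs = rows[last]
            rows[last] = (image, svcs + " " + line.strip())
    return {pid: (image, [s.strip() for s in svcs.split(",")
                          if s.strip() and s.strip() != "N/A"])
            for pid, (image, svcs) in rows.items()}


_WMIC_ROW = re.compile(r"^(?P<path>\S.*?\S)\s+(?P<pid>\d+)\s*$")


def parse_wmic_paths(text):
    """PID -> executable path from `wmic process get ExecutablePath,ProcessId`."""
    return {int(m.group("pid")): m.group("path")
            for m in map(_WMIC_ROW.match, text.splitlines()) if m}


def is_genuine_svchost_path(path, system_root=r"C:\WINDOWS"):
    """True only if the image is SystemRoot\\system32\\svchost.exe.
    system_root defaults to the XP default and is an assumption of this example."""
    expected = (system_root + r"\system32\svchost.exe").lower()
    return path.replace("/", "\\").lower() == expected


def triage(netstat_text, tasklist_text, wmic_text, system_root=r"C:\WINDOWS"):
    """Return findings: which PID sends SMTP (and what it hosts), and any
    svchost.exe running from the wrong directory."""
    conns = parse_netstat(netstat_text)
    procs = parse_tasklist_svc(tasklist_text)
    paths = parse_wmic_paths(wmic_text)
    findings = []

    peers = {}  # pid -> SMTP endpoints it is talking to
    for c in conns:
        if c["remote_port"] in SMTP_PORTS:
            peers.setdefault(c["pid"], []).append(f"{c['remote_ip']}:{c['remote_port']}")
    for pid, endpoints in sorted(peers.items()):
        image, svcs = procs.get(pid, ("<unknown>", []))
        findings.append({"reason": "outbound SMTP", "pid": pid, "image": image,
                         "path": paths.get(pid), "services": svcs,
                         "smtp_peers": endpoints})

    for pid, (image, svcs) in sorted(procs.items()):
        path = paths.get(pid)
        if image.lower() == "svchost.exe" and path and \
                not is_genuine_svchost_path(path, system_root):
            findings.append({"reason": "svchost outside system32", "pid": pid,
                             "image": image, "path": path, "services": svcs})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_OUT, TASKLIST_OUT, WMIC_OUT):
        print(f"[{f['reason']}] PID {f['pid']} {f['image']} ({f['path']})")
        print("    services:", ", ".join(f["services"]) or "none")
        if "smtp_peers" in f:
            print("    SMTP peers:", ", ".join(f["smtp_peers"]))
```

In the constructed data the SMTP connections belong to PID 1184, a genuine svchost.exe hosting only standard services, which is exactly the case the reply warns about: the host process and its service list look clean, so the next step is to select that PID in Process Explorer's lower pane and look for a DLL loaded from outside system32. The separate finding for PID 1336 is the other case the reply mentions, an svchost.exe started from a user profile directory, which is a Trojan by name-squatting rather than a hijacked service host. On XP SP2 and later, `netstat -b` also prints the executable and component chain behind each connection, which shortens this search further.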






Re: svchost virus

wrote:


If there is the possibility of this being a rootkit of some kind, wouldn't
you guys suggest running some kind of rootkit detector/remover?  Most are
listed and can be accessed from: http://antirootkit.com/software/index.htm

--
Posted via a free Usenet account from http://www.teranews.com


Re: svchost virus


| wrote:
|
| If there is the possibility of this being a rootkit of some kind, wouldn't
| you guys suggest running some kind of rootkit detector/remover?  Most are
| listed and can be accessed from: http://antirootkit.com/software/index.htm
|

IF you are capable of understanding the output, Gmer is the anti-rootkit utility
to use.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: svchost virus

On Sun, 11 Mar 2007 13:54:59 GMT, David H. Lipman wrote:


Agreed.  But I've seen some novices really mess up their systems with Gmer.

--
Posted via a free Usenet account from http://www.teranews.com


Re: svchost virus


|
| Agreed.  But I've seen some novices really mess up their systems with Gmer.
|

That's why I posted this disclaimer...
"...capable of understanding the output...".

I really don't think the "average user" should run anti-rootkit utilities, as
they get way over their heads with the technical aspects of the operating
system.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: svchost virus

David H. Lipman wrote:


IMHO, most people should use rootkit scanners in the same fashion as
HijackThis. Run the scan, and then submit the output/log file to an
expert for analysis.

BTW, dated 12 March 2007,

  http://www.merijn.org/

Quote: " As some of you might have seen several IT news websites are
offering Trend Micro HijackThis 2.00 beta. An official statement will be
posted on their website soon, but since this is a public beta of theirs
I figured it'd be best if I answered the question I'm going to get asked
a lot, right now.

This is not fake, I sold HijackThis to TrendMicro. Their product
incorporates all changes, updates and fixes that I was planning on
adding in the v1.99.2 release. I made sure of that and I hope no one
will be disappointed with it.

While TrendMicro does not officially support HijackThis yet, I expect
they will once it goes final."

Ron :)

Re: svchost virus



|
| IMHO, most people should use rootkit scanners in the same fashion as
| HijackThis. Run the scan, and then submit the output/log file to an
| expert for analysis.
|
| BTW, dated 12 March 2007,
|
|   http://www.merijn.org/
|
| Quote: " As some of you might have seen several IT news websites are
| offering Trend Micro HijackThis 2.00 beta. An official statement will be
| posted on their website soon, but since this is a public beta of theirs
| I figured it'd be best if I answered the question I'm going to get asked
| a lot, right now.
|
| This is not fake, I sold HijackThis to TrendMicro. Their product
| incorporates all changes, updates and fixes that I was planning on
| adding in the v1.99.2 release. I made sure of that and I hope no one
| will be disappointed with it.
|
| While TrendMicro does not officially support HijackThis yet, I expect
| they will once it goes final."
|
| Ron :)

Hi Ron:

Yes, we were discussing this all day Yesterday thus the posted note Today.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


