svchost virus


Rien Mulder

I do have an SMTP relay program running somewhere on my computer.

Checked my computer with NOD32, Norman and AVG;
they did not find anything on my computer.

I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
illegal spammer right now).
But I can't find the source of it.

Installed Comodo firewall, it seems that svchost.exe is sending all the
spam,
but I can't do anything with this. Svchost is a key program of Microsoft. It
has the same date/time stamp and file length as another svchost program on a
non-infected computer.

What to do?
I don't want to reinstall the whole Windows XP with all my programs.

Can anybody advise me????

Rien
 

David H. Lipman

From: "Rien Mulder" <[email protected]>

| I do have an SMTP relay program running somewhere on my computer.
|
| Checked my computer with NOD32, Norman and AVG;
| they did not find anything on my computer.
|
| I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
| illegal spammer right now).
| But I can't find the source of it.
|
| Installed Comodo firewall, it seems that svchost.exe is sending all the
| spam,
| but I can't do anything with this. Svchost is a key program of Microsoft. It
| has the same date/time stamp and file length as another svchost program on a
| non-infected computer.
|
| What to do?
| I don't want to reinstall the whole Windows XP with all my programs.
|
| Can anybody advise me????
|
| Rien
|

It may be a RootKit based spambot!

Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum


NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 

Mr. Arnold

Rien said:
I do have an SMTP relay program running somewhere on my computer.

Checked my computer with NOD32, Norman and AVG;
they did not find anything on my computer.

Well, malware can circumvent and defeat every last one of them, under
the right condition.
I see activity with Ethereal, all kinds of SMTP packets going out (so I am an
illegal spammer right now).
But I can't find the source of it.

Well at least, you have discovered something.
Installed Comodo firewall, it seems that svchost.exe is sending all the
spam,
but I can't do anything with this. Svchost is a key program of Microsoft. It
has the same date/time stamp and file length as another svchost program on a
non-infected computer.

That's not correct that you can't do anything about it.

BTW, Comodo is not a FW. It's a personal packet filter that runs at the
machine level. A FW has two or more interfaces and separates two
networks. One interface protects from a network, usually the
WAN/Internet. The other interface protects a network, usually the LAN.
What to do?
I don't want to reinstall the whole Windows XP with all my programs.

Well, if svchost.exe is not running out of c:/windows/system32 then it's
a Trojan.

On the other hand, svchost.exe is just the messenger for the O/S
programs and other programs such as malware that can use svchost.exe on
their behalf.

You need to look inside the svchost.exe process in question that's
hosting processes to see if you can spot a program or process that's
dubious.

You do that with Process Explorer that allows you to look inside a
running process such as svchost.exe and others.

<http://www.pcworld.com/downloads/file_description/0,fid,23780,00.asp>

You go to Menu/View/Show Lower Pane and Lower Pane View/Show DLLs.

That will show all programs/processes in the lower pane when you click
on a process in the upper pane. You can right-click in the upper pane on
a process and you can right-click on a program in the lower pane and go
to Properties to check location and other things about a given process.

<http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html>
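As an added example (not from the thread or from Process Explorer), the same inspection scripted in PowerShell: for every svchost.exe it checks the on-disk location and Authenticode signature (a matching timestamp and size, as in the original question, proves nothing), lists the services each instance hosts, flags loaded DLLs outside the Windows directory, and ties any outbound port-25 connection back to its owning PID. It assumes Windows PowerShell 5.1 or newer run from an elevated prompt; the port-25 step needs Windows 8 / Server 2012 or later.

```powershell
# Added example: scripted version of the "look inside svchost.exe" checks.
# Assumes PowerShell 5.1+ (needed for catalog-signed system files to report
# 'Valid') and an elevated prompt so other users' processes are readable.
$sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path = $proc.Path
    if (-not $path) {
        "PID $($proc.Id): image path not readable (not elevated?)"
        continue
    }
    # 1. Location and signature are what distinguish the real svchost.exe
    #    from a look-alike dropped elsewhere on disk.
    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    if ((Split-Path $path -Parent) -ine $sys32 -or $sig -ne 'Valid') {
        "PID $($proc.Id): SUSPICIOUS image $path (signature: $sig)"
    }
    # 2. Which services this instance hosts (Process Explorer's tooltip).
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
            Select-Object -ExpandProperty Name
    "PID $($proc.Id): hosts $($svcs -join ', ')"
    # 3. Loaded DLLs outside the Windows directory (the lower-pane DLL view).
    #    Code riding inside svchost usually shows up here as a module with an
    #    odd path or a missing/invalid signature.
    try {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -and $m.FileName -notlike "$env:SystemRoot\*") {
                $ms = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
                "PID $($proc.Id): module outside Windows dir: $($m.FileName) (signature: $ms)"
            }
        }
    } catch {
        "PID $($proc.Id): cannot enumerate modules: $($_.Exception.Message)"
    }
}

# 4. Tie the SMTP traffic seen in Ethereal back to a process: outbound
#    connections to port 25 and their owning PID.
Get-NetTCPConnection -RemotePort 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "SMTP connection to $($_.RemoteAddress):25 owned by PID $($_.OwningProcess) ($owner)"
    }
```

A 'NotSigned' result for a System32 file on a pre-5.1 PowerShell only means the catalog signature was not checked, so confirm with the file location and the hosted-service list before treating it as malicious.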
 

Bullseye

On the other hand, svchost.exe is just the messenger for the O/S
programs and other programs such as malware that can use svchost.exe on
their behalf.

If there is the possibility of this being a rootkit of some kind, wouldn't
you guys suggest running some kind of rootkit detector/remover? Most are
listed and can be accessed from: http://antirootkit.com/software/index.htm
 

David H. Lipman

From: "Bullseye" <[email protected]>

| On Fri, 09 Mar 2007 20:02:36 -0700, Mr. Arnold <"Mr. Arnold"@Arnold.COM>
| wrote:
|
| If there is the possibility of this being a rootkit of some kind, wouldn't
| you guys suggest running some kind of rootkit detector/remover? Most are
| listed and can be accessed from: http://antirootkit.com/software/index.htm
|

IF you are capable of understanding the output, Gmer is the anti-rootkit utility to use.
 

David H. Lipman

|
| Agreed. But I've seen some novices really mess up their systems with Gmer.
|

That's why I posted this disclaimer...
"...capable of understanding the output...".

I really don't think the "average user" should run anti-rootkit utilities, as they get way
over their head with technical aspects of the Operating System.
 

Bullseye

From: "Bullseye" <[email protected]>

| On Fri, 09 Mar 2007 20:02:36 -0700, Mr. Arnold <"Mr. Arnold"@Arnold.COM>
| wrote:
|
| If there is the possibility of this being a rootkit of some kind, wouldn't
| you guys suggest running some kind of rootkit detector/remover? Most are
| listed and can be accessed from: http://antirootkit.com/software/index.htm
|

IF you are capable of understanding the output, Gmer is the anti-rootkit utility to use.

Agreed. But I've seen some novices really mess up their systems with Gmer.
 

Ron Lopshire

David said:
|
| Agreed. But I've seen some novices really mess up their systems with Gmer.
|

That's why I posted this disclaimer...
"...capable of understanding the output...".

I really don't think the "average user" should run anti-rootkit utilities, as they get way
over their head with technical aspects of the Operating System.

IMHO, most people should use rootkit scanners in the same fashion as
HijackThis. Run the scan, and then submit the output/log file to an
expert for analysis.

BTW, dated 12 March 2007,

http://www.merijn.org/

Quote: " As some of you might have seen several IT news websites are
offering Trend Micro HijackThis 2.00 beta. An official statement will be
posted on their website soon, but since this is a public beta of theirs
I figured it'd be best if I answered the question I'm going to get asked
a lot, right now.

This is not fake, I sold HijackThis to TrendMicro. Their product
incorporates all changes, updates and fixes that I was planning on
adding in the v1.99.2 release. I made sure of that and I hope no one
will be disappointed with it.

While TrendMicro does not officially support HijackThis yet, I expect
they will once it goes final."

Ron :)
 

David H. Lipman

From: "Ron Lopshire" <[email protected]>


|
| IMHO, most people should use rootkit scanners in the same fashion as
| HijackThis. Run the scan, and then submit the output/log file to an
| expert for analysis.
|
| BTW, dated 12 March 2007,
|
| http://www.merijn.org/
|
| Quote: " As some of you might have seen several IT news websites are
| offering Trend Micro HijackThis 2.00 beta. An official statement will be
| posted on their website soon, but since this is a public beta of theirs
| I figured it'd be best if I answered the question I'm going to get asked
| a lot, right now.
|
| This is not fake, I sold HijackThis to TrendMicro. Their product
| incorporates all changes, updates and fixes that I was planning on
| adding in the v1.99.2 release. I made sure of that and I hope no one
| will be disappointed with it.
|
| While TrendMicro does not officially support HijackThis yet, I expect
| they will once it goes final."
|
| Ron :)

Hi Ron:

Yes, we were discussing this all day yesterday, thus the posted note today.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php#
 