svchost.exe

DaveP

I have been cleaning a virus-infected XPP machine. What I am down to I
haven't seen before.
Before connecting to the internet I have normal memory usage and 6 svchost
processes running.
After connecting to the internet svchost processes jump to about 12.
I have used "tasklist /svc" and "process explorer" for viewing services
associated with them, but these extra svchost processes do not show any services
running; however, they are using several hundred MB of RAM. My RAM usage is
escalating to the point of the computer running out of virtual memory.

A couple of these extra svchost processes are showing large amounts of TCP
activity to
216.195.56.227:2543
and
208.66.194.240:2509
Earlier, when I thought I had this problem fixed,
it was connecting to
208.72.169.19:1939

CyberPatrol was on this computer but i believe I removed it successfully.

Any ideas would be greatly appreciated. Thanks for any help.

DaveP
 
Malke

DaveP said:
I have been cleaning a virus-infected XPP machine. What I am down to I
haven't seen before.
Before connecting to the internet I have normal memory usage and 6 svchost
processes running.
After connecting to the internet svchost processes jump to about 12.
I have used "tasklist /svc" and "process explorer" for viewing services
associated with them, but these extra svchost processes do not show any services
running; however, they are using several hundred MB of RAM. My RAM usage
is escalating to the point of the computer running out of virtual memory.

A couple of these extra svchost processes are showing large amounts of TCP
activity to
216.195.56.227:2543
and
208.66.194.240:2509
Earlier, when I thought I had this problem fixed,
it was connecting to
208.72.169.19:1939

CyberPatrol was on this computer but i believe I removed it successfully.

The machine is still not clean. Review these general malware removal
procedures to see if you did something similar, including the prep work and
scanning in Safe Mode:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If you weren't that thorough, try again. If you were that thorough:

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Malke
 
Thee Chicago Wolf

I have been cleaning a virus-infected XPP machine. What I am down to I
haven't seen before.
Before connecting to the internet I have normal memory usage and 6 svchost
processes running.
After connecting to the internet svchost processes jump to about 12.
I have used "tasklist /svc" and "process explorer" for viewing services
associated with them, but these extra svchost processes do not show any services
running; however, they are using several hundred MB of RAM. My RAM usage is
escalating to the point of the computer running out of virtual memory.

A couple of these extra svchost processes are showing large amounts of TCP
activity to
216.195.56.227:2543
and
208.66.194.240:2509
Earlier, when I thought I had this problem fixed,
it was connecting to
208.72.169.19:1939

CyberPatrol was on this computer but i believe I removed it successfully.

Any ideas would be greatly appreciated. Thanks for any help.

DaveP

Couple of tools to use to see if something is posing as svchost.exe
and/or if it's hiding in some other directory.

1. Process Explorer: Lets you see the programs associated with the
svchost.exe session.

2. tcpview: Lets you see the connections and ports associated with
the exes.

- Thee Chicago Wolf
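The check the original post and this reply describe by hand (which svchost.exe instances host services, and which of them hold network sessions) can be scripted over the text output of `tasklist /svc` and `netstat -ano`. This is an added example, not code from the thread; the two captures below are constructed samples with TEST-NET peer addresses, and `netstat -ano` is assumed to be available on the XP build in question.

```python
import re
# Constructed sample of "tasklist /svc" output (not captured from the thread's machine).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    964 RpcSs
svchost.exe                   1052 AudioSrv, Browser, CryptSvc, Dhcp,
                                   EventSystem
svchost.exe                   1720 N/A
svchost.exe                   1804 N/A
"""
# Constructed sample of "netstat -ano" output (TEST-NET addresses stand in for real peers).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.1.10:1045      192.0.2.44:2543        ESTABLISHED     1720
  TCP    192.168.1.10:1046      198.51.100.7:2509      ESTABLISHED     1804
"""
ENTRY_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def parse_tasklist_svc(text):
    """Map PID -> (image, [services]); wrapped service lists continue on indented lines."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image").lower(), [])
            line = m.group("svcs")
        elif not (line[:1].isspace() and last_pid is not None):
            continue  # header, separator or blank line
        procs[last_pid][1].extend(s.strip() for s in line.split(",")
                                  if s.strip() and s.strip() != "N/A")
    return procs

def parse_established_tcp(text):
    """Map PID -> [foreign endpoints] for ESTABLISHED TCP rows of `netstat -ano`."""
    conns = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            conns.setdefault(int(parts[4]), []).append(parts[2])
    return conns

def suspicious_svchost(tasklist_text, netstat_text):
    """svchost.exe exists only to host services, so an instance hosting none yet
    holding outbound TCP sessions is the pattern described in the thread."""
    conns = parse_established_tcp(netstat_text)
    return {pid: sorted(conns[pid])
            for pid, (image, svcs) in parse_tasklist_svc(tasklist_text).items()
            if image == "svchost.exe" and not svcs and pid in conns}
```

A flagged PID is a starting point, not a verdict: confirm the image path and the parent process in Process Explorer before acting on it.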
 
DaveP

--
dP
Thee Chicago Wolf said:
Couple of tools to use to see if something is posing as svchost.exe
and/or if it's hiding in some other directory.

1. Process Explorer: Lets you see the programs associated with the
svchost.exe session.

2. tcpview: Lets you see the connections and ports associated with
the exes.

- Thee Chicago Wolf

Thanks for your response, but as you can see from my post I did use process
explorer. There are no services associated with the svchost processes in
question.


Again thanks for your time.
 
DaveP

--
dP
Malke said:
The machine is still not clean. Review these general malware removal
procedures to see if you did something similar, including the prep work and
scanning in Safe Mode:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If you weren't that thorough, try again. If you were that thorough:

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

Thank you for your response. I will review the link you posted. Obviously I
am missing something.

Thanks.
 
DaveP

--
dP
Malke said:
The machine is still not clean. Review these general malware removal
procedures to see if you did something similar, including the prep work and
scanning in Safe Mode:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If you weren't that thorough, try again. If you were that thorough:

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

It took another closer manual file search to find 3 files that were causing
my problems. Had to use my "magic cd" to get rid of them.

in windows\system32\
"WLCtrl32.dll"
"Zllictbl.dat"
in windows\system32\drivers\
"rwb48.sys"

Thanks again,
daveP
 
DaveP

--
dP
DaveP said:
It took another closer manual file search to find 3 files that were
causing my problems. Had to use my "magic cd" to get rid of them.

in windows\system32\
"WLCtrl32.dll"
"Zllictbl.dat"
in windows\system32\drivers\
"rwb48.sys"

Thanks again,
daveP

I spoke too soon. ARGH!
 
Thee Chicago Wolf

Thanks for your response, but as you can see from my post I did use process
explorer. There are no services associated with the svchost processes in
question.


Again thanks for your time.

Sorry about that, must have jumped the gun a bit. It does seem like
something else must be still on the PC. Other than SpyBot or Adaware,
have you tried running the Malicious Software Removal Tool? Start >
Run > mrt.exe and click ok.

- Thee Chicago Wolf
 
DaveP

--
dP
Thee Chicago Wolf said:
Sorry about that, must have jumped the gun a bit. It does seem like
something else must be still on the PC. Other than SpyBot or Adaware,
have you tried running the Malicious Software Removal Tool? Start >
Run > mrt.exe and click ok.

- Thee Chicago Wolf

No problem, I finally found a file "hmq26.sys" that was loading as a device.
It did take some time to do a file-by-file search to find this culprit.
Then a major manual registry cleaning to follow. At this time I do believe
that I am clean.
I appreciate your input.

DaveP
 
David H. Lipman

From: "DaveP" <[email protected]>

|

Please submit a sample of "hmq26.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
dP

I am not real comfortable handling this file. I would have to turn my
anti-virus protection off to send the file. It is picked up with my virus
scanner since it does not load as a device on boot. Apparently when it is
loaded as a device it is locked and not able to be scanned. I am not in a
hurry to be reinfected by this file.

Do you have any specific instructions on handling?
Thanks,
DaveP
 
David H. Lipman

From: "dP" <[email protected]>

| I am not real comfortable handling this file. I would have to turn my
| anti-virus protection off to send the file. It is picked up with my virus
| scanner since it does not load as a device on boot. Apparently when it is
| loaded as a device it is locked and not able to be scanned. I am not in a
| hurry to be reinfected by this file.
|
| Do you have any specific instructions on handling?
| Thanks,
| DaveP
|

It is a .SYS file so it is a Trojan and not a virus and it is not executable.

It is safe to handle.

You said...
"It is picked up with my virus scanner..."

What anti-virus application, and what was it identified as?
That is, what is the name of this Trojan?
 
dP

Malke said:

I did find the files. As it was loading as a device driver, besides manually
looking through Windows folders, about the only other way would have been
doing a bootlog and reviewing loading device drivers to find this one. Then
cleaning the registry of all entries etc. etc.
My final "hard to kill" list included:

hmq26.sys loading as a driver (various registry entries)
wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
entry)
nkv2.sys
chl83.sys
rwb48.sys (device driver)
lshvahn.(I forget)
zllictbl.dat

I used various virus and malware scanners and HijackThis. Nothing was
solving my problem nor even detecting the hmq26.sys while it was loading as
a device driver. It was only after I got it to stop loading that the virus
scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
This trojan horse was connecting to IP addresses at a very rapid rate.

It was also loading in safe mode, which kept the file locked.

This was a very heavily infected machine (not mine), which made it a challenge
to clean, but it is now CLEAN!
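The bootlog review dP mentions can be scripted: with boot logging enabled (the /bootlog switch in boot.ini, or "Enable Boot Logging" in the F8 menu), Windows XP writes %SystemRoot%\ntbtlog.txt, and the drivers it reports as loaded can be compared against a list taken the same way on a known-clean machine of the same build. This is an added example, not code from the thread; the log excerpt and the baseline are constructed, with rwb48.sys standing in for the unexpected driver because it is one of the names dP lists.

```python
import re

# Constructed excerpt of %SystemRoot%\ntbtlog.txt: rwb48.sys is one of the names dP
# reported; the other entries are ordinary XP boot drivers.
BOOTLOG = r"""
Service Pack 3  2 20 2008 10:15:23.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelide.sys
Loaded driver \SystemRoot\System32\DRIVERS\rwb48.sys
Did not load driver \SystemRoot\System32\DRIVERS\sr.sys
"""
# Constructed baseline: driver names collected the same way on a known-clean machine.
BASELINE = ["ntkrnlpa.exe", "hal.dll", "ACPI.sys", "intelide.sys", "sr.sys"]

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$", re.I)

def driver_name(path):
    r"""Reduce \SystemRoot\...\x.sys, \WINDOWS\system32\x.sys or bare x.sys to 'x.sys'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_bootlog(text):
    """Return {driver file name: 'loaded' | 'not loaded'} from ntbtlog.txt text.
    Windows appends a session per logged boot, so a later entry overrides an earlier one."""
    status = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status[driver_name(m.group(2))] = (
                "loaded" if m.group(1).lower() == "loaded driver" else "not loaded")
    return status

def unknown_loaded_drivers(bootlog_text, baseline):
    """Drivers the log shows as loaded that do not appear in the clean baseline."""
    known = {driver_name(n) for n in baseline}
    return sorted(name for name, state in parse_bootlog(bootlog_text).items()
                  if state == "loaded" and name not in known)
```

Because the log is written by the kernel during boot, it lists a driver even when the running system later refuses to scan the file, which is the gap dP ran into.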
 
dP

David H. Lipman said:
From: "dP" <[email protected]>

| I am not real comfortable handling this file. I would have to turn my
| anti-virus protection off to send the file. It is picked up with my virus
| scanner since it does not load as a device on boot. Apparently when it is
| loaded as a device it is locked and not able to be scanned. I am not in a
| hurry to be reinfected by this file.
|
| Do you have any specific instructions on handling?
| Thanks,
| DaveP
|

It is a .SYS file so it is a Trojan and not a virus and it is not
executable.

It is safe to handle.

You said...
"It is picked up with my virus scanner..."

What anti-virus application, and what was it identified as?
That is, what is the name of this Trojan?

I use AVAST; apparently the file is not able to be scanned while loaded, and
it was loading as a device driver on boot, normal and safe mode. It was not
detected until I got it to quit loading.

Identified as: "Trojan Horse Win32:Agent-PTJ [Trj]"

Trojan horse or virus, I don't like 'em.

lol

You want it?

dP
 
David H. Lipman

From: "dP" <[email protected]>


|
| I did find the files. As it was loading as a device driver, besides manually
| looking through Windows folders, about the only other way would have been
| doing a bootlog and reviewing loading device drivers to find this one. Then
| cleaning the registry of all entries etc. etc.
| My final "hard to kill" list included:
|
| hmq26.sys loading as a driver (various registry entries)
| wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
| entry)
| nkv2.sys
| chl83.sys
| rwb48.sys (device driver)
| lshvahn.(I forget)
| zllictbl.dat
|
| I used various virus and malware scanners and HijackThis. Nothing was
| solving my problem nor even detecting the hmq26.sys while it was loading as
| a device driver. It was only after I got it to stop loading that the virus
| scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
| This trojan horse was connecting to IP addresses at a very rapid rate.
|
| It was also loading in safe mode, which kept the file locked.
|
| This was a very heavily infected machine (not mine), which made it a challenge
| to clean, but it is now CLEAN!
|

Are you sure?

The PC may have a RootKit or have a file using an Alternate Data Stream (ADS).
http://www.securityfocus.com/infocus/1822
 
David H. Lipman

From: "dP" <[email protected]>

| I use AVAST, apparently the file is not able to be scanned while loaded and
| it was loading as a device driver on boot, normal and safe mode. It was not
| detected until i got it to quit loading.
|
| Identified as: "Trojan Horse Win32:Agent-PTJ [Trj]"
|
| Trojan horse or virus, I don't like 'em.
|
| lol
|
| You want it?
|
| dP
|

Yes, to make sure all AV vendors can recognize this Trojan.
Just remove ~nospam~ from my posting address.

Place it in a password-protected ZIP file with the password being: infected
{ password = infected }
 
dP

David H. Lipman said:
From: "DaveP" <[email protected]>

|

Please submit a sample of "hmq26.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition,
unless told otherwise, Virus Total will provide the sample to all participating
vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

I uploaded the file. It was previously reported on 11 Feb 08. The whole
problem with this file is where it loads. It doesn't appear to be detectable
when loaded as a device driver. I am no expert, but that does make it harder
to locate and deal with.
 
dP

David H. Lipman said:
From: "dP" <[email protected]>


|
| I did find the files. As it was loading as a device driver, besides manually
| looking through Windows folders, about the only other way would have been
| doing a bootlog and reviewing loading device drivers to find this one. Then
| cleaning the registry of all entries etc. etc.
| My final "hard to kill" list included:
|
| hmq26.sys loading as a driver (various registry entries)
| wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
| entry)
| nkv2.sys
| chl83.sys
| rwb48.sys (device driver)
| lshvahn.(I forget)
| zllictbl.dat
|
| I used various virus and malware scanners and HijackThis. Nothing was
| solving my problem nor even detecting the hmq26.sys while it was loading as
| a device driver. It was only after I got it to stop loading that the virus
| scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
| This trojan horse was connecting to IP addresses at a very rapid rate.
|
| It was also loading in safe mode, which kept the file locked.
|
| This was a very heavily infected machine (not mine), which made it a challenge
| to clean, but it is now CLEAN!
|

Are you sure?

The PC may have a RootKit or have a file using an Alternate Data Stream (ADS).
http://www.securityfocus.com/infocus/1822

I am as sure as I can be. I have run scans that are now coming up clean.
Used different scanners.
Do you have any suggestions to be REALLY sure?

System resources are no longer being taken over. All firewall logs are now
quiet. No unexplained activity. I am open to any suggestions you may have
to make sure it is clean.

DaveP
 
David H. Lipman

From: "dP" <[email protected]>


| I uploaded the file. It was previously reported on 11 Feb 08. The whole
| problem with this file is where it loads. It doesn't appear to be detectable
| when loaded as a device driver. I am no expert, but that does make it harder
| to locate and deal with.
|

If, when the file is loaded, its file handle is held open by the OS, then it is in effect
protecting itself from being scanned.

Malware uses many forms of self-preservation techniques to keep itself running on the PC,
and delivering its payload, and to keep the uninitiated from removing it.

The Recovery Console is an effective way to deal with such a file. Load the Recovery
Console. Rename the file and it will no longer be able to be loaded, and you can then go
about cleaning the PC as well as submitting it to places like Virus Total to understand what
it is and what it does.