Re: "we have been hacked"
From: Charles Otstot (saries_at_notmyreal.address.com)
Date: 12/16/03
- Next message: Jeff Cochran: "Re: Cannot access Web site after business hours"
- Previous message: Jeff Cochran: "Re: "we have been hacked""
- In reply to: Karl Levinson [x y] mvp: "Re: "we have been hacked""
- Next in thread: Andrew Davis [MS]: "RE: "we have been hacked""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Dec 2003 10:31:50 -0500
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:uHz6LK1wDHA.2708@TK2MSFTNGP09.phx.gbl...
>
> "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
> news:3feafae8.446018090@msnews.microsoft.com...
> > On Fri, 12 Dec 2003 20:01:22 -0500, "Karl Levinson [x y] mvp"
> > <levinson_k@despammed.com> wrote:
>
> > >Also, I'm not familiar with this trojan / virus that both uses a file named
> > >SVCHOST.EXE and also modifies the hosts file. Which one is it? Or have
> > >they possibly confused the welchia and qhosts removal instructions?
> >
> > It appears a combination of Welchia/Qhosts and possibly others. I
> > wouldn't think SVCHost would normally be an issue to pull out of
> > Startup, and it's a common method of loading several
> > viruses/trojans/malware/etc.
>
> FYI, I searched www.sarc.com to try to find a virus that used svchost.exe
> and modified the hosts file, couldn't find any. I have to wonder if the
> instructions on the website are misguided, or maybe they know something we
> don't.
I've run into a couple of servers hit by script kiddies loading warez FTP
sites using scripts that rename the Serv-U executable to *SCVHOST.EXE* (note
the reversal of "c" and "v") and create an scvhost service. If memory
serves, there was also a recent trojan/worm/virus that created scvhost.exe
as well.
Charlie
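
Added example, not part of the post above: a Python check that flags service image paths whose executable name is one edit or one adjacent-letter swap away from svchost.exe (the scvhost.exe case described above). It goes slightly further than the post by also flagging the real name when it runs from outside the system folder. The expected folders and the sample inventory are assumptions constructed for illustration.

```python
import ntpath
import re

# Expected homes for the real binary; assumed default install paths, adjust per host.
PROTECTED = {"svchost.exe": {r"c:\windows\system32", r"c:\winnt\system32"}}

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(image_path):
    """Classify one service/process command line by its executable name and folder."""
    m = re.match(r'\s*"?(.+?\.exe)\b', image_path.lower())
    if not m:
        return "unrelated"
    directory, name = ntpath.split(m.group(1))
    for real, homes in PROTECTED.items():
        if name == real:
            return "ok" if directory in homes else "wrong-directory"
        if osa_distance(name, real) == 1:
            return "look-alike"
    return "unrelated"

# Constructed inventory of (service name, image path); not data from the thread.
SAMPLE = [
    ("RpcSs", r"C:\WINDOWS\system32\svchost.exe -k rpcss"),
    ("scvhost", r"C:\WINDOWS\system32\scvhost.exe"),
    ("Updater", r'"C:\WINDOWS\Temp\svchost.exe" -k netsvcs'),
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]

def findings(inventory):
    """Return (service, verdict) pairs that deserve a closer look."""
    verdicts = [(svc, classify(path)) for svc, path in inventory]
    return [(svc, v) for svc, v in verdicts if v in ("look-alike", "wrong-directory")]

if __name__ == "__main__":
    for svc, verdict in findings(SAMPLE):
        print(f"{svc}: {verdict}")
```

A flagged entry is a lead for review, not a verdict: confirm with the file's hash, signature and creation time before acting on it.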