Re: Svchost.exe Internet exploit
From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 08/06/03
- Next message: Sandi - Microsoft MVP: "Re: excess pop-ups"
- Previous message: Sandi - Microsoft MVP: "Re: MS03-026 Help Needed for NT4 Workstation!"
- In reply to: Sal Zumpano: "Svchost.exe Internet exploit"
- Next in thread: Sal Zumpano: "Re: Svchost.exe Internet exploit"
- Reply: Sal Zumpano: "Re: Svchost.exe Internet exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 6 Aug 2003 19:46:32 +0800
It is essential to check for spyware/hijackware/foistware.
Go to IE tools, internet options, general tab. Click on the cache settings
button and then 'view objects'. Delete anything you don't recognise. If you
are unsure, or no objects appear, for diagnosis purposes I REALLY like
BHODemon, available at http://www.definitivesolutions.com/bhodemon.htm. It
does not need installing - simply unzip and run the EXE programme. It is
very easy to use.
Also, you may like to use a programme called BHOCop available here:
http://www.pcmag.com/article2/0,4149,2023,00.asp
I find this programme is a better option than IE6's ability to turn off
"Enable third-party browser extensions (requires restart)". This disables
*all* plug-ins and makes troubleshooting very difficult.
Many people like AdAware, available at www.lavasoft.de. Make sure you keep
the signature files up to date and remember, AdAware may only remove the
current installation of spyware; it may not do anything about software that
reinstalls itself, so unless you want to get stuck in an endless loop of
hijack/cleanout/hijack/cleanout make sure you get rid of whatever is
installing the junk. See my Troubleshooting advice for information about
how to track down and get rid of spyware completely.
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
An excellent replacement for AdAware is Spybot. Again, it is a free
programme which can be downloaded from:
http://spybot.eon.net.au/
--
Hyperlinks are used to ensure answers remain current.
________________________________________
Sandi Hardmeier - Microsoft MVP since 1999
http://www.mvps.org/inetexplorer

"Sal Zumpano" <sal.zumpano@rl.af.mil> wrote in message
news:002501c35b75$fc3d8fa0$a501280a@phx.gbl...
> I have a PC that has an unknown application installed on
> it that attempts to connect to a specific site
> (66.220.17.X) at random times, at least 1-3 times a day
> (usually from 12-7am) using a SVCHOST.EXE process. I have
> downloaded an application that monitors TCP/IP port
> connections and captures the task manager process info to
> a file. I have identified the process id attempting to
> make the connection via the captured log. I have also
> run "tlist -s pid" from the Windows Platform SDK to
> identify the services associated with each instance of
> svchost running. Unfortunately, the questionable process
> does not always exist at the time I analyze the captured
> logs so I have not been able to determine the program
> being executed. I have also set auditing on "svchost.exe"
> to see if I can capture the activity causing this exploit.
>
> I have also gotten a Windows Performance "Trace Log" (.etl
> file) which I am unable to parse via "Tracefmt.exe" also
> from the Windows Platform SDK. Any suggestions on how to
> proceed to identify the rogue application? (Thanks)
> i have but am unable to parse with f
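The PID-to-service mapping that the question does by hand with "tlist -s", written as an added example for a current Windows (this is not code from the thread): it snapshots outbound TCP connections to a chosen address prefix, resolves the owning PID to its image path and to the services hosted inside that svchost.exe instance, and appends the result to a CSV so a connection that lasts only seconds is still on record later. $RemotePrefix and $LogPath are assumed placeholders; it needs Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated prompt.

```powershell
# Added example, not from the original post: which service inside svchost.exe
# owns an outbound connection? Modern equivalent of "tlist -s <pid>".
param(
    [string]$RemotePrefix = '203.0.113.',                    # placeholder (TEST-NET-3), replace
    [string]$LogPath      = "$env:TEMP\svchost-connections.csv"   # assumed output location
)

# Build a PID -> service-name map once; several services share one svchost.exe,
# which is why a bare PID is not enough to name the culprit.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcPid = [uint32]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
    $servicesByPid[$svcPid] += $_.Name
}

# Established and half-open (SYN sent) connections towards the address prefix.
$hits = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress.StartsWith($RemotePrefix) } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time     = Get-Date -Format o
            Pid      = $conn.OwningProcess
            Image    = $(if ($proc) { $proc.Path } else { '<exited>' })
            Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
            State    = $conn.State
            # Services hosted in this PID; empty for a process that is not a service host
            Services = ($servicesByPid[[uint32]$conn.OwningProcess] -join ';')
        }
    }

# Append rather than overwrite: the process may be gone by the time the log is read,
# which is exactly the difficulty described in the question.
if ($hits) {
    $hits | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No connections to $RemotePrefix* at $(Get-Date -Format o)"
}
```

Run it from a scheduled task every minute (or in a loop) over the hours in which the connections occur; an entry whose Services column names a service you did not install, or whose Image is not the system svchost.exe path, is the one to examine further.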