Re: Svchost.exe Internet exploit
From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 08/09/03
- Next message: Sandi - Microsoft MVP: "Re: new downloads"
- Previous message: James: "Downloading "Updates" from MS"
- In reply to: Sal Zumpano: "Re: Svchost.exe Internet exploit"
- Next in thread: Sal Zumpano: "Re: Svchost.exe Internet exploit"
- Reply: Sal Zumpano: "Re: Svchost.exe Internet exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 9 Aug 2003 13:11:07 +0800
I'm pretty sure that HP has been known for a while to 'phone home' - it's
some sort of self-updating service IIRC. I would hope that phoning home
could be disabled somewhere in the programme's options.
The main ways, when using IE, to protect from spyware like this are to:
1. Tell your users they are NOT allowed to install freeware, shareware,
messenger programmes on office computers; they have no place in an office
environment.
2. Ensure IE is set at internet zone to at least medium, and especially make
sure that signed activex downloads are set to prompt, and unsigned set to
disabled.
3. Susan et al will be able to advise about network policies and
restrictions that need to be set up; I concentrate on looking after the home
user and know sweet-***-all about network security.
--
Hyperlinks are used to ensure answers remain current.
________________________________________
Sandi Hardmeier - Microsoft MVP since 1999
http://www.mvps.org/inetexplorer

"Sal Zumpano" <sal.zumpano@rl.af.mil> wrote in message
news:090a01c35db4$40601140$a601280a@phx.gbl...
> Sandi -
> Thanks for all the useful recommendations. I have spent
> quite a bit of time the last 3 days analyzing what's been
> happening on the questionable PC described previously.
> To my surprise Ad-Aware, Spybot Search and Destroy, and
> BHODemon identified and cleaned SpyWare/Hijackware found
> on ALL PC's on our network. I also used Sygate Personal
> FW Pro v5.1 (trial mode) to identify, via the logs, the
> rogue application that attempted random connections to
> 66.220.17.x as being HP Web Jet Admin Service
> (hpwebjetd.exe). This all has led me to ask what is
> the best way to stay protected (besides running these apps,
> and updating to IE 6.x SP1)? It looks like scanning for
> these exploits will need to be done regularly ... Has
> anyone had similar problem/exploit with this Application
> hpwebjetd.exe ?
>
> >-----Original Message-----
> >It is essential to check for spyware/hijackware/foistware.
> >
> >Go to IE tools, internet options, general tab. Click on the cache settings
> >button and then 'view objects'. Delete anything you don't recognise. If you
> >are unsure, or no objects appear, for diagnosis purposes I REALLY like
> >BHODemon, available at http://www.definitivesolutions.com/bhodemon.htm. It
> >does not need installing - simply unzip and run the EXE programme. It is
> >very easy to use.
> >
> >Also, you may like to use a programme called BHOCop available here:
> >
> >http://www.pcmag.com/article2/0,4149,2023,00.asp
> >
> >I find this programme is a better option than IE6's ability to turn off
> >"Enable third-party browser extensions (requires restart)". This disables
> >*all* plug-ins and makes troubleshooting very difficult.
> >
> >Many people like AdAware, available at www.lavasoft.de . Make sure you keep
> >the signature files up to date and remember, AdAware may only remove the
> >current installation of spyware; it may not do anything about software that
> >reinstalls itself, so unless you want to get stuck in an endless loop of
> >hijack/cleanout/hijack/cleanout make sure you get rid of whatever is
> >installing the junk. See my Troubleshooting advice for information about
> >how to track down and get rid of spyware completely.
> >http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
> >
> >An excellent replacement for AdAware is Spybot. Again, it is a free
> >programme which can be downloaded from:
> >http://spybot.eon.net.au/
> >
> >--
> >Hyperlinks are used to ensure answers remain current.
> >________________________________________
> >Sandi Hardmeier - Microsoft MVP since 1999
> >http://www.mvps.org/inetexplorer
> >
> >"Sal Zumpano" <sal.zumpano@rl.af.mil> wrote in message
> >news:002501c35b75$fc3d8fa0$a501280a@phx.gbl...
> >> I have a PC that has an unknown application installed on
> >> it that attempts to connect to a specific site
> >> (66.220.17.X) at random times, at least 1-3 times a day
> >> (usually from 12-7am) using a SVCHOST.EXE process. I have
> >> downloaded an application that monitors TCP/IP port
> >> connections and captures the task manager process info to
> >> a file. I have identified the process id attempting to
> >> make the connection via the captured log. I have also
> >> run "tlist -s pid" from the Windows Platform SDK to
> >> identify the services associated with each instance of
> >> svchost running. Unfortunately, the questionable process
> >> does not always exist at the time I analyze the captured
> >> logs so I have not been able to determine the program
> >> being executed. I have also set auditing on "scvhost.exe"
> >> to see if I can capture the activity causing this exploit.
> >>
> >> I have also gotten a Windows Performance "Trace Log" (.etl
> >> file) which I am unable to parse via "Tracefmt.exe" also
> >> from the Windows Platform SDK. Any suggestions on how to
> >> proceed to identify the rogue application ? (Thanks)
> >> i have but am unable to parse with f
> >
> >.
> >
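The following PowerShell is an added example and is not code from this thread, from Sandi, or from any tool named in it. It does on a current Windows host what the thread does by hand: it maps live TCP connections to a remote prefix back to the owning process, and for a svchost.exe host lists the services sharing that PID together with the DLL each one loads from its ServiceDll registry value (the modern equivalent of Sal's `tlist -s pid` step), polls so that the short-lived connection Sal kept missing is caught and logged, and checks Sandi's point 2 by reading the Internet zone's ActiveX download actions. Assumptions: the 66.220.17. prefix is simply the value quoted in the thread; Get-NetTCPConnection needs Windows 8 / Server 2012 or later; the CSV path is a made-up default; run it elevated so every process's image path is readable.

```powershell
# Added example, not from the thread. Windows 8 / Server 2012 or later; run
# from an elevated prompt so Get-Process can read the path of SYSTEM processes.

function Get-ServiceImage {
    # For a service hosted in svchost.exe the code lives in the DLL named by
    # the ServiceDll value (usually under Parameters); standalone services
    # only have a PathName.
    param([Parameter(Mandatory)][string]$Name)
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    foreach ($key in @("$base\Parameters", $base)) {
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return $dll }
    }
    (Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'").PathName
}

function Get-ConnectionOwners {
    # Live TCP connections whose remote address starts with $RemotePrefix,
    # resolved to the owning PID, image path and any services hosted in it.
    param(
        # Constructed default: the 66.220.17.x prefix quoted in the thread.
        [string]$RemotePrefix = '66.220.17.'
    )
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -like "$RemotePrefix*" } |
        ForEach-Object {
            $conn  = $_
            $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($owner) { $owner.ProcessName } else { '<exited>' }
            $procPath = if ($owner) { $owner.Path } else { '' }

            # Services sharing this PID; empty for ordinary executables.
            $hosted = Get-CimInstance -ClassName Win32_Service `
                -Filter "ProcessId = $($conn.OwningProcess)" |
                ForEach-Object { '{0}={1}' -f $_.Name, (Get-ServiceImage -Name $_.Name) }

            [pscustomobject]@{
                Time     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
                Remote   = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State    = $conn.State
                PID      = $conn.OwningProcess
                Process  = $procName
                Path     = $procPath
                Services = ($hosted -join '; ')
            }
        }
}

function Watch-ConnectionOwners {
    # The thread notes the connection is gone by the time the logs are read,
    # so poll and append every hit to a CSV instead of looking once.
    param(
        [string]$RemotePrefix    = '66.220.17.',
        [int]   $IntervalSeconds = 5,
        [string]$LogPath         = "$env:TEMP\connection-owners.csv"   # assumed default
    )
    while ($true) {
        $hits = @(Get-ConnectionOwners -RemotePrefix $RemotePrefix)
        if ($hits.Count -gt 0) {
            $hits | Export-Csv -Path $LogPath -Append -NoTypeInformation
            $hits | Format-Table -AutoSize | Out-String | Write-Host
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

function Test-InternetZoneActiveX {
    # Sandi's point 2 for the current user's Internet zone (zone 3).
    # Action 1001 = "Download signed ActiveX controls",
    # action 1004 = "Download unsigned ActiveX controls";
    # data 0 = Enable, 1 = Prompt, 3 = Disable. If the machine sets
    # Security_HKLM_only, the HKLM copy of this key applies instead.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $p = Get-ItemProperty -Path $zone -ErrorAction Stop
    $decode = {
        param($v)
        if ($null -eq $v) { return 'NotSet' }
        switch ([int]$v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($v)" } }
    }
    $signed   = $p.PSObject.Properties['1001'].Value
    $unsigned = $p.PSObject.Properties['1004'].Value
    [pscustomobject]@{
        SignedActiveXDownload   = & $decode $signed
        UnsignedActiveXDownload = & $decode $unsigned
        MeetsRecommendation     = ($null -ne $signed -and [int]$signed -ge 1) -and
                                  ($null -ne $unsigned -and [int]$unsigned -eq 3)
    }
}

# Usage: a single look, the ActiveX check, then the poll loop (Ctrl+C to stop).
Get-ConnectionOwners | Format-Table -AutoSize
Test-InternetZoneActiveX
Watch-ConnectionOwners
```

The Services column is the piece `tlist -s` never gave directly: with the ServiceDll path beside each service name you can go straight from "some svchost.exe talked to that address" to the file that needs checking, without waiting for the process to still be alive when you look.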