Welcome to WindowsForumz.com!

svchost.exe

 
DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 1) Posted: Sat Feb 23, 2008 3:09 pm
Post subject: svchost.exe
Archived from groups: microsoft>public>windowsxp>general

I have been cleaning a virus infected XPP machine. What I am down to I
haven't seen before.
Before connecting to the internet I have normal memory usage and 6 svchost
processes running.
After connecting to internet svchost processes jump to about 12.
I have used "tasklist /svc" and "process explorer" for viewing services
associated with but these extra svchost processes do not show any services
running however they are using several hundred mb's of ram. My ram usage is
escalating to the point of the computer running out of virtual memory.

A couple of these extra svchost processes are showing large amounts of TCP
activity to
216.195.56.227:2543
and
208.66.194.240:2509
earlier when I thought I had this problem fixed
it was connecting to
208.72.169.19:1939

CyberPatrol was on this computer but I believe I removed it successfully.

Any ideas would be greatly appreciated. Thanks for any help.

DaveP

--
dP

Malke

External


Since: Feb 09, 2008
Posts: 146



(Msg. 2) Posted: Sat Feb 23, 2008 3:09 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

DaveP wrote:

> I have been cleaning a virus infected XPP machine. What I am down to I
> haven't seen before.
> Before connecting to the internet I have normal memory usage and 6 svchost
> processes running.
> After connecting to internet svchost processes jump to about 12.
> I have used "tasklist /svc" and "process explorer" for viewing services
> associated with but these extra svchost processes do not show any services
> running however they are using several hundred mb's of ram. My ram usage
> is escalating to the point of the computer running out of virtual memory.
>
> A couple of these extra svchost processes are showing large amounts of TCP
> activity to
> 216.195.56.227:2543
> and
> 208.66.194.240:2509
> earlier when I thought I had this problem fixed
> it was connecting to
> 208.72.169.19:1939
>
> CyberPatrol was on this computer but I believe I removed it successfully.

The machine is still not clean. Review these general malware removal
procedures to see if you did something similar, including the prep work and
scanning in Safe Mode:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If you weren't that thorough, try again. If you were that thorough:

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 3) Posted: Sat Feb 23, 2008 8:43 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

--
dP
"Malke" <malke DeleteThis @invalid.invalid> wrote in message
news:OsobE1mdIHA.4588@TK2MSFTNGP06.phx.gbl...
> DaveP wrote:
>
>> I have been cleaning a virus infected XPP machine. What I am down to I
>> haven't seen before.
>> Before connecting to the internet I have normal memory usage and 6
>> svchost
>> processes running.
>> After connecting to internet svchost processes jump to about 12.
>> I have used "tasklist /svc" and "process explorer" for viewing services
>> associated with but these extra svchost processes do not show any
>> services
>> running however they are using several hundred mb's of ram. My ram usage
>> is escalating to the point of the computer running out of virtual memory.
>>
>> A couple of these extra svchost processes are showing large amounts of
>> TCP
>> activity to
>> 216.195.56.227:2543
>> and
>> 208.66.194.240:2509
>> earlier when I thought I had this problem fixed
>> it was connecting to
>> 208.72.169.19:1939
>>
>> CyberPatrol was on this computer but I believe I removed it successfully.
>
> The machine is still not clean. Review these general malware removal
> procedures to see if you did something similar, including the prep work
> and
> scanning in Safe Mode:
>
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> If you weren't that thorough, try again. If you were that thorough:
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!

Thank you for your response. I will review the link you posted. Obviously I
am missing something.

Thanks.
Thee Chicago Wolf

External


Since: Aug 21, 2007
Posts: 145



(Msg. 4) Posted: Sat Feb 23, 2008 10:21 pm
Post subject: Re: svchost.exe
Imported from groups: per prev. post

This message is not archived
DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 5) Posted: Sat Feb 23, 2008 10:21 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

--
dP
"Thee Chicago Wolf" <.@.> wrote in message
news:1k81s31630qftb891k87imn7e7vbecdq07@4ax.com...
> >I have been cleaning a virus infected XPP machine. What I am down to I
>>haven't seen before.
>>Before connecting to the internet I have normal memory usage and 6 svchost
>>processes running.
>>After connecting to internet svchost processes jump to about 12.
>>I have used "tasklist /svc" and "process explorer" for viewing services
>>associated with but these extra svchost processes do not show any services
>>running however they are using several hundred mb's of ram. My ram usage
>>is
>>escalating to the point of the computer running out of virtual memory.
>>
>>A couple of these extra svchost processes are showing large amounts of TCP
>>activity to
>>216.195.56.227:2543
>>and
>>208.66.194.240:2509
>>earlier when I thought I had this problem fixed
>>it was connecting to
>>208.72.169.19:1939
>>
>>CyberPatrol was on this computer but I believe I removed it successfully.
>>
>>Any ideas would be greatly appreciated. Thanks for any help.
>>
>>DaveP
>
> Couple of tools to use to see if something is posing as svchost.exe
> and / or if it's hiding in some other directory.
>
> 1. Process Explorer: Lets you see the programs associated with the
> svchost.exe session.
>
> 2. tcpview: Lets you see the connections and ports associated with
> the exe's.
>
> - Thee Chicago Wolf

Thanks for your response, but as you can see from my post I did use process
explorer. There are no services associated with the svchost processes in
question.


Again thanks for your time.
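Added example (not part of the original thread): the check described above, svchost.exe instances that list no services in `tasklist /svc`, scripted over saved command output. The sample output is constructed and the function names are hypothetical; a hit is a lead for Process Explorer or tcpview, not a verdict.

```python
import re

# Constructed sample of `tasklist /svc` output (not captured from the thread's PC).
SAMPLE_TASKLIST = """
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
services.exe                 684 Eventlog, PlugPlay
svchost.exe                  880 DcomLaunch, TermService
svchost.exe                 1024 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 EventSystem, lanmanserver, Netman
svchost.exe                 2412 N/A
explorer.exe                1580 N/A
svchost.exe                 3108 N/A
"""


def _split_services(field):
    """Turn 'A, B,' into ['A', 'B']; tasklist prints N/A when there are none."""
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s.upper() != "N/A"]


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] parsed from `tasklist /svc` text."""
    lines = text.splitlines()
    sep = next(i for i, line in enumerate(lines) if line.startswith("==="))
    # The first run of '=' gives the width of the fixed Image Name column,
    # so image names that contain spaces or digits are not mis-split.
    name_width = re.match(r"=+", lines[sep]).end()
    rows = []
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        image = line[:name_width].strip()
        rest = line[name_width:].strip()
        if not image:
            # Wrapped continuation of the previous row's service list.
            if rows:
                rows[-1][2].extend(_split_services(rest))
            continue
        pid, _, services = rest.partition(" ")
        if not pid.isdigit():
            continue  # not a process row
        rows.append((image, int(pid), _split_services(services)))
    return rows


def serviceless_svchosts(rows):
    """PIDs of svchost.exe instances that host no services (heuristic)."""
    return [pid for image, pid, services in rows
            if image.lower() == "svchost.exe" and not services]


if __name__ == "__main__":
    for pid in serviceless_svchosts(parse_tasklist_svc(SAMPLE_TASKLIST)):
        print("svchost.exe PID %d lists no services" % pid)
```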
DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 6) Posted: Sun Feb 24, 2008 6:12 am
Post subject: Re: svchost.exe
Archived from groups: per prev. post

--
dP
"Malke" <malke DeleteThis @invalid.invalid> wrote in message
news:OsobE1mdIHA.4588@TK2MSFTNGP06.phx.gbl...
> DaveP wrote:
>
>> I have been cleaning a virus infected XPP machine. What I am down to I
>> haven't seen before.
>> Before connecting to the internet I have normal memory usage and 6
>> svchost
>> processes running.
>> After connecting to internet svchost processes jump to about 12.
>> I have used "tasklist /svc" and "process explorer" for viewing services
>> associated with but these extra svchost processes do not show any
>> services
>> running however they are using several hundred mb's of ram. My ram usage
>> is escalating to the point of the computer running out of virtual memory.
>>
>> A couple of these extra svchost processes are showing large amounts of
>> TCP
>> activity to
>> 216.195.56.227:2543
>> and
>> 208.66.194.240:2509
>> earlier when I thought I had this problem fixed
>> it was connecting to
>> 208.72.169.19:1939
>>
>> CyberPatrol was on this computer but I believe I removed it successfully.
>
> The machine is still not clean. Review these general malware removal
> procedures to see if you did something similar, including the prep work
> and
> scanning in Safe Mode:
>
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> If you weren't that thorough, try again. If you were that thorough:
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!

It took another closer manual file search to find 3 files that were causing
my problems. Had to use my "magic cd" to get rid of them.

in windows\system32\
"WLCtrl32.dll"
"Zllictbl.dat"
in windows\system32\drivers\
"rwb48.sys"

Thanks again,
daveP
DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 7) Posted: Sun Feb 24, 2008 4:10 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

--
dP
"DaveP" <d_powelson RemoveThis @xxxhotmail.com> wrote in message
news:%23fjUE6tdIHA.4712@TK2MSFTNGP04.phx.gbl...
>
>
> --
> dP
> "Malke" <malke RemoveThis @invalid.invalid> wrote in message
> news:OsobE1mdIHA.4588@TK2MSFTNGP06.phx.gbl...
>> DaveP wrote:
>>
>>> I have been cleaning a virus infected XPP machine. What I am down to I
>>> haven't seen before.
>>> Before connecting to the internet I have normal memory usage and 6
>>> svchost
>>> processes running.
>>> After connecting to internet svchost processes jump to about 12.
>>> I have used "tasklist /svc" and "process explorer" for viewing services
>>> associated with but these extra svchost processes do not show any
>>> services
>>> running however they are using several hundred mb's of ram. My ram
>>> usage
>>> is escalating to the point of the computer running out of virtual
>>> memory.
>>>
>>> A couple of these extra svchost processes are showing large amounts of
>>> TCP
>>> activity to
>>> 216.195.56.227:2543
>>> and
>>> 208.66.194.240:2509
>>> earlier when I thought I had this problem fixed
>>> it was connecting to
>>> 208.72.169.19:1939
>>>
>>> CyberPatrol was on this computer but I believe I removed it
>>> successfully.
>>
>> The machine is still not clean. Review these general malware removal
>> procedures to see if you did something similar, including the prep work
>> and
>> scanning in Safe Mode:
>>
>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>
>> If you weren't that thorough, try again. If you were that thorough:
>>
>> When all else fails, run HijackThis and post your log in one of the
>> specialty forums listed at the first link above (not here, please).
>>
>> Malke
>> --
>> MS-MVP
>> Elephant Boy Computers
>> www.elephantboycomputers.com
>> Don't Panic!
>
> It took another closer manual file search to find 3 files that were
> causing my problems. Had to use my "magic cd" to get rid of them.
>
> in windows\system32\
> "WLCtrl32.dll"
> "Zllictbl.dat"
> in windows\system32\drivers\
> "rwb48.sys"
>
> Thanks again,
> daveP
>
I spoke too soon. ARGH!
Malke

External


Since: Feb 09, 2008
Posts: 146



(Msg. 8) Posted: Sun Feb 24, 2008 4:10 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

Thee Chicago Wolf

External


Since: Aug 21, 2007
Posts: 145



(Msg. 9) Posted: Mon Feb 25, 2008 8:40 am
Post subject: Re: svchost.exe
Imported from groups: per prev. post

This message is not archived
DaveP

External


Since: Oct 08, 2005
Posts: 16



(Msg. 10) Posted: Mon Feb 25, 2008 5:16 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

--
dP
"Thee Chicago Wolf" <.@.> wrote in message
news:knk5s319giouiecrr4jjltulaodtphf1h3@4ax.com...
> On Sat, 23 Feb 2008 20:39:01 -0600, "DaveP"
> <d_powelson DeleteThis @xxxhotmail.com> wrote:
>
>>Thanks for your response, but as you can see from my post I did use
>>process
>>explorer. There are no services associated with the svchost processes in
>>question.
>>
>>
>>Again thanks for your time.
>
> Sorry about that, must have jumped the gun a bit. It does seem like
> something else must be still on the PC. Other than SpyBot or Adaware,
> have you tried running the Malicious Software Removal Tool? Start >
> Run > mrt.exe and click ok.
>
> - Thee Chicago Wolf


No problem, I finally found a file "hmq26.sys" that was loading as a device.
It did take some time to do a file by file search to find this culprit.
Then a major manual registry cleaning to follow. At this time I do believe
that I am clean.
I appreciate your input.

DaveP
David H. Lipman

External


Since: Mar 14, 2004
Posts: 1767



(Msg. 11) Posted: Mon Feb 25, 2008 6:22 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

From: "DaveP" <d_powelson.DeleteThis@xxxhotmail.com>

|

Please submit a sample of "hmq26.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
dP

External


Since: Feb 25, 2008
Posts: 1



(Msg. 12) Posted: Mon Feb 25, 2008 8:42 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

I am not real comfortable handling this file. I would have to turn my
anti-virus protection off to send the file. It is picked up with my virus
scanner since it does not load as a device on boot. Apparently when it is
loaded as a device it is locked and not able to be scanned. I am not in a
hurry to be reinfected by this file.

Do you have any specific instructions on handling?
Thanks,
DaveP


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23Ad3SVAeIHA.4704@TK2MSFTNGP03.phx.gbl...
> From: "DaveP" <d_powelson RemoveThis @xxxhotmail.com>
>
> |
>
> Please submit a sample of "hmq26.sys" to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners.
> That will give you an idea what it is and who recognizes it. In addition,
> unless told
> otherwise, Virus Total will provide the sample to all participating
> vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
dP

External


Since: Feb 25, 2008
Posts: 7



(Msg. 13) Posted: Mon Feb 25, 2008 9:10 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

"Malke" <malke.RemoveThis@invalid.invalid> wrote in message
news:%23g2W9MzdIHA.6092@TK2MSFTNGP06.phx.gbl...
> DaveP wrote:
>
>> I spoke too soon.ARGH!
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed below (not here, please).
>
> http://aumha.org/downloads/hijackthis.zip
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
> tutorial
> http://aumha.net/ - Click on the HijackThis forum. Read the announcement
> and
> the stickies *first*.
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://spywarewarrior.com/viewforum.php?f=5
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!

I did find the files. As it was loading as a device driver, besides manually
looking through windows folders, about the only other way would have been
doing a bootlog and reviewing loading device drivers to find this one. Then
cleaning registry of all entries etc etc.
My final "hard to kill" list included:

hmq26.sys loading as a driver (various registry entries)
wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
entry)
nkv2.sys
chl83.sys
rwb48.sys (device driver)
lshvahn.(I forget)
zllictbl.dat

I used various virus and malware scanners and HijackThis. Nothing was
solving my problem nor even detecting the hmq26.sys while it was loading as
a device driver. It was only after I got it to stop loading that the virus
scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
This trojan horse was connecting to IP addresses at a very rapid rate.

It was also loading in safe mode which kept the file locked.

This was a very heavily infected machine (not mine) that made it a challenge
to clean, but it is now CLEAN!
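Added example (not part of the original thread): the boot-log review mentioned above, done by comparing the drivers recorded in a boot log (`%SystemRoot%\ntbtlog.txt`) with driver names from a known-clean machine. The log excerpt is constructed, and `BASELINE` and the function names are assumptions; only the file name rwb48.sys comes from the thread.

```python
import ntpath

# Constructed excerpt in ntbtlog.txt's line format; only the name rwb48.sys
# comes from the thread, everything else is illustrative.
SAMPLE_BOOTLOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 2 25 2008 20:31:07.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\rwb48.sys
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
"""

# Assumed baseline: driver file names taken from the boot log of a
# known-clean machine with the same OS build and hardware.
BASELINE = {"ntoskrnl.exe", "hal.dll", "acpi.sys", "null.sys",
            "changer.sys", "beep.sys"}


def decode_bootlog(data):
    """Decode raw log bytes, accepting UTF-16 (with BOM) or single-byte text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_bootlog(text):
    """Return (loaded, not_loaded) lists of driver paths from boot log text."""
    loaded, not_loaded = [], []
    buckets = (("Loaded driver ", loaded), ("Did not load driver ", not_loaded))
    for line in text.splitlines():
        line = line.strip()
        for prefix, bucket in buckets:
            if line.startswith(prefix):
                bucket.append(line[len(prefix):].strip())
    return loaded, not_loaded


def unexpected_drivers(loaded, baseline):
    """Loaded drivers whose file name is not in the baseline (case-insensitive)."""
    known = {name.lower() for name in baseline}
    seen, hits = set(), []
    for path in loaded:
        name = ntpath.basename(path).lower()
        if name not in known and name not in seen:
            seen.add(name)
            hits.append(path)
    return hits


if __name__ == "__main__":
    loaded, _ = parse_bootlog(SAMPLE_BOOTLOG)
    for path in unexpected_drivers(loaded, BASELINE):
        print("not in baseline:", path)
```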
dP

External


Since: Feb 25, 2008
Posts: 7



(Msg. 14) Posted: Mon Feb 25, 2008 9:24 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23Ad3SVAeIHA.4704@TK2MSFTNGP03.phx.gbl...
> From: "DaveP" <d_powelson.DeleteThis@xxxhotmail.com>
>
> |
>
> Please submit a sample of "hmq26.sys" to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners.
> That will give you an idea what it is and who recognizes it. In addition,
> unless told
> otherwise, Virus Total will provide the sample to all participating
> vendors.
>
> You can also submit a suspect, one at a time, via the following email
> URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

I uploaded the file. It was previously reported on 11 Feb08. The whole
problem with this file is where it loads. It doesn't appear to be detectable
when loaded as a device driver. I am no expert but that does make it harder
to locate and deal with.
David H. Lipman

External


Since: Mar 14, 2004
Posts: 1767



(Msg. 15) Posted: Mon Feb 25, 2008 9:54 pm
Post subject: Re: svchost.exe
Archived from groups: per prev. post

From: "dP" <d_powelson.TakeThisOut@hotmail.com>

| I am not real comfortable handling this file. I would have to turn my
| anti-virus protection off to send the file. It is picked up with my virus
| scanner since it does not load as a device on boot. Apparently when it is
| loaded as a device it is locked and not able to be scanned. I am not in a
| hurry to be reinfected by this file.
|
| Do you have any specific instructions on handling?
| Thanks,
| DaveP
|

It is a .SYS file so it is a Trojan and not a virus and it is not executable.

It is safe to handle.

You said...
"It is picked up with my virus scanner..."

What anti virus application and what was it identified as?
That is, what is the name of this Trojan?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp