Since: Feb 25, 2008 Posts: 7
(Msg. 16) Posted: Mon Feb 25, 2008 9:54 pm
Post subject: Re: svchost.exe. Archived from groups: microsoft.public.windowsxp.general
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uV05bLCeIHA.4396@TK2MSFTNGP02.phx.gbl...
> From: "dP" <d_powelson.RemoveThis@hotmail.com>
>
> | I am not real comfortable handling this file. I would have to turn my
> | anti-virus protection off to send the file. It is picked up with my virus
> | scanner since it does not load as a device on boot. Apparently when it
> | is loaded as a device it is locked and not able to be scanned. I am not in
> | a hurry to be reinfected by this file.
> |
> | Do you have any specific instructions on handling?
> | Thanks,
> | DaveP
> |
>
> It is a .SYS file so it is a Trojan and not a virus and it is not
> executable.
>
> It is safe to handle.
>
> You said...
> "It is picked up with my virus scanner..."
>
> What anti-virus application, and what was it identified as?
> That is, what is the name of this Trojan?
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
I use AVAST. Apparently the file is not able to be scanned while loaded, and
it was loading as a device driver on boot, normal and safe mode. It was not
detected until I got it to quit loading.
Identified as: "Trojan Horse Win32:Agent-PTJ [Trj]"
Trojan horse or virus, I don't like 'em.
lol
You want it?
dP
Since: Mar 14, 2004 Posts: 1767
(Msg. 17) Posted: Mon Feb 25, 2008 10:17 pm
Post subject: Re: svchost.exe
From: "dP" <d_powelson RemoveThis @xxx.hotmail.com>
|
| I did find the files. As it was loading as a device driver, besides manually
| looking through Windows folders, about the only other way would have been
| doing a bootlog and reviewing loading device drivers to find this one. Then
| cleaning registry of all entries etc etc.
| My final "hard to kill" list included:
|
| hmq26.sys loading as a driver (various registry entries)
| wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
| entry)
| nkv2.sys
| chl83.sys
| rwb48.sys (device driver)
| lshvahn.(I forget)
| zllictbl.dat
|
| I used various virus and malware scanners and HijackThis. Nothing was
| solving my problem nor even detecting the hmq26.sys while it was loading as
| a device driver. It was only after I got it to stop loading that the virus
| scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
| This trojan horse was connecting to IP addresses at a very rapid rate.
|
| It was also loading in safe mode which kept the file locked.
|
| This was a very heavily infected machine (not mine) that made it a challenge
| to clean, but it is now CLEAN!
|
Are you sure?
The PC may have a RootKit or have a file using Alternate Data Stream (ADS).
http://www.securityfocus.com/infocus/1822
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Since: Feb 25, 2008 Posts: 7
(Msg. 18) Posted: Mon Feb 25, 2008 10:17 pm
Post subject: Re: svchost.exe
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OmG8cYCeIHA.4852@TK2MSFTNGP05.phx.gbl...
> From: "dP" <d_powelson DeleteThis @xxx.hotmail.com>
>
>
> |
> | I did find the files. As it was loading as a device driver, besides
> | manually looking through Windows folders, about the only other way would
> | have been doing a bootlog and reviewing loading device drivers to find
> | this one. Then cleaning registry of all entries etc etc.
> | My final "hard to kill" list included:
> |
> | hmq26.sys loading as a driver (various registry entries)
> | wlctrl32.dll that was being renamed on boot from wlctrl32.dl_ (registry
> | entry)
> | nkv2.sys
> | chl83.sys
> | rwb48.sys (device driver)
> | lshvahn.(I forget)
> | zllictbl.dat
> |
> | I used various virus and malware scanners and HijackThis. Nothing was
> | solving my problem nor even detecting the hmq26.sys while it was loading
> | as a device driver. It was only after I got it to stop loading that the
> | virus scanner was able to scan and detect it. "Trojan Horse Win32:Agent-PTJ [Trj]"
> | This trojan horse was connecting to IP addresses at a very rapid rate.
> |
> | It was also loading in safe mode which kept the file locked.
> |
> | This was a very heavily infected machine (not mine) that made it a
> | challenge to clean, but it is now CLEAN!
> |
>
> Are you sure?
>
> The PC may have a RootKit or have a file using Alternate Data Stream (ADS).
> http://www.securityfocus.com/infocus/1822
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
I am as sure as I can be. I have run scans that are now coming up clean.
Used different scanners.
Do you have any suggestions to be REALLY sure?
System resources are no longer being taken over. All firewall logs are now
quiet. No unexplained activity. I am open to any suggestions you may have
to make sure it is clean.
DaveP
Since: Mar 14, 2004 Posts: 1767
(Msg. 19) Posted: Mon Feb 25, 2008 10:20 pm
Post subject: Re: svchost.exe
From: "dP" <d_powelson RemoveThis @xxx.hotmail.com>
| I use AVAST. Apparently the file is not able to be scanned while loaded, and
| it was loading as a device driver on boot, normal and safe mode. It was not
| detected until I got it to quit loading.
|
| Identified as: "Trojan Horse Win32:Agent-PTJ [Trj]"
|
| Trojan horse or virus, I don't like 'em.
|
| lol
|
| You want it?
|
| dP
|
Yes, to make sure all AV vendors can recognize this Trojan.
Just remove ~nospam~ from my posting address.
Place it in a password-protected ZIP file with the password being: infected
{ password = infected }
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Since: Mar 14, 2004 Posts: 1767
(Msg. 20) Posted: Mon Feb 25, 2008 10:32 pm
Post subject: Re: svchost.exe
From: "dP" <d_powelson.TakeThisOut@xxx.hotmail.com>
| I uploaded the file. It was previously reported on 11 Feb08. The whole
| problem with this file is where it loads. It doesn't appear to be detectable
| when loaded as a device driver. I am no expert, but that does make it harder
| to locate and deal with.
|
If, when the file is loaded, its file handle is held open by the OS, then it is in effect
protecting itself from being scanned.
Malware uses many forms of self-preservation techniques to keep itself running on the PC,
and delivering its payload, and keep the uninitiated from removing it.
The Recovery Console is an effective way to deal with such a file. Load the Recovery
Console. Rename the file and it will no longer be able to be loaded, and you can then go
about cleaning the PC as well as submitting it to places like VirusTotal to understand what
it is and what it does.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
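An added example, not code from the thread or from either poster: since a driver that is loaded at boot keeps its file handle open and cannot be scanned (Dave's point in Msg. 20), the boot log that dP mentions in Msg. 17 is one place to see what was loaded without touching the file. The script below parses the "Loaded driver ..." / "Did not load driver ..." lines that XP writes to ntbtlog.txt and flags drivers that are outside a known-good baseline, carry random-looking names like the ones dP listed, or load from an unusual path. The baseline set, the name heuristic and the log contents are constructed assumptions.

```python
import re
# Assumed baseline of known-good driver names (a real one would be far larger).
KNOWN_GOOD = {"ntkrnlpa.exe", "hal.dll", "kdcom.dll", "bootvid.dll", "acpi.sys",
              "pci.sys", "ntfs.sys", "mup.sys", "tcpip.sys", "afd.sys"}

# Constructed sample log using the driver names the poster listed.
SAMPLE_LOG = r"""Service Pack 2 2 25 2008 21:30:12.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\pci.sys
Loaded driver \SystemRoot\System32\DRIVERS\hmq26.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\rwb48.sys
Did not load driver \SystemRoot\System32\Drivers\nkv2.sys
Loaded driver \??\C:\WINDOWS\Temp\chl83.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")
# Naming pattern seen in the thread (hmq26, rwb48, chl83): 2-4 letters, 1-3 digits.
RANDOMISH = re.compile(r"^[a-z]{2,4}\d{1,3}\.sys$")
NORMAL_DIRS = ("\\windows\\system32\\", "\\systemroot\\system32\\")

def parse_bootlog(text):
    """Yield (status, path, basename) for every driver line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skips the service-pack/timestamp header and blank lines
            yield m.group(1), m.group(2), m.group(2).rsplit("\\", 1)[-1].lower()

def unusual_path(path):
    """Bare names are normal for early-boot entries; otherwise expect System32."""
    low = path.lower()
    return "\\" in low and not low.startswith(NORMAL_DIRS)

def suspicious_drivers(text, baseline=KNOWN_GOOD):
    """Return [(basename, status, reasons)] for drivers that deserve a look."""
    findings = []
    for status, path, name in parse_bootlog(text):
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if RANDOMISH.match(name):
            reasons.append("random-looking name")
        if unusual_path(path):
            reasons.append("unusual path")
        if reasons:
            findings.append((name, status, reasons))
    return findings
```

A hit here is only a lead: the flagged file still has to be renamed from outside the running system (the Recovery Console step above) before it can be scanned or submitted.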
Since: Feb 25, 2008 Posts: 7
(Msg. 21) Posted: Mon Feb 25, 2008 10:32 pm
Post subject: Re: svchost.exe
Since: Mar 14, 2004 Posts: 1767
(Msg. 22) Posted: Mon Feb 25, 2008 10:33 pm
Post subject: Re: svchost.exe
From: "dP" <d_powelson.RemoveThis@xxx.hotmail.com>
| I am as sure as I can be. I have run scans that are now coming up clean.
| Used different scanners.
| Do you have any suggestions to be REALLY sure?
|
| System resources are no longer being taken over. All firewall logs are now
| quiet. No unexplained activity. I am open to any suggestions you may have
| to make sure it is clean.
|
| DaveP
|
Have you used programs such as AutoRuns and ProcessExplorer?
Have you used an Anti RootKit utility such as Gmer?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Since: Feb 25, 2008 Posts: 7
(Msg. 23) Posted: Mon Feb 25, 2008 10:33 pm
Post subject: Re: svchost.exe
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OvdEghCeIHA.5164@TK2MSFTNGP03.phx.gbl...
> From: "dP" <d_powelson DeleteThis @xxx.hotmail.com>
>
>
> | I am as sure as I can be. I have run scans that are now coming up clean.
> | Used different scanners.
> | Do you have any suggestions to be REALLY sure?
> |
> | System resources are no longer being taken over. All firewall logs are
> | now quiet. No unexplained activity. I am open to any suggestions you may
> | have to make sure it is clean.
> |
> | DaveP
> |
>
> Have you used programs such as AutoRuns and ProcessExplorer?
>
> Have you used an Anti RootKit utility such as Gmer?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
I have and did use process explorer. I did not find this file using process
explorer. I do not see any unidentifiable processes using process explorer.
Unfamiliar with the others.
DaveP
Since: Feb 25, 2008 Posts: 7
(Msg. 24) Posted: Mon Feb 25, 2008 10:33 pm
Post subject: Re: svchost.exe
>> Have you used an Anti RootKit utility such as Gmer ?
Thanks for the heads up on Gmer. I have downloaded it and added it to my
collection of tools.
daveP
Since: Aug 21, 2007 Posts: 145
(Msg. 25) Posted: Tue Feb 26, 2008 12:56 pm
Post subject: Re: svchost.exe
Since: Aug 21, 2007 Posts: 145
(Msg. 26) Posted: Tue Feb 26, 2008 12:56 pm
Post subject: Re: svchost.exe
Since: Oct 08, 2005 Posts: 16
(Msg. 27) Posted: Tue Feb 26, 2008 5:42 pm
Post subject: Re: svchost.exe
I have run Gmer, CatchMe, SDfix, Ad-Aware 2007 and Avast.
SDfix found one small thing. Looks great.
Thanks for all your input.
DaveP
--
dP
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OvdEghCeIHA.5164@TK2MSFTNGP03.phx.gbl...
> From: "dP" <d_powelson DeleteThis @xxx.hotmail.com>
>
>
> | I am as sure as I can be. I have run scans that are now coming up clean.
> | Used different scanners.
> | Do you have any suggestions to be REALLY sure?
> |
> | System resources are no longer being taken over. All firewall logs are
> | now quiet. No unexplained activity. I am open to any suggestions you may
> | have to make sure it is clean.
> |
> | DaveP
> |
>
> Have you used programs such as AutoRuns and ProcessExplorer?
>
> Have you used an Anti RootKit utility such as Gmer?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
Since: Mar 14, 2004 Posts: 1767
(Msg. 28) Posted: Tue Feb 26, 2008 6:53 pm
Post subject: Re: svchost.exe
Since: Oct 08, 2005 Posts: 16
(Msg. 29) Posted: Tue Feb 26, 2008 6:53 pm
Post subject: Re: svchost.exe
Since: Mar 14, 2004 Posts: 1767
(Msg. 30) Posted: Tue Feb 26, 2008 8:16 pm
Post subject: Re: svchost.exe