Svchost.exe Worm Exploit

2 replies to this topic

#1 CanRaps (Members, 16 posts)

Posted 09 January 2010 - 06:59 AM

Hello, I'm sure that I got this worm from my website, which was infected with a JavaScript injection. Anyway, I cleaned up all the malicious code from the website; I hope it won't happen again.

What does this worm do?
Svchost.exe, from its original system location, tries to connect to 85.17.90.210 = forhomesale.ru on port 80, and as soon as it connects the svchost.exe consumes 50% of the CPU, so after 15 minutes I get a CPU overtemperature error. I analyzed it with Process Explorer and it shows a connection to the service DCOM Launch. If I disable DCOM Launch then it activates itself via the RPC service, and if I disable those services I cannot connect to MSN, copy and paste, you know the rest.
I've just installed Sygate firewall and blocked the outgoing connection to that IP. With ComboFix I can clean up the worm COMPLETELY, but I can't find out where the virus is located, or what others should do if they get this worm, especially if they notice connections to that IP/domain. Kaspersky is still unable to identify the virus or the malicious code on my website.

My PC is XP Professional SP2.
What can you suggest?

#2 CanRaps (Topic Starter, Members, 16 posts)

Posted 30 January 2010 - 05:08 AM

Bump. The problem still continues, but forhomesale.ru's IP has changed to 67.215.66.182.

I already ran ComboFix but cannot get rid of this trojan/worm; it's embedded in svchost.exe.
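For anyone triaging the same symptom, the check below is an added example (not from this thread or from any tool named in it): it parses `netstat -ano` output, joins the PID to an image name as `tasklist` reports it, and flags svchost.exe connections to the two addresses the thread lists for forhomesale.ru. The netstat text and the PID map are constructed samples; on a real box, run `netstat -ano` and `tasklist /svc` (the latter also tells you which service group that svchost hosts) and feed their output in.

```python
"""Flag svchost.exe connections to the remote IPs reported in the thread."""
import re

# Constructed sample of `netstat -ano` output on Windows XP (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       85.17.90.210:80        ESTABLISHED     1044
  TCP    192.168.1.5:1040       67.215.66.182:80       SYN_SENT        1044
  TCP    192.168.1.5:1051       64.4.9.254:1863        ESTABLISHED     2210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  UDP    0.0.0.0:500            *:*                                    1044
"""

# Constructed PID -> image name map, as `tasklist` would give it (hypothetical PIDs).
PROCESSES = {1044: "svchost.exe", 2210: "msnmsgr.exe"}

# Remote addresses the thread attributes to forhomesale.ru; the IP changed between posts,
# which is why a domain-based block alone was not enough for the poster.
KNOWN_BAD = {"85.17.90.210", "67.215.66.182"}

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per connection row; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rhost, _, rport = remote.rpartition(":")  # keeps IPv4 host and port apart
        rows.append({"proto": proto, "local": local, "rhost": rhost,
                     "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def flag_svchost(rows, processes, bad_hosts):
    """Return (pid, remote host, remote port, state) for svchost.exe rows hitting bad_hosts."""
    return [(r["pid"], r["rhost"], r["rport"], r["state"])
            for r in rows
            if processes.get(r["pid"]) == "svchost.exe" and r["rhost"] in bad_hosts]


if __name__ == "__main__":
    for hit in flag_svchost(parse_netstat(NETSTAT_SAMPLE), PROCESSES, KNOWN_BAD):
        print("svchost.exe PID %d -> %s:%s (%s)" % hit)
```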

#3 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Location: Cleveland, Ohio)

Posted 31 January 2010 - 09:41 PM

Please download the Sysclean Package and the latest Virus Pattern Files (pattern files are usually named lptxxx.zip, where xxx is the pattern file number) and save them to your desktop.
  • Be sure to print out and follow the instructions provided in "How to Use System Cleaner" for performing a scan.
  • If you get a message that "required files are missing", click OK and wait for sysclean.com to unpack them.
  • This tool generates a log file (sysclean.log) in the same folder where you ran it, C:\Sysclean.
-- When using Sysclean it's best to use the Administrator's account or an account with administrative rights; otherwise you will not have access rights to scan some locations. You can use the "Run As" command to start a program as an administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal, because these files are protected by the system.

-- Some anti-virus programs will alert you of a virus attack when running Sysclean, so it's best to disable them before performing a scan.

Mark