Guest GavTel in BC.CA, posted November 4, 2008

Have an SMTP Trojan embedded that uses svchost (PID 560 or 432), opens ports UDP 3001 and TCP 3002, 3003, 3004, and attaches either to RpcSs or Services, and evades all rootkit finders and virus scanners. Shows up in Process Explorer and an open-ports scanner. Have ripped the registry apart looking for clues. Starts by downloading on port 443 from 195.190.13.198, then writes to a readable area in HKLM\Software\77 that has key a5 and contains code. Destroy it and it is replaced. Also writes to the software hive and software.bak.tmp. Malicious Tools scans clean, as do all spyware scanners. McAfee no help either. Sysinternals shows it all happen using registered Microsoft components. This thing is in the registry and can be stopped....

I just want to find how this was done as I've tried everything.
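The post describes listeners on UDP 3001 and TCP 3002-3004 owned by an svchost instance that is "attached" to RpcSs or Services, plus a download from 195.190.13.198:443. The first triage step a responder takes on a Windows XP/2003-era box is to correlate `netstat -ano` (sockets with owning PID) against `tasklist /svc` (which services each svchost PID hosts). The Python below is an added example, not code from the thread or from any of the posters: it parses saved copies of those two command outputs so the correlation can be done offline on a clean machine. The sample outputs are constructed; the PIDs, ports and remote address follow the post's description, everything else (other listeners, service lists, the local IP) is invented for illustration.

```python
# Added example: correlate saved `netstat -ano` and `tasklist /svc` output to find
# which svchost.exe owns suspicious ports and which services that PID hosts.
import re

# Constructed sample in the `netstat -ano` layout of Windows XP/2003. PIDs, ports and
# the 195.190.13.198:443 connection mirror the post; the other rows are invented.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3002           0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:3003           0.0.0.0:0              LISTENING       560
  TCP    0.0.0.0:3004           0.0.0.0:0              LISTENING       560
  TCP    192.168.1.10:1045      195.190.13.198:443     ESTABLISHED     560
  UDP    0.0.0.0:3001           *:*                                    560
"""

# Constructed sample in the `tasklist /svc` layout. Long service lists wrap onto
# indented continuation lines, which the parser has to re-join to the right PID.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
services.exe                   420 N/A
svchost.exe                    432 DcomLaunch
svchost.exe                    560 RpcSs
svchost.exe                    700 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   EventSystem, lanmanserver, Netman, Nla,
                                   Schedule, ShellHWDetection, wuauserv
"""

# UDP rows have no State column, so that group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def split_endpoint(endpoint):
    """'0.0.0.0:3002' -> ('0.0.0.0', 3002); '*:*' -> ('*', None); also handles '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per socket row; banner and header lines do not match the regex and are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_host, local_port = split_endpoint(m.group("local"))
        remote_host, remote_port = split_endpoint(m.group("remote"))
        sockets.append({"proto": m.group("proto"), "local_host": local_host, "local_port": local_port,
                        "remote_host": remote_host, "remote_port": remote_port,
                        "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return sockets


def _services(field):
    field = field.strip()
    return [] if field in ("", "N/A") else [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Map PID -> {'image': ..., 'services': [...]}, joining wrapped service lists."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("="):
            continue
        if line[0].isspace():          # indented row: continuation of the previous PID's services
            if last_pid is not None:
                procs[last_pid]["services"].extend(_services(line))
            continue
        m = TASKLIST_RE.match(line)    # the "Image Name  PID Services" header has no PID and is skipped
        if not m:
            continue
        last_pid = int(m.group("pid"))
        procs[last_pid] = {"image": m.group("image"), "services": _services(m.group("svcs"))}
    return procs


def listening_on(netstat_text, tasklist_text, ports):
    """Sockets bound to `ports` (any UDP row, or TCP rows in LISTENING), tagged with owner and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if s["local_port"] not in ports or (s["proto"] == "TCP" and s["state"] != "LISTENING"):
            continue
        owner = procs.get(s["pid"], {"image": "<not in tasklist>", "services": []})
        hits.append({"proto": s["proto"], "port": s["local_port"], "pid": s["pid"],
                     "image": owner["image"], "services": list(owner["services"])})
    return hits


def connections_to(netstat_text, tasklist_text, remote_host):
    """Sockets whose foreign address is `remote_host`, with the owning image name."""
    procs = parse_tasklist_svc(tasklist_text)
    return [{"pid": s["pid"], "remote_port": s["remote_port"], "state": s["state"],
             "image": procs.get(s["pid"], {}).get("image", "<not in tasklist>")}
            for s in parse_netstat(netstat_text) if s["remote_host"] == remote_host]


if __name__ == "__main__":
    for h in listening_on(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {3001, 3002, 3003, 3004}):
        print(f"{h['proto']:<3} {h['port']:<5} PID {h['pid']:<5} {h['image']:<12} hosts {', '.join(h['services']) or '-'}")
    for c in connections_to(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "195.190.13.198"):
        print(f"outbound to 195.190.13.198:{c['remote_port']} ({c['state']}) from PID {c['pid']} {c['image']}")
```

On a live box, save the real output with `netstat -ano > netstat.txt` and `tasklist /svc > tasklist.txt` and feed those files to `listening_on` and `connections_to` instead of the constructed samples. The result tells you which svchost PID owns the ports and which services it hosts, which narrows the follow-up: for each hosted service, compare HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters\ServiceDll against the DLL Microsoft ships for that service, and look at that PID's loaded-DLL list in Process Explorer, since an svchost that "attaches" to a legitimate service normally does so through a replaced ServiceDll or an injected module rather than through the service binary itself. Whether that is what happened on the poster's machine is not something this thread establishes.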
Guest Leythos, posted November 4, 2008

In article <10A13FC2-9C26-4E2C-A278-B338A160EC1E@microsoft.com>, GavTelinBCCA@discussions.microsoft.com says...

> Have SMTP Trojan embedded that uses svchost PID 560 or 432 opens ports UDP
> 3001, TCP 3002,3,4 and attaches either to RpcSs or Services and evades all
> Rootkit finders and Virus scanners. Shows up in Process Explorer and Open
> ports scanner. Have ripped registry apart looking for clues. Starts by
> downloading on port 443 from 195.190.13.198 writes to readable area in
> HKLM\Software\77 that has key a5 and contains code. destroy it and it is
> replaced. Also writes to software hive and software.bak.tmp . Malicious Tools
> scans clean, as do all Spyware scanners. McAfee no help either. Sysinternals
> shows it all happen using registered Microsoft components. This thing is in
> the registry and can be stopped....
>
> I just want to find how this was done as I've tried everything

Have you tried these two antimalware tools? These sites are for downloading anti-malware and anti-spyware tools, in the order that I would use them myself:

Dave Lipman's tools: download MULTI_AV.EXE from this URL (this is a non-English site, but it's a great tool):
http://www.pctipp.ch/downloads/dl/35905.asp

MalwareBytes Anti-Malware, from http://www.bleepingcomputer.com/
http://download.bleepingcomputer.com/malwa.../mbam-setup.exe

-- 
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest David H. Lipman, posted November 4, 2008

From: "GavTel in BC.CA" <GavTelinBCCA@discussions.microsoft.com>

| Have SMTP Trojan embedded that uses svchost PID 560 or 432 opens ports UDP
| 3001, TCP 3002,3,4 and attaches either to RpcSs or Services and evades all
| Rootkit finders and Virus scanners. Shows up in Process Explorer and Open
| ports scanner. Have ripped registry apart looking for clues. Starts by
| downloading on port 443 from 195.190.13.198 writes to readable area in
| HKLM\Software\77 that has key a5 and contains code. destroy it and it is
| replaced. Also writes to software hive and software.bak.tmp . Malicious Tools
| scans clean, as do all Spyware scanners. McAfee no help either. Sysinternals
| shows it all happen using registered Microsoft components. This thing is in
| the registry and can be stopped....
| I just want to find how this was done as I've tried everything

I'm sorry, but even with all you posted, your post is still vague at best.

You said... "...evades all Rootkit finders and Virus scanners"

Please indicate exactly what software you used.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp