My question is:
1. If svchost.exe is corrupted, is there any way to replace the file with
another clean and functional svchost.exe?
Thank you for the answers.
best regards,
Baron
It sounds like the Buffer Overflow detection kicked in in McAfee Enterprise v8.50i. Yes?
You don't replace svchost.exe. That's the server of servers in Windows.
You have to find what was injected into the service.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
| Dear David,
| That's right. Do you have any suggestion on how to trace this infection?
| Because it's contaminating all the user PCs also. I think McAfee is still
| blocking it, but some of our servers have been disabled. How do we fix it without
| formatting the servers? Because we tried to repair Windows but it didn't
| work.
| Thanks a lot for your answer.
You already have McAfee so use the following Multi AV Scanning Tool's Sophos and Trend
Micro modules to scan an infected server.
When using the Trend Micro module, you can disable the Spyware scanner capability.
You may want to concentrate on the c:\windows (c:\winnt) tree.
Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe
http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *
baron
| One more thing, Dave, before I try this: is there any way to update this
| multiscan manually? Because the infected server cannot connect to the network
| properly, so it could not get an update from the internet. And also, do you have
| any suggestion to trace the source of this buffer overflow infection?
| Thanks,
| baron
Yes. Read the included PDF Help File on the use of a surrogate PC to download all files
and then transfer and run on an infected computer.
As for tracing this...
That's difficult. I personally don't know. Is it based upon RPC, TCP port 135 or
through SMB TCP 445?
Have you put a packet sniffer on any nodes ?
This problem appears to be related to the Microsoft Vulnerability that
allows remote code execution on ports 139 and 445.
Check to make sure you have hot fix 958644 installed.
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
There is a large amount of activity on the web with variants of a virus
published last week.
So install the Hot Fix and reboot, hopefully that will solve your
problem.
Over and out.
--
JezRobinson
------------------------------------------------------------------------
JezRobinson's Profile: http://forums.techarena.in/members/jezrobinson.htm
View this thread: http://forums.techarena.in/security-virus/1077813.htm
thanks.
Baron
The reporting about buffer overflow has been rare since I tried the hotfix
from Jez Robinson and other Windows critical updates from Windows Update.
We'll see for a couple of days; if something comes out again I'll come back to
this forum. Thanks a lot for the antivirus though. It's really useful.
best regards,
Baron
Thanks for your reply.
baron
| Dear Dave,
| You got some heavy duty antivirus there, but it doesn't find the cause of
| the bo:stack buffer overflow. It captured some viruses on several servers, but
| the virus was not the same on every server.
| The reporting about buffer overflow has been rare since I tried the hotfix
| from Jez Robinson and other Windows critical updates from Windows Update.
| We'll see for a couple of days; if something comes out again I'll come back to
| this forum. Thanks a lot for the antivirus though. It's really useful.
| best regards,
| Baron
You need to do some packet sniffing and find which computers on your LAN are infected and
are searching out OTHER computers through TCP ports 135 and 445.
You need to isolate your network from the WAN better with a FireWall as well.
You indicated that there were "...some virus in several servers..."
Please identify exactly what was found.
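Dave's advice above (put a sniffer on the nodes and look for machines searching out other computers on TCP 135 and 445) can be turned into a repeatable check. The block below is an added example written for this page; it is not code from the thread, from McAfee, or from the Multi_AV tool. It parses a classic pcap file with only the Python standard library, keeps the bare TCP SYNs (connection attempts with SYN set and ACK clear) aimed at 135 or 445, and reports every source address that tried to reach many distinct hosts, which is what a worm sweeping the LAN looks like and what a normal client talking to its usual file server does not. The capture it analyses is constructed inline (the 10.0.0.x addresses are invented), and the threshold of 10 distinct targets is an assumed tuning value, not something the thread states.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same bytes read from a big-endian file
LINKTYPE_ETHERNET = 1
WORM_PORTS = (135, 445)         # RPC endpoint mapper and SMB over TCP


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02):
    """Minimal Ethernet/IPv4/TCP frame (SYN by default). Checksums are left
    zero: a capture parser does not validate them, so they are not needed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 128, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap container (24-byte global
    header, then a 16-byte record header before each frame)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1227000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap_bytes):
    """Yield each captured frame from a classic pcap, in either byte order."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def syn_target(frame):
    """Return (src_ip, dst_ip, dport) when the frame is a bare TCP SYN, i.e. a
    new outbound connection attempt; None for anything else (including the
    SYN/ACK a server sends back, which has ACK set)."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IP header length
    if frame[23] != 6:                                       # IP protocol != TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    if tcp[13] & 0x12 != 0x02:                               # SYN set, ACK clear
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])),
            str(ipaddress.IPv4Address(frame[30:34])), dport)


def find_scanners(pcap_bytes, ports=WORM_PORTS, threshold=10):
    """Map each source to the distinct hosts it tried to open on the worm
    ports and keep only sources that reached the threshold."""
    targets = defaultdict(set)
    for frame in iter_frames(pcap_bytes):
        hit = syn_target(frame)
        if hit is not None and hit[2] in ports:
            targets[hit[0]].add(hit[1])
    return {src: sorted(dsts, key=ipaddress.IPv4Address)
            for src, dsts in targets.items() if len(dsts) >= threshold}


def sample_capture():
    """Constructed traffic (not from the poster's network): 10.0.0.5 sweeps
    twenty hosts on 445 and five on 135, 10.0.0.2 reconnects three times to
    one file server, and that server answers with SYN/ACK."""
    frames = [build_tcp_frame("10.0.0.5", f"10.0.0.{h}", 1025 + h, 445) for h in range(10, 30)]
    frames += [build_tcp_frame("10.0.0.5", f"10.0.0.{h}", 1100 + h, 135) for h in range(30, 35)]
    frames += [build_tcp_frame("10.0.0.2", "10.0.0.9", 2000 + i, 445) for i in range(3)]
    frames += [build_tcp_frame("10.0.0.9", "10.0.0.2", 445, 2000 + i, flags=0x12) for i in range(3)]
    return build_pcap(frames)


if __name__ == "__main__":
    for src, hosts in find_scanners(sample_capture()).items():
        print(f"{src} tried {len(hosts)} distinct hosts on {WORM_PORTS}: {hosts[0]} .. {hosts[-1]}")
```

Against a real capture taken on a mirror port or on one of the affected servers, call `find_scanners(open("capture.pcap", "rb").read())`. The flag test is what separates a scanner from the servers answering it: the file server's replies carry source port 445 and ACK set, so they are never counted, and a client that keeps reconnecting to the same one or two servers stays below the threshold no matter how chatty it is.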
> Dear Jez.
> Thanks for the update. I've tried the hotfix. well, see in a couple of days.
> and I'll report in this newsgroup again.
> thanks.
> Baron
>
> "JezRobinson" wrote:
>>
>> Hi,
>> This problem appears to be related to the Microsoft Vulnerability that
>> allows remote code execution on ports 139 and 445.
Seconfig XP 1.1
http://seconfig.sytes.net/
Seconfig XP is able to configure Windows not to use TCP/IP as the transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.
| Seconfig XP 1.1
| http://seconfig.sytes.net/
| Seconfig XP is able to configure Windows not to use TCP/IP as the transport
| protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
| and 445 (the most exploited Windows networking weak point) closed.
Kayman:
He indicated these are servers. They are not home computers and they are participating in a
LAN.
Closing these ports could have disastrous effects on LAN communications.
Your advice is contraindicated.
Every time I go to run \\computername it shows:
"the network connection could not be reached"
This happens vice versa. Does the hotfix close a port or something? If yes, how
do you open it again?
Thanks
"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"
I already ran Windows Update and updated the antivirus also.
>Sorry for the late reply, Dave. It caught Sality or something like that; I
>forgot because I removed it once it was detected. Now it causes this in the Event
>Viewer:
>
>"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
>shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"
>
>
>I already ran Windows Update and updated the antivirus also.
>
Saw this thread and we recently went through a battle with a worm that
sounds like what you have. After patching the servers/PCs that were
infected, you still have to clean up those machines. The worm we had
created a service on the servers and PCs. So even though you patch
the machine, the service still ran, which would crash other machines
it was trying to spread to that weren't patched. We deleted the
registry keys mentioned in this alert on the infected machines:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=T
We also used a network sniffer to scan for port 445 requests, and
usually those PCs making a lot of requests had this virus service
still on them.
I had exactly the same problem on two of our 2003 servers (SP1).
It occurred 2 days ago for the first time.
I've found a workaround:
I installed, in order:
Hotfix KB914810 (included in SP2)
Hotfix KB932762
Security update KB958644
However, the root cause is still unclear, but I suspect the auto update
service. It's hosted by a svchost instance together with some important
network services.
greetings,
Michael
Thanks for your solution. I downloaded hotfix 958644, installed it
and then restarted, and the virus did not appear again.
| Dear Mike,
| If the computer is already infected, can using this hotfix restore the
| computer's condition from before it got infected?
| Thanks
NO !
A HotFix will only correct the vulnerability that was used in the exploit that got the PC
infected.
| Dear Dave,
| So how do I restore the condition of the server from before it got infected without
| having to reinstall it?
Tape for one.
Otherwise you have to discern what was changed and undo said changes.
In this case, I don't know what infected your Server and thus have no idea what changes
were made.
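Two points in this thread, Dave's "find what was injected into the service" and his closing "discern what was changed and undo said changes", together with the earlier report that the worm created a service on every machine it reached, come down to comparing a suspect server against a known-clean one. The block below is an added example written for this page, not code from the thread, from Trend Micro or from McAfee. On Windows it reads from the registry every service that is hosted inside svchost.exe (the ones carrying a Parameters\ServiceDll value) together with the svchost group lists (netsvcs and the others) under the Svchost key, and then diffs a suspect baseline against a clean one to surface added services, repointed DLLs and new group members. The two baselines embedded below are constructed: the clean side is a short illustrative subset of genuine svchost-hosted services, not a full Windows Server 2003 inventory, and the service name xyzsvc and the DLL abcdefg.dll are invented placeholders standing in for whatever an infection actually drops.

```python
import json
import os
import sys
from typing import Dict, List, Tuple

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# ({service name: ServiceDll path}, {svchost group: [service names]})
Baseline = Tuple[Dict[str, str], Dict[str, List[str]]]


def collect_baseline() -> Baseline:
    """Read the live registry (Windows only). A service that runs inside
    svchost.exe carries Parameters\\ServiceDll, and the Svchost key lists
    which service names each group (netsvcs, NetworkService, ...) loads."""
    import winreg  # standard library, but only importable on Windows
    hklm = winreg.HKEY_LOCAL_MACHINE
    groups: Dict[str, List[str]] = {}
    with winreg.OpenKey(hklm, SVCHOST_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):         # [1] = value count
            name, value, kind = winreg.EnumValue(key, i)
            if kind == winreg.REG_MULTI_SZ:
                groups[name.lower()] = sorted(s.lower() for s in value)
    dlls: Dict[str, str] = {}
    with winreg.OpenKey(hklm, SERVICES_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):         # [0] = subkey count
            svc = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, svc + r"\Parameters") as params:
                    dll, _ = winreg.QueryValueEx(params, "ServiceDll")
            except OSError:
                continue                                      # not svchost-hosted
            dlls[svc.lower()] = os.path.normcase(os.path.expandvars(str(dll)))
    return dlls, groups


def diff_baselines(clean: Baseline, suspect: Baseline) -> Dict[str, dict]:
    """Everything that is new or repointed on the suspect relative to the
    clean server is the candidate list for what was injected and what to undo."""
    clean_dlls, clean_groups = clean
    sus_dlls, sus_groups = suspect
    added = {s: sus_dlls[s] for s in sorted(sus_dlls.keys() - clean_dlls.keys())}
    changed = {s: (clean_dlls[s], sus_dlls[s])
               for s in sorted(clean_dlls.keys() & sus_dlls.keys())
               if clean_dlls[s] != sus_dlls[s]}
    joined = {}
    for group, members in sus_groups.items():
        extra = sorted(set(members) - set(clean_groups.get(group, [])))
        if extra:
            joined[group] = extra
    return {"added_services": added, "changed_dll": changed, "added_to_group": joined}


def load_baseline(path: str) -> Baseline:
    """Load a baseline written by --dump (JSON turns the tuple into a list)."""
    with open(path) as fh:
        dlls, groups = json.load(fh)
    return dlls, groups


# Constructed baselines for the demonstration, not an inventory of a real
# Windows Server 2003 box; "xyzsvc" and "abcdefg.dll" are invented placeholders.
CLEAN_SAMPLE: Baseline = (
    {"browser": r"c:\windows\system32\browser.dll",
     "lanmanserver": r"c:\windows\system32\srvsvc.dll",
     "wuauserv": r"c:\windows\system32\wuauserv.dll",
     "dnscache": r"c:\windows\system32\dnsrslvr.dll"},
    {"netsvcs": ["browser", "lanmanserver", "wuauserv"],
     "networkservice": ["dnscache"]},
)
SUSPECT_SAMPLE: Baseline = (
    dict(CLEAN_SAMPLE[0],
         xyzsvc=r"c:\windows\system32\abcdefg.dll",           # new, random-looking service
         lanmanserver=r"c:\windows\temp\srvsvc.dll"),         # existing service repointed
    {"netsvcs": ["browser", "lanmanserver", "wuauserv", "xyzsvc"],
     "networkservice": ["dnscache"]},
)


if __name__ == "__main__":
    if sys.argv[1:] == ["--dump"]:                            # run this on each server
        json.dump(collect_baseline(), sys.stdout, indent=1)
        sys.exit(0)
    if len(sys.argv) == 4 and sys.argv[1] == "--diff":        # --diff clean.json suspect.json
        report = diff_baselines(load_baseline(sys.argv[2]), load_baseline(sys.argv[3]))
    else:
        report = diff_baselines(CLEAN_SAMPLE, SUSPECT_SAMPLE)
    for section, items in report.items():
        print(f"{section}: {items}")
```

Run it with `--dump > host.json` on a server that McAfee never flagged and again on a suspect one, then `--diff clean.json suspect.json` on either. The report is a starting list, not a verdict: an added service still has to be confirmed by looking at the DLL it points to, and a hotfix, as Dave says above, removes none of these entries, so the clean-up is deleting the service key, removing it from its svchost group and deleting the DLL, then rebooting.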