01.24.2008 at 09:42AM PST, ID: 23108427
Svchost.exe rootkit still there after format!!

Asked by Allan_Shiels in Operating Systems Network Security, Windows XP Operating System, Windows Network Security Questions

Tags: microsoft, windows xp pro, rootkits

I have a system that got infected with some kind of rootkit. It infected svchost.exe and sent out emails on port 25. VirusScan 8.5 blocks the port 25 attempts, and viewing active ports, I can see the attempts being made.

I used 4 different rootkit scanners to no avail; VirusScan 8.5 patch 3 does not pick up the svchost rootkit.

What's more concerning is that I just formatted the machine, re-installed XP Pro, did Windows updates, installed VirusScan 8.5 patch 3, and immediately it started blocking svchost.exe from sending out port 25 traffic!!!

Basically what happens is:

Active ports shows svchost connecting to a remote IP to download the virus,
Virus activates,
Active ports shows huge amounts of port 25 traffic,
VirusScan flags up that it has deleted c:\windows\system32\drivers\smtpsvc.exe

This makes no difference, as the machine is still infected because svchost.exe is going mad with port 25.

What is this, and how has it survived a format?

Could it be an MBR rootkit?
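A triage step the post does not show, added here as an example (it is not code from the poster or from any product mentioned): svchost.exe is only a generic host for services implemented as DLLs, so "svchost.exe is sending on port 25" really means one of the services loaded into that particular svchost instance is the sender. The script below parses the text output of two commands that exist on XP Pro, `netstat -ano` (connections with owning PID) and `tasklist /svc` (the services each PID hosts), and joins them so a port 25 hit on a svchost PID comes back with the service list that was loaded into it. The two captures embedded in the script are constructed sample data, not from the poster's machine. Caveat: both commands run on the suspect box through the normal Windows APIs, so a kernel-mode rootkit can hide processes or connections from them; a clean result here does not prove the machine is clean.

```python
"""Correlate outbound TCP port-25 connections (netstat -ano) with the owning
PID and the services that PID hosts (tasklist /svc). Both samples below are
CONSTRUCTED for this example; they are not captures from a real machine."""
import re
from collections import defaultdict

# Constructed `netstat -ano` output: svchost PID 1120 fans out to three
# different remote hosts on port 25, which is what a spam engine looks like.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     1120
  TCP    192.168.1.10:1061      203.0.113.20:25        SYN_SENT        1120
  TCP    192.168.1.10:1062      203.0.113.21:25        ESTABLISHED     1120
  TCP    192.168.1.10:1063      203.0.113.22:25        SYN_SENT        1120
  TCP    192.168.1.10:1070      198.51.100.9:443       ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output. Long service lists wrap onto indented
# continuation lines, as the real command prints them.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    964 RpcSs
svchost.exe                   1120 AudioSrv, BITS, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, Schedule, wuauserv
firefox.exe                   1588 N/A
"""

_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_TASK_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image, PID, services


def _services(field):
    """Split a tasklist services field; 'N/A' means no hosted services."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_netstat(text):
    """Return the TCP connections from `netstat -ano` output as dicts."""
    conns = []
    for line in text.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue  # header, blank, or UDP line
        local, foreign, state, pid = m.groups()
        rhost, rport = foreign.rsplit(":", 1)
        if not rport.isdigit():
            continue
        conns.append({"local": local, "remote": rhost, "rport": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: {"image": name, "services": [...]}} from `tasklist /svc`."""
    procs, current = {}, None
    for line in text.splitlines():
        m = _TASK_LINE.match(line)
        if m:
            image, pid, field = m.group(1), int(m.group(2)), m.group(3)
            current = pid
            procs[pid] = {"image": image, "services": _services(field)}
        elif current is not None and line[:1].isspace() and line.strip():
            # wrapped continuation of the previous PID's service list
            procs[current]["services"].extend(_services(line))
    return procs


def smtp_senders(netstat_text, tasklist_text):
    """Map each PID with outbound port-25 connections (ESTABLISHED or
    SYN_SENT) to its image name, hosted services and distinct remote hosts.
    A mail client talks to one relay; many distinct remotes is the tell."""
    procs = parse_tasklist(tasklist_text)
    remotes = defaultdict(set)
    for c in parse_netstat(netstat_text):
        if c["rport"] == 25 and c["state"] in ("ESTABLISHED", "SYN_SENT"):
            remotes[c["pid"]].add(c["remote"])
    report = {}
    for pid, hosts in remotes.items():
        info = procs.get(pid, {"image": "<not in tasklist>", "services": []})
        report[pid] = {"image": info["image"],
                       "services": sorted(info["services"]),
                       "remotes": sorted(hosts)}
    return report


if __name__ == "__main__":
    for pid, r in smtp_senders(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({r['image']}) -> {len(r['remotes'])} SMTP peers: "
              + ", ".join(r["remotes"]))
        if r["image"].lower() == "svchost.exe":
            print("  services loaded in this svchost instance (one is the suspect):")
            for svc in r["services"]:
                print(f"    {svc}")
```

On a live box, feed it the real output (`netstat -ano > net.txt`, `tasklist /svc > tasks.txt`) instead of the constructed samples. The service list that comes back is the thing to check next: compare each entry's ServiceDll against a known-good install rather than trusting the svchost.exe image itself, which is a signed Microsoft binary and is usually not what was modified.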

About this solution

Solution Provided By: rpggamergirl
Participating Experts: 2
Solution Grade: A