CheezWiz
Honorary Members
  • Posts: 26
  • Joined
  • Last visited

Everything posted by CheezWiz

  1. Well, at work we are corporate customers and have Technician's licenses for MBAM. However, the only computer I have access to for any length of time is a home user's, so I am not using corporate MBAM products on it. So I would not feel comfortable proceeding as requested unless that is YOUR decision. Thanks!
  2. If anyone can offer suggestions: we are encountering a new threat that we are unable to isolate. Any input on tracking it down is appreciated. First, be aware that we have scanned with every live CD and tool available. It is easier for us to just re-image the system than spend time tracking it down, but after having three such systems at work and now another from a home user, I am determined to get some samples gathered and squash this. I have one infected system I can hold off on nuking for a couple of days.

     Description: When the system is booted up and logged in, the internet activity will go hot. One of the svchost processes (the netsvcs one) will start consuming resources. Looking with TCPView, that svchost will be opening many seemingly random HTTP calls to IPs. As HTTP calls close, more open. Additionally, after a while of this, the AV will start detecting various Java exploits as they are downloaded to the system.

     Analysis? So I am guessing that the malware has either infected one of the services being launched by svchost, or svchost itself has been compromised.

     Possible course? So I am figuring that I could start by replacing each of the service DLLs launched by svchost one at a time and checking if the problem goes away. If it does, then I have nailed it down. Thoughts?
  3. We have an XP system that has the svchost process trying to reach a foreign IP address of 111.148.252.76. This site is using the HTTP exploit NukeSploit. SAV 11 is blocking this traffic, but neither MBAM nor SAV 11 can detect the files on the machine that are actively trying to reach this site at regular intervals. This particular instance of svchost is kicked off at login by an unknown process. Process Explorer gives us the PID of the process that kicks this off, but it is closed by the time we can get a look at it. Anyone have any suggestions about tracing bootup and login processes to track down the malware on this system? Please do not suggest HijackThis or similar tools; we have been quite thorough in trying to figure out how this is launching and cannot find any discrepancies in the obvious parts of the registry that those types of tools display. Looking for some more advanced methods of finding this. I have considered kicking off a command script early in the boot process that dumps the output from tasklist repeatedly to an appended text file in an attempt to catch the PID of the process launching the instance of svchost. Svchost itself appears to be uninfected.
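The approach sketched in posts 2 and 3 above (repeatedly dumping the process list at logon to catch whatever spawns the rogue svchost) has one gap: tasklist does not show parent PIDs. The Win32_Process class queried by wmic does, and Windows keeps a process's ParentProcessId after the parent has exited, so even a snapshot taken after the launcher is gone still names it, and an earlier snapshot can supply its command line. The script below is an added example, not code from CheezWiz's posts or from Malwarebytes; it collects wmic snapshots on a Windows box, parses saved output, and flags any svchost whose parent is not services.exe. The two embedded snapshots, including every PID, path (such as updater.exe) and timestamp in them, are constructed for the demo.

```python
"""Find what launched an svchost by correlating repeated WMI process snapshots.
tasklist shows no parent PID, but Win32_Process does, and Windows keeps a process's
ParentProcessId after the parent exits: a late snapshot still names the launcher,
and an earlier snapshot can supply that launcher's command line."""
import platform
import subprocess

# /format:list emits Key=Value blocks split by blank lines (wmic's csv leaves commas unquoted)
WMIC_CMD = ["wmic", "process", "get",
            "CommandLine,CreationDate,Name,ParentProcessId,ProcessId", "/format:list"]

def collect_snapshot():
    """Run wmic on the box (Windows only); a logon-time collector would loop on this."""
    if platform.system() != "Windows":
        raise RuntimeError("wmic only exists on Windows; feed saved output to parse_wmic_list")
    raw = subprocess.run(WMIC_CMD, capture_output=True, check=True).stdout
    # Assumption: a BOM means UTF-16 output, otherwise the OEM/ANSI code page
    return raw.decode("utf-16" if raw.startswith(b"\xff\xfe") else "mbcs", errors="replace")

def parse_wmic_list(text):
    """Parse 'wmic ... /format:list' output into one dict per process."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        records.append(current)
    return records

def _created(rec):
    # CIM_DATETIME is yyyymmddHHMMSS.ffffff+UTCoffset; its first 21 chars sort chronologically
    return rec.get("CreationDate", "")[:21]

def find_svchost_launchers(snapshots):
    """snapshots: list of (label, records) in capture order. One finding per svchost PID;
    'anomalous' means the parent is not services.exe, svchost's only legitimate launcher."""
    first_seen = {}  # pid -> (label, record) from the earliest snapshot listing it
    for label, records in snapshots:
        for rec in records:
            pid = rec.get("ProcessId")
            if pid and pid not in first_seen:
                first_seen[pid] = (label, rec)
    findings = []
    for pid, (label, rec) in first_seen.items():
        if rec.get("Name", "").lower() != "svchost.exe":
            continue
        ppid = rec.get("ParentProcessId", "")
        parent_label = parent_name = parent_cmd = None
        parent = first_seen.get(ppid)
        # PID reuse guard: only trust a parent that was created before the child
        if parent is not None and _created(parent[1]) <= _created(rec):
            parent_label, prec = parent
            parent_name, parent_cmd = prec.get("Name", ""), prec.get("CommandLine", "")
        findings.append({"pid": pid, "cmdline": rec.get("CommandLine", ""),
                         "parent_pid": ppid, "parent_name": parent_name,
                         "parent_cmdline": parent_cmd, "parent_seen_in": parent_label,
                         "anomalous": (parent_name or "").lower() != "services.exe"})
    return findings

# Constructed sample snapshots (PIDs, paths, timestamps invented): t0 right after logon,
# t1 a few seconds later when the launcher has exited; unchanged processes omitted from t1.
SNAPSHOT_T0 = r"""
CommandLine=C:\WINDOWS\system32\services.exe
CreationDate=20090512081412.125000+060
Name=services.exe
ParentProcessId=556
ProcessId=612

CommandLine=C:\WINDOWS\system32\svchost.exe -k netsvcs
CreationDate=20090512081415.546875+060
Name=svchost.exe
ParentProcessId=612
ProcessId=1004

CommandLine="C:\Documents and Settings\user\Local Settings\Temp\updater.exe"
CreationDate=20090512081458.781250+060
Name=updater.exe
ParentProcessId=1504
ProcessId=1720
"""
SNAPSHOT_T1 = r"""
CommandLine=C:\WINDOWS\system32\svchost.exe -k netsvcs
CreationDate=20090512081459.500000+060
Name=svchost.exe
ParentProcessId=1720
ProcessId=1832
"""

def demo_findings():
    """Run the correlation over the constructed snapshots."""
    return find_svchost_launchers([("t0", parse_wmic_list(SNAPSHOT_T0)),
                                   ("t1", parse_wmic_list(SNAPSHOT_T1))])

if __name__ == "__main__":
    for f in demo_findings():
        print("SUSPECT" if f["anomalous"] else "ok", "svchost", f["pid"], "parent", f["parent_pid"],
              f["parent_name"], "seen in", f["parent_seen_in"], "->", f["parent_cmdline"])
```

On the infected XP box, the collection side is just the wmic command above run in a loop from a logon script or an early-starting scheduled task, each pass redirected to a new numbered file (XP has no timeout.exe, so `ping -n 2 127.0.0.1 >nul` is the usual one-second sleep). Keep the interval short: a launcher that starts and exits between two passes leaves only its PID behind, and the PID-reuse guard will then refuse to name it. Once the rogue svchost is identified, `tasklist /svc` shows which services it hosts, and each service's DLL is the `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`, which is what post 2's one-DLL-at-a-time plan needs to enumerate.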
  4. Never mind the forum post. I now understand that this discussion should be in the forum marked HijackThis Logs?
  5. We have an XP system that has the svchost process trying to reach a foreign IP address of 111.148.252.76. This site is using the HTTP exploit NukeSploit. SAV 11 is blocking this traffic, but neither MBAM nor SAV 11 can detect the files on the machine that are actively trying to reach this site at regular intervals. This particular instance of svchost is kicked off at login by an unknown process. Process Explorer gives us the PID of the process that kicks this off, but it is closed by the time we can get a look at it. Anyone have any suggestions about tracing bootup and login processes to track down the malware on this system? Please do not suggest HijackThis or similar tools; we have been quite thorough in trying to figure out how this is launching and cannot find any discrepancies in the obvious parts of the registry that those types of tools display. I have considered kicking off a command script early in the boot process that dumps the output from tasklist repeatedly to an appended text file in an attempt to catch the PID of the process launching the instance of svchost.
  6. +1 on 64-bit. Now that it is standard on Dells and HPs with more than 3 GB of RAM, 64-bit is becoming mainstream. I now have several clients in podunk middle Tennessee with 64-bit systems. CW
  7. A newer version of the software is triggering with this file: GLCFC.zip
  8. Hello, I am trying to install a commercial program and it is being detected as Rogue.EvidenceEliminator. It can be downloaded here: http://download1DOTneatreceiptsDOTcom/Neat...sv4.0.8FULL.exe I see how to report an FP from a manual scan (pinned up top), but not from the resident protection. CW