
Need help tracking down unknown threat... trying to reach NukeSploit site


CheezWiz


We have an XP system that has the SVCHost process trying to reach a foreign IP address of 111.148.252.76

This site is using the HTTP exploit NukeSploit. SAV 11 is blocking this traffic, but neither MBAM nor SAV 11 can detect the files on the machine that are actively trying to reach this site at regular intervals. This particular instance of SVCHost is kicked off at login by an unknown process. Process Explorer gives us the PID of the process that kicks this off, but it is closed by the time we can get a look at it.

Anyone have any suggestions about tracing bootup and login processes to track down the malware on this system? Please do not suggest HijackThis or similar tools; we have been quite thorough in trying to figure out how this is launching and cannot find any discrepancies in the obvious parts of the registry that those types of tools display.

I have considered kicking off a command script early in the boot process that dumps the output from tasklist repeatedly to an appended text file in an attempt to catch the PID of the process launching the instance of SVCHost...

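Added example, not from the thread and not something the poster ran: a Python script that does what the last paragraph proposes, but polls WMIC instead of tasklist because WMIC reports ParentProcessId, and keeps a record of every process it has ever seen so a launcher that exits before anyone can look at it can still be matched to the svchost.exe it started. It assumes WMIC is present (it ships with XP Professional) and its alphabetical CSV column order; every process name and path below is constructed.

```python
import subprocess
import time

# /format:csv lists the requested columns alphabetically after a leading "Node" column (assumed order).
WMIC_CMD = ["wmic", "process", "get", "CommandLine,Name,ParentProcessId,ProcessId", "/format:csv"]

def parse_snapshot(text):
    """Parse WMIC CSV output into {pid: (ppid, name, cmdline)}. WMIC does not quote
    fields, so a command line containing commas is rejoined from the middle fields."""
    procs = {}
    rows = [ln for ln in text.replace("\r", "").split("\n") if ln.strip()]
    for row in rows[1:]:  # rows[0] is the header
        fields = row.split(",")
        if len(fields) < 5:
            continue  # garbled or truncated line
        try:
            procs[int(fields[-1])] = (int(fields[-2]), fields[-3], ",".join(fields[1:-3]))
        except ValueError:
            continue
    return procs

def attribute_new(seen, snapshot, target="svchost.exe"):
    """Merge `snapshot` into `seen` (never pruned, so a parent that exits between polls stays
    resolvable) and return (pid, ppid, parent_name, parent_cmdline) for each target process
    not seen before. Caveat: a PID recycled after an exit is not reported as new."""
    new_pids = [pid for pid in snapshot if pid not in seen]
    seen.update(snapshot)  # merge first so a parent caught in the same poll resolves
    findings = []
    for pid in new_pids:
        ppid, name, _ = snapshot[pid]
        if name.lower() == target:
            _, pname, pcmd = seen.get(ppid, (0, "<parent never observed>", ""))
            findings.append((pid, ppid, pname, pcmd))
    return findings

def run_wmic():
    raw = subprocess.check_output(WMIC_CMD)
    # WMIC emits UTF-16 with a BOM when its output is redirected; fall back to 8-bit text otherwise.
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("latin-1")

def poll(interval=0.5, rounds=None):
    """Poll until interrupted (or `rounds` times); print one line per newly seen svchost.exe."""
    seen, done = {}, 0
    while rounds is None or done < rounds:
        for pid, ppid, pname, pcmd in attribute_new(seen, parse_snapshot(run_wmic())):
            print("%s svchost pid=%d parent pid=%d %s %s"
                  % (time.strftime("%H:%M:%S"), pid, ppid, pname, pcmd))
        done += 1
        time.sleep(interval)
```

Start it before logging in (for instance from a scheduled task or a startup script) with `python -c "import watch; watch.poll()" >> C:\svchost_parents.log`, where `watch.py` is whatever you named the file; the parent's name and command line in the log is what to examine next.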

Never mind the forum post... I now understand that this discussion should be in the forum marked HijackThis logs...?

Exactly :rolleyes:

Probably you'll need HijackThis or others anyway. Because I don't have that redirect post form ready here, I'll just content myself with asking you to go to the "HijackThis logs" subforum and read the manual ;)

:lazy:

