Jump to content

Need help tracking down unknown threat.. trying to reach NukeSploit site


Recommended Posts

We have an XP system that has the SVCHost process trying to reach a foreign IP address of 111.148.252.76

This site is using the HTTP exploit NukeSploit. SAV 11 is blocking this traffic, but neither MBAM or SAV 11 can detect the files on the machine that are actively trying to reach this site at regular intervals. This particular instance of SVCHost is kicked off at login by an unknown process. Process Explorer gives us the PID of the process that kicks this off, but it is closed by the time we can get a look at it.

Anyone have any suggestions about tracing bootup and login processes to track down the malware on this system. Please do not suggest HiJack-this or similar tools, we have been quite thorough in trying to figure out how this is launching and cannot find any discrepancies in the obvious parts of the registry that those types of tools display. Looking for some more advanced methods at finding this..

I have considered kicking off a command script early in the boot process that dumps the output from tasklist repeatedly to an appended text file in an attempt to catch the PID of the process launching the instance of SVC host....

SVCHost itself appears to be uninfected..

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.