A really nasty virus
-
Well I picked up a really nasty virus today, sysguard.exe. I managed to track down the executable and expunge it, but was still seeing some nasty side effects, which I eventually traced down to a file named shoba.dll that was being launched from both HKCU and HKLM Run in the registry. So I clobbered that file, removed the entries from the registry and rebooted. Lo and behold, the registry entries reappeared, but the shoba.dll (which is clearly an exe in disguise) was unable to run, and a popup message told me so. So then I noticed the explorer.exe had been tampered with and replaced that, and now the registry entries are gone for good. But I still have one remaining problem: something is trying to write to my A: drive every few seconds. I stuck in a write-protected floppy, ran filemon on A:, and found that svchost.exe is trying to write autorun.exe to it (but failing due to the write protection). So now I'm totally stumped. I've run a complete virus check with eTrust (which is the one I'm forced to use by my company) and it turned up nothing. I've looked at all the running processes and system services and don't see anything suspicious. Which means it's likely a trojan hiding inside an otherwise normal process. :mad::mad::mad::mad::mad: Any suggestions on finding out who is asking svchost.exe to write to the floppy? Or ideas on how to track the remaining evil parts of this SOB down? BTW, not knowing what the heck might be going on with the computer, I yanked its network cable to quarantine it. It won't be back on the network until it's either fixed or rebuilt. :(( p.s. Is the lounge a proper forum for this issue? I didn't see any groups for virus discussions.
QRZ? de WAØTTN
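The post above describes persistence through the HKCU and HKLM Run keys, an entry that launches a DLL rather than an executable, and a replaced explorer.exe. The following is an added example (not code from the thread or from any tool mentioned in it) of how a defender would enumerate those autostart keys and flag the entries worth examining first. It assumes an elevated Windows PowerShell 5.1 or later session; the key list and the heuristics are a hypothetical starting set, not a complete catalogue of autostart locations.

```powershell
# Added example: triage the Run/RunOnce autostart keys mentioned in the post.
# Assumptions: elevated Windows PowerShell 5.1+; the key list and heuristics
# below are a hypothetical starting set, not the full set of autostart points.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget {
    param([string]$Command)
    # Pull the launched file out of a Run value: a quoted path, or else the first
    # whitespace-delimited token, with environment variables expanded.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Command)
    $target  = Get-AutorunTarget $Command
    $reasons = @()

    # A DLL started from Run (typically via rundll32) is what the post saw with shoba.dll.
    if ($Command -match '\.dll\b') { $reasons += 'launches a DLL' }

    # Autostart from a user-writable location is a common persistence choice.
    if ($target -match '\\(Temp|AppData|Users|Documents and Settings)\\') {
        $reasons += 'user-writable path'
    }

    # A system binary name living outside the Windows directory (the post's explorer.exe was replaced).
    if ($target -match '\\(svchost|explorer|lsass|csrss)\.exe$' -and
        $target -notmatch '^[A-Za-z]:\\Windows\\(System32\\)?') {
        $reasons += 'system binary name outside Windows dir'
    }

    # Unsigned or tampered targets are worth a look; a missing target is a dangling entry.
    if ($target -and (Test-Path -LiteralPath $target)) {
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'target missing'
    }

    [pscustomobject]@{ Name = $Name; Target = $target; Reasons = ($reasons -join '; ') }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $r = Test-SuspiciousAutorun -Name "$key\$($p.Name)" -Command ([string]$p.Value)
        if ($r.Reasons) { $r }
    }
}
```

Only entries with at least one reason are emitted, so a clean machine prints nothing. The signature check is a triage hint rather than a verdict: plenty of legitimate software is unsigned, and a file that is signed only through a Windows catalog may report NotSigned on older PowerShell versions.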
-
Whenever an infection is as bad as this I nuke the drive and reinstall the OS. Somehow it never feels like you can totally get rid of it, or what else might have been messed with.
// Steve McLenithan
-
NetDave wrote:
I didn't see any groups for virus discussions.
It's as good a place as any I can find. Svchost.exe has always been problematic; there's no easy way to see what it's doing, but it does almost everything (or seems to). I've tried identifying which program is using it many times, most recently using Spy++, but I've never found a way to peek into what all those threads are doing. There's a handy tool for finding out what apps or services are using a dll - Whoslocking - but I've never tried it on an exe file. If you could reach svchost from the Services applet in Admin tools, shutting it down would pop up a box to tell you what other goodies are dependent on it, but it's not there. You could try using Task Manager to end the process and see if it will give you a warning about other processes being affected, but I've never tried that. Theoretically a reboot will undo whatever instability that might cause, but I'm not about to trust MS to do anything right after my recent experiences. Really, there should be some well known tool for determining what the hell svchost is doing by now, but I haven't found one. Maybe some wizard at CP, upon reading of your plight, will take up the task of writing one and publishing it here. That would make a truly useful article! :-D
"A Journey of a Thousand Rest Stops Begins with a Single Movement"
-
Steve McLenithan wrote:
nuke the drive
Yeah, I know Steve. But if I do that then the bad guys win. :mad: I'm paranoid enough to make sure everything is backed up, so no problem there. But to rebuild a system from scratch is at least a full day just to start with, and then an ongoing process to add in the miscellaneous little bits as I find that I need them. What I do in a severe case like this is not to just flatten the drive, but instead buy a new one and build it up from scratch. I keep the other one around, either as another drive in the box or put it into an external drive case, so that I can grab stuff off of it as I need it. But again, that's a big price to pay in terms of reconfiguring my hardware and building a new main drive up from scratch. I don't want to give the bastards the satisfaction, and would rather locate all the nasty bits, kill them, and then pass that info on to others.
QRZ? de WAØTTN
-
NetDave wrote:
A: drive every few seconds. I stuck in a write-protected floppy
I would just remove the A: drive before anyone sees it. ;P
-
I was thinking the same thing! :laugh:
Harvey Saayman - South Africa Software Developer .Net, C#, SQL
you.suck = (you.Passion != Programming & you.Occupation == jobTitles.Programmer)
1000100 1101111 1100101 1110011 100000 1110100 1101000 1101001 1110011 100000 1101101 1100101 1100001 1101110 100000 1101001 1101101 100000 1100001 100000 1100111 1100101 1100101 1101011 111111
-
There are 4 tools I use when cleaning up a PC that have never failed me so far.
1) Hijack this[^] - Advanced scanner. Run it and analyse the results. (Watch out, it gives a lot of false negatives. Only use this if you know what you are doing)
2) ProcessExplorer - from Sysinternals[^] - Better replacement for task manager.
3) CCleaner[^] - Cleans up the c*** and helps identify and disable auto run points.
4) format.exe - Handy little command line tool from MS that is guaranteed to get rid of all viruses. Just type "format c:\" and sit back and wait. ;)
Simon
-
Roger Wright wrote:
Svchost.exe has always been problematic; there's no easy way to see what it's doing
Try Process Explorer[^], Roger - that's a task manager equivalent that (if you hover over the relevant process) will show you what services an svchost is running, or what DLL a rundll process is executing. And it comes from the guys @ SysInternals, so is trustworthy!
Java, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
-
Well, this won't help you now, but after you get things cleaned up, you should use Acronis TrueImage to image the C: drive. Much simpler than reinstalling everything. I always set up the OS on the C: drive by itself, just for this reason.
Best wishes, Hans
[CodeProject Forum Guidelines] [How To Ask A Question] [My Articles]
-
Steve McLenithan wrote:
I nuke the drive
I say we take off and nuke the site from the Sulaco.
If you truly believe you need to pick a mobile phone that "says something" about your personality, don't bother. You don't have a personality. A mental illness, maybe - but not a personality. - Charlie Brooker My Photos/CP Flickr Group - ScrewTurn Wiki
-
NetDave wrote:
found that svchost.exe is trying to write autorun.exe to it
Look at what DLLs are loaded by the process. If you find something suspicious, remove it from safe mode or recovery console. I would also search for newly created .exe/.dll files with relatively small size in 'Windows' and 'Program Files' folders.
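Two suggestions in this thread fit together: the earlier Process Explorer tip (hover an svchost.exe to see which services it hosts) and the reply above (inspect the DLLs loaded into the process, then look for new, small .exe/.dll files under Windows and Program Files). The script below is an added example, not code from the thread or from Sysinternals, that does the same triage from the command line. It assumes an elevated Windows PowerShell 5.1 or later session; the two-day age window and 512 KB size cut-off are hypothetical thresholds chosen for illustration.

```powershell
# Added example: map each svchost.exe to the services it hosts, list loaded
# modules not signed by Microsoft, and find recently created small binaries in
# system directories. Assumptions: elevated Windows PowerShell 5.1+; the age
# and size thresholds are hypothetical.

$MaxSizeBytes = 512KB
$NewerThan    = (Get-Date).AddDays(-2)

function Get-SvchostServiceMap {
    # Win32_Service records the hosting PID, so services can be grouped per svchost.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $hosted = $services | Where-Object ProcessId -eq $proc.Id
        [pscustomobject]@{
            PID      = $proc.Id
            Path     = $proc.Path
            Services = ($hosted | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Get-UnsignedModules {
    param([int]$ProcessId)
    # Modules loaded into the process whose Authenticode signer is not Microsoft,
    # or whose signature does not verify at all.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($m in $proc.Modules) {
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                PID    = $ProcessId
                Module = $m.FileName
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

function Get-RecentSmallBinaries {
    # New, small executables in the Windows and Program Files trees.
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $NewerThan -and $_.Length -lt $MaxSizeBytes } |
        Select-Object FullName, Length, CreationTime
}

Get-SvchostServiceMap | Format-Table -AutoSize
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    ForEach-Object { Get-UnsignedModules -ProcessId $_.Id } | Format-Table -AutoSize
Get-RecentSmallBinaries | Format-Table -AutoSize
```

The service map is the part that answers the thread's question about which svchost is doing what: once a PID is tied to a short list of service names, each service's binary path and DLL can be checked individually. Reading another process's module list needs an elevated session, and a svchost instance whose module list cannot be read at all is itself worth noting. As with any signature-based check, a module that is signed only through a Windows catalog may show NotSigned on older PowerShell versions, so treat the unsigned list as a starting point for inspection rather than a verdict.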
-
Roger Wright wrote:
Svchost.exe has always been problematic; there's no easy way to see what it's doing
Try Process Explorer[^], Roger - that's a task manager equivalent that (if you hover over the relevant process) will show you what services an svchost is running, or what DLL a rundll process is executing. And it comes from the guys @ SysInternals, so is trustworthy!
Java, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
Good tip - Thanks! :-D
"A Journey of a Thousand Rest Stops Begins with a Single Movement"
-
Well it looks hopeless. Thanks to everyone for your suggestions, and to Sohail for the tip on looking at the Service tab in Process Explorer. But in the end, the system is becoming more and more unstable as I try to lobotomize it. X| So I'm making a final backup and will start the long and tedious process of rebuilding from the ground up. Perhaps I'll give the machine a new name - Phoenix. Thanks everyone! :rose:
QRZ? de WAØTTN