scchost.exe

Purdue_Boiler · #1 10-19-2005, 12:35 AM

I am getting a Symantec warning of a quarantined file that I can not see or find.

The PC is a Dell P4 running Windows 2000, networked, Symantec antivirus corporate edition 8.whatever.

Symantec file real time scanner comes up with scchost.exe and scchostc.exe

It looks somewhat similar to an older virus (w32.hllw.donk) but after updating Windows and Symantec to 10/17/2005, it still is infected. It also does not have the registry key that Symantec said it does (services host=scchost.exe)

The interesting part is that the PC boots up fine, and logs in fine, and then the right (received) activity light is on and stays on till around 1000 and then Symantec warns of a new quarantined file.

This PC is behind a firewall, and should not have any internet access what so ever. Also, I have noticed the same threat log on two other PCs (Windows 2000)

I have booted in safe mode and done a full system scan, as well as a stinger that McAfee released 10.05.2005 with no luck.

I am in the process of running HiJackThis on the PC to get any other information, but was wondering if anyone else has seen this in the past 24 hours

Thanks for any help

Overclocked Doc · #2 10-27-2005, 03:04 PM

Where is Norton telling you that the infected files lives?
Have you changed the folders option (control panel) to "show hidden files"?

Purdue_Boiler · #3 10-27-2005, 03:23 PM

Quote:

Originally Posted by Overclocked Doc

Where is Norton telling you that the infected files lives?
Have you changed the folders option (control panel) to "show hidden files"?

The infected files lived in WINNT\system32

Some of the other IT guys I work with found some things to remove that seemed to work. Not sure if anyone esle has seen this... or if we removed some files that we shouldn't have

... but all seems well now

Basicly its:
Search the registry for the following and delete
- Nsdat.exe
- Sysql.exe
- Scchost
- Internat.exe
Navigate to Hkey_Local_Machine\system\controlset001\services\
- Delete the folder WindowsSysBoot
Go to the C:\ drive and delete the following
- Pxro.exe
- Fc.exe
Go to WinNT\System32
- find the file labeled "i" (there is no extention to this file, but when you open it in notepad it has an IP address and thats who infected you)
Delete the following files in WINNT\system32
- i
- scchostc.exe (if not quarantined by antivirus)
- scchost.exe (if not quarantined by antivirus)
Open Task Manager and stop all SYSQL.EXE processes
Reboot

Symantec said that scchostc.exe is a Backdoor.Daemonize threat and that scchost.exe is a Backdoor.Trojan

I am used to McAfee and not sure exactly what is meant by "threat"

. Is it the clasification of the virus, or is this the name of it?

Thanks

Purdue_Boiler · #4 11-29-2005, 11:31 AM

The infected computers were using Symantec Antivirus Corporate Edition 8.0.0.9374 and 8.1.0.825

It warned about the threat Trojan.Dropper (file names dc2.exe and prox[1].exe) and moved them to Quarantine, but the infected computers still were eating up the bandwidth of the network / internet line

Symantec seems to work really well, and the Symantec System Center Console is extremely useful monitoring multiple sites virus activity / infection

We are renewing our contract with them at the beginning of the year, do you have any suggestions of a better antivirus program with the a virus console to maintain, administer all antivirus clients?