syshid.exe

syshid.exe - Security - Windows & Software

Marsh Posted on 20-12-2004 at 19:30:10

Hi everyone,

We have a dedicated server, and for a week now it has been very sick.

A worm, or at least something that looks like one, called syshid.exe has invited itself in. Its peculiarity is that it creates a good forty processes, thus hogging all the resources by running the CPU at 100%; obviously, it is impossible to kill these processes.

It also blocks the execution of .exe files.

Do you have any information on this nasty thing, and do you know how to get rid of it?

Thanks for your help.


Message edited by vancop on 20-12-2004 at 19:33:19

Marsh Posted on 20-12-2004 at 22:15:43

You can find out more with this:

Download "HijackThis" from:

http://www.spywareinfo.com/~merijn/downloads.html
or
http://www.lurkhere.com/~nicefiles/index.html

- Put it in a folder created specially for it (for example: C:\HijackThis).
- Run it -> "Scan" -> "Save log"
- Open that log/text file with Notepad.
- Copy/paste it here, in a reply, without doing anything else.

Marsh Posted on 23-12-2004 at 04:15:21

I have the same problem on 2 machines belonging to people around me; a real nasty piece of work.

This worm modifies the "exefile" keys in the registry, putting in: syshid.exe "%1" %*
I.e., it runs itself whenever any exe is launched.
It also puts itself in the "Run" keys so that it runs at system startup.

It can also be found under the following names:
svchsot.exe
srvsxc.exe

In general it sits in
C:\WINDOWS\SYSTEM
or
C:\WUtemp

So far I have not managed to get rid of it for good, but I have managed to contain its executions.

Norton sees it, but cannot eradicate it.

Has anyone found a solution?

Update:
Otherwise there is this:
http://es.trendmicro-europe.com/en [...] .A&VSect=O

WFX


Message edited by wfx on 23-12-2004 at 04:50:13

Marsh Posted on 23-12-2004 at 10:12:05

Hi everyone, I'm definitely sorry if I can't explain in French (I can only read it!) but PLEASE don't ban me... this is the only place on the Web talking about this virus, and I hope discussion is more important than language!

My problem is: every single app I try to launch gets a message box asking for a syshid.exe file which cannot be found. I can't run NAV, enter the registry or services or DOS, nothing.

Symptoms as above: a backdoor in C:\WUtemp, a file Xlog.txt, a system.vbs file in the autorun folder.

Hope to find some solution together. Thanks so much and forgive my English!

Marsh Posted on 23-12-2004 at 11:09:53

brucomela

Could you do this:

Download HijackThis from:
http://www.cybertechhelp.com/html/ [...] .php/id/40

Create a new folder only for HijackThis (example: C:\HJT).
Unzip it to this folder.
Click "Scan", then click "Save Log".
Save the log, and copy/paste it into your response to this thread.
Don't check or fix anything yet.

Marsh Posted on 23-12-2004 at 11:18:42

No, unfortunately I can't run HijackThis on my server because it's a .exe and gets blocked before launching by a dialog box asking me to locate syshid.exe.

Don't know how to work out this situation because I can't launch any app.

Marsh Posted on 23-12-2004 at 11:24:31

Take the HDD to another PC, run AV software on it, then put it back in the server.

Marsh Posted on 23-12-2004 at 11:35:33

Have you tried safe mode?

Marsh Posted on 23-12-2004 at 11:44:39

Those both seem to be good ways... at the moment I haven't tried them because I'm controlling the server remotely, and I should check if I can keep doing that in safe mode (using Symantec pcAnywhere, I guess not).

I think I will physically pay a visit to my server and try safe mode first, otherwise move the HD, following your advice.

Thank you for the moment, I will let you know if any solution worked... it's a real mess being unable to face the virus with traditional instruments (AV, registry, services and so on)!!

Marsh Posted on 23-12-2004 at 12:07:55

OK. Let me know if safe mode helped you.
And if possible, post a HijackThis log.

Marsh Posted on 23-12-2004 at 12:40:23

Sure I will after Xmas, Acrobaze, you've been very kind and helpful.

Thanks and Bon Noel! (correct?! ;) )

Marsh Posted on 23-12-2004 at 12:50:32

I have a solution: I was attacked by the infamous syshid and managed to get rid of it completely. Look at the following address:

http://www.generation-nt.com/apps/ [...] opic=26714


Good luck

Squal16

Marsh Posted on 23-12-2004 at 12:51:04

Yes! Merry Christmas!

Marsh Posted on 23-12-2004 at 13:13:55

Squal16, thanks for the suggestion: I've read the topic but my French is not so... technical!... as to understand it (sigh!)... Could you possibly summarize or try to explain (in English if possible) how I should proceed according to that topic, please? Thank you so much, you are all giving me hope!

Marsh Posted on 23-12-2004 at 13:36:04

He deleted the files SYSHID.exe, server.dll and system.vbs,

and edited the registry
from:
HKEY_CLASSES_ROOT\exefile\shell\open\command = syshid.exe "%1" %*
to:
HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*

-----

PS: You have a tool for the registry here:
http://www.annoyances.org/exec/show/article07-102
(But delete the files first.)


Message edited by acrobaze on 23-12-2004 at 15:38:03
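The registry change acrobaze describes here, together with the "exefile" and "Run" key behaviour wfx described earlier in the thread, can be checked offline against a registry export. The following Python script is an added example written for this page; it is not code from the thread or from any tool mentioned in it. It parses a constructed .reg export (sample values modelled on the thread), flags an exefile launch command that differs from the stock "%1" %* default, flags Run entries that point at the filenames the thread lists, and writes out a .reg fragment that restores the default and deletes the flagged values. The batfile and comfile keys, their stock defaults, and the sample export are assumptions.

```python
import re

# Stock defaults for the commands used to launch executables. Assumption: these are the
# Windows XP-era defaults; the thread only quotes the exefile one.
EXPECTED_OPEN_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

# Autostart keys to inspect, and the filenames reported in the thread.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
KNOWN_NAMES = {"syshid.exe", "svchsot.exe", "srvsxc.exe"}

# Constructed sample export mirroring the values described in the thread (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="syshid.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysHid"="C:\\WUtemp\\syshid.exe"
"Backup"="C:\\Program Files\\Backup\\backup.exe /quiet"
'''

# A .reg string value line: @="..." for the default value or "name"="..." for a named one.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}}; '@' is the key's default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else unescape_reg(m.group(1)[1:-1])
                keys[current][name] = unescape_reg(m.group(2))
    return keys


def exe_name(cmd):
    """Basename of the program a Run value launches (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys):
    """Return findings as (key, value_name, actual_value, reason) tuples."""
    findings = []
    for key, expected in EXPECTED_OPEN_COMMANDS.items():
        actual = keys.get(key, {}).get("@")
        if actual is not None and actual != expected:
            # Anything placed before "%1" is wrapped around every launch of that file type.
            findings.append((key, "@", actual, "launch command altered"))
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            exe = exe_name(cmd)
            if exe in KNOWN_NAMES:
                findings.append((key, name, cmd, "autostart of " + exe))
    return findings


def remediation_reg(findings):
    """Build a .reg file that restores altered launch commands and deletes flagged Run values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _actual, _reason in findings:
        lines.append("[" + key + "]")
        if name == "@":
            escaped = EXPECTED_OPEN_COMMANDS[key].replace("\\", "\\\\").replace('"', '\\"')
            lines.append('@="' + escaped + '"')
        else:
            lines.append('"' + name + '"=-')  # "name"=- deletes the value when the .reg is merged
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_REG))
    for finding in found:
        print(finding)
    print(remediation_reg(found))
```

Exporting the relevant keys with regedit (File > Export) from a clean machine and from the suspect one, then running the script on each, shows the difference directly. Merging the generated .reg restores the launch command only after the files themselves have been removed, which is the order acrobaze gives above.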

Marsh Posted on 23-12-2004 at 15:29:30

OK: I deleted server.dll and system.vbs (for the second time; after a reboot or some event they get re-created) and I can't find any syshid.exe. After the deletion I still can't launch regedit or any app... I should actually try safe mode...

Another hint: I found a malicious presence in C:\wutemp, srvsxc.exe, which should be some kind of backdoor: it's active in the process list, impossible to stop because it's in use, impossible to delete for the same reason. I could remove it only immediately after a reboot, but it was re-created... damn!!!

Marsh Posted on 23-12-2004 at 15:36:59

Make sure that you can see hidden files and folders as explained here:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Marsh Posted on 23-12-2004 at 15:45:56

Done, Acrobaze, I can see all files, hidden included... is it strange that a message box also asks me to locate syshid.exe after an app gets launched?

Shall I spontaneously transfer syshid.exe onto my server!? (hara-kiri!)...

Marsh Posted on 23-12-2004 at 15:57:12

brucomela wrote:

...is it strange that a message box also asks me to locate syshid.exe after an app gets launched?

It's because of this line in the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command = syshid.exe "%1" %*

-----

Can you delete syshid.exe now? (In safe mode if needed...)

Marsh Posted on 23-12-2004 at 16:05:13

Can't work in safe mode at the moment, I'm in remote mode, the server is 50 km away, I'll reach it physically after Xmas.

Anyway I can't even find any syshid.exe, and it also sounds strange to me that the registry points to an exe which is missing (and was never deleted!)... unless the aim is to continuously generate the message box asking to locate syshid.exe... if only I could run regedit now!!...

Marsh Posted on 23-12-2004 at 16:13:24

You can perhaps try "Registrar Lite":
http://www.resplendence.com/reglite

Marsh Posted on 23-12-2004 at 16:21:25

Don't forget to disable the Windows System Restore service and purge the "Prefetch" directory.

TrendMicro announces they can detect it; try an online scan!!!

Another solution: if you want to launch an EXE file, rename it as a BAT file and launch it; it works fine, even for regedit.exe => regedit.bat.

"A fighter that came back from a long but victorious combat :P"
WFX

Marsh Posted on 23-12-2004 at 16:40:45

...good idea!!... I've tried it with an app and it works... now I'm going to spoil the whole registry... great, great, great... thanks, I'm going to fight... you'll receive news from me!

Marsh Posted on 23-12-2004 at 16:44:30

brucomela wrote:

Hi everyone, I'm definitely sorry if I can't explain in French (I can only read it!) but PLEASE don't ban me... this is the only place on the Web talking about this virus, and I hope discussion is more important than language!

My problem is: every single app I try to launch gets a message box asking for a syshid.exe file which cannot be found. I can't run NAV, enter the registry or services or DOS, nothing.

Symptoms as above: a backdoor in C:\WUtemp, a file Xlog.txt, a system.vbs file in the autorun folder.

Hope to find some solution together. Thanks so much and forgive my English!

And what happens in safe mode?

Marsh Posted on 23-12-2004 at 16:47:49

Great, great... it works!!... I've removed the entry from the registry and I'm running apps... NAV is running and I'm ready to win the battle!... thank you so much to you all, you gave me great help!! Merry Xmas again my friends!

Marsh Posted on 23-12-2004 at 18:28:42

Congratulations!

Hope you won't receive another "gift" like this one tomorrow night LOL

P.S.
If you have 2 mins, browse the other forums and post your experience and your solution for people who are in trouble like you were ;-)

Marsh Posted on 23-12-2004 at 19:45:51

Great!

Marsh Posted on 29-12-2004 at 14:33:30

Hi
I was "attacked" by this thing too.
Thanks for your explanations, which helped me a lot!
I use Remote Administrator (the equivalent of PC-Anywhere) and I've heard about a vulnerability on port 4889 (the default port of Remote Administrator).
Quite a pain, this thing... it ate up a whole morning of mine!

See you :hello:
