Avast WEBforum

Other => Viruses and worms => Topic started by: Liza on January 08, 2005, 04:45:07 PM

Title: I think I might have a worm
Post by: Liza on January 08, 2005, 04:45:07 PM

Hi,

I hope you can help me.  Since a few days before Christmas my computer is being constantly pinged by svchost.exe with the IP address and source DNS of my ISP, which prevents me from loading web pages ("this page cannot be displayed") or makes loading and downloading very slow.  (For example, downloading one 719KB program took 1 1/2 hours.)

I am running XP,SP2
Avast AV
Zone Alarm firewall
Spybot
Adaware
Spyware Blaster

I have also tried to find the problem by running ewido, Trojan Hunter and Trend Micro's HouseCall.  I have also done all the other suggested fixes, i.e. emptying temp files, deleting cookies etc.  Only one bad program was found, backattack.130, which was cleaned, but still my woes continued.  I have tried restoring to a point before my firewall log shows these constant attacks (and rechecked to make sure the backattack thing was gone) and at one point was okay for a few days, but my problems came right back.  I have tried changing ISPs, but even with the new provider the svchost.exe shows constant (every few seconds) attempts to contact my computer from my new ISP's addresses.  I have configured my firewall to allow the ISP address in the trusted zone, and at one time, on advice from my previous ISP, even disengaged the firewall, all to no avail.

When I did a search for svchost.exe I found several references to different types of worms.  I am wondering if I could possibly have a new one that AV programs don't recognize?

I downloaded and ran avast 4.5 today with the new 01/07 update but still it found nothing.


I am really getting to the limit of my patience (which is not great to start with <g>) with this and hope that you may be able to help me.

At this point the only solution that I can think of is to completely restore from scratch with the original discs supplied.

Any and all help would be appreciated.

Thanks,

Liz
Title: Re: I think I might have a worm
Post by: DukeNukem on January 08, 2005, 05:15:36 PM
Give this a go.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Title: Re: I think I might have a worm
Post by: Eddy on January 08, 2005, 06:18:02 PM
Follow the instructions in the malware removal section on my website (see my signature). Do as explained there, then come back here and let us know if the problem is solved.

If not, let us know what exact problems you are still facing.
Title: Re: I think I might have a worm
Post by: Liza on January 08, 2005, 09:11:44 PM

Hi,

As previously stated I have tried all the updated malware removal programs, Spybot, Adaware, and run Spyware Blaster.  I have run avast many times including today with yesterday's update.  I have run Trojan Hunter and ewido.  Have run Trend Micro's HouseCall on-line scanner.  The only thing any of these programs found was that Trojan Hunter found backattack130, which it found in a program uninstall file, which it cleaned.
Nothing has helped stop the problem.  No changes have been made to my hosts file as I have that locked against changes.

The exact problem is that my computer is being constantly pinged by something.  Most times I am unable to load web pages; I get "this page cannot be displayed", or sometimes, when I am very lucky, I am able to load these pages very slowly.  While trying to fix the problems I have downloaded a few programs (Trojan Hunter, ewido and the on-line virus scanner) which take an incredibly long time or don't download at all.  It took 1 1/2 hours to download HijackThis.  According to my firewall logs, almost every time I load a new web page svchost.exe is incoming on my computer about every two seconds.  The address that it shows incoming is my ISP.  I have changed ISPs and the same thing happens, only it shows that my new ISP is constantly pinging me.
I have ZoneAlarm firewall installed and running.  I have set my ISP up in the trusted zone.  Also, on advice from my previous ISP, I have disabled the firewall and still the problem did not go away.  I have tried running with just Windows Firewall; nothing has helped.  I have uninstalled and reinstalled my firewall and still nothing.  Only when I did a system restore back to the beginning of Nov. 2004 did my problems go away for a short while, but then they returned a little at a time over the next few days.

When I did a Google search on svchost.exe I found that many different worms operate in this way.

Any help in finding out what is causing this would be appreciated.

Because of my downloading problems I will wait to download another spyware program until I hear from you, per DukeNukem's instructions.

Thanks,

Liz
Title: Re: I think I might have a worm
Post by: Eddy on January 08, 2005, 09:23:19 PM
Use the process viewer from Sysinternals and track down what exactly is using svchost
Title: Re: I think I might have a worm
Post by: Liza on January 09, 2005, 05:51:59 PM
Hi,

I'm not sure exactly what you mean about process viewer.

If you are referring to the Task Manager process tab here is what it says:

svchost, local service, no cpu, 4212K
svchost, network service, no cpu, 4384K
svchost, system, no cpu, 4212K
svchost, network service, no cpu, 4212K
svchost, system, no cpu, 4212K

Not sure if this is what I am supposed to do.

Thanks
Title: Re: I think I might have a worm
Post by: Wolfie0827 on January 10, 2005, 05:52:44 AM
Sysinternals is a company that provides a program similar to Task Manager but better, with more detail; but you may have trouble getting their software if you can't load their page. Suggest you try running msconfig.exe from Start > Run, then disable anything on the tabs you don't recognise. If you still have the problem you may have a trojan; if not, then a setting in Windows, possibly the time sync or file sync, is set wrong.
Title: Re: I think I might have a worm
Post by: Lisandro on January 10, 2005, 01:52:51 PM
I'm not sure exactly what you mean about process viewer.

http://sysinternals.com/files/procexpnt.zip

svchost = Application that works as a host process for services that run from dynamic link libraries.
svchost itself is not harmful. But when it asks for permission to access the net, it depends on what is asking. Normally it is ok to allow it, but there are viruses/trojans that are using the svchost process for not so nice reasons. You can use this application to see what modules are used.
Title: Re: I think I might have a worm
Post by: Liza on January 10, 2005, 06:09:01 PM

Hi,

I ran the process program but I have no idea what it means.  There does seem to be one that is upset about the time, as per the post by Wolfie.

Here are the five that are running:


Process: svchost.exe Pid: 860

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\TermSrvReadyEvent
Event   \BaseNamedObjects\WinMMConsoleAudioEvent
Event   \BaseNamedObjects\ReconEvent
Event   \BaseNamedObjects\TermSrv:  machine GP event
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\userenv:  User Profile setup event


Process: svchost.exe Pid: 944

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\ScmCreatedEvent

Process: svchost.exe Pid: 980

Type   Name
Desktop   \Default
Desktop   \SADesktop
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\RasAutodialNewLogonUser
Event   \BaseNamedObjects\RasAutodialLogoffUser
Event   \BaseNamedObjects\RasAutodialLogoffUserDone
Event   \BaseNamedObjects\RasAutoDialSharedConnectionEvent
Event   \BaseNamedObjects\Ready0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\IPNAT
Event   \BaseNamedObjects\DHCPNEWIPADDRESS
Event   \BaseNamedObjects\userenv: User Group Policy has been applied
Event   \BaseNamedObjects\Go0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\PrefetchOverrideIdle
Event   \BaseNamedObjects\PrefetchProcessingComplete
Event   \BaseNamedObjects\PrefetchTracesReady
Event   \BaseNamedObjects\SAConEvt
Event   \BaseNamedObjects\PrefetchParametersChanged
Event   \BaseNamedObjects\WkssvcToAgentStartEvent
Event   \BaseNamedObjects\WkssvcToAgentStopEvent
Event   \BaseNamedObjects\AgentToWkssvcEvent
Event   \BaseNamedObjects\wkssvc:  MUP finished initializing event
Event   \BaseNamedObjects\userenv:  User Profile setup event
Event   \BaseNamedObjects\SENS Started Event
Event   \LanmanServerAnnounceEvent
Event   \BaseNamedObjects\SRCounter
Event   \BaseNamedObjects\SRStopEvent
Event   \BaseNamedObjects\SRInitEvent
Event   \BaseNamedObjects\SRIdleReqEvent
Event   \BaseNamedObjects\SC_AutoStartComplete
Event   \Security\TRKWKS_EVENT
Event   \BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WMI_SysEvent_LodCtr
Event   \BaseNamedObjects\WMI_SysEvent_UnLodCtr
Event   \BaseNamedObjects\WMI_RevAdap_Set
Event   \BaseNamedObjects\WMI_RevAdap_ACK
Event   \BaseNamedObjects\WMI_ProcessIdleTasksStart
Event   \BaseNamedObjects\WMI_ProcessIdleTasksComplete
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM

This is the one that seems to be upset about the time.  Whether this means anything I don't know.

Process: svchost.exe Pid: 1024

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
File   \Device\WMIDataDevice
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\KsecDD
File   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \Device\NamedPipe\net\NtControlPipe5
File   \Device\Tcp
File   \Device\Ip
File   \Device\Ip
File   C:\WINDOWS\system32
File   C:\WINDOWS\system32\drivers\etc
File   \Device\Tcp
File   \Device\WMIDataDevice

This one does not list any events.

and finally:

Process: svchost.exe Pid: 1136

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent

Once again any and all help is greatly appreciated.

Thanks,

Liz
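The listings above are Process Explorer's handle view, not the module (DLL) view Lisandro refers to, so they cannot show which DLLs are loaded into each svchost.exe. What they can show is which instance actually holds network endpoints: on Windows XP a socket appears as a File handle named \Device\Afd\Endpoint, \Device\Tcp, \Device\Udp or \Device\Ip. The script below is an added example, not part of this thread or of Sysinternals' tooling; it parses a handle dump in the layout posted here (including a name the forum wrapped onto a second line and a line whose type and name were run together) and reports, per PID, how many such network handles each instance holds. The embedded dump is a constructed, abbreviated copy of the listing above, and the set of object names treated as "network" is an assumption for the example.

```python
import re

# Constructed excerpt in the layout of the Process Explorer handle listing
# posted in the thread: three of the five svchost.exe instances, abbreviated,
# including a line wrapped by the forum ("...has been" / "applied") and one
# line whose type and name were run together ("Event\BaseNamedObjects\...").
SAMPLE_DUMP = r"""
Process: svchost.exe Pid: 944

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Event   \BaseNamedObjects\ScmCreatedEvent

Process: svchost.exe Pid: 980

Type   Name
Desktop   \Default
Event   \BaseNamedObjects\userenv: Machine Group Policy has been
applied
Event\BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT

Process: svchost.exe Pid: 1024

Type   Name
Desktop   \Default
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Tcp
File   \Device\Ip
File   C:\WINDOWS\system32\drivers\etc
"""

HEADER_RE = re.compile(r"^Process:\s+(?P<image>\S+)\s+Pid:\s+(?P<pid>\d+)\s*$")
# Handle types as Process Explorer labels them; the name may follow with no space
# and starts either with an object-manager path (\...) or a drive letter (C:\...).
HANDLE_TYPES = ("Desktop", "Directory", "Event", "File", "Key", "Mutant",
                "Section", "Semaphore", "Thread", "Token", "WindowStation")
HANDLE_RE = re.compile(r"^(?P<type>%s)\s*(?P<name>\\.*|[A-Za-z]:\\.*)$" % "|".join(HANDLE_TYPES))

# Object names a socket / TCP / UDP / IP endpoint handle resolves to on XP
# (Afd is the Winsock ancillary function driver). Assumed set for this example.
NETWORK_PREFIXES = (r"\Device\Tcp", r"\Device\Udp", r"\Device\Ip", r"\Device\RawIp", r"\Device\Afd")


def parse_handle_dump(text):
    """Parse a handle listing into {pid: {"image": str, "handles": [(type, name), ...]}}."""
    processes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split() == ["Type", "Name"]:
            continue  # blank line or the column header
        header = HEADER_RE.match(line)
        if header:
            current = processes.setdefault(
                int(header.group("pid")), {"image": header.group("image"), "handles": []})
            continue
        if current is None:
            continue  # stray text before the first "Process:" header
        handle = HANDLE_RE.match(line)
        if handle:
            current["handles"].append((handle.group("type"), handle.group("name")))
        elif current["handles"]:
            # No type column at all: the previous name was wrapped onto this line.
            typ, name = current["handles"][-1]
            current["handles"][-1] = (typ, name + " " + line)
    return processes


def network_handles(proc):
    """Names of the File handles that are really socket / TCP / UDP / IP endpoints."""
    return [name for typ, name in proc["handles"]
            if typ == "File" and name.startswith(NETWORK_PREFIXES)]


def summarize(text):
    """Per PID: image name, total handle count and the network-capable subset."""
    summary = {}
    for pid, proc in parse_handle_dump(text).items():
        summary[pid] = {"image": proc["image"], "handles": len(proc["handles"]),
                        "network": network_handles(proc)}
    return summary


if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE_DUMP).items()):
        flag = "NETWORK" if info["network"] else "-"
        print(f"{info['image']:12} pid {pid:5} handles {info['handles']:3}  {flag}  "
              f"{' '.join(info['network'])}")
```

In the posted listing only PID 1024 holds such handles (plus a handle to the drivers\etc folder, where the hosts file lives), which is consistent with an svchost instance hosting the DHCP and DNS client services rather than with anything unusual. The dump alone cannot prove which services a PID hosts; Process Explorer's own process properties, or `tasklist /svc` where that command is available, give the PID-to-service mapping, and the module view shows whether a DLL that does not belong to a Windows service has been loaded into that instance.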
Title: Re: I think I might have a worm
Post by: Liza on January 10, 2005, 07:46:17 PM

HI again,

One thing that I forgot to mention: a few programs have been trying to access the internet.  I know these are legitimate programs but I can see no reason that they need internet access.  I have denied them access.

One in particular, spool.exe, has tried 22 times.  I know this is the printer spooler, but why would it need internet access?

Sorry forgot to mention in last post.

Liz


Title: Re: I think I might have a worm
Post by: Eddy on January 11, 2005, 10:58:58 AM
spoolsv.exe is the print spooler.
spool.exe is the RdBot worm.
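Eddy's reply shows why the exact file name in a firewall prompt matters: spoolsv.exe is the Windows print spooler, while spool.exe is the name a worm used. The script below is an added example, not code from this thread; it triages firewall-style entries (program path plus attempt count) by checking each image name against a small table of Windows system binaries and their expected folders, and flags three things a defender would want to see: a known name running from the wrong folder, a name within two characters of a known one (spool.exe vs spoolsv.exe), and anything not in the table. The table and the sample entries are constructed assumptions for the example; a real one should be built from a clean install of the same Windows build.

```python
import ntpath

# Expected folder of a few Windows XP system binaries, lower-cased. This table is an
# assumption for the example; build the real one from a clean install of the same build.
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed firewall-style entries: (program path, number of outbound attempts).
SAMPLE_ENTRIES = [
    (r"C:\WINDOWS\system32\spoolsv.exe", 22),   # the real print spooler
    (r"C:\WINDOWS\system32\spool.exe", 5),      # one-word lookalike of the above
    (r"C:\WINDOWS\svchost.exe", 40),            # right name, wrong folder
    (r"C:\WINDOWS\system32\svchost.exe", 40),   # the real service host
    (r"C:\Program Files\Updater\update.exe", 1),
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character name changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, reference_name) for one program path.

    verdict is one of: known, wrong-path, lookalike, unknown.
    """
    path = path.lower()
    image, folder = ntpath.basename(path), ntpath.dirname(path)
    if image in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[image]
        return ("known", image) if folder == expected else ("wrong-path", image)
    nearest = min(KNOWN_BINARIES, key=lambda k: edit_distance(image, k))
    if edit_distance(image, nearest) <= 2:
        return ("lookalike", nearest)
    return ("unknown", None)


def triage(entries):
    """Classify every entry; returns [(path, attempts, verdict, reference), ...]."""
    return [(path, attempts) + classify(path) for path, attempts in entries]


if __name__ == "__main__":
    for path, attempts, verdict, reference in triage(SAMPLE_ENTRIES):
        note = f" (cf. {reference})" if verdict == "lookalike" else ""
        print(f"{verdict:10} {attempts:3} attempts  {path}{note}")
```

A "lookalike" or "wrong-path" verdict is a reason to look closer (file properties, digital signature, creation date, a scan of that one file), not proof of infection, and the reverse holds too: in this thread the suspicious name turned out to be a typo in the post, and the real spoolsv.exe was what the firewall had logged. Attempt counts are kept in the output because a legitimate binary making dozens of attempts is still worth a rule in the firewall, as Eddy suggests two replies later.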
Title: Re: I think I might have a worm
Post by: Liza on January 11, 2005, 08:33:20 PM


Sorry,

I meant to type file spoolsv.exe.  I was in a hurry.  Is there a legitimate reason that the print spooler would need access to the internet?

Thanks

Liz
Title: Re: I think I might have a worm
Post by: Eddy on January 11, 2005, 08:38:48 PM
Actually it is not accessing the internet, but a network in general. That is only needed if it is a shared network printer. Other than that you can just block its access to the network in your firewall.
Title: Re: I think I might have a worm
Post by: Liza on January 11, 2005, 09:07:28 PM
Hi,

I think at this point I'm going to give up on trying to find out what's wrong with my computer and just start from the beginning.  Is there any site you can direct me to on the best way to restore from the original discs and wipe out everything that's now on there and causing me all my problems?

Thanks for your time and effort in helping me.

Liz
Title: Re: I think I might have a worm
Post by: Lisandro on January 12, 2005, 03:55:20 AM
Is there any site you can direct me to on the best way to restore from the original discs and wipe out everything that's now on there and causing me all my problems?

Well, you gave up quickly...  :-\
I think you just have to put your CD on the tray and start Windows XP installation... when asked, format the hard disk...
Oh, backup first  8)
Title: Re: I think I might have a worm
Post by: Liza on January 12, 2005, 03:40:30 PM
Hi Technical,

Quickly, maybe, but as I said in my original post, unfortunately patience is not one of my virtues.  ;)  Three weeks I have been trying to figure out what is wrong.  I guess at this point I really don't know what else I can do.  I don't want to start from the beginning, but I just don't know what else to do.

If you can think of anything else that I haven't tried I would be willing to do it.

Thanks,

Liz
Title: Re: I think I might have a worm
Post by: sdelisle on January 13, 2005, 05:02:40 AM
Hi All

I would like to continue this thread as I too have been having a very similar problem and it started just after New Year. Basically I have ZoneAlarm and I noticed that there was a large amount of Network Activity (I thought it was Internet Activity) but my PC was not doing anything.

Zone Alarm told me it was one of the svchost.exe processes that was causing this. I found that the moment I went in to Task Manager and closed down the svchost.exe process that had the highest Mem Usage my network activity stopped.

I assumed I had some kind of worm or Trojan so I started the long road of researching why.

Eventually I saw a recommendation for Process Explorer as I really wanted to find out what application was piggybacking off the svchost.exe.

I don't really know what I found as I don't have the technical knowledge to figure this out, and I was wondering whether this extra information might help you guys figure this one out?

Should I start a new post?

I have a screen shot from Process Explorer that I have uploaded to my web site

http://home.exetel.com.au/delisle/scrnshot.gif

I am running WinXP Pro, SP2, Zone Alarm 4.5xxx, McAfee Anti Virus.

The thing is, after seeing Process Explorer it occurred to me that perhaps this was a kosher Windows process going across a network (I have 2 PCs networked in a workgroup). I am totally confused, but being paranoid I immediately suspected the worst when I saw it.

Any help appreciated as I am not keen on reformatting, esp. as I can get around the problem by simply killing the offending svchost.exe process in Task Manager.

Regards

Simon
Title: Re: I think I might have a worm
Post by: Lisandro on January 14, 2005, 02:14:29 AM
I am running WinXP Pro, SP2, Zone Alarm 4.5xxx, McAfee Anti Virus.

Simon, I know very little about McAfee (I used it in the late '90s but I quit it for NAV, then AVG and then avast!  :)
Maybe you're lucky to have found the avast forums...  8)
Title: Re: I think I might have a worm
Post by: sdelisle on January 14, 2005, 02:19:10 AM
Simon, I know very little about McAfee (I used it in the late '90s but I quit it for NAV, then AVG and then avast!  :)
Maybe you're lucky to have found the avast forums...  8)
Well, I only bought it because it was recommended. I posted to this forum because you guys seemed to know what you were talking about. I was hoping to find out if I actually did have a Trojan/Worm and if so what it was or what I might do to fix it.

My apologies if I should not be here.

Simon
Title: Re: I think I might have a worm
Post by: Lisandro on January 14, 2005, 04:52:23 AM
Well, I only bought it because it was recommended.

It's good to know that the 'big' companies envy us  ;D

I posted to this forum because you guys seemed to know what you were talking about.

I hope so  ;D

I was hoping to find out if I actually did have a Trojan/Worm and if so what it was or what I might do to fix it.

In fact, it will be better if you uninstall McAfee for a while.
Download and install avast to scan your system.
If you're clean, then you got your answer.
You can uninstall avast and install McAfee after that  8)

My apologies if I should not be here.

Why? You're in the right place to find help  ;)
Maybe you join the family in the future  :)
Title: Re: I think I might have a worm
Post by: DavidR on January 14, 2005, 02:02:59 PM
Hi, welcome to the forums.

I think that you have learned a valuable lesson, no matter what the software, if there is no support, it is worthless. This is without doubt the best support of any AV software I have ever had installed.

There are many ex-McAfee, Norton, AVG, etc. users who are now happy avast users; give it a try, I don't think you will be disappointed.

In the meantime, check out these threads or links.

Advice & Tools for virus/trojan/malware Removal & Prevention (http://forum.avast.com/index.php?topic=5373.0) and Eddy's Website (http://members.home.nl/edeijl/) click the "HiJackThis Section" and also the "Malware removal instructions and applications" section.

For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php