svchost.exe

[Cyril]

Hi everybody!
After surfing the web for hours I can't find a solution to my problem. I'm sure to have a trojan but no antivirus can find it and it reappear after formating my disk...
I think it's perhaps a variant of backdoor.beast because the problem comes with the svchost.exe file which connect to the web everytime I start my system and send a lot of information on the web (I see a lot of activity with ZoneAlarm). When I block internet access to this file I can not connect to the web anymore... And when I try to delete the file (in the system32 folder, I have windows xp), it reappear only a few seconds later... I can't believe it! Also when I delete the process in the task manager, it reappear a few seconds later and wants to act as a local and a server service... very strange.  
Any idea from what trojan the problem comes?
Thanks in advance for help.

[.: Mac :.]

did you try http://housecall.trendmicro.com ?

[.: Mac :.]

they just released scan engine 6.810 for the housecall scanner  

[Cyril]

I have tried Norton, Bitdefender, trendmicro (updated), anti-trojan, avg, kaspersky, avast (which was the best for me), but none find this virus...

[raman]

First of all, the file svchost.exe in the System32 foder(under Win2000/xp) is a systemfile which is needed. If you want us to take a closer look at your "Problem" please post a Hijackthislog.
You can download the programm here:  http://mjc1.com/mirror/hjt/
Download,  unzip and start the Exefile. Press "scan", "save log",  after saving it, post the content(via copy/paste) of the Editor-windows, which will appear.

[Cyril]

Logfile of HijackThis v1.97.7
Scan saved at 16:33:42, on 27.11.2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\program files\amp winoff\winoff.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.1785300926

I see nothing special except the two svchohst.exe processes and the spoolsv.exe which also tries to connect to the web...
 

[raman]

The Problem is not a virus it seems to be a browser-hijacker. Maybe this infos will help: http://www.spywareinfo.com/~merijn/cwschronicles.html .
Please post a new log after using cwshredder.

[Cyril]

I think you're right because cwshredder found 5 infected startpages :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html

Cwshredder have fixed these infected files as you can see in the new hijackthis log :

Logfile of HijackThis v1.97.7
Scan saved at 11:03:02, on 28.11.2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\program files\amp winoff\winoff.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.1785300926

But the problem with the svchost.exe and the spoolsv.exe files has not dissapeared. I think it's perhaps a new variant of coolwebsearch browser hijack. My internet access has slowdown, I have some graphical problem in my internet browser when loading, and strange traffic while surfing... So I really think it's a browser hijack but I haven't any redirection to other website, perhaps because I use Crazybrowser which blocks popups windows.  Any ideas? Should I contact the cwschredder author?

[raman]

But the problem with the svchost.exe and the spoolsv.exe files has not dissapeared.  Any ideas? Should I contact the cwschredder author?

No, your log seems to be clear. You must remember it is normal that the svchost connects to the Internet. It depense which services you have started. You may take a look at this site: http://www.blackviper.com/WinXP/servicecfg.htm
But be aware of what you are doing!!

[Cyril]

You must remember it is normal that the svchost connects to the Internet. It depense which services you have started

Ok but is it normal that svchost and spoolsv services always connect to the web at windows startup and wants to act as local and server services?!

[raman]

I do not use a Desktop Firewall, but that is possible. SOme Parts of the services are used to automaticly update windows, univ.plug´n play, Timesync. and so on.

[Cyril]

I still haven't solved my problem and I experienced very strange things yesterday: I couldn't connect to the web anymore but I saw with my firewall that the svchost.exe file (generic host process for win32 service) was runinng and sending informations to the web... And today I can connect to the web again but the svchost.exe file is still running...

Here's a list of the services using the svchost.exe file and running:

Service                             Exécutable                    Statut   Démarrage

WZCSVC                  svchost.exe -k netsvcs   Running   Auto
wuauserv                svchost.exe -k netsvcs   Running   Auto
WmdmPmSp            svchost.exe -k netsvcs   Running   Auto
winmgmt                 svchost.exe -k netsvcs   Running   Auto
WebClient               svchost.exe -k LocalService   Running   Auto
W32Time                 svchost.exe -k netsvcs   Running   Auto
uploadmgr               svchost.exe -k netsvcs   Running   Auto
TrkWks                     svchost.exe -k netsvcs   Running   Auto
Themes                    svchost.exe -k netsvcs   Running   Auto
TermService             svchost.exe -k netsvcs   Running   Manual
SSDPSRV                  svchost.exe -k LocalServi ce   Running   Manual
srservice                  svchost.exe -k netsvcs   Running   Auto
ShellHWDetection    svchost.exe -k netsvcs   Running   Auto
SENS                        svchost.exe -k netsvcs   Running   Auto
seclogon                  svchost.exe -k netsvcs   Running   Auto
Schedule                  svchost.exe -k netsvcs   Running   Auto
RpcSs                       svchost -k rpcss                   Running   Auto
RemoteRegistry       svchost.exe -k LocalService   Running   Auto
Nla                           svchost.exe -k netsvcs   Running   Manual
Netman                    svchost.exe -k netsvcs   Running   Manual
Messenger               svchost.exe -k netsvcs   Running   Auto
LmHosts                   svchost.exe -k LocalService   Running   Auto
lanmanworkstation  svchost.exe -k netsvcs   Running   Auto
lanmanserver           svchost.exe -k netsvcs   Running   Auto
helpsvc                     svchost.exe -k netsvcs   Running   Auto
FastUser
Switching
Compatibility            svchost.exe -k netsvcs   Running   Manual
EventSystem            svchost.exe -k netsvcs   Running   Manual
ERSvc                       svchost.exe -k netsvcs   Running   Auto
Dnscache                 svchost.exe -k NetworkServiceRunning   Auto
dmserver                 svchost.exe -k netsvcs   Running   Auto
Dhcp                        svchost.exe -k netsvcs   Running   Auto
CryptSvc                  svchost.exe -k netsvcs   Running   Auto
Browser                   svchost.exe -k netsvcs   Running   Auto
AudioSrv                  svchost.exe -k netsvcs   Running   Auto

Does anyone see something unusual?

[Cyril]

I think the problem has gone!  
I have disabled the SSDPSRV service and the strange svchost.exe activity has disappeared...
I still haven't any idea of what kind of problem it was. Anyway thanks a lot for the help (the blackviper link was very usefull!)  

[Cyril]

Finally the problem has not dissapeared...  :'(
I still have the same problems. It's very strange because the problem appears only every thursday or friday: I can't connect to the web anymore and something is using the svchost.exe service and sends traffic to the web. I have disabled all useless and dangerous services which use the svchost.exe file but the problem is still remaining. And I found something strange too : I can connect the web again when I use a link in some application (for example the help link in zone alarm). Totally confusing...