Author Topic: I think I might have a worm  (Read 21767 times)


Liza

  • Guest
I think I might have a worm
« on: January 08, 2005, 04:45:07 PM »

Hi,

I hope you can help me. Since a few days before Christmas my computer has been constantly pinged by svchost.exe with the IP address and source DNS of my ISP, which prevents me from loading web pages ("This page cannot be displayed") or makes loading and downloading very slow. (For example, downloading one 719KB program took 1 1/2 hours.)

I am running XP,SP2
Avast AV
Zone Alarm firewall
Spybot
Adaware
Spyware Blaster

I have also tried to find the problem by running Ewido, Trojan Hunter and Trend Micro's HouseCall. I have also done all the other suggested fixes, i.e. emptying temp files, deleting cookies etc. Only one bad program was found, backattack.130, which was cleaned, but still my woes continued. I have tried restoring to a point before my firewall log shows these constant attacks (and rechecked to make sure the backattack thing was gone) and at one point was okay for a few days, but my problems came right back. I have tried changing ISP providers, but even with the new provider svchost.exe shows constant (every few seconds) attempts to contact my computer by my new ISP addresses. I have configured my firewall to allow the ISP address in the trusted zone, and at one time, on advice from my previous ISP, even disengaged the firewall, all to no avail.

When I did a search for svchost.exe I found several references to different types of worms. I am wondering if I could possibly have a new one that AV programs don't recognize?

I downloaded and ran avast 4.5 today with the new 01/07 update but still it found nothing.


I am really getting to the limit of my patience (which is not great to start with <g>) with this and hope that you may be able to help me.

At this point the only solution that I can think of is to completely restore from scratch with the original discs supplied.

Any and all help would be appreciated.

Thanks,

Liz

DukeNukem

  • Guest

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: I think I might have a worm
« Reply #2 on: January 08, 2005, 06:18:02 PM »
Follow the instructions in the malware removal section on my website (see my signature). Do as explained there, then come back here and let us know if the problem is solved.

If not, let us know what exact problems you are still facing.

Liza
Re: I think I might have a worm
« Reply #3 on: January 08, 2005, 09:11:44 PM »

Hi,

As previously stated, I have tried all the updated malware removal programs, Spybot, Adaware, and run Spyware Blaster. I have run Avast many times, including today with yesterday's update. I have run Trojan Hunter and Ewido. I have run Trend Micro's HouseCall online scanner. The only thing any of these programs found was that Trojan Hunter found backattack130, which it found in a program uninstall file and cleaned.
Nothing has helped stop the problem.  No changes have been made to my hosts file as I have that locked against changes.

The exact problem is that my computer is being constantly pinged by something. Most times I am unable to load web pages; I get "This page cannot be displayed", or sometimes, when I am very lucky, I am able to load these pages very slowly. While trying to fix the problems I have downloaded a few programs (Trojan Hunter, Ewido and the online virus scanner), which take an incredibly long time or do not download at all. It took 1 1/2 hours to download HijackThis. According to my firewall logs, almost every time I load a new web page svchost.exe is incoming on my computer about every two seconds. The address that it shows incoming is my ISP. I have changed ISPs and the same thing happens, only it shows that my new ISP is constantly pinging me.
I have the ZoneAlarm firewall installed and running. I have set my ISP up in the trusted zone. Also, on advice from my previous ISP, I have disabled the firewall and still the problem did not go away. I have tried running with just the Windows firewall; nothing has helped. I have uninstalled and reinstalled my firewall and still nothing. Only when I did a system restore back to the beginning of Nov. 2004 did my problems go away for a short while, but then they returned a little at a time over the next few days.

When I did a Google search on svchost.exe I found that many different worms operate in this way.

Any help in finding out what is causing this would be appreciated.

Because of my downloading problems I will wait to download another spyware program until I hear from you, per DukeNukem's instructions.

Thanks,

Liz

Eddy
Re: I think I might have a worm
« Reply #4 on: January 08, 2005, 09:23:19 PM »
Use the process viewer from Sysinternals and track down what exactly is using svchost

Liza
Re: I think I might have a worm
« Reply #5 on: January 09, 2005, 05:51:59 PM »
Hi,

I'm not sure exactly what you mean about process viewer.

If you are referring to the Task Manager process tab here is what it says:

svchost, local service, no cpu, 4212K
svchost, network service, no cpu, 4384K
svchost, system, no cpu, 4212K
svchost, network service, no cpu, 4212K
svchost, system, no cpu, 4212K

Not sure if this is what I am supposed to do.

Thanks

Wolfie0827

  • Guest
Re: I think I might have a worm
« Reply #6 on: January 10, 2005, 05:52:44 AM »
Sysinternals is a company that provides a program similar to Task Manager but better, with more detail, but you may have trouble getting their software if you can't load their page. Suggest you try running msconfig.exe from Start > Run, then disable anything on the tabs you don't recognise. If you still have the problem you may have a trojan; if not, then a setting in Windows, possibly the time sync or file sync, is set wrong.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: I think I might have a worm
« Reply #7 on: January 10, 2005, 01:52:51 PM »
I'm not sure exactly what you mean about process viewer.

http://sysinternals.com/files/procexpnt.zip

svchost = application that works as a host process for services that run from dynamic link libraries.
svchost itself is not harmful. But when it asks for permission to the net, it depends on what is asking. Normally it is ok to allow it, but there are viruses/trojans that are using the svchost process for not so nice reasons. You can use this application to see what modules are used.
The best things in life are free.
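As an added example, not code from the thread or from Avast: on Windows XP the two built-in commands that answer "what exactly is using svchost" are tasklist /svc, which lists the services loaded into each svchost.exe instance, and netstat -ano, which lists the PID behind every TCP/UDP endpoint (XP SP2 also accepts netstat -b to print the image name). The script below parses both outputs and joins them per PID. Both inputs are constructed samples in the XP SP2 layout: the PIDs match the thread, but the service groups, the endpoints and the decoy PID 1488 are assumptions made for this example.

```python
"""Added example: join "tasklist /svc" with "netstat -ano" to show which
services each svchost.exe instance hosts and which sockets it owns.
Both samples are constructed in the layout Windows XP SP2 prints; the PIDs
echo the thread, but the service groups, the endpoints and the decoy
PID 1488 are assumptions made for this example."""
import re
from collections import defaultdict

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    860 DcomLaunch, TermService
svchost.exe                    944 RpcSs
svchost.exe                    980 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, lanmanserver,
                                   lanmanworkstation, SENS, ShellHWDetection,
                                   srservice, TrkWks, W32Time, winmgmt
svchost.exe                   1024 Dnscache
svchost.exe                   1136 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                   1488 N/A
explorer.exe                  1560 N/A
"""

NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1488
  UDP    0.0.0.0:68             *:*                                    980
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1024
  UDP    127.0.0.1:123          *:*                                    980
  UDP    192.168.1.2:1900       *:*                                    1136
"""

_TASK_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field):
    field = field.strip()
    if field in ("", "N/A"):
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}. Rows begin after the '===' rule;
    an indented line continues the previous row's service list."""
    rows, last, in_body = {}, None, False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace():
            rows[last][1].extend(_split_services(line))
            continue
        m = _TASK_ROW.match(line)
        if m:
            last = int(m.group("pid"))
            rows[last] = (m.group("image"), _split_services(m.group("svcs")))
    return rows


def parse_netstat_ano(text):
    """Return {pid: [(proto, local, foreign, state)]}. UDP rows carry no
    State column, so the PID is always read from the last field."""
    sockets = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        sockets[int(parts[-1])].append((parts[0], parts[1], parts[2], state))
    return dict(sockets)


def owner_of_local_port(netstat_text, proto, port):
    """PID owning a local endpoint (UDP 68 is the DHCP client), or None."""
    for pid, socks in parse_netstat_ano(netstat_text).items():
        for p, local, _foreign, _state in socks:
            if p == proto and int(local.rsplit(":", 1)[1]) == port:
                return pid
    return None


def svchost_report(tasklist_text, netstat_text):
    """One row per svchost.exe. A real svchost.exe always hosts at least one
    registered service, so an instance showing N/A is flagged; if it also
    owns sockets, that is the PID to pull the image path and modules for."""
    sockets = parse_netstat_ano(netstat_text)
    report = []
    for pid, (image, services) in sorted(parse_tasklist_svc(tasklist_text).items()):
        if image.lower() == "svchost.exe":
            report.append({"pid": pid, "services": services,
                           "sockets": sockets.get(pid, []),
                           "suspicious": not services})
    return report


if __name__ == "__main__":
    for row in svchost_report(TASKLIST_SVC, NETSTAT_ANO):
        flag = "  <-- CHECK: hosts no service" if row["suspicious"] else ""
        print(f"pid {row['pid']}: {', '.join(row['services']) or 'N/A'}{flag}")
        for proto, local, foreign, state in row["sockets"]:
            print(f"    {proto} {local} {foreign} {state}".rstrip())
```

On a real machine, pipe the two commands into files and feed their contents to svchost_report; the check that matters is an svchost.exe with "N/A" in the Services column, because the genuine binary is only ever started by the Service Control Manager with at least one service to host. The firewall's per-process log names only "svchost.exe", so owner_of_local_port is how you get from the port the log shows to the PID, and from there to the service group.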

Liza
Re: I think I might have a worm
« Reply #8 on: January 10, 2005, 06:09:01 PM »

Hi,

I ran the process program but I have no idea what it means. There does seem to be one that is upset about the time, as per the post by Wolfie.

Here are the five that are running:


Process: svchost.exe Pid: 860

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\TermSrvReadyEvent
Event   \BaseNamedObjects\WinMMConsoleAudioEvent
Event   \BaseNamedObjects\ReconEvent
Event   \BaseNamedObjects\TermSrv:  machine GP event
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\userenv:  User Profile setup event


Process: svchost.exe Pid: 944

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\ScmCreatedEvent

Process: svchost.exe Pid: 980

Type   Name
Desktop   \Default
Desktop   \SADesktop
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\RasAutodialNewLogonUser
Event   \BaseNamedObjects\RasAutodialLogoffUser
Event   \BaseNamedObjects\RasAutodialLogoffUserDone
Event   \BaseNamedObjects\RasAutoDialSharedConnectionEvent
Event   \BaseNamedObjects\Ready0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\IPNAT
Event   \BaseNamedObjects\DHCPNEWIPADDRESS
Event   \BaseNamedObjects\userenv: User Group Policy has been applied
Event   \BaseNamedObjects\Go0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\PrefetchOverrideIdle
Event   \BaseNamedObjects\PrefetchProcessingComplete
Event   \BaseNamedObjects\PrefetchTracesReady
Event   \BaseNamedObjects\SAConEvt
Event   \BaseNamedObjects\PrefetchParametersChanged
Event   \BaseNamedObjects\WkssvcToAgentStartEvent
Event   \BaseNamedObjects\WkssvcToAgentStopEvent
Event   \BaseNamedObjects\AgentToWkssvcEvent
Event   \BaseNamedObjects\wkssvc:  MUP finished initializing event
Event   \BaseNamedObjects\userenv:  User Profile setup event
Event   \BaseNamedObjects\SENS Started Event
Event   \LanmanServerAnnounceEvent
Event   \BaseNamedObjects\SRCounter
Event   \BaseNamedObjects\SRStopEvent
Event   \BaseNamedObjects\SRInitEvent
Event   \BaseNamedObjects\SRIdleReqEvent
Event   \BaseNamedObjects\SC_AutoStartComplete
Event   \Security\TRKWKS_EVENT
Event   \BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WMI_SysEvent_LodCtr
Event   \BaseNamedObjects\WMI_SysEvent_UnLodCtr
Event   \BaseNamedObjects\WMI_RevAdap_Set
Event   \BaseNamedObjects\WMI_RevAdap_ACK
Event   \BaseNamedObjects\WMI_ProcessIdleTasksStart
Event   \BaseNamedObjects\WMI_ProcessIdleTasksComplete
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM

This is the one that seems to be upset about the time. Whether this means anything I don't know.

Process: svchost.exe Pid: 1024

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
File   \Device\WMIDataDevice
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\KsecDD
File   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \Device\NamedPipe\net\NtControlPipe5
File   \Device\Tcp
File   \Device\Ip
File   \Device\Ip
File   C:\WINDOWS\system32
File   C:\WINDOWS\system32\drivers\etc
File   \Device\Tcp
File   \Device\WMIDataDevice

This one does not list any events.

and finally:

Process: svchost.exe Pid: 1136

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent

Once again any and all help is greatly appreciated.

Thanks,

Liz
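As an added example, not part of the thread: a small script that reads a Process Explorer handle listing in the layout pasted above and reduces it to the three things worth knowing per svchost.exe, whether it holds socket handles (\Device\Tcp, \Device\Udp, \Device\Afd\Endpoint, \Device\Ip), whether it has the hosts-file directory open, and which XP services its named events point at. The excerpt is constructed by reusing lines from the posted listing; the event-to-service table is a heuristic of this example, not anything Process Explorer reports.

```python
r"""Added example: triage a Process Explorer handle listing such as the one
posted above. Per svchost.exe it counts socket handles (\Device\Tcp, \Device\Udp,
\Device\Afd\Endpoint, \Device\Ip), notes a handle on the hosts-file directory
and infers resident services from named events. The excerpt is constructed
from the thread's listing; the event-to-service table is this example's own
heuristic, not something Process Explorer reports."""
import re

HANDLE_DUMP = r"""
Process: svchost.exe Pid: 980

Type   Name
Desktop   \Default
Event   \BaseNamedObjects\DHCPNEWIPADDRESS
Event   \BaseNamedObjects\wkssvc:  MUP finished initializing event
Event\BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Event   \BaseNamedObjects\SENS Started Event
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS

Process: svchost.exe Pid: 1024

Type   Name
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Tcp
File   C:\WINDOWS\system32\drivers\etc

Process: svchost.exe Pid: 1136

Type   Name
Event   \BaseNamedObjects\crypt32LogoffEvent
"""

_PROCESS = re.compile(r"^Process:\s+(?P<image>\S+)\s+Pid:\s+(?P<pid>\d+)")
# The separator after the handle type is sometimes lost when the listing is
# pasted into a forum, hence \s* rather than \s+.
_HANDLE = re.compile(
    r"^(?P<type>Desktop|Directory|Event|File|Key|Mutant|Section|Semaphore|Thread|Token)"
    r"\s*(?P<name>\\.*|[A-Za-z]:\\.*)$")

SOCKET_DEVICES = (r"\Device\Tcp", r"\Device\Udp", r"\Device\Ip",
                  r"\Device\RawIp", r"\Device\Afd\Endpoint")

# Substring of an event name -> XP service that creates it (heuristic).
EVENT_HINTS = (
    ("DHCP", "Dhcp"), ("W32TIME", "W32Time"), ("WKSSVC", "lanmanworkstation"),
    ("LANMANSERVER", "lanmanserver"), ("RASAUTODIAL", "RasAuto"), ("SENS", "SENS"),
    ("SHELLHWDETECTION", "ShellHWDetection"), ("WBEM", "winmgmt"),
    ("WINMGMT", "winmgmt"), ("TRKWKS", "TrkWks"), ("TERMSRV", "TermService"),
)


def parse_handle_dump(text):
    """Return {pid: (image, [(type, name), ...])} from the pasted layout."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = _PROCESS.match(line)
        if m:
            cur = int(m.group("pid"))
            procs[cur] = (m.group("image"), [])
            continue
        h = _HANDLE.match(line)
        if h and cur is not None:
            procs[cur][1].append((h.group("type"), h.group("name").strip()))
    return procs


def triage_handles(text):
    """Per process: socket-handle count, hosts-dir handle, inferred services."""
    out = {}
    for pid, (image, handles) in parse_handle_dump(text).items():
        sockets = sum(1 for t, n in handles
                      if t == "File" and n.startswith(SOCKET_DEVICES))
        hosts_dir = any(t == "File" and n.lower().endswith(r"\drivers\etc")
                        for t, n in handles)
        services = {svc for t, n in handles if t == "Event"
                    for needle, svc in EVENT_HINTS if needle in n.upper()}
        out[pid] = {"image": image, "sockets": sockets,
                    "hosts_dir": hosts_dir, "services": sorted(services)}
    return out


if __name__ == "__main__":
    for pid, info in sorted(triage_handles(HANDLE_DUMP).items()):
        print(f"{info['image']} pid {pid}: {info['sockets']} socket handle(s), "
              f"hosts dir open: {info['hosts_dir']}, "
              f"services: {', '.join(info['services']) or 'none inferred'}")
```

Read this way, the listing says which instance is actually on the network (the one with \Device\Tcp, \Device\Udp and \Device\Afd\Endpoint handles, which here is also the one holding the drivers\etc directory where the hosts file lives) and which services the others are hosting; a socket-holding instance whose events name no known service is the one to inspect further in Process Explorer's DLL view.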

Liza
Re: I think I might have a worm
« Reply #9 on: January 10, 2005, 07:46:17 PM »

HI again,

One thing that I forgot to mention: a few programs have been trying to access the internet. I know these are legitimate programs, but I can see no reason that they need internet access. I have denied them access.

One in particular, spool.exe, has tried 22 times. I know this is the printer spooler, but why would it need internet access?

Sorry forgot to mention in last post.

Liz



Eddy
Re: I think I might have a worm
« Reply #10 on: January 11, 2005, 10:58:58 AM »
spoolsv.exe is the print spooler.
spool.exe is the RdBot worm.

Liza
Re: I think I might have a worm
« Reply #11 on: January 11, 2005, 08:33:20 PM »


Sorry,

I meant to type file spoolsv.exe.  I was in a hurry.  Is there a legitimate reason that the print spooler would need access to the internet?

Thanks

Liz

Eddy
Re: I think I might have a worm
« Reply #12 on: January 11, 2005, 08:38:48 PM »
Actually it is not accessing the internet, but a network in general. That is only needed if it is a shared network printer. Other than that you can just block its access to the network in your firewall.

Liza
Re: I think I might have a worm
« Reply #13 on: January 11, 2005, 09:07:28 PM »
Hi,

I think at this point I'm going to give up on trying to find out what's wrong with my computer and just start from the beginning. Is there any site you can direct me to on the best way to restore from the original discs and wipe out everything that's now on there and causing me all my problems?

Thanks for your time and effort in helping me.

Liz

Lisandro
Re: I think I might have a worm
« Reply #14 on: January 12, 2005, 03:55:20 AM »
Is there any site you can direct me to on the best way to restore from the original discs and wipe out everything that's now on there and causing me all my problems?

Well, you gave up quickly...  :-\
I think you just have to put your CD on the tray and start Windows XP installation... when asked, format the hard disk...
Oh, backup first  8)