Author Topic: svchost.exe virus  (Read 14586 times)


Soul Tsukino

  • Guest
svchost.exe virus
« on: April 13, 2011, 05:31:13 PM »
I've been infected with an svchost.exe virus that is making svchost usage shoot through the roof a few minutes after logging in. This is the second time I've been infected with such a virus, but all the things I did last time to clear it up aren't working. Between Avast (which, to put it bluntly, let this virus in twice), Microsoft Security Essentials, Malwarebytes, CCleaner, the ESET online scanner and the Windows Malicious Software Removal Tool, nothing seems to clear it out (only stuff started by the virus itself). I also have Process Explorer and that isn't showing anything unusual either.

I'm running Windows XP and I keep getting an Avast alert with 199.80.55.19 that points to the svchost.exe file.

I've completely lost my patience for this whole thing so any help would be great



Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • Posts: 1660
  • I wish I could write longer personal text!!
Re: svchost.exe virus
« Reply #1 on: April 13, 2011, 05:33:15 PM »
Are you sure you are infected and your problem is not a software conflict or another Windows problem?
If any software detected malware, can you name it?
Twitter: OmidFarhangEn - OS: Manjaro KDE

spg SCOTT

  • Guest
Re: svchost.exe virus
« Reply #2 on: April 13, 2011, 05:40:25 PM »
Omid:

Quote
I'm running Windows XP and I keep getting an Avast alert with 199.80.55.19 and pointing to the svchost.exe file

Soul Tsukino,

There is only one other thread that I can find on the forum, and it seems that maybe essexboy will need to help.
It seems something is using svchost to call home...
http://forum.avast.com/index.php?topic=72125

Are there any detections from the other tools you have run?

Just a side note, do you have avast and MSE installed at the same time?
This isn't advised and could cause issues in the long run.



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89129
  • No support PMs thanks
Re: svchost.exe virus
« Reply #3 on: April 13, 2011, 05:46:27 PM »
@ Soul Tsukino
Well, svchost is, as the name implies, a service host and is most likely being misused by another function, either undetected or hidden (by a rootkit); this could be a trojan downloader.

In this case, fortunately, the network shield is usually quite good at blocking access to the malicious site. See the image (click to expand) of the location of that IP address; does it ring any bells?
Though the only time svchost should connect, as far as I'm aware, is for Windows Update.

So given that all of the other tools you have thrown at this appear to come up clean, e.g. 'nothing seems to clear it out,' presumably that is because they didn't find anything?
If they did, what was it?

Notably, you mention MSE; if that is also installed on your system with avast, that in itself could be causing issues: duplication of scanning, possible conflicts, etc.

Having two resident scanners installed is one too many and not recommended, as rather than providing twice the protection it can cause conflicts that could leave you more vulnerable.
« Last Edit: April 13, 2011, 05:50:49 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
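Added example (not from any post in this thread, and not an Avast tool): DavidR's point is that svchost.exe is only a host, so the useful question is which svchost instance, hosting which services, is the one talking to that address. On Windows XP the two built-in commands `tasklist /svc` and `netstat -ano` give the two halves of that answer, and the Python script below correlates them. The two outputs embedded in it are constructed samples (the PIDs, ports and the 65.55.184.16 address are made up; 199.80.55.19 is the address from the alert). The "Windows Update" flag is a heuristic only, since BITS, W32Time, Dnscache and other services hosted in svchost also make outbound connections; on a live machine you would still confirm that the image path is %SystemRoot%\System32\svchost.exe and the parent is services.exe, which Process Explorer shows directly.

```python
"""Correlate `tasklist /svc` with `netstat -ano` to triage svchost.exe instances.

Added example for this thread, not a tool from the original posts. It parses the
text that the two built-in Windows XP commands print, then reports, for every
svchost.exe PID, the services it hosts and its ESTABLISHED connections to
non-local addresses. The two outputs below are constructed samples: PIDs, ports
and 65.55.184.16 are made up; 199.80.55.19 is the address from the Avast alert.
"""
import ipaddress
import re
from collections import OrderedDict

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   672 N/A
svchost.exe                    844 DcomLaunch, TermService
svchost.exe                    932 RpcSs
svchost.exe                   1004 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver, lanmanworkstation,
                                   Netman, Schedule, SENS, W32Time, winmgmt,
                                   wscsvc, wuauserv, WZCSVC
svchost.exe                   1128 Dnscache
svchost.exe                   1276 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                   2212 N/A
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1128
  TCP    192.168.1.10:1057      65.55.184.16:80        ESTABLISHED     1004
  TCP    192.168.1.10:1061      199.80.55.19:80        ESTABLISHED     2212
  TCP    192.168.1.10:1062      199.80.55.19:443       ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

PROC_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")
TCP_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")


def _split_services(field):
    """'A, B,' -> ['A', 'B']; 'N/A' -> []."""
    if field.strip() == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return OrderedDict pid -> (image name, [hosted services]).

    tasklist wraps long service lists onto continuation lines that start with
    whitespace; those are appended to the previous process."""
    procs = OrderedDict()
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("="):
            continue
        if line[0].isspace():
            if last is not None:
                procs[last][1].extend(_split_services(line))
            continue
        m = PROC_RE.match(line)
        if not m:
            continue  # the header line has no numeric PID column
        pid = int(m.group("pid"))
        procs[pid] = (m.group("name").strip(), _split_services(m.group("svcs")))
        last = pid
    return procs


def parse_established(text):
    """Return dict pid -> [remote endpoint] for ESTABLISHED TCP connections."""
    conns = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m and m.group("state") == "ESTABLISHED":
            conns.setdefault(int(m.group("pid")), []).append(m.group("remote"))
    return conns


def is_external(endpoint):
    """True for a routable address: not loopback, RFC1918, link-local or unspecified."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def triage(tasklist_text, netstat_text):
    """Per-svchost report: hosted services, external connections, triage flags."""
    procs = parse_tasklist_svc(tasklist_text)
    conns = parse_established(netstat_text)
    report = OrderedDict()
    for pid, (name, services) in procs.items():
        if name.lower() != "svchost.exe":
            continue
        external = [r for r in conns.get(pid, []) if is_external(r)]
        flags = []
        if not services:
            # a genuine svchost is started by services.exe to host a service group
            flags.append("no hosted services")
        if external and "wuauserv" not in services:
            # heuristic only: BITS, W32Time, Dnscache etc. also talk to the network
            flags.append("external connection outside the Windows Update host")
        report[pid] = {"name": name, "services": services, "external": external, "flags": flags}
    return report


if __name__ == "__main__":
    for pid, r in triage(TASKLIST_SVC, NETSTAT_ANO).items():
        print("PID %5d services=%-2d external=%s flags=%s"
              % (pid, len(r["services"]), r["external"] or "-", r["flags"] or "-"))
```

Run the two commands on the affected machine, paste their output into the two strings (or read them from files), and look at the rows that carry flags. PID 2212 in the sample is the shape to look for: an svchost instance that hosts no service group yet holds connections to a public address.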

Soul Tsukino

  • Guest
Re: svchost.exe virus
« Reply #4 on: April 13, 2011, 07:01:28 PM »
Honestly, I uninstalled Avast for a long time after it began letting Antivirus 2010 and similar viruses into my system and went with MSE. However, MSE decided to start letting in viruses after a while too, so they seem to actually work when they are both running.

Hijack this scan:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:48:25 AM, on 4/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USERNAME\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soultsukino.info/phpBB3/index.php
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: Advertising Cookie Opt-out - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB100\WUSB100.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135611153187
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} (VPlayer Control) - http://video.vividas.com/CDN1/5029_paramount/en/web/player/vivid_ocx.jpeg
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9a84eab0fbfaa) (gupdate1c9a84eab0fbfaa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8855 bytes

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89129
  • No support PMs thanks
Re: svchost.exe virus
« Reply #5 on: April 13, 2011, 07:16:21 PM »
Sorry, but HijackThis is virtually worthless now, as so many malware variations can avoid it and it doesn't look in the areas where malware hides.

Add to that that it hasn't had any development in years; a security application has to be maintained to keep pace with developments, otherwise it is worthless.

So I would advise going to essexboy's post and start with OTS, http://forum.avast.com/index.php?topic=72125.msg601861#msg601861.


Offline Pondus

  • Probably Bot
  • Posts: 37547
  • Not a avast user
Re: svchost.exe virus
« Reply #6 on: April 13, 2011, 07:20:28 PM »
Quote
However MSE decided to start letting in viruses after a while to so they seem to actually work when they are both running.
Never install two antivirus programs (see the reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

Use Malwarebytes PRO with the protection module / IP block and autoupdate.
Price: a one-time fee for a lifetime license.

REDACTED

  • Guest
Re: svchost.exe virus
« Reply #7 on: April 13, 2011, 07:28:21 PM »
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)

Fix these in HijackThis.

Look, here is the file; according to the entry it is no longer there (file missing).
The virus is already known; most likely it's gone.


http://security.comprolive.com/2011/03/trojan-koblu-sopiclick-refpron.html

http://www.threatexpert.com/report.aspx?md5=ff061cc088bd21ed382a512c54b9158c

http://forums.malwarebytes.org/index.php?showtopic=73760

Try these:

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.freedrweb.com/cureit/?lng=en

« Last Edit: April 13, 2011, 07:35:09 PM by Dim@rik »
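Added example, not from the thread and not HijackThis's own code: the log posted in Reply #4 is line-oriented ("O23 - Service: name - owner - path"), so the entries singled out in Reply #7 can be picked out mechanically. The script below splits each entry into its " - " separated fields and reports targets marked "(file missing)" and O23 services with "Unknown owner". The sample it runs on is an excerpt of the posted log. For O20 entries the registry key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name>: a DLL named there is loaded by winlogon.exe (which runs as SYSTEM) at logon, so an entry whose DLL is gone is an orphan to clean up, while the same entry with the DLL present is a persistence mechanism and the DLL itself is what to examine.

```python
"""Parse HijackThis log lines and pull out the entries a reviewer looks at first.

Added example for this thread (not the forum's or HijackThis's own code). It
splits each 'Oxx - ...' line into its ' - ' separated fields and flags entries
whose target file is reported missing (the orphaned O20 Winlogon Notify keys)
and O23 services with no publisher ('Unknown owner'). SAMPLE_LOG is an excerpt
of the log posted earlier in the thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O20 - Winlogon Notify: itlnfw32 - itlnfw32.dll (file missing)
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (file missing)
"""

# Every HijackThis entry starts with its section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return a list of dicts: section, fields (body split on ' - '), raw line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        fields = [f.strip() for f in m.group("body").split(" - ")]
        entries.append({"section": m.group("section"), "fields": fields, "raw": line.strip()})
    return entries


def triage_hjt(text):
    """Group the entries a reviewer would look at first."""
    entries = parse_hjt(text)
    missing = [e for e in entries if "(file missing)" in e["raw"]]
    unknown_owner = [e for e in entries
                     if e["section"] == "O23" and "Unknown owner" in e["fields"]]
    winlogon_notify = [e for e in entries
                       if e["section"] == "O20" and e["fields"][0].startswith("Winlogon Notify:")]
    return {
        "counts": Counter(e["section"] for e in entries),
        "missing_file": missing,
        "unknown_owner": unknown_owner,
        "winlogon_notify": winlogon_notify,
    }


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG)
    print("entries per section:", dict(result["counts"]))
    for key in ("winlogon_notify", "missing_file", "unknown_owner"):
        print(key)
        for e in result[key]:
            print("   ", e["raw"])
```

A service that shows "Unknown owner" is not malicious by itself (the Dell and Intel entries here are vendor leftovers without version information), but together with "(file missing)" it marks a registry entry pointing at nothing, which is the same kind of orphan as the two O20 lines.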

dansorin

  • Guest
Re: svchost.exe virus
« Reply #8 on: April 13, 2011, 07:36:23 PM »
Quote
I've been infected with an svchost.exe virus that is making svchost usage shoot through the roof after a few minutes of logging in. ... I also have process explorer and that isn't showing anything unusual either

I'm running Windows XP and I keep getting an Avast alert with 199.80.55.19 and pointing to the svchost.exe file...
Is your XP up to date? Because I have seen this behaviour on a previously infected computer which was cleaned. svchost.exe was "eating" all of the CPU, rendering the computer almost useless. Scanning with several tools (besides avast) showed nothing. I brought XP up to date and the problem was gone.

argus

  • Guest
Re: svchost.exe virus
« Reply #9 on: April 13, 2011, 08:25:49 PM »
If the svchost was created by malware, an update will not help. HJT cannot show this malware.

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your antivirus program.
If you are unsure how to do this, please read these instructions.

> Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post log reports ( ComboFix.txt) back to topic.

Soul Tsukino

  • Guest
Re: svchost.exe virus
« Reply #10 on: April 14, 2011, 04:52:44 AM »
My OTL reports:

http://www.soultsukino.info/OTL.Txt

http://www.soultsukino.info/Extras.Txt


And yes, those are legit addresses. Godaddy was having a sale on .info addresses at the time.


Also here are the pop ups I'm getting from Avast.

First is a delete warning that has: MBR://physicaldrive 0

The other is a "suspicious" warning that has a bunch of: \??C:\...{10bc73c-cd25-411D-   followed by a:  \.\physicaldrive0 mbr:TD4

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
Re: svchost.exe virus
« Reply #11 on: April 14, 2011, 07:09:04 PM »
OK, first could you attach the OTL logs please, as the upload site destroys the formatting.

But first

Download aswMBR.exe (511 KB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.
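Added example, not aswMBR and not code from any post in the thread: the Avast alerts quoted in Reply #10 name the MBR of physical drive 0, and aswMBR reads that same first sector. The Python below shows what is in those 512 bytes (boot code, disk signature, four partition entries, the 0x55AA marker) and how to keep a baseline hash of the boot code so a later read can be compared against it. The sector it checks is constructed for the example; read_sector0() reads a real one and needs administrator rights, and its default device path is an assumption about the machine in question. The caveat a practitioner would add: an MBR rootkit that filters disk reads can hand a user-mode reader a clean sector, so a clean result from a script like this does not clear the drive. That is what a dedicated anti-rootkit scanner, or a read of the disk from boot media, is for.

```python
"""Parse and baseline-check a 512-byte Master Boot Record.

Added example for this thread; it is not aswMBR and not code from the posts.
parse_mbr() decodes the classic MBR layout (440 bytes boot code, 4-byte disk
signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA marker);
check_mbr() reports structural problems and, given a baseline SHA-256 of the
boot code, any change to it. build_sample_mbr() constructs the sector used
here; read_sector0() reads a real one and needs administrator rights.
"""
import hashlib
import struct

SECTOR_LEN = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def read_sector0(device=r"\\.\PhysicalDrive0"):
    # Windows raw device path (assumed for this machine); on Linux use e.g. /dev/sda.
    with open(device, "rb") as f:
        return f.read(SECTOR_LEN)


def parse_mbr(sector):
    """Decode one MBR sector into its signature, disk id, boot-code hash and partitions."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "active": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_sha256=None):
    """Return a list of findings; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if baseline_boot_sha256 and info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has a zero start or length" % p["index"])
    return findings


def build_sample_mbr():
    """Constructed sector: placeholder boot code and one active NTFS (0x07) partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0xA1B2C3D4) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 63, 62910477)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_sig + table + b"\x55\xaa"


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["boot_code_sha256"]
    print("clean:", check_mbr(sample, baseline))
    tampered = bytearray(sample)
    tampered[0x10] ^= 0xFF  # simulate one patched byte in the boot code
    print("tampered:", check_mbr(bytes(tampered), baseline))
```

Record the boot-code hash of a known-clean sector once (after a clean install or a confirmed clean scan) and compare against it later; the partition table is expected to change only when disks are repartitioned, so a changed boot code with an unchanged table is the pattern an MBR-level infection leaves when it is visible at all.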

Soul Tsukino

  • Guest
Re: svchost.exe virus
« Reply #12 on: April 14, 2011, 07:17:58 PM »
Here ya go

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
Re: svchost.exe virus
« Reply #13 on: April 14, 2011, 07:34:19 PM »
Could you attach the OTL logs please.

Re-run aswMBR.

Click Scan.

On completion of the scan, click the Fix button.

Save the log as before and post it in your next reply.

Soul Tsukino

  • Guest
Re: svchost.exe virus
« Reply #14 on: April 14, 2011, 07:59:58 PM »
Here are the logs