svchost problem


Post by ph0bYx »

Hello everyone!

I have a little problem. A svchost on my computer is downloading something, and I have no idea what it is.
The first thing that came to my mind is that I have a false svchost.
But before exploring that option I turned off my modem and started with the malware scan routine.
NOD32 reported mvbswe-8 to be a potential trojan, but only a part of it was downloaded.
SpywareTerminator reported reboot.exe to be on my computer, among the usual cookie false positives.
So I deleted those files and rebooted, turned my modem back on and waited. And it was still downloading something big.
I started TCPView, closed the connection and started googling about false svchosts.
I found on a forum that a virus called Blaster uses false svchosts and that I should check the registry, but before doing that I cleaned the registry with CCleaner.
If it was the Blaster virus, then it had to have an entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

but there wasn't anything unusual.
The svchost was still downloading something, and I have automatic updates turned off.
I didn't know what else to do but restore my system. So I went to System Restore and found that I have no restore points other than today's.

Now I need your help to find out what it is and to try and solve it.
Here's the HijackThis log file if it helps:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:56, on 18.3.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\DOCUMENTS AND SETTINGS\ADMIN\DESKTOP\PROCEXP.EXE
C:\Documents and Settings\Admin\Desktop\Tcpview.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\Admin\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9287 bytes
Currently I'm scanning my computer with NOD again after it updated, and closing connections for the svchost :D
Hope to hear from you soon! ;)

*edit*
Maybe this screenshot of TCPView while the svchost was downloading could help:
http://img205.imageshack.us/img205/9727/catsm.jpg


Post by bad_brain »

notice the little difference:

C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe

I am not 100% sure, but it's at least suspicious... check if you have a duplicate system32 folder named System32.
if you want to check the strange traffic, get Wireshark and capture it; you can send the capture file to me via email... but please make sure that you have no other network activity at the same time (like a download or surfing)... :wink:

p.s. and this one is at least spyware:


C:\PROGRA~1\Crawler\CToolbar.exe
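The path check suggested above can be done mechanically over the "Running processes" section of a HijackThis log. The following is an added example for this thread, not code from the forum or from HijackThis. One caveat worth knowing when reading such logs: on a default NTFS install Windows compares paths case-insensitively, so C:\WINDOWS\System32 and C:\WINDOWS\system32 name the same directory; the check that catches impostors is which directory a binary runs from (and whether its name is a near-miss of a real one), not the capitalisation. The expected-location table, the sample log (genuine lines from the log above plus three planted entries) and the lookalike rule are all constructed for illustration.

```python
"""Audit the 'Running processes' section of a HijackThis log for core Windows
binaries running from the wrong directory, or under a lookalike name.
Added example, not part of the forum thread or of HijackThis."""
import ntpath
from typing import Dict, List, Tuple

# Where a few frequently impersonated system binaries live, relative to the
# Windows directory ("" = directly inside it). Constructed table.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}

# Constructed sample: lines from the posted log plus three planted entries
# (svchost outside system32, a transposed 'scvhost', lsass.exe in Temp).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scvhost.exe
C:\Documents and Settings\Admin\Local Settings\Temp\lsass.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance (insert/delete/substitute/swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def parse_running_processes(log: str) -> List[str]:
    """Return the paths listed between 'Running processes:' and the next blank line."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().lower() == "running processes:"), None)
    if start is None:
        return []
    paths = []
    for line in lines[start + 1:]:
        if not line.strip():
            break
        paths.append(line.strip())
    return paths


def normalize(path: str) -> str:
    """Canonical, case-folded form: both System32 spellings collapse to one."""
    return ntpath.normpath(path).lower()


def classify(path: str, windir: str = r"C:\WINDOWS") -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'ok', 'suspicious' or 'unknown'."""
    norm = normalize(path)
    name = ntpath.basename(norm)
    if name in EXPECTED_DIR:
        expected = normalize(ntpath.join(windir, EXPECTED_DIR[name], name))
        return ("ok", expected) if norm == expected else ("suspicious", f"expected {expected}")
    for known in EXPECTED_DIR:  # near-miss names such as scvhost.exe or svch0st.exe
        if osa_distance(name, known) == 1:
            return "suspicious", f"name resembles {known}"
    return "unknown", "not a monitored system binary"


def audit(log: str, windir: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Group the log's process paths by verdict, de-duplicating case variants."""
    result: Dict[str, List[str]] = {"ok": [], "suspicious": [], "unknown": []}
    seen = set()
    for path in parse_running_processes(log):
        norm = normalize(path)
        if norm in seen:
            continue
        seen.add(norm)
        result[classify(path, windir)[0]].append(norm)
    return result


if __name__ == "__main__":
    for verdict, paths in audit(SAMPLE_LOG).items():
        for p in paths:
            print(f"{verdict:10s} {p}  ({classify(p)[1]})")
```

Run against the real log above, the two svchost spellings collapse to the single expected path and nothing in the process list is flagged; the three planted lines show what an actual impostor would look like. The script only reasons about paths as text, so it complements rather than replaces checking the file's signature and hash on the machine itself.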

Post by ph0bYx »

I searched for svchost in C:\WINDOWS last night and it found only one svchost in that folder, and now I searched for system32, which also found only one.
As for Wireshark, well, I have never used it, but last night I monitored the traffic with TCPView and a packet sniffer. I caught 2 locations with TCPView while the svchost was downloading (see picture), but I don't know if they're the hosts from which the svchost is downloading :/

About C:\PROGRA~1\Crawler\CToolbar.exe:
well, that's Spyware Terminator's browser toolbar, which comes with a Crawler quick search and, what's more important, Web Security Guard, which alerts me if I enter any sites that were reported to have any malice in them.


Altogether I think I've got rid of it somehow, because last night for about 2 hours there wasn't any svchost downloading, and not today either...


Post by bad_brain »

hm, ok... but you should keep an eye on it... :wink:

My svchost problem

Post by DrVirus »

Since we are talking about svchost, I thought about letting you guys know about mine. My svchost is trying to send email. It's making me nuts. Every third second my QuickHeal antivirus asks me whether I should allow it to send email, yes or no. Any idea?


Post by bad_brain »

um, this is VERY suspicious... what email client are you using? Outlook?


Post by DrVirus »

Yeah, I use Outlook Express.


Post by bad_brain »

it's very likely there is a worm infection and the worm is now trying to distribute itself via Outlook... you should instantly run a full system scan... :-k
if possible you should also use an email client that is more secure; Outlook is a malware magnet... I recommend Thunderbird... :wink:


Post by DrVirus »

Well, I am infected with Cutwail, which is located as Winctrl32.dll. I have been trying to get rid of it for quite a while. I use QuickHeal 10.0 (legal) as my AV, and it always prompts me to do a boot-time scan. When I do that, it deletes the file, and on reboot, voila! It's back.


Post by bad_brain »

seems it can't get rid of all the components... get the Avira rescue disk here:
http://www.free-av.de/en/tools/12/avira ... ystem.html
- place the rescue disc in the infected computer and boot from it. Choose option 2 (Boot from Rescue CD)
- choose English language and watch the progress at the end of the boot; you should see a menu
- choose the second option: "Scan your system with AntiVir"
depending on the amount of files you have on the HDD the scan can take 1-2 hours... but afterwards the system should be clean again... :wink:


Post by DrVirus »

On it. Thanks man.


Post by ph0bYx »

OK, I got those strange downloads again. This time it was from this site (twice):


http://whois.domaintools.com/87.248.217.108
First I thought it was something related to LimeWire and uninstalled it, but it happened again, so I tried googling around a bit and found this:


http://www.webmasterworld.com/analytics/3560874.htm
but this is related to servers and not users.

So I sent them a message:
Hello

I'm having a problem that is connected to your host in the Netherlands. Lately svchost on my computer has been downloading something without my permission, and I terminated the connection, but it keeps trying to download something big. Then I started to investigate a little. With a connection tracking program I have discovered that it's downloading something from your hosts:

http://img212.imageshack.us/img212/8228/catsb.jpg

I tried everything to find out what's going on, but can't find any answers. I've scanned my computer for malicious programs multiple times with various anti-virus/spyware/adware tools etc. but couldn't find anything.

I am hoping that you could provide me with some answers.
Also I hope that I've informed you of an error on your host so you can fix it, because I don't think that I'm the only one with this kind of problem.

Thank you in advance
Hope it helps because right now svchost is again trying to download, and I'm running out of ideas.

------------------------------------------------------

Here's a packet of the attempted download:


GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15461829-15645315
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15645316-15827306
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15827307-16011148
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16011149-16193867
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16193868-16377423
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16377424-16560758
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16560759-16744121
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16744122-16925870
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=16925871-17108385
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

I've also found something related here:


http://www.outpostfirewall.com/forum/showthread.php?p=158400


Post by bad_brain »

k, I checked the IP and the hostname (cds68.frf.llnw.net) appears in a couple of Google entries... the only promising one is in Russian, but it is a virus research site (seems it's in context with Kaspersky Labs), so it's most likely not a report of "how nice" this IP/host is.

to be honest I really recommend you do a full new setup; there is something going on on your system... and even if we don't know what it is, the fact alone is reason enough not to trust the system anymore... :-k


Post by ph0bYx »

I've done a few hours of googling on similar cases and there are a few identical ones, but no answers there either, nor did anyone find out in the meantime, and to tell you the truth I'm a bit excited about this one.
So before making a complete new setup I'd like to investigate this further; God knows when I will ever stumble upon something like this again :D

So guys, I'll need your help in this, because this is the stuff I want to do in the future, or to exaggerate: I live for this shit :D
What I would need is some advice on what I should do, and what programs I should use to get more info here?

Oh and a little update on the downloads:
It seems they've stopped for a while. Now I don't know if it's just a pause like it was before or if it's because I've disabled BITS.
And this is the svchost that is doing the downloads, or at least I think it's the one:
http://img53.imageshack.us/img53/9569/catsbwj.jpg


Post by DNR »

right, the last strip of packets was from
User-Agent: Microsoft BITS/6.7

I have said in another thread about MS BITS: it acts as if it is NOT disabled.

I would not be upset over BITS.

Again, using Process Explorer you can click on the svchost.exe that is running and click on the TCP/IP tab to see what it is connecting to.
you should have several svchost running..

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
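The capture posted earlier in the thread can be read mechanically rather than eyeballed: each request carries a Range header, so the chunks should chain end-to-start if one client is pulling a single file, the User-Agent identifies the BITS client, and the Host header (not the TCP peer, which for a CDN-fronted download such as the llnw.net node mentioned above will be a content-delivery server) is what says which service the job belongs to. The following is an added example, not code from the thread; the trusted-domain allowlist and the fourth request (to a made-up host) are constructed for illustration, the first three requests are taken verbatim from the capture above.

```python
"""Summarise HTTP range requests captured from a suspected svchost download:
group by (Host, path), check the ranges are contiguous, total the bytes and
flag hosts outside an allowlist. Added example, not part of the forum thread."""
import re
from typing import Dict, List, Tuple

TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # constructed allowlist

# First three requests are from the posted capture; the fourth is constructed.
SAMPLE_CAPTURE = """
GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15461829-15645315
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15645316-15827306
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /download/5/2/E/52EB299A-E4DE-43E2-8D55-510D7FB03610/en/wlsetup-cvr.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=15827307-16011148
User-Agent: Microsoft BITS/6.7
Host: msgr.dlservice.microsoft.com
Connection: Keep-Alive

GET /payload.bin HTTP/1.1
Accept: */*
Range: bytes=0-1023
User-Agent: Microsoft BITS/6.7
Host: cdn.example.invalid
Connection: Keep-Alive
"""


def parse_requests(capture: str) -> List[dict]:
    """Split raw HTTP request text (blank-line separated) into request dicts."""
    requests = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = [l.rstrip("\r") for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        m = re.match(r"^(\w+)\s+(\S+)\s+HTTP/\d\.\d$", lines[0])
        if not m:
            continue  # not a request line; skip response fragments etc.
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "path": m.group(2), "headers": headers})
    return requests


def parse_range(value: str) -> Tuple[int, int]:
    """'bytes=START-END' -> (START, END); BITS always sends closed ranges."""
    m = re.fullmatch(r"bytes=(\d+)-(\d+)", value)
    if not m:
        raise ValueError(f"unsupported Range header: {value!r}")
    return int(m.group(1)), int(m.group(2))


def host_is_trusted(host: str) -> bool:
    """Exact or subdomain match against the allowlist; ignores any :port."""
    host = host.lower().split(":")[0]
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES)


def summarize(capture: str) -> Dict[Tuple[str, str], dict]:
    """One summary per (host, path): chunk count, byte span, contiguity, client, trust."""
    groups: Dict[Tuple[str, str], List[dict]] = {}
    for req in parse_requests(capture):
        key = (req["headers"].get("host", "?"), req["path"])
        groups.setdefault(key, []).append(req)
    summary = {}
    for (host, path), reqs in groups.items():
        ranges = sorted(parse_range(r["headers"]["range"]) for r in reqs if "range" in r["headers"])
        agents = {r["headers"].get("user-agent", "") for r in reqs}
        summary[(host, path)] = {
            "chunks": len(ranges),
            "first_byte": ranges[0][0] if ranges else None,
            "last_byte": ranges[-1][1] if ranges else None,
            "bytes_requested": sum(end - start + 1 for start, end in ranges),
            "contiguous": all(ranges[i][1] + 1 == ranges[i + 1][0] for i in range(len(ranges) - 1)),
            "bits_client": all(a.startswith("Microsoft BITS/") for a in agents),
            "trusted_host": host_is_trusted(host),
        }
    return summary


if __name__ == "__main__":
    for (host, path), info in summarize(SAMPLE_CAPTURE).items():
        print(host, path)
        for k, v in info.items():
            print(f"  {k:16s} {v}")
```

For the posted capture this reports three contiguous chunks of wlsetup-cvr.exe (about 549 KB of a file already past the 15 MB mark) from a BITS client against a microsoft.com host, which is what a resumed background download of a Windows Live setup package looks like; the constructed fourth request shows how a BITS job pointed at a non-allowlisted host would stand out. On the machine itself, the counterpart check is to list the queued jobs and their owners with bitsadmin (for example `bitsadmin /list /allusers`, from the XP Support Tools on that platform and built into later Windows), since a User-Agent string alone only says which client made the request, not who created the job.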
