Can Someone Tell Me What's Going On?

Discussion in 'Computer Security' started by Baileys, Jul 27, 2005.

  1. Baileys

    Baileys Guest

    I've been having problems for a few weeks involving "svchost.exe"
    (100% CPU usage as well as a maxed out internet connection when *I*
    wasn't doing anything). I did a lot of Googling and found, among
    other things, that not only is this program required by Windows, it
    can also be associated with a virus.

    I've got updated virus, spyware and adware goodies, did scan after
    scan after scan (clean bill of health), searched my hard drive for a
    "svchost.exe" that didn't belong there (didn't find anything).

    But I still have this thing attempting to connect to the internet (I
    have Zone Alarm stopping it). What concerns me is the destination DNS
    is my ISP's mail server. Just in the last hour while I've been trying
    to research this, there have been over 1,000 connection attempts.

    I can't find a virus -- have I been hijacked by spammers (I haven't
    heard anything from my ISP)? And if I have, what do I do about it
    now? I Googled for this, too, and found plenty of "this could happen
    to you" articles, but nothing about how to solve the problem or even
    how to determine for sure that IS the problem.

    I don't open email attachments, I don't download crap -- I thought I
    had this thing locked down tight. That, plus the fact I'm on a cruddy
    26.4 dial-up connection, I thought I'd be alright.

    Can someone please point me in the right direction so I can end this?

    Thanks.


    July Goals: BG readings in normal range; Not hungry, don't eat
    Weight: 7 pounds gone since 07/01/2005
    Measurements: 8 inches gone 06/19/2005
    Cholesterol: 145
    FBG: < 100 since 07/01/2005 A1c 6.5
    Baileys, Jul 27, 2005
    #1

  2. Baileys

    Wheaty Guest

    Baileys babbled on about this news:1sqde19e5hcdbjkf6qgh6j9eqvjv7irt5k@4ax.com:

    > I've been having problems for a few weeks involving "svchost.exe"
    > (100% CPU usage as well as a maxed out internet connection when *I*
    > wasn't doing anything). I did a lot of Googling and found, among
    > other things, that not only is this program required by Windows, it
    > can also be associated with a virus.
    >
    > I've got updated virus, spyware and adware goodies, did scan after
    > scan after scan (clean bill of health), searched my hard drive for a
    > "svchost.exe" that didn't belong there (didn't find anything).
    >
    > But I still have this thing attempting to connect to the internet (I
    > have Zone Alarm stopping it). What concerns me is the destination DNS
    > is my ISP's mail server. Just in the last hour while I've been trying
    > to research this, there have been over 1,000 connection attempts.
    >
    > I can't find a virus -- have I been hijacked by spammers (I haven't
    > heard anything from my ISP)? And if I have, what do I do about it
    > now? I Googled for this, too, and found plenty of "this could happen
    > to you" articles, but nothing about how to solve the problem or even
    > how to determine for sure that IS the problem.
    >
    > I don't open email attachments, I don't download crap -- I thought I
    > had this thing locked down tight. That, plus the fact I'm on a cruddy
    > 26.4 dial-up connection, I thought I'd be alright.
    >
    > Can someone please point me in the right direction so I can end this?
    >
    > Thanks.
    >
    >
    > July Goals: BG readings in normal range; Not hungry, don't eat
    > Weight: 7 pounds gone since 07/01/2005
    > Measurements: 8 inches gone 06/19/2005
    > Cholesterol: 145
    > FBG: < 100 since 07/01/2005 A1c 6.5
    >
    >


    hmmm.... see if there is anything listening on common ports for an IRC
    channel. You may be an unwilling party to a DDoS attack. Somebody step in
    here pls.. is the default port 6667?
    Anyways.... use the `netstat -an | find ":xxxx"` command (replace xxxx with
    the port number... I don't remember, or it may have changed) and if the
    output is blank, then it is likely clear of certain IRC bots, or the
    default port has been configured to something else. I believe many IRC
    servers require the IDENT port to be open as well... port 113. Though this
    is just a small drop in a huge bucket of things it might be. Could be
    something as simple as a piece of spyware that has hidden itself quite
    well. Try to scan it in safe mode and see what happens.
    Also, talk to your ISP and ask them if they can investigate the packets
    being sent... this can sure point you in the right direction.

    --
    Wheaty

    I would much rather have a bottle in front of me than a frontal
    lobotomy....
    Wheaty, Jul 27, 2005
    #2
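An added example (not from the thread) that does the check Wheaty describes in one pass: it summarises current TCP connections per remote port with the owning process, and lists anything listening on the ports the reply mentions. The port labels (25 for the ISP mail server, 6667 for IRC, 113 for ident) are taken from the thread; Get-NetTCPConnection needs Windows 8 / Server 2012 or later and an elevated prompt to resolve paths of system processes.

```powershell
# Ports named in the thread; any other port simply shows with an empty label.
$watch = @{ 25 = 'SMTP (ISP mail server)'; 6667 = 'IRC default'; 113 = 'ident' }

# Outbound/established sockets only; drop listeners and loopback noise.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and
                   $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }

# One row per (remote port, PID): many sockets to one port from one PID is the
# pattern the original poster saw (1,000+ attempts to the ISP mail server).
$conns | Group-Object RemotePort, OwningProcess | ForEach-Object {
    $first = $_.Group[0]
    $port  = [int]$first.RemotePort           # hashtable keys are Int32, RemotePort is UInt16
    $proc  = Get-Process -Id $first.OwningProcess -ErrorAction SilentlyContinue
    $label = ''
    if ($watch.ContainsKey($port)) { $label = $watch[$port] }
    [pscustomobject]@{
        RemotePort = $port
        Label      = $label
        Count      = $_.Count
        PID        = $first.OwningProcess
        Process    = $proc.ProcessName
        Path       = $proc.Path               # empty for protected processes unless elevated
        Sample     = "$($first.RemoteAddress):$port"
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# The "is anything listening" part of the reply: local listeners on the watched ports.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $watch.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        'Listening on {0}:{1} ({2}) by PID {3} {4}' -f $_.LocalAddress, $_.LocalPort,
            $watch[[int]$_.LocalPort], $_.OwningProcess, $p.ProcessName
    }
```

Get-NetTCPConnection only shows sockets that exist right now, so attempts a firewall blocked never appear here; for those counts the firewall's own log is the source. On older Windows without this cmdlet, `netstat -ano` adds the owning PID column to the output the reply describes.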

  3. Baileys

    Phil Guest

    Baileys wrote:
    > Can someone please point me in the right direction so I can end this?


    Have you done an anti-virus scan while in safe mode? Sometimes things don't
    get picked up unless you're in that mode. Also, have you tried more than
    one AV package? If you're using a paid-for AV package, you might like to
    try a free one, like AVG, as well.

    Good luck.
    Phil, Jul 27, 2005
    #3
  4. Baileys

    xsr Guest

    Baileys Wrote:
    > I've got updated virus, spyware and adware goodies, did scan after
    > scan after scan (clean bill of health), searched my hard drive for a
    > "svchost.exe" that didn't belong there (didn't find anything).


    I suspect that you did not search hard enough, judging by your story.
    Did the search include files with the hidden and/or system attribute?
    If it did, you might as well check for rootkits, which attempt to hide
    the file (although a decent rootkit should also have hidden the
    process).

    Baileys Wrote:
    > But I still have this thing attempting to connect to the internet (I
    > have Zone Alarm stopping it). What concerns me is the destination DNS
    > is my ISP's mail server. Just in the last hour while I've been trying
    > to research this, there have been over 1,000 connection attempts.
    >
    > I can't find a virus -- have I been hijacked by spammers (I haven't
    > heard anything from my ISP)? And if I have, what do I do about it
    > now? I Googled for this, too, and found plenty of "this could happen
    > to you" articles, but nothing about how to solve the problem or even
    > how to determine for sure that IS the problem.


    Have you asked them about the usage of your IP on their mail server?
    Maybe you can try sniffing the connection from your IP to the ISP mail
    server, to determine what exactly is being sent to them. I suspect it
    is propagation of a virus using email, in an attempt to infect more
    victims.

    Baileys Wrote:
    > I don't open email attachments, I don't download crap -- I thought I
    > had this thing locked down tight. That, plus the fact I'm on a cruddy
    > 26.4 dial-up connection, I thought I'd be alright.


    Visiting sites can be all it takes to get infected.

    Reminds me of a similar problem. At some point I used a keygen of
    some sort, which carried a virus as well, while Kaspersky AV did not
    even recognize the infection. It also used the name svchost.exe. After
    killing it, PGP Desktop showed that the computer had been trying to
    connect to another email server (not an ISP's). I'm not sure if the
    Sygate firewall stopped it or not. Anyway, in order to exactly describe
    the actions of how I removed it, I'd have to re-infect the computer
    again.. heh. I recall that some of the files were in either
    %HOMEPATH%\Local Settings\Temp or %HOMEPATH%\Local Settings\Temporary
    Internet Files (that's right, it used more than a single file).

    BTW, doesn't Zone Alarm give the full path to a program which is
    using, or trying to use, the network? IMHO a decent firewall should.

    ----
    xsr
    08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
    http://www.research-labs.net/
    xsr, Jul 27, 2005
    #4
  5. Baileys

    Guest

    I think your computer must be hijacked by spammers. It is a virus, too
    new for antivirus software to find it. You can use Security Expert to
    find and kill it. Security Expert can help you judge which
    process/startup program/services is a suspicious process/startup
    program/service, and lets you kill it.
    Go to http://securityexpert.cnns.net/process01.htm to know more.
    , Jul 27, 2005
    #5
  6. <> wrote in message
    news:...
    > I think your cpmputer must be hijacked by spammers.It is a virus,too
    > newest to AntiVirus software find it.You can use Security Expert to
    > find and kill it.Security Expert can help you judge which
    > process/startup program/services is suspicious process/startup
    > program/services,and supply you to kill it.
    > Goto http://securityexpert.cnns.net/process01.htm to know more.
    >

    You gotta be crazy to use this program. The link is to an overseas server
    that downloads a keylogger to your system.
    Michael Levengood, Jul 27, 2005
    #6
  7. Baileys

    Winged Guest

    Baileys wrote:
    <Snipped>

    I recommend figuring out what is calling svchost. Get Process explorer
    from:

    http://www.sysinternals.com/ProcessesAndThreadsUtilities.html

    It is a free utility that will tell you what processes are being called
    and what is calling the process (process thread). There are a couple
    other utilities on the page that will do things like identify what is
    being autorun at start-up and handles which may also aid in identifying
    what is calling the process.


    *****Last resort

    If you can not identify the offending starting process it may well be that:

    1: The svchost.exe process you are seeing is a similarly named file in
    another directory; the utility above should identify the process.
    SVChost.exe should be located in your system32 directory under your
    Windows directory, which by default would be c:\windows\system32; however
    your system directory may be placed elsewhere if you have tweaked your
    system.

    2. The file may have been replaced, especially if you were running on
    the net with administrative permissions. On my system, with current
    patch levels (XP), it is a 16,384-byte file dated 8/4/2004 2:56 AM. You should
    have a backup file on your system located in your
    c:\windows\servicepackfiles\i386 that should be similar in size and date.

    I would also check the system for a rootkit. There is
    this free utility called RootkitRevealer at:

    http://www.sysinternals.com/SecurityUtilities.html

    These things should identify either the offending process tree or what
    is causing your issue.

    Because I feel a system once compromised is like being a little bit
    pregnant, I would rebuild the system. I understand this can be
    problematic/traumatic for some folks who are not prepared for that
    eventuality, but trusting my system is important. But the above items
    should at least give you a clue as to what is happening.

    Winged
    Winged, Jul 28, 2005
    #7
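An added example (not from the thread) that automates items 1 and 2 of Winged's last-resort checks: for every running svchost.exe it verifies the image path is the system copy, that the parent is services.exe, and that the file is validly signed, then compares the live file with a backup copy by size, date and hash. The backup path defaults to the servicepackfiles\i386 location the reply names for XP; on later Windows pass a known-good copy (from install media or WinSxS) via -BackupCopy. Run elevated so ExecutablePath is readable for system processes.

```powershell
param([string]$BackupCopy = "$env:SystemRoot\ServicePackFiles\i386\svchost.exe")

# Legitimate locations: System32, plus SysWOW64 for 32-bit services on 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $path   = $p.ExecutablePath
    $flags  = @()

    # Item 1 in the reply: a same-named file in another directory.
    if (-not $path)                  { $flags += 'path not readable (run elevated)' }
    elseif ($path -notin $expected)  { $flags += "unexpected path: $path" }  # -notin is case-insensitive

    # The real service host is always started by services.exe.
    if ($parent.Name -ne 'services.exe') {
        $flags += "parent is $($parent.Name), expected services.exe"
    }

    # A replaced binary (item 2) loses its Microsoft Authenticode signature.
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }

    [pscustomobject]@{ PID = $p.ProcessId; Parent = $parent.Name; Path = $path
                       Flags = ($flags -join '; ') }
}

# Item 2 in the reply: size/date/hash of the live file against the backup copy.
if (Test-Path $BackupCopy) {
    $live = Get-Item $expected[0]
    $bak  = Get-Item $BackupCopy
    $same = (Get-FileHash $expected[0]).Hash -eq (Get-FileHash $BackupCopy).Hash
    'live:   {0,8} bytes  {1}' -f $live.Length, $live.LastWriteTime
    'backup: {0,8} bytes  {1}' -f $bak.Length,  $bak.LastWriteTime
    "SHA256 match: $same"
} else {
    "No backup copy at $BackupCopy; compare against a known-good copy from install media."
}
```

The 16,384-byte size and 2004 date in the reply are specific to XP at that patch level; on any other version the signature check and the hash comparison against a copy from the same build are the meaningful tests.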
  8. On Tue, 26 Jul 2005 21:17:33 -0500, Baileys <.@,.> wrote:

    [snip]

    Thanks to everyone for the advice. While I might, indeed, have to do
    a clean install, I would like to know "what's up" and can use your
    pointers to try to figure that out.

    Much appreciated. :)
    Bailey's Girl, Jul 28, 2005
    #8