
Something undetectable is hooking my svchost.exe

1 reply to this topic

#1 No2


  • Members
  • 1 posts

Posted 23 February 2009 - 02:10 PM

Hi Guys. To find what's doing this I've tried:

-Blacklight Rootkit Eliminator
-Sophos Anti-Rootkit
-Rootkit Revealer

I got 2 embedded null keys which I removed with DellRegNull.exe | psexec.exe

-SpyBot S&D
-Malwarebytes Anti Malware

(All system wide scans with all options maxed out)

Got a few old trojans in some old rar files and some tracking cookies. I also got a Vundo/variant-msfake alert in an old WinBuilder Pico XP build. All have been deleted. But nothing has stopped svchost being dialed out every 10 - 30 min.

Each time it tries (I'm blocking it of course) I get a slight graphics and sound hiccup.

I have had a good look through Sysinternals Process Explorer and shut down most of the services that were using svchost.exe but it STILL keeps popping up.

The site it calls is raservers.com / speedytorrents.net (it seems to be a spam server (they have two mail servers) or a password catcher... I really don't know). Help. I wonder what else this sneaky thing is doing.

Is there any way to find out which process / service is trying to connect without letting it do so?

Thanks for any help.

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:52 p.m., on 23/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=;gopher=;http=;https=;socks=
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CoolSwitch] C:\windows\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OTFSDMS] C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe /p
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [Skype] "F:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Vidalia] "F:\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: JAP.lnk = F:\JAP\jap.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe (User 'Default user')
O4 - .DEFAULT Startup: JAP.lnk = F:\JAP\jap.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: JAP.lnk = F:\JAP\jap.exe
O4 - Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Privoxy.lnk = F:\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F755A888-3A72-4593-B704-E4CBE5EFE979}: NameServer =
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - F:\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: SFX - Unknown owner - C:\DOCUME~1\Back\LOCALS~1\Temp\SFX.exe (file missing)
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

End of file - 5263 bytes

Edited by No2, 23 February 2009 - 02:21 PM.



#2 shelf life


  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 04 March 2009 - 04:43 PM

Hi No2,

Sorry for the delay, no shortage of posters.

It must be using a port. Are you familiar with the netstat cmd? Sysinternals has a GUI version called TCPView. Another good tool to map a process to a port is fport. These tools can provide you with more information.

How Can I Reduce My Risk to Malware?
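To go one step further than the netstat/TCPView suggestion above, the following added example (not from either poster) joins `netstat -ano` with `tasklist /svc`, so that an outbound connection owned by an svchost.exe PID is shown together with the services hosted in that PID, which is what narrows the search. It assumes English command output and PowerShell 3 or later; the two underlying commands themselves exist on Windows XP SP2 and later and can be run by hand there.

```powershell
# Added example, not code from the thread. Maps each outbound TCP connection
# to its owning process and, for svchost.exe, to the services hosted in that
# PID, using only 'netstat -ano' and 'tasklist /svc', both present on
# Windows XP SP2 and later. The script itself needs PowerShell 3 or later.

function ConvertFrom-NetstatOutput {
    # Parse 'netstat -ano' text; header and UDP rows have a different field count.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP') {
            [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
        }
    }
}

function Get-PidServiceMap {
    # Parse 'tasklist /svc /fo csv' into PID -> image name + hosted services.
    param([string[]]$Lines)
    $map = @{}
    foreach ($row in ($Lines | ConvertFrom-Csv)) {
        $map[[int]$row.PID] = @{ Image = $row.'Image Name'; Services = $row.Services }
    }
    $map
}

function Get-OutboundOwner {
    # Join the two views: one row per live or half-open outbound connection,
    # skipping loopback and unbound endpoints.
    $svc = Get-PidServiceMap (tasklist /svc /fo csv)
    ConvertFrom-NetstatOutput (netstat -ano) |
        Where-Object { $_.State -match '^(ESTABLISHED|SYN_SENT)$' -and
                       $_.Remote -notmatch '^(127\.|0\.0\.0\.0|\[::1\])' } |
        ForEach-Object {
            $p = $svc[$_.PID]   # null if the process exited between the two snapshots
            [pscustomobject]@{
                Remote   = $_.Remote
                State    = $_.State
                PID      = $_.PID
                Image    = if ($p) { $p.Image }    else { '(exited)' }
                Services = if ($p) { $p.Services } else { '' }
            }
        }
}

# A firewall-blocked dial-out is visible only while the socket sits in
# SYN_SENT, so poll until the attempt is caught; stop with Ctrl+C.
while ($true) {
    Get-OutboundOwner | Format-Table -AutoSize
    Start-Sleep -Seconds 5
}
```

When the Services column of the svchost.exe row lists several services, stopping them one at a time (as the original poster was already doing) and re-running the poll isolates the one that owns the connection.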
