Something undetectable is hooking my svchost.exe


1 reply to this topic

#1 No2


  • Members
  • 1 posts

Posted 23 February 2009 - 02:10 PM

Hi Guys. To find what's doing this I've tried:

-Blacklight Rootkit Eliminator
-Sophos Anti-Rootkit
-Rootkit Revealer

I got 2 embedded null keys which I removed with DellRegNull.exe | psexec.exe

-SuperAntiSpyware
-SpyBot S&D
-Malwarebytes Anti Malware
-Nod32

(All system wide scans with all options maxed out)

Got a few old trojans in some old rar files and some tracking cookies. I also got a Vundo/variant-msfake alert in an old WinBuilder Pico XP build. All have been deleted. But nothing has stopped svchost being dialed out every 10 - 30 min.

Each time it tries (I'm blocking it of course) I get a slight graphics and sound hiccup.

I have had a good look through Sysinternals Process Explorer and shut down most of the services that were using svchost.exe but it STILL keeps popping up.

The site it calls is raservers.com / speedytorrents.net (208.53.170.64). It seems to be a spam server (they have two mail servers) or a password catcher... I really don't know. Help. I wonder what else this sneaky thing is doing.

Is there any way to find out which process / service is trying to connect without letting it do so?

Thanks for any help.



Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:52 p.m., on 23/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\RUNDLL32.EXE
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\DLOADS MISC\WEB\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:8118;gopher=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CoolSwitch] C:\windows\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OTFSDMS] C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe /p
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [Skype] "F:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Vidalia] "F:\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: JAP.lnk = F:\JAP\jap.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe (User 'Default user')
O4 - .DEFAULT Startup: JAP.lnk = F:\JAP\jap.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: GB-PVR Tray.lnk = F:\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: JAP.lnk = F:\JAP\jap.exe
O4 - Startup: OpenOffice.org 3.0.lnk = F:\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Privoxy.lnk = F:\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F755A888-3A72-4593-B704-E4CBE5EFE979}: NameServer = 192.168.0.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - F:\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: SFX - Unknown owner - C:\DOCUME~1\Back\LOCALS~1\Temp\SFX.exe (file missing)
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 5263 bytes

Edited by No2, 23 February 2009 - 02:21 PM.


#2 shelf life


  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 04 March 2009 - 04:43 PM

Hi No2,

Sorry for the delay, no shortage of posters.

It must be using a port. Are you familiar with the netstat cmd? Sysinternals has a GUI version called TCPView. Another good tool to map a process to a port is fport. These tools can provide you with more information.

How Can I Reduce My Risk to Malware?
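The reply above points at netstat to tie the outbound attempt to a process, but on this machine the process is one of several svchost.exe instances, each hosting several services, so the PID alone does not say which service is responsible. The script below is an added example, not code from the thread or from any of the tools named in it: it joins the output of `netstat -ano` (connection table with PIDs) with `tasklist /svc` (PID to image name and hosted services) and reports every connection to a given remote address, here the thread's own 208.53.170.64. The two text blocks inside it are constructed samples shaped like the real XP output, not captures from the poster's machine; the `main` at the bottom runs the live commands when the script is executed on a Windows host, and the PID values and service names in the samples are invented for illustration. While a firewall is holding the attempt, the connection typically sits in `SYN_SENT`, which is the state the example looks for.

```python
"""Map an outbound connection attempt to the svchost.exe instance and the
services it hosts, by joining `netstat -ano` with `tasklist /svc` on PID.

Added example for the thread above; the sample outputs below are constructed,
not captured from a real host.
"""
import re
import subprocess

# Constructed sample of `netstat -ano` output (PIDs and addresses are invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       1932
  TCP    192.168.0.10:1057      208.53.170.64:80       SYN_SENT        1128
  TCP    192.168.0.10:1060      192.168.0.4:53         ESTABLISHED     1128
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output (service groupings are invented).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1128 Dnscache, RpcSs, Themes
svchost.exe                   1212 wuauserv, BITS
privoxy.exe                   1932 N/A
"""


def parse_netstat(text):
    """Return one dict per connection row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a protocol token; header and blank lines do not.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last token.
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output."""
    procs = {}
    # Image name, whitespace, numeric PID, whitespace, service list (or N/A).
    pattern = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$")
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:  # header and ruler lines carry no numeric PID column
            continue
        svcs = m.group("svcs").strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(m.group("pid"))] = (m.group("image"), services)
    return procs


def find_owner(netstat_text, tasklist_text, remote_ip):
    """List connections whose foreign address is remote_ip, with the owning
    image and the services hosted in that process."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        # Foreign address is "ip:port"; strip the port before comparing.
        if row["foreign"].rsplit(":", 1)[0] != remote_ip:
            continue
        image, services = procs.get(row["pid"], ("<unknown>", []))
        hits.append({"pid": row["pid"], "image": image, "services": services,
                     "local": row["local"], "state": row["state"]})
    return hits


def main(remote_ip="208.53.170.64"):
    """Run the live commands on a Windows host; fall back to the samples elsewhere."""
    try:
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        ns, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for hit in find_owner(ns, tl, remote_ip):
        print("%s -> %s  pid=%d  %s  services=%s" % (
            hit["local"], remote_ip, hit["pid"], hit["image"],
            ", ".join(hit["services"]) or "(none)"))


if __name__ == "__main__":
    main()
```

Once the output names the svchost.exe PID and its service list, the candidate set is narrow enough to stop those services one at a time (as the poster was already doing with Process Explorer) and see which one makes the attempts stop; an image name that is not svchost.exe, or a PID that `tasklist /svc` does not list at all, is itself a finding worth following up.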
