Trojans seemed cleared, but pfirewall.log reveals connections



#1 saczel

saczel

  • Members
  • 6 posts
  • Location:Fort Smith, AR

Posted 08 June 2009 - 11:44 PM

I'm using Windows XP Professional, recently (on Friday 5 May) updated to SP3. Hardware: Intel Q6600 processor, 4GB Ram (Windows reading 3.25GB), wired DSL internet connection.

Since last November, my computer was infected by Twext.exe a couple of times (once in December and once in February) and at least once (in April) by other malware. This was by an iframe insertion on a webpage, which redirected me to a website that opened Adobe Acrobat on my computer, which it used to insert the malware. To get rid of Twext, I had to delete it, and then manually repair my registry by using a boot disk with a registry editor on it. I also used SuperAntiSpyware to clean out my computer.

These trojans disabled my Windows XP firewall, and I didn't catch that for about a week or two. It seems to be working again, but I'm not confident that it's functioning correctly. One of the "exceptions" listed for that two week period was Windows Explorer itself.

During the repair of these problems, I somehow disabled my Internet Explorer browser. It took me a long time to figure out how to re-install it, but I accomplished that last Friday. It was version 6. I immediately used it to update my Windows XP, which hadn't been done since early in 2009. But in the short time between getting IE working again, and using Windows Update to get caught up on security patches, I was infected with multiple malwares; I'm sure that they exploited vulnerabilities in my unpatched, newly-restored IE v6, and in XP itself. I used SuperAntiSpyware again, and it cleaned out these problems (there were about 50 infections, about half as Cookies and half as registry and Windows folder insertions). After cleaning these out, SuperAntiSpyware said that I had no problems, but I used the Kaspersky free online scan, and it detected "Trojan-Downloader.Win32.Small.akgn" using my svchost.exe program. Last night I found a copy of, if I remember correctly, "svchost.exe" in my Windows\system32\drivers folder, which several online sources say is a location used by malware for a similarly-named file. I also found a file in my main Windows folder that several sites said was malware, renamed something that sounds legitimate.

I do have several instances of "svchost.exe" running, and when I looked at their details with a program called Process Explorer, I saw a large quantity of suspicious data. Some of these svchost.exe programs are using strange user identities that I don't recognize (some of which had a question-mark icon next to them); one even had an entry that said "WBEM_EES_OPEN_FOR_BUSINESS".

I've also looked at my firewall log, and my machine is constantly opening and closing TCP connections, a new one every three-to-five seconds. I checked some of the IP addresses, and they're listed online as malware sites; for example, one is a site with "spyware-protector" in its name.

I've run HijackThis and I don't seem to be seeing anything too suspicious most of the time, although every once in a while, something will pop up, such as an Adobe Reader-type program. SuperAntiSpyware usually doesn't see anything, except for the times I described above.

When I go to "Speedtest.net" my upload speeds are very slow, far below average for my ISP, and I see strange behavior when I upload (I run an online fantasy baseball league and upload large quantities of html statistics reports): my uploads always start out at a fast speed (around 200Kbps), then gradually slow down to a rate that I consider reasonable or normal (about 70Kbps), then they abruptly jump down to 40Kbps.

I'm fairly computer savvy and I need help diagnosing and solving my problems. I appreciate any assistance I receive. Thank you for your attention to this matter.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2009 - 10:02 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dlls. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon, but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

There are several ways to investigate and see what services a Svchost.exe process is controlling, and using Process Explorer is one of them. For a more detailed guide to using this tool, please refer to How to determine what services are running under a Svchost.exe process.

Other tools to investigate running processes and gather additional information to identify them and resolve problems:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 saczel

saczel
  • Topic Starter

  • Members
  • 6 posts
  • Location:Fort Smith, AR

Posted 09 June 2009 - 10:16 AM

Thanks very much for this information. I will check out my instances of svchost.exe more closely, using these tools.

I'm still concerned about the constant opening of TCP connections to suspect internet locations. Is there anything I can do to analyze this activity?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2009 - 11:22 AM

There are third party utilities that will allow you to manage and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port.

You can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server but your firewall, if properly configured, should have blocked any attempt to access it.

You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various Internet Traffic Monitoring Tools for troubleshooting and malware investigation.

You can investigate IP addresses and gather additional information at:
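A small triage script that puts the two suggestions in this thread together: checking which folder an svchost.exe instance actually runs from (reply #2) and reading the output of netstat -ano (reply #4). This is an added example, not the poster's or quietman7's own code; it runs on a constructed netstat sample and a constructed PID-to-image-path map instead of live output, and the legitimate folder list is the one given in reply #2.

```python
import re

# Legitimate svchost.exe folders on XP, taken from reply #2 (lower-case for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\i386",
                      r"c:\windows\servicepackfiles\i386", r"c:\windows\$ntservicepackuninstall$"}

# Constructed sample of `netstat -ano` output; not taken from the poster's machine.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED     1336
  TCP    192.168.1.5:1046       203.0.113.10:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image path map, as tasklist or Process Explorer would report it.
PROCESS_PATHS = {4: "System",
                 948: r"C:\WINDOWS\system32\svchost.exe",
                 1336: r"C:\WINDOWS\system32\drivers\svchost.exe"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """One dict per endpoint line of `netstat -ano` output (header lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def svchost_path_ok(path):
    """True unless the image is an svchost.exe living outside the legitimate folders."""
    p = path.lower()
    if not p.endswith("\\svchost.exe"):
        return True
    return p.rsplit("\\", 1)[0] in LEGIT_SVCHOST_DIRS

def triage(netstat_text, paths):
    """(pid, image, foreign) for established TCP connections owned by a mis-located svchost.exe."""
    findings = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            image = paths.get(r["pid"], "<unknown>")
            if not svchost_path_ok(image):
                findings.append((r["pid"], image, r["foreign"]))
    return findings
```

On a live machine, paste the real netstat -ano output into NETSTAT_SAMPLE and fill PROCESS_PATHS from tasklist or Process Explorer's image path column; the foreign addresses that triage() returns are the ones worth looking up.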

#5 saczel

saczel
  • Topic Starter

  • Members
  • 6 posts
  • Location:Fort Smith, AR

Posted 09 June 2009 - 04:15 PM

I offer my sincere thanks.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2009 - 04:18 PM

You're welcome.