
Weird Data usage...svchost.exe PID 1008



#1 Thaumaturge Jay

Posted 26 March 2015 - 04:52 PM

Hey team!

 

Needing a little help here... I have a customer who is using a Verizon USB for her internet service. It is limited to 20GB per month, and in the months of Feb and March she has used nearly 100GB... this has been in place for YEARS and never had this kind of usage. She is using a Cradlepoint brand router with the USB plugged into it to provide internet for her entire network. Since this problem started I have killed all wireless connections and changed passwords, then installed a Netgear 750t2 switch with the router's only hardwired connection going into port 1, plugged a laptop into port 2 (for monitoring purposes), and all others into various other ports on the switch. I have mirrored all traffic on the switch to port 2, with Wireshark monitoring all of it. I haven't caught the spike in usage via this method. I have been able to find that 1 desktop PC (LAN IP 192.168.0.90 for later reference).
What I am seeing is spikes of right around 500MB downloads spread across about 30 min at random times; this sample is around 4:30 AM, and we've had some at 1 in the afternoon, etc. See the report below (nearly worthless) from Verizon. They claim that all they can tell is that this is Firmware and App usage:

(this is just an example of the bumps of data used, measured in GB)

Date       Time      Data (GB)
3/23/2015  10:28 PM  0.081543603
3/23/2015  2:49 PM   0.072999627
3/23/2015  8:50 AM   0.337126942
3/23/2015  4:53 AM   0.29702143
3/23/2015  4:49 AM   0.500473945
3/23/2015  4:45 AM   0.499601998
3/23/2015  4:42 AM   0.500174085
3/23/2015  4:39 AM   0.499349141
3/22/2015  10:48 PM  0.469276153
3/22/2015  4:49 PM   0.132055443
3/22/2015  10:49 AM  0.06130449

 

 

(Again, Wireshark for some reason isn't seeing any of this usage. I have been logging continuously with Wireshark for almost 2 straight weeks now and have the hourly files saved if needed.)

Once I found that the data was being used by this one PC, I installed NetBalancer and let it monitor processes that have internet usage. This DID catch the large amount of traffic, and it was being used by svchost.exe with a PID of 1008.

Now that I've pinned all this down, I ran all my malware scans (RKill, JRT, AdwCleaner, RogueKiller, Malwarebytes and Malwarebytes Anti-Rootkit); below are the log files from those. All were inconclusive; Anti-Rootkit found nothing at all... I just don't know what to do with the information that I've gathered at this point. I am at a complete loss here... anyone have anything that can point me in a direction to try to resolve this? This poor woman is being charged $10 for every gig she goes over 20... she's at 53GB this month alone...

Rkill 2.6.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/23/2015 11:50:33 AM in x64 mode.
Windows Version: Windows 8

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* C:\Windows\System32\mmlweb.exe (PID: 1328) [WD-HEUR]
1 proccess terminated!

Checking Registry for malware related settings:
* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Janet's\Desktop\rkill\rkill-03-23-2015-11-50-39.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:
* No issues found.

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* No issues found.

Program finished at: 03/23/2015 11:52:16 AM
Execution time: 0 hours(s), 1 minute(s), and 42 seconds(s)

RogueKiller V10.0.1.0 (x64) [Oct 10 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Janet's [Administrator]
Mode : Delete -- Date : 03/23/2015  12:18:32

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2929378518-1253625194-1182583516-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://lebanoncpafirm.com/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2929378518-1253625194-1182583516-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://lebanoncpafirm.com/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x2]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[IE:Addon] System : Classic Explorer Bar [{553891B7-A0D5-4526-BE18-D3CE461D6310}] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
--- User ---
[MBR] 40195535e2577b60250bedf6122f6a0d
[BSP] ffc491923f42de61da7036f6bf668ec5 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk Cruzer Switch USB Device +++++
--- User ---
[MBR] 881f2f1a9d3716988c4ec960bd0b0360
[BSP] 5a85ff476ab2a63af83df8cdd7c3608c : Unknown MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0xb) [VISIBLE] Offset (sectors): 63 | Size: 3812 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_03232015_121639.log

# AdwCleaner v3.019 - Report created 23/03/2015 at 12:43:19
# Updated 17/02/2014 by Xplode
# Operating System : Windows 8 (64 bits)
# Username : Janet's - JANET
# Running from : G:\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17267

*************************

AdwCleaner[R0].txt - [1222 octets] - [23/03/2015 12:42:12]
AdwCleaner[S0].txt - [1157 octets] - [23/03/2015 12:43:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1217 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 8 x64
Ran by Janet's on Mon 03/23/2015 at 12:04:30.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 03/23/2015 at 12:09:26.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
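
The next diagnostic step a responder would take on the 192.168.0.90 machine, added here as an example and not part of the original post or any of the tools it mentions: map the svchost.exe PID that NetBalancer flagged (1008, taken from the post) to the Windows services hosted in that instance, then list the process's established TCP connections so the remote endpoints can be checked. It assumes Windows 8 or later with PowerShell 3+, run elevated on the affected PC while the process is still live, since PIDs change at every reboot.

```powershell
# Added example (not from the original post). Identify which services live in
# the svchost.exe instance NetBalancer blamed, and what it is connected to.
# Run in an elevated PowerShell on the affected PC while the PID is still live.
param([int]$SvchostPid = 1008)   # PID reported by NetBalancer in the post

# svchost.exe hosts a group of services; the traffic belongs to one of these.
# (Equivalent cmd.exe check: tasklist /svc /fi "PID eq 1008")
$services = Get-CimInstance Win32_Service -Filter "ProcessId = $SvchostPid" |
    Select-Object Name, DisplayName, StartMode, State, PathName

if (-not $services) {
    Write-Warning "Nothing runs under PID $SvchostPid right now; PIDs change after reboot."
    return
}
"Services hosted in svchost.exe PID ${SvchostPid}:"
$services | Format-Table -AutoSize

# Remote endpoints the process currently holds open. Reverse-resolving the
# address shows whether it is a Microsoft update CDN or something unexpected.
"Established TCP connections owned by PID ${SvchostPid}:"
Get-NetTCPConnection -OwningProcess $SvchostPid -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $remoteHost = '(no PTR record)'
        try { $remoteHost = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { }
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            RemoteHost = $remoteHost
        }
    } | Format-Table -AutoSize

# Windows does not expose per-service byte counts inside a shared svchost. To
# attribute the 500MB bursts to a single service, move each candidate into its
# own process (takes effect on next service start; revert with type= share),
# then re-run this script during the next burst and note which PID NetBalancer
# flags:
#   sc.exe config <ServiceName> type= own
```

Run it once now to record the service group, and again during a burst: if the flagged PID has changed, the group listing from the first run tells you which services to isolate.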

 

 

 
 

 

 


 



#2 Thaumaturge Jay

Posted 27 March 2015 - 04:32 PM

Okay, so my post has been viewed over 100 times and no response? Am I doing this wrong, or am I not the only one who is completely confused by this? Since my initial post she has been hit 2 more times for more than 3GB each, so it has cost her an additional $60 in under 24 hours. PLEASE HELP! Or someone let me know what I'm doing wrong in my posting; should it be somewhere else?





