Avast and svchost.exe

Hi All,

I’m a new user of avast! Antivirus… Just switched to it today after my subscription of ESET Smart Security ran out… Last I know, I didn’t have a virus and I’m a quite careful user…

I’m running avast! on Vista Service Pack 2… Whenever I restart my PC, avast! gives a few popups on the desktop saying it has blocked svchost.exe from opening a malicious URL… It gives around 8-12 such consecutive pop-ups and then stops… After this, if I open the Task Manager, I see one instance of svchost.exe using roughly 50% of CPU (there are few other instances running at 0 CPU use)… I have to kill that process, else any other app takes additional time to run/open…

Please help!

Thanks,

Well, in other topics, svchost.exe trying to connect to malicious sites has been related to having a rootkit infection and possibly an MBR rootkit.

Given your forum name, have you tried Blacklight to see if you have a rootkit?

You can check if you have an MBR rootkit using this tool:

This latest version of aswMBR.exe can have avast do a QuickScan (image3) and depending on your system spec it could take a while, on my system it took a little under 15 minutes.

Apologies! I posted an incomplete log file, it’s still scanning… I will post the complete log once done…

Hi David, thanks for replying :)… No I have not run the Blacklight tool on my system…

aswMBR took lot more than 15 minutes to run for me :D… Here is the log of the scan:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-24 23:25:15

23:25:15.383 OS Version: Windows 6.0.6002 Service Pack 2
23:25:15.383 Number of processors: 2 586 0xF0D
23:25:15.383 ComputerName: MYDOOM UserName: Neil
23:25:19.018 Initialize success
23:25:20.438 AVAST engine defs: 11062400
23:25:58.174 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
23:25:58.174 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
23:25:58.205 Disk 0 MBR read successfully
23:25:58.205 Disk 0 MBR scan
23:25:58.205 Disk 0 unknown MBR code
23:25:58.205 Disk 0 scanning sectors +488394752
23:25:58.252 Disk 0 scanning C:\Windows\system32\drivers
23:26:14.958 Service scanning
23:26:17.189 Disk 0 trace - called modules:
23:26:17.251 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x873018b8]<<
23:26:17.267 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x872e8ac8]
23:26:17.267 3 CLASSPNP.SYS[8bed18b3] → nt!IofCallDriver → [0x8646c700]
23:26:17.267 5 acpi.sys[8b6456bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x86473028]
23:26:17.781 \Driver\iaStor[0x8644dc48] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x873018b8
23:26:18.717 AVAST engine scan C:\Windows
01:13:30.573 Scan finished successfully
01:14:06.500 Disk 0 MBR has been saved successfully to “C:\Users\Neil\Desktop\MBR.dat”
01:14:06.589 The log file has been saved successfully to “C:\Users\Neil\Desktop\aswMBR.txt”

OK, that looks a bit better in that it isn’t certain you have an MBR rootkit, but I believe there is a probability you do still have one as the report is showing you have an unknown MBR code.

You don’t have a dual boot system by any chance (as that could change the default MBR)?

You can run this tool:

Hi David,

No, I do not have a dual boot system, it is just the Vista SP2 installed… At some point during the last year, I did mess up the MBR somehow when using some utilities; I had to run /fixMBR from a Vista Recovery Disc to be able to boot into Windows again… Dunno if that has anything to do with it…

I’ve attached the TDSSKiller log…

Well, I would have thought that the /fixmbr command should have set it back to a default MBR and not an unknown one, which is normally associated with either a dual boot system or something like a Dell or HP which might have a custom MBR to allow access to its recovery partition. So do you have a Dell/HP or other manufacturer’s system?

Well, in a way that’s not good in that TDSSKiller didn’t find anything, so this is going to need investigation by someone more experienced than me in malware removal, using more analysis tools. I will try and get someone to take a look at it, but they are likely to be in bed now (UK time 00:05am). So it would be much later today before they are back on the forums.

When you say this happens 8-12 consecutive times, perhaps this is too simplistic, but you could check your Task Scheduler and see if there are any tasks there that you didn’t create.

You could also try this little tool, svchostanalyzer.exe (http://www.neuber.com/free/svchost-analyzer/index.html), and see what is assigned to the PID of the svchost.exe taking up the high CPU%.

Hi David,

I took a few more screenshots of the problem. I got 6 avast! Network Shield warnings when I booted up today and a further 2-3 more once I opened my browser (Firefox 5). avast! seems to be blocking an instance of svchost.exe from opening derribazu.net/random file name & extension. I’m not 100% sure the process being blocked is the same with the high CPU %tage but seems most likely (PID 3620). I’m able to easily kill the process in Task Manager and all is fine after that (i.e. I get my CPU idle again). Could this be a false-positive? Following are attached:

  1. avast! warning popup
  2. Windows Task Manager shot (PID 3620)
  3. Svchost Analyzer shot (PID 3620)
  4. Security Task Manager shot (PID 3620) (next post)

Security Task Manager screenshot attached.

My system is an Acer Aspire 6920G. I do faintly remember seeing a Windows XP logo sometimes; I do not remember if it was when booting into the recovery partition or into the “Media Only” mode… I thought I had lost all that when I overwrote the MBR a year back…

I just got another avast popup, will post in the next msg (attachment limit is very small)

Here is another avast! popup I got just now while working on Firefox 5

Unfortunately the images you posted aren’t any help.

The idea of the svchost-analyser that I suggested is to first identify which svchost.exe occurrence is the one with the high CPU% (as you mentioned before) and note the PID (Process Identifier); that is the one you should look at in the svchost-analyser.

Once you open that one you will see all the different processes using that occurrence of svchost.exe as in my image. I would be looking for any strange looking processes, random looking names given their file location, etc.

But this does need further specialist analysis, the saving grace is that avast is blocking these attempts to connect to malicious sites.

Hi David,

The PID was 3620 and when checking in the analyzer, there are 0 processes/services running under it…That’s why the lower window is blank in the image…

I just now ran F-Secure Easyclean and it made me reboot once and found an infection of Trojan.Generic.KDV. It said it has cleaned it. Now I’m not getting any more avast! popups… Perhaps it’s resolved now…

When I ran Easyclean, I ran it on a fresh reboot of windows with that 50% CPU svchost process running… When I ran aswMBR yesterday, it was after I had killed that process… Perhaps that made a difference in the detection?..

What was the file name and location of the detection by Easyclean?

Hi there, methinks that a little analysis is required, and then mayhap dive in with a stronger dedicated tool.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

  1. Close ALL OTHER PROGRAMS.
  2. Double-click on OTS.exe to start the program.
  3. Check the box that says Scan All Users.
  4. Check the box that says 64 bit.
  5. Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  6. Under the Custom Scan box paste this in:

%USERPROFILE%..|smtmp;true;true;true /FP
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  7. Now click the Run Scan button on the toolbar.
  8. Let it run unhindered until it finishes.
  9. When the scan is complete Notepad will open with the report file loaded in it.
  10. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

@DavidR, that was the most frustrating thing, “EasyClean” provided no details whatsoever of whatever it cleaned!!! :P (other than the name)

@essexboy, thanks, will run the scan now and post once done…

Always hard to have faith in stuff like this when you can’t actually check out what it found.

Anyway hopefully now essexboy is on the case he will get to the bottom of it.

Cheers David!

@essexboy I’ve run the scan and uploaded the log to Mediafire… btw there wasn’t a 64 bit option box to check (attached the screenshot)… Thanks,

http://www.mediafire.com/?d5cw52uul6vm5ca

Oops, need to remove that line as it now autodetects.

On completion of this run, could you let me know what problems you are having?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\Neil\AppData\Roaming\Mozilla\FireFox\Profiles\nzoh2wg2.default\prefs.js
YN -> network.proxy.backup.ftp -> "127.0.0.1"
YN -> network.proxy.backup.ftp_port -> 9666
YN -> network.proxy.backup.gopher -> "127.0.0.1"
YN -> network.proxy.backup.gopher_port -> 9666
YN -> network.proxy.backup.socks -> ""
YN -> network.proxy.backup.socks_port -> 0
YN -> network.proxy.backup.ssl -> "127.0.0.1"
YN -> network.proxy.backup.ssl_port -> 9666
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 8580
YN -> network.proxy.share_proxy_settings -> true
YN -> network.proxy.socks_remote_dns -> true
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0A87E45F-537A-40B4-B812-E2544C21A09F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\AutoRun\command -> 
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\AutoRun\command\\"" -> [yjkjfuo.cmd]
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\explore\Command -> 
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\explore\Command\\"" -> [yjkjfuo.cmd]
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\open\Command -> 
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\open\Command\\"" -> [yjkjfuo.cmd]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> ~rdjddrg hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
[Files/Folders - Created Within 30 Days]
NY ->  SecTaskMan -> C:\ProgramData\SecTaskMan
NY ->  Security Task Manager -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
NY ->  Security Task Manager -> C:\Program Files\Security Task Manager
[Files/Folders - Modified Within 30 Days]
NY ->  Dat61AB.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat61AB.tmp.xsi
NY ->  Dat469B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat469B.tmp.xsi
NY ->  DatF771.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF771.tmp.xsi
NY ->  DatCCE7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatCCE7.tmp.xsi
NY ->  Dat873F.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat873F.tmp.xsi
NY ->  DatAF06.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatAF06.tmp.xsi
NY ->  Dat933B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat933B.tmp.xsi
NY ->  Dat901E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat901E.tmp.xsi
NY ->  DatDF73.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatDF73.tmp.xsi
NY ->  DatBAE2.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatBAE2.tmp.xsi
NY ->  Dat7069.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat7069.tmp.xsi
NY ->  Dat55D7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat55D7.tmp.xsi
NY ->  DatCF0A.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatCF0A.tmp.xsi
NY ->  DatE391.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE391.tmp.xsi
NY ->  DatE832.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE832.tmp.xsi
NY ->  Dat66C6.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat66C6.tmp.xsi
NY ->  Dat43CA.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat43CA.tmp.xsi
NY ->  DatD713.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD713.tmp.xsi
NY ->  DatF0B9.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF0B9.tmp.xsi
NY ->  DatE331.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE331.tmp.xsi
NY ->  DatA343.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA343.tmp.xsi
NY ->  Dat457A.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat457A.tmp.xsi
NY ->  DatA0FF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA0FF.tmp.xsi
NY ->  Dat508E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat508E.tmp.xsi
NY ->  Dat9B14.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat9B14.tmp.xsi
NY ->  Dat7847.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat7847.tmp.xsi
NY ->  Dat43EE.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat43EE.tmp.xsi
NY ->  DatFABD.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatFABD.tmp.xsi
NY ->  DatF7CF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF7CF.tmp.xsi
NY ->  DatEE7B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatEE7B.tmp.xsi
NY ->  Dat5B12.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat5B12.tmp.xsi
NY ->  DatD904.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD904.tmp.xsi
NY ->  DatA160.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA160.tmp.xsi
NY ->  Dat8B9E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8B9E.tmp.xsi
NY ->  Dat732D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat732D.tmp.xsi
NY ->  Dat618.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat618.tmp.xsi
NY ->  DatEF4D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatEF4D.tmp.xsi
NY ->  DatC32D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatC32D.tmp.xsi
NY ->  DatA7EF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA7EF.tmp.xsi
NY ->  Dat888C.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat888C.tmp.xsi
NY ->  Dat5C2E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat5C2E.tmp.xsi
NY ->  DatE3F1.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE3F1.tmp.xsi
NY ->  DatA471.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA471.tmp.xsi
NY ->  Dat69E0.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat69E0.tmp.xsi
NY ->  DatD731.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD731.tmp.xsi
NY ->  Dat715.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat715.tmp.xsi
NY ->  Dat9E83.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat9E83.tmp.xsi
NY ->  Dat8CB6.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8CB6.tmp.xsi
NY ->  Dat782C.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat782C.tmp.xsi
NY ->  Dat67C7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat67C7.tmp.xsi
NY ->  Dat4C1B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat4C1B.tmp.xsi
NY ->  DatF7A4.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF7A4.tmp.xsi
NY ->  Dat8D1E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8D1E.tmp.xsi
NY ->  Dat6F22.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat6F22.tmp.xsi
NY ->  y2oyun7u.exe -> C:\Users\Neil\Desktop\y2oyun7u.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Hi essexboy, could you please tell me what the fix will be fixing? Thanks!

Certainly - there are some proxies set on Firefox.
There is a malware run key.
Some malware mountpoints from an infected USB.
A few BHOs that are not nice to have.
And the virus defs taking up space from the F-Secure run.

If this does not resolve the problem then I will use something stronger
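The Firefox proxy hijack in the fix above (every scheme pointed at 127.0.0.1 on a port nothing legitimate listens on) is easy to spot by reading prefs.js directly. The following is an added example, not code from the thread or from OTS: it parses `user_pref` lines and flags any proxy host on the loopback interface. The sample prefs.js text is constructed from the entries in the fix; the `network.proxy.type` line is assumed (Firefox stores 1 there for a manual proxy) and is not in the original log.

```python
import re

# Constructed sample prefs.js, modelled on the proxy entries OTS listed above.
# network.proxy.type = 1 (manual proxy) is an assumption, not from the log.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.backup.ftp", "127.0.0.1");
user_pref("network.proxy.backup.ftp_port", 9666);
user_pref("network.proxy.backup.ssl", "127.0.0.1");
user_pref("network.proxy.backup.ssl_port", 9666);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8580);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
'''

# One user_pref("name", value); per line; value is a quoted string, int or bool.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_prefs(text):
    """Return {pref_name: typed_value} for every user_pref line in a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def proxy_findings(prefs):
    """Flag proxy hosts on loopback (with their port) and whether a manual proxy is active.
    Legitimate local proxies exist, so each hit should be matched to software you installed."""
    hits = []
    for name, value in sorted(prefs.items()):
        if name.startswith("network.proxy.") and value in LOOPBACK:
            hits.append(f"{name} -> {value}:{prefs.get(name + '_port')}")
    return {"manual_proxy": prefs.get("network.proxy.type") == 1,
            "loopback_proxies": hits}
```

Run it against the profile's prefs.js while Firefox is closed; the `backup.*` copies are what Firefox writes when `share_proxy_settings` is switched on, so they show the hijack even after the main `http` entry has been cleared.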