svchost.exe

Hi everybody!
After surfing the web for hours I can’t find a solution to my problem. I’m sure I have a trojan, but no antivirus can find it and it reappears after formatting my disk…
I think it’s perhaps a variant of backdoor.beast, because the problem comes with the svchost.exe file, which connects to the web every time I start my system and sends a lot of information to the web (I see a lot of activity with ZoneAlarm). When I block internet access for this file I can’t connect to the web anymore… And when I try to delete the file (in the system32 folder, I have Windows XP), it reappears only a few seconds later… I can’t believe it! Also, when I kill the process in the task manager, it reappears a few seconds later and wants to act as a local and a server service… very strange. ???
Any idea which trojan the problem comes from?
Thanks in advance for help.

did you try http://housecall.trendmicro.com ?

they just released scan engine 6.810 for the housecall scanner :smiley:

I have tried Norton, BitDefender, Trend Micro (updated), Anti-Trojan, AVG, Kaspersky, avast (which was the best for me), but none of them finds this virus…

First of all, the file svchost.exe in the System32 folder (under Win2000/XP) is a system file which is needed. If you want us to take a closer look at your “problem”, please post a HijackThis log.
You can download the program here: http://mjc1.com/mirror/hjt/
Download, unzip and start the exe file. Press “scan”, then “save log”; after saving it, post the content (via copy/paste) of the editor window which will appear.

Logfile of HijackThis v1.97.7
Scan saved at 16:33:42, on 27.11.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\program files\amp winoff\winoff.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU..\Run: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.1785300926

I see nothing special except the two svchost.exe processes and the spoolsv.exe, which also tries to connect to the web…
:-[

The problem is not a virus; it seems to be a browser hijacker. Maybe this info will help: http://www.spywareinfo.com/~merijn/cwschronicles.html .
Please post a new log after using CWShredder.

I think you’re right, because CWShredder found 5 infected start pages:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html

CWShredder has fixed these infected entries, as you can see in the new HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:03:02, on 28.11.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\program files\amp winoff\winoff.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.di.fm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU..\Run: [AMP WinOFF] c:\program files\amp winoff\winoff.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37927.1785300926

But the problem with the svchost.exe and the spoolsv.exe files has not disappeared. I think it’s perhaps a new variant of the CoolWebSearch browser hijack. My internet access has slowed down, I have some graphical problems in my internet browser when loading, and strange traffic while surfing… So I really think it’s a browser hijack, but I don’t have any redirection to other websites, perhaps because I use Crazy Browser, which blocks popup windows. Any ideas? Should I contact the CWShredder author?

No, your log seems to be clean. You must remember it is normal that svchost connects to the Internet. It depends on which services you have started. You may take a look at this site: http://www.blackviper.com/WinXP/servicecfg.htm
But be aware of what you are doing!!

You must remember it is normal that svchost connects to the Internet. It depends on which services you have started

Ok, but is it normal that the svchost and spoolsv services always connect to the web at Windows startup and want to act as local and server services?!

I do not use a desktop firewall, but that is possible. Some parts of the services are used to automatically update Windows, universal plug’n play, time sync, and so on.

I still haven’t solved my problem, and I experienced very strange things yesterday: I couldn’t connect to the web anymore, but I saw with my firewall that the svchost.exe file (generic host process for Win32 services) was running and sending information to the web… And today I can connect to the web again, but the svchost.exe file is still running…

Here’s a list of the services using the svchost.exe file and running:

Service                           Exécutable                        Statut   Démarrage

WZCSVC                            svchost.exe -k netsvcs            Running  Auto
wuauserv                          svchost.exe -k netsvcs            Running  Auto
WmdmPmSp                          svchost.exe -k netsvcs            Running  Auto
winmgmt                           svchost.exe -k netsvcs            Running  Auto
WebClient                         svchost.exe -k LocalService       Running  Auto
W32Time                           svchost.exe -k netsvcs            Running  Auto
uploadmgr                         svchost.exe -k netsvcs            Running  Auto
TrkWks                            svchost.exe -k netsvcs            Running  Auto
Themes                            svchost.exe -k netsvcs            Running  Auto
TermService                       svchost.exe -k netsvcs            Running  Manual
SSDPSRV                           svchost.exe -k LocalService       Running  Manual
srservice                         svchost.exe -k netsvcs            Running  Auto
ShellHWDetection                  svchost.exe -k netsvcs            Running  Auto
SENS                              svchost.exe -k netsvcs            Running  Auto
seclogon                          svchost.exe -k netsvcs            Running  Auto
Schedule                          svchost.exe -k netsvcs            Running  Auto
RpcSs                             svchost -k rpcss                  Running  Auto
RemoteRegistry                    svchost.exe -k LocalService       Running  Auto
Nla                               svchost.exe -k netsvcs            Running  Manual
Netman                            svchost.exe -k netsvcs            Running  Manual
Messenger                         svchost.exe -k netsvcs            Running  Auto
LmHosts                           svchost.exe -k LocalService       Running  Auto
lanmanworkstation                 svchost.exe -k netsvcs            Running  Auto
lanmanserver                      svchost.exe -k netsvcs            Running  Auto
helpsvc                           svchost.exe -k netsvcs            Running  Auto
FastUser Switching Compatibility  svchost.exe -k netsvcs            Running  Manual
EventSystem                       svchost.exe -k netsvcs            Running  Manual
ERSvc                             svchost.exe -k netsvcs            Running  Auto
Dnscache                          svchost.exe -k NetworkService     Running  Auto
dmserver                          svchost.exe -k netsvcs            Running  Auto
Dhcp                              svchost.exe -k netsvcs            Running  Auto
CryptSvc                          svchost.exe -k netsvcs            Running  Auto
Browser                           svchost.exe -k netsvcs            Running  Auto
AudioSrv                          svchost.exe -k netsvcs            Running  Auto

Does anyone see something unusual?
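The listing above is the kind of data the thread keeps circling around: each `-k <group>` is a service host group, every service in the same group shares one svchost.exe instance, and "unusual" means an entry whose host executable is not svchost or whose group is not one Windows defines. The script below is an added example, not code from the thread or from any tool mentioned in it. It parses a listing in the same format as the post (a subset of the post's lines plus two constructed anomalous lines, labelled in the code), tallies services per group, and flags the two kinds of oddity. The `KNOWN_GROUPS` allow-list is an assumption for illustration; on a real machine the authoritative list is the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`.

```python
"""Group a pasted Windows service listing by svchost -k group and flag oddities.

Added example for the thread above; the listing format is
"<service name> <executable> -k <group> <status> <startup type>".
"""
import re
from collections import defaultdict

# Assumption: a static allow-list of XP-era service host groups, for illustration.
# On a live system, read the group names from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost instead.
KNOWN_GROUPS = {"netsvcs", "LocalService", "NetworkService", "rpcss",
                "DcomLaunch", "termsvcs", "imgsvc", "HTTPFilter"}

# Service names may contain spaces ("FastUser Switching Compatibility"),
# so the name is matched non-greedily up to the executable token.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<exe>\S+)\s+-k\s+(?P<group>\S+)\s+"
    r"(?P<status>Running|Stopped)\s+(?P<start>Auto|Manual|Disabled)$")

# First ten lines are copied from the post; the last two are CONSTRUCTED
# anomalies (a look-alike host executable and a misspelt group) for the demo.
SAMPLE_LISTING = """\
Service Exécutable Statut Démarrage
WZCSVC svchost.exe -k netsvcs Running Auto
wuauserv svchost.exe -k netsvcs Running Auto
WebClient svchost.exe -k LocalService Running Auto
SSDPSRV svchost.exe -k LocalService Running Manual
RpcSs svchost -k rpcss Running Auto
RemoteRegistry svchost.exe -k LocalService Running Auto
Messenger svchost.exe -k netsvcs Running Auto
lanmanserver svchost.exe -k netsvcs Running Auto
FastUser Switching Compatibility svchost.exe -k netsvcs Running Manual
Dnscache svchost.exe -k NetworkService Running Auto
UpdHelper svchosts.exe -k netsvcs Running Auto
SyncAgent svchost.exe -k netsvc Running Auto
"""


def parse_listing(text):
    """Return one dict per service line; header and blank lines are skipped."""
    services = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse copy/paste whitespace
        m = LINE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return services


def group_services(services):
    """Map each -k group to the names of the services it hosts."""
    groups = defaultdict(list)
    for s in services:
        groups[s["group"]].append(s["name"])
    return dict(groups)


def expected_svchost_instances(services):
    """One svchost.exe process is expected per distinct -k group."""
    return len({s["group"] for s in services})


def find_anomalies(services, known_groups=KNOWN_GROUPS):
    """Flag entries not hosted by svchost, or hosted under an unknown group."""
    findings = []
    for s in services:
        # RpcSs is listed as bare "svchost" (no .exe) on XP, so accept both forms.
        if s["exe"].lower() not in ("svchost.exe", "svchost"):
            findings.append((s["name"], "unexpected host executable " + s["exe"]))
        if s["group"] not in known_groups:
            findings.append((s["name"], "unknown service group " + s["group"]))
    return findings


if __name__ == "__main__":
    svcs = parse_listing(SAMPLE_LISTING)
    for group, names in sorted(group_services(svcs).items()):
        print(f"{group:16s} {len(names):2d} service(s): {', '.join(names)}")
    print("expected svchost.exe instances:", expected_svchost_instances(svcs))
    for name, reason in find_anomalies(svcs):
        print(f"CHECK {name}: {reason}")
```

Run on the post's full listing, the group count is four (netsvcs, LocalService, rpcss, NetworkService), so four svchost.exe instances would be expected in the process list; a sustained connection from svchost is then attributed to a service in one of those groups rather than to the host binary itself. The two constructed lines show what a finding looks like; an entry that parses cleanly but points at a look-alike executable name is exactly what a signature scanner may miss and a per-service review catches.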

I think the problem has gone! ;D
I have disabled the SSDPSRV service and the strange svchost.exe activity has disappeared…
I still have no idea what kind of problem it was. Anyway, thanks a lot for the help (the blackviper link was very useful!) :wink:

Finally, the problem has not disappeared… :cry:
I still have the same problems. It’s very strange, because the problem appears only every Thursday or Friday: I can’t connect to the web anymore and something is using the svchost.exe service and sending traffic to the web. I have disabled all useless and dangerous services which use the svchost.exe file, but the problem still remains. And I found something strange too: I can connect to the web again when I use a link in some application (for example the help link in ZoneAlarm). Totally confusing… :-[