SVCHOST.exe

Giarc86

Expert Member | Joined: May 28, 2008 | Messages: 1,236
Good day
Once again I seem to have contracted a Trojan or malware that has attached itself to svchost.exe.

I have net meter monitoring my internet connection and I notice now and then it suddenly goes mad, downloading the MB's away. This is eating into my cap. As soon as I close one of the svchost.exe processes it stops downloading for a few seconds. Then the process will reappear and start all over again. I have run spybot, avg and sdfix and they have not found or corrected the problem.

I got Process Explorer and can see the process starting up again a few seconds after I've disabled it. As soon as it's closed it stops.

The services in this process when I view its properties are:
BITS - system32/qmgr.dll
EventSystem - system32/es/dll
SENS - system32/sens.dll
W32Time - system32/w32time.dll
winmgmt - system32/wbem/WMIsvc.dll

What could be the cause? I don't have any applications open that would download anything in the background.

Thanks :)

EDIT: I found that once I stop the BITS service inside the SVCHOST.exe process it stops downloading.
 
I've seen this exe chow 100% resources, which has been linked to corrupted printer spooler files......

...but never seen it download before.

best to google "svchost" or "svchost downloading virus"
 
Windows Updates maybe?

I have automatic updates disabled, always have had it off. Don't know if something's overriding it?
I've seen this exe chow 100% resources, which has been linked to corrupted printer spooler files......

...but never seen it download before.

best to google "svchost" or "svchost downloading virus"

And I've been Googling it the past afternoon; I just find topics, as you mentioned, about using 100% resources, nothing about downloading.

It really is puzzling, surely if all my Windows Updates are disabled it shouldn't be doing anything?
 
I've seen this exe chow 100% resources, which has been linked to corrupted printer spooler files......

...but never seen it download before.

best to google "svchost" or "svchost downloading virus"

If it chows 100% resources then it's a Win problem....

Possible problems

1. Windows reading a corrupted File
2. A virus is trying to edit win file or delete which windows is replacing them every second
3. Spyware reading Win info and duplicating/copying Win regs
4. I really don't know then

Edit: SVCHOST.exe cannot ever be edited, deleted, modified or stopped.
 
Download Malware Anti-bytes, they're pretty good @ picking up trojans, spyware etc...

or you could try HijackThis! perhaps? (bit more technical)???
 
This svchost.exe is always separate from the others, and it can be stopped unlike the others.

I can post my hijack this log here if need be? Will give Malware Anti-bytes a try
 
This svchost.exe is always separate from the others, and it can be stopped unlike the others.

I can post my hijack this log here if need be? Will give Malware Anti-bytes a try

Is it a system or a Network Service?
I was talking about System svchost.exe.
 
Using Process Explorer, check the location of the svchost processes and post it here; also post a HijackThis log.

What antivirus are you using? If you don't have one:

1. Go to www.eset.co.za and download the trial and do a full scan.
2. Go to www.malwarebytes.org/ download, update and do a quick scan.
 
BITS is for Background Intelligent Transfer Service - to allow for updates and information to be downloaded while your network is "idle".

Just right click on My Computer -> Manage -> Services and see if Background Intelligent Transfer Service is started or running. It should be on "Manual" by default.

I would stop it and set it to manual / disabled to stop it from downloading while you are trying to spot what's causing the crap :)
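The two checks the thread does by hand (which services a given svchost.exe is hosting and from which DLL, and whether BITS is the one moving bytes) can be scripted. The following is an added example, not code from the thread or from any of the tools it mentions; it assumes an elevated PowerShell on Windows 7 or later (the BitsTransfer module and Get-CimInstance did not exist on the XP box in the thread, where tasklist /svc and the Services MMC are the equivalents). Function names are my own.

```powershell
# Added example (not from the thread): map each svchost.exe to the services it
# hosts, check the image and service DLLs, and inspect BITS jobs and start mode.
# Run in an elevated PowerShell on Windows 7+; service names and paths are
# whatever the local machine reports, nothing here is hard-coded to this thread.

# 1. Which services live in which svchost.exe, from which DLL, and is it signed?
function Get-SvchostServiceMap {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId -ne 0 } |
        ForEach-Object {
            # The hosted DLL is recorded under the service's Parameters key.
            $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $regKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            [pscustomobject]@{
                PID        = $_.ProcessId
                Service    = $_.Name
                StartMode  = $_.StartMode          # Auto / Manual / Disabled
                State      = $_.State
                Group      = ($_.PathName -replace '.*-k\s+(\S+).*', '$1')   # the -k group
                ServiceDll = $dll
                DllSigned  = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
            }
        } | Sort-Object PID, Service
}

# 2. Is every running svchost.exe the real image under System32?
function Test-SvchostImages {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-Process -Name svchost | ForEach-Object {
        [pscustomobject]@{
            PID      = $_.Id
            Path     = $_.Path
            Expected = ($_.Path -ieq $expected)
            Signed   = if ($_.Path) { (Get-AuthenticodeSignature $_.Path).Status } else { 'unknown' }
        }
    }
}

# 3. How is BITS set to start, and what is it transferring right now?
function Get-BitsStatus {
    Import-Module BitsTransfer
    $svc  = Get-CimInstance Win32_Service -Filter "Name='BITS'"
    $jobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        StartMode = $svc.StartMode
        State     = $svc.State
        JobCount  = $jobs.Count
        Jobs      = $jobs | ForEach-Object {
            [pscustomobject]@{
                Name  = $_.DisplayName
                Owner = $_.OwnerAccount
                State = $_.JobState
                Bytes = "$($_.BytesTransferred)/$($_.BytesTotal)"
                Files = ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; '
            }
        }
    }
}

# Usage: review the maps first, then decide what to stop.
Get-SvchostServiceMap | Format-Table -AutoSize
Test-SvchostImages    | Format-Table -AutoSize
Get-BitsStatus        | Format-List
# To do what the thread suggests once you have looked at the jobs:
#   Stop-Service BITS; Set-Service BITS -StartupType Manual
```

The things worth a second look in the output are a svchost.exe whose Path is not under System32, a ServiceDll that lives outside System32 or whose signature status is not Valid, a service group (-k) you do not recognise, and BITS jobs whose owner or remote URLs you cannot account for. In the thread's case the fix was simply BITS being set to Automatic; the job list would have shown what it was fetching before the service was stopped.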
 
It is located in C:\WINDOWS\System32\svchost.exe

Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:46:26 PM, on 2009/04/15
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NetMeter\NetMeter.exe
C:\Documents and Settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Active Desktop Calendar\ADC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Craig\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Craig\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Temp\Process Explorer\procexp.exe
C:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239192236125
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5764 bytes

Malwarebytes found 3 disabled security centre entries
 
BITS is for Background Intelligent Transfer Service - to allow for updates and information to be downloaded while your network is "idle".

Just right click on My Computer -> Manage -> Services and see if Background Intelligent Transfer Service is started or running. It should be on "Manual" by default.

I would stop it and set it to manual / disabled to stop it from downloading while you are trying to spot what's causing the crap :)

There we go :D Thanks for that, it seems to have solved the problem. Why it was on automatic, I have no idea, I certainly didn't put it on.
Normally the simplest of things work.

Thanks to all for your help :)
 
Funny, actually.

Since my re-install of Vista Ultimate, my security package updates me virtually every time I reboot to a system process (svchost.exe) asking for permission to access the internet at various destinations (IP addy's listed beneath) as well as acting as 'server', which is unusual. I think I can rule out infection, almost sure. WUS is also ruled out, as that has all been completed manually and subsequently switched 'off'.

I attempt to block access and it simply re-issues the request to a different destination IP or port. I ran a tracert on the IPs and it's somewhere in the States. But this new issue has eaten into two of my internet caps... as much as 500 MB in one day. My bandwidth meter is always d/l something - what could it possibly be up to? ;)

ZA Alert Log:

Host service for windows services was unable to obtain permission for connecting to the Internet
(235.255.255.250 p:3702)
(235.255.255.250 p:1900)
(235.255.255.250 p:67)

(192.168.1.1 P:53) my router's local address?
 
Google RavMonE.exe search for a remover
 
Google RavMonE.exe search for a remover

lol Yeah I have had my ravmon episodes before, I have smartantivirus which removes it always, I was just a bit careless today and put my sister's flash drive in, which picks up all the undesirables from UCT, and didn't scan it beforehand.

I should have removed ravmon before I did the hijackthis scan.

But the BITS was what was causing the problem, not ravmon.

Thanks though :)
 
lol Yeah I have had my ravmon episodes before, I have smartantivirus which removes it always, I was just a bit careless today and put my sister's flash drive in, which picks up all the undesirables from UCT, and didn't scan it beforehand.

I should have removed ravmon before I did the hijackthis scan.

But the BITS was what was causing the problem, not ravmon.

Thanks though :)

Are you referring to smartantivirus2009? If so, that's not good as that's a derivative of antivirus2009 which is a virus/rogue ware.

Install nod32, visit www.eset.co.za and download it.

Smart Antivirus 2009 is dangerous malware. It pretends to be anti-virus, but it causes much damage on the infected computer and it's useless as a security tool. SmartAntivirus2009 attacks people with large numbers of security notifications and requires paying $50 for removing detected threats. Smart Antivirus 2009 is not capable of locating or deleting infections; all the alerts are fabricated. This malware loads plenty of falsified pop-up messages related to computer security, but some system errors might be true because SmartAntivirus 2009 may damage some vital components of the Windows operating system. It may also install additional malware. Do not trust Smart Antivirus 2009 and remove it immediately upon detection.

Smart Antivirus 2009 is distributed on s-avirus2009.com and other malicious websites. Block s-avirus2009.com using your HOSTS file and don't trust any website that sells SmartAntivirus 2009.
 