Thread: Unknown svchost.exe DNS port 53 network activity

  1. #1
    Raffi Guest

    Unknown svchost.exe DNS port 53 network activity

    First off sorry for cross posting. I'm not sure what this is although
    it resembles a trojan.

    I noticed heavy activity on my router as well as my workstation LAN
    connection icon in the tray. After some digging it appears to be a svchost
    process that is listening on port 53 with a remote address of my ISP's
    DNS server. My router is not set to forward DNS traffic to a specific
    system.

    I have run the following without any success in catching this bug

    AntiVir antivirus
    Avast antivirus
    Spybot S&D
    Ad Aware
    AVG antispyware

    I got the following information for the related process from Port
    Explorer

    Command line: c:\windows\system32\svchost.exe -k Network Service

    Any help in identifying this bug and cleaning will be greatly
    appreciated.

    Thanks,
    Raffi


  2. #2
    jmatt@webace.com.au Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    Raffi wrote:
    > After some digging it appears to be a svchost
    > process that is listening on port 53 with a remote address of my ISP's
    > DNS server.


    svchost port 53

    http://www.google.com.au/search?hl=e...e+Search&meta=


  3. #3
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>

    | First off sorry for cross posting. I'm not sure what this is although
    | it resembles a trojan.
    |
    | I noticed heavy activity on my router as well as my workstation LAN
    | connection icon in the tray. After some digging it appears to be a svchost
    | process that is listening on port 53 with a remote address of my ISP's
    | DNS server. My router is not set to forward DNS traffic to a specific
    | system.
    |
    | I have run the following without any success in catching this bug
    |
    | AntiVir antivirus
    | Avast antivirus
    | Spybot S&D
    | Ad Aware
    | AVG antispyware
    |
    | I got the following information for the related process from Port
    | Explorer
    |
    | Command line: c:\windows\system32\svchost.exe -k Network Service
    |
    | Any help in identifying this bug and cleaning will be greatly
    | appreciated.
    |
    | Thanks,
    | Raffi

    Yeah, excessive cross-posting for domain name resolution!

    Unless you can prove that there is something causing DNS calls outside your ISP Domain, this
    is NORMAL.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  4. #4
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    David H. Lipman wrote:
    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    > | First off sorry for cross posting. I'm not sure what this is although
    > | it resembles a trojan.
    > |
    > | I noticed heavy activity on my router as well as my workstation LAN
    > | connection icon in the tray. After some digging it appears to be a svchost
    > | process that is listening on port 53 with a remote address of my ISP's
    > | DNS server. My router is not set to forward DNS traffic to a specific
    > | system.
    > |
    > | I have run the following without any success in catching this bug
    > |
    > | AntiVir antivirus
    > | Avast antivirus
    > | Spybot S&D
    > | Ad Aware
    > | AVG antispyware
    > |
    > | I got the following information for the related process from Port
    > | Explorer
    > |
    > | Command line: c:\windows\system32\svchost.exe -k Network Service
    > |
    > | Any help in identifying this bug and cleaning will be greatly
    > | appreciated.
    > |
    > | Thanks,
    > | Raffi
    >
    > Yeah, excessive cross-posting for domain name resolution!
    >
    > Unless you can prove that there is something causing DNS calls outside your ISP Domain, this
    > is NORMAL.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    It turns out it wasn't normal. I had recently installed a P2P program
    on my PC and it had added a ton of entries in my hosts file. I'm
    surprised none of the spyware programs gave me even the slightest
    warning about these entries.

    Raffi


  5. #5
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>


    | It turns out it wasn't normal. I had recently installed a P2P program
    | on my PC and it had added a ton of entries in my hosts file. I'm
    | surprised none of the spyware programs gave me even the slightest
    | warning about these entries.
    |
    | Raffi

    Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
    and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS
    servers.

    Now, having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry
    setting that sets the order of name to address resolution, first the OS calls the hosts
    file, and if a name to IP address mapping is listed, the IP address from the .\etc\hosts table will be
    used. If a name (alias) is not in that hosts table, then the TCP/IP stack will cause a DNS
    call to a DNS server which will then return the IP address.

    The way you have your original post worded SVCHOST was found to communicate with your ISP's
    DNS server.

    One can only go by the wording of your original post and, based upon what I read, I saw no
    abnormality. While having modifications to the hosts table can be indicative of malicious
    software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
    computer to block malicious sites and the application is not malicious. If you can post
    actual firewall logs of DNS activity, netstat dumps and the whole or extracts of the hosts
    table, one can make a more definite determination of malware.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
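Dave's distinction between a blocking hosts file (MVP Hosts style, names mapped to 0.0.0.0 or 127.0.0.1) and a redirecting one can be checked mechanically. The script below is an added example, not code from the thread; it reads the live hosts file at the standard path under %SystemRoot% and separates "sink" entries from entries that point a name at a routable address.

```powershell
# Added example, not from the thread: triage the Windows hosts file.
# Blocklist-style hosts files (the MVP Hosts file mentioned above, or the
# entries many P2P installers add) map names to 0.0.0.0 or 127.0.0.1, which
# merely makes those names unreachable. An entry that maps a name to a
# routable address instead redirects traffic and deserves a closer look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Addresses that "sink" a name rather than redirect it.
$sinkAddresses = @('0.0.0.0', '127.0.0.1', '::1')

$entries = @(Get-Content -Path $hostsPath -ErrorAction Stop | ForEach-Object {
    # Drop trailing comments and whitespace; skip blank or comment-only lines.
    $line = ($_ -split '#', 2)[0].Trim()
    if ($line -eq '') { return }
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { return }   # address with no name: malformed
    [PSCustomObject]@{
        Address = $fields[0]
        Names   = $fields[1..($fields.Count - 1)] -join ' '
    }
})

$blocking  = @($entries | Where-Object { $sinkAddresses -contains $_.Address })
$redirects = @($entries | Where-Object { $sinkAddresses -notcontains $_.Address })

"Hosts file : $hostsPath"
"Entries    : $($entries.Count) total, $($blocking.Count) blocking, $($redirects.Count) redirecting"

if ($redirects.Count -gt 0) {
    ""
    "Entries that redirect a name to a routable address (review each one):"
    $redirects | Format-Table -Property Address, Names -AutoSize
}
```

A large count of blocking entries after installing a P2P client matches what Raffi describes and is not by itself malicious; redirecting entries for banks, search engines or security vendors are the ones worth comparing against a clean copy.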



  6. #6
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    David H. Lipman wrote:
    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    >
    > | It turns out it wasn't normal. I had recently installed a P2P program
    > | on my PC and it had added a ton of entries in my hosts file. I'm
    > | surprised none of the spyware programs gave me even the slightest
    > | warning about these entries.
    > |
    > | Raffi
    >
    > Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
    > and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS
    > servers.
    >
    > Now, having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry
    > setting that sets the order of name to address resolution, first the OS calls the hosts
    > file, and if a name to IP address mapping is listed, the IP address from the .\etc\hosts table will be
    > used. If a name (alias) is not in that hosts table, then the TCP/IP stack will cause a DNS
    > call to a DNS server which will then return the IP address.
    >
    > The way you have your original post worded SVCHOST was found to communicate with your ISP's
    > DNS server.
    >
    > One can only go by the wording of your original post and, based upon what I read, I saw no
    > abnormality. While having modifications to the hosts table can be indicative of malicious
    > software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
    > computer to block malicious sites and the application is not malicious. If you can post
    > actual firewall logs of DNS activity, netstat dumps and the whole or extracts of the hosts
    > table, one can make a more definite determination of malware.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    Thanks for the reply. Removing the P2P software and clearing the
    \etc\hosts file did not correct the issue after all. I just logged in
    with the administrator account and the network activity is no longer
    there. This seems to be happening only when I log into my personal
    account. During my last login, SERVICES.EXE was making the connections
    rather than SVCHOST.EXE. Is there a way to determine if these files
    have been tampered with?

    I'll try to get more information from netstat etc.

    Raffi


  7. #7
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>

    |
    | Thanks for the reply. Removing the P2P software and clearing the
    | \etc\hosts file did not correct the issue after all. I just logged in
    | with the administrator account and the network activity is no longer
    | there. This seems to be happening only when I log into my personal
    | account. During my last login, SERVICES.EXE was making the connections
    | rather than SVCHOST.EXE. Is there a way to determine if these files
    | have been tampered with?
    |
    | I'll try to get more information from netstat etc.
    |
    | Raffi

    Yes. Download and use Process Explorer
    http://www.microsoft.com/technet/sys...sExplorer.mspx

    And look at not only the file name SERVICES.EXE but the fully qualified name and path.

    SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder; %windir%\system32
    If they are executed from any other location it is a sure sign of malware.

    Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
    legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
    malicious DLL files.

    You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
    in your everyday account. You indicated the activity stopped when you logged on as admin,
    thus what may be loaded to cause the activity is being loaded by that personal account.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
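The two checks Dave describes (is the binary really running from %windir%\system32, and which DLLs is a legitimate svchost loading on behalf of its services) can be scripted instead of read off Process Explorer by hand. This is an added example, not code from the thread or from Sysinternals; it assumes an elevated PowerShell prompt and uses the Win32_Process and Win32_Service CIM classes plus each service's ServiceDll registry value.

```powershell
# Added example, not from the thread: verify the on-disk location of every
# services.exe / svchost.exe instance and list the services (and service DLLs)
# each svchost is hosting. Run from an elevated prompt so the executable path
# and command line are readable for processes owned by other accounts.
$expectedDir = Join-Path $env:SystemRoot 'System32'

$procs = Get-CimInstance -ClassName Win32_Process `
    -Filter "Name='services.exe' OR Name='svchost.exe'"

# Map each service's host process ID (as a string key) to its service records.
$byPid = Get-CimInstance -ClassName Win32_Service |
    Group-Object -Property ProcessId -AsHashTable -AsString

foreach ($p in $procs) {
    $dir = if ($p.ExecutablePath) { Split-Path -Parent $p.ExecutablePath } else { $null }
    $verdict = 'UNEXPECTED LOCATION: ' + $dir
    if ($dir -ieq $expectedDir) { $verdict = 'expected location' }
    if (-not $dir) { $verdict = 'path not readable (run elevated)' }
    "{0,-12} PID {1,-6} {2}" -f $p.Name, $p.ProcessId, $verdict
    "    cmdline: $($p.CommandLine)"

    # A legitimate svchost is only as trustworthy as the DLLs it loads on
    # behalf of its services; those come from each service's ServiceDll value.
    foreach ($svc in @($byPid["$($p.ProcessId)"])) {
        if (-not $svc) { continue }
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $regPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = '(no ServiceDll; see ' + $svc.PathName + ')' }
        "    service {0,-24} {1}" -f $svc.Name, $dll
    }
}
```

Run it once from the administrator account and once from the everyday account that shows the traffic; a ServiceDll outside %SystemRoot%, or a process whose path is not the expected directory, is the kind of difference the MSCONFIG comparison above is meant to surface.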


