
Thread: Unknown svchost.exe DNS port 53 network activity


  1. #1
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    David H. Lipman wrote:
    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    >
    > | It turns out it wasn't normal. I had recently installed a P2P program
    > | on my PC and it had added a ton of entries in my hosts file. I'm
    > | surprised none of the spyware programs gave me even the slightest
    > | warning about these entries.
    > |
    > | Raffi
    >
    > Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
    > and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS
    > servers.
    >
    > Now having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry
    > setting that sets the order of name to address resolution, first the OS calls the hosts
    > file and if a name to IP address is listed the IP address of the .\etc\hosts table will be
    > used. If a name (alias) is not in that hosts table then the TCP/IP stack will cause a DNS
    > call to a DNS server which will then return the IP address.
    >
    > The way you have your original post worded SVCHOST was found to communicate with your ISP's
    > DNS server.
    >
    > One can only go by the wording of your original post and based upon what I read, I saw no
    > normality. While having modifications to the hosts table can be indicative of malicious
    > software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
    > computer to block malicious sites and the application is not malicious. If you can post
    > actual FireWall logs of DNS activity, Netstat dumps and the whole or extracts of the hosts
    > table, one can make a more definite determination of malware.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    Thanks for the reply. Removing the P2P software and clearing the
    \etc\hosts file did not correct the issue after all. I just logged in
    with the administrator account and the network activity is no longer
    there. This seems to be happening only when I log into my personal
    account. During my last login, SERVICES.EXE was making the connections
    rather than SVCHOST.EXE. Is there a way to determine if these files
    have been tampered with?

    I'll try to get more information from netstat etc.

    Raffi
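The resolution order Dave describes (hosts file first, then a DNS query only for names the file does not list) is also why a hosts file is worth reading rather than just clearing: a blocklist like the MVP Hosts file and a hijack both add lines, and the difference is where the names point. The following is an added example for this thread, not code posted by anyone in it. It parses a hosts file, separates blocklist-style entries (names sent to 127.0.0.1 or 0.0.0.0) from entries that send a name to a routable address, and flags the latter when the name belongs to an update or security-vendor domain. The watch list and the sample hosts content are the editor's assumptions and constructions, not anything taken from Raffi's machine.

```python
"""Triage a Windows hosts file.

Added example for this thread, not code from any poster. It separates
blocklist-style entries (names pointed at a loopback or unspecified
address, as the MVP Hosts file does) from entries that send a name to a
routable address, and flags the latter when the name belongs to a
vendor on an assumed watch list. The sample hosts content is constructed.
"""
import ipaddress
from collections import Counter

# A blocklist maps names here: the lookup succeeds, the connection goes nowhere.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: domains whose redirection to a routable address is a red flag
# (update and security-vendor sites are what hijacking entries target).
WATCH_DOMAINS = (
    "windowsupdate.com", "microsoft.com", "symantec.com", "mcafee.com",
    "kaspersky.com", "safer-networking.org", "lavasoft.de",
)

def _watched(name):
    """True if name is a watch-list domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        for name in parts[1:]:
            yield parts[0], name.lower(), no

def classify(ip, name):
    """Label one mapping: localhost, block, hijack or redirect."""
    if name == "localhost":
        return "localhost"
    if ip in SINKHOLE:
        return "block"
    if _watched(name):
        return "hijack"
    return "redirect"

def triage(text):
    """Return per-class counts and every entry that changes where a name resolves."""
    counts = Counter()
    findings = []
    for ip, name, no in parse_hosts(text):
        cls = classify(ip, name)
        counts[cls] += 1
        if cls in ("hijack", "redirect"):
            findings.append((no, cls, name, ip))
    return {"counts": dict(counts), "findings": findings}

# Constructed sample: a blocklist with two hijack lines and one internal redirect.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net          # blocklist-style entry
0.0.0.0         tracker.example.org
203.0.113.7     www.windowsupdate.com    # routable address: hijack
203.0.113.7     update.symantec.com
198.51.100.5    intranet.example.com     # routable, but not a watched name
"""

if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS)
    print(result["counts"])
    for no, cls, name, ip in result["findings"]:
        print(f"line {no}: {cls:8} {name} -> {ip}")
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts instead of SAMPLE_HOSTS. Entries in the "hijack" class are the ones to worry about: they do not block a name, they send it somewhere else, and the victim never notices because no error is returned. Note that a hosts entry of either kind suppresses the DNS query for that name rather than creating one, which is why an altered hosts file on its own does not explain unexpected port-53 traffic.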


  2. #2
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>

    |
    | Thanks for the reply. Removing the P2P software and clearing the
    | \etc\hosts file did not correct the issue after all. I just logged in
    | with the administrator account and the network activity is no longer
    | there. This seems to be happening only when I log into my personal
    | account. During my last login, SERVICES.EXE was making the connections
    | rather than SVCHOST.EXE. Is there a way to determine if these files
    | have been tampered with?
    |
    | I'll try to get more information from netstat etc.
    |
    | Raffi

    Yes. Download and use Process Explorer
    http://www.microsoft.com/technet/sys...sExplorer.mspx

    And look at not only the file name SERVICES.EXE but the fully qualified name and path.

    SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder; %windir%\system32
    If they are executed from any other location it is a sure sign of malware.

    Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
    legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
    malicious DLL files.

    You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
    in your everyday account. You indicated the activity stopped when you logged on as admin.
    thus what may be loaded to cause the activity is being loaded by that personal account.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
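As an added example (not code from Dave or anyone else in the thread) of the two checks above applied mechanically: given a list of processes with their image paths and loaded modules, as Process Explorer shows them, the script flags any services.exe or svchost.exe whose image is not in %windir%\system32, and any module such a process has loaded from outside the Windows directories. The process records are constructed to illustrate both cases; the value of %windir% and the set of trusted module roots are assumptions.

```python
"""Check where Windows service-host processes run from and what they load.

Added example for this thread, not code from any poster. The rule it
encodes is the one above: services.exe and svchost.exe belong in
%windir%\\system32, and a legitimate copy loading a DLL from outside the
Windows directories deserves a look. The process records are constructed
to resemble a Process Explorer view; %windir% is assumed to be C:\\WINDOWS.
"""
import ntpath

WINDIR = r"C:\WINDOWS"                       # assumption; read %windir% on a live host
SYSTEM32 = ntpath.join(WINDIR, "system32")
SERVICE_HOSTS = {"services.exe", "svchost.exe"}
# Locations from which a service host legitimately loads code (assumption).
TRUSTED_MODULE_ROOTS = (SYSTEM32, ntpath.join(WINDIR, "WinSxS"))

def _norm(path):
    """Case-fold and normalize a Windows path so comparisons are exact."""
    return ntpath.normcase(ntpath.normpath(path))

def _in_dir(path, directory):
    """True if path sits directly in directory (case-insensitive)."""
    return _norm(ntpath.dirname(path)) == _norm(directory)

def _beneath(path, root):
    """True if path is anywhere under root (case-insensitive)."""
    return _norm(path).startswith(_norm(root) + "\\")

def check_process(rec):
    """Return a list of (kind, detail) findings for one process record."""
    findings = []
    if rec["name"].lower() not in SERVICE_HOSTS:
        return findings                          # only the two service hosts are checked
    if not _in_dir(rec["path"], SYSTEM32):
        findings.append(("image_outside_system32", rec["path"]))
    for mod in rec["modules"]:
        if not any(_beneath(mod, root) for root in TRUSTED_MODULE_ROOTS):
            findings.append(("module_outside_trusted_dirs", mod))
    return findings

def triage(records):
    """Return [(pid, name, kind, detail)] for every suspicious record."""
    out = []
    for rec in records:
        for kind, detail in check_process(rec):
            out.append((rec["pid"], rec["name"], kind, detail))
    return out

# Constructed records: name, pid, image path, loaded modules. The third
# svchost loads a DLL from a user temp folder; the fourth runs from the
# wrong directory under the right name.
SAMPLE_PROCESSES = [
    {"name": "services.exe", "pid": 680, "path": r"C:\WINDOWS\system32\services.exe",
     "modules": [r"C:\WINDOWS\system32\ntdll.dll", r"C:\WINDOWS\system32\scesrv.dll"]},
    {"name": "svchost.exe", "pid": 1040, "path": r"C:\WINDOWS\system32\svchost.exe",
     "modules": [r"C:\WINDOWS\system32\dnsrslvr.dll",
                 r"C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll"]},
    {"name": "svchost.exe", "pid": 1480, "path": r"C:\WINDOWS\system32\svchost.exe",
     "modules": [r"C:\WINDOWS\system32\rpcss.dll",
                 r"C:\Documents and Settings\user\Local Settings\Temp\updsvc.dll"]},
    {"name": "SVCHOST.EXE", "pid": 2212, "path": r"C:\WINDOWS\svchost.exe",
     "modules": [r"C:\WINDOWS\svchost.exe"]},
]

if __name__ == "__main__":
    for pid, name, kind, detail in triage(SAMPLE_PROCESSES):
        print(f"pid {pid} {name}: {kind}: {detail}")
```

On the live machine the records come from Process Explorer (the lower-pane DLL view) or from tasklist /m, and tasklist /svc lists which services each svchost instance hosts, which narrows what a given PID should be doing. The module check is the more important of the two: Dave's point is that a genuine service host can be used to run somebody else's code, so "svchost.exe in system32" is never by itself a clean bill of health.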



  3. #3
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    David H. Lipman wrote:
    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    > |
    > | Thanks for the reply. Removing the P2P software and clearing the
    > | \etc\hosts file did not correct the issue after all. I just logged in
    > | with the administrator account and the network activity is no longer
    > | there. This seems to be happening only when I log into my personal
    > | account. During my last login, SERVICES.EXE was making the connections
    > | rather than SVCHOST.EXE. Is there a way to determine if these files
    > | have been tampered with?
    > |
    > | I'll try to get more information from netstat etc.
    > |
    > | Raffi
    >
    > Yes. Download and use Process Explorer
    > http://www.microsoft.com/technet/sys...sExplorer.mspx
    >
    > And look at not only the file name SERVICES.EXE but the fully qualified name and path.
    >
    > SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder; %windir%\system32
    > If they are executed from any other location it is a sure sign of malware.
    >
    > Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
    > legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
    > malicious DLL files.
    >
    > You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
    > in your everyday account. You indicated the activity stopped when you logged on as admin.
    > thus what may be loaded to cause the activity is being loaded by that personal account.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    Dave,

    Thanks for all the help and suggestions. I took the easy way out this
    time. I created a new user and transferred all important files
    (documents etc) to the new user. Then I deleted the original account.
    This fixed the issue.

    My guess is that this was some sort of malware. I did download process
    explorer for future use. Sorry I couldn't chase this any longer but
    this is my main workstation and I have a lot of work to do which had
    been on hold while I was chasing this.

    Thanks,
    Raffi


  4. #4
    Alun Jones Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    "Raffi" <thegrizzzly@yahoo.com> wrote in message
    news:1166691811.892612.183470@73g2000cwn.googlegroups.com...
    > David H. Lipman wrote:
    >> From: "Raffi" <thegrizzzly@yahoo.com>
    >>
    >> |
    >> | Thanks for the reply. Removing the P2P software and clearing the
    >> | \etc\hosts file did not correct the issue after all. I just logged in
    >> | with the administrator account and the network activity is no longer
    >> | there. This seems to be happening only when I log into my personal
    >> | account. During my last login, SERVICES.EXE was making the connections
    >> | rather than SVCHOST.EXE. Is there a way to determine if these files
    >> | have been tampered with?
    >> |
    >> | I'll try to get more information from netstat etc.
    >> |
    >> | Raffi
    >>
    >> Yes. Download and use Process Explorer
    >> http://www.microsoft.com/technet/sys...sExplorer.mspx
    >>
    >> And look at not only the file name SERVICES.EXE but the fully qualified
    >> name and path.
    >>
    >> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
    >> %windir%\system32
    >> If they are executed from any other location it is a sure sign of
    >> malware.
    >>
    >> Also, there are DLLs that can be loaded and use SERVICES.EXE and
    >> SVCHOST.EXE such that the
    >> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
    >> are loading
    >> malicious DLL files.
    >>
    >> You can also run MSCONFIG.EXE and compare what is loaded as administrator
    >> vs. what is loaded
    >> in your everyday account. You indicated the activity stopped when you
    >> logged on as admin.
    >> thus what may be loaded to cause the activity is being loaded by that
    >> personal account.
    >>
    >> --
    >> Dave
    >> http://www.claymania.com/removal-trojan-adware.html
    >> http://www.ik-cs.com/got-a-virus.htm

    >
    > Dave,
    >
    > Thanks for all the help and suggestions. I took the easy way out this
    > time. I created a new user and transferred all important files
    > (documents etc) to the new user. Then I deleted the original account.
    > This fixed the issue.
    >
    > My guess is that this was some sort of malware. I did download process
    > explorer for future use. Sorry I couldn't chase this any longer but
    > this is my main workstation and I have a lot of work to do which had
    > been on hold while I was chasing this.


    Since the problem is "fixed" by running under a different user, that really
    strongly points the finger at malware.

    However, I would definitely recommend that you not view this as being
    "fixed".

    It isn't.

    You still have that malware, and the "work" that you do on it is now exposed
    to the author of that malware, and anyone he chooses to share it with.

    Your most reliable bet would be to "flatten" the machine - take your work
    off to a backup device, reinstall the OS and your applications, and restore
    your work.

    And don't be running P2P applications on your work machine. P2P
    "file-sharing" is a great way to pick up malware, because you're downloading
    and then executing untrusted data and applications from unknown and
    untrusted third parties. Is it any wonder you got infected? Unless you
    remove the infection, and stop doing the things that got you infected,
    you'll stay infected, and you'll get infected again with the next thing that
    comes along. Eventually, your "work" will be spread around the world for
    everyone to enjoy. I don't think you want that.

    Alun.
    ~~~~



  5. #5
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    Alun Jones wrote:
    > "Raffi" <thegrizzzly@yahoo.com> wrote in message
    > news:1166691811.892612.183470@73g2000cwn.googlegroups.com...
    > > David H. Lipman wrote:
    > >> From: "Raffi" <thegrizzzly@yahoo.com>
    > >>
    > >> |
    > >> | Thanks for the reply. Removing the P2P software and clearing the
    > >> | \etc\hosts file did not correct the issue after all. I just logged in
    > >> | with the administrator account and the network activity is no longer
    > >> | there. This seems to be happening only when I log into my personal
    > >> | account. During my last login, SERVICES.EXE was making the connections
    > >> | rather than SVCHOST.EXE. Is there a way to determine if these files
    > >> | have been tampered with?
    > >> |
    > >> | I'll try to get more information from netstat etc.
    > >> |
    > >> | Raffi
    > >>
    > >> Yes. Download and use Process Explorer
    > >> http://www.microsoft.com/technet/sys...sExplorer.mspx
    > >>
    > >> And look at not only the file name SERVICES.EXE but the fully qualified
    > >> name and path.
    > >>
    > >> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
    > >> %windir%\system32
    > >> If they are executed from any other location it is a sure sign of
    > >> malware.
    > >>
    > >> Also, there are DLLs that can be loaded and use SERVICES.EXE and
    > >> SVCHOST.EXE such that the
    > >> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
    > >> are loading
    > >> malicious DLL files.
    > >>
    > >> You can also run MSCONFIG.EXE and compare what is loaded as administrator
    > >> vs. what is loaded
    > >> in your everyday account. You indicated the activity stopped when you
    > >> logged on as admin.
    > >> thus what may be loaded to cause the activity is being loaded by that
    > >> personal account.
    > >>
    > >> --
    > >> Dave
    > >> http://www.claymania.com/removal-trojan-adware.html
    > >> http://www.ik-cs.com/got-a-virus.htm

    > >
    > > Dave,
    > >
    > > Thanks for all the help and suggestions. I took the easy way out this
    > > time. I created a new user and transferred all important files
    > > (documents etc) to the new user. Then I deleted the original account.
    > > This fixed the issue.
    > >
    > > My guess is that this was some sort of malware. I did download process
    > > explorer for future use. Sorry I couldn't chase this any longer but
    > > this is my main workstation and I have a lot of work to do which had
    > > been on hold while I was chasing this.

    >
    > Since the problem is "fixed" by running under a different user, that really
    > strongly points the finger at malware.
    >
    > However, I would definitely recommend that you not view this as being
    > "fixed".
    >
    > It isn't.
    >
    > You still have that malware, and the "work" that you do on it is now exposed
    > to the author of that malware, and anyone he chooses to share it with.
    >
    > Your most reliable bet would be to "flatten" the machine - take your work
    > off to a backup device, reinstall the OS and your applications, and restore
    > your work.
    >
    > And don't be running P2P applications on your work machine. P2P
    > "file-sharing" is a great way to pick up malware, because you're downloading
    > and then executing untrusted data and applications from unknown and
    > untrusted third parties. Is it any wonder you got infected? Unless you
    > remove the infection, and stop doing the things that got you infected,
    > you'll stay infected, and you'll get infected again with the next thing that
    > comes along. Eventually, your "work" will be spread around the world for
    > everyone to enjoy. I don't think you want that.
    >
    > Alun.
    > ~~~~


    The "problem" was back overnight. I'll post more information soon.

    Raffi


  6. #6
    David H. Lipman Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    From: "Raffi" <thegrizzzly@yahoo.com>


    |
    | The "problem" was back overnight. I'll post more information soon.
    |
    | Raffi



    If you are using any version of Sun Java that is prior to JRE Version 6.0,
    then you are strongly urged to remove any/all versions.
    There are vulnerabilities in them and they are actively being exploited.

    It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
    Version 6.0

    Simple check, look under...
    C:\Program Files\Java

    The only folder under that folder should be the latest version.

    Such as...
    C:\Program Files\Java\jre1.6.0

    http://java.sun.com/javase/downloads/index.jsp
    http://www.java.com/en/download/manual.jsp

    FYI:
    http://sunsolve.sun.com/search/docum...=1-26-102557-1
    http://sunsolve.sun.com/search/docum...=1-26-102648-1
    http://sunsolve.sun.com/search/docum...=1-26-102622-1


    For non-viral malware...

    Please download, install and update the following software...

    * Ad-aware SE v1.06
    http://www.lavasoft.de/
    http://www.lavasoftusa.com/
    http://www.lavasoft.de/ms/index.htm

    * SpyBot Search and Destroy v1.4
    http://security.kolla.de/
    http://www.safer-networking.org/microsoft.en.html

    * SuperAntiSpyware
    http://www.superantispyware.com/supe...freevspro.html

    After the software is updated, I suggest scanning the system in Safe Mode.

    I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
    that may be on the PC.

    * BHODemon

    http://www.majorgeeks.com/downloadge...4332b4b8b8442d

    For viral malware...

    * Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file. http://www.ik-cs.com/multi-av.htm

    Additional Instructions:
    http://pcdid.com/Multi_AV.htm


    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  7. #7
    Raffi Guest

    Re: Unknown svchost.exe DNS port 53 network activity


    David H. Lipman wrote:
    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    >
    > |
    > | The "problem" was back overnight. I'll post more information soon.
    > |
    > | Raffi
    >
    >
    >
    > If you are using any version of Sun Java that is prior to JRE Version 6.0,
    > then you are strongly urged to remove any/all versions.
    > There are vulnerabilities in them and they are actively being exploited.
    >
    > It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
    > Version 6.0
    >
    > Simple check, look under...
    > C:\Program Files\Java
    >
    > The only folder under that folder should be the latest version.
    >
    > Such as...
    > C:\Program Files\Java\jre1.6.0
    >
    > http://java.sun.com/javase/downloads/index.jsp
    > http://www.java.com/en/download/manual.jsp
    >
    > FYI:
    > http://sunsolve.sun.com/search/docum...=1-26-102557-1
    > http://sunsolve.sun.com/search/docum...=1-26-102648-1
    > http://sunsolve.sun.com/search/docum...=1-26-102622-1
    >
    >
    > For non-viral malware...
    >
    > Please download, install and update the following software...
    >
    > * Ad-aware SE v1.06
    > http://www.lavasoft.de/
    > http://www.lavasoftusa.com/
    > http://www.lavasoft.de/ms/index.htm
    >
    > * SpyBot Search and Destroy v1.4
    > http://security.kolla.de/
    > http://www.safer-networking.org/microsoft.en.html
    >
    > * SuperAntiSpyware
    > http://www.superantispyware.com/supe...freevspro.html
    >
    > After the software is updated, I suggest scanning the system in Safe Mode.
    >
    > I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
    > that may be on the PC.
    >
    > * BHODemon
    >
    > http://www.majorgeeks.com/downloadge...4332b4b8b8442d
    >
    > For viral malware...
    >
    > * Download MULTI_AV.EXE from the URL --
    > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
    >
    > To use this utility, perform the following...
    > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; C:\AV-CLS\StartMenu.BAT
    > { or Double-click on 'Start Menu' in C:\AV-CLS }
    >
    > NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    > FireWall to allow it to download the needed AV vendor related files.
    >
    > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    > This will bring up the initial menu of choices and should be executed in Normal Mode.
    > This way all the components can be downloaded from each AV vendor's web site.
    > The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
    >
    > You can choose to go to each menu item and just download the needed files or you can
    > download the files and perform a scan in Normal Mode. Once you have downloaded the files
    > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    > during boot] and re-run the menu again and choose which scanner you want to run in Safe
    > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
    >
    > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    > file. http://www.ik-cs.com/multi-av.htm
    >
    > Additional Instructions:
    > http://pcdid.com/Multi_AV.htm
    >
    >
    > * * * Please report back your results * * *
    >
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    I have found the process responsible for the Port 53 traffic.
    Suspending this process in Process Explorer stops the network activity.
    Resuming it restarts the activity. Below are the details.

    Process: svchost.exe Pid: 944

    Type Name
    Desktop \Default
    Directory \KnownDlls
    Directory \Windows
    Directory \BaseNamedObjects
    File C:\WINDOWS\system32
    File \Device\KsecDD
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File \Device\NamedPipe\net\NtControlPipe5
    File \Device\Tcp
    File \Device\Ip
    File \Device\Tcp
    File \Device\Ip
    File \Device\Ip
    File C:\WINDOWS\system32\drivers\etc
    File \Device\Tcp
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\WMIDataDevice
    File \Device\WMIDataDevice
    File \Device\NamedPipe\lsarpc
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    Key HKLM
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
    Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
    Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
    Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
    Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
    KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
    Mutant \BaseNamedObjects\DCS_grd
    Port \RPC Control\DNSResolver
    Process svchost.exe(944)
    Section \BaseNamedObjects\DCS_raw
    Section \BaseNamedObjects\DCS_LOGraw
    Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Thread svchost.exe(944): 948
    Thread svchost.exe(944): 3036
    Thread svchost.exe(944): 972
    Thread svchost.exe(944): 976
    Thread svchost.exe(944): 3036
    Thread svchost.exe(944): 460
    Thread svchost.exe(944): 460
    Thread svchost.exe(944): 1344
    Thread svchost.exe(944): 3548
    Thread svchost.exe(944): 3548
    Thread svchost.exe(944): 1392
    Thread svchost.exe(944): 1392
    Thread svchost.exe(944): 1404
    Thread svchost.exe(944): 1708
    Thread svchost.exe(944): 1404
    Thread svchost.exe(944): 1708
    WindowStation \Windows\WindowStations\Service-0x0-3e4$
    WindowStation \Windows\WindowStations\Service-0x0-3e4$
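A handle list like the one above is easier to review once it is parsed. The script below is an added example for this thread, not code from any poster. It reads the "Type Name" listing, counts handles per type, and pulls out the three things that matter for port-53 traffic: whether the process holds the \RPC Control\DNSResolver port and an open handle on the drivers\etc directory (both are what a svchost instance hosting the DNS Client service holds, and that service issues port-53 queries on behalf of every other program on the box, so suspending it stops the traffic whoever is asking for the lookups), how many UDP endpoints it has open, and which named synchronization objects it owns, since names such as DCS_grd and DCS_raw are not identified anywhere in the thread and are the strings to look up. The embedded dump is an excerpt of the list posted above.

```python
"""Review a Process Explorer handle list for a svchost instance.

Added example for this thread, not code from any poster. It parses the
"Type Name" listing, counts handles per type, checks for the objects a
svchost hosting the DNS Client service holds (the DNSResolver RPC port,
an open handle on drivers\\etc, UDP endpoints), and lists the named
synchronization objects so their names can be looked up. The embedded
dump is an excerpt of the list posted above.
"""
from collections import Counter

HANDLE_TYPES = {
    "Desktop", "Directory", "File", "Key", "KeyedEvent", "Mutant", "Port",
    "Process", "Section", "Semaphore", "Thread", "WindowStation", "Event",
}
SYNC_TYPES = {"Mutant", "Section", "Semaphore", "Event"}
BNO = "\\BaseNamedObjects\\"

def parse_handles(text):
    """Return [(type, name)] from a Process Explorer handle listing."""
    handles = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in HANDLE_TYPES:
            continue                      # header, "Process:" line or blank
        handles.append((parts[0], parts[1].strip()))
    return handles

def review(text):
    """Summarize the listing and pull out what matters for port-53 traffic."""
    handles = parse_handles(text)
    files = [n for t, n in handles if t == "File"]
    return {
        "by_type": dict(Counter(t for t, _ in handles)),
        # LRPC endpoint registered by the DNS Client (Dnscache) service
        "dns_resolver_port": ("Port", r"\RPC Control\DNSResolver") in handles,
        # the resolver keeps the hosts-file directory open
        "hosts_dir_open": any(n.lower().endswith(r"\drivers\etc") for n in files),
        "udp_endpoints": sum(1 for n in files if n == r"\Device\Udp"),
        # names to search for; the thread does not identify the DCS_* objects
        "named_objects": [n for t, n in handles if t in SYNC_TYPES and n.startswith(BNO)],
    }

# Excerpt of the handle list posted above (svchost.exe, PID 944).
HANDLE_DUMP = r"""Process: svchost.exe Pid: 944

Type Name
File C:\WINDOWS\system32
File \Device\KsecDD
File \Device\NamedPipe\net\NtControlPipe5
File \Device\Tcp
File \Device\Udp
File C:\WINDOWS\system32\drivers\etc
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Mutant \BaseNamedObjects\DCS_grd
Port \RPC Control\DNSResolver
Process svchost.exe(944)
Section \BaseNamedObjects\DCS_raw
Section \BaseNamedObjects\DCS_LOGraw
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread svchost.exe(944): 948
"""

if __name__ == "__main__":
    for key, value in review(HANDLE_DUMP).items():
        print(f"{key}: {value}")
```

On the machine itself, tasklist /svc /fi "PID eq 944" shows which services that svchost instance hosts, and Process Explorer's DLL view shows the service DLLs it loaded. If it is the DNS Client, the handle list says only that name resolution is happening; the thing generating the lookups, and loading only under one account, is what the per-account MSCONFIG comparison earlier in the thread is meant to surface.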


  8. #8
    Stefan Kanthak Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

    > From: "Raffi" <thegrizzzly@yahoo.com>
    >
    >
    > |
    > | The "problem" was back overnight. I'll post more information soon.
    > |
    > | Raffi
    >
    >
    >
    > If you are using any version of Sun Java that is prior to JRE Version 6.0,
    > then you are strongly urged to remove any/all versions.
    > There are vulnerabilities in them and they are actively being exploited.


    Stop spreading FUD!
    1.5.0_10 as well as 1.4.2_13 have no known vulnerabilities!

    > It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
    > Version 6.0


    It's completely sufficient to have the latest version of 1.5.0 or 1.4.2
    installed and all previous versions (manually!) removed.
    There are still quite some applets and java applications out there which
    won't run with JRE6 or even JRE5!

    > Simple check, look under...
    > C:\Program Files\Java


    | dir "C:\Program Files\"
    |
    | File not found

    When will you learn to use "%ProgramFiles%"?

    > The only folder under that folder should be the latest version.
    >
    > Such as...
    > C:\Program Files\Java\jre1.6.0
    >
    > http://java.sun.com/javase/downloads/index.jsp
    > http://www.java.com/en/download/manual.jsp
    >
    > FYI:
    > http://sunsolve.sun.com/search/docum...=1-26-102557-1
    > http://sunsolve.sun.com/search/docum...=1-26-102648-1
    > http://sunsolve.sun.com/search/docum...=1-26-102622-1
    >
    >
    > For non-viral malware...
    >
    > Please download, install and update the following software...


    Alun already gave the ONLY CORRECT advice: flatten and rebuild.

    Stefan

    fup microsoft.public.security


  9. #9
    Gabriele Neukam Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    On this special day, David H. Lipman wrote :

    > If you are using any version of Sun Java that is prior to JRE Version 6.0,
    > then you are strongly urged to remove any/all versions.


    You should replace the six with a nine or ten.

    http://sunsolve.sun.com/search/docum...=1-26-102729-1
    http://sunsolve.sun.com/search/docum...=1-26-102731-1
    http://sunsolve.sun.com/search/docum...=1-26-102732-1

    are the newest alerts by Sun.


    Gabriele Neukam

    Gabriele.Spamfighter.Neukam@t-online.de

    --
    With Windows you throw out what you don't need.
    With Linux you throw in what you need.
    (René 'vollmi' Vollmeier in de.comp.security.misc)



  10. #10
    William Guest

    Re: Unknown svchost.exe DNS port 53 network activity

    On 12/21/2006 9:49 AM, something possessed Alun Jones to write:
    > "Raffi" <thegrizzzly@yahoo.com> wrote in message
    > news:1166691811.892612.183470@73g2000cwn.googlegroups.com...
    >> David H. Lipman wrote:
    >>> From: "Raffi" <thegrizzzly@yahoo.com>
    >>>
    >>> |
    >>> | Thanks for the reply. Removing the P2P software and clearing the
    >>> | \etc\hosts file did not correct the issue after all. I just logged in
    >>> | with the administrator account and the network activity is no longer
    >>> | there. This seems to be happening only when I log into my personal
    >>> | account. During my last login, SERVICES.EXE was making the connections
    >>> | rather than SVCHOST.EXE. Is there a way to determine if these files
    >>> | have been tampered with?
    >>> |
    >>> | I'll try to get more information from netstat etc.
    >>> |
    >>> | Raffi
    >>>
    >>> Yes. Download and use Process Explorer
    >>> http://www.microsoft.com/technet/sys...sExplorer.mspx
    >>>
    >>> And look at not only the file name SERVICES.EXE but the fully qualified
    >>> name and path.
    >>>
    >>> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
    >>> %windir%\system32
    >>> If they are executed from any other location it is a sure sign of
    >>> malware.
    >>>
    >>> Also, there are DLLs that can be loaded and use SERVICES.EXE and
    >>> SVCHOST.EXE such that the
    >>> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
    >>> are loading
    >>> malicious DLL files.
    >>>
    >>> You can also run MSCONFIG.EXE and compare what is loaded as administrator
    >>> vs. what is loaded
    >>> in your everyday account. You indicated the activity stopped when you
    >>> logged on as admin.
    >>> thus what may be loaded to cause the activity is being loaded by that
    >>> personal account.
    >>>
    >>> --
    >>> Dave
    >>> http://www.claymania.com/removal-trojan-adware.html
    >>> http://www.ik-cs.com/got-a-virus.htm

    >> Dave,
    >>
    >> Thanks for all the help and suggestions. I took the easy way out this
    >> time. I created a new user and transferred all important files
    >> (documents etc) to the new user. Then I deleted the original account.
    >> This fixed the issue.
    >>
    >> My guess is that this was some sort of malware. I did download process
    >> explorer for future use. Sorry I couldn't chase this any longer but
    >> this is my main workstation and I have a lot of work to do which had
    >> been on hold while I was chasing this.

    >
    > Since the problem is "fixed" by running under a different user, that really
    > strongly points the finger at malware.

    Agree with you here
    >
    > However, I would definitely recommend that you not view this as being
    > "fixed".
    >
    > It isn't.

    It could be, but a more thorough checkup is in order
    >
    > You still have that malware, and the "work" that you do on it is now exposed
    > to the author of that malware, and anyone he chooses to share it with.
    >
    > Your most reliable bet would be to "flatten" the machine - take your work
    > off to a backup device, reinstall the OS and your applications, and restore
    > your work.

    Yes, that is the only way to entirely be sure that you're using a clean
    machine. However, that probably isn't necessary. I would recommend
    using David Lipman's multi-AV scan either in Safe Mode as administrator
    (so that you'll have access to all files) or using BartPE (if these AV
    proggies can be incorporated into a BartPE disc).
    >
    > And don't be running P2P applications on your work machine.

    Depends on which P2P and what it's used for
    > P2P
    > "file-sharing" is a great way to pick up malware, because you're downloading
    > and then executing untrusted data and applications from unknown and
    > untrusted third parties.

    Not necessarily. If you're just using it to illegally download music
    and videos (not program executables), and you're careful about how you
    play these (I wouldn't rely on Windows to launch them, for example, but
    load them in Winamp, and don't let Winamp connect to Internet), then
    you're more or less safe. Also, more than likely, the P2P proggie you
    used had its own malware (like Navaccel or something like that).
    Finally, some P2P proggies (such as Bittorrent) can be used safely (like
    for downloading Linux distros), since even though you're downloading
    from other computers, the tracker is administered by the Linux
    Distribution and, to my knowledge, it's not possible yet to alter a file
    or set of files once the tracker has already been posted without posting
    a new torrent tracker.
    > Is it any wonder you got infected? Unless you
    > remove the infection, and stop doing the things that got you infected,
    > you'll stay infected, and you'll get infected again with the next thing that
    > comes along. Eventually, your "work" will be spread around the world for
    > everyone to enjoy. I don't think you want that.
    >
    > Alun.
    > ~~~~
    >
    >

