Re: Unknown svchost.exe DNS port 53 network activity

Posted by David H. Lipman on December 20, 2006, 4:26 pm
| First off sorry for cross posting. I'm not sure what this is although
| it resembles a trojan.
|
| I noticed heavy activity on my router as well as my workstation LAN
| connection icon in the tray. After some digging appears to be a svchost
| process that is listening on port 53 with a remote address of my ISP's
| DNS server. My router is not set to forward DNS traffic to a specific
| system.
|
| I have run the following without any success in catching this bug
|
| AntiVir antivirus
| Avast antivirus
| Spybot S&D
| Ad Aware
| AVG antispyware
|
| I got the following information for the related process from Port
| Explorer
|
| Command line: c:\windows\system32\svchost.exe -k Network Service
|
| Any help in identifying this bug and cleaning will be greatly
| appreciated.
|
| Thanks,
| Raffi

Yeah, excessive Cross-Posting for Domain Name Resolution!

Unless you can prove that there is something causing DNS calls outside your ISP Domain, this is NORMAL.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Raffi on December 20, 2006, 8:01 pm

David H. Lipman wrote:
>
> | First off sorry for cross posting. I'm not sure what this is although
> | it resembles a trojan.
> |
> | I noticed heavy activity on my router as well as my workstation LAN
> | connection icon in the tray. After some digging appears to be a svchost
> | process that is listening on port 53 with a remote address of my ISP's
> | DNS server. My router is not set to forward DNS traffic to a specific
> | system.
> |
> | I have run the following without any success in catching this bug
> |
> | AntiVir antivirus
> | Avast antivirus
> | Spybot S&D
> | Ad Aware
> | AVG antispyware
> |
> | I got the following information for the related process from Port
> | Explorer
> |
> | Command line: c:\windows\system32\svchost.exe -k Network Service
> |
> | Any help in identifying this bug and cleaning will be greatly
> | appreciated.
> |
> | Thanks,
> | Raffi
>
> Yeah, excessive Cross-Posting for Domain Name Resolution!
>
> Unless you can prove that there is something causing DNS calls outside your ISP Domain, this is NORMAL.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

It turns out it wasn't normal. I had recently installed a P2P program
on my PC and it had added a ton of entries in my hosts file. I'm
surprised none of the spyware programs gave me even the slightest
warning about these entries.

Raffi


Posted by David H. Lipman on December 20, 2006, 8:22 pm


| It turns out it wasn't normal. I had recently installed a P2P program
| on my PC and it had added a ton of entries in my hosts file. I'm
| surprised none of the spyware programs gave me even the slightest
| warning about these entries.
|
| Raffi

Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS servers.

Now having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry setting that sets the order of name to address resolution, first the OS calls the hosts file and if a name to IP address is listed the IP address of the .\etc\hosts table will be used. If a name (alias) is not in that hosts table then the TCP/IP stack will cause a DNS call to a DNS server which will then return the IP address.

The way you have your original post worded, SVCHOST was found to communicate with your ISP's DNS server.

One can only go by the wording of your original post and based upon what I read, I saw no abnormality. While having modifications to the hosts table can be indicative of malicious software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their computer to block malicious sites and the application is not malicious. If you can post actual FireWall logs of DNS activity, Netstat dumps and the whole or extracts of the hosts table, one can make a more definite determination of malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Raffi on December 20, 2006, 9:03 pm

David H. Lipman wrote:
>
>
> | It turns out it wasn't normal. I had recently installed a P2P program
> | on my PC and it had added a ton of entries in my hosts file. I'm
> | surprised none of the spyware programs gave me even the slightest
> | warning about these entries.
> |
> | Raffi
>
> Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS servers.
>
> Now having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry setting that sets the order of name to address resolution, first the OS calls the hosts file and if a name to IP address is listed the IP address of the .\etc\hosts table will be used. If a name (alias) is not in that hosts table then the TCP/IP stack will cause a DNS call to a DNS server which will then return the IP address.
>
> The way you have your original post worded, SVCHOST was found to communicate with your ISP's DNS server.
>
> One can only go by the wording of your original post and based upon what I read, I saw no abnormality. While having modifications to the hosts table can be indicative of malicious software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their computer to block malicious sites and the application is not malicious. If you can post actual FireWall logs of DNS activity, Netstat dumps and the whole or extracts of the hosts table, one can make a more definite determination of malware.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Thanks for the reply. Removing the P2P software and clearing the
\etc\hosts file did not correct the issue after all. I just logged in
with the administrator account and the network activity is no longer
there. This seems to be happening only when I log into my personal
account. During my last login, SERVICES.EXE was making the connections
rather than SVCHOST.EXE. Is there a way to determine if these files
have been tampered with?

I'll try to get more information from netstat etc.

Raffi


Posted by David H. Lipman on December 20, 2006, 9:13 pm

| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happening only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder %windir%\system32.
If they are executed from any other location it is a sure sign of malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading malicious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded in your everyday account. You indicated the activity stopped when you logged on as admin, thus what may be loaded to cause the activity is being loaded by that personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
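The two checks Dave describes in this thread, the hosts-table entries that pre-empt DNS and the image path of every running SERVICES.EXE / SVCHOST.EXE, as one added PowerShell triage script (example code written for this page, not from the thread or from Sysinternals). It assumes a modern PowerShell and, for the process paths of system services, an elevated prompt; the loopback/0.0.0.0 exclusion reflects how MVP-style blocking hosts files work and is an assumption of the example.

```powershell
# Added example (not from the thread): defender-side triage of the two points
# raised above. Run from an elevated PowerShell so system process paths are visible.

$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$system32  = (Join-Path $env:windir 'System32').ToLower()

# 1) Hosts-table entries are consulted before any DNS query, so any name listed
#    here never reaches the ISP's DNS server. Loopback / 0.0.0.0 mappings are the
#    benign "block this site" form (MVP hosts file); anything else redirects a name
#    to a real address and deserves a look.
$benignTargets = @('127.0.0.1', '::1', '0.0.0.0')
Write-Host '== Hosts-table entries that redirect names to a real address =='
Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#')[0].Trim() } |   # strip comments
    Where-Object { $_ -ne '' } |
    ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Count -ge 2) {
            [pscustomobject]@{
                Address = $parts[0]
                Names   = ($parts | Select-Object -Skip 1) -join ' '
            }
        }
    } |
    Where-Object { $_.Address -notin $benignTargets } |
    Format-Table -AutoSize

# 2) services.exe and svchost.exe are only legitimate when executed from
#    %windir%\system32. Any other image path is the "sure sign" in Dave's reply.
Write-Host '== services.exe / svchost.exe image paths =='
Get-Process -Name services, svchost -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.Path            # $null when not elevated
        $inSystem32 = $path -and $path.ToLower().StartsWith($system32 + '\')
        [pscustomobject]@{
            PID     = $_.Id
            Name    = $_.ProcessName
            Path    = if ($path) { $path } else { '<not visible: run elevated>' }
            Verdict = if ($inSystem32) { 'expected location' }
                      elseif ($path)   { 'UNEXPECTED LOCATION - investigate' }
                      else             { 'unknown' }
        }
    } |
    Format-Table -AutoSize
```

A legitimate svchost.exe in system32 can still host a malicious DLL, as the post notes, so an "expected location" verdict only clears the executable itself, not the modules it has loaded.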


