Re: Unknown svchost.exe DNS port 53 network activity

Microsoft Antivirus Discussions
In reply to: Re: Unknown svchost.exe DNS port 53 network activity, David H. Lipman, 12-20-2006
Posted by Raffi on December 21, 2006, 4:03 am
David H. Lipman wrote:
>
> |
> | Thanks for the reply. Removing the P2P software and clearing the
> | \etc\hosts file did not correct the issue after all. I just logged in
> | with the administrator account and the network activity is no longer
> | there. This seems to be happening only when I log into my personal
> | account. During my last login, SERVICES.EXE was making the connections
> | rather than SVCHOST.EXE. Is there a way to determine if these files
> | have been tampered with?
> |
> | I'll try to get more information from netstat etc.
> |
> | Raffi
>
> Yes. Download and use Process Explorer
>
> http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
>
> And look at not only the file name SERVICES.EXE but the fully qualified name
> and path.
>
> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
> %windir%\system32
> If they are executed from any other location it is a sure sign of malware.
>
> Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE
> such that the legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and
> used but are loading malicious DLL files.
>
> You can also run MSCONFIG.EXE and compare what is loaded as administrator vs.
> what is loaded in your everyday account. You indicated the activity stopped
> when you logged on as admin, thus what may be loaded to cause the activity is
> being loaded by that personal account.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Dave,

Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.

My guess is that this was some sort of malware. I did download process
explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have a lot of work to do which had
been on hold while I was chasing this.

Thanks,
Raffi
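
Dave's advice quoted above (look at the fully qualified path of every SERVICES.EXE and SVCHOST.EXE instance, not just the file name) can be made into a repeatable check. The script below is an added example and not code from this thread or from Sysinternals: it reads a process listing in the CSV shape that `wmic process get ExecutablePath,Name,ProcessId /format:csv` produces and flags any services.exe or svchost.exe whose directory is not `%windir%\system32`. The embedded listing is constructed for illustration; the PIDs and the two non-system paths in it are made up.

```python
r"""Flag services.exe / svchost.exe instances not running from %windir%\system32.

Added example (not from the thread). Input is a wmic-style CSV listing so it runs
offline; on a live machine feed it the real wmic output, or the Path column
that Process Explorer shows for each process.
"""
import csv
import io
import ntpath
import os
from typing import Dict, List

# Constructed sample in the column order wmic's CSV format uses (alphabetical).
# PIDs and the two non-system paths are made up to exercise the checks.
SAMPLE_WMIC_CSV = """Node,ExecutablePath,Name,ProcessId
WORKSTN,C:\\WINDOWS\\system32\\services.exe,services.exe,668
WORKSTN,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,944
WORKSTN,C:\\WINDOWS\\System32\\svchost.exe,svchost.exe,1020
WORKSTN,C:\\Documents and Settings\\user\\Application Data\\svchost.exe,svchost.exe,2312
WORKSTN,C:\\WINDOWS\\svchost.exe,SVCHOST.EXE,2560
WORKSTN,,svchost.exe,1180
WORKSTN,C:\\WINDOWS\\explorer.exe,explorer.exe,1500
"""

# Image names that must only ever run from %windir%\system32 (per the thread).
SYSTEM_HOSTS = {"services.exe", "svchost.exe"}


def expected_dir(windir: str) -> str:
    """Normalised (lower-case, backslash) form of %windir%\\system32."""
    return ntpath.normcase(ntpath.join(windir, "system32"))


def check_process_paths(csv_text: str, windir: str = "C:\\WINDOWS") -> List[Dict[str, str]]:
    """Return one finding per services.exe/svchost.exe row in the listing.

    The comparison is on the *directory* of the image, case-insensitive, which
    is what matters: a copy named svchost.exe in a user profile folder is the
    case the thread warns about. On a live machine pass os.environ["windir"].
    """
    want = expected_dir(windir)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Name"].lower() not in SYSTEM_HOSTS:
            continue
        path = row["ExecutablePath"]
        if not path:
            # wmic leaves the path blank when the caller cannot open the
            # process; re-run elevated rather than assume it is fine.
            verdict = "UNKNOWN: no path reported (query again as administrator)"
        elif ntpath.normcase(ntpath.dirname(path)) == want:
            verdict = "OK"
        else:
            verdict = "SUSPICIOUS: outside " + ntpath.join(windir, "system32")
        findings.append({"pid": row["ProcessId"], "name": row["Name"],
                         "path": path, "verdict": verdict})
    return findings


def suspicious(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for f in findings if f["verdict"].startswith("SUSPICIOUS")]


if __name__ == "__main__":
    windir = os.environ.get("windir", "C:\\WINDOWS")
    for f in check_process_paths(SAMPLE_WMIC_CSV, windir):
        print(f"{f['pid']:>6}  {f['name']:<14} {f['verdict']:<40} {f['path']}")
```

Two rows come back as suspicious (the profile-folder copy and the one directly under `C:\WINDOWS`), and the row with no path is reported as unknown rather than silently passed. One caveat the thread predates: on 64-bit Windows a legitimate 32-bit `svchost.exe` also lives under `%windir%\SysWOW64`, so that directory would need to be added to the allowed set there.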


Posted by Alun Jones on December 21, 2006, 12:49 pm
> David H. Lipman wrote:
>>
>> |
>> | Thanks for the reply. Removing the P2P software and clearing the
>> | \etc\hosts file did not correct the issue after all. I just logged in
>> | with the administrator account and the network activity is no longer
>> | there. This seems to be happening only when I log into my personal
>> | account. During my last login, SERVICES.EXE was making the connections
>> | rather than SVCHOST.EXE. Is there a way to determine if these files
>> | have been tampered with?
>> |
>> | I'll try to get more information from netstat etc.
>> |
>> | Raffi
>>
>> Yes. Download and use Process Explorer
>>
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
>>
>> And look at not only the file name SERVICES.EXE but the fully qualified
>> name and path.
>>
>> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
>> %windir%\system32
>> If they are executed from any other location it is a sure sign of
>> malware.
>>
>> Also, there are DLLs that can be loaded and use SERVICES.EXE and
>> SVCHOST.EXE such that the
>> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
>> are loading
>> malicious DLL files.
>>
>> You can also run MSCONFIG.EXE and compare what is loaded as administrator
>> vs. what is loaded
>> in your everyday account. You indicated the activity stopped when you
>> logged on as admin.
>> thus what may be loaded to cause the activity is being loaded by that
>> personal account.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm
>
> Dave,
>
> Thanks for all the help and suggestions. I took the easy way out this
> time. I created a new user and transferred all important files
> (documents etc) to the new user. Then I deleted the original account.
> This fixed the issue.
>
> My guess is that this was some sort of malware. I did download process
> explorer for future use. Sorry I couldn't chase this any longer but
> this is my main workstation and I have a lot of work to do which had
> been on hold while I was chasing this.

Since the problem is "fixed" by running under a different user, that really
strongly points the finger at malware.

However, I would definitely recommend that you not view this as being
"fixed".

It isn't.

You still have that malware, and the "work" that you do on it is now exposed
to the author of that malware, and anyone he chooses to share it with.

Your most reliable bet would be to "flatten" the machine - take your work
off to a backup device, reinstall the OS and your applications, and restore
your work.

And don't be running P2P applications on your work machine. P2P
"file-sharing" is a great way to pick up malware, because you're downloading
and then executing untrusted data and applications from unknown and
untrusted third parties. Is it any wonder you got infected? Unless you
remove the infection, and stop doing the things that got you infected,
you'll stay infected, and you'll get infected again with the next thing that
comes along. Eventually, your "work" will be spread around the world for
everyone to enjoy. I don't think you want that.

Alun.
~~~~



Posted by Raffi on December 21, 2006, 1:18 pm

Alun Jones wrote:
> > David H. Lipman wrote:
> >>
> >> |
> >> | Thanks for the reply. Removing the P2P software and clearing the
> >> | \etc\hosts file did not correct the issue after all. I just logged in
> >> | with the administrator account and the network activity is no longer
> >> | there. This seems to be happening only when I log into my personal
> >> | account. During my last login, SERVICES.EXE was making the connections
> >> | rather than SVCHOST.EXE. Is there a way to determine if these files
> >> | have been tampered with?
> >> |
> >> | I'll try to get more information from netstat etc.
> >> |
> >> | Raffi
> >>
> >> Yes. Download and use Process Explorer
> >>
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
> >>
> >> And look at not only the file name SERVICES.EXE but the fully qualified
> >> name and path.
> >>
> >> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
> >> %windir%\system32
> >> If they are executed from any other location it is a sure sign of
> >> malware.
> >>
> >> Also, there are DLLs that can be loaded and use SERVICES.EXE and
> >> SVCHOST.EXE such that the
> >> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
> >> are loading
> >> malicious DLL files.
> >>
> >> You can also run MSCONFIG.EXE and compare what is loaded as administrator
> >> vs. what is loaded
> >> in your everyday account. You indicated the activity stopped when you
> >> logged on as admin.
> >> thus what may be loaded to cause the activity is being loaded by that
> >> personal account.
> >>
> >> --
> >> Dave
> >> http://www.claymania.com/removal-trojan-adware.html
> >> http://www.ik-cs.com/got-a-virus.htm
> >
> > Dave,
> >
> > Thanks for all the help and suggestions. I took the easy way out this
> > time. I created a new user and transferred all important files
> > (documents etc) to the new user. Then I deleted the original account.
> > This fixed the issue.
> >
> > My guess is that this was some sort of malware. I did download process
> > explorer for future use. Sorry I couldn't chase this any longer but
> > this is my main workstation and I have a lot of work to do which had
> > been on hold while I was chasing this.
>
> Since the problem is "fixed" by running under a different user, that really
> strongly points the finger at malware.
>
> However, I would definitely recommend that you not view this as being
> "fixed".
>
> It isn't.
>
> You still have that malware, and the "work" that you do on it is now exposed
> to the author of that malware, and anyone he chooses to share it with.
>
> Your most reliable bet would be to "flatten" the machine - take your work
> off to a backup device, reinstall the OS and your applications, and restore
> your work.
>
> And don't be running P2P applications on your work machine. P2P
> "file-sharing" is a great way to pick up malware, because you're downloading
> and then executing untrusted data and applications from unknown and
> untrusted third parties. Is it any wonder you got infected? Unless you
> remove the infection, and stop doing the things that got you infected,
> you'll stay infected, and you'll get infected again with the next thing that
> comes along. Eventually, your "work" will be spread around the world for
> everyone to enjoy. I don't think you want that.
>
> Alun.
> ~~~~

The "problem" was back overnight. I'll post more information soon.

Raffi


Posted by David H. Lipman on December 21, 2006, 4:34 pm


|
| The "problem" was back overnight. I'll post more information soon.
|
| Raffi



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java
JRE/JSE Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser
Helper Objects that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web
site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose
which scanner you want to run in Safe Mode. It is suggested to run the scanners
in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Raffi on December 21, 2006, 10:29 pm

David H. Lipman wrote:
>
>
> |
> | The "problem" was back overnight. I'll post more information soon.
> |
> | Raffi
>
>
>
> If you are using any version of Sun Java that is prior to JRE Version 6.0,
> then you are strongly urged to remove any/all versions.
> There are vulnerabilities in them and they are actively being exploited.
>
> It is highly suggested that you update to the latest version which is Sun Java
> JRE/JSE Version 6.0
>
> Simple check, look under...
> C:\Program Files\Java
>
> The only folder under that folder should be the latest version.
>
> Such as...
> C:\Program Files\Java\jre1.6.0
>
> http://java.sun.com/javase/downloads/index.jsp
> http://www.java.com/en/download/manual.jsp
>
> FYI:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
>
>
> For non-viral malware...
>
> Please download, install and update the following software...
>
> * Ad-aware SE v1.06
> http://www.lavasoft.de/
> http://www.lavasoftusa.com/
> http://www.lavasoft.de/ms/index.htm
>
> * SpyBot Search and Destroy v1.4
> http://security.kolla.de/
> http://www.safer-networking.org/microsoft.en.html
>
> * SuperAntiSpyware
> http://www.superantispyware.com/superantispywarefreevspro.html
>
> After the software is updated, I suggest scanning the system in Safe Mode.
>
> I also suggest downloading, installing and updating BHODemon for any Browser
> Helper Objects that may be on the PC.
>
> * BHODemon
>
> http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
>
> For viral malware...
>
> * Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
> through your FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
> Normal Mode. This way all the components can be downloaded from each AV
> vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit
> this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or
> you can download the files and perform a scan in Normal Mode. Once you have
> downloaded the files needed for each scanner you want to use, you should
> reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
> and choose which scanner you want to run in Safe Mode. It is suggested to run
> the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

I have found the process responsible for the Port 53 traffic.
Suspending this process in Process Explorer stops the network activity.
Resuming it restarts the activity. Below are the details.

Process: svchost.exe Pid: 944

Type        Name
Desktop        \Default
Directory        \KnownDlls
Directory        \Windows
Directory        \BaseNamedObjects
File        C:\WINDOWS\system32
File        \Device\KsecDD
File        C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File        \Device\NamedPipe\net\NtControlPipe5
File        \Device\Tcp
File        \Device\Ip
File        \Device\Tcp
File        \Device\Ip
File        \Device\Ip
File        C:\WINDOWS\system32\drivers\etc
File        \Device\Tcp
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\WMIDataDevice
File        \Device\WMIDataDevice
File        \Device\NamedPipe\lsarpc
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
Key        HKLM
Key        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key        HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key        HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key        HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key        HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key        HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key        HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
KeyedEvent        \KernelObjects\CritSecOutOfMemoryEvent
Mutant        \BaseNamedObjects\DCS_grd
Port        \RPC Control\DNSResolver
Process        svchost.exe(944)
Section        \BaseNamedObjects\DCS_raw
Section        \BaseNamedObjects\DCS_LOGraw
Semaphore        \BaseNamedObjects\shell.
Thread        svchost.exe(944): 948
Thread        svchost.exe(944): 3036
Thread        svchost.exe(944): 972
Thread        svchost.exe(944): 976
Thread        svchost.exe(944): 3036
Thread        svchost.exe(944): 460
Thread        svchost.exe(944): 460
Thread        svchost.exe(944): 1344
Thread        svchost.exe(944): 3548
Thread        svchost.exe(944): 3548
Thread        svchost.exe(944): 1392
Thread        svchost.exe(944): 1392
Thread        svchost.exe(944): 1404
Thread        svchost.exe(944): 1708
Thread        svchost.exe(944): 1404
Thread        svchost.exe(944): 1708
WindowStation        \Windows\WindowStations\Service-0x0-3e4$
WindowStation        \Windows\WindowStations\Service-0x0-3e4$
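
A Process Explorer handle listing like the one above is easier to reason about once it is grouped: how many socket-related device handles the process holds, which registry keys it has open, and which named kernel objects (mutants, sections, semaphores) it created, since those names are what you would compare against a known-clean machine. The script below is an added example, not code from the thread or from Sysinternals. It parses the two-column Type/Name text that Process Explorer's lower pane copies out; the embedded sample is an abbreviated copy of the listing in the post above (same entries, fewer of the repeated Udp/Afd and Thread lines) so the script runs offline. It makes no claim about whether any particular name is malicious; it only surfaces what to look at.

```python
r"""Group a Process Explorer handle listing (Type / Name columns) for review.

Added example, not part of the thread. Parses the pasted text and groups the
handles the way an analyst reads them: network device objects, registry keys,
named synchronisation/shared-memory objects, and duplicates.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Abbreviated copy of the listing from the post above (a subset of its lines).
SAMPLE_HANDLES = r"""Type        Name
Desktop        \Default
Directory        \KnownDlls
File        C:\WINDOWS\system32
File        \Device\KsecDD
File        \Device\Tcp
File        \Device\Ip
File        C:\WINDOWS\system32\drivers\etc
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\Udp
File        \Device\Afd\Endpoint
File        \Device\NamedPipe\lsarpc
Key        HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key        HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Mutant        \BaseNamedObjects\DCS_grd
Port        \RPC Control\DNSResolver
Section        \BaseNamedObjects\DCS_raw
Section        \BaseNamedObjects\DCS_LOGraw
Semaphore        \BaseNamedObjects\shell.
Thread        svchost.exe(944): 948
Thread        svchost.exe(944): 3036
Thread        svchost.exe(944): 3036
"""

# "Type<whitespace>Name"; the name may itself contain spaces (\RPC Control\...).
HANDLE_LINE = re.compile(r"^(\S+)\s+(\S.*?)\s*$")
HEADER = re.compile(r"^Type\s+Name$")

# Device objects a Winsock-using process holds. Many \Device\Udp plus
# \Device\Afd\Endpoint pairs fit a process sending UDP, which DNS (port 53) is.
NETWORK_DEVICES = {r"\Device\Tcp", r"\Device\Udp", r"\Device\Ip", r"\Device\Afd\Endpoint"}
# Named objects: compare these names against the same svchost on a clean machine.
NAMED_OBJECT_TYPES = {"Mutant", "Section", "Semaphore", "Event"}
# Handles consistent with the DNS Client service being hosted in this svchost
# (its resolver LPC port and the folder holding the hosts file). On their own
# they do not indicate anything wrong; they explain why DNS traffic comes from it.
DNS_CLIENT_HINTS = (r"\RPC Control\DNSResolver", r"\drivers\etc")


def parse_handles(text: str) -> List[Tuple[str, str]]:
    """Return (type, name) pairs, skipping the header and blank lines."""
    handles = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or HEADER.match(line):
            continue
        m = HANDLE_LINE.match(line)
        if m:
            handles.append((m.group(1), m.group(2)))
    return handles


def summarize(handles: List[Tuple[str, str]]) -> Dict[str, object]:
    network = Counter(n for t, n in handles if t == "File" and n in NETWORK_DEVICES)
    return {
        "total": len(handles),
        # Process Explorer lists one line per handle, so the same object can
        # appear several times; the count of repeats is itself informative.
        "duplicates": len(handles) - len(set(handles)),
        "by_type": dict(Counter(t for t, _ in handles)),
        "network": dict(network),
        "network_total": sum(network.values()),
        "named_objects": sorted({n for t, n in handles if t in NAMED_OBJECT_TYPES}),
        "registry_keys": sorted({n for t, n in handles if t == "Key"}),
        "dns_client_hints": sorted({n for _, n in handles
                                    if any(h.lower() in n.lower() for h in DNS_CLIENT_HINTS)}),
    }


def summarize_sample() -> Dict[str, object]:
    return summarize(parse_handles(SAMPLE_HANDLES))


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key}: {value}")
```

On the full listing in the post the named objects are the items worth taking to a search or to a clean reference system, while the `\Device\Udp` and `\Device\Afd\Endpoint` handles and the `DNSResolver` port simply show that this svchost instance is the one doing UDP name resolution; which DLLs are loaded into it (Process Explorer's DLL view) is the next thing to compare, as Dave suggested earlier in the thread.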

