svchost accessing hundreds of ports



dayin
2010-08-25, 00:01
Alright, I know when I'm beat...

For a couple of months there has been a low hum of network traffic on one of my new machines when inactive. It never exceeded 6kb/s though, so I wasn't worried about it, until my ISP brought to my attention that it was accessing hundreds of ports at a time, and told me to fix it.

Using NetLimiter Monitor I was able to confirm that services.exe and svchost.exe are the culprits, both of them frequently accessing dozens or hundreds of different ports, usually connecting to foreign IPs.

Repeated virus scans in both normal and safe mode from Malwarebytes, Spybot S&D, and Windows Defender have yielded no results.

As a temporary measure while I figured this out, I downloaded Comodo and told it to restrict all traffic to svchost.exe and services.exe, but that seems to have disabled my internet, as now I get either no connection or a very slow, intermittent one in IE or Firefox.

Running Microsoft Vista, SP1, 32 bit.

Included below are my HijackThis log and a tasklist /svc scan. Please let me know if there's anything you see that could indicate a problem, as well as any other scans or measures I should do to help diagnose or repair. Thanks in advance for any help you can provide.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:36:59 PM, on 8/24/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18498)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\Windows\system32\cmd.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\msfeedssync.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 5557 bytes



Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Jon>tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       472 N/A
csrss.exe                      540 N/A
wininit.exe                    600 N/A
csrss.exe                      608 N/A
services.exe                   648 N/A
winlogon.exe                   672 N/A
lsass.exe                      696 SamSs
lsm.exe                        704 N/A
svchost.exe                    860 DcomLaunch, PlugPlay
nvvsvc.exe                     904 nvsvc
svchost.exe                    932 RpcSs
cmdagent.exe                   996 cmdAgent
svchost.exe                   1080 CryptSvc, Dnscache, NlaSvc, TapiSrv,
                                   TermService
svchost.exe                   1096 WinDefend
svchost.exe                   1216 Audiosrv, Dhcp, Eventlog, lmhosts
svchost.exe                   1244 AudioEndpointBuilder, EMDMgmt, hidserv,
                                   Netman, PcaSvc, SysMain,
                                   TabletInputService, TrkWks, UxSms,
                                   WdiSystemHost, WPDBusEnum, wudfsvc
svchost.exe                   1256 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt
audiodg.exe                   1320 N/A
SLsvc.exe                     1364 slsvc
svchost.exe                   1424 EventSystem, fdPHost, FDResPub,
                                   LanmanWorkstation, netprofm, nsi, SSDPSRV,
                                   SstpSvc, upnphost, W32Time, WebClient
nvvsvc.exe                    1472 N/A
spoolsv.exe                   1768 Spooler
svchost.exe                   1800 BFE, DPS, MpsSvc
taskeng.exe                    304 N/A
taskeng.exe                   1308 N/A
dwm.exe                       1352 N/A
explorer.exe                  1896 N/A
MSASCui.exe                   2064 N/A
VDeck.exe                     2072 N/A
jusched.exe                   2116 N/A
reader_sl.exe                 2124 N/A
AdobeARM.exe                  2132 N/A
networx.exe                   2140 N/A
cfp.exe                       2168 N/A
sidebar.exe                   2184 N/A
TeaTimer.exe                  2204 N/A
ONENOTEM.EXE                  2248 N/A
PdaNetPC.exe                  2260 N/A
SPUVolumeWatcher.exe          2276 N/A
nlsvc.exe                     3028 N/A
NLClient.exe                  3304 N/A
PnkBstrA.exe                  3736 PnkBstrA
svchost.exe                   3752 PolicyAgent
nvSCPAPISvr.exe               3772 Stereo Service
svchost.exe                   3820 stisvc
svchost.exe                   3852 WerSvc
SearchIndexer.exe             3916 WSearch
WUDFHost.exe                  4012 N/A
cmd.exe                       3288 N/A
tasklist.exe                  3692 N/A
WmiPrvSE.exe                  3700 N/A
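
Because svchost.exe is only a host, the useful question is which services live in the PID that is opening all those connections. As an added example that is not from the post or the forum, this Python script joins the two views the poster already has: it parses `tasklist /svc` output (handling the wrapped service lists seen above, where continuation lines carry no PID) and counts distinct remote endpoints per PID from `netstat -ano`, then lists PIDs that talk to many endpoints together with the services they host, so the triage can move from "svchost.exe" to a specific service. Both input samples are constructed; the PIDs and service names for 648, 1080 and 1256 are copied from the post, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed `tasklist /svc` sample (same wrapped layout as the post: continuation lines carry no PID).
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
services.exe                   648 N/A
svchost.exe                   1080 CryptSvc, Dnscache, NlaSvc, TapiSrv,
                                   TermService
svchost.exe                   1256 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt
"""

# Constructed `netstat -ano` TCP lines (header dropped); addresses are RFC 5737 documentation ranges.
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.0.2.10:49201       198.51.100.7:80        ESTABLISHED     1256
  TCP    192.0.2.10:49202       198.51.100.7:443       ESTABLISHED     1256
  TCP    192.0.2.10:49203       203.0.113.9:6881       SYN_SENT        1256
  TCP    192.0.2.10:49300       198.51.100.20:443      ESTABLISHED     1080
"""

def parse_tasklist(text):
    """Map PID -> list of hosted service names, joining wrapped continuation lines."""
    hosted, pid = {}, None
    for line in text.splitlines()[2:]:                  # skip header and ==== rule
        m = re.match(r"^\S.*?\s+(\d+)\s+(.*)$", line)   # "image name   PID services"
        if m:                                           # a new row: remember its PID
            pid, line = int(m.group(1)), m.group(2)
            hosted[pid] = []
        if pid is not None:                             # row text or an indented continuation
            hosted[pid] += [s for s in re.split(r",\s*", line.strip()) if s and s != "N/A"]
    return hosted

def parse_netstat(text):
    """Map PID -> set of distinct remote (ip, port) endpoints for non-listening TCP sockets."""
    remote = defaultdict(set)
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] != "LISTENING":
            ip, port = parts[2].rsplit(":", 1)          # rsplit keeps IPv6 colons intact
            remote[int(parts[4])].add((ip, int(port)))
    return remote

def triage(tasklist_text, netstat_text, threshold=3):
    """Return (pid, hosted services, endpoint count) for PIDs reaching >= threshold remote endpoints."""
    hosted, remote = parse_tasklist(tasklist_text), parse_netstat(netstat_text)
    return [(pid, hosted.get(pid, []), len(eps)) for pid, eps in sorted(remote.items()) if len(eps) >= threshold]
```

On a live Vista box the same two commands are redirected to files and fed to these functions; the flagged PID's service list is what to disable one at a time to find which one generates the traffic.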

tashi
2010-08-25, 01:15
Hello dayin,

Please see the forum FAQ, which also includes instructions on posting a preliminary DDS log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

If this is a personal computer please start a new topic and a volunteer analyst will advise you when available.

Best regards. :)