G_H_Ramsey
2013-03-17, 21:29
I have a weird malware using svchost that begins at startup, but I have not been able to find its source program.
It runs a svchost process with 50% of my CPU in use and prevents any and all internet access. It also seems to be making a bridged internet connection using the Internet Gateway in the Networking options.
If I disable my network adaptor or the VirtualBox adaptor it resets the Internet Gateway. Under details of Internet Gateway this gateway is sending and receiving data. At the same time I'm unable to connect using IE or Thunderbird.
Also, when I tracked down its PID through the Task Manager and tried to analyze it in Spybot S&D, it hung Spybot and then aborted itself.
I presume this is to prevent detection of its source. I can kill it manually too in the Task Manager, but it resumes again at startup, and so far no program has found where it's starting up from. It goes away and will resume again at startup, but there are no unusual entries in the startup entries in the Windows Registry. I've been over them manually and in Spybot, which I've found to be the best tool for this. But nothing unusual is there.
I've run malwarebytes, hijackthis, Spybot, and my normal AVG AV scan, and none of them are finding the source of the infection.
Malwarebytes found a suspicious locked file with a long numerical string and a CDF extension. Malwarebytes was able to delete it at startup and it hasn't reappeared. That is the only positive detection. The rest were false, since I have some customized settings (I installed Windows using nLite) which were flagged as hijacks.
I'm not certain if this is related to the svchost malware though.
That showed up only this morning and my first time knowing about it was not being able to go online.
Any advice or ideas will be appreciated. The malware doesn't seem to be doing anything when that svchost process is closed, so my system returns to almost-normal. It's more of an annoyance.
I'm using Windows XP, as you may have guessed. System board is a GA-ES2L w/ Core2 6550, 2GB RAM, 2TB HDD, SoundBlaster Audigy (latest possible drivers are old), nVidia 8600GT video.
Henry
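The post describes killing the process by PID and checking Registry startup entries by hand. A point worth making for anyone triaging a hot svchost.exe: svchost is only a host, so the thing to inspect is the set of services loaded into that particular instance and the DLL each one registers under its `Parameters\ServiceDll` key, plus whether the "svchost.exe" itself is the one in system32. The script below is an added example written for this thread, not something the poster ran or any tool's own code. It is intentionally limited to `Get-WmiObject` and `Get-AuthenticodeSignature` so that it runs on PowerShell 2.0, the last version available for Windows XP; the flagging rules (DLL outside system32, DLL missing, signature not Valid, process not launched from system32) are my own heuristics and produce candidates for review, not verdicts.

```powershell
# Added example (not from the original post): map every svchost.exe instance to the
# services it hosts, resolve each service's ServiceDll from the Registry, and flag
# DLLs that live outside %SystemRoot%\system32, are missing, or lack a valid
# Authenticode signature. Written against PowerShell 2.0 cmdlets for XP compatibility.
# Run from an elevated (Administrator) prompt so WMI can see every process.

$system32 = Join-Path $env:SystemRoot 'system32'

function Get-SvchostReport {
    # Every running svchost.exe, with parent PID and command line for context
    $hosts = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    # Every running service; Win32_Service.ProcessId tells us which host it lives in
    $services = Get-WmiObject Win32_Service -Filter "State = 'Running'"

    foreach ($h in $hosts) {
        $hosted = $services | Where-Object { $_.ProcessId -eq $h.ProcessId }
        foreach ($svc in $hosted) {
            # A svchost-hosted service registers its DLL under Parameters\ServiceDll
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = $null
            if (Test-Path $paramKey) {
                $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
            }
            if ($dll) {
                # Value is usually REG_EXPAND_SZ; expanding again is harmless if already done
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
            }

            $flags = @()
            if (-not $dll) {
                $flags += 'no ServiceDll'          # unusual for a service hosted in svchost
            } else {
                if ($dll -notlike "$system32\*") { $flags += 'DLL outside system32' }
                if (-not (Test-Path $dll)) {
                    $flags += 'DLL missing on disk'
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
                }
            }

            New-Object PSObject -Property @{
                PID         = $h.ProcessId
                ParentPID   = $h.ParentProcessId
                CommandLine = $h.CommandLine
                Service     = $svc.Name
                ServiceDll  = $dll
                Flags       = ($flags -join '; ')
            }
        }
    }
}

# Flagged rows sort to the top; compare the PID column with the hot one in Task Manager
Get-SvchostReport | Sort-Object Flags -Descending |
    Format-Table PID, ParentPID, Service, ServiceDll, Flags -AutoSize

# Anything named svchost.exe that was not launched from system32 is not the real
# service host and deserves a look regardless of what the report above says
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notlike "$system32\*") } |
    Select-Object ProcessId, ExecutablePath, CommandLine
```

Without PowerShell, `tasklist /svc` on XP gives the same PID-to-services mapping, and the corresponding `ServiceDll` values can be read from the same Registry keys in regedit. Note that a service whose DLL is in system32 and correctly signed can still be the one consuming the CPU; the report narrows the search to the handful of services in one PID rather than proving any of them clean.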