TechSpot

Svchost being naughty: What do you think?

By madboyv1
Sep 29, 2008
  1. Svchost being naughty: What do you think? [resolved]

    For a while before I disabled Kerio Personal Firewall, I was getting the following warning multiple times when starting up:

    Code:
    [26/Sep/2008 04:07:55]  "Hips" type = 'Code injection', action = 'denied', descr = 'Process C:\WINDOWS\system32\spoolsv.exe injected dangerous code into C:\WINDOWS\system32\svchost.exe (code address: 0x00406A67)
    Having Kerio pause on this often caused one of my svchost processes to lock up. Terminating the process would fix it and it wouldn't come back until I restarted the computer.

    I disabled Kerio a little while ago because of it bluescreening me consecutively, and a number of hours ago NOD32 picked this up:

    Code:
    Time: 9/29/2008 16:20:26 PM
    Module : AMON
    Object Name: file C:\WINDOWS\system32\dts12.exe
    Threat: a variant of Win32/TrojanDropper.Agent.WZR trojan
    Action: quarantined - deleted
    User: NT AUTHORITY\SYSTEM
    Information: Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine.
    Now I've cleared my cache(s) and cleaned up my registry with CCleaner, I've run SuperAntiSpyware, Malwarebytes, Spybot, and Ad-Aware, but came up more or less empty handed.

    Seeing where the threat came from and the lack of being picked up by multiple scans, I don't think it's gone.

    Any ideas?

    edit: I've seen a couple of times where RPC has been as well, causing the system to restart if the auto shutdown sequence is not aborted in the command prompt. Not sure if it's part of the problem, but probably is.
     
  2. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Hi:

    The 1st thing that caught my eye was the "HIPS" in the Code Message; do you
    have a "HIPS" (Host-based Intrusion Prevention System) type program on your
    computer and IF yes, which one?

    Extremely risky disabling a firewall!? Based on the NOD32 Message, I feel you
    should be seeking assistance on their Support Forums at
    www.wilderssecurity.com/forumdisplay.php?f=16 IF you have not already done so.

    And concerning "svchost", I recommend the excellent Guide at
    www.bleepingcomputer.com/tutorials/tutorial129.html.
     
  3. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    Kerio Personal Firewall has built in HIPS.

    I have Process explorer, but forgot about tasklist.

    here's a screenshot of tasklist:

    [screenshot: tasklist output]

    Looking at the list the one at PID 820 seems to be the odd man out. Loading up Process Explorer...

    [screenshot: Process Explorer]

    attempting to verify spooler using process explorer fails. hnn... =/
     
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    highlight process in Process Explorer, rt click Properties
    • Image
      • Image File name and version info look OK?
      • Path - where was it loaded from?
      • Command line - what commands/options used to start it?
      • Parent - who is the parent process?
    • Strings - see if any interesting strings appear (including hard coded paths to directories)
    • TCP/IP - does it have any ports open?
    • Services - may as well see what's here (tho probably same as tasklist)
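
    The checklist above, turned into a script. This is an added example, not something posted in the thread, and it targets a current Windows (PowerShell 3+ on Windows 8 or later, for Get-CimInstance and Get-NetTCPConnection) rather than the XP machine being discussed. For every svchost.exe and spoolsv.exe it records the image path, version, Authenticode signature status, parent process, command line, bound TCP/UDP endpoints, and whether a named DLL is loaded (the Process Explorer "Find" suggested later in the thread; the default name msxmle.dll is the one reported there). The parent/argument expectations are general Windows facts: services.exe starts both spoolsv.exe and every legitimate svchost.exe, and it passes svchost a "-k <group>" argument. Everything else (parameter names, the output layout) is an assumption of this example.

```powershell
# Added example (not from the thread): automate the Process Explorer checklist for
# svchost.exe / spoolsv.exe. Assumes Windows 8+/PowerShell 3+ for Get-CimInstance and
# Get-NetTCPConnection; run from an elevated prompt so SYSTEM processes can be inspected.
param(
    [string[]] $ImageNames    = @('svchost.exe', 'spoolsv.exe'),
    [string]   $SuspectModule = 'msxmle.dll'   # DLL name reported later in the thread; any name works
)

$system32 = Join-Path $env:SystemRoot 'System32'
$all      = Get-CimInstance Win32_Process
$byPid    = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# services.exe starts both spoolsv.exe and every legitimate svchost.exe, and it
# starts svchost with a "-k <group>" argument. A svchost whose parent is spoolsv.exe
# and whose command line has no -k (what the thread shows) deserves a closer look.
$expectedParent = @{ 'svchost.exe' = 'services.exe'; 'spoolsv.exe' = 'services.exe' }

$findings = foreach ($proc in ($all | Where-Object { $ImageNames -contains $_.Name })) {
    $parent     = $byPid[[int]$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $path       = $proc.ExecutablePath
    $onDisk     = [bool]($path -and (Test-Path -LiteralPath $path))

    $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
    $ver = if ($onDisk) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { $null }

    # Bound endpoints owned by this PID (the TCP/IP tab).
    $tcp = Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
           ForEach-Object { "TCP $($_.LocalAddress):$($_.LocalPort) $($_.State)" }
    $udp = Get-NetUDPEndpoint -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
           ForEach-Object { "UDP $($_.LocalAddress):$($_.LocalPort)" }

    # Loaded modules (Process Explorer's Find). Reading another process's module list
    # can be refused; that is reported as a string rather than counted as a hit.
    $modHit = try {
        $mods = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules
        [bool]($mods | Where-Object { $_.ModuleName -ieq $SuspectModule })
    } catch { 'AccessDenied' }

    $reasons = @()
    if (-not ($path -like "$system32\*"))              { $reasons += "image not under $system32" }
    if ($sig -ne 'Valid')                              { $reasons += "signature $sig" }
    if ($parentName -ne $expectedParent[$proc.Name])   { $reasons += "parent is $parentName" }
    if ($proc.Name -ieq 'svchost.exe' -and $proc.CommandLine -and $proc.CommandLine -notmatch '\s-k\s') {
        $reasons += 'svchost started without -k group'
    }
    if ($modHit -eq $true)                             { $reasons += "loaded $SuspectModule" }

    [pscustomobject]@{
        PID        = $proc.ProcessId
        Name       = $proc.Name
        Parent     = "$parentName($($proc.ParentProcessId))"
        Path       = $path
        Version    = $ver
        Signature  = $sig
        CmdLine    = $proc.CommandLine
        Endpoints  = (@($tcp) + @($udp)) -join '; '
        Suspicious = ($reasons -join '; ')
    }
}

$findings | Sort-Object { $_.Suspicious.Length } -Descending | Format-Table -AutoSize -Wrap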
     
  5. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    for spooler:
    • Image
      • Image File - Spooler SubSystem App by (Unable to verify) Microsoft Corporation,
        Version 5.01.2600.5512, Time 4/13/2008 8:12 PM
      • Path - C:\WINDOWS\system32\spoolsv.exe
      • Command line - C:\WINDOWS\system32\spoolsv.exe
      • Parent - services.exe(1148)
    • Strings - see attached text file, I can't make much sense of it.
    • TCP/IP - Currently no connections
    • Services - Print Spooler

    for svchost connected to spooler:
    • Image
      • Image File - Generic Host Process for Win32 Services by (Verified) Microsoft Windows Component Publisher
        Version 5.01.2600.5512, Time 4/13/2008 8:12 PM
      • Path - C:\WINDOWS\system32\svchost.exe
      • Command line - "C:\WINDOWS\system32\svchost.exe"
      • Parent - spoolsv.exe(1532)
    • Strings - see attached text file, I can't make much sense of it.
    • TCP/IP - UDP: 127.0.0.1 (Local Host):1025
    • Services - no tab available. in tasklist services for this process is N/A.
     
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Back.

    Don't want you to think i forgot about ya ;)

    Have been looking but other than Spooler won't verify... I haven't seen anything suspicious of what I looked for (my spooler doesn't verify either)
    • C:\WINDOWS\system32\spoolsv.exe is the real file name and directory for spooler
    • Its parent looks good, as well as version info etc. (many times malware doesn't bother with these details)

    Misc other things looked reasonable as well

    I found there is a dependency between rpc and spooler.(which may explain what you saw)

    Now, I don't (on my XP Pro machine) have an svchost child on spoolsv.exe but that could easily be due to any number of legit reasons.

    Looking at spoolsv could also be a red herring, in thinking that if Kerio stopped while displaying the messages, the spoolsv issue didn't cause the problem so much as was the result of Kerio stopping (and spoolsv being involved with spooling output).

    And the svchost with spoolsv also appeared OK.

    One thing you can also look at are the MD5 hashsums of legit modules. Here's a HashCalc tool to calculate (fyi.. tho I never used it myself before today. just pulled it down from online)

    I know MS has to have them listed (but didn't find after a quick look): a list of program modules, version number and MD5 checksum for it
     
  7. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    After a quick search I can't seem to find a list either. If you can find it I'll do a checksum.

    Any ideas about the whole svchost being reported of trying to drop an executable into my system32 folder part?

    Granted NOD32 has not complained since then, but I had my firewall temporarily disabled for a day or two before the trojan warning. I'm going to re-enable my firewall and see what it does. I'll edit this post in 15ish minutes.

    edit: So I bluescreened on the first restart. Kerio is really starting to get on my nerves, but it has almost everything I wanted and replaced Sygate for me... =(

    Anyways, on the second restart that warning Kerio gave repeatedly before only happened once this time, and the system seems to be stable, though I'm a good deal paranoid right now.
     
  8. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Here are at least numbers you can compare from my machine:
    C:\WINDOWS\system32\spoolsv.exe
    File Version: 5.1.2600.5512
    MD5: d8e14a61acc1d4a6cd0d38aebac7fa3b

    C:\WINDOWS\system32\svchost.exe
    File Version: 5.1.2600.5512
    MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
     
  9. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    C:\WINDOWS\system32\spoolsv.exe
    File Version: 5.01.2600.5512
    MD5: 712ffa1f64484ea463883cf6b9eaa51d

    C:\WINDOWS\system32\svchost.exe
    File Version: 5.01.2600.5512
    MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18

    My spoolsv is different... I have an HP printer (and their junk software), would that potentially change spoolsv, or what?

    I'll compare these to my desktop computer when I get the chance.
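
    Comparing hashes by hand, as the two posts above do, scales badly, and a hash on its own cannot tell a hotfix apart from a tampered file. The script below is an added example, not from the thread: run it with -Export on a trusted machine to write version, SHA-256 and MD5 for a handful of System32 binaries to a CSV, then with -Compare on the suspect machine to diff against that list and to check each file's Authenticode signature (Windows system binaries are usually catalog-signed, which Get-AuthenticodeSignature handles on Windows 8 and later). A file whose version string matches the baseline but whose hash does not, and whose signature no longer verifies, is what a patched system binary looks like, which is the combination this thread ends up with. The script name, the CSV name and the default file list are assumptions of the example; the MD5 values quoted in the thread are not embedded, the baseline comes from whichever machine you export from.

```powershell
# Added example (not from the thread): baseline and compare System32 binaries across machines.
# Usage:   .\Compare-SystemBinaries.ps1 -Export  -Baseline good.csv     (on a trusted host)
#          .\Compare-SystemBinaries.ps1 -Compare -Baseline good.csv     (on the suspect host)
# Requires PowerShell 4+ for Get-FileHash. File list and names are assumptions.
param(
    [switch]   $Export,
    [switch]   $Compare,
    [string]   $Baseline = 'system32-baseline.csv',
    [string[]] $Files    = @('spoolsv.exe', 'svchost.exe', 'services.exe', 'lsass.exe', 'winlogon.exe')
)

function Get-BinaryRecord {
    param([string] $Name)
    $path = Join-Path (Join-Path $env:SystemRoot 'System32') $Name
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name      = $Name
        Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash   # only to compare with old MD5 lists
        SigStatus = $sig.Status                                              # Valid, NotSigned, HashMismatch, ...
        SigType   = $sig.SignatureType                                       # Embedded or Catalog
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$records = $Files | ForEach-Object { Get-BinaryRecord $_ } | Where-Object { $_ }

if ($Export) {
    $records | Export-Csv -Path $Baseline -NoTypeInformation
    "Wrote $($records.Count) records to $Baseline"
    return
}

if ($Compare) {
    $good = @{}
    Import-Csv -Path $Baseline | ForEach-Object { $good[$_.Name] = $_ }

    foreach ($r in $records) {
        $ref     = $good[$r.Name]
        $verdict = @()
        if ($r.SigStatus -ne 'Valid') { $verdict += "signature $($r.SigStatus)" }
        if (-not $ref) {
            $verdict += 'not in baseline'
        } elseif ($ref.SHA256 -ne $r.SHA256) {
            # Same version string but a different hash is what the thread saw. Together
            # with a failing signature that points at a modified binary, not a hotfix.
            $msg = if ($ref.Version -eq $r.Version) { 'hash differs, same version' }
                   else { "hash differs, version $($ref.Version) -> $($r.Version)" }
            $verdict += $msg
        }
        [pscustomobject]@{
            Name    = $r.Name
            Version = $r.Version
            SHA256  = $r.SHA256.Substring(0, 16) + '...'
            Sig     = "$($r.SigType)/$($r.SigStatus)"
            Verdict = if ($verdict) { $verdict -join '; ' } else { 'OK' }
        }
    }
    return
}

# No switch given: just show the records for this machine.
$records | Format-Table -AutoSize
```

    Two caveats that follow from the thread itself: the baseline must come from a machine at the same service pack and patch level, or every hotfixed binary will show up as a mismatch, and a clean signature check is the stronger signal, because a legitimate update changes the hash but keeps the file verifiable.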
     
  10. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    could you do the following:
    1. In Explorer, Tools->Folder Options->View. Scroll thru
      - check/select: Show hidden files and folders
      - Uncheck: Hide extensions known types, Hide protected operating system files,
      - Unrelated to your issue: I'd uncheck Auto search for network folders and printer. It means you manually search your net the first time needed but will reduce network "noise"
      - Hit OK
    2. In Explorer, go to directory C:\Windows\Prefetch. Select All files in directory and delete them
    3. See this thread for Steps 3, 6 and 7 to do some cleanup and install HJT and post HJT results back here
    4. Is your printer connected over your LAN? or a printer cable into computer?
    5. Do you use Windows File and Printer Sharing (accessing printers over the LAN or accessing other files/folders on other computers over the LAN)?
    6. You can undo item #1 above (or leave it if you prefer to see everything)
     
  11. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    I would do what you mentioned, but I think I caught the culprit. I restarted the computer so I could get a clean wipe with CCleaner, and then get a fresh HJT log, but when I did, Nod32 threw the warning lights on:

    win32/patched.N virus - file c:\windows\system32\spoolsv.exe

    Kerio accessed it when it was trying to stop the code injection, Nod picked it up as a threat, and then the system froze up. My laptop is currently booted up in safe mode, while this post is being made from my desktop. I guess I was right to suspect spooler in the first place.

    Doing a cursory search yielded this page: http://www.wilderssecurity.com/showthread.php?t=221660

    I checked the checksum of spoolsv.exe in the thread mentioned above, and it doesn't match yours. I did a checksum of my desktop's spoolsv.exe, and it matches your checksum.

    If I am going to copy spoolsv.exe from somewhere else, it'll definitely be my desktop.

    Suggestions, ideas?

    ------------------------------------------------
    in relation to your previous post:
    1. System already set up that way.
    2. done
    3. didn't get to ccleaner, Java is up to v6u7 right? I should be up to date, didn't get to HJT log
    4. printer is connected via USB port.
    5. at one point I had Windows File and Printer Sharing enabled to allow the desktop and laptop to communicate and share the printer. lately though the two have not been connected together.
    6. No need to change. ;)
     
  12. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    definitely run HJT please so I can take a look
     
  13. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    see attached log.

    The laptop system is currently idling with the same threat alert from Nod32 from before. I have a fresh copy of spoolsv.exe ready to transfer over.
     


  14. momok

    momok TS Rookie Posts: 2,265

    spoolsv.exe by default is a process used to manage spooled print jobs. There are however several instances of viruses/trojans masquerading as it.
    One of the ways to check its authenticity is its location, which in your case is genuine. I believe that detection is simply a case of false positive.
    You can go ahead with the replacement, but I doubt if the detections will stop.
     
  15. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    I know what spooler does, and I know its supposed to be in the system32 folder.

    However, considering the positive is under the family "win32/patched.N virus" and that a svchost process whose parent was spoolsv.exe tried to drop a trojan on my laptop, I am not willing to consider it a simple case of misidentification.

    edit: I'll go ahead and switch it out, keeping the original in a non executable location.
     
  16. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Thanks for the input momok.

    As you've seen as well, haven't found any malware fingerprints but a final look through HJT seemed wise.

    OP was having a problem which pointed to spoolsv and svchost but, at this point, thinking they're not the cause of a problem... but the after-effect. Will see from what is found in HJT
     
  17. momok

    momok TS Rookie Posts: 2,265

    I think if you wish to be very sure, it would be wise to seek alternative opinions: use different scanners, like the ones we recommend (malwarebytes/superantispyware from step 4 and 5 from my signature) instead of just one.

    Edit: I've looked through that log and its clean.
    or you could just rename it to "spoolsv.bak" =)
     
  18. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    I took a look at my HJT log and I thought it looked clean too.

    I already tried malwarebytes and superantispyware before I even posted, and again shortly before the positive.

    As for the replacement... so far so good. Nod32 is not complaining about anything, and Kerio has yet to complain about code injection. (edit: then again, kerio just gave me a bluescreen, so I am restarting now... but that had nothing to do with what is going on right now. =/)

    I renamed it "_bad_spool" before I saw your response. close enough right? :p
     
  19. momok

    momok TS Rookie Posts: 2,265

    Perhaps that file was infected somehow, but now that you've replaced it hope all goes well for you. Do let us know if you have any further problems.
     
  20. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    OK.

    Agreed, nothing is coming out smelling of malware...

    But the two issues (which can just be another subtlety of Windows)
    1. The different hash checks (from what I've seen so far.. I don't THINK HP would have changed it. And it does still have MS name on it)

    2. The OP's version has a text field (I forget which now) that always comes out blank or N/A. Not so for the executable on other machines. Microsoft file version number matches with others. But the MD5 hash check doesn't

    just two small bits - but am not sure they should be happening at all.. then again, not 100% there CAN'T be a good explanation
     
  21. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    Mostly the fact that the hash checksum from my laptop did not match your computer or my desktop was what worried me, especially since the desktop only upgraded to XP SP3 about 4 days ago and has received all the updates after SP3.

    Anywho, for now I think my problem is fixed for the meantime. I have another problem, but it warrants its own thread, since it's hardware-based and a two-parter.

    I probably should change my passwords huh, since there was a short period where I was running without my firewall enabled. =/

    thanks for sticking with me from more or less the beginning LookinAround. :)

    I'll edit in the word [resolved] into the title, if it needs to be revisited I'll remove it.
     
  22. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Hmmm... would have to double check (unless someone else knows off hand) but I believe spoolsv is only required if you do remote printing on your LAN. Otherwise, not needed.

    If so, can just disable the service for your "production" times. Though probably still have "test" times to try and figure it out as at some point you're likely to want network printing.

    And last point, if you once had File and Printer Sharing (FPS) enabled (but not any longer) it may be just as well good to:
    - Remove the exception from your firewall for FPS
    - Go to the network adapter properties, and remove FPS
     
  23. madboyv1

    madboyv1 TechSpot Paladin Topic Starter Posts: 1,333   +267

    last time I checked spoolsv is part of the whole printing process regardless of the location (local or remote) of the printer, but I'm not 100% sure.

    I may consider disabling FPS for the mean time, but I've had a different reason for not using filesharing lately. Thanks for the suggestion.

    follow up:

    There were two malicious files previously undetected in my system32 folder, both identified by Nod as trojan variants:

    msxmle.dll and sensors.exe

    I checked the MS list of XML parsers and there was no "e" variant of said parser, and I have no idea what sensors.exe would be (the closest thing for me would be sensor.exe, which is for my thinkpads accelerometer).
     
  24. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    have you cleaned yet? would be curious if you go into Process Explorer.. Click Find and enter the .dll.. See if any hits on what's running

    /*********** EDIT **********/
    Not sure what to make of all this, but take a look here as well. Is it same? (compare MD5 hash)
     
  25. momok

    momok TS Rookie Posts: 2,265

    I realise that uptil now, we have no logs for reference. Since there are confirmed instances of detection of infection on your system, please run through the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Oftentimes, fixing infections does not just work by removing the bad files in question alone. That's why we need some logs to determine if there are nasties lurking elsewhere on your system, as NOD might not have detected all.
     