madboyv1

Svchost being naughty: What do you think? [resolved]

For a while before I disabled Kerio Personal Firewall, I was getting the following warning multiple times when starting up:

Code:
[26/Sep/2008 04:07:55]  "Hips" type = 'Code injection', action = 'denied', descr = 'Process C:\WINDOWS\system32\spoolsv.exe injected dangerous code into C:\WINDOWS\system32\svchost.exe (code address: 0x00406A67)

Having Kerio pause on this often caused one of my svchost processes to lock up. Terminating the process would fix it, and it wouldn't come back until I restarted the computer.

I disabled Kerio a little while ago because of it bluescreening me consecutively, and a number of hours ago NOD32 picked this up:

Code:
Time: 9/29/2008 16:20:26 PM
Module : AMON
Object	Name: file	C:\WINDOWS\system32\dts12.exe
Threat: a variant of Win32/TrojanDropper.Agent.WZR trojan	
Action: quarantined - deleted
User: NT AUTHORITY\SYSTEM	
Information: Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine.

Now I've cleared my cache(s) and cleaned up my registry with CCleaner, and I've run SUPERAntiSpyware, Malwarebytes, Spybot, and Ad-Aware, but came up more or less empty handed.

Seeing where the threat came from and the lack of being picked up by multiple scans, I don't think it's gone.

Any ideas?

edit: I've seen a couple times where RPC has been as well, causing the system to restart if the auto shutdown sequence is not aborted in the command prompt. Not sure if it's part of the problem, but probably is.
 
Hi:

The first thing that caught my eye was the "HIPS" in the code message; do you have a "HIPS" (Host-based Intrusion Prevention System) type program on your computer and IF yes, which one?

Extremely risky disabling a firewall!? Based on the NOD32 message, I feel you should be seeking assistance on their support forums at www.wilderssecurity.com/forumdisplay.php?f=16 IF you have not already done so.

And concerning "svchost", I recommend the excellent guide at www.bleepingcomputer.com/tutorials/tutorial129.html.
 
Kerio Personal Firewall has built in HIPS.

I have Process explorer, but forgot about tasklist.

here's a screenshot of tasklist:

[screenshot: tasklist output]


Looking at the list the one at PID 820 seems to be the odd man out. Loading up Process Explorer...

[screenshot: Process Explorer process list]


attempting to verify spooler using process explorer fails. hnn... =/
 
highlight process in Process Explorer, rt click Properties
  • Image
    • Image File name and version info look OK?
    • Path - where was it loaded from?
    • Command line - what commands/options used to start it?
    • Parent - who is the parent process?
  • Strings - see if any interesting strings appear (including hard coded paths to directories)
  • TCP/IP - does it have any ports open?
  • Services - may as well see what's here (tho probably same as tasklist)
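The Path / Command line / Parent items of the checklist above, turned into automated checks over a process list. This is an added example, not code from the thread or its posters; it assumes a stock Windows XP layout (services.exe is the parent of spoolsv.exe and of every svchost.exe, and each svchost.exe is started with a `-k <group>` argument), and the sample process list is constructed to mirror the PIDs quoted in the thread.

```python
# Added example, not from the thread. Assumption: stock XP layout, where
# services.exe parents both spoolsv.exe and every svchost.exe, and every
# legitimate svchost.exe carries a "-k <group>" argument. An svchost.exe whose
# parent is spoolsv.exe and that has no -k group (the OP's PID 820) gets flagged.
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"

@dataclass
class Proc:
    pid: int
    name: str
    ppid: int
    path: str
    cmdline: str

# Expected parent image by process name (assumption for a stock XP box).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "spoolsv.exe": "services.exe"}

def check_process(p, by_pid):
    # Returns a list of findings; empty means the process looks normal.
    findings = []
    parent = by_pid.get(p.ppid)
    parent_name = parent.name.lower() if parent else "<unknown>"
    if not p.path.lower().startswith(SYSTEM32):
        findings.append(f"{p.name}({p.pid}) loaded from {p.path}, not system32")
    expected = EXPECTED_PARENT.get(p.name.lower())
    if expected and parent_name != expected:
        findings.append(f"{p.name}({p.pid}) parent is {parent_name}({p.ppid}), expected {expected}")
    if p.name.lower() == "svchost.exe" and "-k" not in p.cmdline.lower().split():
        findings.append(f"{p.name}({p.pid}) started without a -k service group: {p.cmdline}")
    return findings

def audit(procs):
    by_pid = {p.pid: p for p in procs}
    return [f for p in procs for f in check_process(p, by_pid)]

# Constructed sample modelled on the PIDs quoted in the thread, not a real capture.
SAMPLE = [
    Proc(1148, "services.exe", 1104, r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(1532, "spoolsv.exe", 1148, r"C:\WINDOWS\system32\spoolsv.exe", r"C:\WINDOWS\system32\spoolsv.exe"),
    Proc(1204, "svchost.exe", 1148, r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    Proc(820, "svchost.exe", 1532, r"C:\WINDOWS\system32\svchost.exe", r'"C:\WINDOWS\system32\svchost.exe"'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it reports two findings, both against PID 820: the spoolsv.exe parent and the missing `-k` group.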
 
for spooler:
  • Image
    • Image File - Spooler SubSystem App by (Unable to verify) Microsoft Corporation,
      Version 5.01.2600.5512, Time 4/13/2008 8:12 PM
    • Path - C:\WINDOWS\system32\spoolsv.exe
    • Command line - C:\WINDOWS\system32\spoolsv.exe
    • Parent - services.exe(1148)
  • Strings - see attached text file, I can't make much sense of it.
  • TCP/IP - Currently no connections
  • Services - Print Spooler

for svchost connected to spooler:
  • Image
    • Image File - Generic Host Process for Win32 Services by (Verified) Microsoft Windows Component Publisher
      Version 5.01.2600.5512, Time 4/13/2008 8:12 PM
    • Path - C:\WINDOWS\system32\svchost.exe
    • Command line - "C:\WINDOWS\system32\svchost.exe"
    • Parent - spoolsv.exe(1532)
  • Strings - see attached text file, I can't make much sense of it.
  • TCP/IP - UDP: 127.0.0.1 (Local Host):1025
  • Services - no tab available. in tasklist services for this process is N/A.
 
Back.

Don't want you to think i forgot about ya ;)

Have been looking but other than Spooler won't verify... i haven't seen anything suspicious of what i looked for (my spooler doesn't verify either)
  • C:\WINDOWS\system32\spoolsv.exe is the real file name and directory for spooler
  • Its parent looks good, as well as version info etc. (many times malware doesn't bother with these details)

Misc other things looked reasonable as well

I found there is a dependency between rpc and spooler (which may explain what you saw).

Now, i don't (on my XP Pro machine) have an svchost child on spoolsv.exe but that could easily be due to any number of legit reasons.

Looking at spoolsv could also be a red herring, just in thinking if Kerio stopped while displaying the messages, the spoolsv issue didn't cause the problem so much as was the result of Kerio stopping (and spoolsv being involved with spooling output).

And the svchost with spoolsv also appeared OK.

One thing you can also look at are the MD5 hashsums of legit modules. Here's a HashCalc tool to calculate (fyi.. tho i never used it myself before today. just pulled it down from online)

I know MS has to have them listed (but didn't find after a quick look): a list of program modules, version number and MD5 checksum for it
 
After a quick search I can't seem to find a list either. If you can find it I'll do a checksum.

Any ideas about the whole svchost being reported of trying to drop an executable into my system32 folder part?

Granted NOD32 has not complained since then, but I had my firewall temporarily disabled for a day or two before the trojan warning. I'm going to re-enable my firewall and see what it does. I'll edit this post in 15ish minutes.

edit: So I bluescreened on the first restart. Kerio is really starting to get on my nerves, but it has almost everything I wanted and replaced Sygate for me... =(

Anyways, on the second restart that warning Kerio gave repeatedly before only happened once this time, and the system seems to be stable, though I'm a good deal paranoid right now.
 
Here's at least numbers you can compare from my machine
C:\WINDOWS\system32\spoolsv.exe
File Version: 5.1.2600.5512
MD5: d8e14a61acc1d4a6cd0d38aebac7fa3b

C:\WINDOWS\system32\svchost.exe
File Version: 5.1.2600.5512
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
 
C:\WINDOWS\system32\spoolsv.exe
File Version: 5.01.2600.5512
MD5: 712ffa1f64484ea463883cf6b9eaa51d

C:\WINDOWS\system32\svchost.exe
File Version: 5.01.2600.5512
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18

My spoolsv is different... I have an HP printer (and their junk software), would that potentially change spoolsv, or what?

I'll compare these to my desktop computer when I get the chance.
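The version/MD5 comparison the two posts above do by hand, as an added example (not code from the thread or its posters). It assumes a baseline taken from a trusted machine, normalises version strings so "5.01.2600.5512" and "5.1.2600.5512" compare equal, and uses the hashes quoted in the thread as its sample data.

```python
# Added example, not from the thread. A patched binary usually keeps its
# version resource, so "same version, different hash" is the strong signal;
# a version difference is more likely a hotfix/service-pack gap and is
# reported separately so it is checked against update history first.
import hashlib

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def md5_of_file(path):
    # System binaries are small enough to read whole.
    with open(path, "rb") as f:
        return md5_of_bytes(f.read())

def normalize_version(ver):
    # "5.01.2600.5512" -> (5, 1, 2600, 5512); leading zeros carry no meaning.
    return tuple(int(part) for part in ver.split("."))

def compare(baseline, observed):
    # baseline/observed map path -> (version, md5); returns {path: verdict}.
    verdicts = {}
    for path, (ver, digest) in observed.items():
        ref = baseline.get(path)
        if ref is None:
            verdicts[path] = "no baseline entry"
            continue
        same_ver = normalize_version(ref[0]) == normalize_version(ver)
        same_hash = ref[1].lower() == digest.lower()
        if same_ver and same_hash:
            verdicts[path] = "match"
        elif same_ver:
            verdicts[path] = "SUSPECT: same version, different hash"
        else:
            verdicts[path] = "version differs: check update history before judging"
    return verdicts

# Values quoted in the thread: LookinAround's XP SP3 machine as baseline,
# the OP's laptop as observed (its spoolsv.exe is the mismatch).
BASELINE = {
    r"C:\WINDOWS\system32\spoolsv.exe": ("5.1.2600.5512", "d8e14a61acc1d4a6cd0d38aebac7fa3b"),
    r"C:\WINDOWS\system32\svchost.exe": ("5.1.2600.5512", "27c6d03bcdb8cfeb96b716f3d8be3e18"),
}
LAPTOP = {
    r"C:\WINDOWS\system32\spoolsv.exe": ("5.01.2600.5512", "712ffa1f64484ea463883cf6b9eaa51d"),
    r"C:\WINDOWS\system32\svchost.exe": ("5.01.2600.5512", "27c6d03bcdb8cfeb96b716f3d8be3e18"),
}

if __name__ == "__main__":
    for path, verdict in compare(BASELINE, LAPTOP).items():
        print(f"{verdict:55s} {path}")
```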
 
could you do the following:
  1. In Explorer, Tools->Folder Options->View. Scroll thru
    - check/select: Show hidden files and folders
    - Uncheck: Hide extensions known types, Hide protected operating system files,
    - Unrelated to your issue: i'd uncheck Auto search for network folders and printer. It means you manually search ur net the first time needed but will reduce network "noise"
    - Hit OK
  2. In Explorer, go to directory C:\Windows\Prefetch. Select All files in directory and delete them
  3. See this thread for Steps 3, 6 and 7 to do some cleanup and install HJT and post HJT results back here
  4. Is your printer connected over your LAN? or a printer cable into computer?
  5. Do you use Windows File and Printer Sharing (accessing printers over the LAN or accessing other files/folders on other computers over the LAN?
  6. You can undo item #1 above (or leave it if u prefer to see everything)
 
I would do what you mentioned, but I think I caught the culprit. I restarted the computer so I could get a clean wipe with CCleaner, and then get a fresh HJT log, but when I did, Nod32 threw the warning lights on:

win32/patched.N virus - file c:\windows\system32\spoolsv.exe

Kerio accessed it when it was trying to stop the code injection, Nod picked it up as a threat, and then the system froze up. My laptop is currently booted up in safe mode, while this post is being made from my desktop. I guess I was right to suspect spooler in the first place.

Doing a cursory search yielded this page: http://www.wilderssecurity.com/showthread.php?t=221660

I checked the checksum of spoolsv.exe in the thread mentioned above, and it doesn't match yours. I did a checksum of my desktop's spoolsv.exe, and it matches your checksum.

If I am going to copy spoolsv.exe from somewhere else, it'll definitely be my desktop.

Suggestions, ideas?

------------------------------------------------
in relation to your previous post:
  1. System already set up that way.
  2. done
  3. didn't get to ccleaner, Java is up to v6u7 right? I should be up to date, didn't get to HJT log
  4. printer is connected via USB port.
  5. at one point I had Windows File and Printer Sharing enabled to allow the desktop and laptop to communicate and share the printer. lately though the two have not been connected together.
  6. No need to change. ;)
 
See attached log.

The laptop system is currently idling with the same threat alert from Nod32 from before. I have a fresh copy of spoolsv.exe ready to transfer over.
 

spoolsv.exe by default is a process used to manage spooled print jobs. There are however several instances of viruses/trojans masquerading as it.
One of the ways to check its authenticity is its location, which in your case is genuine. I believe that detection is simply a case of false positive.
You can go ahead with the replacement, but I doubt if the detections will stop.
 
I know what spooler does, and I know it's supposed to be in the system32 folder.

However, considering the positive is under the family "win32/patched.N virus" and that a svchost process whose parent was spoolsv.exe tried to drop a trojan on my laptop, I am not willing to consider it a simple case of misidentification.

edit: I'll go ahead and switch it out, keeping the original in a non executable location.
 
Thanks for the input momok.

As you've seen as well, haven't found any malware fingerprints but a final look through HJT seemed wise.

OP was having a problem which pointed to spoolsv and svchost but, at this point, thinking they're not the cause of a problem;... but the after-effect. Will see from what is found in HJT
 
I think if you wish to be very sure, it would be wise to seek alternative opinions: use different scanners, like the ones we recommend (malwarebytes/superantispyware from step 4 and 5 from my signature) instead of just one.

Edit: I've looked through that log and it's clean.
edit: I'll go ahead and switch it out, keeping the original in a non executable location.
or you could just rename it to "spoolsv.bak" =)
 
I took a look at my HJT log and I thought it looked clean too.

I already tried malwarebytes and superantispyware before I even posted, and again shortly before the positive.

As for the replacement... so far so good. Nod32 is not complaining about anything, and Kerio has yet to complain about code injection. (edit: then again, kerio just gave me a bluescreen, so I am restarting now... but that had nothing to do with what is going on right now. =/)

I renamed it "_bad_spool" before I saw your response. close enough right? :p
 
Perhaps that file was infected somehow, but now that you've replaced it hope all goes well for you. Do let us know if you have any further problems.
 
OK.

Agreed, nothing is coming out smelling of malware...

But the two issues (which can just be another subtlety of Windows)
1. The different hash checks (from what i've seen so far.. i don't THINK HP would have changed it. And it does still have MS name on it

2. The OP's version has a text field (i forget which now) that always comes out blank or N/A. Not so for the executable on other machines. Microsoft file version number matches with others. But the MD5 hash check doesn't

just two small bits - but am not sure they should be happening at all.. then again, not 100% there CAN'T be a good explanation
 
Mostly the fact that the hash checksum from my laptop did not match your computer or my desktop was what worried me, especially since the desktop only upgraded to XP SP3 about 4 days ago and has received all the updates after SP3.

Anywho, for now I think my problem is fixed for the meantime. I have another problem, but it warrants its own thread, since it's hardware based and a two parter.

I probably should change my passwords huh, since there was a short period where I was running without my firewall enabled. =/

thanks for sticking with me from more or less the beginning LookinAround. :)

I'll edit in the word [resolved] into the title, if it needs to be revisited I'll remove it.
 
# printer is connected via USB port.
# at one point I had Windows File and Printer Sharing enabled to allow the desktop and laptop to communicate and share the printer. lately though the two have not been connected together.

Hmmm... would have to double check (unless someone else knows off hand) but i believe spoolsv is only required if you do remote printing on your LAN. Otherwise, not needed.

If so, can just disable the service for your "production" times. Though probably still have "test" times to try and figure it out as at some point you're likely to want network printing.

And last point, if you once had File and Printer Sharing (FPS) enabled (but no longer) may be just as well good to:
- Remove the exception from your firewall for FPS
- Go to the network adapter properties, and remove FPS
 
last time I checked spoolsv is part of the whole printing process regardless of the location (local or remote) of the printer, but I'm not 100% sure.

I may consider disabling FPS for the mean time, but I've had a different reason for not using filesharing lately. Thanks for the suggestion.

follow up:

There were two malicious files previously undetected in my system32 folder, both identified by Nod as trojan variants:

msxmle.dll and sensors.exe

I checked the MS list of XML parsers and there was no "e" variant of said parser, and I have no idea what sensors.exe would be (the closest thing for me would be sensor.exe, which is for my ThinkPad's accelerometer).
 
have you cleaned yet? would be curious if you go into Process Explorer.. Click Find and enter the .dll.. See if any hits on what's running

/*********** EDIT **********/
Not sure what to make of all this, but take a look here as well. Is it same? (compare MD5 hash)
 
I realise that until now, we have no logs for reference. Since there are confirmed instances of detection of infection on your system, please run through the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Often times fixing infections do not just work by removing the bad files in question alone. That's why we need some logs to determine if there are nasties lurking elsewhere on your system, as NOD might not have detected all.
 