# Suspicious Svchost.exe internet activity



## john2004 (May 29, 2004)

Hi everyone,

Every now and then when I am on-line I hear my computer fan kick on very high and when I look at system performance under the task manager, something is using almost all of the CPU power. This has been happening every now and then for a long time.

Yesterday, I checked the connections with my comodo firewall (version 3.0.13.268) and Svchost.exe located at C:\windows\system32\svchost.exe was using most of the INTERNET connection.

My computer IP address was the source using port 4732, and the destination IP address was issued to my ISP using port 80. What surprised me is that it had downloaded 17 MB of data and uploaded over 1 MB of data. This is just a 56k dial up connection. After about 17 MB, more data started to download using port 1569. I have Microsoft automatic updates set to just notify me if anything is available, not to download automatically. I generally turn off automatic updates on all installed programs as well.

I closed the browser (running sandboxie) and even deleted the sandbox and it just kept on downloading and uploading.

I terminated the connection in the firewall but it reconnected, this time my IP was using port 2421 and the destination address kept using port 80

I tend to think it's not malware because I did a full system scan with Avira a couple of weeks ago and it said everything was OK. I don't do full scans that often since the disk is so full and it takes so long. I also did a quick scan with Malwarebytes, superantispyware, and Bitdefender's online quickscan. They all say everything is OK. Windows defender also does its regular quick-scan and reports no problems. I even uploaded the svchost.exe file to virustotal and all scanners said the file was OK.

Regardless of whether it's malware or not, I would like to know what program is using Svchost.exe to download and upload the information, why it takes so much processor power, what data is being downloaded and uploaded, and where the 17 MB of data went to on my computer. I realize I will probably have to wait for it to happen again in order to be able to track things down.

I downloaded a free program called "svchost analyzer" http://www.neuber.com/free/svchost-analyzer/ and under the local service group, it said that "remote registry" is active and it can allow remote users to modify the registry. That does not sound like a good thing to me. Should I turn off remote registry and how do I do it ? The svchost analyzer program also lists three instances of Svchost.exe that cannot be accessed. The program svchost analyzer lists the three instances of svchost.exe and says "access denied" "run program as administrator" but I am already using an administrator account. I don't know how to find out what these three instances of Svchost are. I also downloaded the "security task manager" program from the same site that svchost analyzer came from but after running the program I did not really see anything that looked that suspicious.

Can anyone please tell me the best methods or programs to use to track down the information I need regarding this svchost.exe activity ?

I would appreciate any advice or thoughts on what might be causing this and whether it's anything to worry about or not.

Thanks
John

Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Professional, Service Pack 2, 32 bit
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+, x86 Family 15 Model 43 Stepping 1
Processor Count: 2
RAM: 958 Mb
Graphics Card: NVIDIA GeForce 6150 LE , 256 Mb
Hard Drives: C: Total - 296227 MB, Free - 4742 MB; D: Total - 8996 MB, Free - 776 MB; 
Motherboard: ASUSTek Computer INC., NAGAMI2, 2.00, MS1C66S15801957
Antivirus: AntiVir Desktop, Updated: Yes, On-Demand Scanner: Enabled
Windows XP SP2 on an HP Pavilion a1520n


----------



## Elvandil (Aug 1, 2003)

Your Task Manager will tell you what specific services are controlled by that host.

What AV and/or antimalware do you have and does it update automatically?

Look in system32. Do you have more than one svchost.exe? Are you sure it is spelled the same?


----------



## john2004 (May 29, 2004)

The problem with the task manager is that it lists 6 instances of svchost.exe and I don't know which one is downloading the data. In the task manager under user name, it just says things like "network service", "local service", system, etc. How do I track it down from there ? This machine has 61 processes running which seems ridiculous to me. 

I don't have anything set to update automatically except Avira Antivir. I also have superantispyware, windows defender, and malwarebytes, but they are not set for automatic updates. Besides Avira & windows defender's real time protection, I just use the other two as on demand scanners every now and then. 

There is only one instance of svchost.exe in the system 32 folder but there is another instance at 

C:\WINDOWS\system32\dllcache

But it has the same name and MD5 checksum as the one in the system32 folder and both files check out at virustotal.

Am I being paranoid or does this sound like strange behavior for svchost.exe ?


----------



## flavallee (May 12, 2002)

Why haven't you upgraded Windows XP Professional SP2 to SP3?

-------------------------------------------------------------

You're still using the original 1024 MB(1 GB) of RAM that came in that desktop.

It supports up to 4096 MB(4 GB) and uses 184-pin DDR PC3200 SDRAM modules.

You might consider adding another 1024 MB(1 GB).

------------------------------------------------------------


----------



## lunarlander (Sep 22, 2007)

Go here and download Process Explorer: 
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Start the program, pull down the view menu, choose "select column", then checkmark "command line". This will show you how each svchost is started. Highlight each svchost occurrence, right click, choose Properties, then the Services tab to see what services each svchost is hosting. Svchost is a "common library" kind of program that works with various services. Highlight each service there, and below is a description of what that service does.

Also you should install SP3 like Flavallee says. Microsoft will only provide support to those that are running Service Pack 3 now.


----------



## john2004 (May 29, 2004)

> Why haven't you upgraded Windows XP Professional SP2 to SP3?


I tried when SP3 first came out and got a blue screen of death and had to do a system restore. I am pretty sure my computer needs an update patch from HP prior to installing SP3 (I think it's sp37394.exe). I did not think it was worth messing up the system and having to reinstall windows so I never installed it. After I get all my data backed up, I may still try to upgrade to SP3.



> You're still using the original 1024 MB(1 GB) of RAM that came in that desktop.


I know, I want to install the maximum memory on this computer but it just comes down to time and money.

Thanks Lunarlander, I will give process explorer a try.

Hopefully this is a legitimate service running, it just seemed suspicious to me, what do you guys think ?


----------



## flavallee (May 12, 2002)

Yep. It looks like you need to install the sp37394.exe patch first before installing the SP3 upgrade.

----------------------------------------------------------------


----------



## Elvandil (Aug 1, 2003)

Sorry. The Task Manager in Vista and beyond shows what services attach to each svchost.exe, but not XP's, I don't believe. I installed Prio in XP and that adds some functions to the Task Manager and maybe that is what I am remembering.


----------



## john2004 (May 29, 2004)

Should I turn off the "remote registry" feature ? That seems like a source for a significant vulnerability to me. Do you guys have this enabled ? This is not a network computer, is there any reason to leave this feature active ? I could always activate it if I need it.

Here is a link I found on it

http://www.windowsreference.com/security/how-to-disablerestrict-remote-registry-access-in-windows/

Also, the XP default seems to be to have "simple file sharing" activated. Should I un-check this ? Is there any reason to have file sharing active on a single non-networked computer ? Do I need this to transfer files between a host computer and Microsoft virtual machine ?


----------



## lunarlander (Sep 22, 2007)

I have remote registry disabled in services.msc, haven't noticed any ill effects. 

The way to disable file sharing is through Control Panel> Network Connections > Local Area Connection >Properties and uncheckmark 'File and Printer Sharing'. And if you are not accessing any file shares on other PCs, then you can also uncheckmark 'Client for MS Networks'. 

When you uncheck 'Simple File Sharing' it only means that every user who connects to your file share needs to supply a username and password.


----------



## john2004 (May 29, 2004)

Hi everyone,

I found some more information on this problem. I used a program called currports http://www.nirsoft.net/utils/cports.html which shows all of the active system ports and the processes that are accessing them. I used the comodo firewall to see that port 2805 was being used to download and upload data to and from my computer (a little over 17 mb in and a little over 1 mb out). This happened just as it did before as mentioned in my earlier post.

Using currports, I found the module file name behind everything is c:\windows\system32\WINHTTP.dll.

What is winhttp.dll actually used for and what and why would it be downloading data to and uploading data from my PC ? I do not have automatic updates activated and even if I did, I don't think SP2 is still getting updates. I also have all programs set for manual updates.

Why is the remote IP address the IP of my ISP ? My ISP has no reason to be downloading data to my PC or uploading data from my PC. Should I use the Comodo firewall to block internet access for the winhttp.dll ?

Using Process explorer, it looked like wuauclt.exe may be the program that was actually downloading

"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[578]SUSDSfe8c07a6cff3f9479b8babdd128e2ef5

I know wuauclt.exe is related to windows update, but I have automatic updates turned off. Windows defender is set to just notify me when updates are available, and I am also using SP2 so why would windows updates be downloading data to my computer and uploading over 1 mb of data from my computer ? The only thing I get from windows updates are defender updates and the malicious software removal tool. I suppose it's possible it's trying to download something that did not get downloaded all the way, but I doubt it. Everything is set to just notify me and not download unless I authorize it.

Currports had a listing in it for www.007guard.com but when I reopened currports and checked it again, I could not find it. I searched the registry for 007guard and as it was searching, my system crashed and restarted. Using a program called "open ports viewer" http://www.gaijin.at/en/index.php there seem to be three instances of www.007guard.com listening on tcp protocol (www.007guard.com is listed as the local address). However, the instances of 007guard seem to be using legitimate processes, namely, alg, jqs, and connectivity.edmws.server. There are two other instances of 007guard that simply list svchost.exe as the process. I have spybot search and destroy installed and I don't know if the 007guard instances have something to do with that. As I understand it, Spybot modifies the hosts file and redirects 007guard to your 127.0.0.1 home IP, so that it can never connect to its home site.

Currports listed 12 unknown process names in a time wait state, most of these are associated to Google's IP address using port 80 with various local port numbers in the 1400s? There are also a couple of connections with the IP address of Akamai Technologies.

Here is the information report presented by Currports for the suspicious downloading / uploading activity on port 2805...

Process Name = svchost.exe
Process ID = 1400
Protocol = TCP
Local Port = 2805
Local Address = My IP
Remote Address = My ISP's IP
User Name = NT AUTHORITY\SYSTEM
Process Services = AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, helpsvc, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS
Process Path = C:\WINDOWS\System32\svchost.exe
Module Filename = c:\windows\system32\WINHTTP.dll

How many of the processes listed above could I permanently disable in order to try to stop this thing from downloading / uploading ? It seems prudent to disable all unnecessary services and processes.

After a little over 17 MB was downloaded on port 2805, the connection was reestablished on port 3498 and the download and upload process started over, but all the data listed directly above with respect to the activity on port 2805 remained the same for port 3498. The last time this happened, it seemed to reset itself after 17 mb of data had been downloaded, just as it did this time.

I went to start, run, services.msc, and I have disabled remote registry, terminal services, and server but it did not stop this from happening. I also turned off file-sharing but it did not have any effect.

I still have not found out what is being downloaded or where it is being downloaded / uploaded to ?? Are there any network traffic tools or any ways to obtain this data ? I should be able to find where 17 Mb + of data went to on my computer.

Whether this is legitimate or not, it seems to me svchost.exe is a security risk. If you cannot tell what is happening with a process or service or you cannot track down what is happening with downloads / uploads on your machine, then that is a security risk.

What would happen if I deny INTERNET access to svchost.exe all together ? Should I get a new hosts file ?

I am using an older version of Comodo firewall, 3.0.13.268, but it has always seemed to work well. Should I upgrade to the new version ?

I would appreciate your opinions and advice.

Thanks
John
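The Process Explorer approach lunarlander describes and the currports report above both come down to the same join: the PID that owns a socket, matched against the list of services that svchost.exe instance hosts. On XP the two built-in commands `netstat -ano` and `tasklist /svc` give the same raw data. The following script is an added example written for this thread, not a tool from the original posts or from any vendor mentioned here; it parses constructed sample output of those two commands (the PID 1400 / port 2805 line mirrors the report above, while the IP addresses are documentation addresses, not the real ones) and produces a report for one local port. It also handles the TIME_WAIT sockets with PID 0 that currports showed as "unknown process": those belong to connections whose owning process has already exited, so there is nothing to look up.

```python
"""Correlate a TCP connection with the svchost.exe instance that owns it and
the services that instance hosts, from `netstat -ano` and `tasklist /svc`
text output (Windows XP format). Added example; sample output below is
constructed, not captured from the thread's machine."""
import re

# Constructed `netstat -ano` sample: Proto, Local, Foreign, State, PID.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1744
  TCP    192.168.1.5:2805       203.0.113.10:80        ESTABLISHED     1400
  TCP    192.168.1.5:1422       198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` sample; long service lists wrap onto indented lines.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 RpcSs
svchost.exe                   1400 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS
alg.exe                       1744 ALG
"""

_TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text):
    """Return a list of connection dicts from `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no state
        conns.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                      "state": state, "pid": int(parts[-1])})
    return conns


def _split_services(chunk):
    return [s for s in (x.strip() for x in chunk.split(",")) if s and s != "N/A"]


def parse_tasklist(text):
    """Return {pid: (image_name, [services])} from `tasklist /svc` output,
    joining service lists that wrap onto following indented lines."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            procs[current][1].extend(_split_services(line))  # wrapped services
            continue
        m = _TASK_RE.match(line)
        if not m:
            current = None  # header / separator rows
            continue
        pid = int(m.group(2))
        procs[pid] = (m.group(1), _split_services(m.group(3)))
        current = pid
    return procs


def explain_connection(netstat_text, tasklist_text, local_port):
    """Describe the process and services behind the socket bound to local_port;
    returns None when no such socket is listed."""
    procs = parse_tasklist(tasklist_text)
    for conn in parse_netstat(netstat_text):
        if conn["local"].rsplit(":", 1)[-1] != str(local_port):
            continue
        report = dict(conn)
        if conn["pid"] == 0 and conn["state"] == "TIME_WAIT":
            # Lingering socket: the owner already exited, nothing to attribute.
            report.update(image=None, services=[],
                          note="TIME_WAIT socket; owning process has exited")
        else:
            image, services = procs.get(conn["pid"], (None, []))
            report.update(image=image, services=services, note="")
        return report
    return None


if __name__ == "__main__":
    for port in (2805, 1422):
        r = explain_connection(NETSTAT_SAMPLE, TASKLIST_SAMPLE, port)
        print(port, r["remote"], r["state"], r["pid"], r["image"], r["note"])
        print("  services:", ", ".join(r["services"]) or "-")
```

On a live XP box the two samples would be replaced by the output of `netstat -ano` and `tasklist /svc` (or `tasklist /svc /fi "imagename eq svchost.exe"` to narrow it down). The report still only tells you which service group owns the socket, not which of the fifteen services issued the request; narrowing that further means moving the suspect service into its own svchost instance or, as the thread eventually does, watching the traffic itself.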


----------



## flavallee (May 12, 2002)

I wouldn't recommend disabling a bunch of services. It's safer to set their "startup type" on Manual.

I don't use a third-party firewall nor anything else that my computers don't need.

--------------------------------------------------------------


----------



## john2004 (May 29, 2004)

I think I may have found what was going on here. As the suspicious activity was happening, I used the free version of the program "network miner" http://www.netresec.com/?page=NetworkMiner to try and see what might be going on. I noticed some IP addresses I did not see before.

I ran a whois on the addresses and was alarmed that they were from the Ukraine. Then when I looked closer the addresses were for n1.p.returnilvirtualsystem.com.

I went to the program returnil and found that it was set for automatic updates (I could have sworn I had turned it off) and the last attempted update was right as the suspicious activity was occurring. I turned off automatic updates and I suspect the suspicious activity should stop for good.

What I don't understand is why the destination IP address shown by the firewall was the IP address of my own ISP ? It's as if returnil was hiding its IP address behind the IP of my ISP. You should be able to open your firewall and tell where data is coming from and where it is going. In this case it appeared something was being downloaded from my ISP to my computer and uploaded from my computer to my ISP. However, the data was really being downloaded from returnil's IP and uploaded to returnil's IP. I also think uploading over 1MB of data to them each time, seems a little strange. The downloads themselves also seemed large, they were over 17 MB each time, unless it was trying to download a whole new program version. I also have the virus definition updates turned off, and the remote control turned off.

Microsoft needs to change the way svchost.exe works so that it does not hide or mask what is really going on with downloads and uploads. IMHO, it would be too easy for malware to use the legitimate svchost.exe program to download and upload things and most people would never even notice.

Here are two of the IP addresses I found...

91.193.166.92

80.91.172.203

Hopefully this will take care of it, but it still seems a little like odd behavior from a legitimate program. Prior to finding this out, I ran the bootable Avira rescue disk and scanned every file on the system and it came back clean. I figured any malware would not be able to hide if the OS were not booted up. I followed up with a quick scan via malwarebytes and superantispyware. All came back clean. I ran the Norman Malware cleaner too, it only found a couple of suspicious registry entries it moved to quarantine but I may restore them as they look like false positives.


----------



## john2004 (May 29, 2004)

This is regarding Returnil System Safe 2011 Version 3.2.10351.5418-REL3

Even though I have selected the option for returnil to never update, this internet connection is still being established and data is still being downloaded to, and uploaded from, my computer. The "remote control" feature of returnil is disabled, and I have the real time virus monitoring disabled. As far as I can tell, all automatic updates are disabled and nothing should be downloading. 

Here are the IP addresses that are once again, behind svchost.exe...

91.193.166.92

80.91.172.203

In my firewall, I have just blocked all INTERNET access to all of the returnIL exe files in the RVS3 folder. What else do I need to block with the firewall in order to stop this activity ? I terminate the connection with the firewall, and it just starts back up again. I guess I have to block the IP addresses but it might just use different ones if it finds those are blocked. 

I scanned all of the Returnil exe files and the one dll file in the RVS3 folder at virustotal and they all came back clean. 

As I was using "TCP view" from Microsoft, the connection was showing the destination IP as the IP of my own ISP, then every now and then it would turn red and it would reveal that it was returnil that was really behind the connection (it actually showed the returnil web address). This agrees with the data retrieved from the program network miner. I know returnil is behind this connection. At one point, the connection went from "established" to "Syn_sent".

I also scanned with prevx 3.0 free as the suspicious download was happening and it said the system is clean. Same with bitdefender quickscan. 

I would appreciate any help, advice, or thoughts anyone can provide. I don't like stealthy INTERNET connections even if they are from legitimate programs and I don't like a program I cannot control, even if it is legitimate. 

Hopefully I won't need to un-install the Returnil program but if I cannot stop this I will have to.

Thanks
John


----------



## lunarlander (Sep 22, 2007)

Here's Returnil's forum, you might get them to answer your questions:

http://www.wilderssecurity.com/forumdisplay.php?f=100


----------



## john2004 (May 29, 2004)

I gave ReturnIL my software installation ID so they could check their server logs. I just got a post back from Mike at the wilders ReturnIL forum



> Hi John,
> First, thank you for the report as you have identified a previously unknown bug at the server which is causing this to happen. The lead for the server project has investigated and reports that it will take a little time to correct and then test.
> 
> The gist of the issue is that you have the data collection policy changed to 'do not send' but the server for some reason is still sending requests for any suspicious file/behavior information. IOWs, the server keeps asking for the information and the client keeps telling the server that it cannot send the requested information because the option is changed to do not send.
> ...


I'm glad to hear this was not malware, I was worried since all of this seemed suspicious and stealthy. It was hard to track down what was going on here but I knew *something* was going on.

I blocked all the returnil exe files with my firewall (as the connection was active) and it did not stop it, but after restarting my computer, I have not noticed any new connections since blocking the returnil .exe files. Perhaps the firewall settings on the .exe files do not apply to active connections and are only applied to new connections or after a computer restart, I'm not sure.

John


----------

