Can Someone Tell Me What's Going On?


I've been having problems for a few weeks involving "svchost.exe"
(100% CPU usage as well as a maxed out internet connection when *I*
wasn't doing anything).  I did a lot of Googling and found, among
other things, that not only is this program required by Windows, it
can also be associated with a virus.  

I've got updated virus, spyware and adware goodies, did scan after
scan after scan (clean bill of health), searched my hard drive for a
"svchost.exe" that didn't belong there (didn't find anything).  

But I still have this thing attempting to connect to the internet (I
have Zone Alarm stopping it).  What concerns me is the destination DNS
is my ISP's mail server.  Just in the last hour while I've been trying
to research this, there have been over 1,000 connection attempts.  

I can't find a virus -- have I been hijacked by spammers (I haven't
heard anything from my ISP)?  And if I have, what do I do about it
now?  I Googled for this, too, and found plenty of "this could happen
to you" articles, but nothing about how to solve the problem or even
how to determine for sure that IS the problem.

I don't open email attachments, I don't download crap -- I thought I
had this thing locked down tight. That, plus the fact that I'm on a cruddy
26.4 dial-up connection, made me think I'd be alright.

Can someone please point me in the right direction so I can end this?


July Goals:    BG readings in normal range; Not hungry, don't eat
Weight:        7 pounds gone since 07/01/2005
Measurements:  8 inches gone 06/19/2005
Cholesterol:   145
FBG:           < 100 since 07/01/2005  A1c 6.5

Re: Can Someone Tell Me What's Going On?

I think your computer must be hijacked by spammers. It is a virus, too
new for anti-virus software to find it. You can use Security Expert to
find and kill it. Security Expert can help you judge which
process/startup program/service is a suspicious process/startup
program/service, and lets you kill it.
Goto to know more.

Re: Can Someone Tell Me What's Going On?

You gotta be crazy to use this program. The link is to an overseas server
that downloads a keylogger to your system.

Re: Can Someone Tell Me What's Going On?


hmmm.... see if there is anything listening on common ports for an IRC
channel. You may be an unwilling party to a DDoS attack. Somebody step in
here pls.. is the default port 6667?
Anyways.... use the netstat -an | find ":xxxx" command (replace xxxx with
the port number... I don't remember, or it may have changed) and if the
output is blank, then it is likely clear of certain IRC bots, or the
default port has been configured to something else. I believe many IRC
servers require the IDENT port to be open as well... port 113. Though this
is just a small drop in a huge bucket of things it might be. Could be
something as simple as a piece of spyware that has hidden itself quite
well. Try to scan it in safe mode and see what happens.
Also, talk to your ISP and ask them if they can investigate the packets
being sent... this can sure point you in the right direction.


I would much rather have a bottle in front of me than a frontal
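The reply above suggests looking at netstat for connections to the IRC port (6667), IDENT (113) and, given the original post, the ISP's mail server on TCP/25. The script below is an added example and not code posted in this thread: it parses the output of `netstat -ano` (the `-o` switch adds the owning PID, which is what you need to tie a connection back to a process) and counts outbound flows per process to the watched ports. The `netstat` text embedded in it is a constructed sample, not a capture from the poster's machine; to use it for real, run `netstat -ano > netstat.txt` and feed that file to `suspicious_connections`.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (not from the thread): a process
# with PID 1220 repeatedly opening TCP/25 to a mail server and one IRC session,
# alongside ordinary listeners and a browser connection for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.5:1034       203.0.113.25:25        SYN_SENT        1220
  TCP    192.168.1.5:1035       203.0.113.25:25        SYN_SENT        1220
  TCP    192.168.1.5:1036       203.0.113.25:25        ESTABLISHED     1220
  TCP    192.168.1.5:1040       198.51.100.7:6667      ESTABLISHED     1220
  TCP    192.168.1.5:1041       198.51.100.9:80        ESTABLISHED     1588
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports the thread calls out: SMTP (25), the usual IRC port (6667), IDENT (113).
WATCH_PORTS = {25, 6667, 113}


def parse_netstat(text):
    """Return (proto, local, remote_ip, remote_port, state, pid) per connection row.

    TCP rows carry a State column; UDP rows do not, so the PID index differs.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        ip, _, port = foreign.rpartition(":")      # "*:*" yields port "*"
        port = int(port) if port.isdigit() else None
        rows.append((proto, local, ip, port, state, pid))
    return rows


def suspicious_connections(text, watch_ports=WATCH_PORTS):
    """Count outbound TCP flows per (pid, remote_port) for the watched ports.

    LISTENING sockets are skipped: only flows a process initiated matter here.
    """
    counts = Counter()
    for proto, _local, _ip, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING" and port in watch_ports:
            counts[(pid, port)] += 1
    return dict(counts)


def listening_ports(text):
    """Local ports something is listening on (the 'anything listening?' check)."""
    ports = set()
    for proto, local, _ip, _port, state, _pid in parse_netstat(text):
        if state == "LISTENING" or proto == "UDP":
            _, _, lport = local.rpartition(":")
            if lport.isdigit():
                ports.add(int(lport))
    return ports


if __name__ == "__main__":
    for (pid, port), n in sorted(suspicious_connections(SAMPLE_NETSTAT).items()):
        print(f"PID {pid}: {n} flow(s) to remote port {port}")
    print("listening on:", sorted(listening_ports(SAMPLE_NETSTAT)))
```

A single process with dozens of SYN_SENT entries to port 25 is the pattern the original poster describes; once you have the PID, `tasklist /svc` (or Process Explorer, recommended later in the thread) shows which image and which services are behind it.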

Re: Can Someone Tell Me What's Going On?

Baileys Wrote:

I suspect that you did not search hard enough, judging by your story.
Did the search include files with the hidden and/or system attribute?
If it did, you might as well check for rootkits, which attempt to hide
the file (although a decent rootkit also should've hidden the

Baileys Wrote:

Have you asked them about the usage of your IP on their mail server?
Maybe you can try sniffing the connection from your IP to the ISP mail
server, to determine what exactly is being sent to them. I suspect it
is propagation of a virus using email, in an attempt to infect more

Baileys Wrote:

Visiting sites can be all it takes to get infected.

Reminds me of a similar problem. At some point I used a keygen of
some sort, which carried a virus as well, while Kaspersky AV did not
even recognize the infection. It also used the name svchost.exe. After
killing it, PGP Desktop showed that the computer had been trying to
connect to another email server (not an ISP's). I'm not sure if the
Sygate firewall stopped it or not. Anyway, in order to exactly describe
the actions of how I removed it, I'd have to re-infect the computer
again.. heh. I recall that some of the files were in either
%HOMEPATH%\Local Settings\Temp or %HOMEPATH%\Local Settings\Temporary
Internet Files (that's right, it used more than a single file).

BTW, doesn't Zone Alarm give the full path to a program which is
using, or trying to use, the network? IMHO a decent firewall should.

08eb d563 c78f 85a9 2f4b  571b 9177 22e6 65ad ac05 /

Re: Can Someone Tell Me What's Going On?

Baileys wrote:

Have you done an anti-virus scan while in safe mode? Sometimes things don't
get picked up unless you're in that mode. Also, have you tried more than
one AV package? If you're using a paid-for AV package, you might like to
try a free one, like AVG, as well.

Good luck.

Re: Can Someone Tell Me What's Going On?

Baileys wrote:

I recommend figuring out what is calling svchost.  Get Process Explorer

It is a free utility that will tell you what processes are being called
and what is calling the process (process thread).  There are a couple
other utilities on the page that will do things like identify what is
being autorun at start-up and handles which may also aid in identifying
what is calling the process.

*****Last resort

If you cannot identify the offending starting process it may well be that:

    1.  The svchost.exe process you are seeing is a similarly named file in
another directory; the utility above should identify the process.
svchost.exe should be located in your system32 directory under your
Windows directory, which by default would be c:\windows\system32, however
your system directory may be placed elsewhere if you have tweaked your

    2.  The file may have been replaced, especially if you were running on
the net with administrative permissions.  On my system, with current
patch levels (XP), it is a 16,384 byte file dated 8/4/2004 2:56 AM.  You should
have a backup file on your system located in your
c:\windows\servicepackfiles\i386 that should be similar in size and date.

I would also check the system for a rootkit.  There is
this free utility called RootkitRevealer at:

These things should identify either the offending process tree or what
is causing your issue.

Because I feel a system once compromised is like being a little bit
pregnant, I would rebuild the system.  I understand this can be
problematic/traumatic for some folks who are not prepared for the
eventuality, but trusting my system is important.  But the above items
should at least give you a clue as to what is happening.
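The two "last resort" checks above (is the running svchost.exe the one in system32, and does that file still match the ServicePackFiles backup?) can be scripted. The following is an added example, not code from anyone in this thread: it walks a Windows root, lists every file named svchost.exe, flags copies outside the two expected locations (the reply above and an earlier one both mention Local Settings\Temp as a place a fake one turned up), and compares size and SHA-256 of the system32 copy against the backup. Because it must run offline, `build_fixture` creates a constructed stand-in for C:\ in a temp directory, with a 16,384 byte dummy file (the size quoted in the reply) in place of the real binary; the directory layout and the Temp-folder decoy are assumptions for the demonstration. Point `audit_svchost` at a real drive root (for example `C:\`) to run it for real.

```python
import hashlib
import os
import tempfile

# Expected locations of svchost.exe on a default XP install, relative to the drive root.
SYSTEM32 = os.path.join("WINDOWS", "system32")
BACKUP = os.path.join("WINDOWS", "ServicePackFiles", "i386")
EXPECTED = {
    os.path.normcase(os.path.join(SYSTEM32, "svchost.exe")),
    os.path.normcase(os.path.join(BACKUP, "svchost.exe")),
}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name="svchost.exe"):
    """Every file named svchost.exe under root (case-insensitive), relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name:
                hits.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return sorted(hits)


def audit_svchost(root):
    """Report stray copies and whether system32\\svchost.exe matches its backup.

    backup_match is None when either the live file or the backup is missing.
    """
    copies = find_copies(root)
    rogue = [c for c in copies if os.path.normcase(c) not in EXPECTED]
    live = os.path.join(root, SYSTEM32, "svchost.exe")
    backup = os.path.join(root, BACKUP, "svchost.exe")
    match = None
    if os.path.isfile(live) and os.path.isfile(backup):
        # Size first (cheap, and what the reply compares by eye), then the hash.
        match = (os.path.getsize(live) == os.path.getsize(backup)
                 and sha256_of(live) == sha256_of(backup))
    return {"copies": copies, "rogue": rogue, "backup_match": match}


def build_fixture(tampered=False):
    """Constructed directory tree standing in for C:\\ (assumption: not a real install).

    With tampered=True the system32 copy is replaced by different bytes, modelling
    the 'file may have been replaced' case from the reply.
    """
    root = tempfile.mkdtemp(prefix="svchost_audit_")
    genuine = b"MZ" + b"\x00" * 16382          # 16,384 bytes, dummy content
    decoy = b"MZ" + b"\x90" * 4094             # a different, smaller dummy
    files = [
        (os.path.join(SYSTEM32, "svchost.exe"), decoy if tampered else genuine),
        (os.path.join(BACKUP, "svchost.exe"), genuine),
        (os.path.join("Documents and Settings", "user", "Local Settings",
                      "Temp", "svchost.exe"), decoy),
    ]
    for rel, data in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    report = audit_svchost(build_fixture())
    print("copies found:", report["copies"])
    print("outside expected locations:", report["rogue"])
    print("system32 copy matches backup:", report["backup_match"])
```

A rogue entry, or `backup_match` coming back False, is the cue to take the reply's own advice and treat the box as compromised rather than keep cleaning it; a True match only says the file in system32 is intact, not that the process using that name was launched from there, which is what Process Explorer's image path column answers.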


Re: Can Someone Tell Me What's Going On?


Thanks to everyone for the advice.  While I might, indeed, have to do
a clean install, I would like to know "what's up" and can use your
pointers to try to figure that out.  

Much appreciated.  :-)
