SVCHOST process is freezing system.

Discussion in 'Port Explorer' started by Close_Hauled, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Guest

    I just bought Port Explorer to help me find a problem with my Windows XP Home system. The problem is that Windows XP freezes for about 30 seconds after booting to the desktop. During this freeze period, I cannot start any windows applications, I can only open the DOS window and issue DOS commands. I put Port Explorer and TaskMgr in the startup folder, so that they would both start before the freeze. Port Explorer showed me that one of the SVCHOST processes is the culprit. The process is trying to communicate with "baym-td3.msgr.hotmail.com".

    Port Explorer resolves the name, but cannot ping it. I am assuming that this server has something to do with Windows Instant Messenger. Whois shows that it is a Microsoft domain.

    What is the best way for me to track down what is starting SVCHOST to initiate the communication?

    By the way: I have scanned for viruses (McAfee) and spyware (Spybot). The system is clean.
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
  3. Close_Hauled

    Close_Hauled Guest

    Thanks. I am looking at it now. Wow! A lot of stuff in there. There are so many references to SVCHOST that I do not know where to begin. Here is a text output from AutoStart:

    -----------------------[ Begin ]-----------------------
    c:\autoexec.bat
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    SET CTSYN=C:\WINDOWS
    PATH=C:\WINDOWS\system32
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    C:\WINDOWS\dosstart.bat
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    c:\windows\wininit.bak [rename]
    NUL=C:\WINDOWS\SYSTEM\SENSOR~1.DLL
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\IMONRES.LRC
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\IMON98.EXE
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\
    c:\windows\system.ini [drivers]
    timer=timer.drv
    wavemapper=*.drv
    MSACM.imaadpcm=*.acm
    MSACM.msadpcm=*.acm
    midi=mmsystem.dll
    wave=mmsystem.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\SPEEDO~1.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\SPEEDO~1.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system32\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
    C:\WINDOWS\UpdReg.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthenticationAgent
    rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IMONTRAY
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility
    C:\WINDOWS\Logi_MwX.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Port Explorer.lnk
    D:\Program Files\Port Explorer\PortExplorer.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to taskmgr.
    C:\WINDOWS\SYSTEM32\taskmgr.exe
    C:\WINDOWS\system\iosubsys\
    C:\WINDOWS\system\iosubsys\Cdudf.vxd
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\the
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-0
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-0
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Ins
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-0
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietI
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-0
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-0
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-0
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-0
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-0
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-0
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\6to4\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\BthServ\
    C:\WINDOWS\system32\svchost.exe -k bthsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\imonNT\
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    HKLM\System\CurrentControlSet\Services\Ip6FwHlp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\iSMBIOS\
    \??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
    HKLM\System\CurrentControlSet\Services\LanmanServer\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LanmanWorkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINDOWS\System32\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SIODRV\
    \??\C:\WINDOWS\System32\drivers\SIODRV.SYS
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    -----------------------[ End ]-----------------------

     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Your log looks pretty clean trojan-wise, but can you please email this file to submit@diamondcs.com.au for checking

    C:\WINDOWS\system32\SysTray.Exe

    You could also disable a few services like Messenger, best to go to http://grc.com and get "The 3 musketeers" to disable those 3 nasty services.

    Some interesting entries such as the Bluetooth one; can you think of anything which was added recently which could cause this? It is quite normal for userinit.exe and the Windows boot process to take a while before actually allowing you to run programs, 30 seconds seems a bit excessive though.
     
  5. Close_Hauled

    Close_Hauled Guest

    Gavin;

    Thank you very much for your prompt response. I just spent a couple of hours browsing the GRC web site. An interesting read to say the least. I will gladly kill the Messenger Service and let you know how it goes. Unfortunately, I cannot do it today. Perhaps Friday or Saturday. But I will certainly keep you posted. Meanwhile, I will e-mail the now.

     
  6. Close_Hauled

    Close_Hauled Guest

    Gavin;

    I ran Shoot the Messenger and re-booted. The process is still running.

    I finally sent that e-mail to the address that you gave me. I attached three text files:

    asview.txt
    Table.txt
    pelog.txt

     
  7. Close_Hauled

    Close_Hauled Guest

    More news:

    I used MSConfig to disable the startup of individual programs and services. I ruled out all items in the Startup tab. I then went to Services and found the culprit. It's the "IPv6 Helper Service"! If I manually start this service, the computer immediately starts communicating with the Hotmail system! Shut it down, and the communication stops!

    I am going to do some more research now. Preliminary Google searches have found little. I just know that it is a legitimate service from Microsoft. Do I need it?

     
  8. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I just read this article:

    http://www.winnetmag.com/Articles/ArticleID/40313/pg/2/2.html

    And here is a quote from it:

    The Svchost Mystery
    Windows 2000 and later also open many other ports (e.g., 500, 123) that are assigned to a service called svchost.exe. This generic host process resides in the \%windir%\system32 folder. It starts anytime Windows starts and loads into memory one or more services as defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry subkey.

    Often when you port enumerate, you'll find that svchost.exe is responsible for several separate port openings. For example, as I write this article, svchost.exe is loaded four times in my computer's memory; is hosting the RPCSS, EventSystem, Netman, NtmsSvc, RasMan, SENS, and TapiSrv services; and has ports 123, 135, 1025, 1026, 1900, and 5000 open. When you're searching for malicious software (malware), you can take comfort in knowing that the ports attached to svchost.exe aren't open for intentional malicious use. Of course, external attacks against those ports (e.g., remote procedure call—RPC—attacks against port 135) aren't out of the question.


    Does this mean that the SVCHost attempts to communicate with the server "baym-td3.msgr.hotmail.com" are not malicious? That it is some legitimate attempt by the OS to establish services (in this case the IPv6 Helper Service) critical to the functionality of IPv6? :rolleyes:

    Close Hauled *puppy*
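The two steps the thread works through by hand (MSConfig to isolate a service in post 7, and the Svchost registry subkey quoted in post 8 that defines which services each svchost.exe instance loads) can be done from a script. The following PowerShell is an added example, not code from the thread, Port Explorer or DiamondCS; it assumes PowerShell 3 or later for Get-CimInstance (on older systems Get-WmiObject takes the same class names), and the service names it checks (6to4, Ip6FwHlp) are taken from the AutoStart log above.

```powershell
# Added example: map svchost.exe host groups to the services they load, then show
# which running svchost PID hosts which service, and check the two IPv6-related
# services that appear in the AutoStart log above.
# Assumption: PowerShell 3+ (Get-CimInstance); registry layout as on Windows XP+.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# 1. Registry view: each value under the Svchost key is a group name (the -k <group>
#    argument seen in the log) whose REG_MULTI_SZ data lists the services it loads.
$groups = Get-ItemProperty -Path $svchostKey
foreach ($prop in $groups.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/PSChildName/PSDrive/PSProvider; skip them.
    if ($prop.Name -like 'PS*') { continue }
    Write-Host ("Group {0}: {1}" -f $prop.Name, ($prop.Value -join ', '))
}

# 2. Live view: which svchost.exe process is hosting which services right now.
#    Win32_Service exposes ProcessId, so grouping by it gives the same picture
#    as 'tasklist /svc', and the PID can be matched against 'netstat -ano' output.
$running = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost' } |
    Group-Object ProcessId
foreach ($g in $running) {
    $names = ($g.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Host ("svchost PID {0}: {1}" -f $g.Name, $names)
}

# 3. Targeted check for the services the thread isolated (constructed list).
#    Stopping one here is the scripted equivalent of the MSConfig test in post 7.
foreach ($name in '6to4', 'Ip6FwHlp') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($svc) {
        Write-Host ("{0}: state={1} startmode={2} pid={3}" -f `
            $svc.Name, $svc.State, $svc.StartMode, $svc.ProcessId)
    } else {
        Write-Host ("{0}: not installed" -f $name)
    }
}
```

Run it from an elevated prompt. Section 2 is the part that answers the original question: once you know the PID of the svchost.exe instance that Port Explorer (or netstat -ano) shows talking to the remote host, the list printed for that PID is the set of services that could be responsible, and section 3 lets you confirm a single candidate by its state before and after stopping it with Stop-Service.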
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  10. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Jooske;

    Once again, thanks.

    I knew that you could uninstall IPv6, but never did find that Microsoft article 555059. What kind of solution is that?! They drive me nuts! I hate Band-Aid solutions. Notice that they do not explain what is going on?

    I suspect that what is going on is; Microsoft is trying to facilitate 6to4 conversion by having the OS communicate with the "baym-td3.msgr.hotmail.com" system.

    If anyone has any idea as to what is going on with the IPv6 Helper Service, please chime in.

    Close Hauled

     
  11. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    To All;


    I got the official word from Microsoft on this problem;


    ---------------------[ Begin ]---------------------
    Thank you for choosing Online Support for your Microsoft Technical Support offering. My name is Raymond and I will be assisting you with this service request. For your reference, the Case ID of this service request is SRX040428603725.

    To give the most accurate support possible, I would like to give a brief summary of the concern as I understand it:

    The svchost process freezes while trying to communicate with baym-td3.msgr.hotmail.com. According to the Knowledge Base 555059, you disabled the IPv6 related services, and the problem went away.

    If there is any misunderstanding, please feel free to let me know.

    Suggestions
    ========

    I understand that you are worried that you may use this protocol in the future and do not want to disable it. However, according to my knowledge, the IPv6 Protocol is not popular so far, and most of the ISP and network programs do not support this protocol. This protocol is normally not started after installing Windows XP; but if you install the Advanced Networking Pack, the IPv6 Protocol will automatically be started. In the future, if the IPv6 Protocol grows popular, more ISP and network programs will support it. At that time, we can reinstall the protocol.

    I suggest you follow the steps to remove the Advanced Networking Pack for Windows XP:

    1. Click "Start", and then click "Control Panel".

    2. Click "Add or Remove Programs".

    3. In the list of currently installed programs, click "Advanced Networking Pack for Windows XP", and then click "Remove".

    4. Follow the instructions on the screen to remove the Advanced Networking Pack for Windows XP from your computer.

    5. After the removal is complete, restart the computer.

    Please try these steps and let me know the result at your earliest convenience. If you have any further concerns, please do not hesitate to let me know. I look forward to hearing from you.

    Best regards,

    Raymond
    ---------------------[ End ]---------------------
     
  12. I'm running Win2k Professional and I'm having a similar issue with svchost.exe. Whenever I play Diablo 2 and connect to battle.net, my svchost.exe process jumps up to 99% processor usage and my game lags like hell. I exited the game and started looking around on the internet for this problem, and my svchost.exe generated errors and an error log was created; the file size was 3124k. I had 3 entries in my list; the one with 3124k disappeared and I'm still online. I restarted Diablo 2 and rejoined a game and I'm able to play without any lag. Pretty weird.
     