15

The firewall of my company has detected and blocked a repetitive (every 15 min) HTTP request from a PC, which tries to start a download of a file called ..._chrome_installer.exe(or so) from the host:

http://r9---sn-4g57kner.gvt1.com

Chrome is not installed on that PC. Neither is there any suspicious process, service or task launched. I checked scheduled tasks, the registry (Run, RunOnce etc.), msconfig and boot-scripts: nothing suspicious. With Microsoft Message Analyzer I figured out the PID and processname, which are the same. The PID leads to svchost.exe (netsvcs). So my question is, how to go on behind svchost or how can I find the origin of that request? (If that is possible). I use Windows 7.

Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
Kuronashi
  • 349
  • 1
  • 2
  • 7
  • You are most likely infected by a rootkit. Reinstall from backup... – Deer Hunter Jul 15 '15 at 12:07
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Jul 15 '15 at 12:08
  • This question as asked (how to discover what called svchost), appears more to be a Windows-internals-specific question, and might be better asked over at SuperUser (despite viruses being a factor). If the reeal question you're asking is how to deal with this infection, then @DeerHunter has your answer. – schroeder Jul 15 '15 at 14:50
  • Thanks for your reply DeerHunter. At superuser.com i was told that that question might be better at security.stackexchange. – Kuronashi Jul 16 '15 at 06:14
  • In Task Manager on the Services tab you can sort by PID and see which services are running in a particular `svchost.exe` process, and you can stop each service to see which one results in the network requests stopping. But as @DeerHunter said, it's probably a virus. – dave_thompson_085 Jul 16 '15 at 12:41
  • Thank you @dave_thompson_085, i can try that. but even so, i checked all Services that run in the Process with that PID, they are all windows services. – Kuronashi Jul 16 '15 at 20:35
  • I assume you mean all the services in the process look like legitimate Microsoft-supplied ones. But if one of them is infected by a virus it can still be doing evil things even though its name and description are good. – dave_thompson_085 Jul 18 '15 at 05:59

3 Answers3

9

I found the origin. Both Answers have given me the right indications to go on. With ProcessExplorer i picked the right svchost process (the same PID) and opened the TCP/IP tab, with wireshark i waited for the request, as it was sent, the TCP/IP tab from ProcessExplorer showed me the service wich was trying to establish a connection: BITS Service (Background Intelligent Transfer Service). I opened cmd and with 

BITSAdmin /List [/allusers] [/verbose]

i listed all jobs. And there we have the crux of the matter. All full with jobs from google-update. The files listed for each job pointed to a non-existing google-update.exe. So i think the first answers might is right, that this is not a virus. I don't know why there were 9 google-update jobs and nothing else. I deleted all. Since then the requests are gone.

Kuronashi
  • 349
  • 1
  • 2
  • 7
  • 1
    For reference, on OS X this domain is also used to update Google software (Google Software Update via ksfetch): `~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent` The domain does look suspicious, but it's legit, Google owned: https://who.is/whois/gvt1.com – Vexter Jun 18 '16 at 09:39
8

It seems that "gvt1.com" its owned by Google (whois shows:)

Registrant Name: DNS Admin
Registrant Organization: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6506234000
Registrant Phone Ext: 
Registrant Fax: +1.6506188571
Registrant Fax Ext: 
Registrant Email: dns-admin@google.com

And checking the location of that specific domain (r9---sn-4g57kner.gvt1.com) points to near San Francisco (which matches).

Checking further, it shows a relation between "gvt1.com" and "googlevideo.com" (example: https://github.com/lennylxx/ipv6-hosts/wiki/YouTube) and chromium, for example: https://code.google.com/p/chromium/issues/detail?id=423590

Google site check: http://google.com/safebrowsing/diagnostic?site=gvt1.com/

I'm almost sure its not a virus but something related to a Google service. (look for "gvt1.com" in google, you will find many more links)

lepe
  • 2,184
  • 2
  • 15
  • 29
  • It's good to know the owner of the URL: https://www.virustotal.com/en/url/3577b016766bb09ed7df582441efc7cf17a0ec3e49d02e41f69a70185dc2571e/analysis/ but I'm not sure this answers the OP's question. – schroeder Jul 17 '15 at 02:53
  • 1
    This is likely to be [Google Update](https://support.google.com/installer/answer/98805?hl=en) process that is scheduled to run every 15min on computers with Google Chrome installed or improperly removed. To view the process behind, OP can install, for example, [Svchost viewer](http://www.techrepublic.com/blog/windows-and-office/decipher-svchost-processes-in-windows-with-svchost-viewer/). – Question Overflow Jul 17 '15 at 03:31
  • 1
    I would start by looking at any Google related software installed in that computer. As "Question Overflow" suggested, some google related update (perhaps running as system service). If you can't find anything, you can check the network interface with something like [wireshark](https://www.wireshark.org/) to know the exact URL and information being posted there (as its HTTP, should be clear) to narrow it. – lepe Jul 17 '15 at 04:04
2

Go to sysinternals and install a trace tool. Record 20m of activity and locate that request. Then go back to the orign of that request.

Nils
  • 121
  • 7