Jump to content

SVCHOST.EXE - IP-BLOCK (We can't find the loader).


Recommended Posts

Okay, heres a special one.

There appears to be something using svchost to connect outbound, the same port is used for a specific day, the next

day a new port is used, etc.

The outbound connection attempt happens 3 times a day (sometimes), often once in the morning, once in the middle of

the day and once at the end of the day.

Now I've come to MBAM forums to ask what these IP's are from and what they may indicate a sign to.

On the 17th.

2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:20 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

On the 18th

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

On the 19th

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

These are all the IP's that it's tried to connect to, the ones for the 19th I think you will find odd because it actually is a website and

the site is for "Chinese Intellectual ERP Systems" if you use Google Translate on it.

I've done so many scans I can't count and I've had help from bleepingcomputer; someone that works for WebRoot helped and even checked

all the info on the .dll's executables etc, nothing has been found, ESET, TDSSKiller, Kaspersky Rescue Disk 10 (advanced heuritistics), MBAM,

SecurityCheck, FSS, aswMBR, OTL and even going and running netstat -ano and using the PID in sysinternals to find the svchost (nothing found =/)

all provide no results, even HiJackThis and SpyBot 2.

Interesting fact: it only ever tries to connect outbound when my computer is locked/idle.

If you can tell me what these IP's may be a sign of, that would be greatly appreciated.

Thanks.

Link to post
Share on other sites

-----------------------------------------------------------------

Sorry to hear you might be infected.

We cannot work on malware removal in this sub-section of the forum, so please read below for assistance with cleaning your system.

IMPORTANT: Please do NOT use any temporary file cleaners unless instructed to do so - they can cause data loss, making it hard to recover your system.

There are some excellent, self-help tutorials on getting MBAM to run on an infected system in the FAQ: HERE.

IF YOU PREFER EXPERT ASSISTANCE WITH MALWARE REMOVAL, PLEASE CHOOSE ONE OF THE FOLLOWING 3 OPTIONS:

OPTION 1: Free, one-on-one, expert assistance in the Malware Removal Forum.

OPTION 2: For paid users of MBAM PRO, free, one-on-one, expert assistance from MBAM support.

OPTION 3: Fee-based, one-on-one, expert assistance from Premium Support.

OPTION 1:

  • Please print out, read and carefully follow the instructions in the "I'm Infected - What Do I Do Now?" article.
  • If the infection has so crippled the computer that you cannot complete some or all of the steps, then just do the best you can and start a new topic as described below.

  • Then please start a new post in the Malware Removal Forum.
  • When starting your new post, please note the following:
  • Please do NOT post in a topic started by someone else, even if their problem sounds similar.
  • Please COPY/PASTE the requested logs into your post, rather than attaching them.
  • Under options, please be sure to select "track this topic" and "immediate email notification", so you'll know when a helper responds.

  • Please be patient - it may be 48 hours or more before a helper can assist you, especially when the forum is very busy.
  • Please do NOT "bump" your topic or reply back to it for at least 48 hours.
  • Doing so may cause your topic to be overlooked, as it will appear that you are already being helped.

OPTION 2:

If you are a paid user of MBAM PRO and would like support via the helpdesk, please contact them here.

OPTION 3:

If you prefer the Malwarebytes Premium Services (comprehensive solutions to all your computer support needs – from installation and set-up to troubleshooting and tune-ups), please go to the Premium Support site here.

Please be patient – someone will assist you as soon as possible.

Thank you very much,

fivealive

Link to post
Share on other sites

Hello and :welcome:

The fact that svchost.exe is trying to connect to the Internet and as you mentioned it is trying to connect to a Chinese website can be a sign of an infection on your computer. The fact that Malwarebytes is blocking these IP's is cause they are known to host malware.

This is why fivealive has given you instructions to have your computer checked out by our experts. Since you are a paying customer then you can use Option 2.

If this does not clarify what you were asking let me know.....

Link to post
Share on other sites

Thanks mate, Just to confirm these IP's aren't false positives then?

I don't think it's an infection as in my computers already infected, I'd say it's actually remanents of the sirefef.AL and wigon rootkits that

ESET/MBAM found and got rid of, and it's probably trying to call home to download malware to re-infect my system.

I'll continue on with BleepingComputer and if they can't find anything I'll contact support.

Is there any further information you can provide on these IP's and what they were hosting that caused this IP-Block in the first place? it may

help tracking whatever this is, down.

Thanks.

Link to post
Share on other sites

Hi,

Yes, we did look at the IPs. However they do not show up as obviously malicious on google, the ones I've checked are not listed as malicious on hosts-file.net either. This is why I referred cstva here to ask about the IPs. From the logs I can't see why they are being blocked and I have to assume it has to do with the ISP or something else, but it would help to know for sure if the IP itself is malicious or the ISP is or some other reason entirely.

Thanks & regards

myrti

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.