
SVCHOST.EXE - IP-BLOCK (We can't find the loader).



Okay, here's a special one.

There appears to be something using svchost to connect outbound; the same port is used for a specific day, the next day a new port is used, etc.

The outbound connection attempt happens 3 times a day (sometimes), often once in the morning, once in the middle of the day and once at the end of the day.

Now I've come to the MBAM forums to ask what these IPs are from and what they may be a sign of.

On the 17th.

2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 06:39:20 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

On the 18th

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

On the 19th

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

These are all the IPs that it's tried to connect to; the ones for the 19th I think you will find odd because it actually is a website, and the site is for "Chinese Intellectual ERP Systems" if you use Google Translate on it.

I've done so many scans I can't count and I've had help from BleepingComputer; someone that works for Webroot helped and even checked all the info on the .dlls, executables etc. Nothing has been found. ESET, TDSSKiller, Kaspersky Rescue Disk 10 (advanced heuristics), MBAM, SecurityCheck, FSS, aswMBR, OTL and even running netstat -ano and using the PID in Sysinternals to find the svchost (nothing found =/) all provide no results, even HijackThis and Spybot 2.

Interesting fact: it only ever tries to connect outbound when my computer is locked/idle.

If you can tell me what these IPs may be a sign of, that would be greatly appreciated.

Thanks.

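An added example, not from the original post and not Malwarebytes code, that parses IP-BLOCK lines in the format quoted above and checks the pattern the poster describes: one port per day that changes the next day, a handful of bursts per day, and destinations that recur across days. The sample input is a constructed subset of the lines quoted in the post; the 300-second burst gap and the Windows dynamic port range 49152-65535 are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a subset of the IP-BLOCK lines quoted in the post above,
# same format and same values, embedded so the script runs offline.
SAMPLE_LOG = """\
2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

BURST_GAP_SECONDS = 300                 # assumption: events closer than this are one attempt
EPHEMERAL_RANGE = range(49152, 65536)   # Windows default dynamic port range


def parse_ipblock(text):
    """Parse IP-BLOCK lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S %z"),
            "host": m["host"], "user": m["user"], "ip": m["ip"],
            "direction": m["direction"], "port": int(m["port"]),
            "process": m["process"],
        })
    return sorted(events, key=lambda e: e["ts"])


def summarize_by_day(events):
    """Per calendar day: distinct ports, distinct destinations, and number of bursts."""
    days = defaultdict(lambda: {"ports": set(), "ips": set(), "bursts": 0, "last": None})
    for e in events:
        day = days[e["ts"].date().isoformat()]
        day["ports"].add(e["port"])
        day["ips"].add(e["ip"])
        # A new burst starts when the gap to the previous event exceeds the threshold.
        if day["last"] is None or (e["ts"] - day["last"]).total_seconds() > BURST_GAP_SECONDS:
            day["bursts"] += 1
        day["last"] = e["ts"]
    for d in days.values():
        d.pop("last")
    return dict(days)


def assess(summary):
    """Return plain-text findings describing the beaconing pattern in the summary."""
    findings = []
    one_port_per_day = all(len(d["ports"]) == 1 for d in summary.values())
    daily_ports = [next(iter(d["ports"])) for d in summary.values() if len(d["ports"]) == 1]
    if one_port_per_day and len(set(daily_ports)) == len(daily_ports) > 1:
        findings.append("port is fixed within each day and changes between days")
    if daily_ports and all(p in EPHEMERAL_RANGE for p in daily_ports):
        findings.append("all ports fall in the Windows dynamic range 49152-65535; "
                        "confirm whether the log's Port field is the remote or local port "
                        "before treating it as a C2 service port")
    seen = defaultdict(set)
    for day, d in summary.items():
        for ip in d["ips"]:
            seen[ip].add(day)
    reused = sorted(ip for ip, days in seen.items() if len(days) > 1)
    if reused:
        findings.append("destinations contacted on more than one day: " + ", ".join(reused))
    return findings


if __name__ == "__main__":
    summary = summarize_by_day(parse_ipblock(SAMPLE_LOG))
    for day, d in summary.items():
        print(day, "ports:", sorted(d["ports"]), "ips:", sorted(d["ips"]), "bursts:", d["bursts"])
    for f in assess(summary):
        print("-", f)
```

Run it against the full protection log instead of the embedded sample to see whether the one-port-per-day pattern holds over a longer window. Because every svchost.exe instance hosts several services, the block entry alone cannot say which service opened the socket; the useful follow-up is to capture `netstat -ano` while a burst is in progress (the poster notes it only happens when the machine is locked or idle, so this has to be scheduled, not run by hand) and map the PID with `tasklist /svc /fi "PID eq <pid>"` to the service group in that instance.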

-----------------------------------------------------------------

Sorry to hear you might be infected.

We cannot work on malware removal in this sub-section of the forum, so please read below for assistance with cleaning your system.

IMPORTANT: Please do NOT use any temporary file cleaners unless instructed to do so - they can cause data loss, making it hard to recover your system.

There are some excellent, self-help tutorials on getting MBAM to run on an infected system in the FAQ: HERE.

IF YOU PREFER EXPERT ASSISTANCE WITH MALWARE REMOVAL, PLEASE CHOOSE ONE OF THE FOLLOWING 3 OPTIONS:

OPTION 1: Free, one-on-one, expert assistance in the Malware Removal Forum.

OPTION 2: For paid users of MBAM PRO, free, one-on-one, expert assistance from MBAM support.

OPTION 3: Fee-based, one-on-one, expert assistance from Premium Support.

OPTION 1:

  • Please print out, read and carefully follow the instructions in the "I'm Infected - What Do I Do Now?" article.
  • If the infection has so crippled the computer that you cannot complete some or all of the steps, then just do the best you can and start a new topic as described below.

  • Then please start a new post in the Malware Removal Forum.
  • When starting your new post, please note the following:
  • Please do NOT post in a topic started by someone else, even if their problem sounds similar.
  • Please COPY/PASTE the requested logs into your post, rather than attaching them.
  • Under options, please be sure to select "track this topic" and "immediate email notification", so you'll know when a helper responds.

  • Please be patient - it may be 48 hours or more before a helper can assist you, especially when the forum is very busy.
  • Please do NOT "bump" your topic or reply back to it for at least 48 hours.
  • Doing so may cause your topic to be overlooked, as it will appear that you are already being helped.

OPTION 2:

If you are a paid user of MBAM PRO and would like support via the helpdesk, please contact them here.

OPTION 3:

If you prefer the Malwarebytes Premium Services (comprehensive solutions to all your computer support needs – from installation and set-up to troubleshooting and tune-ups), please go to the Premium Support site here.

Please be patient – someone will assist you as soon as possible.

Thank you very much,

fivealive


Hello and welcome!

The fact that svchost.exe is trying to connect to the Internet and, as you mentioned, is trying to connect to a Chinese website can be a sign of an infection on your computer. The fact that Malwarebytes is blocking these IPs is because they are known to host malware.

This is why fivealive has given you instructions to have your computer checked out by our experts. Since you are a paying customer then you can use Option 2.

If this does not clarify what you were asking, let me know.


Thanks mate, just to confirm these IPs aren't false positives then?

I don't think it's an infection as in my computer's already infected; I'd say it's actually remnants of the Sirefef.AL and Wigon rootkits that ESET/MBAM found and got rid of, and it's probably trying to call home to download malware to re-infect my system.

I'll continue on with BleepingComputer and if they can't find anything I'll contact support.

Is there any further information you can provide on these IPs and what they were hosting that caused this IP-BLOCK in the first place? It may help in tracking whatever this is down.

Thanks.


Hi,

Yes, we did look at the IPs. However, they do not show up as obviously malicious on Google, and the ones I've checked are not listed as malicious on hosts-file.net either. This is why I referred cstva here to ask about the IPs. From the logs I can't see why they are being blocked and I have to assume it has to do with the ISP or something else, but it would help to know for sure whether the IP itself is malicious, or the ISP is, or it is some other reason entirely.

Thanks & regards

myrti
