Jump to content

Many outbound connections (port 3389)

Recommended Posts

Hi Guys,

I have a bit of a strange one for you guys and was wondering if you could lend some insight into what is happening.

I had a customer report strange issues with their workstations connected to an SBS 2003 domain controller, they were logged off as if an incoming reote desktop connection kicked them off, it then told them that 'test1' was connected to their workstation.

I logged into the domain controller and saw 6 accounts with seemingly random names, some were added to the remote desktop users group and I saw the test1 account. On further investigation the customer told me that Test1 was used for testing by the old IT provider and the password was "test1" (now the possible origin of the intrusion is starting to make sense)

I removed the user accounts and also removed the test1 account, ran a Malware Bytes Anti Malware scan which found a couple of infections, then I ran a Super AntiSpyware scan which also found a couple of infections.

The server now comes up clean with both scanners and the trend worry free business security scanner which is installed on the server. I noticed however that the Malware Bytes protection agent was popping up saying "Blocked access to malicious website xxx.xxx.xxx.xxx".

I traced a couple of these IP's and found them to be in China, however when I ran TCPView I found about 50 established connections and some CLOSE_WAIT connections to random IP's using the remote port "ms-wbt-server" which I have researched to be port 3389.

Using TCPView I noted that all of these connections were using SVCHOST.EXE PID 1016, I used process explorer to look at this SVCHOST instance and found that it is running the following services; AeLookupSvc, BITS, Broser, CryptSvc, dmserver, EventSystem, helpdvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, ShellHWDetection, winmgmt, wuauserv.

All of these look legitimate to my research. Sadface.

My question is this, although the scanners are showing that the system is clean, I am suspicious that the server may be being used as a part of a botnet type network to attempt to infiltrate random servers using brute force methods. Is this plausible? and how can I identify/clean this malware?

TLDR: Infected by something using svchost to initiate outbound 3389 connections, scans come up clean. how to fix?

Thanks in advance, and thanks for the patient read ;)


Link to post
Share on other sites

  • Root Admin

Hi sar1981,

I've your same problem from about 20 days.

I've tried any type of antivirus existent in this world but without any type of success...

Do you have find any solution to this problem? can we exchange some information to solve it as soon as possible?

Thank you, and good luck.


Hello Paolo,

If you are a business customer then you should contact support as recommended. If you are a home/consumer user then please choose one of the options below and someone will assist you with this and get you fixed up.

Here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support


As we don't deal with malware removal in the
General Malwarebytes' Anti-Malware Forum
, you need to start a topic in the
Malware Removal forum
so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the
    directions here
    , skipping any steps you are unable to complete. Then post a
    NEW topic here

  • After posting your new post, make sure under
    , you select
    Track this topic
    and choose
    Immediate Email Notification
    , so that you're alerted when someone has replied to your post.

  • One of the
    expert helpers
    there will give you one-on-one assistance when one becomes available.

  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.


Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.


    • You may send a Private Message to a Moderator asking for assistance.


Alternatively, as a paying customer, you can contact the help desk at


If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our
Malwarebytes Premium Services
support site.

Please be patient, someone will assist you as soon as it is possible.

PS: Please use the "ADDREPLY" Add-Reply.png button instead of other ones when you start replying. :)

Link to post
Share on other sites

  • Root Admin

It is possible to be a worm but typically confliker or others like it are easily detected (not always easily removed from the network) but so far in most cases the IP block is thousands and typically it is both inbound and outbound as your system is typically replying.

If none of the AV tools or MBAM is detecting anything then it's possible that the system has just been targeted for some reason for a remote attack. You should be able to determine more what's going on from router logs and the articles posted about denial of service attacks.

If needed you can also try a boot cd from one of the AV companies and see if they're able to detect something offline.

Link to post
Share on other sites

My company has had this same issue for the last day or so -- I've been working with Sophos, to no avail so far.

We've tried MSE, MWB, Sophos AV, and a few other virus scan products. We've also tried Sophos' Command Line Interface with the latest IDEs, and the Sophos Anti-Rootkit, all with no results.

This virus has been trying to RDP both inside (random 192.168.*.* IPs) and outside of our system (completely random? IPs, as far as we can tell), looking for new computers to infect. We've been able to mitigate the effects by blocking the outgoing port 3389, but we have been unable to track down exactly where it's coming from on our system. We've used ProcessMonitor & WireShark to track the outbound connections to svchost.exe, running netsvc.

The behavior is to create around 30 connections to the outbound port 3389 at once, using random ports between 2000 & 3000.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.