SVCHOST connecting to unknown addresses

Discussion in 'Malware Help (A Specialist Will Reply)' started by mondrawy, Oct 5, 2012.

  1. mondrawy

    mondrawy Private E-2

    For a while now I've had one of my PCs connect to external addresses, which allows it to get reinfected with malware/spyware. I've taken several steps from the malware guide to combat this and haven't been successful. The main problem is I can clean the system completely; doing scans with antivirus or antispyware programs returns no hits (except for random cookies and such), which leads me to believe that the system is clean. However, leave it alone for a few days and it gets reinfected. I occasionally spot it using internet access when nothing else is running.

    I've used "netstat -ano" to view which process is in charge and it returns a PID of a process that doesn't exist. I've tried using ProcessExplorer and managed to trace an active TCP connection to explorer.exe and svchost.exe, yet scans on these files show they are clean. I've used combofix and unhackme in attempts to find any rootkits but found nothing. So I've taken to manually blocking the IP addresses the PC attempts to connect to from my router, which seems to have somewhat helped. Usually I have to block 5 or 6 IPs before the PC loses connection with its remote partner. Then a week or more passes and it somehow reacquires a new address list to connect to, getting reinfected and forcing me to start the process all over again.

    I just can't figure this one out, so any suggestions would help. So far I've blocked about 34 addresses; they lead to suspicious-sounding domains and there is no reason for Windows to connect to any of them.

    Below is a netstat -ano example; all those SYN_SENT entries are addresses I've already blocked. It also seems to be attempting to connect to various network PCs as well. However, the established connection to 192.168.0.98 is legitimate at the time of taking this.
    Code:
      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       984
      TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING       276
      TCP    127.0.0.1:1082         0.0.0.0:0              LISTENING       356
      TCP    192.168.0.6:139        0.0.0.0:0              LISTENING       4
      TCP    192.168.0.6:2244       192.168.0.98:3389      ESTABLISHED     3032
      TCP    192.168.0.6:2933       197.163.127.127:445    SYN_SENT        1812
      TCP    192.168.0.6:2934       197.163.79.79:445      SYN_SENT        1812
      TCP    192.168.0.6:2935       197.163.79.79:445      SYN_SENT        1812
      TCP    192.168.0.6:2937       197.163.78.78:445      SYN_SENT        1812
      TCP    192.168.0.6:2938       197.163.231.231:445    SYN_SENT        1812
      TCP    192.168.0.6:2939       197.163.166.166:445    SYN_SENT        1812
      TCP    192.168.0.6:2940       197.163.12.12:445      SYN_SENT        1812
      TCP    192.168.0.6:2942       197.163.217.217:445    SYN_SENT        1812
      TCP    192.168.0.6:2943       197.163.15.15:445      SYN_SENT        1812
      TCP    192.168.0.6:2944       197.163.222.222:445    SYN_SENT        1812
      TCP    192.168.0.6:2945       197.163.222.222:445    SYN_SENT        1812
      TCP    192.168.0.6:2946       197.163.172.172:445    SYN_SENT        1812
      TCP    192.168.0.6:3379       192.168.0.17:139       TIME_WAIT       0
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:500            *:*                                    832
      UDP    0.0.0.0:1025           *:*                                    1188
      UDP    0.0.0.0:4500           *:*                                    832
      UDP    127.0.0.1:123          *:*                                    1096
      UDP    127.0.0.1:1900         *:*                                    1256
      UDP    192.168.0.6:123        *:*                                    1096
      UDP    192.168.0.6:137        *:*                                    4
      UDP    192.168.0.6:138        *:*                                    4
      UDP    192.168.0.6:1900       *:*                                    1256
     
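As an added triage example (not code from the thread or from any tool it names), the script below parses `netstat -ano` output like the listing above, groups SYN_SENT rows by owning PID, and flags a PID that is trying to reach several public hosts on one port, which is exactly what PID 1812 is doing toward port 445 here. The sample rows are a shortened copy of the post's listing; the flagged PID is what you would then look up in Process Explorer.

```python
"""Triage helper for `netstat -ano` output (added example, not from the thread).
Groups SYN_SENT rows by PID and flags PIDs reaching many public hosts on one
port, the pattern PID 1812 shows toward port 445 in the listing above."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the listing in the first post.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.6:2244       192.168.0.98:3389      ESTABLISHED     3032
  TCP    192.168.0.6:2933       197.163.127.127:445    SYN_SENT        1812
  TCP    192.168.0.6:2934       197.163.79.79:445      SYN_SENT        1812
  TCP    192.168.0.6:2937       197.163.78.78:445      SYN_SENT        1812
  TCP    192.168.0.6:3379       192.168.0.17:139       TIME_WAIT       0
  UDP    192.168.0.6:137        *:*                                    4
"""

# UDP rows carry no State column, so that field is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def split_endpoint(endpoint):
    """'197.163.127.127:445' -> ('197.163.127.127', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def suspicious_pids(rows, min_targets=3):
    """Map PID -> {port: [public hosts]} for SYN_SENT rows, keeping only
    (pid, port) pairs with at least `min_targets` distinct public targets."""
    targets = defaultdict(lambda: defaultdict(set))
    for proto, _local, remote, state, pid in rows:
        if proto != "TCP" or state != "SYN_SENT":
            continue
        host, port = split_endpoint(remote)
        # Skip '*', names and IPv6 literals; LAN/loopback targets are expected here.
        if not host[:1].isdigit() or not ipaddress.ip_address(host).is_global:
            continue
        targets[pid][port].add(host)
    return {pid: {p: sorted(h) for p, h in ports.items() if len(h) >= min_targets}
            for pid, ports in targets.items()
            if any(len(h) >= min_targets for h in ports.values())}
```

Run it against a saved `netstat -ano` capture and raise `min_targets` if a legitimate program (e.g. a P2P client) shows up; the point is to isolate the PID before mapping it to a process.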
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. mondrawy

    mondrawy Private E-2

    I don't quite understand how that answers why only a single PC keeps trying to reconnect to those same IPs while the others don't, and why it keeps getting reinfected. Plus, of the 30-ish IPs blocked, very few fall within those IP ranges in the wiki article.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I can only go by what you posted. From the log you posted from netstat, all of those IPs are allocated to AfriNIC. See the link below and you will see their range of IPs.

    http://whois.arin.net/rest/nets;q=197.163.127.127?showDetails=true&showARIN=false&ext=netref2

    If you wish to properly check your PC for malware, you can work through the below and attach the logs we request:

    READ & RUN ME FIRST. Malware Removal Guide


    If you already ran it, then simply attach the 5 requested logs.

    Also, you can run a couple of tests online to see if you have any issues with ports being open. Perhaps your firewall has not closed port 445.
    The second link will require that you provide an email address.

    http://www.auditmypc.com/digital-footprint.asp

    http://www.auditmypc.com/firewall-test.asp
     
    Last edited: Oct 9, 2012
