
Why is svchost.exe(NetworkService) making strange connections when I boot up?


5 replies to this topic

#1 HairyApricot


Posted 05 June 2016 - 04:03 AM

When I boot up, I only have one program that loads that connects to the internet, Avast. Yet for some reason, NetworkService connects to addr.btopenworld.com, and either securenet, comodoca.crl or app.digsigtrust.com.

 

Some of the IP addresses that I have also found when this happens are:

104.16.93.188- This one seems to download the most data when the connections happen.

93.184.220.20- This one appears on occasion.

 

It also makes the same connections to comodoca.crl when I am exiting Adobe products like Premiere Pro or when I sometimes log into Steam. These connections last the same length, only for 20 sec to a minute. When they do happen, I checked the disk activity on NetworkService and it seems to be reading CrypnetURL's. The only 4 services running in that group are NlaSvc, CryptSvc, LanmanWorkstation and Dnscache.

 

I checked autoruns and there doesn't seem to be anything odd loading when my PC boots up, and nothing listed in CCleaner either. I have run HitmanPro, ADWcleaner, MalwareBytes, and Avast. Nothing. I also used Process Monitor and found nothing out of the ordinary there either.

 

This has been going on for months now, and now I just want to know why. Any help at all would be appreciated :)

 

Bit more information. I am running Windows 7 64 bit and I use a TP-Link wireless adapter to connect to my router.


Edited by HairyApricot, 05 June 2016 - 05:11 AM.



 


#2 shelf life


Posted 05 June 2016 - 10:25 AM

Here's my guess: Software updating, AVAST secure (HTTPS) server verification, license checking in the case of Adobe? btopenworld maybe your ISP DNS? It certainly all is legitimate traffic.

Reference:

http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-7

https://support.mozilla.org/en-US/kb/secure-website-certificate




#3 HairyApricot


Posted 05 June 2016 - 02:17 PM

Yeah, my ISP is BT; I think they have a large CDN they use. I know YouTube uses it for sending data when I stream videos. I checked Process Explorer. According to it, the DLL that is making the connections is CryptSvc. So what is it doing: checking certificates when I start my PC and then checking again if a certain amount of time has passed, or just every time a certificate that sends data needs to be verified? I mean, Chrome must check dozens of certificates, but I have only seen it happen a few times, usually when I connect to sites like Twitter that allow me to send messages. Is there a set pattern the service follows? Sorry if I am asking a lot, but I have been worried about this for so long, it seems stupid to me not to learn as much about it if, all this time, I was worried about a completely normal process.

 



Edited by HairyApricot, 05 June 2016 - 02:18 PM.


#4 shelf life


Posted 05 June 2016 - 05:46 PM

Sorry, I don't really know a lot about it either, as far as when exactly or its frequency/pattern. Maybe somebody else will reply. CryptSvc is a Windows service.

 

 http://www.blackviper.com/windows-services/cryptographic-services/




#5 HairyApricot


Posted 06 June 2016 - 10:10 AM

Thanks. The reason I was so curious is I could not reproduce these checks on my work PC, which I found quite odd.



#6 HairyApricot


Posted 10 June 2016 - 05:05 AM

So a week ago I made this post: http://www.bleepingcomputer.com/forums/t/616398/why-is-svchostexenetworkservice-making-strange-connections-when-i-boot-up/#entry4015948

 

To recap:

When I first log in to my PC, I got connections via Svchost(NetworkService) to a few IP addresses including an addr.btopenworld, 104.16.93.188, 93.184.220.20, comodoca.crl and apps.digsigtrust. I first noticed all this months ago but couldn't find a reason, and various tools and scanners turned up nothing; my PC continued to run fine. The connections also occurred when connecting to Steam and when Premiere Pro or other Adobe products were transmitting usage data. It also occasionally does it while I use Chrome. I used Process Explorer and the service within Network Service that was making the connections was CryptSvc.

 

Based on the response on it and several other people's opinions, along with the connections being very brief and reproducible, I don't think it was a virus or anything like that. My work PC makes a connection like the ones described above when it boots up, though it's to Akamai. My brother's computer also had many of the same connections that mine did. So now I want to actually know what is causing these checks. I have checked startup programs on my PC; all I have is Avast, Intel usbmon 3.0 and something by Creative Technologies that I believe is sound related. Does anyone else experience similar connections?

 

I am on Windows 7N, my connection is BT using a TP-Link adapter and a router.

 

Any help is appreciated, thank you :)
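
Added example, not written by any poster in this thread: one way to see which URLs Windows certificate checking has fetched under the NetworkService account, where CryptSvc runs, so the hosts seen at boot can be matched against them. The cache path is the Windows default and is an assumption about the machine, and the file timestamp is used only as an approximation of the last fetch time.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: default location of the NetworkService CryptoAPI URL cache.
$cache = Join-Path $env:windir `
    'ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData'

# 1. Which svchost.exe instance hosts CryptSvc, and which services share it?
tasklist /svc /fi "services eq CryptSvc"

# 2. Each metadata file holds the source URL as null-terminated UTF-16LE text
#    after a binary header. Read the bytes one-to-one (Latin-1) so the match
#    does not depend on where the header ends.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)
$entries = Get-ChildItem -Path $cache -Force -ErrorAction Stop | ForEach-Object {
    $raw = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
    if ($raw -match 'h\x00t\x00t\x00p\x00(?:[\x21-\x7e]\x00)+') {
        $url = $Matches[0] -replace '\x00', ''
        New-Object PSObject -Property @{
            Fetched  = $_.LastWriteTime      # assumption: approximates last fetch
            HostName = ([uri]$url).Host
            Url      = $url
        }
    }
}

# 3. Summary per host: how many cached objects and when the newest was written.
$entries | Group-Object HostName | Sort-Object Count -Descending | ForEach-Object {
    $last = ($_.Group | Sort-Object Fetched | Select-Object -Last 1).Fetched
    '{0,4}  {1,-40} last fetched {2}' -f $_.Count, $_.Name, $last
}

# 4. Full URLs, newest first, to compare with what the firewall or
#    Process Explorer showed right after boot.
$entries | Sort-Object Fetched -Descending |
    Select-Object Fetched, Url | Format-Table -AutoSize
```

URLs ending in `.crl` are certificate revocation lists, which is consistent with the comodoca CRL host named in the thread; `certutil -urlcache` lists the equivalent cache for the account you are logged in as.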





