

TCP connections from Svchost(NetworkService) CryptSvc



#1 HairyApricot


Posted 11 June 2016 - 04:12 AM

So a week ago I made this post: http://www.bleepingcomputer.com/forums/t/616398/why-is-svchostexenetworkservice-making-strange-connections-when-i-boot-up/#entry4015948

 

To recap:

When I first log in to my PC, I get connections via Svchost(NetworkService) to a few IP addresses, including an addr.btopenworld, 104.16.93.188, 93.184.220.20, comodoca.crl and apps.digsigtrust. The most data received seems to be from 93.184.220.20. I first noticed all this months ago but couldn't find a reason; various tools and scanners turned up nothing, and my PC continued to run fine. The connections also occurred when connecting to Steam and when Premiere Pro or other Adobe products were transmitting usage data. It also occasionally does it while I use Chrome. I used Process Explorer, and the service within Network Service that was making the connections was CryptSvc.

 

Based on the response to it and several other people's opinions, along with the connections being very brief and reproducible, I don't think it was a virus or anything like that. My work PC makes a connection like the ones described above when it boots up, though it's to Akamai. My brother's computer also had many of the same connections that mine did. So now I want to know what is actually causing these checks. I have checked the startup programs on my PC; all I have is Avast, Intel usbmon 3.0 and something by Creative Technologies that I believe is sound related. Does anyone else experience similar connections?

 

I am on Windows 7 N; my connection is BT, using a TP-Link adapter and a router.

 

Any help is appreciated, thank you  :)

 

Just some more info. Malwarebytes, Avast and HitmanPro turned up nothing. AdwCleaner found a file, but it seems to be an auto-generated file created when you save in Deus Ex: Human Revolution. I ran TDSSKiller. It found 1 suspicious file: RazerService.exe, located inside the Razer file. I have a Razer keyboard, and the reason it flagged it was that it was not digitally signed. I removed the file anyway, but it seems to have been a false positive.


Edited by HairyApricot, 11 June 2016 - 12:05 PM.
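The check described in the first post (working out which service inside a NetworkService svchost owns a connection) can also be done from saved `netstat -ano` and `tasklist /svc` output, which is what BleepingComputer helpers usually ask for. The script below is an added example, not code from this thread; its netstat and tasklist text is constructed, with the remote addresses taken from the post.

```python
"""Join saved `netstat -ano` and `tasklist /svc` output to see which service hosts a
TCP connection, as Process Explorer does when it labels a svchost connection CryptSvc."""
import re

# Constructed sample output, not captured from the poster's machine.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     104.16.93.188:80       ESTABLISHED     1024
  TCP    192.168.1.10:49715     93.184.220.20:80       TIME_WAIT       0
  TCP    192.168.1.10:49801     203.0.113.7:443        ESTABLISHED     3316
"""
TASKLIST_SAMPLE = """
Image Name                     PID Services
svchost.exe                   1024 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
chrome.exe                    3316 N/A
"""

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, folding tasklist's indented wrap lines back in."""
    procs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)  # image  PID  services
        if m:
            current = procs[int(m.group(2))] = (m.group(1), [])
        elif not (line.startswith(" ") and current):
            continue  # header, separator or blank line
        names = m.group(3) if m else line  # wrapped lines continue the previous entry
        current[1].extend(s.strip() for s in names.split(",") if s.strip() not in ("", "N/A"))
    return procs

def parse_netstat_ano(text):
    """Return the TCP rows of `netstat -ano` (UDP rows lack the State column)."""
    rows = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) == 5 and p[0] == "TCP":
            ip, port = p[2].rsplit(":", 1)  # rsplit also handles [IPv6]:port
            rows.append({"local": p[1], "remote_ip": ip, "remote_port": int(port),
                         "state": p[3], "pid": int(p[4])})
    return rows

def attribute_connections(netstat_text, tasklist_text):
    """Attach the owning PID's image and services; PID 0 (TIME_WAIT leftovers) gets None."""
    procs, rows = parse_tasklist_svc(tasklist_text), parse_netstat_ano(netstat_text)
    for r in rows:
        r["image"], r["services"] = procs.get(r["pid"], (None, []))
    return rows

def connections_for_service(rows, service):
    """Rows owned by a process hosting `service`; shared svchosts mean per-process, not per-service."""
    return [r for r in rows if service in r["services"]]
```

Because one svchost instance hosts several services (CryptSvc shares the NetworkService group with Dnscache and others), the join pins a connection to the host process rather than to CryptSvc alone, and TIME_WAIT rows carry PID 0 and cannot be attributed at all.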




#2 Trikein


Posted 11 June 2016 - 08:09 AM

Looks like two different things: Windows license verification and possible malware. I would suggest trying the malware forum and seeing what scans they suggest.



#3 HairyApricot


Posted 11 June 2016 - 11:28 AM

Which part of it looks like Malware exactly?



#4 Trikein


Posted 12 June 2016 - 03:15 AM

From what I can figure, 93.184.220.20 is/was a C&C for ZeuS malware. Do you have any router logs of HTTP requests? If so, look for "config.bin" to confirm. Zbot has been going around lately; try the tool Norton Power Eraser. If you get any hits, try the malware forum.


Edited by Trikein, 12 June 2016 - 03:20 AM.


#5 HairyApricot


Posted 12 June 2016 - 05:19 AM

Yeah, those tools turned up nothing. The forum you linked also says several websites and a very large CDN use that IP as well. How would I get router logs of HTTP requests? Wouldn't such traffic turn up in my PC's network activity?



#6 HairyApricot


Posted 12 June 2016 - 05:26 AM

The NPE tool also connected to addr.btopenworld. Is that just BT's CDN?





