Strange outgoing traffic from svchost.exe(netsvcs)

25 replies to this topic

#1 HairyApricot

  • Members
  • 197 posts

Posted 08 December 2016 - 02:57 PM

I usually update my PC every few weeks or so, keeping Windows Update and the like disabled until I need them. I got it to check for updates, and netsvcs made connections. One was to an IP Microsoft owns, so that is normal, as it was updates I was checking for. However, the other one was to mail.FGSfurnishings.co.uk. Now this seems very unusual to me, and I haven't seen it do this before. Any ideas what could be going on here?




#2 Baron42

  • Members
  • 5 posts
  • Gender:Male
  • Location:California

Posted 08 December 2016 - 03:21 PM

Malware. Download Combofix and run it if it's a Windows 7 machine. For Win 10 I say wipe it and put Win 7 on. If that isn't an option then this site has many malware scanners that will get rid of it.


Edited by Baron42, 08 December 2016 - 03:21 PM.


#3 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 09 December 2016 - 05:16 AM

Yeah, made a post in Am I Infected, as I am unsure how this could have even happened, and it's the first time I have seen this occur.



#4 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 08 January 2017 - 12:32 PM

Alright, so I was confirmed clean by 2 different malware removal users, ran many tools, and it's been a month and there has been no other activity. I checked it the second time I saw it happen using Process Explorer. It was definitely Svchost(netsvcs) that made the connections, and the actual service was Windows Update. The other IP addresses were 134.170.51.190, 109.159.156.188, 81.150.21.120 and 131.253.14.153. All proper ones from Microsoft. So any ideas why it happened if malware isn't the cause?



#5 Wand3r3r

  • Members
  • 2,027 posts

Posted 08 January 2017 - 02:54 PM

5 posts?

Oh ya, a furnishing store is malware.

http://www.fgsfurnishings.co.uk/

Most likely it was an advert.

HA, you need to go up a couple of levels and quit looking at the fine print. Unless you are going to take a course on programming and hacking/malware, you are worrying about stuff you don't need to worry about.

Keep your computer up-to-date with patches/updates and you should be fine. It's knowing how to do safe computing [like not clicking on an unknown email link] that will keep you as safe as possible. There is risk in everything. It is all about degrees.

Google "safe computing" for a better understanding.



#6 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 09 January 2017 - 11:27 AM

Hi Wand3r3r

Bit confused on what you mean by 5 posts? Also, the address was mail.FGSfurnishings.co.uk. The reason I find this odd is that it was Windows Update making the connection to that IP address. Not Chrome or anything like that. Windows Update, the service, is not meant to do that, hence my query. I detailed all of this in the above comment and at the top of the body of the post. The connection was made when I was updating Windows. I originally assumed malware as someone on this very post suggested it was, so I had to make a post on Am I Infected, and it was escalated by moderators from there.


Edited by HairyApricot, 09 January 2017 - 11:27 AM.


#7 Trikein

  • Members
  • 1,321 posts
  • Gender:Male
  • Location:Rhode Island, US

Posted 09 January 2017 - 02:12 PM

"Windows update, the service, is not meant to do that,"

Why do you assume that? I am no expert, but a quick Google makes those IPs look to belong to Microsoft Update and CDNs on BT in London for their servers. Microsoft keeps its updates on servers all over the world, that way people not in the US don't have to wait longer. At least that is the theory... but try updating Windows 7 sometimes in India... I will see you next year. :-(

PS. Do you think this activity is related to you being blacklisted from that forum in your other thread?


Edited by Trikein, 09 January 2017 - 02:13 PM.


#8 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 09 January 2017 - 04:15 PM

Yeah, the other IP addresses are legit. Well, it's Windows Update. If the other IPs are CDNs, why is that one some random furnishing website? I just don't see how mail.FGSfurnishings.co.uk is correct. When I look up the address, this is its IP: 82.69.183.166.

I don't think it could be. That seemed to just be related to my current IP address. I mean I haven't noticed any other strange connections being made, and I am not blocked right now.



#9 Wand3r3r

  • Members
  • 2,027 posts

Posted 10 January 2017 - 01:21 PM

5 posts was from the person saying it was malware. Don't believe everything you read on the internet. I regularly find garbage.

I know it's mail to the furnishings store. At best it's a popup. Unclear how you associate that with Windows Update, but I reiterate you need to work at the program level and trust your anti-everything programs to be working.

Doesn't mean you can't infect yourself, hence the suggestion of safe computing.



#10 toofarnorth

  • Members
  • 379 posts
  • Gender:Male

Posted 10 January 2017 - 01:27 PM

If you have Windows 10, what you might have seen is the new way Microsoft distributes Windows updates.

Read more about it here:
https://redmondmag.com/articles/2016/08/16/windows-10-p2p-update-controls.aspx

If you want to stop someone using your bandwidth, have a look here:
http://www.pcworld.com/article/2955491/windows/how-to-stop-windows-10-from-using-your-pcs-bandwidth-to-update-strangers-systems.html

hth

tfn



#11 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 12 January 2017 - 02:43 PM

Hi Toofarnorth. I don't have Windows 10.

Wand3r3r, the reason I associated it with Windows Update is that I was looking at Resource Monitor when I noticed the connection. It said the connection was coming from Svchost(netsvcs). I then used Process Explorer to check which service was making the connection, and it was Windows Update. If it was just Chrome making the connection I wouldn't have gone asking around. The reason I have found all of this so confusing is because I pay attention to safe computing, so I don't understand how it could be malware, which is why I wanted to know what the actual cause was.



#12 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 23 January 2017 - 03:09 PM

So I checked for updates again, and the strange address happened again. That is, the only 2 IP addresses in TCP were the official Microsoft one, and 213.123.255.23, which is part of the BT Openworld CDN I believe. So why is the IP address resolving to some random mail address if the IP address is part of the CDN? If I type in mail.FGSfurnishings.co.uk, the IP address is something completely different for that site. Usually, for these CDN ones, it's hosts213-123-255-23,in-addr.btopenworld, or something similar?



#13 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 23 January 2017 - 03:13 PM

OK yeah, I set TCPView to only show the IP addresses. The IP address is definitely 213.123.255.23. What the hell? It's port 80 if that makes any difference.


Edited by HairyApricot, 23 January 2017 - 03:14 PM.


#14 toofarnorth

  • Members
  • 379 posts
  • Gender:Male

Posted 23 January 2017 - 04:15 PM

It sounds like a DNS issue to me.
Check what DNS servers are reported in ipconfig /all.

If the router is the only DNS server listed, then check what it is set up with.

This is a tool I often use when trying to figure out what is going on with network connections.
It will list all the DNS lookups done from your computer and also report where they point.

http://www.nirsoft.net/utils/dns_query_sniffer.html

HTH!

tfn
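The mismatch this thread keeps circling (a BT address whose reverse record names a furnishing shop's mail host, while that name's own forward record points at a different address) is exactly what a forward-confirmed reverse DNS check is built to expose. Tools such as TCPView and Resource Monitor label a peer by doing a reverse (PTR) lookup on the IP, and the PTR record is published by whoever controls the address block, not by the site the name mentions, so it can be stale or simply unrelated. The Python below is an added example, not something posted in this thread and not part of any tool named in it. The answers in SAMPLE_PTR and SAMPLE_A are constructed to model the observations above rather than captured DNS data; the live_reverse and live_forward helpers query the OS resolver when you pass them a real address.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa name that a reverse lookup of an IPv4 address queries."""
    return ipaddress.IPv4Address(ip).reverse_pointer  # e.g. "23.255.123.213.in-addr.arpa"


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A-record lookup through the OS resolver (network required)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip: str, reverse: ReverseLookup = live_reverse,
                 forward: ForwardLookup = live_forward) -> dict:
    """Forward-confirmed reverse DNS: the PTR name only counts as a label for
    this peer if the name's own A record points back at the same IP."""
    ptr = reverse(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "forward": [], "verdict": "no-ptr"}
    forward_ips = forward(ptr)
    return {
        "ip": ip,
        "ptr": ptr,
        "forward": forward_ips,
        "verdict": "confirmed" if ip in forward_ips else "mismatch",
    }


# Constructed resolver answers modelled on the thread (not real DNS data): the BT
# address reverse-resolves to the shop's mail host, but that host's forward record
# points at a different address entirely. The third IP has no PTR at all.
SAMPLE_PTR: Dict[str, str] = {
    "213.123.255.23": "mail.FGSfurnishings.co.uk",
    "82.69.183.166": "mail.FGSfurnishings.co.uk",
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.fgsfurnishings.co.uk": ["82.69.183.166"],
}


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name.lower(), [])


def explain(ip: str, reverse: ReverseLookup = live_reverse,
            forward: ForwardLookup = live_forward) -> str:
    """Turn the check into the one-line answer an investigator actually wants."""
    r = check_fcrdns(ip, reverse, forward)
    if r["verdict"] == "confirmed":
        return f"{ip}: {r['ptr']} forward-confirms; the name is a fair label for this peer"
    if r["verdict"] == "mismatch":
        return (f"{ip}: PTR says {r['ptr']} but that name resolves to "
                f"{r['forward'] or 'nothing'}; treat the name as unverified and "
                f"identify the peer by who owns the address block instead")
    return f"{ip}: no PTR record; the tool will show the bare IP"


if __name__ == "__main__":
    for sample_ip in ("213.123.255.23", "82.69.183.166", "131.253.14.153"):
        print(explain(sample_ip, sample_reverse, sample_forward))
```

Run it as-is and the first line reports a mismatch: the PTR for 213.123.255.23 names the furnishing shop, but the shop's forward record does not include that IP, so the name tells you nothing about where the Windows Update traffic went. To check a live address, call `explain("213.123.255.23")` with the default resolvers and compare the PTR you get with what `ptr_name()` says is being queried; if the forward side never confirms, identify the peer by the address block's registrant rather than by the name a connection viewer displays.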


 



#15 HairyApricot
  • Topic Starter

  • Members
  • 197 posts

Posted 25 January 2017 - 11:22 AM

Yeah, I connect to my router through my wireless adapter. 3 other ones come up, Local Area Connection, isatap.home and ISATAP Interface. But they all say media disconnected. So if it is a DNS issue, I assume that's either Microsoft's responsibility or BT's? Avast, Steam and Chrome all use IP addresses like this one, hosts213-123-255-23,in-addr.btopenworld, and they always resolve like that, never to some random name. So can I do anything here or no?

Thanks :)
