
Hi everyone, I'm having a chronic problem with Svchost.exe having connections with random IPs. For the past 3 days now MBAM has been blocking many incoming IP connections under the Svchost process, with all IP addresses coming from Ecatel LTD in the Netherlands (except for one attempt yesterday from Harbin, China). I'm seeing these blocked connections about 10 times per day, and they seem to be from different Ecatel IPs each time. The latest IP was 93.174.93.67. All ports targeted were different each time. Also, today after another IP connection block, that same IP ended up invoking my BitDefender firewall to prompt for permission for Chrome having an outgoing connection to that same IP a few seconds later! I blocked it.

 

Yesterday I disconnected my internet and scanned my PC with MBAM, Bitdefender AV, Malwarebytes Anti-Rootkit, TDSSKiller, Kaspersky Virus Removal Tool, Microsoft Safety Scanner (msert.exe) and the Microsoft Malicious Software Removal Tool, and all these scans found nothing. Today I scanned using Rkill, ComboFix and AdwCleaner, with the results attached below.

 

This is a very chronic problem I've had for the past year, with MBAM blocking svchost connections or my former Comodo firewall prompting for svchost connections from random IPs from Brazil, China, Russia, Iceland, and now Ecatel, and each time I run an AV, MBAM, Rkill and ComboFix scan they find no malware (except once, when ComboFix deleted a worm a few months ago). The majority of these were inbound, although many were outbound too. I also reformatted my PC many times in the past few months (as recently as 4 days ago), because I didn't know what problem was going on, but I don't think the marathon of reformatting is a lasting solution because it'll recur sooner or later.

 

I also tried blocking svchost from having any incoming connections with my firewall, but it only worked for last night. For some reason, right after I made that firewall rule, I couldn't find it in the list of firewall rules...

 

Is there any way I can make this problem stop once and for all? What is it that causes svchost to make these connections? Can I just block svchost altogether from connecting to the web? I would greatly appreciate any help to stop this madness. Thanks :)

Rkill.txt

Rkill.txt

ComboFix.txt

AdwCleanerR0.txt

AdwCleanerS0.txt
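An added example, not code from this thread or from Malwarebytes, for the question of what inside svchost actually owns a connection: svchost.exe is only a host process, so the useful attribution is the Windows service running inside the PID that netstat reports. The script assumes Windows 7 with PowerShell 2.0 (hence no Get-NetTCPConnection) and an elevated prompt; the probed-port list is a constructed list taken from the ports reported later in this thread.

```powershell
# Added example (not from the thread): attribute each socket to the service hosted in
# svchost.exe, then check whether the probed ports even have a listener.
# Assumes Windows 7 / PowerShell 2.0 and an elevated prompt.

# 1. PID -> names of the services running inside that process. Cast to [int] so the
#    hashtable key type matches Get-Process .Id (WMI returns ProcessId as UInt32).
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $p = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
    $svcByPid[$p] += $_.Name
}

# 2. PID -> image name
$imageByPid = @{}
Get-Process | ForEach-Object { $imageByPid[[int]$_.Id] = $_.ProcessName }

# 3. Parse "netstat -ano"; TCP rows carry a State column, UDP rows do not
$rows = netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Length -ge 5) {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State=$f[3]; OwnerPid=[int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Length -ge 4) {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State='-'; OwnerPid=[int]$f[3] }
    }
}

# 4. Join the three: the Services column says what a "svchost" socket really belongs to
$rows | ForEach-Object {
    $img = $imageByPid[$_.OwnerPid]
    $svc = ''
    if ($svcByPid.ContainsKey($_.OwnerPid)) { $svc = $svcByPid[$_.OwnerPid] -join ',' }
    $_ | Add-Member -MemberType NoteProperty -Name Image -Value $img -PassThru |
         Add-Member -MemberType NoteProperty -Name Services -Value $svc -PassThru
} | Sort-Object Image, Local | Format-Table Proto, Local, Remote, State, OwnerPid, Image, Services -AutoSize

# 5. Ports from the blocked inbound attempts reported in this thread (constructed list).
#    An inbound attempt to a port with no LISTENING socket is refused by the host itself
#    and is background scanning, not a local process reaching out; only a port that is
#    listening needs the service above identified and justified.
$probed = 19, 22, 1433, 5060, 8080, 21869
$listening = @($rows | Where-Object { $_.State -eq 'LISTENING' } |
               ForEach-Object { [int](($_.Local -split ':')[-1]) })
foreach ($p in $probed) {
    if ($listening -contains $p) { "port {0,5}: LISTENING - check its Services entry above" -f $p }
    else                         { "port {0,5}: no listener - inbound attempt rejected at the socket" -f $p }
}
```

Outbound rows whose Image is the browser rather than svchost are the ones worth investigating, since the blocked inbound probes to closed ports carry no information about the host beyond its address being reachable.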


Please download RogueKiller from here:

 

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

 

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

  • Make sure to get the correct version for your system.
  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe.
  • Wait until Prescan has finished...
  • The following EULA will appear, please select Accept.
  • Ensure MBR scan, Check faked and AntiRootkit are checked.
  • Select Scan.
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.


Here's the report:

 

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com




 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : WL [Admin rights]

Mode : Scan -- Date : 10/31/2013 01:39:09

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 4 ¤¤¤

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD7500BPKT-75PK4T0 +++++

--- User ---

[MBR] 3835b3083c0c127b8a6b07735ad80c8f

[bSP] 16f4024e34566a678ac684a349fe1701 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 212992 | Size: 20000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41172992 | Size: 439298 Mo

3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 940857344 | Size: 256000 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_10312013_013909.txt >>

RKreport[0]_S_10282013_214302.txt

RogueKiller log is clean, no DNS entries flagged either. OK, do the following:

 

Run Zoek again exactly as you did previously, copy the following script into the text field:

firefoxlook; FFdefaults;Chromelook; CHRdefaults;autoclean; iedefaults; 

Select the "Run Script" tab, wait until the log is produced, and copy it to your reply. Let me know if that clears the IP issue.

 

Kevin


***UPDATE***:

  • There are aggressive attempts by another Dutch IP, 88.208.33.4, from Advancedhosters Limited, trying to make my web browser have an outbound connection to this IP through port 50457, about once/twice per hour, which were blocked by MBAM. (Fewer but still aggressive) attempts by Dutch IP 141.0.172.225 from Amsterdam ServerStack, once every 1 - 2 hrs, also blocked.
  • 2 inbound connection attempts by IP 74.118.193.38.
  • There are slightly decreased attempts by the Ecatel IP mentioned above trying to make inbound connections under svchost.
  • My Bitdefender AV can no longer update, even upon a manually executed update attempt.

I'll run Zoek in ~1 hr from this post. I'm just wondering, if I had my IP address changed, would these Dutch IP hackers "follow me" to my new address?


Hi, sorry for the delay in posting. Here's the zoek log.

 

Zoek.exe Version 4.0.0.5 Updated 26-October-2013
Tool run by WL on 11/03/13 at  2:36:39.62.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\WL\Desktop\zoek\zoek.exe [script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2013-10-30-055647.log 128735 bytes
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"ffpwdman@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman" [10/17/13 02:03 PM]
 
==== Chrome Look ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
ccahoghmggldkcdjiebjkidpfongdfbl - C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxcr.crx[09/25/13 03:05 PM]
 
Bejeweled - WL - Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm
Your Second Phone - WL - Default\Extensions\afgcliennfocnaoenlkmlhoakpaflpgo
BIODIGITAL HUMAN - WL - Default\Extensions\agoenciogemlojlhccbcpcfflicgnaak
Angry Birds - WL - Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj
Google Docs - WL - Default\Extensions\aohghmighlieiainnegkcijnfilokake
Task Timer - WL - Default\Extensions\aomfjmibjhhfdenfkpaodhnlhkolngif
Lucidchart Diagrams Online - WL - Default\Extensions\apboafhkiegglekeafbckfjldecefkhn
Google Drive - WL - Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
TV - WL - Default\Extensions\beobeededemalmllhkmnkinmfembdimh
Desmos Graphing Calculator - WL - Default\Extensions\bhdheahnajobgndecdbggfmcojekgdko
WOT - WL - Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp
SKiD Racer - WL - Default\Extensions\bhoaojooagiaaiidlnfhkkafjpbbnnno
YouTube - WL - Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Bitdefender Wallet - WL - Default\Extensions\ccahoghmggldkcdjiebjkidpfongdfbl
Last updated at time on date - WL - Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb
Bouncy Mouse - WL - Default\Extensions\cgdllcbmneiklcmbeclfegccdjholomb
Yendo Accounting - WL - Default\Extensions\cgllmndceblpkjnakpnceoafddbechmp
Useful Periodic Table - WL - Default\Extensions\chachkegffmilnmdlonllkhkfkakghie
OneTab - WL - Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall
Google Search - WL - Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
MaskMe - WL - Default\Extensions\dpkiidbpeijnaaacjlfnijncdlkicejg
Gmail Offline - WL - Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk
ZenMate for Google Chrome\u2122 - WL - Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme
Full Screen Weather - WL - Default\Extensions\fkkaebihfmbofclegkcfkkemepfehibg
Springpad - WL - Default\Extensions\fkmopoamfjnmppabeaphohombnjcjgla
Digital Clock - WL - Default\Extensions\gdkjifoifglkpcdffkenpinlbjgephlo
Picadilo - WL - Default\Extensions\geljjpapbfokifgnlnpdbiplebdhlein
AdBlock - WL - Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Clock - WL - Default\Extensions\hoihofapbdnldlhecnhefifbcddgdkhm
Pixlr Editor - WL - Default\Extensions\icmaknaampgiegkcjlimdiidlhopknpk
Concentrate - WL - Default\Extensions\idfmgklhndkcggamadboiaepmohpjhjj
Stealthy - WL - Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnoje
ButtonBass Xylophone - WL - Default\Extensions\indlkficjfpogfdndmffegpjapkfaeoh
Wave Accounting - WL - Default\Extensions\knpkfcpnjfbniadmfchjpcigfhookhaa
Build with Chrome - WL - Default\Extensions\lbbbhbjeecagnlfgggogfclkdjamoapf
Evernote Web - WL - Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol
Planner 5D - WL - Default\Extensions\mcafejemebbngbglfoinpoaannbihjna
ChemReference Periodic Table - WL - Default\Extensions\mjpnebljmdbglkmlnijcaplhfhkhdnib
Google Wallet - WL - Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Docs PDFPowerPoint Viewer by Google - WL - Default\Extensions\nnbmlagghjjcbdhgmkedmbmedengocbn
Background Tab - WL - Default\Extensions\oehpjpccmlcalbenfhnacjeocbjdonic
Tetris 3D - WL - Default\Extensions\pdkeccfoknbfheljdlnicdlbflmfkdpm
Gmail - WL - Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google  Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"
 
==== Reset Google Chrome ======================
 
C:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\WL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\WL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\WL\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 11/03/13 at  2:49:11.65 ======================

From the time my internet connection was fixed Saturday morning, these were the additional IPs that were attempting inbound connections to svchost, on top of the first Ecatel IP mentioned in the first post, and some attempted outbound connections from my web browser:

 

* 93.174.88.31 port 4921, port 28223
* 94.102.49.213 port 19
* 222.186.34.28 port 8080
* 222.186.42.43 port 1433
* 94.102.48.167 port 14075

OK, run the following:

 

1. Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe


4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:


5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.


7. The following image opens, select Update


8. When the update completes select Next.


9. In the following window ensure "Targets" are ticked. Then select "Scan"


10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.


11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:


13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Next,

 

If the logs from MBAR are clean also do this:

 

Go to the following link: http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html follow the instructions and reset your router.

 

Next,

 

Please download MiniToolBox, save it to your desktop and run it.

 

Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

 

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Hi, I'm waiting to change my static IP address, because I contacted my ISP and they told me that they changed my IP address yesterday, yet the IP attacks kept coming! These are the new IPs, along with the Ecatel ones:

  • 46.246.111.54 port 8080
  • 93.174.93.139, 94.102.51.225 port 19
  • 109.230.220.126 port 5060
  • 211.198.225.149 port 21869
  • 222.186.34.31 port 1433
  • 218.7.37.194 port 22

As well, my PC froze twice, on Nov. 5th and 6th, with my input devices disabled, and any text box that I had open (like a web browser address bar or a sticky note I was writing on) would have the number 2 entered continuously, non-stop (i.e. 2222222222222222222...), and I had to power off the machine abruptly to stop it.

 

I ran MBAM Anti-Rootkit, and the logs are attached below (I ran it twice).

 

The ISP tech assistance rep told me that my problem is likely working in a two-way direction, just as addressed in the previous post, and told me I probably have deeply hidden malicious code on my PC that's contacting the hacker IPs, and the IPs keep pinging, port-scanning and contacting my machine, and he proposed that I have my PC cleaned or reformatted, and have my IP changed simultaneously, to prevent any contact with the malicious IPs whatsoever. However, my IP would change only at times when my IP lease expires (November-07-13 10:41:34 PM New York time, shown in my Network and Sharing Center's LAN details), and having my modem disconnected for 4 - 24 hrs to release my IP to someone else...

 

I'll make updated posts as soon as I can.

 

mbar-log-2013-11-03 (14-25-05).txt

system-log.txt

mbar-log-2013-11-06 (23-08-00).txt

system-log.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
