Malwarebytes Premium doing some odd blocking

Archon Prime

I've been seeing this on MY computer believe it or not since I've had Malwarebytes Premium installed on the system. I've noticed bouts of inbound/outbound blocking from svchost.exe. (glad I installed this software if this has been happening in the background)

I've run every scan you could possibly think of with everything on my usb stick for malware/viruses/rootkits/trojans, etc.
I've not found anything suspicious on the system at all, yet svchost keeps getting blocked for communicating with overseas IPs: China, India, Netherlands, etc. It's random, but I keep seeing this occur periodically. I don't have anything running besides Emsisoft, Plex (local only), Malwarebytes, and Kabuto. I went to the point of checking each svchost process, and they all pop up in the correct folder, System32.

I think I need some extra set of eyes/brains on this one. It could be nothing, it could be something.

I've exported 4 of the blocked website logs that occurred this afternoon:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/19/17
Protection Event Time: 1:27 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1762
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain:
IP Address: 94.102.52.6
Port: [3389]
Type: Outbound
File:



(end)
--------------------------------------
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/19/17
Protection Event Time: 1:27 PM
Logfile: dfdf.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1762
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain:
IP Address: 94.102.52.6
Port: [3389]
Type: Outbound
File:



(end)
----------------------------------
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/19/17
Protection Event Time: 1:27 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1762
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain:
IP Address: 94.102.52.6
Port: [3389]
Type: Outbound
File:



(end)
---------------------------------
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/19/17
Protection Event Time: 1:27 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1762
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain:
IP Address: 94.102.52.6
Port: [3389]
Type: Outbound
File:



(end)
 

Attachment: svchost.PNG
Based on that outbound IP address being in the Netherlands I'd say offhand that you've got something well hidden from your existing tools. Make sure you do an offline scan and if it still comes up clean you have got some serious forensics ahead of you to find out exactly what it is. That or if pressed for time it's time for a new drive and install of your OS. Oh and stay off the porn :P
 
3389 is RDP and the logs indicate that it's outbound. Block 3389 outbound and monitor your traffic if you have the ability to do so on your firewall.
 
Windows Firewall has 3389 blocked. I noticed that too. I made sure Remote Desktop was turned off, which it is.
 
I would install ProcMon from Sysinternals and see if I could narrow down the cause. I have had to use that program just recently and it is very thorough. Wireshark could also aid in your investigation.
 
Alright, so what I would do (and I don't know if there's a better way that I'm not aware of) is use something like Process Hacker's Network tab to determine which process is connecting to that port. You know it's svchost.exe, but you need the process ID, which Process Hacker will have in parentheses. Once you have the process ID, you go to the Processes tab of Process Hacker and mouse over the svchost.exe with that process ID and see if that list of services gives you a clue.

I suppose it could be something way more advanced aside from a rogue service, but these days that seems highly unlikely.

Edit: actually, be sure to share with us what services you find under the process ID. I'd be interested in knowing if there's a new trick out there.
 
Thanks for the tip about Process Hacker; I forgot all about that tool. Grabbed it and I'll keep it handy the next time I see the notifications come up. I'm sure it's something stupid. I think it's time to nuke and pave anyway after this; it's been a while.
 
Alright, so what I would do (and I don't know if there's a better way that I'm not aware of) is use something like Process Hacker's Network tab to determine which process is connecting to that port. You know it's svchost.exe, but you need the process ID, which Process Hacker will have in parentheses. Once you have the process ID, you go to the Processes tab of Process Hacker and mouse over the svchost.exe with that process ID and see if that list of services gives you a clue.

I suppose it could be something way more advanced aside from a rogue service, but these days that seems highly unlikely.

Edit: actually, be sure to share with us what services you find under the process ID. I'd be interested in knowing if there's a new trick out there.

I had never heard of Process Hacker. Thank you for the recommendation; I can add that to my toolkit.
 
Oh, if it's not something frequent, you can also get the process ID using Process Monitor like ABTECH mentioned. You would just deselect the other buttons and leave "Show Network Activity" on.
 
@ComputerRepairTech

So on the Network tab I'm seeing svchost.exe on local port 3389. I'm seeing several different IPs/servers coming up under remote address.
I was able to copy and paste the stuff that popped up.

Here are some of them:

svchost.exe (1336), NX-01, 3389, hostby.chnet.se, 59793, TCP, Established, CryptSvc

svchost.exe (1336), NX-01, 3389, hostby.chnet.se, 55504, TCP, Established, CryptSvc

svchost.exe (1336), NX-01, 3389, hst-93-115-28-31.balticservers.eu, 59519, TCP, Established,

svchost.exe (1336), NX-01, 3389, powered-by.xenosite.net, 41289, TCP, Established, CryptSvc

svchost.exe (1336), NX-01, 3389, 94.231.131.78, 50322, TCP, Established, CryptSvc

svchost.exe (1336), NX-01, 3389, 46.166.188.211, 60565, TCP, Established, CryptSvc


Edit: so I'm looking at the 1336 process ID in the Processes tab, and nothing is showing under it.
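An added example (not from the thread and not Process Hacker's own code) that parses rows pasted from the Network tab like the ones above, groups them by PID and service column as the earlier post suggested, and classifies direction: a well-known local port such as 3389 paired with an ephemeral remote port means the peer connected in to a local listener. The sample rows are constructed from this post's paste; the 1024 ephemeral-port threshold is an assumption.

```python
import re
from collections import defaultdict

# Rows as copied from Process Hacker's Network tab (constructed from this thread).
# Columns: process (PID), local address, local port, remote address, remote port,
# protocol, state, service (sometimes blank).
PH_ROWS = """\
svchost.exe (1336), NX-01, 3389, hostby.chnet.se, 59793, TCP, Established, CryptSvc
svchost.exe (1336), NX-01, 3389, hostby.chnet.se, 55504, TCP, Established, CryptSvc
svchost.exe (1336), NX-01, 3389, hst-93-115-28-31.balticservers.eu, 59519, TCP, Established,
svchost.exe (1336), NX-01, 3389, 94.231.131.78, 50322, TCP, Established, CryptSvc
"""

ROW_RE = re.compile(
    r"^(?P<proc>\S+) \((?P<pid>\d+)\), (?P<laddr>[^,]*), (?P<lport>\d+), "
    r"(?P<raddr>[^,]*), (?P<rport>\d+), (?P<proto>\w+), (?P<state>\w+),\s*(?P<svc>.*)$"
)

def parse_rows(text):
    """Turn pasted Network-tab rows into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"], d["lport"], d["rport"] = int(d["pid"]), int(d["lport"]), int(d["rport"])
        d["svc"] = d["svc"].strip() or None  # blank service column becomes None
        conns.append(d)
    return conns

def direction(conn, listener_ports=(3389,), ephemeral_min=1024):
    """Well-known local port + ephemeral remote port => the remote side connected in."""
    if conn["lport"] in listener_ports and conn["rport"] >= ephemeral_min:
        return "inbound"
    if conn["rport"] in listener_ports and conn["lport"] >= ephemeral_min:
        return "outbound"
    return "unknown"

def summarize(conns):
    """Per PID: services seen in the service column, distinct peers, direction counts."""
    out = defaultdict(lambda: {"services": set(), "peers": set(), "directions": defaultdict(int)})
    for c in conns:
        entry = out[c["pid"]]
        if c["svc"]:
            entry["services"].add(c["svc"])
        entry["peers"].add(c["raddr"])
        entry["directions"][direction(c)] += 1
    return dict(out)

if __name__ == "__main__":
    for pid, info in summarize(parse_rows(PH_ROWS)).items():
        print(pid, sorted(info["services"]), dict(info["directions"]), sorted(info["peers"]))
```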
 
I mean when you mouse over the svchost.exe in the Processes list. You sure RDP is off? That kind of looks like it's checking certs for connections coming into your port 3389.
 
Hmm, apparently I can't disable it. I get this message now when attempting "Don't allow connections to this computer."

Edit: I was like F*ck that. I went into gpedit and disabled it from there. It's disabled now.
 

Attachment: Capture.PNG
Port 3389 is no longer showing up in Process Hacker or in the svchost process section either. I think I should be good. I was damn sure it was turned off until I saw that error pop up for Windows Firewall.
 
I would be very concerned about this. It sounds like your computer is infected with something and it's being used as a bot to make outbound connections to computers/servers that have RDP open.
 
I would be very concerned about this. It sounds like your computer is infected with something and it's being used as a bot to make outbound connections to computers/servers that have RDP open.

Well, the information he got from Process Hacker shows local port 3389, so it was others trying to connect to him. That is not to say that it's not possible that he has something else doing outbound connections to port 3389 like Malwarebytes says, but I think it's unlikely. I'm sure Malwarebytes will continue to complain if the problem isn't resolved.
 
So far so good. No traffic at all on 3389 anymore. I'm pretty sure I nipped it in the butt. I've had pretty decent security on my machine. It's just Malwarebytes going the extra step to let me know something fishy was going on. Thanks for the help, guys.
 
Well, the information he got from Process Hacker shows local port 3389, so it was others trying to connect to him. That is not to say that it's not possible that he has something else doing outbound connections to port 3389 like Malwarebytes says, but I think it's unlikely. I'm sure Malwarebytes will continue to complain if the problem isn't resolved.

If that's the case then why is port 3389 open to the outside world?
 
I use a robust UTM device in my home office. One of the areas that made sense, of course, was limiting the inbound connections on the device; however, I did not limit the outbound connections as vigorously. I intended on making that change this week, and this has only hastened that decision.
 
I use a robust UTM device in my home office. One of the areas that made sense, of course, was limiting the inbound connections on the device; however, I did not limit the outbound connections as vigorously. I intended on making that change this week, and this has only hastened that decision.
Which device do you use?
 