svchost constantly trying to connect to Leaseweb

Ok, since soon after installing the operating system and firewall I noticed that 4 copies of svchost were making a lot of outbound connections. By a lot I mean about 6000 tries in an hour. The connection is always to 95.211.162.80 on ports 443-447. I’ve blocked the IP address but svchost is still trying to connect. Does anyone know why this is happening? I can see connecting to Microsoft for updates or something, but this is an Amsterdam IP.
Below is a copy from KillSwitch. Any help would be greatly appreciated.

TCP 10.0.0.3 56309 95.211.162.80 443 SYN Sent
TCP 10.0.0.3 59917 95.211.162.80 446 SYN Sent
TCP 10.0.0.3 60473 95.211.162.80 446 SYN Sent
TCP 10.0.0.3 60477 95.211.162.80 445 SYN Sent
TCP 10.0.0.3 60481 95.211.162.80 446 SYN Sent
TCP 10.0.0.3 60485 95.211.162.80 443 SYN Sent
TCP 10.0.0.3 60490 95.211.162.80 444 SYN Sent
TCP 10.0.0.3 60495 95.211.162.80 446 SYN Sent

Not enough info to tell what’s going on. The IP is a CDN service, i.e. Leaseweb’s, and port TCP 443 is for SSL encrypted communications and 446 is for Remote Relational Database Access. You’re going to have to try to pin down what service running under the svchost wrapper is making the connections.

There are usually 5 copies of svchost running trying to access that address. Win8 Task Manager gives no info on the services attached to those PIDs, Process Explorer just gives me the basic svchost info and doesn’t even have a Services tab for these PIDs. Svchost Viewer lists the PIDs but no info on what is running them. Comodo, Malwarebytes, Defender, Kaspersky and AVG are all unable to find any malware or virus, so at this point I am stumped.

Are all the svchost.exe processes legitimate? In Process Explorer, you can do a quick check by adding the ‘VirusTotal’ and ‘Verified Signer’ columns and turning on checking for these in the Options menu.

How about capturing the network traffic using Microsoft Network Monitor 3.4 and seeing what Host & URI it’s requesting? That may give you some clues. Or if it’s actually an encrypted connection to port 443 (so you can’t see the packet data), the captured DNS request may give you the domain name for that IP address.
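A PowerShell way to do the checks suggested in the two replies above, added here as an example (it is not from the thread, from KillSwitch or from Process Explorer): it lists the processes that own TCP sockets to the quoted address, which services run inside any svchost.exe among them, whether the image on disk carries a valid Microsoft signature, and whether the local DNS client cache already holds a name for that address, so the name can be read without unblocking the firewall. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-DnsClientCache) and an elevated prompt; 95.211.162.80 is the address from the first post and stands in for whatever your own firewall log shows.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
$RemoteAddress = '95.211.162.80'   # address from the first post; substitute your own

# 1. Every TCP socket to that address, in any state. SYN_SENT sockets are very
#    short-lived, so run this while the firewall log is showing attempts.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Warning "No TCP sockets to $RemoteAddress at this moment; retry while the attempts are happening."
}

# 2. One report per owning process.
$report = $conns | Group-Object -Property OwningProcess | ForEach-Object {
    $procId = [int]$_.Name
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $path   = if ($proc) { $proc.Path } else { $null }

    # 3. Authenticode status of the image on disk. A genuine svchost.exe lives in
    #    System32 and has a valid Microsoft signature; anything else deserves a closer look.
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    # 4. Services hosted inside this PID: the detail Task Manager and Process Explorer
    #    were not showing in the thread. Empty for a process that is not a service host.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $procId" |
                Select-Object -ExpandProperty Name

    [pscustomobject]@{
        PID       = $procId
        Image     = $path
        SigStatus = if ($sig) { $sig.Status } else { 'unknown' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        Services  = ($services -join ', ')
        Sockets   = ($_.Group | ForEach-Object { "$($_.LocalPort)->$($_.RemotePort) $($_.State)" }) -join '; '
    }
}
$report | Format-List

# 5. The DNS client cache keeps the name that was resolved to this address even while
#    the firewall blocks the connection itself, so the domain can be read without
#    letting the traffic out.
Get-DnsClientCache | Where-Object { $_.Data -eq $RemoteAddress } |
    Select-Object Entry, RecordName, RecordType, TimeToLive
```

The same PID-to-service mapping is available from a plain command prompt with `tasklist /svc`, which is handy when PowerShell is not an option; the point of the script is to tie the socket, the PID, the hosted services and the signature together in one view so the odd one out stands out.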

Ok, ran Process Explorer and checked VirusTotal: 0/54, and Verified Signer: [Verified].
Not sure how to read Network Monitor to find the host and URI. Here are the frame summaries:

167 6:38:00 PM 6/23/2014 7.3968665 Unavailable 95.211.185.129 JOEWIN8 TCP TCP:Flags=…A…F, SrcPort=HTTP(80), DstPort=1038, PayloadLen=0, Seq=3119892170, Ack=109285323, Win=32 {TCP:50, IPv4:49}
168 6:38:00 PM 6/23/2014 7.3969865 Unavailable JOEWIN8 95.211.185.129 TCP TCP:Flags=…A…, SrcPort=1038, DstPort=HTTP(80), PayloadLen=0, Seq=109285323, Ack=3119892171, Win=1018 {TCP:50, IPv4:49}

And here are the details:

Frame: Number = 168, Captured Frame Length = 54, MediaType = ETHERNET

  • Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[5C-57-1A-05-C6-A1],SourceAddress:[50-46-5D-66-02-EC]

    • DestinationAddress: 5C571A 05C6A1 [5C-57-1A-05-C6-A1]
      Rsv: (010111…)
      UL: (…0.) Universally Administered Address
      IG: (…0) Individual address (unicast)
    • SourceAddress: 50465D 6602EC [50-46-5D-66-02-EC]
      Rsv: (010100…)
      UL: (…0.) Universally Administered Address
      IG: (…0) Individual address (unicast)
      EthernetType: Internet IP (IPv4), 2048(0x800)
  • Ipv4: Src = 10.0.0.3, Dest = 95.211.185.129, Next Protocol = TCP, Packet ID = 25505, Total IP Length = 40

    • Versions: IPv4, Internet Protocol; Header Length = 20
      Version: (0100…) IPv4, Internet Protocol
      HeaderLength: (…0101) 20 bytes (0x5)
    • DifferentiatedServicesField: DSCP: 0, ECN: 0
      DSCP: (000000…) Differentiated services codepoint 0
      ECT: (…0.) ECN-Capable Transport not set
      CE: (…0) ECN-CE not set
      TotalLength: 40 (0x28)
      Identification: 25505 (0x63A1)
    • FragmentFlags: 16384 (0x4000)
      Reserved: (0…)
      DF: (.1…) Do not fragment
      MF: (…0…) This is the last fragment
      Offset: (…0000000000000) 0
      TimeToLive: 128 (0x80)
      NextProtocol: TCP, 6(0x6)
      Checksum: 29655 (0x73D7)
      SourceAddress: 10.0.0.3
      DestinationAddress: 95.211.185.129
  • Tcp: Flags=…A…, SrcPort=1038, DstPort=HTTP(80), PayloadLen=0, Seq=109285323, Ack=3119892171, Win=1018
    SrcPort: 1038
    DstPort: HTTP(80)
    SequenceNumber: 109285323 (0x6838FCB)
    AcknowledgementNumber: 3119892171 (0xB9F5C6CB)

    • DataOffset: 80 (0x50)
      DataOffset: (0101…) 20 bytes
      Reserved: (…000.)
      NS: (…0) Nonce Sum not significant
    • Flags: …A…
      CWR: (0…) CWR not significant
      ECE: (.0…) ECN-Echo not significant
      Urgent: (…0…) Not Urgent Data
      Ack: (…1…) Acknowledgement field significant
      Push: (…0…) No Push Function
      Reset: (…0…) No Reset
      Syn: (…0.) Not Synchronize sequence numbers
      Fin: (…0) Not End of data
      Window: 1018
      Checksum: 0x6D15, Disregarded
      UrgentPointer: 0 (0x0)

Frame: Number = 167, Captured Frame Length = 60, MediaType = ETHERNET

  • Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[50-46-5D-66-02-EC],SourceAddress:[5C-57-1A-05-C6-A1]

    • DestinationAddress: 50465D 6602EC [50-46-5D-66-02-EC]
      Rsv: (010100…)
      UL: (…0.) Universally Administered Address
      IG: (…0) Individual address (unicast)
    • SourceAddress: 5C571A 05C6A1 [5C-57-1A-05-C6-A1]
      Rsv: (010111…)
      UL: (…0.) Universally Administered Address
      IG: (…0) Individual address (unicast)
      EthernetType: Internet IP (IPv4), 2048(0x800)
      UnknownData: Binary Large Object (6 Bytes)
  • Ipv4: Src = 95.211.185.129, Dest = 10.0.0.3, Next Protocol = TCP, Packet ID = 26061, Total IP Length = 40

    • Versions: IPv4, Internet Protocol; Header Length = 20
      Version: (0100…) IPv4, Internet Protocol
      HeaderLength: (…0101) 20 bytes (0x5)
    • DifferentiatedServicesField: DSCP: 8, ECN: 0
      DSCP: (001000…) Differentiated services codepoint 8
      ECT: (…0.) ECN-Capable Transport not set
      CE: (…0) ECN-CE not set
      TotalLength: 40 (0x28)
      Identification: 26061 (0x65CD)
    • FragmentFlags: 16384 (0x4000)
      Reserved: (0…)
      DF: (.1…) Do not fragment
      MF: (…0…) This is the last fragment
      Offset: (…0000000000000) 0
      TimeToLive: 45 (0x2D)
      NextProtocol: TCP, 6(0x6)
      Checksum: 50315 (0xC48B)
      SourceAddress: 95.211.185.129
      DestinationAddress: 10.0.0.3
  • Tcp: Flags=…A…F, SrcPort=HTTP(80), DstPort=1038, PayloadLen=0, Seq=3119892170, Ack=109285323, Win=32
    SrcPort: HTTP(80)
    DstPort: 1038
    SequenceNumber: 3119892170 (0xB9F5C6CA)
    AcknowledgementNumber: 109285323 (0x6838FCB)

    • DataOffset: 80 (0x50)
      DataOffset: (0101…) 20 bytes
      Reserved: (…000.)
      NS: (…0) Nonce Sum not significant
    • Flags: …A…F
      CWR: (0…) CWR not significant
      ECE: (.0…) ECN-Echo not significant
      Urgent: (…0…) Not Urgent Data
      Ack: (…1…) Acknowledgement field significant
      Push: (…0…) No Push Function
      Reset: (…0…) No Reset
      Syn: (…0.) Not Synchronize sequence numbers
      Fin: (…1) End of data
      Window: 32
      Checksum: 0x70EF, Good
      UrgentPointer: 0 (0x0)

Hi kourgath,

Please try this:

http://www.neuber.com/free/svchost-analyzer/SvchostAnalyzer.exe

Kind regards, REBOL.

(Make sure to run as administrator.)

It will look like the attached screenshots. However, if you’ve got it blocked by the firewall, then you may not be able to see what it’s trying to request anyway. That’s one of the problems with trying to identify what something’s trying to connect to the internet for: if you block it you can’t capture the traffic and see what it’s doing, so it’s a catch-22 situation (although you should still be able to see the DNS requests without allowing it to make connections, so I’d probably try to view that first).

[attachment deleted by admin]

Ok, unblocked it for a few seconds while capturing and it immediately connected to 95.211.185.129 with the domain name apparently turobina.com, and it triggered another set of connections:

0x2b60 turobina.com 1466 1:25:58 PM 6/24/2014 219.8768207 Unavailable JOEWIN8 turobina.com TCP TCP:Flags=…S., SrcPort=25643, DstPort=DDM-RFM(447), PayloadLen=0, Seq=2835445263, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:338, IPv4:337}

0x2868 /22860324/MjAwMDE0NA==/?l=eyJhYyI6MTE1LCJwYyI6NjAsInVpZCI6MTAwMjQsInN1YmlkIjoiMjAwMDE0NCIsImlwIjoiMjQuMTkuMTM4LjIxOSIsImNvdW50cnkiOiJVUyIsInEiOiJkaXNhYmxlIiwiYiI6MC4wMDIyLCJmIjo0NSwiYyI6IjM1IiwibCI6IjEiLCJ1cmwiOiJodHRwOlwvXC94bWwuc2l4c2hvdG1lZGlhLmNvbVwvY2xpY /22860324/MjAwMDE0NA==/ 19329 1:29:36 PM 6/24/2014 438.3004260 Unavailable JOEWIN8 88.214.194.199 HTTP HTTP: {HTTP:1911, TCP:1902, IPv4:1898}
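Decoding what that last frame carries, as an added example (not from the thread): both the second path segment `MjAwMDE0NA==` and the `l=` query parameter are base64, and Network Monitor cut the URI off mid-string, so the decoder below first drops a dangling partial quantum (a stray trailing character holds only 6 bits, which .NET rejects outright) and then pulls only the complete "key":value pairs out of the truncated JSON instead of failing on it. Plain PowerShell, no extra modules; the two strings are copied verbatim from the frame above.

```powershell
# Added example, not code from the thread. Plain PowerShell, no extra modules needed.

function ConvertFrom-TruncatedBase64 {
    # Decode base64 / base64url text that may have lost its '=' padding or been
    # cut off mid-quantum, as URLs copied out of a capture often are.
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text.Trim().Replace('-', '+').Replace('_', '/').TrimEnd('=')
    if ($t.Length % 4 -eq 1) {
        # A lone trailing character carries only 6 bits: not a whole byte, drop it.
        $t = $t.Substring(0, $t.Length - 1)
    }
    $t += '=' * ((4 - $t.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
}

function Get-CompleteJsonPairs {
    # Extract every complete "key":value pair (string or number) from a JSON object
    # that was truncated mid-value; the unfinished trailing value is left out.
    param([Parameter(Mandatory)][string]$Json)
    $pairs = [ordered]@{}
    $rx = '"([A-Za-z_]\w*)"\s*:\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+(?:\.\d+)?))'
    foreach ($m in [regex]::Matches($Json, $rx)) {
        $key = $m.Groups[1].Value
        if ($m.Groups[2].Success) {
            $pairs[$key] = $m.Groups[2].Value.Replace('\/', '/')   # undo JSON escaping of "/"
        } else {
            $pairs[$key] = [double]$m.Groups[3].Value
        }
    }
    return $pairs
}

# Strings copied from the last Network Monitor frame quoted in the thread.
$pathSegment = 'MjAwMDE0NA=='
$lParam = 'eyJhYyI6MTE1LCJwYyI6NjAsInVpZCI6MTAwMjQsInN1YmlkIjoiMjAwMDE0NCIsImlwIjoiMjQuMTkuMTM4LjIxOSIsImNvdW50cnkiOiJVUyIsInEiOiJkaXNhYmxlIiwiYiI6MC4wMDIyLCJmIjo0NSwiYyI6IjM1IiwibCI6IjEiLCJ1cmwiOiJodHRwOlwvXC94bWwuc2l4c2hvdG1lZGlhLmNvbVwvY2xpY'

$subidFromPath = ConvertFrom-TruncatedBase64 $pathSegment
$beaconJson    = ConvertFrom-TruncatedBase64 $lParam
$fields        = Get-CompleteJsonPairs $beaconJson

"Second path segment decodes to : $subidFromPath"
"l= parameter decodes to        : $beaconJson"
"Complete fields recovered      :"
$fields.GetEnumerator() | Format-Table Name, Value -AutoSize
if ($fields['subid'] -eq $subidFromPath) {
    "The subid inside the JSON equals the decoded path segment."
}
```

What comes out is a small JSON object whose keys include a subid (the same value as the decoded path segment), the machine's public IP address, a country code and the beginning of a `url` field pointing at another host, which is the kind of request a legitimate Windows service has no reason to make; the recovered fields are what you would hand to whoever is chasing down the service behind that svchost instance.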