Windows 7 x64 CryptSvc under Svchost uploading data


  1. Posts : 129
    Windows 7 Ultimate 64Bit (SP1)
    Thread Starter
       #21

    OK so it has been a while now on this and since setting it to Not allow remote connection I have been unable to see any more erratic activity as before. So what now? Re-enable it and if it has erratic activity like that again does that mean someone is trying to access my machine? Someone trying to access my machine would be an INCOMING connection and show as yellow on the network meter would it not?


  2. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #22

    If it was my computer I would not activate it. You found the problem and then fixed the problem. I would leave it fixed. I would NOT allow AVG to have remote access to my computers.
    Last edited by Layback Bear; 29 Apr 2015 at 13:01. Reason: spelling


  3. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #23

    Disable RDP?


    Layback Bear said:
    If it was my computer I would not activate it. You found the problem and then fixed the problem. I would leave it fixed. I would NOT allow AVG to have remote access to my computers.

    Agreed. Leave it disabled and only enable it on a when-needed basis.


  4. Posts : 129
    Windows 7 Ultimate 64Bit (SP1)
    Thread Starter
       #24

    So it's AVG that does all that weird uploading?


  5. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #25

    Don't know that it's AVG. Looking at your AVG settings you've got them set correctly. That IP Address resolves to somewhere in Vietnam.

    Also read the article here: Remote Desktop (RDP) Hacking 101: I can see your desktop from here!

    What firewall do you use?


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #26

    Good find Chris. Hanoi is scary.
    It's hard for me to believe that AVG is using Hanoi.
    There must be some other bad thing in this system.
    The thing I would do if I found something in my computer from Hanoi.

    I would suggest with a clean computer changing ALL passwords for everything. I would also suggest to notify all banks and credit card companies that your computer has been compromised.

    At that point I wouldn't take any chances. I would do a Clean Install.


  7. Posts : 129
    Windows 7 Ultimate 64Bit (SP1)
    Thread Starter
       #27

    Edit: Deleted/canceled post


  8. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #28

    Okay so I know you deleted your post but what would be really interesting is to get the process name from the process PID you gave. The ip address from your deleted post resolves to an OVH server and OVH have faced criticism for allowing malware and hackers to use their servers. Personally I run Peerblock and all OVH server ip address ranges are blocked. There's no good reason for your machine to be connecting to any OVH server.


  9. Posts : 129
    Windows 7 Ultimate 64Bit (SP1)
    Thread Starter
       #29

    Did you get my entire post in a reply email? It had the netstat -ano results in it. I thought I had RDP disabled but I must have re-enabled it to see if it would happen again after a long time of no activity. I guess I forgot to disable it again. Once I had RDP disabled again I deleted that post.

    If you got my full reply in an email is the IP you are talking about now the one I said was in Quebec Canada? If so, the process associated with 4488 PID was svchost and the cryptsvc process was under that host.

    Definitely RDP related.


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #30

    Seems like you've nailed it. If disabling RDP does the trick then I wouldn't worry about it. As far as disabling the cryptsvc service is concerned - it's not a good idea if you need to keep Windows updates working.

    Also I got the email notification and details you posted were contained in the email.
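
The PID-to-service lookup discussed in posts #28 and #29, as an added example that is not part of the original thread: it parses `netstat -ano` and `tasklist /svc /fo csv` output, flags ESTABLISHED connections on a port the machine is also listening on (inbound), and lists every service sharing the owning svchost PID. The sample output, addresses, process names and service grouping are constructed (English-language column headers assumed); only PID 4488 comes from the thread.

```python
import csv, io

# Constructed sample of `netstat -ano` output; addresses are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       4488
  TCP    192.168.1.10:3389      203.0.113.45:51514     ESTABLISHED     4488
  TCP    192.168.1.10:49201     198.51.100.7:443       ESTABLISHED     2312
  UDP    0.0.0.0:5355           *:*                                    4488
"""

# Constructed sample of `tasklist /svc /fo csv` output.
TASKLIST = '''\
"Image Name","PID","Services"
"svchost.exe","4488","CryptSvc,Dnscache,NlaSvc,TermService"
"firefox.exe","2312","N/A"
'''

def parse_netstat(text):
    """Return TCP rows as dicts; UDP rows have no State column and are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            # rsplit keeps bracketed IPv6 addresses such as [::]:3389 intact
            rows.append({"lport": int(f[1].rsplit(":", 1)[1]), "remote": f[2],
                         "state": f[3], "pid": int(f[4])})
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, list of services hosted in that process)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else \
               [s.strip() for s in row["Services"].split(",")]
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def inbound_sessions(netstat_text, tasklist_text):
    """ESTABLISHED rows whose local port is also LISTENING were accepted by this
    machine (inbound); each is tagged with every service in the owning PID."""
    conns, procs = parse_netstat(netstat_text), parse_tasklist(tasklist_text)
    listening = {c["lport"] for c in conns if c["state"] == "LISTENING"}
    out = []
    for c in conns:
        if c["state"] == "ESTABLISHED" and c["lport"] in listening:
            image, svcs = procs.get(c["pid"], ("?", []))
            out.append((c["remote"], c["lport"], c["pid"], image, svcs))
    return out
```

Because one svchost PID hosts several services, the service list only narrows the candidates; the local port (3389 in the sample) is what ties the session to Remote Desktop.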


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
