OK so it has been a while now on this and since setting it to Not allow remote connection I have been unable to see any more erratic activity as before. So what now? Re-enable it and if it has erratic activity like that again does that mean someone is trying to access my machine? Someone trying to access my machine would be an INCOMING connection and show as yellow on the network meter would it not?
My Computer
At a glance
Windows 7 Ultimate 64Bit (SP1)Intel® Core™ i3-6100 Processor (3M Cache, 3.7...Kingston 16GB Hyper X Fury Blue DDR3 1600Mhz ...On board (Asus B150M-C D3) VGA and DVI on Ext...
If it was my computer I would not activate it. You found the problem and then fixed the problem. I would leave it fixed. I would NOT allow AVG to have remote access to my computers.
My Computer
At a glance
Windows 10 Pro. 64/ version 1709 Windows 7 Pr...Intel i7-6800K @ 4.3Corsair Platinum 16 gig @2400EVGA GTX 1070 OC
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Good find Chris. Hanoi is scary.
It's hard for me to believe that AVG is using Hanoi.
There must be some other bad thing in this system.
The thing I would do if I found something in my computer from Hanoi:
I would suggest with a clean computer changing ALL passwords for everything. I would also suggest to notify all banks and credit card companies that your computer has been compromised.
At that point I wouldn't take any chances. I would do a Clean Install.
Windows 7 Ultimate 64Bit (SP1)Intel® Core™ i3-6100 Processor (3M Cache, 3.7...Kingston 16GB Hyper X Fury Blue DDR3 1600Mhz ...On board (Asus B150M-C D3) VGA and DVI on Ext...
Okay so I know you deleted your post but what would be really interesting is to get the process name from the process PID you gave. The IP address from your deleted post resolves to an OVH server and OVH have faced criticism for allowing malware and hackers to use their servers. Personally I run Peerblock and all OVH server IP address ranges are blocked. There's no good reason for your machine to be connecting to any OVH server.
My Computer
At a glance
Microsoft Windows 7 Home Premium 64-bit 7601 ...AMD C-60 APU with Radeon(tm) HD Graphics4.00 GBAMD Radeon HD 6290 Graphics
Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Did you get my entire post in a reply email? It had the netstat -ano results in it. I thought I had RDP disabled but I must have re-enabled it to see if it would happen again after a long time of no activity. I guess I forgot to disable it again. Once I had RDP disabled again I deleted that post.
If you got my full reply in an email, is the IP you are talking about now the one I said was in Quebec, Canada? If so, the process associated with PID 4488 was svchost and the cryptsvc process was under that host.
Definitely RDP related.
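A way to act on the "get the process name from the PID" question above, as an added example that is not code posted in this thread: this PowerShell script (assumed to be run from an elevated prompt on Windows 7 or later, where `Get-NetTCPConnection` is not available) parses `netstat -ano` and `tasklist /svc`, joins them on PID so every connection shows its owning process and any services hosted inside it (the svchost/cryptsvc case mentioned above), flags rows on the RDP port, and reports whether Remote Desktop connections are currently allowed via the `fDenyTSConnections` registry value. The default port 3389 and the column layout of those two commands are assumptions about a standard install.

```powershell
# Added example: join netstat -ano with tasklist /svc so each connection shows
# its owning process and hosted services, and flag anything on the RDP port.
# Assumes an elevated prompt on Windows 7+ and the default RDP port.

$RdpPort = 3389   # assumption: RDP listener left on its default port

# 1. Is Remote Desktop allowed at all?  fDenyTSConnections = 1 means
#    "Don't allow connections to this computer" (the setting discussed upthread).
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsPath -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 1) {
    Write-Output 'RDP: connections NOT allowed (fDenyTSConnections=1)'
} else {
    Write-Output 'RDP: connections ALLOWED (fDenyTSConnections=0)'
}

# 2. Build a PID -> {process name, hosted services} table from tasklist /svc.
#    CSV columns are "Image Name","PID","Services"; Services is "N/A" for
#    processes that host no service.
$svcByPid = @{}
tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
    $svcByPid[[int]$_.PID] = @{ Name = $_.'Image Name'; Services = $_.Services }
}

# 3. Parse netstat -ano.  A TCP row looks like
#      TCP    192.168.1.10:3389    203.0.113.5:51234    ESTABLISHED    4488
#    UDP rows have no State column, so the PID is always the last field.
$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
    $f      = ($_ -replace '^\s+', '') -split '\s+'
    $state  = ''
    if ($f[0] -eq 'TCP') { $state = $f[3] }
    $procId = [int]$f[-1]          # local name; $PID is a PowerShell automatic variable
    $info   = $svcByPid[$procId]
    $name   = '?'
    $svcs   = '?'
    if ($info) { $name = $info.Name; $svcs = $info.Services }
    # The port is whatever follows the last colon, so this also matches [::]:3389.
    $onRdp  = ($f[1] -match ":$RdpPort$") -or ($f[2] -match ":$RdpPort$")
    [pscustomobject]@{
        Proto    = $f[0]
        Local    = $f[1]
        Remote   = $f[2]
        State    = $state
        PID      = $procId
        Process  = $name
        Services = $svcs
        RdpPort  = $onRdp
    }
}

# 4. Report: RDP-related rows first, then every other non-listening socket,
#    grouped by PID so a busy svchost stands out.
Write-Output '--- Sockets on the RDP port ---'
$rows | Where-Object { $_.RdpPort } | Format-Table -AutoSize
Write-Output '--- Other active sockets ---'
$rows | Where-Object { -not $_.RdpPort -and $_.State -ne 'LISTENING' } |
    Sort-Object PID | Format-Table -AutoSize
```

Reading the output: an `ESTABLISHED` row on the RDP port whose remote address is not a machine you own is what the thread's "yellow on the network meter" question is really asking about, and the `Services` column tells you which service inside a shared svchost owns the socket rather than just the host process name.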
Seems like you've nailed it. If disabling RDP does the trick then I wouldn't worry about it. As far as disabling the cryptsvc service is concerned, it's not a good idea if you need to keep Windows Updates working.
Also I got the email notification and details you posted were contained in the email.
Well after some more thought I have some suggestions. I know nothing about AVG Firewall though. I've used most free firewalls but AVG's isn't one of them!
Check that your router firewall is enabled. I cannot give specific instructions but if you log into your router you might well find a setting to enable/disable it. This is an entirely different firewall than the one you use on your computer.
When you've done that run the tests here and report any problems: