Network Connections - svchost.exe - port 7680 - 1GB

[Stratego 0]

Hi there,

Just finished up re-setting my laptop after a complete wipe from a suspected hack / malicious activity and already I'm seeing unexplained network connectivity and transfers.

Details: Lenovo X1 Carbon - Gen 8 - Windows 10 Pro 19045. All Windows and Lenovo updates and firmware. Running ESET Smart Security Premium.

Whether I'm at home or at the office, I'm noticing unwanted connections coming from 20+ IP addresses. 

From my office, I've had over 3000x attempt and attacks by 7 workstations, 2 phones, and 1 printer, through ports: 137, 138, 7680, 1900, and 5355. I noticed over 1GB of data transfer so far.

From Home, I'm getting similar attacks as well from the above mentioned ports.

Everything is going through masks uses of svchost.exe, spoolsv.exe, jhi_service.exe, msedge.exe. I believe they've manipulated ESET as well, because when I see the IP addresses and I try to right click it, I can't Deny the connection, it won't allow me too. I can't Deny the service of the file as well as it's greyed out.

My browser also had the Green Border missing earlier this afternoon.

 

I don't believe there's any Malware on the system itself as I didn't click on anything or install anything unwanted or questionable as it's a brand new setup.

I have also been going through this for the last 2 months. This is some sort of script or a really bored indivdual(s) using Windows exploits to get in.

How do I stop this? What can I do?

 

Thank you,

[Stratego 0]

In addition to the above, this is the 3rd time Windows Update has notified me that 22H2 update is available and ready to be installed. I've done this twice already. WTH is going on here!?

[Stratego 0]

600MB Has been sent to ESET so far???

 

 

[Stratego 0]

Normal for all these connections?

[itman 1,746]

14 hours ago, Stratego said:

From my office, I've had over 3000x attempt and attacks by 7 workstations, 2 phones, and 1 printer, through ports: 137, 138, 7680, 1900, and 5355. I noticed over 1GB of data transfer so far.

From Home, I'm getting similar attacks as well from the above mentioned ports.

For starters, set your Eset network connection profile to Public. When the network connection is set to Public, it will block any inbound connections from both the Internet and your local subnet to ports 137, 138, 1900, and 5355.

As far as port 7680 goes, it is used for Delivery Optimization for Win 10 updating: https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq . Refer to the below screen shot. If you haven't disabled "Allow downloads from other PCs settings," your PC is basically being used as part a Microsoft botnet for updating of its software. This will also account for the high volume of Internet network traffic you are observing. Also, allowing this network traffic is a potential security risk.

Edited September 8 by itman

[itman 1,746]

15 hours ago, Stratego said:

In addition to the above, this is the 3rd time Windows Update has notified me that 22H2 update is available and ready to be installed. I've done this twice already. WTH is going on here!?

Appears to be a Windows Update issue. Refer to this posting: https://answers.microsoft.com/en-us/windows/forum/all/windows-10-22h2-repeatedly-updates-despite-the/edaef2f5-ffa0-488b-8b6a-385d751569ce .