Tuba

  1. Devin, Thanks for clarifying. Wish we would have met 3 weeks ago. :] I suspected it was something like that, but I considered such behavior more appropriate for a user addition to a blacklist rather than a user addition to a whitelist. DNS propagation can take 24-48 hours. Checking every 2 minutes for something that can only change every day or two at most seems like overkill, especially since the user can see if a website on the whitelist is being blocked by MalwareBytes, and at that point a forced DNS refresh option in the settings would solve the problem. Any idea why I wasn’t able to trace the DNS query back to MalwareBytes as the process? As per my initial post, I was only able to see svchost and the CryptSvc, Dnscache, LanmanWorkstation and NlaSvc services beyond it.
  2. Ron, I found it! I remembered that the issue went away when I used msconfig to run a clean boot of my PC by disabling everything except the Microsoft services. So I started removing non-Microsoft services and then adding them back gradually, rebooting each time, to see if I could find one service that I could stop that would cure the problem. It worked. It's been over 10 minutes running without any access to either domain. The service that I stopped to cure the problem was MalwareBytes! So I re-enabled MalwareBytes and rebooted. As soon as MalwareBytes loaded, there was a DNS check on both websites. I then manually exited MalwareBytes and waited 10 minutes. The access was stopped. Digging further I realized that those two websites were the only ones I had whitelisted in the Exclusions section of the MalwareBytes settings. To further test it, I also added ‘forums.malwarebytes.com’ to the Exclusions section. BAM! My PC did a DNS check on ‘primewire.ag’, ‘123netflix.com’ and ‘forums.malwarebytes.com’ all at the same time! So the call was coming from inside the house. Any thoughts on how to stop MalwareBytes from DNS checking whitelisted domains?
  3. Ron, I turned off the Pi and followed your instructions. Here are the results (note that 192.168.1.15 is my PC’s IP address):

     PS C:\Users\sager> netstat -b -n -o

     Active Connections

       Proto  Local Address          Foreign Address        State           PID
       TCP    127.0.0.1:5357         127.0.0.1:49186        TIME_WAIT       0
       TCP    127.0.0.1:49174        127.0.0.1:49175        TIME_WAIT       0
       TCP    127.0.0.1:49275        127.0.0.1:49276        TIME_WAIT       0
       TCP    127.0.0.1:49279        127.0.0.1:49280        TIME_WAIT       0
       TCP    127.0.0.1:49301        127.0.0.1:2559         SYN_SENT        3668
        [nvtray.exe]
       TCP    192.168.1.15:49173     112.106.186.155:443    TIME_WAIT       0
       TCP    192.168.1.15:49180     192.168.1.1:80         CLOSE_WAIT      3656
        [Avira.ServiceHost.exe]
       TCP    192.168.1.15:49185     65.202.184.40:80       TIME_WAIT       0
       TCP    192.168.1.15:49195     23.73.177.242:443      ESTABLISHED     7088
        [mbamtray.exe]
       TCP    192.168.1.15:49205     54.186.155.102:443     CLOSE_WAIT      4400
        [mbamservice.exe]
       TCP    192.168.1.15:49226     23.212.158.252:80      ESTABLISHED     5524
        [wmiprvse.exe]
       TCP    192.168.1.15:49274     112.106.186.155:443    TIME_WAIT       0
       TCP    192.168.1.15:49278     112.106.186.155:443    TIME_WAIT       0
       TCP    [::1]:2869             [::1]:49190            TIME_WAIT       0

     Afterwards I ran Wireshark. My PC is still reaching out to resolve the DNS on those 2 websites.
  4. Ron, Not trying to steal software so no need to help me with that! But appreciate your continued help to cure my PC of malware. I reset all 3 browsers as per your instructions. Rebooted and it's still happening. Then I ran the Kaspersky Virus Removal Tool. It didn't find any viruses. Please let me know what else I should try.
  5. Ron, Thanks for helping. 2 things to note before I respond to your instructions: My PC does a DNS check on the two domains with the Pi-Hole, but it does not seem to be sending packets to those domains. I filter Wireshark using “ip ==” for the IP addresses of those sites (104.25.83.57, 104.25.84.57, 104.31.16.3 and 104.31.17.3) and nothing shows up. I used msconfig to run a clean boot of my PC by disabling everything except the Microsoft services. Upon reboot, my PC was not checking those two domains (primewire and 123netflix). I ran a few programs and it was still OK. I didn’t see anything unusual in my services, but I assume it must be something in there causing this issue. Might be best to try slowly adding back services to see which triggers the issue. I followed all 3 steps. Some changes were made, but my PC is still checking the two domains every 2 minutes. FYI, I have MalwareBytes Premium and Avira Free Version. Attached are the MalwareBytes and AdwCleaner log files. It looks like the Farbar log files contain some activation codes for some of my software. Can I send these to you privately?

     AdwCleaner[C0] 10 Feb 2018 cleaned.txt
     MalwareBytes Scan 10 Feb 2018.txt
  6. I have a Raspberry Pi set up to act as my DNS server on my network to block advertisements (Pi-Hole). It also tracks all DNS searches and has revealed that two domains are being accessed every 2 minutes by my Win7 PC: primewire.ag and 123netflix.com. This happens even when the browsers on my PC are closed. I previously visited these domains using Chrome incognito mode, so I thought they infected my PC. Malwarebytes and Avira find nothing. There are no suspicious add-ons to my browsers.

     I kept track of exactly when the Pi-Hole showed access to the two domains from my PC (every 2 minutes exactly). Ran Process Monitor (to show Network Activity) and Wireshark, both as Admin. Opened Windows Powershell as Admin and typed:

     Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains. Checked Wireshark for the same time and found the packets being sent to the Pi-hole to check the DNS of those two domains. Double clicked the packets and scrolled down to find the Source Port numbers: 57098 and 65208. Switched to Process Monitor and located the processes captured during the same time that were using those same Source Port numbers. Double clicked, and now I had the PID (1576), the Path (C:\Windows\system32), the Command Line parameters (-k NetworkService) and the process name (svchost.exe). Unfortunately, it’s the ubiquitous svchost.exe. Switched to Windows Powershell and checked out the results from when I ran the tasklist command:

     PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

     Image Name                     PID Services
     ========================= ======== ============================================
     svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc

     Now I have the Services behind svchost.exe. Then I went into the Registry and found the Registry Entries for each of the 4 Services, and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32. Ran system file checker with command

     Scanned each file with MalwareBytes and Avira. Nothing found. Decided to check each service’s Display Name and Description:

     CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

     Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer’s name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

     LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

     NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

     Now I’m stumped. Other than Blacklisting those sites on the Pi-Hole, any ideas on how to find out why they are being accessed every 2 minutes?
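As an added illustration of the first step in the post above (spotting the exact 2-minute cadence in the Pi-hole query log), and not part of the original thread: a Python script that parses constructed lines in Pi-hole's dnsmasq log format (the year is assumed, since syslog timestamps omit it) and flags client/domain pairs whose query gaps are nearly constant, the beacon-style regularity that set these two domains apart from ordinary lookups.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in Pi-hole's dnsmasq log format (syslog omits the year; 2018 assumed).
# The two domains from the thread recur at an exact 120 s cadence; the others do not.
PIHOLE_LOG = """\
Feb 10 10:00:00 dnsmasq[2150]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:00:00 dnsmasq[2150]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:00:00 dnsmasq[2150]: forwarded primewire.ag to 9.9.9.9
Feb 10 10:00:41 dnsmasq[2150]: query[A] forums.malwarebytes.com from 192.168.1.20
Feb 10 10:02:00 dnsmasq[2150]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:02:00 dnsmasq[2150]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:03:17 dnsmasq[2150]: query[A] update.avira.com from 192.168.1.15
Feb 10 10:04:00 dnsmasq[2150]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:04:00 dnsmasq[2150]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:05:58 dnsmasq[2150]: query[A] update.avira.com from 192.168.1.15
Feb 10 10:06:00 dnsmasq[2150]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:06:00 dnsmasq[2150]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:07:30 dnsmasq[2150]: query[A] update.avira.com from 192.168.1.15
"""

# Only 'query[TYPE] name from client' lines name the requesting host.
QUERY_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+: query\[\w+\] (\S+) from (\S+)$")

def parse_queries(log_text, year=2018):
    """Yield (timestamp, domain, client) for each query line; skip forwarded/reply/cached lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_periodic(log_text, min_queries=3, max_jitter=5.0):
    """Return {(client, domain): mean gap in seconds} for lookups repeating at a
    near-constant interval (population std-dev of the gaps <= max_jitter seconds)."""
    seen = defaultdict(list)
    for ts, domain, client in parse_queries(log_text):
        seen[(client, domain)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[key] = mean(gaps)
    return hits
```

On the sample, find_periodic(PIHOLE_LOG) reports only the two thread domains from 192.168.1.15 at a 120 s period and ignores the jittery update.avira.com lookups; the same check applies to a real query log for any host on the LAN, after which the port-to-PID-to-service mapping still has to be done on the client as the post describes.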