Qu1ck

Everything posted by Qu1ck

  1. I'd also like to add that for some reason Windows Defender is taking more CPU processing power and memory than Chrome. Here's the location of the file; it was changed 6 days ago I think: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\MsMpEng.exe. Maybe that has something to do with it?
  2. Browser is not the issue. Anyway, when I leave my computer open for some time, the screen blacks out and then returns to normal in a matter of a second. Now, this has been happening for some time and I'm wondering what could have caused it.
  3. I've also found this after clicking on Whois on the GDCAgent.exe:

      Domain ID: 197784869_DOMAIN_COM-VRSN
      Registrar WHOIS Server: whois.markmonitor.com
      Registrar URL: http://www.markmonitor.com
      Updated Date: 2019-05-07T20:21:36Z
      Creation Date: 2005-08-18T02:10:45Z
      Registry Expiry Date: 2024-01-16T04:59:59Z
      Registrar: MarkMonitor Inc.
      Registrar IANA ID: 292
      Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
      Registrar Abuse Contact Phone: +1.2083895740
      Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
      Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
      Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
      Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
      Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
      Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
      Name Server: R1.AMAZONAWS.COM
      Name Server: R2.AMAZONAWS.COM
      Name Server: U1.AMAZONAWS.COM
      Name Server: U2.AMAZONAWS.COM
      DNSSEC: unsigned
      >>> Last update of whois database: 2019-08-01T02:41:40Z <<<
  4. After looking at the program itself, I think these have something to do with Chrome itself; the moment I close Chrome, 2 svchost.exe connections disappear. Really strange.
  5. The most concerning to me are svchost.exe and also gdcagent.exe.
  6. Well it kept connecting to 52.230.222.68 which is a suspicious IP according to the internet, so I blocked it through the firewall and now Windows is freezing for some time, and I see svchost.exe connecting to random IP addresses again.
  7. Also, Bonjour is an app or extension because I don't seem to find it on my Windows search bar
  8. Ron, I've just got 1 question, what does the fixlist.txt program do?
  9. I did use Trend Micro and yes I've uninstalled it because it was too outdated, was too lazy to reinstall it again.
  10. There you go (I've also added Addition.txt, just in case you need it) Addition.txt FRST.txt
  11. Hi Ron, so, as it turns out, I already have it turned off. I've also removed all the Java installations, just like you've asked. I used to be a Java developer, but have since moved to other programming languages.
  12. Here are the results from step 3. I'm sorry that these are in Polish; my operating system is in Polish. Addition.txt FRST.txt
  13. Here's the AdwCleaner log:

      # -------------------------------
      # Malwarebytes AdwCleaner 7.4.0.0
      # -------------------------------
      # Build: 07-23-2019
      # Database: 2019-07-22.1 (Cloud)
      # Support: https://www.malwarebytes.com/support
      #
      # -------------------------------
      # Mode: Clean
      # -------------------------------
      # Start: 08-01-2019
      # Duration: 00:00:16
      # OS: Windows 10 Home
      # Cleaned: 63
      # Failed: 0

      ***** [ Services ] *****
      No malicious services cleaned.

      ***** [ Folders ] *****
      Deleted C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
      Deleted C:\Program Files (x86)\IObit\Advanced SystemCare
      Deleted C:\ProgramData\IOBIT\Driver Booster
      Deleted C:\ProgramData\IObit\Advanced SystemCare

      ***** [ Files ] *****
      Deleted C:\END

      ***** [ DLL ] *****
      No malicious DLLs cleaned.

      ***** [ WMI ] *****
      No malicious WMI cleaned.

      ***** [ Shortcuts ] *****
      No malicious shortcuts cleaned.

      ***** [ Tasks ] *****
      No malicious tasks cleaned.

      ***** [ Registry ] *****
      Deleted HKCU\Software\PRODUCTSETUP
      Deleted HKCU\Software\csastats
      Deleted HKCU\Software\win
      Deleted HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
      Deleted HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
      Deleted HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
      Deleted HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare
      Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0ABF4A2D-DDE7-4C4F-870E-D54DA3C63F3D}
      Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{83753F64-57A0-42F0-BDED-BA7AD322BC27}
      Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B2D122A3-1599-41E6-B85A-9EE046ACFE16}
      Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{BCF53B02-86DD-4A5E-964F-A5D6880A5F48}
      Deleted HKLM\Software\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}
      Deleted HKLM\Software\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
      Deleted HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
      Deleted HKLM\Software\Wow6432Node\IOBIT\ASC
      Deleted HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
      Deleted HKLM\Software\Wow6432Node\IObit\Driver Booster
      Deleted HKLM\Software\Wow6432Node\IObit\RealTimeProtector
      Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
      Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}

      ***** [ Chromium (and derivatives) ] *****
      No malicious Chromium entries cleaned.

      ***** [ Chromium URLs ] *****
      No malicious Chromium URLs cleaned.

      ***** [ Firefox (and derivatives) ] *****
      No malicious Firefox entries cleaned.

      ***** [ Firefox URLs ] *****
      No malicious Firefox URLs cleaned.

      ***** [ Preinstalled Software ] *****
      Deleted Preinstalled.CyberLinkShellExtension
      Deleted Preinstalled.LenovoCCSDK
      Deleted Preinstalled.LenovoExperienceImprovement
      Deleted Preinstalled.LenovoIMController
      Deleted Preinstalled.LenovoPhotoMaster
      Deleted Preinstalled.LenovoPower2Go
      Deleted Preinstalled.LenovoPowerDVD
      Deleted Preinstalled.LenovoQuickOptimizer
      Deleted Preinstalled.LenovoREACHit
      Deleted Preinstalled.LenovoSHAREit
      Deleted Preinstalled.LenovoSolutionCenter
      Deleted Preinstalled.LenovoUtility

      *************************
      [+] Delete Tracing Keys
      [+] Reset Winsock
      *************************

      AdwCleaner[S00].txt - [4102 octets] - [01/08/2019 01:35:05]

      ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
  14. I've attached the log from Malwarebytes, and I'll upload FRST.txt and Addition.txt in a separate reply. hi.txt
  15. The svchost.exe copies I found:

      C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_a590904aa2d8e5ca
      C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_9b3be5f86e7823cf
      C:\Windows\SysWOW64
      C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_a1b08abc8fc86a8f
      C:\Windows\System32
      C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_975be06a5b67a894

      I don't know how to get the hashes of these files. It does seem as if these files were modified at nearly the same time (except for the first file), on the 9th of January 2019. Is it possible to check if these were downloaded by a Windows update? Is there a way I can check my update history for Windows (to make sure these files are indeed Windows')? The files I've listed are in the same order as the files in the screenshot.
  16. I would like to add this, which shows it is the svchost.exe file making the connection
  17. Hello, so honestly, I've found out about this problem quite recently. About a year ago I registered a server, which in the past few weeks has been getting port scanned. Now I, frustrated, registered a new one, and the moment I did, it started getting the same type of attack (I checked the login attempts log). Anyway, this behaviour is strange to me, so I decided to run netstat -b and netstat -nao and found some random IPs which I searched on the internet and found were reported for malicious action. netstat -b is showing my computer is connecting through svchost.exe, and so I decided to search on my file explorer where svchost.exe might be (it is supposed to be in System32 only). Now, I've got 6 instances and, oddly enough, after 5 Malwarebytes Threat scans, a Custom scan (on all the hard drives) and a Hyper Scan, I've got no threats detected. I would love to have some help to figure out which svchost.exe are indeed malicious and if there's a way to remove them. Thanks a lot, Dan (Qu1ck)
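Added example, not from the thread or from Malwarebytes staff: the questions in posts 15 and 17 (how to hash the svchost.exe copies, how to tell whether they are Windows' own, which running instance owns a connection that netstat -b only attributes to "svchost.exe") can be answered with built-in PowerShell on Windows 10. It assumes an elevated prompt; the WinSxS wildcard matches the component-store folders listed in post 15.

```powershell
# 1) On-disk copies: hash each one and check its Authenticode/catalog signature.
#    WinSxS is the component store, so a System32 copy that matches the WinSxS copy
#    of the same build (10.0.17134.556 above) is the expected state, not a finding.
$copies = Get-ChildItem -Path "$env:SystemRoot\System32\svchost.exe",
                              "$env:SystemRoot\SysWOW64\svchost.exe",
                              "$env:SystemRoot\WinSxS\*services-svchost*\svchost.exe"
$copies | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        Modified  = $_.LastWriteTime
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status        # expect 'Valid'
        OSBinary  = $sig.IsOSBinary    # expect True for Microsoft-signed system files
    }
} | Format-Table -AutoSize

# 2) Update history (post 15 asks whether the January modification came from Windows Update)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn

# 3) Running instances: join PID -> image path -> hosted services -> remote endpoints.
#    A genuine instance runs from System32/SysWOW64, is started as "svchost.exe -k <group>"
#    and hosts at least one service; anything else is the instance to look at first.
$conns    = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$services = Get-CimInstance Win32_Service
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $p = $_
    $remote = $conns | Where-Object { $_.OwningProcess -eq $p.ProcessId } |
              ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique
    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $p.ExecutablePath      # $null if the process is protected
        InSystem32 = $p.ExecutablePath -like "$env:SystemRoot\Sys*\svchost.exe"
        HasGroup   = $p.CommandLine -match '-k\s+\S+'
        Services   = (($services | Where-Object ProcessId -eq $p.ProcessId).Name) -join ','
        Remote     = $remote -join ' '
    }
} | Sort-Object InSystem32, HasGroup | Format-Table -Wrap -AutoSize
```

The Services column is what netstat -b cannot show: it tells you which service group (for example the one holding a given remote address) is behind each svchost.exe, so the connection can be traced to a named service rather than to the generic host process.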