
Qu1ck
Honorary Members, 25 posts

Posts posted by Qu1ck

  1. Domain ID: 197784869_DOMAIN_COM-VRSN
       Registrar WHOIS Server: whois.markmonitor.com
       Registrar URL: http://www.markmonitor.com
       Updated Date: 2019-05-07T20:21:36Z
       Creation Date: 2005-08-18T02:10:45Z
       Registry Expiry Date: 2024-01-16T04:59:59Z
       Registrar: MarkMonitor Inc.
       Registrar IANA ID: 292
       Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
       Registrar Abuse Contact Phone: +1.2083895740
       Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
       Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
       Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
       Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
       Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
       Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
       Name Server: R1.AMAZONAWS.COM
       Name Server: R2.AMAZONAWS.COM
       Name Server: U1.AMAZONAWS.COM
       Name Server: U2.AMAZONAWS.COM
       DNSSEC: unsigned
       URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
    >>> Last update of whois database: 2019-08-01T02:41:40Z <<<

    For more information on Whois status codes, please visit https://icann.org/epp

    NOTICE: The expiration date displayed in this record is the date the
    registrar's sponsorship of the domain name registration in the registry is
    currently set to expire. This date does not necessarily reflect the expiration
    date of the domain name registrant's agreement with the sponsoring
    registrar.  Users may consult the sponsoring registrar's Whois database to
    view the registrar's reported date of expiration for this registration.

    TERMS OF USE: You are not authorized to access or query our Whois
    database through the use of electronic processes that are high-volume and
    automated except as reasonably necessary to register domain names or
    modify existing registrations; the Data in VeriSign Global Registry
    Services' ("VeriSign") Whois database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information
    about or related to a domain name registration record. VeriSign does not
    guarantee its accuracy. By submitting a Whois query, you agree to abide
    by the following terms of use: You agree that you may use this Data only
    for lawful purposes and that under no circumstances will you use this Data
    to: (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail, telephone,
    or facsimile; or (2) enable high volume, automated, electronic processes
    that apply to VeriSign (or its computer systems). The compilation,
    repackaging, dissemination or other use of this Data is expressly
    prohibited without the prior written consent of VeriSign. You agree not to
    use electronic processes that are automated and high-volume to access or
    query the Whois database except as reasonably necessary to register
    domain names or modify existing registrations. VeriSign reserves the right
    to restrict your access to the Whois database in its sole discretion to ensure
    operational stability.  VeriSign may restrict or terminate your access to the
    Whois database for failure to abide by these terms of use. VeriSign
    reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and
    Registrars.

    I've also found this after clicking on Whois on GDCAgent.exe.

  2. 53 minutes ago, AdvancedSetup said:

    No problem. Please do the following for me.

    Please go to Control Panel > Programs > Add/Remove and uninstall all versions of Java (unless you're writing Java applications yourself that require old, compromised versions of Java). Java should always be running the latest version due to ongoing attempts at exploiting it.

    Java 8 Update 151
    Java 8 Update 162
    Java 8 Update 172
    Java 8 Update 181
    Java SE Development Kit 8 Update 162

    Next, follow the directions from the topic below and reset your Google Chrome.

    Ron

    Hi Ron,

    So, as it turns out, I already have it turned off. I've also removed all the Java installations, just like you asked. I used to be a Java developer, but have since moved to other programming languages.

    [attached screenshot: Capture.PNG]
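As an added check that is not part of the thread, the following PowerShell reads the same Uninstall registry keys that Control Panel > Programs displays, so the removal of the Java entries listed above can be confirmed from the registry rather than from the UI. The directory and PATH checks at the end assume Oracle's default install locations, which the thread does not state.

```powershell
# Added example, not from the thread: confirm that no Java runtime or JDK is still
# registered with Add/Remove Programs. Reads the 64-bit, 32-bit (WOW6432Node) and
# per-user Uninstall keys, which are what Control Panel > Programs lists.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java\b' } |   # "Java 8 Update 181", "Java SE Development Kit 8 Update 162", ...
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString

if ($javaEntries) {
    Write-Warning 'Java is still registered in Add/Remove Programs:'
    $javaEntries | Format-Table -AutoSize
} else {
    'No Java entries remain in Add/Remove Programs.'
}

# Assumed default install locations for Oracle's installer (not stated in the thread).
# Leftover directories here do not run by themselves, but they are worth deleting.
Get-ChildItem -Path 'C:\Program Files\Java', 'C:\Program Files (x86)\Java' -Directory -ErrorAction SilentlyContinue |
    Select-Object FullName

# Anything still resolvable as "java" on PATH, e.g. the launcher copies Oracle's
# installer puts under C:\ProgramData\Oracle\Java\javapath (assumed location).
Get-Command -Name java.exe -ErrorAction SilentlyContinue | Select-Object Name, Source, Version
```

An empty result from all three checks is the state AdvancedSetup's instruction aims for; a `java.exe` that still resolves on PATH after the Uninstall entries are gone usually points at a leftover javapath directory or a manually extracted JDK.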

  3. Here's the AdwCleaner log

    # -------------------------------
    # Malwarebytes AdwCleaner 7.4.0.0
    # -------------------------------
    # Build:    07-23-2019
    # Database: 2019-07-22.1 (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start:    08-01-2019
    # Duration: 00:00:16
    # OS:       Windows 10 Home
    # Cleaned:  63
    # Failed:   0


    ***** [ Services ] *****

    No malicious services cleaned.

    ***** [ Folders ] *****

    Deleted       C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
    Deleted       C:\Program Files (x86)\IObit\Advanced SystemCare
    Deleted       C:\ProgramData\IOBIT\Driver Booster
    Deleted       C:\ProgramData\IObit\Advanced SystemCare

    ***** [ Files ] *****

    Deleted       C:\END

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks cleaned.

    ***** [ Registry ] *****

    Deleted       HKCU\Software\PRODUCTSETUP
    Deleted       HKCU\Software\csastats
    Deleted       HKCU\Software\win
    Deleted       HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
    Deleted       HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
    Deleted       HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
    Deleted       HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare
    Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0ABF4A2D-DDE7-4C4F-870E-D54DA3C63F3D}
    Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{83753F64-57A0-42F0-BDED-BA7AD322BC27}
    Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B2D122A3-1599-41E6-B85A-9EE046ACFE16}
    Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{BCF53B02-86DD-4A5E-964F-A5D6880A5F48}
    Deleted       HKLM\Software\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}
    Deleted       HKLM\Software\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
    Deleted       HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
    Deleted       HKLM\Software\Wow6432Node\IOBIT\ASC
    Deleted       HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
    Deleted       HKLM\Software\Wow6432Node\IObit\Driver Booster
    Deleted       HKLM\Software\Wow6432Node\IObit\RealTimeProtector
    Deleted       HKLM\Software\Wow6432Node\\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
    Deleted       HKLM\Software\Wow6432Node\\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries cleaned.

    ***** [ Chromium URLs ] *****

    No malicious Chromium URLs cleaned.

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries cleaned.

    ***** [ Firefox URLs ] *****

    No malicious Firefox URLs cleaned.

    ***** [ Preinstalled Software ] *****

    Deleted       Preinstalled.CyberLinkShellExtension
    Deleted       Preinstalled.LenovoCCSDK
    Deleted       Preinstalled.LenovoExperienceImprovement
    Deleted       Preinstalled.LenovoIMController
    Deleted       Preinstalled.LenovoPhotoMaster
    Deleted       Preinstalled.LenovoPower2Go
    Deleted       Preinstalled.LenovoPowerDVD
    Deleted       Preinstalled.LenovoQuickOptimizer
    Deleted       Preinstalled.LenovoREACHit
    Deleted       Preinstalled.LenovoSHAREit
    Deleted       Preinstalled.LenovoSolutionCenter
    Deleted       Preinstalled.LenovoUtility


    *************************

    [+] Delete Tracing Keys
    [+] Reset Winsock

    *************************

    AdwCleaner[S00].txt - [4102 octets] - [01/08/2019 01:35:05]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

  4. 51 minutes ago, AlexSmith said:

    At first glance, this does not look like malware but actually rather normal. When you start digging under the hood of Windows internals, things can get very complex. There are multiple legit instances of svchost.exe that will return if you do a search due to how Windows stores and services/updates critical OS files. Plus, you'll have versions for native 64-bit (amd64) and native 32-bit (wow64).

    For example, the instances in the WinSxS folders (aka the Windows Component Based Servicing Store) are the original versions in their component package folder. You're going to have the two architecture versions plus multiple releases depending on the Windows Updates that are installed. The ones in the System32 and SysWoW64 folders are actually just NTFS hard links to the "current version" ones stored in WinSxS.

    If you want to get a true second set of eyes on it, get us the full path to all instances (the full WinSxS path is very useful). If possible, the SHA-1 or MD5 hash of those files would be helpful too.

    C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_a590904aa2d8e5ca
    C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_9b3be5f86e7823cf
    C:\Windows\SysWOW64
    C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_a1b08abc8fc86a8f
    C:\Windows\System32
    C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_975be06a5b67a894

    I don't know how to get the hashes of these files.

    It does seem as if these files were modified at nearly the same time (except for the first file), on the 9th of January 2019. Is it possible to check whether these were downloaded by a Windows update? Is there a way I can check my update history for Windows (to make sure these files are indeed Windows' own)?

    The files I've listed are in the same order as the files in the screenshot.

    [attached screenshot: Capture.PNG]
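The reply above asks for full paths plus SHA-1/MD5 hashes, and the post asks how to get them and how to tie the files to a Windows update. Here is an added PowerShell example (not from the thread) that collects that evidence for the six locations listed. It assumes each listed entry is the folder holding svchost.exe (the two directory entries, System32 and SysWOW64, are completed the same way), that it runs from an elevated prompt, and that the host has Windows PowerShell 5.1, which ships with Windows 10.

```powershell
# Added example, not from the thread: hash, signature, hard-link and version data for
# each svchost.exe listed above. Assumes the listed entries are the folders that
# contain svchost.exe. Run elevated so fsutil can enumerate hard links.
$folders = @(
    'C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_a590904aa2d8e5ca',
    'C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_9b3be5f86e7823cf',
    'C:\Windows\SysWOW64',
    'C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_a1b08abc8fc86a8f',
    'C:\Windows\System32',
    'C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_975be06a5b67a894'
)

$report = foreach ($dir in $folders) {
    $file = Join-Path -Path $dir -ChildPath 'svchost.exe'
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "not found: $file"; continue }

    $item = Get-Item -LiteralPath $file
    # Get-AuthenticodeSignature also consults the OS signing catalogs, which is how
    # most Windows binaries (svchost.exe included) are signed.
    $sig = Get-AuthenticodeSignature -FilePath $file
    # Every path that shares this file's NTFS file record, i.e. its hard links.
    $links = (& fsutil.exe hardlink list $file) -join ' ; '

    [pscustomobject]@{
        Path      = $file
        # FileVersionRaw reads the binary version fields; the FileVersion string is
        # often left at the RTM value by Windows 10 servicing.
        Version   = $item.VersionInfo.FileVersionRaw
        Modified  = $item.LastWriteTime
        SHA1      = (Get-FileHash -LiteralPath $file -Algorithm SHA1).Hash
        SHA256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        HardLinks = $links
    }
}
$report | Format-List

# Cross-check: the System32 copy should be the same file (same hash, and listed among
# the hard links) as the newest amd64 component in WinSxS, and SysWOW64 the wow64 one.
$report | Group-Object -Property SHA256 |
    Select-Object Count, @{ n = 'Paths'; e = { $_.Group.Path -join ' ; ' } } |
    Format-List

# Updates installed in the month the poster saw the files change (January 2019),
# to set against the 17134.556 component version in the WinSxS folder names.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2019-01-01' -and $_.InstalledOn -lt [datetime]'2019-02-01' } |
    Sort-Object -Property InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

On a clean machine every `SigStatus` is `Valid`, every `Signer` subject names Microsoft Windows, and the two hash groups each contain a System32/SysWOW64 path plus its WinSxS twin; the 17134.1 components are the original release copies and will hash differently, which is expected. The same update history is visible in Settings > Update & Security > View update history, but `Get-HotFix` gives the install dates in a form that can be compared directly with the `Modified` column.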

  5. Just now, Qu1ck said:

    Hello. So, honestly, I've found out about this problem quite recently.

    About a year ago I registered a server, which in the past few weeks has been getting port scanned. Now I, frustrated, registered a new one, and the moment I did, it started getting the same type of attack (I checked the login attempts log). Anyway, this behaviour is strange to me, so I decided to run netstat -b and netstat -nao and found some random IPs which I searched for on the internet and found were reported for malicious action. netstat -b is showing my computer is connecting through svchost.exe, and so I decided to search in my file explorer for where svchost.exe might be (it is supposed to be in System32 only). Now I've got 6 instances and, oddly enough, after 5 Malwarebytes Threat scans, a Custom scan (on all the hard drives) and a Hyper Scan, I've got no threats detected.

    I would love to have some help to figure out which svchost.exe are indeed malicious and if there's a way to remove them.

    Thanks a lot,

    Dan (Qu1ck)

    [attached screenshot: Capture.PNG]

    [attached screenshot: Capture.PNG]

    I would like to add this, which shows it is the svchost.exe file making the connection.

    [attached screenshot: Capture.PNG]

    Hello. So, honestly, I've found out about this problem quite recently.

    About a year ago I registered a server, which in the past few weeks has been getting port scanned. Now I, frustrated, registered a new one, and the moment I did, it started getting the same type of attack (I checked the login attempts log). Anyway, this behaviour is strange to me, so I decided to run netstat -b and netstat -nao and found some random IPs which I searched for on the internet and found were reported for malicious action. netstat -b is showing my computer is connecting through svchost.exe, and so I decided to search in my file explorer for where svchost.exe might be (it is supposed to be in System32 only). Now I've got 6 instances and, oddly enough, after 5 Malwarebytes Threat scans, a Custom scan (on all the hard drives) and a Hyper Scan, I've got no threats detected.

    I would love to have some help to figure out which svchost.exe are indeed malicious and if there's a way to remove them.

    Thanks a lot,

    Dan (Qu1ck)

    [attached screenshot: Capture.PNG]

    [attached screenshot: Capture.PNG]
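The post (and the follow-up that quotes it) stops at what netstat -b shows: a connection owned by "svchost.exe". Because svchost.exe is only a host, the question a responder actually needs answered is which service inside that process owns the socket, and which DLL that service runs. Here is an added PowerShell example (not from the thread) that goes that one step further. It uses Get-NetTCPConnection and the Win32_Process/Win32_Service CIM classes that ship with Windows 8 and later, and should be run elevated so the image paths of SYSTEM-owned processes are readable; the service-DLL lookup assumes the usual `Parameters\ServiceDll` registry value.

```powershell
# Added example, not from the thread: tie each established TCP connection owned by an
# svchost.exe process to that process's on-disk image, the service(s) hosted in it,
# and the DLL each of those services actually runs. Run elevated; otherwise
# ExecutablePath is empty for processes belonging to other users.

# Image path per PID (Win32_Process gives the on-disk path, not just the name).
$imageByPid = @{}
Get-CimInstance -ClassName Win32_Process |
    ForEach-Object { $imageByPid[[int]$_.ProcessId] = $_.ExecutablePath }

# Service names per hosting PID; a genuine svchost.exe hosts at least one service.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId |
    ForEach-Object { $servicesByPid[[int]$_.Name] = @($_.Group.Name) }

# The only locations a running svchost.exe is legitimately loaded from.
$legitImage = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\svchost\.exe$'

$rows = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object {
        $owner = [int]$_.OwningProcess
        $image = $imageByPid[$owner]
        if (-not $image -or (Split-Path -Path $image -Leaf) -ne 'svchost.exe') { return }

        $hosted = $servicesByPid[$owner]
        # Wrong path, or an "svchost.exe" that hosts no service at all, is the red flag.
        $suspicious = ($image -notmatch $legitImage) -or (-not $hosted)
        [pscustomobject]@{
            Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID      = $owner
            Image    = $image
            Services = ($hosted -join ', ')
            Flag     = if ($suspicious) { 'INVESTIGATE' } else { '' }
        }
    }

$rows | Sort-Object -Property Remote | Format-Table -AutoSize

# A service hosted by svchost.exe is really the DLL named in its ServiceDll value
# (assumed to live under Parameters, as it does for the built-in services), so a
# clean svchost.exe binary does not by itself clear the connection: check the DLL too.
function Get-ServiceDllInfo {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    [pscustomobject]@{
        Service    = $ServiceName
        ServiceDll = $dll
        Signature  = (Get-AuthenticodeSignature -FilePath $dll).Status
    }
}

$rows | Where-Object { $_.Services } |
    ForEach-Object { $_.Services -split ', ' } |
    Sort-Object -Unique |
    ForEach-Object { Get-ServiceDllInfo -ServiceName $_ } |
    Format-Table -AutoSize
```

The same PID-to-service mapping is available from the built-in `tasklist /svc /fi "pid eq <PID>"`, which is convenient for cross-checking a single PID taken from the `netstat -nao` output in the screenshots. A connection to a blacklisted IP from a System32 svchost.exe hosting, say, a Windows Update or telemetry service is the usual benign explanation; an `INVESTIGATE` row, or a `ServiceDll` outside the Windows directory or with a signature status other than `Valid`, is what to bring back to the thread.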
