Qu1ck
Posts posted by Qu1ck
Yes I'd like to, thanks for the help by the way.
-
Browser is not the issue, anyway, when I leave my computer open for some time, the screen blacks out and then returns to normal in a matter of a second, now, this has been happening for some time now and I’m wondering what could have caused it.
-
Just did it, nothing was found.
-
Have you managed to find anything?
-
Domain ID: 197784869_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-05-07T20:21:36Z
Creation Date: 2005-08-18T02:10:45Z
Registry Expiry Date: 2024-01-16T04:59:59Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: R1.AMAZONAWS.COM
Name Server: R2.AMAZONAWS.COM
Name Server: U1.AMAZONAWS.COM
Name Server: U2.AMAZONAWS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-08-01T02:41:40Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
I've also found this after clicking on Whois on the GDCAgent.exe -
After looking at the program itself, I think these have something to do with Chrome itself: the moment I close Chrome, 2 svchost.exe connections disappear. Really strange.
-
The most concerning to me are svchost.exe and also gdcagent.exe.
-
-
Well, it kept connecting to 52.230.222.68, which is a suspicious IP according to the internet, so I blocked it through the firewall, and now Windows is freezing for some time, and I see svchost.exe connecting to random IP addresses again.
-
-
Okay so I've just finished it, are we done?
-
Also, Bonjour is an app or extension because I don't seem to find it on my Windows search bar
-
Ron, I've just got 1 question, what does the fixlist.txt program do?
-
I did use Trend Micro and yes I've uninstalled it because it was too outdated, was too lazy to reinstall it again.
-
Just updated it.
-
There you go (I've also added Addition.txt, just in case you need it)
-
-
53 minutes ago, AdvancedSetup said:
No problem. Please do the following for me.
Please go to Control Panel, Programs, Add/Remove and uninstall all versions of Java (unless you're writing Java applications yourself that require old, compromised versions of Java). Java should always be on the latest version due to ongoing attempts at exploiting it.
Java 8 Update 151
Java 8 Update 162
Java 8 Update 172
Java 8 Update 181
Java SE Development Kit 8 Update 162
Next, follow the directions from the topic below and reset your Google Chrome.
Ron
Hi Ron,
So, as it turns out, I already have it turned off. I've also removed all the Java installations, just as you asked; I used to be a Java developer, but have since moved to other programming languages.
-
Here are the results from step 3. I'm sorry that these are in Polish; my operating system is in Polish.
-
Here's the AdwCleaner log
# -------------------------------
# Malwarebytes AdwCleaner 7.4.0.0
# -------------------------------
# Build: 07-23-2019
# Database: 2019-07-22.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-01-2019
# Duration: 00:00:16
# OS: Windows 10 Home
# Cleaned: 63
# Failed: 0
***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
Deleted C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
Deleted C:\Program Files (x86)\IObit\Advanced SystemCare
Deleted C:\ProgramData\IOBIT\Driver Booster
Deleted C:\ProgramData\IObit\Advanced SystemCare
***** [ Files ] *****
Deleted C:\END
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks cleaned.
***** [ Registry ] *****
Deleted HKCU\Software\PRODUCTSETUP
Deleted HKCU\Software\csastats
Deleted HKCU\Software\win
Deleted HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
Deleted HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0ABF4A2D-DDE7-4C4F-870E-D54DA3C63F3D}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{83753F64-57A0-42F0-BDED-BA7AD322BC27}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{B2D122A3-1599-41E6-B85A-9EE046ACFE16}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{BCF53B02-86DD-4A5E-964F-A5D6880A5F48}
Deleted HKLM\Software\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}
Deleted HKLM\Software\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
Deleted HKLM\Software\Wow6432Node\IOBIT\ASC
Deleted HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
Deleted HKLM\Software\Wow6432Node\IObit\Driver Booster
Deleted HKLM\Software\Wow6432Node\IObit\RealTimeProtector
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.
***** [ Preinstalled Software ] *****
Deleted Preinstalled.CyberLinkShellExtension
Deleted Preinstalled.LenovoCCSDK
Deleted Preinstalled.LenovoExperienceImprovement
Deleted Preinstalled.LenovoIMController
Deleted Preinstalled.LenovoPhotoMaster
Deleted Preinstalled.LenovoPower2Go
Deleted Preinstalled.LenovoPowerDVD
Deleted Preinstalled.LenovoQuickOptimizer
Deleted Preinstalled.LenovoREACHit
Deleted Preinstalled.LenovoSHAREit
Deleted Preinstalled.LenovoSolutionCenter
Deleted Preinstalled.LenovoUtility
*************************
[+] Delete Tracing Keys
[+] Reset Winsock
*************************
AdwCleaner[S00].txt - [4102 octets] - [01/08/2019 01:35:05]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
-
I've attached the log from Malwarebytes, and I'll upload FRST.txt and Addition.txt in a separate reply
-
51 minutes ago, AlexSmith said:
At first glance, this does not look like malware but actually rather normal. When you start digging under the hood of Windows internals, things can get very complex. There are multiple legit instances of svchost.exe that will return if you do a search, due to how Windows stores and services/updates critical OS files. Plus, you'll have versions for native 64-bit (amd64) and native 32-bit (wow64).
For example, the instances in the WinSxS folders (aka the Windows Component Based Servicing Store) are the original versions in their component package folder. You're going to have the two architecture versions plus multiple releases depending on which Windows Updates are installed. The ones in the System32 and SysWoW64 folders are actually just NTFS hard links to the "current version" ones stored in WinSxS.
If you want to get a true second set of eyes on it, get us the full path to all instances (the full WinSxS path is very useful). If possible, the SHA-1 or MD5 hash of those files would be helpful too.
C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_a590904aa2d8e5ca
C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.1_none_9b3be5f86e7823cf
C:\Windows\SysWOW64
C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_a1b08abc8fc86a8f
C:\Windows\System32
C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_975be06a5b67a894
I don't know how to get the hashes of these files.
It does seem as if these files were modified at nearly the same time (except for the first file), on the 9th of January 2019. Is it possible to check if these were downloaded by a Windows update? Is there a way I can check my update history for Windows (to make sure these files are indeed Windows')?
The files I've listed are in the same order of the files in the screenshot.
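The hashes and full paths asked for above can be collected in one pass. This is an added PowerShell example, not something posted in the thread; it assumes Windows 10 with PowerShell 5.1, run from an elevated prompt, and that the system drive is C:.

```powershell
# Added example (not from the thread): enumerate every svchost.exe under the
# Windows directories, report path, size, timestamp, SHA-1/SHA-256 and whether
# it carries a valid Microsoft signature. Windows OS binaries are catalog-signed,
# and Get-AuthenticodeSignature checks the catalog on Windows 10.
$roots = 'C:\Windows\System32', 'C:\Windows\SysWOW64', 'C:\Windows\WinSxS'

$results = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'svchost.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SHA1      = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status                       # expect 'Valid'
                Signer    = $sig.SignerCertificate.Subject    # expect Microsoft Windows
            }
        }
}

$results | Format-List

# The System32 / SysWOW64 copies are hard links to the current WinSxS component,
# so identical hashes across those pairs are expected. Anything with a signature
# status other than Valid, or sitting outside these directories, is what to
# report back for a second look.
$results | Where-Object { $_.SigStatus -ne 'Valid' } | Select-Object Path, SigStatus, Signer

# Correlate the file timestamps with the update history Windows itself reports.
Get-HotFix | Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn
```

Sysinternals `sigcheck -h -i <path>` gives the same hash-plus-signature view for a single file if PowerShell is not convenient.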
-
Just now, Qu1ck said:
Hello, so honestly, I've found this problem quite recently.
About a year ago I registered a server, which in the past few weeks has been getting port scanned. Frustrated, I registered a new one, and the moment I did, it started getting the same type of attack (I checked the login attempts log). Anyway, this behaviour is strange to me, so I decided to run netstat -b and netstat -nao and found some random IPs which I searched on the internet and found were reported for malicious action. netstat -b is showing my computer is connecting through svchost.exe, so I decided to search in my file explorer for where svchost.exe might be (it is supposed to be in System32 only). Now, I've got 6 instances and, oddly enough, after 5 Malwarebytes Threat scans, a Custom scan (on all the hard drives) and a Hyper Scan, I've got no threats detected.
I would love to have some help to figure out which svchost.exe are indeed malicious and if there's a way to remove them.
Thanks a lot,
Dan (Qu1ck)
I would like to add this, which shows it is the svchost.exe file making the connection
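Because every svchost.exe instance hosts one or more services, the useful question is which service owns the connection, not just which executable. This added PowerShell example (not code from the thread) maps each established outbound TCP connection to its PID, image path and hosted services; it assumes Windows 10 and an elevated prompt so OwningProcess resolves for every PID.

```powershell
# Added example (not from the thread): list established outbound TCP connections
# with the owning process and, for svchost.exe, the services running in that PID.
# This is the PowerShell equivalent of combining "netstat -bo" with "tasklist /svc".
$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

$report = foreach ($c in $connections) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # Win32_Service exposes ProcessId, which tells us which services share this PID.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
        PID      = $c.OwningProcess
        Process  = $proc.ProcessName
        Path     = $proc.Path              # a genuine svchost.exe lives in C:\Windows\System32
        Services = ($svcs -join ', ')      # e.g. wuauserv, BITS, DoSvc for update traffic
    }
}

$report | Sort-Object Remote | Format-Table -AutoSize

# Connections whose owner is not in the Windows directory, or an svchost.exe
# hosting no service at all, are the ones worth investigating further.
$report | Where-Object { $_.Process -eq 'svchost' -and -not $_.Services }
```

Identifying the service before blocking an address matters: a firewall rule that cuts off Windows Update or Delivery Optimization traffic can leave the OS retrying and appearing to hang.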
-
Hello, so honestly, I've found this problem quite recently.
About a year ago I registered a server, which in the past few weeks has been getting port scanned. Frustrated, I registered a new one, and the moment I did, it started getting the same type of attack (I checked the login attempts log). Anyway, this behaviour is strange to me, so I decided to run netstat -b and netstat -nao and found some random IPs which I searched on the internet and found were reported for malicious action. netstat -b is showing my computer is connecting through svchost.exe, so I decided to search in my file explorer for where svchost.exe might be (it is supposed to be in System32 only). Now, I've got 6 instances and, oddly enough, after 5 Malwarebytes Threat scans, a Custom scan (on all the hard drives) and a Hyper Scan, I've got no threats detected.
I would love to have some help to figure out which svchost.exe are indeed malicious and if there's a way to remove them.
Thanks a lot,
Dan (Qu1ck)
svchost.exe shows in 6 different locations
in Resolved Malware Removal Logs
I'd also like to add that for some reason Windows Defender is taking more CPU processing power and Memory than Chrome for some reason.
Here's the location of the file, it was changed 6 days ago I think C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\MsMpEng.exe maybe that has to do something with anything?