Search the Community
Showing results for tags 'access'.
Found 4 results
Tuba posted a topic in Resolved Malware Removal Logs

I have a Raspberry Pi set up to act as my DNS server on my network to block advertisements (Pi-Hole). It also tracks all DNS searches and has revealed that two domains are being accessed every 2 minutes by my Win7 PC: primewire.ag and 123netflix.com. This happens even when the browsers on my PC are closed. I previously visited these domains using Chrome incognito mode, so I thought they infected my PC. Malwarebytes and Avira find nothing. There are no suspicious add-ons to my browsers.

I kept track of exactly when the Pi-Hole showed access to the two domains from my PC (every 2 minutes exactly). Ran Process Monitor (to show Network Activity) and Wireshark, both as Admin. Opened Windows Powershell as Admin and typed: Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains.

Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains. Double clicked the packets and scrolled down to find the Source Port numbers: 57098 and 65208. Switched to Process Monitor and located the processes captured during the same time that were using those same Source Port numbers. Double clicked and now I had: the PID (1576), the Path (C:\Windows\system32), the Command Line parameters (-k NetworkService) and the process name (svchost.exe). Unfortunately, it's the ubiquitous svchost.exe.

Switched to Windows Powershell and checked out the results from when I ran the tasklist command.

PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc

Now I have the Services behind svchost.exe. Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths.

They're all under %SystemRoot%\System32: Ran System File Checker with command Scanned each file with MalwareBytes and Avira. Nothing found.

Decided to check each service's Display Name and Description:

CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Now I'm stumped.
Other than Blacklisting those sites on the Pi-Hole, any ideas on how to find out why they are being accessed every 2 minutes?
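One way to script the port-to-PID-to-service-DLL correlation that the post does by hand, as an added example that is not part of the original post. It assumes Windows 8 or later for Get-NetUDPEndpoint (Windows 7 has no such cmdlet; netstat -ano gives the same port-to-PID mapping there), an elevated prompt, and the post's source port 57098 as an illustrative value; the function name Resolve-DnsSourcePort is my own.

```powershell
# Added example (not from the original post): correlate a DNS query's UDP source
# port with the owning PID, the services hosted in that svchost.exe, and each
# service's ServiceDll, then check the DLL's Authenticode signature.
# Assumes Windows 8+ (Get-NetUDPEndpoint) and an elevated PowerShell prompt.
function Resolve-DnsSourcePort {
    param([Parameter(Mandatory)][int]$SourcePort)

    # 1. Owning process of the local UDP port. This only works while the socket
    #    is still open, so run it the moment the query shows up in Wireshark.
    $ep = Get-NetUDPEndpoint -LocalPort $SourcePort -ErrorAction SilentlyContinue |
          Select-Object -First 1
    if (-not $ep) {
        Write-Warning "No open UDP socket on port $SourcePort (already closed?)."
        return
    }
    $proc = Get-Process -Id $ep.OwningProcess
    Write-Host ("PID {0} -> {1}" -f $proc.Id, $proc.Path)

    # 2. Services hosted in that process (the same list 'tasklist /svc' prints).
    Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" | ForEach-Object {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        # 3. svchost-hosted services load their code from the ServiceDll value,
        #    normally under ...\Parameters, occasionally on the service key itself.
        $dll = (Get-ItemProperty "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) {
            $dll = (Get-ItemProperty $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        $sig = 'n/a'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            # 4. A replaced or patched service DLL normally fails signature validation.
            if (Test-Path $dll) { $sig = (Get-AuthenticodeSignature $dll).Status }
        }
        [pscustomobject]@{
            Service    = $_.Name
            Display    = $_.DisplayName
            StartMode  = $_.StartMode
            ServiceDll = $dll
            Signature  = $sig
        }
    }
}

# Usage with the source port from the post (illustrative value):
Resolve-DnsSourcePort -SourcePort 57098 | Format-Table -AutoSize
```

A "Valid" signature on every ServiceDll makes a tampered system binary unlikely and points back at legitimate service behaviour (for example the DNS Client re-resolving entries) rather than a replaced file.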
slack7639 posted a topic in Anti-Ransomware Beta

I'm not getting an answer on this in the MBAE forum. MBAR seems like it's most responsible for me seeing the TMP files. What's that about? MBAE and MBAR, Access Denied, visible TMP files - Anti-Exploit Beta - Malwarebytes Forums . . . https://forums.malwarebytes.com/topic/214152-mbae-and-mbar-access-denied-visible-tmp-files/
Using Win 10, MBAE and MBAR, I was unable to rename folders and move files from one folder to another. I did a Restart and was able to, but then this would start again. I turned off MBAE - no effect . . . I turned off MBAR - back to normal. I'm working on an xlsx, and save it . . . What are these Temp files I see in File Explorer? I turn off MBAE . . . F5 to refresh the folder . . . they disappear. I type something else into the xlsx, save it, and get the Temp files back. I then turn off MBAR . . . no F5 required, they disappear on their own.
Hello. I need help!! Sorry if I make it hard to help me--I've never done anything like this before. I've had the MPC Cleaner/Desktop/AdCleaner virus on my PC for quite a while. After several attempts at trying to get it removed I've only been met with frustration!! I'm simply at my end. People I know personally have offered help with it, but it has been months and still I'm sitting here, infected. Whenever I try to delete the MPC folder, I'm told that I am not the administrator of the computer and so I cannot do it. Trying to end the MPC process results in a message telling me that my access is denied. I've tried multiple scans and uninstall software but nothing has worked for me. MPC remains unremovable even in safe mode. Please, help me!! I'm at my wit's end.