Jump to content

Outbound access from Windows file


AT2014
 Share

Recommended Posts

I've spent hours trying to figure out what's going on. MWB keeps blocking access from a .net framework file called RegSvcs to a domain online. Every 2 seconds. I renamed the file and then it tried to do so from another version of .net install of the same file. I've ran rkill, MW bytes, adwkill and a bunch of other programs and still haven't figured it out. I ran the ,net removal tool and reinstalled .net through windows upgrade and it's still showing up. It wasn't yesterday. All I get from googleing is that it's a NANO Admin or w/e that means.

Link to post
Share on other sites

Hello AT2014,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image (may have changed to three (3) vertical dots.)
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

I also want to see a Protection log from Malwarebytes that shows the IP blocks from RegSvcs.exe. That is a legitimate executable file developed by Microsoft. That process is known as Microsoft .Net Services Installation Utility and it belongs to the software Microsoft .Net Framework.

Open Malwarebytes..
 
  • Click on the History tab > Application Logs.
  • Double click on the Protection Log which shows the most recent Date and time..
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your next reply...

Thank you,

Kevin...

 

 

Link to post
Share on other sites

Good morning, Kevin. Unfortunately, or rather fortunately, I think this thread should be closed.

 

I am the OP's brother. I came over early this morning to take a look. As he did, I, too, ran various scans and even used the same software that you guys recommend. Incidentally, it's something I use myself at work (S.SE) and couldn't find anything. I went ahead and looked at various parts of the system and couldn't figure out why RegSvcs.exe was behaving in this manner. I myself have used MalwareBytes since you guys were around in the very old days. Quality stuff here.

Anyway, I ran various tools again, even going and looking through the registry until I decided to unhide files and went digging. I found a file in a alphanumeric folder under %appdata%. The file within contained some three or four files. Do excuse me, I only got 4 hours of sleep last night before waking up to do this before work. Anyway, I noticed the extensions of the files were .lock which I'd only seen in test bed computers where they were exposed to ransomeware. I could not delete the file through explorer, but did install unlocker and looked at what file it was relating to. It pointed directly at the file in the OP's problem under the .Net Framework slash 4.0 319 whatsit. I booted into safe mode, ran RKill and some other scans, yet again, then was able to delete the files and then some suspicious ones. For some, I did have to use unlocker.

I dumped the %temp% folder as well, just in case, and then rebooted out of safe mode thru msconfig. I've been sitting at said computer for roughly 20 minutes it seems and reopening the log files occasionally. All I see is the unit starting and stating it is running. So far so good.

Going by the FRST files, I see nothing out of the ordinary. Which is nigh confusing seeing as it should show up unless he came across some nifty ransomware. Thankfully, MalwareBytes Pro stopped it from downloading and encrypting any files. I went ahead and opened a few hundred files here and there and nothing seems amiss. I'm still confused why it wasn't picking up in earlier scans. My skillset doesn't extend much into pen-testing so you guys will have to fill me in here. :)

Though from the logs I did google the dynamic dns address it was attempting to connect to. I googled that and found it had been brought up in research databases long ago. What I got from that was that it was connected to something called nanocore RAT, which I'd read about a couple of years ago.

This was a fresh Xeon build so I was very confused at how this could happen until I realized on the prior build I'd set up some Group Software Policies and cordoned off the majority of the C drive from typical ransomewares. It all started with the Cryptolocker debacle in late 2014 or was it earlier than that?

 

Anyway, I'll be leaving his computer on for the day and come back after work to check on the logs. I've sent the FRST logs to my work email to print them out in large text there and go over them. If still puzzled, I'll PM you if possible.

In closing, MalwareBytes rocks. Give a big hug to Marcin for me.

Link to post
Share on other sites

Actually, 1 question before I leave for work, his Windows doesn't seem to show the icon in the task bar but the software is running when you look for it in taskman~.exe. Was or is there an option to show the emblem down there or is something corrupt and I should reinstall the software?

Link to post
Share on other sites

No, the notifications area. Windows 7, but I ended up rebuilding the cache through Prompt as per a Microsoft answer, restarted and voila. Now, I do have a question for you. In order to prevent this again in the future which is both a waste of time for me and you, would it be wise for me to be a good brother and purchase a anti exploit license or rather purchase a combo license right now for him to prevent these drive by attacks in future?

Though I'm confused. Anti-ransomeware is currently in beta 8 per forum records. Is one or the other in addition to a quality AV and MalwareBytes Anti-Malware Premium with Anti-Exploit a better route?

To me they seem to be the same thing unless I'm missing something crucial here. I do wish MB would combine these programs together in one package but it makes more sense to split them apart to slow down an attack's ability to prevent or shut down service. Then again, there's Chameleon.

 

Have a good weekend and early happy holidays.

Link to post
Share on other sites

Thanks for the update, good to hear you`ve got your brother`s PC sorted out... Regarding security, yes I understand the confusion regarding all of the available Malwarebytes programs. Anti-Ransomware is in Beta as the intention was always to roll it up with Malwarebytes-Antimalware. The same goes for MB Anti-Exploit, AdwCleaner and JRT. As you can see MB will be a formidable security package when this comes to fruition. Another great addition will be an Anti-Virus component...

The tool I just describe (Malwarebytes Version 3) is actually out now and released as Public Beta for testing. probably a good idea to have a look at the following link before you make any security purchases.

https://forums.malwarebytes.org/forum/174-malwarebytes-30-beta/

Are we ok to close out this thread...? Have a great weekend yourself...

Regards,

Kevin

 

Link to post
Share on other sites

he asked me to post this.
 

Quote

 

Kevin, no problem, mate. I made a clone of his hard drive to see just what was installed in the time between it functioning normally and when this occurred. Two applications were installed between 11/16 and the thread's creation. Anything prior to the aforementioned date goes back 6+ months. HD Tune Pro trial from the official site on my recommendation due to a drive slowing down. It could be the vehicle for the driveby. I've gone ahead and contacted the developer, but I doubt I'll get an answer anytime soon. The sum data is a match, but who knows. Additionally, something called NOX Android Player showed up. There was also DropBox and Spotify, but these are valid services. I looked into NOX as I hadn't heard of it. Referencing data, I came across a few threads on Reddit where a person noticed it was communicating with several servers located in the PRC. I've asked him to uninstall the application and do another scan, which found nothing. I've gone ahead and purchased him a license from American Megatrends for their AMIDuOS product, which we use at work. It's fast, simple and it works. It's also clean.

 

I am considering slipping in a hosts file addition of advertising and known malware lists available online and vetted by community members. I've also recommended ditching Adblock Plus for Ublock Origin, but according to him the malware and adware lists lag the browser despite it being a multi core Xeon workstation. I'm surprised MalwareBytes Professional doesn't do this. Perhaps this can be a sweet suggestion for the higher-ups? I'd hope so. Thanks for the heads up on the new beta. I'm open to suggestions of software to prevent any download but sans execution of data. My home PC uses a blend of SRP and AppLocker. I could use SRPs on his computer but unfortunately I suspect it'll become frustrating. His OS is W7 Pro, which I thought supported AppLocker. It does not. I could buy a license for W10 Pro provided it has AppLocker. I'm open to suggestions on how to proceed this rather bizarre and troubling situation. MS screwed the pooch with that decision.

 

Cheers.

David

 

 

Link to post
Share on other sites

Hello David,

Thanks for the update and offered advice... I`m a volunteer here at Malwarebytes, however I can assure you all logs are monitored by Malwarebytes Professional Staff. Any suggestions you may offer will certainly be looked at and actioned if necessary.....

 
Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.