Blocking svchost.exe inbound from 109.163.233.98

[MegaPizza]

I'm not sure what this is but for the past hour MB has been blocking svchost.exe (inbound) from 109.163.233.98

I assume svchost.exe is a system process. Not sure about that particular ip address and why it is blocked.

[kevinf80]

Hello MegaPizza and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Next, Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Let me see those logs in your reply... Thank you, Kevin..

[MegaPizza]

Thanks for the reply kevinf.

At this stage I do not want to install more software. I'm curious about the current issue I'm having.

[kevinf80]

Yes i`m also very curious, hence the diagnostic scans i`ve asked you to run and post the produced logs. The scans will make no changes to your system at this point...

The IP address you quote is blacklisted, hence Malwarebytes blocks the connection attempt. Usually such connection probing can be attributed to malicious software or Browser hijackers already present on your system making outbound calls asking for an inbound connection....

IP Information for 109.163.233.98

Quick Stats

IP Location	Romania Bucharest Voxility S.r.l.
ASN	AS3223 VOXILITY, RO (registered Jul 23, 2009)
Resolve Host	lh25647.voxility.net
Whois Server	whois.ripe.net
IP Address	109.163.233.98

[steelwind]

Thanks for the diag help Kevin.

I have the same IP being blocked.  My cause was actually my VPN, 'PrivateInternetAccess.exe', was pinging out even though I wasn't connected.

Looks like they are aware though https://www.privateinternetaccess.com/forum/discussion/790/questions-regarding-the-backround-network-scans-of-rubyw-exe/p2

[MegaPizza]

Nothing detected with RogueKiller.

I'm not going to post logs because there is a lot of info in them and some may be private.

Possible it's a DNS issue like steelwind's.

 

[kevinf80]

If you will not post logs I cannot help.....

[MegaPizza]

6 minutes ago, kevinf80 said:

If you will not post logs I cannot help.....

I appreciate that, thank you.

The inbound requests have stopped for now. I guess it was a temporary thing. I was using TeamViewer at the time. Not sure if related.

I feel more safe with MB blocking potentially harmful inbound requests than I do sharing log files where I am unsure if there is information that could compromise my computer security.

[kevinf80]

We deal with many threads each day, all have requested logs posted. I do not see any threats to you from information in logs... Obviously it is your choice to post or not post logs.... The IP being blocked is definitely malicious... I can give instructions for two good scanners to check your system, there is no need for you to post the logs, just say if they find anything... Let me know what you want to do, if you do not want to progress we can just close your thread...

Thank you,

Kevin...

[steelwind]

Mind if I step in and ask for those "two good scanners" Kevin?  I'd like to just double check.

Better safe than sorry.

Thanks

[MegaPizza]

I currently have Avast antivirus and Malwarebytes. Both up-to-date. RogueKiller also found no issues.

I am happy to have a look at the scanners as well.

I will review the logs and may post them.

[kevinf80]

@MegaPizza Here are the scanners for you....

AdwCleaner: Download AdwCleaner by Xplode onto your Desktop.   Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Indepth AV Scanner: Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop. Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how Right click on and select "Run as Administrator" In the new Window accept the terms of service In the new Window select "Enable detection of potentially unwanted applictions" then expand "Advanced Settings" In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan" In the new Window new virus database signatures will download, Do Not Select Stop The Window will progress showing the scan in action.... In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply... If threats are found the following Window will open: Click on "Select All" then "Save to Text file" name and save that file, attach to your reply. Now select "Do not clean" and then close out.... Thanks.....

Edited March 28, 2017 by kevinf80

[steelwind]

Nice, thank you