Inbound McSvHost.exe and svchost.exe websites being blocked constantly



Hi there :)

I am having constant messages pop up with Malwarebytes blocking two different inbound files, from the IP address 103.225.137.62, which from what I could find belongs to some TV service in the Philippines. I turned the rootkit option on for scanning in Malwarebytes also, but no scans have found anything. These seem to be the two files that are constantly popping up, with recent Malwarebytes reports copied below. Also attached are the FRST and Addition reports, as completed with Farbar Recovery Scan Tool. Any help would be greatly appreciated, thank you!

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/24/17
Protection Event Time: 6:39 PM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1793
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: 
IP Address: 103.225.137.62
Port: [62933]
Type: Outbound
File: C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/24/17
Protection Event Time: 6:33 PM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1793
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: 
IP Address: 103.225.137.62
Port: [62933]
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

Addition.txt

FRST.txt

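Both protection-event records above name the same remote endpoint, 103.225.137.62 on port 62933, and the log's own Type field reads Outbound for both. The script below is an added example (not Malwarebytes code and not part of the original post) that parses records in this exact log format and groups them by remote endpoint, so a pile of these pop-ups reduces to "which image paths talked to which ip:port". SAMPLE_LOG is constructed from the two records pasted above, trimmed to the fields the parser reads; any other input shape is an assumption.

```python
"""Triage helper for Malwarebytes "Blocked Website" protection-event logs.

Added example for this thread, not Malwarebytes code. SAMPLE_LOG is
constructed from the two records pasted in the post above (abbreviated to
the fields this script reads); any other input shape is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/24/17
Protection Event Time: 6:39 PM
Logfile: 
Administrator: Yes

-System Information-
OS: Windows 10
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: 
IP Address: 103.225.137.62
Port: [62933]
Type: Outbound
File: C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/24/17
Protection Event Time: 6:33 PM
User: System

-Website Data-
Domain: 
IP Address: 103.225.137.62
Port: [62933]
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)
"""

# "Key: value" lines; keys in this format are words separated by spaces.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")


def parse_events(text):
    """Split the log on the '(end)' record terminator and turn every
    record that carries an IP Address into a flat event dict."""
    events = []
    for record in text.split("(end)"):
        fields = {}
        for line in record.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "IP Address" not in fields:
            continue  # banner or trailing fragment, not a blocked-website event
        port_text = fields.get("Port", "").strip("[]")
        events.append({
            "when": (fields.get("Protection Event Date", "") + " "
                     + fields.get("Protection Event Time", "")).strip(),
            "ip": fields["IP Address"],
            "port": int(port_text) if port_text.isdigit() else None,
            "direction": fields.get("Type", ""),
            "domain": fields.get("Domain", ""),
            "file": fields.get("File", ""),
            "user": fields.get("User", ""),
        })
    return events


def group_by_endpoint(events):
    """(ip, port) -> sorted list of distinct image paths that reached it."""
    by_endpoint = defaultdict(set)
    for e in events:
        by_endpoint[(e["ip"], e["port"])].add(e["file"])
    return {ep: sorted(files) for ep, files in by_endpoint.items()}


def is_windows_system_image(path):
    """True for images under C:\\Windows\\System32 (where svchost.exe lives).
    Such an entry names the host process, not the service that opened the socket."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\system32\\")


def shared_endpoints(events):
    """Endpoints reached by more than one distinct process. One remote ip:port
    reached from both a Windows service host and a third-party service binary
    is the pattern in this thread; it calls for identifying the hosted service
    and checking the third-party file, not for assuming either is malware."""
    return {ep: files for ep, files in group_by_endpoint(events).items()
            if len(files) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ep, files in shared_endpoints(evs).items():
        print(f"{ep[0]}:{ep[1]} reached by {len(files)} processes")
        for f in files:
            tag = "system host" if is_windows_system_image(f) else "third-party"
            print(f"  [{tag}] {f}")
```

An svchost.exe entry on its own does not identify the origin: svchost hosts many services, so the next step on the machine is to match the connection to a PID with `netstat -ano` (or `netstat -anob` from an elevated prompt) and that PID to its service group with `tasklist /svc`; for the McAfee binary, `Get-AuthenticodeSignature` in PowerShell confirms whether the file at that path is still vendor-signed. None of those steps is automated here.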

Hello Brittany and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes, deal with any found entries... Then select "Export Summary", then "Text File (*.txt)", name that log and save it; you can copy or attach it to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After the restart, the AdwCleaner[C*] Notepad log will appear; please copy/paste it in your next reply. * is the number of the clean run in the list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure you get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform the scan and click Finish when it is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log includes details for each time MSRT has run; we only need the most recent run by date and time....

Let me see those logs, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin....

fixlist.txt

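The last step above opens mrt.log by hand and keeps only the newest run. As an added example (not part of kevinf80's post and not Microsoft's code), the script below parses that log's record layout and returns the most recent run by its Started On timestamp, with run mode, summary lines and return code. SAMPLE_MRT_LOG is constructed from the two MSRT runs pasted later in this thread; the layout it assumes (a long dashed separator, a Started On line, Key: value lines, a Results Summary section, a Return code line) is exactly that one. On a real machine, read C:\Windows\debug\mrt.log and pass its contents to latest_run().

```python
"""Pull the most recent MSRT run out of C:\\Windows\\debug\\mrt.log.

Added example for this thread, not Microsoft's code. SAMPLE_MRT_LOG is
constructed from the two runs pasted later in the thread; the record
layout assumed is exactly that one.
"""
import re
from datetime import datetime

SAMPLE_MRT_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Wed Apr 19 17:49:36 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 19 17:54:03 2017


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Sun Apr 30 23:32:42 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Apr 30 23:46:51 2017


Return code: 0 (0x0)
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"                  # e.g. "Sun Apr 30 23:32:42 2017"
SEPARATOR_RE = re.compile(r"^-{40,}\s*$", re.M)    # the long run separator, not the 16-dash underline
FINISHED_MARK = "Microsoft Windows Malicious Software Removal Tool Finished On "


def _field(chunk, key):
    """Value of a 'Key: value' line inside one run, or None."""
    m = re.search(rf"^{re.escape(key)}: (.*)$", chunk, re.M)
    return m.group(1).strip() if m else None


def _summary_lines(chunk):
    """Lines between the 'Results Summary:' underline and the Finished line."""
    out, collecting = [], False
    for line in chunk.splitlines():
        if line.startswith("Results Summary:"):
            collecting = True
            continue
        if collecting:
            if line.startswith(FINISHED_MARK):
                break
            text = line.strip()
            if text and set(text) != {"-"}:
                out.append(text)
    return out


def parse_runs(text):
    """One dict per run, in file order; chunks without a Started On line are skipped."""
    runs = []
    for chunk in SEPARATOR_RE.split(text):
        m = re.search(r"^Started On (.+)$", chunk, re.M)
        if not m:
            continue  # empty text before the first separator
        fin = re.search(r"Finished On (.+)$", chunk, re.M)
        ret = re.search(r"^Return code: (\d+)", chunk, re.M)
        summary = _summary_lines(chunk)
        runs.append({
            "started": datetime.strptime(m.group(1).strip(), TIME_FMT),
            "finished": datetime.strptime(fin.group(1).strip(), TIME_FMT) if fin else None,
            "engine": _field(chunk, "Engine"),
            "signatures": _field(chunk, "Signatures"),
            "run_mode": _field(chunk, "Run Mode"),
            "summary": summary,
            "return_code": int(ret.group(1)) if ret else None,
            "clean": "No infection found." in summary,
        })
    return runs


def latest_run(text):
    """The run with the newest Started On timestamp, or None if nothing parsed.
    Choosing by timestamp rather than file position guards against a log
    that was appended out of order."""
    runs = parse_runs(text)
    return max(runs, key=lambda r: r["started"]) if runs else None


if __name__ == "__main__":
    run = latest_run(SAMPLE_MRT_LOG)
    print(run["started"], run["run_mode"], run["return_code"], run["summary"])
```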

Yes please! Malwarebytes doesn't seem to be giving me the constant notifications at the moment, but I would like to make sure I have removed any threats. Attached is the malwarebytes export summary and copied here is the AdwCleaner[C0] text file.

# AdwCleaner v6.046 - Logfile created 30/04/2017 at 23:08:25
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-29.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : britt - LAPTOP-KQNSUSSV
# Running from : C:\Users\britt\Desktop\adwcleaner_6.046.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdpohbejnbclggljmoijjcpdhbaaijfm


***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mixidj.delta-search.com/?affID=121136&tt=gc_&babsrc=HP_ss&mntrId=B23684A6C88B4788
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2013-12-21 18:33:03&v=17.2.0.38&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08 20:08:03&v=17.3.1.204&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://search.conduit.com/?ctid=CT3319434&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP40A6D9E0-B515-45A3-9AC0-A3321E79CA29&SSPV=
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com/?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2013-12-21%2018:33:03&v=17.2.0.38&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com/?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08%2020:08:03&v=17.3.1.204&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08 20:08:03&v=18.1.0.443&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08 20:08:03&v=18.1.5.512&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08 20:08:03&v=18.1.7.598&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxps://mysearch.avg.com?cid={3FBADCCC-F53C-428B-AE31-ADC3911EE30C}&mid=c9b0087a409947d3a1eb55ef8e6fae78-244066784179902a36a3312546bbb7833d48a589&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-08 20:08:03&v=18.1.9.799&pid=safeguard&sg=&sap=hp
[-] [C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: cdpohbejnbclggljmoijjcpdhbaaijfm


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4134 Bytes] - [30/04/2017 23:08:25]
C:\AdwCleaner\AdwCleaner[S0].txt - [3754 Bytes] - [30/04/2017 23:04:53]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4280 Bytes] ##########
 

Export Summary.txt


The JRT text file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by britt (Administrator) on Sun 30/04/2017 at 23:20:21.90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 4 

Successfully deleted: C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio (Folder) 
Successfully deleted: C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gkojfkhlekighikafcpjkiklfbnlmeio (Folder) 
Successfully deleted: C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage-journal (File) 
Successfully deleted: C:\Users\britt\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage (File) 

Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 30/04/2017 at 23:26:05.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Wed Apr 19 17:49:36 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Scan Run From Windows Update

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 19 17:54:03 2017


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
Started On Sun Apr 30 23:32:42 2017

Engine: 1.1.13601.0
Signatures: 1.239.313.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Sun Apr 30 23:46:51 2017


Return code: 0 (0x0)
 


How is your PC behaving now, are there any issues or concerns...? If none lets clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts on Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point reflecting the current system state will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
