Greetings,

So, as mentioned in my title, for a while now since installing MWB Premium, I have had the occasional notification from MWB that svchost.exe is being blocked (I think mostly outbound connections). The latest notification I got was from Monday, and using a Whois IP lookup, the IP belonged to the Philippines. I have no idea what was trying to connect to it.

I am currently running both Bitdefender Internet Security 2017 and Malwarebytes Premium. A full system scan on both reveals nothing. RKill shows no malware processes to terminate and HitmanPro shows nothing. I have also checked my IPv4 DNS and it is set to "obtain DNS automatically". A further check using the F-Secure Router Checker web page shows that everything is also running fine and my router has not been hijacked (if it was, I think the other housemates would also notice). I have experienced no redirecting or pop-up ads during browsing.

I hope experts will chime in and help me solve my issue, be it using FRST or other programs.

Thank-you
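The block notifications in the post above name svchost.exe, which is only a host process; the useful question is which Windows service inside that svchost instance opened the connection, and whether the image is the genuine one from System32. The script below is an added example, not code from the thread or from Malwarebytes. It assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later), an elevated PowerShell session, and a placeholder address in `$RemoteIp` (an RFC 5737 documentation address) that you replace with the IP from the block notification; on Windows 7 use `netstat -ano -b` from an elevated prompt for the PID-to-image mapping instead.

```powershell
# Added example (not from the forum thread): attribute an outbound svchost.exe
# connection to the Windows service that owns it and verify the svchost binary.
# Requires Get-NetTCPConnection (Windows 8 / Server 2012+) and an elevated session.
# $RemoteIp is a placeholder (RFC 5737 documentation address); substitute the
# address from the Malwarebytes block and run this while the block is recurring.
param(
    [string]$RemoteIp = '203.0.113.10'
)

$genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'

$conns = @(Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue)
if ($conns.Count -eq 0) {
    Write-Warning "No current TCP connection to $RemoteIp. Outbound blocks are short-lived; rerun while Malwarebytes is reporting the block."
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }   # the process may already have exited

    # One svchost instance hosts one or more services; the service, not svchost
    # itself, is the real actor behind the connection.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                Select-Object -ExpandProperty Name

    # A genuine svchost.exe lives in System32 and carries a valid Microsoft signature.
    # $proc.Path is null when the process belongs to a higher integrity level than
    # this session, which is why the script should be run elevated.
    $sigStatus = 'unknown'
    $signer    = ''
    if ($proc.Path) {
        $sig       = Get-AuthenticodeSignature -FilePath $proc.Path
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Local         = "$($c.LocalAddress):$($c.LocalPort)"
        Remote        = "$($c.RemoteAddress):$($c.RemotePort)"
        State         = $c.State
        PID           = $c.OwningProcess
        Image         = $proc.Path
        IsGenuinePath = ($proc.Path -ieq $genuine)
        Signature     = $sigStatus
        Signer        = $signer
        Services      = ($services -join ', ')
    }
}

# Independent of any live connection: a file named svchost.exe outside the
# Windows system directories deserves a close look, because a look-alike name
# in another folder is a common way for malware to blend into process lists.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notmatch '\\Windows\\(System32|SysWOW64|WinSxS)' } |
    Select-Object FullName, Length, LastWriteTime
```

Save it as a .ps1 and run it as Administrator while the block is happening. A row with `IsGenuinePath` true, `Signature` Valid and a Microsoft signer means the connection came from a legitimate Windows service, and the `Services` column tells you which one to look into (telemetry, update, time sync and similar services routinely talk to addresses whose Whois country means nothing on its own). A false `IsGenuinePath`, an invalid signature, or an svchost.exe listed by the final search is what actually merits the deeper malware hunt the thread goes on to do.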

Dear Ron,

May I kindly ask how I can access the protection log?

Thank-you

P.S. I no longer have reports of the block, as I have recently cleared my reports so I can monitor new reports. There was a large backlog of old reports.

EDIT: From my FRST logs, can you make out any form of malware or rootkit infection?

Thank-you

Edited by TechNewb

  • Root Admin

Did not see anything obvious. Let me have you run the following, though; it will check things a bit deeper.

Please restart the computer first, then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click on JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double-click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Cheers

Ron

Dear Ron, 

Here are the log files requested. I disabled all my antivirus programs before running JRT, but I am unsure whether I fully disabled them, although I followed all the instructions provided.
Surprisingly, AdwCleaner found a program MP3Tagger and a Chrome cookie(?) as malicious, even though MWB Premium and BitDefender Internet Security 2017 found nothing.
I have also completed a Sophos scan and it found nothing. Therefore, no Sophos logs will be provided.

By the way, prior to signing up for this forum to inquire about my issue, I have also followed the instructions provided here:
https://www.bleepingcomputer.com/virus-removal/fix-malicious-web-site-blocked-alert-from-svchost.exe/
but to no avail. Step 13 mentions that if I encounter such issues, my DNS would be hijacked. I am pretty worried about the issue. How can I know if my DNS has been hijacked?
I have checked my IPv4 properties and it is set to "Obtain DNS automatically". To be sure, I have logged into my Wi-Fi router to check my DNS. I contacted my ISP and verified that it is indeed a valid DNS provided by my ISP (both primary and secondary DNS).
Thank-you
  

FRST.txt

Addition.txt

JRT.txt

AdwCleaner[C0].txt


  • Root Admin

As your computer has an English version of Windows installed, I find this entry with Unicode characters a bit odd, but maybe you linked to a non-English website?

ShortcutWithArgument: C:\Users\user\Desktop\グランブルーファンタジー[ChromeApps版].lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=eablgejicbklomgaiclcolfilbkckngf
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\グランブルーファンタジー[ChromeApps版].lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=eablgejicbklomgaiclcolfilbkckngf

 

You have some programs crashing but the computer does not appear to be infected.

Let me have you run the following, though, and we'll check some network DNS settings.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

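The MiniToolBox checklist above (hosts file, IP configuration, proxy settings, Winsock entries) is the standard DNS-hijack triage, and the same checks can be done directly, with one addition the tool's report does not make explicit: whether a resolver was set statically on an adapter that is supposed to get DNS from DHCP, and whether the configured resolver returns the same answers as independent public resolvers. The script below is an added example, not part of the thread or of MiniToolBox. It assumes Windows 8/10 cmdlets (Get-NetAdapter, Get-DnsClientServerAddress, Resolve-DnsName) and an elevated session; `$ReferenceResolvers` and `$TestName` are assumptions, and any public resolver and any stable, well-known host name will do.

```powershell
# Added example (not from the thread, not part of MiniToolBox): DNS-hijack
# triage for Windows 8/10. Run elevated. $ReferenceResolvers and $TestName are
# assumed values; on Windows 7 use ipconfig /all and nslookup instead.
$ReferenceResolvers = @('8.8.8.8', '1.1.1.1')
$TestName           = 'www.microsoft.com'

Write-Host '== Resolver configuration per active adapter =='
# NameServer is a statically configured resolver; DhcpNameServer is what the
# router handed out. A NameServer value on an adapter set to "obtain DNS
# automatically" is exactly what DNS-changer malware leaves behind.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($_.InterfaceGuid)"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $eff = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    [pscustomobject]@{
        Adapter      = $_.Name
        StaticDns    = $p.NameServer
        DhcpDns      = $p.DhcpNameServer
        EffectiveDns = ($eff -join ', ')
    }
} | Format-Table -AutoSize

Write-Host '== Non-comment entries in the hosts file (normally none) =='
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }

Write-Host '== WinINet proxy settings (ProxyEnable=1 or an AutoConfigURL you did not set is a finding) =='
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

Write-Host '== Winsock catalog providers (expect Microsoft DLLs under System32) =='
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'

Write-Host "== Configured resolver vs. public resolvers for $TestName =="
# A hijacking resolver forges answers for chosen names, so compare its A records
# with independent resolvers. CDN-hosted names can legitimately differ between
# resolvers, so a mismatch is a prompt to dig further, not proof of tampering.
function Get-ARecords([string]$Name, [string]$Server) {
    $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $params.Server = $Server }
    @(Resolve-DnsName @params | Where-Object QueryType -eq 'A' | ForEach-Object IPAddress | Sort-Object)
}
$local = Get-ARecords $TestName
foreach ($r in $ReferenceResolvers) {
    $ref = Get-ARecords $TestName $r
    [pscustomobject]@{
        Resolver    = $r
        LocalAnswer = ($local -join ', ')
        RefAnswer   = ($ref -join ', ')
        Match       = (($local -join ',') -eq ($ref -join ','))
    }
}
```

What this cannot see is the router itself: if the router's upstream resolvers were changed, every adapter still looks clean (DHCP hands out the router's own address as DNS), and the only check is the one the thread ends up doing, comparing the resolvers shown in the router's admin page against the ones the ISP publishes.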

By the way, I just saw the Firefox warning from using MiniToolBox. Just want to let you know that I never used Firefox; it came preloaded on my PC. It was only after I installed BitDefender that I removed Firefox.
The browser I mainly use is Opera.

Thank-you 

Edited by TechNewb

  • Root Admin

Some of the crashes appear to be from BitDefender. Possibly uninstalling it and reinstalling it may fix it, not sure. If it continues you may need to contact BitDefender support about that.

I would highly recommend using Google Public DNS

https://developers.google.com/speed/public-dns/

Give that a read and try using their DNS servers.

Aside from that the computer appears okay at this time. Are you having any other issue that looks like it might be malware?


Dear Ron,

Thank-you for the fast reply. I guess there is no suspicious activity at this point in time. From the results obtained from MTB, does everything seem normal?
Or should I contact my ISP and request a technician to reset my router?
I think I will contact BitDefender and show them the FRST logs perhaps?

Thank-you


  • Root Admin

You can typically reset the router on your own.

Please review the following website and read it before continuing, and then do a hard reset back to factory defaults for your router.
This information is only for resetting the router. DO NOT erase, install, or update the firmware; just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30


  • Root Admin

Yes, you can reopen the topic if it's not too old. If it's very old, you should probably open a new topic.

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (You may already have this.)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining you can manually delete (right-click, Delete),
i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, the C:\FRST folder, the FRST-OlderVersion folder, the MBAR folder, etc. For AdwCleaner, just run the program and click Uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.


Dear Ron,

Thank-you once again for the quick reply. I have run the DelFix tool and used UltraSearch to find all of the files and logs related to the tools utilized and deleted them. My main problem now is that I cannot remove the system restore point for JRT despite following the instructions.

I have also contacted my ISP to request technical assistance to reset my router. I dare not reset the router myself as there are other users.

Thank-you


32 minutes ago, AdvancedSetup said:

No, that's a normal setting; even I myself will make some changes to the start menu. The program can't tell if the user made the change or malware.

Your computer shows no signs of any real infection.

Thanks for the reply, Ron.

Just a quick update: my ISP's technician just left after resetting my router. When they checked the DNS settings on my router, all was well, and they mentioned that it is indeed my ISP's DNS (both primary and secondary). I guess I am in the clear for now.

I would then like to kindly request that this topic be closed. If anything comes up again, I will perhaps PM you to re-open the topic. Would that be okay?

Thank-you


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.