
I have a Raspberry Pi set up to act as my DNS server on my network to block advertisements (Pi-Hole). It also tracks all DNS searches and has revealed that two domains are being accessed every 2 minutes by my Win7 PC - primewire.ag and 123netflix.com

This happens even when the browsers on my PC are closed.

I previously visited these domains using Chrome incognito mode so I thought they infected my PC.

Malwarebytes and Avira find nothing. There are no suspicious add-ons to my browsers.

I kept track of exactly when the Pi-Hole showed access to the two domains from my PC (every 2 minutes exactly).

Ran Process Monitor (to show Network Activity) and Wireshark both as Admin. Opened Windows Powershell as Admin and typed:

tasklist /svc /fi "imagename eq svchost.exe"

Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains.

Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains.

Double clicked the packets and scrolled down to find the Source Port numbers:
57098 and 65208

Switched to Process Monitor and located the processes captured during the same time that was using those same Source Port numbers.

Double clicked and now I had:

  • the PID (1576),
  • the Path (C:\Windows\system32),
  • the Command Line parameters (-k NetworkService) and
  • the process name (svchost.exe)

Unfortunately, it’s the ubiquitous svchost.exe

Switched to Windows Powershell and checked out the results from when I ran the tasklist command.
PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc

Now I have the Services behind svchost.exe.

Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32:

CryptSvc = cryptsvc.dll
Dnscache = dnsapi.dll
LanmanWorkstation = wkssvc.dll
NlaSvc = nlasvc.dll

Ran System File Checker with the command

sfc /scannow
Windows Resource Protection did not find any integrity violations.

Scanned each file with MalwareBytes and Avira.
Nothing found.

Decided to check each service’s Display Name and Description:
CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer’s name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Now I’m stumped. Other than Blacklisting those sites on the Pi-Hole, any ideas on how to find out why they are being accessed every 2 minutes?
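The port matching done by hand above (Wireshark source port, then the Process Monitor socket event with that port, then the PID, then `tasklist /svc` for the services hosted by that svchost) can be scripted against the tools' exports. The following is an added example, not code from this thread or from Malwarebytes: the tshark-style query list, the Process Monitor CSV (columns simplified) and the tasklist output are constructed samples modelled on the post, and the host names `MyPC` and `pi.hole` are placeholders. It matches on timestamp as well as port, because ephemeral source ports are reused and a port-only match would misattribute a query.

```python
import csv
import re
from datetime import datetime, timedelta

# Constructed tshark-style export of DNS queries on the wire: "time,src port,qname".
DNS_QUERIES = """\
2018-02-10 10:04:00.120,57098,primewire.ag
2018-02-10 10:04:00.121,65208,123netflix.com
2018-02-10 10:04:07.000,57098,www.example.test
"""

# Constructed Process Monitor CSV (Network Activity, columns simplified). Note the
# third row: chrome.exe reuses source port 57098 seven seconds after svchost did.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path"
"10:04:00.1203","svchost.exe","1576","UDP Send","MyPC:57098 -> pi.hole:53"
"10:04:00.1211","svchost.exe","1576","UDP Send","MyPC:65208 -> pi.hole:53"
"10:04:07.0004","chrome.exe","4411","UDP Send","MyPC:57098 -> pi.hole:53"
"""

# Constructed "tasklist /svc" output shaped like the post, with the wrapped NlaSvc line.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
"""

def parse_tasklist(text):
    """Map PID -> hosted services; a wrapped service list continues on indented lines."""
    services, pid = {}, None
    for line in text.splitlines()[2:]:  # skip the header and the ===== ruler
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            pid = int(m.group(2))
            services[pid] = [s.strip() for s in m.group(3).split(",") if s.strip()]
        elif pid is not None and line.strip():
            services[pid] += [s.strip() for s in line.split(",") if s.strip()]
    return services

def parse_procmon(text, day):
    rows = []  # (timestamp, local port, process, pid) for rows whose Path has a local port
    for r in csv.DictReader(text.splitlines()):
        m = re.match(r"^[^:]+:(\d+) ->", r["Path"])
        if m:
            ts = datetime.strptime(f"{day} {r['Time of Day']}", "%Y-%m-%d %H:%M:%S.%f")
            rows.append((ts, int(m.group(1)), r["Process Name"], int(r["PID"])))
    return rows

def attribute_queries(dns_text, procmon_text, tasklist_text, window=timedelta(seconds=1)):
    """Join each DNS query to the closest socket event with the same source port inside `window`."""
    procmon = parse_procmon(procmon_text, dns_text.split()[0])
    svcs = parse_tasklist(tasklist_text)
    result = {}
    for line in dns_text.splitlines():
        when, port, qname = line.split(",")
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S.%f")
        near = [p for p in procmon if p[1] == int(port) and abs(p[0] - ts) <= window]
        best = min(near, key=lambda p: abs(p[0] - ts), default=None)
        result[qname] = best and (best[2], best[3], svcs.get(best[3], []))  # None if unmatched
    return result
```

For a non-svchost process the service list is empty, which is the point: only an svchost PID needs the extra `tasklist /svc` step to learn which hosted service issued the lookup.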


Hello @Tuba and :welcome:

Good work on researching this. Let me have you go ahead and run the following scans and see what we come up with.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Ron,

Thanks for helping.

2 things to note before I respond to your instructions:

  1. My PC does a DNS check on the two domains with the Pi-Hole but it does not seem to be sending packets to those domains. I filter Wireshark using the “ip ==” for the IP addresses of those sites (104.25.83.57, 104.25.84.57, 104.31.16.3 and 104.31.17.3) and nothing shows up.
  2. I used msconfig to run a clean boot of my PC by disabling everything except the Microsoft services. Upon reboot, my PC was not checking those two domains (primewire and 123netflix). I ran a few programs and still OK. I didn’t see anything unusual in my services but I assume it must be something in there causing this issue. Might be best to try slowly adding back services to see which triggers the issue.

I followed all 3 steps. Some changes were made but my PC is still checking the two domains every 2 minutes.

FYI, I have MalwareBytes Premium and Avira Free Version.

Attached are the MalwareBytes and AdwClean log files. It looks like the Farbar log files contains some activation codes for some of my software.

Can I send these to you privately?

AdwCleaner[C0] 10 Feb 2018 cleaned.txt

MalwareBytes Scan 10 Feb 2018.txt

16 hours ago, AdvancedSetup said:
FRST doesn't typically grab any codes on purpose. But, you can send me a private message with those logs if you like.

Thanks

Ron

 

Logs sent!

 


Difficult to say for sure without deeper analysis, but this computer shows signs it is being, or was used, by someone to steal software. As such we won't assist in that endeavor. We'll help you to remove malware, but not analyze it to safely steal software.

There are some plugins and programs used that I probably wouldn't use on my computer but that does not make them bad.

At this point I would probably suggest doing a full reset on your browsers and see if that corrects the issue. There are underlying programs that can make calls to other programs that may be the cause of the issue you're seeing. It may not be the issue but is an easy fix if it is. As you know and have shown yourself there are some "less used" services running on the system that could potentially be tied in as well.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  (Screenshot in the original post: all files and folders selected, except Bookmarks.)

 

Restart your computer now and verify if the block is gone now and let me know.

Thanks

Ron

 

 

Ron,
 
Not trying to steal software so no need to help me with that!
 
But appreciate your continued help to cure my PC of malware.
 
I reset all 3 browsers as per your instructions. Rebooted and it's still happening.
 
Then I ran the Kaspersky Virus Removal Tool. It didn't find any viruses.
 
Please let me know what else I should try.


Let's disconnect the PI for now temporarily. Then run the following commands from an elevated admin command prompt.
This should reset most of the caching of your network.

IPCONFIG    /FLUSHDNS

ARP -d *

nbtstat -R

route -f

Then restart the computer and make sure all browsers, instant messengers, and similar programs that reach out to the internet are closed down. Then wait a couple minutes and open an elevated admin command prompt and type the following and post back the results. You can send via PM if you like. -o is an OH not a Zero.

 

netstat -b -n -o

 

Thanks

Ron

 

 


Ron,

I turned off the PI and followed your instructions.

Here are the results (note that 192.168.1.15 is my PC’s IP address):

PS C:\Users\sager> netstat -b -n -o
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5357         127.0.0.1:49186        TIME_WAIT       0
  TCP    127.0.0.1:49174        127.0.0.1:49175        TIME_WAIT       0
  TCP    127.0.0.1:49275        127.0.0.1:49276        TIME_WAIT       0
  TCP    127.0.0.1:49279        127.0.0.1:49280        TIME_WAIT       0
  TCP    127.0.0.1:49301        127.0.0.1:2559         SYN_SENT        3668
 [nvtray.exe]
  TCP    192.168.1.15:49173     112.106.186.155:443    TIME_WAIT       0
  TCP    192.168.1.15:49180     192.168.1.1:80         CLOSE_WAIT      3656
 [Avira.ServiceHost.exe]
  TCP    192.168.1.15:49185     65.202.184.40:80       TIME_WAIT       0
  TCP    192.168.1.15:49195     23.73.177.242:443      ESTABLISHED     7088
 [mbamtray.exe]
  TCP    192.168.1.15:49205     54.186.155.102:443     CLOSE_WAIT      4400
 [mbamservice.exe]
  TCP    192.168.1.15:49226     23.212.158.252:80      ESTABLISHED     5524
 [wmiprvse.exe]
  TCP    192.168.1.15:49274     112.106.186.155:443    TIME_WAIT       0
  TCP    192.168.1.15:49278     112.106.186.155:443    TIME_WAIT       0
  TCP    [::1]:2869             [::1]:49190            TIME_WAIT       0

Afterwards I ran Wireshark. My PC is still reaching out to resolve the DNS on those 2 websites.


Ron,

I found it!

I remembered that the issue went away when I used msconfig to run a clean boot of my PC by disabling everything except the Microsoft services.

So I started removing non-Microsoft services and then adding them back gradually, rebooting each time, to see if I could find one service that I could stop that would cure the problem.

It worked. It's been over 10 minutes running without any access to either domain.

The service that I stopped to cure the problem was MalwareBytes!

So I re-enabled MalwareBytes and rebooted. As soon as MalwareBytes loaded, there was a DNS check on both websites. I then manually exited MalwareBytes and waited 10 minutes. The access was stopped.

Digging further I realized that those two websites were the only ones I had whitelisted in the Exclusions section of the MalwareBytes settings.

To further test it, I also added ‘forums.malwarebytes.com’ to the Exclusions section. BAM! My PC did a DNS check on ‘primewire.ag’, ‘123netflix.com’ and ‘forums.malwarebytes.com’ all at the same time!

So the call was coming from inside the house. :lol:

Any thoughts on how to stop MalwareBytes from DNS checking whitelisted domains?


I will have to check with the QA team and see what they think is going on. I wouldn't think it should be checking every 2 minutes like you say.

Thanks

Ron

 


Thanks for reaching out. This is intended behavior because of the way our blocking system works. We can put a block on a DNS name, an IP address, or both the hostname and IP address. So if you add a hostname to the whitelist, we query that hostname every 2 minutes in case the IP address of that server changes so we can make sure to not block the IP address either. Because of the way Windows works, we can't wait for the user to type 123netflix.com into their browser, look up the IP address, and then return the site because the hostname isn't always passed down through the networking stack to our driver.

We have some plans to make this a little smarter in the future, but in the examples you provided (whitelisting a site that is on the blocklist) this is expected.
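Fixed-interval lookups like the 2-minute re-resolution described above are exactly what stood out in the Pi-hole log at the start of this thread, and they can be surfaced from the log automatically. This is an added example, not code from the thread or from Malwarebytes; it reads constructed dnsmasq-format lines (the format Pi-hole writes, with made-up timestamps that mimic the post) and flags client/domain pairs whose query gaps are nearly constant. As the thread itself shows, such a pattern is a triage signal to attribute to a process, not proof of compromise, since security software re-resolving its exclusions looks the same as a beacon.

```python
import re
from datetime import datetime
from statistics import median

# Constructed Pi-hole (dnsmasq) log lines: two domains queried by 192.168.1.15 every
# 120 s, one domain queried at irregular times, one query from a second client.
PIHOLE_LOG = """\
Feb 10 10:00:00 dnsmasq[1234]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:00:00 dnsmasq[1234]: reply primewire.ag is 104.25.83.57
Feb 10 10:00:00 dnsmasq[1234]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:00:41 dnsmasq[1234]: query[A] www.example.test from 192.168.1.15
Feb 10 10:02:00 dnsmasq[1234]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:02:00 dnsmasq[1234]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:03:17 dnsmasq[1234]: query[A] www.example.test from 192.168.1.15
Feb 10 10:04:00 dnsmasq[1234]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:04:00 dnsmasq[1234]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:04:55 dnsmasq[1234]: query[A] www.example.test from 192.168.1.15
Feb 10 10:05:10 dnsmasq[1234]: query[A] www.example.test from 192.168.1.15
Feb 10 10:06:00 dnsmasq[1234]: query[A] primewire.ag from 192.168.1.15
Feb 10 10:06:00 dnsmasq[1234]: query[A] 123netflix.com from 192.168.1.15
Feb 10 10:06:00 dnsmasq[1234]: query[A] primewire.ag from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def parse_log(text, year=2018):
    """Return {(client, domain): [timestamps]} from the query lines; reply/forwarded lines are skipped."""
    series = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        series.setdefault((m.group(3), m.group(2)), []).append(ts)
    return series

def find_periodic(series, min_queries=4, max_jitter=0.1):
    """Flag (client, domain) pairs whose inter-query gaps are nearly constant.
    Returns {(client, domain): period_seconds}. Jitter is the largest deviation of a
    gap from the median gap, relative to the median; 0.1 tolerates 10 % timer drift."""
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and max(abs(g - med) for g in gaps) <= max_jitter * med:
            flagged[key] = med
    return flagged
```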


Devin,

Thanks for clarifying. Wish we would have met 3 weeks ago. :]

I suspected it was something like that but I considered such behavior more appropriate for a user addition to a blacklist rather than a user addition to a whitelist.

DNS propagation can take 24-48 hours. Checking every 2 minutes for something that can only change every day or two at most seems like overkill.

Especially since the user can see if a website on the whitelist is being blocked by MalwareBytes. And at that point a forced DNS refresh option in the settings would solve the problem.

Any idea why I wasn’t able to trace the DNS query back to MalwareBytes as the process? As per my initial post, I was only able to see svchost and CryptSvc, Dnscache, LanmanWorkstation and NlaSvc services beyond it.

On 2/15/2018 at 7:07 PM, dcollins said:

On 2/15/2018 at 11:41 PM, Tuba said:

Hey Devin,

Hoping you or someone on your team can respond to my questions above. Thanks.


Sorry @Tuba, I completely missed the question at the end.

The reason this wasn't tracked back to Malwarebytes is because we use a driver (MBAMWebProtection) to handle these requests, which interacts directly with the DNS on the system. I don't know exactly which process flow it takes through the system, so I don't have more info on how you could've tracked that down directly to the driver.

As for the DNS request, sites that are considered malicious actually update their DNS records quite frequently, so if a user excludes one we want to make sure it's available for them. And while we could include some text around how to refresh your DNS settings, most users don't want to have to do that, they just want their software to work as they've configured it.

Hopefully that helps, let me know if you have any other questions.

 
