
Constant Inbound Blocked Svchosts attacks



Hello.

For the past almost 2 weeks I've been getting consistent blocked svchosts attack notifications from Malwarebytes.

Although I have scanned and re-scanned with several programs including Malwarebytes, almost all of them find nothing. Even AdwCleaner only found tracking cookies, but it did find something that I found rather disturbing, which was a "Trojan.StolenData". The only program I have not used yet was the Farbar Recovery Scanner because I was afraid that it might do something to screw up my computer. I've uninstalled a few programs and games and even disabled System Restore in hopes of clearing out any infected restore points. I believe it came from a malicious game torrent I downloaded, and now I'm on the verge of re-installing Windows just to reset this. Although I haven't noticed anything suspicious or any weird computer slowdowns, those constant daily blocked inbound connections to svchost are extremely troublesome. On average I receive about 6 - 10 per day periodically on an average span of 2 - 3 hours apart. The weird thing is, though, not a single outbound connection from svchost was ever blocked. Even though I heard that inbound connections are not as much to worry about as outbound connections, the amount of blocked attacks I've been receiving, especially in the last 2 weeks, is worrying, and the "trojan.stolendata" is also very worrying, but nothing has been detected. Please, I'm at a loss. I'm on the verge of reinstalling my entire computer, which is something I really don't want to do as it is a pain to reconfigure and reinstall everything.

Despite all I've done, I'm willing to restart from scratch with this whole cleaning process, so if you want me to re-scan again and repeat the process I just attempted to do (but perhaps poorly), just let me know. Also, this is the first time I've ever done this forum malware removal thing, and I am concerned about making my information public, so is it possible that I can make this issue personal or private in any way before I post any information? Much thanks in advance.


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact an Administrator to let them know.

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan
     

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please attach or copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
     

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies".

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.


Hello Chavez99 and welcome to Malwarebytes,

Continue with the following:

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

  • Use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Alright fine, how do I contact a forum moderator? And considering that I have the premium version of Malwarebytes, is there another alternative? I'm still receiving those svchosts attacks every hour from the same IP, which I determined to be from Russia. The IP is 46.161.27.30. I want to upload logs but I'd rather it be private. The logs, I think, might reveal personal information files as well as my family's, so I'd really want to know how to continue with this. Other than the constant daily blocked IP address from Malwarebytes, the computer seems to be running normal. Meaning, no slowdowns, odd CPU usages, or denial of access of programs. But the disturbing thing I found in one of the scans from AdwCleaner a few days ago was "trojan.stolendata".

I've uninstalled all software that has been installed when the blocked IP addresses started to happen. It used to happen very sporadically, once a week, a month. But now it's happening daily and hourly and I'd like to see this issue resolved, and I have not seen a response from anyone. I've scanned with several software in safe mode, disconnected from the internet, reset my DNS using DNSJumper. Although, when I turned on my computer this afternoon, it was fine for 3 hours, and then it started coming back up again. The only program I haven't used "only for scanning but not fixing" was Farbar recovery scanner. Since I'm not an expert I'd figure it's best if I have someone from here that privately examines my logs and prepares a fixlist for me to use. It spotted a few attention with arrows pointed like so,

"GroupPolicy\User: Restriction ? <==== ATTENTION
GroupPolicyUsers\S-1-5-21-2947177259-2993387893-2168207468-1011\User: Restriction <==== ATTENTION
GroupPolicyUsers\S-1-5-21-2947177259-2993387893-2168207468-1007\User: Restriction <==== ATTENTION"

==================== Restore Points =========================

"ATTENTION: System Restore is disabled"  (that was done by me).

P.S.

A couple days ago, Malwarebytes mysteriously had disabled website protection and was no longer in the taskbar. Although it was still able to run, it would close completely off instead of closing to the background. That issue has been resolved so far, though I'm not sure if it has to do with the potential malware or if it was simply a bug with the updates, since I noticed others had the same experience around the same time it happened to me. Nonetheless, as soon as the Protection was reported disabled, I instantly reset the computer and immediately disconnected the internet and booted into safe mode. That's when I had uninstalled all the programs dating back almost a month ago when the attacks started to occur and rescanned, deep scanned and tried to reset some settings including firewall and modem.

After doing all that, when I had nervously started the computer back in default normal mode, everything seemed fine. I was almost about to break out the champagne until 3 hours in the attacks from the same IP happened again. This is seriously pissing me off and worrying me.

I also heard a couple days ago that the FBI reported attacks from Russia that are infecting routers/modems via a malicious malware known as "VPN Filter" and advised people to reset their modems, and I've done that 3 times already.

Despite all this, I'm willing to restart from scratch and do the process all over again with a fresh start, but this time from an expert, but I don't want my files to be accessed publicly. Maybe I'm being too overly paranoid, but in this dark digital information age, you can never be too careful anymore, especially with cybercriminals running amok.

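The post above quotes flagged lines from a scan log and raises a concern about what such a log reveals when shared publicly. As an added example (not part of any post in this thread and not code from Malwarebytes or Farbar), the Python below masks the machine-specific part of account SIDs and Windows profile names, then lists the flagged lines. The function names `redact` and `flagged_lines` are hypothetical, and the `C:\Users\<name>` path layout in the sample is an assumption.

```python
import re

# Machine-specific account SIDs (S-1-5-21-<a>-<b>-<c>-<RID>). Well-known SIDs
# such as S-1-5-18 do not match and are left untouched.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")
# Assumption: profile names appear as <drive>:\Users\<name>\... in the log.
PROFILE_RE = re.compile(r'(?i)([A-Z]:\\Users\\)([^\\\r\n"]+)')
FLAG = "<==== ATTENTION"
SHARED_PROFILES = {"public", "default", "default user", "all users"}


def redact(text):
    """Mask account SIDs and profile names with stable placeholders."""
    names = {}

    def sid_sub(m):
        # Keep the trailing RID so separate accounts stay distinguishable.
        return "S-1-5-21-<machine>-" + m.group(1)

    def profile_sub(m):
        key = m.group(2).lower()
        if key in SHARED_PROFILES:
            return m.group(0)
        # Same name (case-insensitive) always maps to the same placeholder.
        names.setdefault(key, "<user%d>" % (len(names) + 1))
        return m.group(1) + names[key]

    return PROFILE_RE.sub(profile_sub, SID_RE.sub(sid_sub, text))


def flagged_lines(text):
    """Return the lines the scan marked with the ATTENTION arrow."""
    return [ln.strip() for ln in text.splitlines() if FLAG in ln]


# Constructed sample: the three flagged lines are the ones quoted in the post
# above; the three path lines are invented for illustration.
SAMPLE = "\n".join([
    r"GroupPolicy\User: Restriction ? <==== ATTENTION",
    r"GroupPolicyUsers\S-1-5-21-2947177259-2993387893-2168207468-1011\User: Restriction <==== ATTENTION",
    r"GroupPolicyUsers\S-1-5-21-2947177259-2993387893-2168207468-1007\User: Restriction <==== ATTENTION",
    r"C:\Users\Alice\Downloads\setup.exe",
    r"C:\Users\alice\AppData\Local\Temp\a.tmp",
    r"C:\Users\Public\Desktop\game.lnk",
])

if __name__ == "__main__":
    for line in flagged_lines(redact(SAMPLE)):
        print(line)
```
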

The admin guy to contact is @AdvancedSetup. You could also contact consumer support, as you have the Premium version of Malwarebytes; the option to create a ticket for support is at the following link: https://support.malwarebytes.com/community/consumer

That site is very busy so you may have to wait awhile, not sure how long...

Thank you,

Kevin..


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
