Jump to content

Recommended Posts

Receiving a constant stream of popups from Malwarebytes about a riskware website being blocked. There is no domain given, and it continues even if I am not accessing my browser. It is referencing System32\svchost.exe. This file also exists in SysWOW64 once and WinSxS twice. The IP address is 123.123.123.123. A malwarebytes scan does not find anything, and I've run adwcleaner. I've uploaded an export of one of the event logs, and I can upload whatever other log data is needed.

 

Would like help in identifying if this is a stream of false positives, or if some other malicious file is causing the popups. Thank you.

report_log.txt

Link to post
Share on other sites

Hello risotto73 and welcome to Malwarebytes,

That IP address is not a false positive, have a look here: https://www.virustotal.com/en/ip-address/123.123.123.123/information/

The block is against inbound calls so Malwarebytes is just doing its job. Have you recently installed any new software, or made any changes to your PC or router...?

Run the following:

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.



Do not use the Remove Selected option until i`ve had a look at the log..

Thanks,

Kevin..

Link to post
Share on other sites

Hey Kevin,

Thank you for offering your assistance. I have pasted my Rougekiller log below. 

 

RogueKiller V12.13.1.0 (x64) [Sep 17 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : mcc89 [Administrator]
Started from : C:\Users\mcc89\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 09/17/2018 16:27:19 (Duration : 00:24:40)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 23.252.205.6 23.252.205.7 ([-][United States])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22306bd7-6a56-4365-8d1d-706598eed0ef} | DhcpNameServer : 23.252.205.6 23.252.205.7 ([-][United States])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : PriceBlink Coupons and Price Comparison [aoiidodopnnhiflaflbfeblnojefhigh] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.reddit.com/r/worldnews] -> Found
[PUM.HomePage][Chrome:Config] Profile 1 [SecurePrefs] : session.startup_urls [https://mail.google.com/mail/u/0/#inbox|https://calendar.google.com/calendar/r?tab=mc] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Crucial_CT250MX200SSD4 +++++
--- User ---
[MBR] 4441e9188f7ee0bcfcad848eccbda8ca
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 237859 MB
User = LL1 ... OK
User = LL2 ... OK
 

Link to post
Share on other sites

Thanks for that log, did you knowingly install the following addon extension to Chrome:

[PUP.Gen0][Chrome:Addon] Default : PriceBlink Coupons and Price Comparison [aoiidodopnnhiflaflbfeblnojefhigh] -> Found

https://www.reasoncoresecurity.com/aoiidodopnnhiflaflbfeblnojefhigh-4.2.crx-3d76c0dd21e5b2abc1c874bb23e0ff1c2628be59.aspx

The other two browser entries check out as clean at VirusTotal..

 

Link to post
Share on other sites

Your FRST logs are clean, the only entry in the RK log which may be an issue is the extension [aoiidodopnnhiflaflbfeblnojefhigh] it is worthwhile deleting that extension. The block you are having are inbound so i`m not sure why they are happening. Are you able to reset your router, see if that helps... I can give instructions if needed...

Link to post
Share on other sites

I deleted the extension and restarted my computer, but unfortunately that did stop the blocked connections. Could it have anything to do with svchost.exe? 

 

I don't think I can restart the router (I live in an apartment complex with shared internet throughout the building), but I am willing to boot a clean install of windows if you think that might help (I have my important files backed up to the cloud).

Link to post
Share on other sites

The calls are inbound, they do not come from your PC so I doubt that system files such as svchost.exe are the root cause.  Can you clean boot your PC, see if that makes any difference..

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all none MS services are disabled, see how your system runs in that mode. Obviously 3rd party services that affect security or internet connection can be left active.
Link to post
Share on other sites

I followed the instructions on Microsoft Support for a clean boot with only Windows services and Malwarebytes allowed to run, but there are still continuous blocked connections. I can format my drive and install windows again if that will fix the issue, but I'm not sure what to do if the issue is with the router.

Link to post
Share on other sites

The only problem is the calls are inbound, so they are not from your PC. Malwarebytes is doing its job and blocking calls from the outside into your PC... This appears to be a sniffer is trying to make contact with your PC, why this has been initiated is difficult to identify...

Try this:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. See if the issue ceases after the reboot...

 

fixlist.txt

Edited by kevinf80
typing error,
Link to post
Share on other sites

Pasting the fix logs below; however, it has not stopped the website blocking.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by mcc89 (17-09-2018 19:09:25) Run:1
Running from C:\Users\mcc89\Downloads
Loaded Profiles: mcc89 & SQLTELEMETRY$SQLEXPRESS (Available Profiles: mcc89 & SQLTELEMETRY$SQLEXPRESS & MSSQL$SQLEXPRESS)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
cmd: ipconfig /flushDNS
cmd: netsh winsock reset
cmd: netsh int ip reset
cmd: ipconfig /release
cmd: ipconfig /renew 
reboot:
end
*****************

Processes closed successfully.
Restore point was successfully created.

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= ipconfig /release =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 1 while it has its media disconnected.
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::c8b8:3ef3:d157:9582%4
   Default Gateway . . . . . . . . . : 

========= End of CMD: =========


========= ipconfig /renew =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 1 while it has its media disconnected.
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::c8b8:3ef3:d157:9582%4
   IPv4 Address. . . . . . . . . . . : 10.215.149.17
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 10.215.151.254

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog 19:09:43 ====

Link to post
Share on other sites

Run final scan with Sophos AV to double check your system, I do not expect anything to be found...

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thanks,

Kevin..

 

Link to post
Share on other sites

I expected that outcome because your PC is clean. The blocked calls are inbound from an IP listed to China, fortunately Malwarebytes is putting up an excellent defence, exactly what it is designed to do.

Even if you go for a format and reinstall of windows I suspect the inbound calls would return, as long as you have Malwarebytes Premium you are safe. The only answer I can give is to turn OFF notifications if they are too frequent and spoiling your concentration. Select Malwarebytes, open settings, then select "Application" tab, scroll to Notification, push button from On to Off....

I`ve had notifications turned off for several years..

 

 

Notification.JPG

Link to post
Share on other sites

Hello risotto73,

Yes your computer is definitely clean. Is it possible to contact your ISP and have the router reset..? To clean up do the following:

Delete RogueKiller portable from your C:\Users\mcc89\Downloads folder, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.