Inbound connection to svchost.exe

[MaximusDecimus]

I seem to have some kind of infection. MB has been notifying me of "Inbound Connections" from various IP addresses to svchost.exe

The connections seem to target different ports everytime, and MB has categorized them as either Trojan, Malware or Compromised. 

I searched for my problem and found a couple of topics with similar issues. I've tried their solutions and they don't seem to have worked so here I am starting a new topic. 

All help is greatly appreciated!

 

To aid the diagnostic process, I've ran FRST and have attached the two log files that it generated.

 

I'm at your mercy,

Thanks

Addition.txt FRST.txt

[Maurice Naggar]

[  sorry the top part of my intended message got chopped ]

 

Hi,   
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

 

Thank you for the reports.  Those are logs of Block events.   The program is keeping your machine safe from external threats.

 

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm. 

A block notice is an advisory of the "block". 

 

It  indicates that a potential risk was blocked by the malicious website protection.  

The Malwarebytes web protection, by default, will always show each  block occurrence. 

The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC. 

  

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true 

  

Incoming block notice can be ignored, the Malwarebytes Premium real-time protection is blocking the threat and there is nothing more that can be done. 

On Outbound blocks, any attempted connection was stopped. 

[    2    ]    *******

Since this is a Pro edition of Windows   (  Windows 10 Pro Version 1903 18362.959 (X64)    one of the first suggestions I would have, if you do not need, nor use the Remote Desktop option,  then to turn it off.   Because it is quite possibly attempts are ongoing to see if it ( remote desktop) can be compromised.

See the top part of this knowledge base article

Check that out.  Let me know if you can turn off RDP.

On my next replies I am going to lead you thru some scans   ( though I expect that this machine does not actually have a on-board "infection"

All what it is , is that ( possibly) some attempted probes are being made on your machine.

Edited July 17, 2020 by Maurice Naggar

[MaximusDecimus]

Hi Maurice, thanks for your help. My name is John. 

It is possible that I have already eliminated the infection as I tried every solution I could find and quarantined/deleted all the threats found. 

The only thing I couldn't get rid of are these inbound calls every few minutes. Although their frequency has greatly decreased since. 

However it wouldn't hurt to make sure that it's taken care of. 

Note: I tried all this before running the scans from the logs I posted. I haven't made any changes since then.

 

2: Sadly, remote desktop is not something I can turn off as this is a feature that I rely on a lot. 

Please let me know how to proceed. 

Thank you very much!

John

[Maurice Naggar]

Hello John.

I presume you have been looking at the history of the block notices to jot down / document some form of list of IP's  that have attempted these recent probes.

That would help you to map out a plan.  Such as , you can add the IP to the local firewall to prevent it from contacting the computer period.  

For example, if your pc has Windows 10 Microsoft Defender antivirus, you can add those ip to be blocked in the Windows Defender Firewall,

On Windows 10, to get to Windows Defender Firewall, in the taskbar Search box, type in "defender firewall";  look at the results; click on the App icon for "Windows Defender Firewall"

You would make a New Rule, and specify the IP address (es)  ( each IP ) as remote addresses to be blocked.

For a guide that you may consider, see https://www.domain.com/blog/2019/05/23/how-to-block-an-ip-address/

.

As to scanning your pc if you suspect a current on-board infection you can do a new scan as listed below,

Just be aware that when you see a block that mentions "comprmoised"  in the display of a IP block .....that the real-time Malwarebytes protections have STOPPED any attempted connection.

.

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.    Let it remove what it has detected.

NEXT

 

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.2.802.exe  to run the report

 

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer.  and that I am not on 24 x 7.

 

[MaximusDecimus]

Hi Maurice, thank you again for your help! 

I have created a blocking rule for defender firewall and am now blocking the most recent IP's which have targeted my computer. (I'm considering a block-all rule and just white-listing my trusted locations)

I ran the MB support tool as you instructed me and attached the resulting zip file. 

Thanks again for all your help as a volunteer 😀 and no worries if it takes a bit to respond. 

Best regards,

John

mbst-grab-results.zip

[Maurice Naggar]

Hi , John.   Thanks for the report.

here are the blocks i see logged for the 19th.   The port numbers on the right are what the "probers" were trying to test.

"ip" :  92.63.194.15                       "port" : 1863

"ip" :  203.154.52.42                     "port" : 40139

 

You may want to also block those 2 ports.

Though I think you can see the "probers'  are trying different ports  & also will be on different IP addresses.

.

By the way, one of the reports indicates that there is a MS Windows Update that is pending  & it requires a Windows Restart.

Make some time soon,  and do a RESTART   and have lots of patience as the processes begin and work their way.

.

The last scan by Malwarebytes for Windows found no threats on board this machine itself.

.

The next chance you get, you can run a different scan, just for another opinion & check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

[AdvancedSetup]

Are you still with us @MaximusDecimus

[MaximusDecimus]

My bad, took a bit to respond. Here are my updates on the matter:

 

I black-listed a bunch of "probers" IP addresses which reduced the amount of calls I was getting. 

I have installed the windows update and ran ESET Online Scanner.

ESET found about 8 infected files, I allowed it to remove them.

Shortly after, MB blocked a couple of "outbound" calls.

A couple days after, the "inbound" calls seem to have increased in quantity but they're now coming from different IP addresses. 

 

Should I be worrying about those "outbound"s and are there any negative consequences at implementing a "block all" rule on the firewall, allowing only white-listed IP addresses to connect? 

Would it be viable to block everything except for a white-listed VPN (Namely MB VPN) and then just have to connect to the VPN when I need to remote into my computer?

 

Thanks,

John

 

 

[AdvancedSetup]

Thanks @MaximusDecimus

@Maurice Naggar should be along before too long to follow up with you. In the meantime perhaps you can run FRST again scan again and post back both new logs for him to review when he comes back.

If needed, here is the link for FRST again

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

[MaximusDecimus]

Thank you. 

Here are the logs for when you get a chance to look at them. 

Thanks again,

John

Addition.txt FRST.txt

[Maurice Naggar]

Howdy, John.

If there have been very recent "blocks"  that were "outbound"  it would help to have the recent Malwarebytes history.

      see https://support.malwarebytes.com/hc/en-us/articles/360039023453-Upload-Malwarebytes-Support-Tool-logs-offline

      Do a Gather logs procedure as listed in the article.  Then when it finishes, attach the mbst-grab-results.zip along with your reply   ( to this topic-thread ).

 

.

Thanks for the FRST reports.

I am curious to know whether you did do the scan with Eset  Online scanner.

I notice that this system had had Avast antivirus in the past.  I do see some remains of it.  This will need a bit of cleaning, which we will do on a custom script, for that and for other benefits.

.

It is advisable to turn on the Windows Defender antivirus  ( which is included in all Windows 10 versions)   and then also to tweak 1 setting in Malwarebytes.

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The Premium  protections of Malwarebytes will still be on.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center"

 

[   2  ]

Scroll down further one the  Security tab.  Look at "Exploit protection".   There are a pair of lines.

If your pc has Outlook program locally installed,  click the first line to ON    ( if it is not already so)

Be sure ( in any event) that the 2nd line   [  Block penetration testing attacks ]  is ON.    ( all the way to the right  )

 

[   3   ]

You may turn off the visual notices for the block events so that you do not get inundated on-screen.   The events will still be logged.

Click the NOTIFICATIONS tab.

Click the top line "Show all notifications in Windows notification area" to Off position.   ( far left is off)

 

[   4    ]

NOTE-1:  This script will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

This will also run a scan with the Microsoft Windows Defender antivirus.

 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the script has run.

.

This custom script is for  MaximusDecimus  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Desktop  folder

The tool named FRST64.exe   tool    is already on the Desktop
Start the Windows Explorer and then, to the Desktop

RIGHT click on  FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

 

Fixlist.txt

[MaximusDecimus]

Hi Maurice, thanks for all your help. 

Yeah, I actually tried to use Avast a bit ago, but the installation failed and it never actually worked. 

As for Eset online scanner, I did try it and it found a few infected files. They've been deleted. 

 

I have followed your recommendations: 

-Windows Defender is now on

-Ran the support tool to gather logs and attached them.

-Ran FRST fix and restarted. Attached fixlog.

 

Thanks again. 

Please let me know how to proceed.

John

Fixlog.txt mbst-grab-results.zip

[Maurice Naggar]

Hello John.

Thanks for the report files.  The custom script run is good.   The Windows System File Checker ran and found no issues.

The Windows DISM tool was run and found no issues.

.

{  A  }

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The Trial protections of Malwarebytes will still be on.   ( until after the 14th day following install...when it will cease.....unless you get a Premium license for Malwarebytes.   )

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

This choice will insure that Windows Defender  is enabled & is the resident antivirus.

Close Malwarebytes when done.

 

{   B   }

I want to be sure that your Windows 10 is able to do a scan with the Windows 10 Windows Defender antivirus.   Just do a regular Quick scan with Windows Defender.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .

It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is

To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )

On that command prompt,  Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate 

then press Enter-key on Keyboard.

Copy > Paste this next command-line  to do a quick scan

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

 

tap Enter-key to have it proceed.   Then just let it run, however long it takes.

Make a note of the final display results.

 

{  C  }

Notes:  These are some of the most recent IP  / domain  Blocks logged in the logs of Malwarebytes'  web protection

221.150.226.133

14.128.62.11

45.144.64.233

All these were Inbound blocks.   and the Malwarebytes Web protections has STOPPED any potential harm or threat.

 

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm. 

A block notice is an advisory of the "block".   Notices can be turned off ( if you desire) if they are too much of a distraction.

 

The Malwarebytes web protection, by default, will always show each  block occurrence. 

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.    In these cases here, they were Inbound.

  

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true 

  

Incoming block notice can be ignored, the Malwarebytes Premium real-time protection is blocking the threat and there is nothing more that can be done. 

On Outbound blocks, any attempted connection was stopped. 

For those block-message-windows that showed "compromise"   See this knowledge base article

.

If you are inclined, you may consider adding the blocked IP's  into the Block list of the firewall.

I cited a how-to-link in my reply  https://forums.malwarebytes.com/topic/261882-inbound-connection-to-svchostexe/?do=findComment&comment=1395349

 

{  D  }

We may run some other different scans later, if you wish,  just to re-check for any 'onboard' 'infection'.

[Maurice Naggar]

Hello John.

How is it going ?

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you