Jump to content

Possible Infection, Scanned with several scanners, nothing found.


Matthew P

Recommended Posts

So recently every few days or so. I get 2-3 Outbound port 137 IP blocks.

Usually from some Indian IP. My initial assumption with this being an outbound connection, would mean I have malware on my pc calling home. Some people told me this isn't necessary the case, but to be sure I wanted to get another opinion.

Attached are some related images from Malwarebytes.

 

The second issue is that they are Saying "File: System" which makes me think it's my system calling home? So 100% an infection. I don't know much about networking though so I could be incorrect in my way of thinking there.

In fact as of posting this another one happened again. So it's spooking me pretty bad. When I look up the IP's on Domain Whois I get the following:

India Bengaluru Hathway Cable And Datacom Limited. So some IP using Halthway as there ISP not much else.

 

When this happens I immediately disconnect my internet. Run several scanners, and look through task manager for anything suspicious.

 

I don't install many applications on this PC. I disabled sync on firefox, as per some suggestions online, and I uninstalled cFosSpeed which came with my gigabyte motherboard.

 

The computer runs Windows 10 *Legit Copy* and is only a few years old.

 

What would you like me to do next?

Capture.PNG

Capture2.PNG

Link to post
Share on other sites

  • Root Admin

Hello @Matthew P

Let's go ahead and do some scans and see what we can find.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 
Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

The malwarebytes scan came up clean.

The adAware scan came up with Honey *the browser extension* as a PUP.

 

And the logs requested are attached below.

 

PS: I should note I have 4 Hard Drives, and I don't know if threat scan, goes beyond your main drive unless you do a custom scan.

Capture.PNG

ScanReport.txt Addition.txt FRST.txt

Edited by Matthew P
Link to post
Share on other sites

  • Root Admin

Did you setup these Firewall blocks on purpose?

FirewallRules: [TCP Query User{99C14A9C-6617-431A-B57B-A885E2893BE3}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{7E11C38E-9E26-4275-A500-A26CCF0623B1}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

 

Due to one of the Event Log entries you appear to have this same error. Please see if the following fix works for you.

Fix Tilerepository error
https://answers.microsoft.com/en-us/windows/forum/all/event-viewer-erro-esent-455-since-update-1903/624a2548-06e5-47f4-bb99-76d6412895a0

 

Application errors:
==================
Error: (09/22/2020 07:57:32 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (8216,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

 

You have old and outdated, compromised versions of Java on the computer. You should uninstall them and if possible try to run without them. If you really do need Java then make sure you keep it up to date at all times.

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Link to post
Share on other sites

  • Root Admin

All of those IP blocks were recently added within the past week or so. I've asked our Research team for further information on them.

Let's go ahead though and double-check with another antivirus scanner to make sure they don't find anything either.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

 

Link to post
Share on other sites

Scanned with ESET and used the Other Scanner tool.

 

ESET Finished and found 4 items. 2 of which were an Old Visual Studio Project of mine probably some keylogging tutorial on youtube I followed along with when I was a kid. It's on my Old PC folder so it's backed up from there. Defently isn't causing any harm on my pc, and also isn't active.

 

The other two items were Installers found in my downloads folder. Called spsetup132.exe Which I think is Speedfan installer? According to ESET came with a google tool bar bundle.

 

So all in all I don't believe anything serious was found. I'll post the logs of both applications below though.

SecurityCheck.txt esetScanLog.txt

Link to post
Share on other sites

  • Root Admin

Yes, agreed the H: drive files are not live or a threat.

Please review, update as appropriate the items below. I may not hear back about the IP blocks until tomorrow but I don't see an obvious reason for them at this point.
We can do some other monitoring if needed depending on what I hear back

 


--------------------------- [ OtherUtilities ] ----------------------------
IrfanView 4.53 (64-bit) v.4.53 Warning! Download Update

VLC media player v.3.0.7.1 Warning! Download Update

Oracle VM VirtualBox 6.0.14 v.6.0.14 Warning! Download Update

FileZilla Client 3.44.1 v.3.44.1 Warning! Download Update

KeePass Password Safe 2.42.1 v.2.42.1 Warning! Download Update

Notepad++ (32-bit x86) v.7.7.1 Warning! Download Update


-------------------------------- [ Java ] ---------------------------------
Java 8 Update 241 (64-bit) v.8.0.2410.7 Warning! Download Update
Uninstall old version and install new one (jre-8u261-windows-x64.exe).

 

 

 

Link to post
Share on other sites

Ok I've updated the applications you listed with the exception of java which I just removed for the time being.

 

I'll keep my PC offline from the internet for the time being. And use my phone for now.

 

Thank you very much for your help so far. I look forward to **hopefully** seeing that I overreacted lol.

Edited by Matthew P
Link to post
Share on other sites

  • Root Admin

I really do not think there is an issue or concern. Just need to track down why we're seeing or blocking that.

We can do another antivirus scanner just to make sure

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

Link to post
Share on other sites

On 9/22/2020 at 8:48 PM, AdvancedSetup said:

Did you setup these Firewall blocks on purpose?

FirewallRules: [TCP Query User{99C14A9C-6617-431A-B57B-A885E2893BE3}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{7E11C38E-9E26-4275-A500-A26CCF0623B1}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

 

Due to one of the Event Log entries you appear to have this same error. Please see if the following fix works for you.

Fix Tilerepository error
https://answers.microsoft.com/en-us/windows/forum/all/event-viewer-erro-esent-455-since-update-1903/624a2548-06e5-47f4-bb99-76d6412895a0

 

Application errors:
==================
Error: (09/22/2020 07:57:32 PM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (8216,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

 

You have old and outdated, compromised versions of Java on the computer. You should uninstall them and if possible try to run without them. If you really do need Java then make sure you keep it up to date at all times.

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Also in regards to the file tile repository, I follow the instructions and fixed that, and to the other question I don't recall making any firewall rules so I'm not sure what made them.

Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.