Goblets42 Posted May 31, 2021 ID:1460611

Hi there, first time using this, as I usually can get my problems solved by simply reading the former threads. I have an old Windows 7 Service Pack 1 computer I keep around for legacy software and sentimental reasons. I booted it up a few days ago, got the recent update to Malwarebytes and got the free trial. After that I suddenly got a bunch of inbound RTP connections registering as trojans and compromised websites trying to reach svchost.exe. I naturally scanned my PC for malware, even though it's an inbound connection, and found nothing but a false positive on an old game DLL, and nothing on my Windows Defender antivirus.

What I could first find was pretty much as written: that one of the sites I was on either was less trustworthy than I thought or it was compromised. I immediately closed them down, only to find out that while watching a movie a new RTP connection came in, and many more kept coming over the days that followed. The domain names are always empty and it's usually the same 4-6 IPs going over several different ports (blocking either in the firewall won't do anything). As you can see from the picture below it has calmed down recently, but as I was writing this I got another one. I'm usually pretty cautious with downloading on this computer nowadays, though I have used qBittorrent on it recently.

Any idea what it is, should I be worried, and what can I do to stop it? Thanks in advance.

Attachments: ads.txt, ads2.txt
Maurice Naggar Posted May 31, 2021 ID:1460660

Hello @Goblets42. My name is Maurice. I will guide & help you. First of all, note that 3 of the events were denoted as "compromised" IP addresses. This is a copy of just one:

Website Data - Category: Compromised, Domain: (empty), IP Address: 103.133.109.41

IF your OS is Windows 10 PRO or Enterprise, consider disabling the Remote Desktop option. ALSO see the article https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise . Apply the tips if at all possible.

Know that the BLOCK notices do mean that Malwarebytes is keeping the system safe from potential harm.

In addition, I need you to do all the first steps & reports as listed at https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ Always just Attach the reports from that back here. And the same principle as we go along.
Goblets42 Posted June 1, 2021 Author ID:1460746

7 hours ago, Maurice Naggar said: Hello @Goblets42. My name is Maurice. I will guide & help you. Always just Attach the reports from that back here. And the same principle as we go along.

That was an example of the most recent; I've currently got around 40 of these attacks, 13 of which were compromised. Are you sure you need them all? As for the other tips, I've gone through them and manually blocked all the IP addresses, though I wonder how much that will help. Also, how much will Farbar tell you about an inbound connection? What I was worried about is if, it being related to svchost.exe, there was any reason for alarm. I also ask because this contains small sensitive bits of information that isn't so smart to just lay out there on a public forum. I know that the Malwarebytes scan txt says one malware detected, but I have multiple sources saying that it's a false positive.

Attachment: malwarebytes full scan.txt
Maurice Naggar Posted June 1, 2021 ID:1460843

You can put your reports into a ZIP file & then attach. No need to fret about outsiders seeing your stuff. Only authorized helpers have access here. No need to fret on "svchost". It is just incidental that it gets mentioned. Here & forward I will be guiding you to several different security scans. By the way, you & I are the only ones on this thread. NO need for you to click on "Quote"!

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select "FULL scan" from the scan options. Let me know the result of this. The log is named MSERT.log; the log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.
Goblets42 Posted June 1, 2021 Author ID:1460854

Fair enough. Did some minor editing to one of the txt files, just removed my and my provider's IP address, nothing major. I've downloaded the Safety Scanner and am currently running it; seems it's gonna take a while, so I guess we'll see in another few hours what happens.

Attachment: FRST.7z
Goblets42 Posted June 1, 2021 Author ID:1460856

Should I post the current compromised IP list? If not to get a better idea, people who follow can at least block bad addresses.
Maurice Naggar Posted June 1, 2021 ID:1460882

You may post that if you wish. But I am looking for the report from a completed MSERT report. We have more to do after.
Goblets42 Posted June 2, 2021 Author ID:1460939

Well, it took 11 hours but it's done. What's odd is that it said there were infected files during the scan but the file says otherwise. Also, here are the IPs. I unplugged my internet yesterday and plugged it in a few hours ago and haven't gotten a new block since then; might jinx that now.

Attachment: msert.log
Maurice Naggar Posted June 2, 2021 ID:1461037

MS SAFETY Scanner reports Results Summary: No infection found.

This PC's OS version being Windows 7 makes it a more tempting target for attempts to poke for weaknesses by probes. Why is the machine still on Windows 7? A now unsupported OS as far as Microsoft is concerned. And it is a legacy of the first decade of this century. It is possible to upgrade it to WIN 10, a much more sturdy OS. For one thing, a more modern firewall.

One other scan to just re-check for malware (if any). I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to off the offer for "periodic scanning".
Goblets42 Posted June 2, 2021 Author ID:1461050

As I said, this is not the main computer and I mostly use it for legacy programs. If I use it I mostly keep it offline; it has been online a lot recently due to these scans, however. Before I go further into scanning, I'm wondering if these messages are related to https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise rather than an infection, which on both the antimalware and antivirus shows up negative?
Maurice Naggar Posted June 2, 2021 ID:1461078 (marked as Solution)

The "block" notices do not mean that your machine has an infection. They are a notice that Malwarebytes kept your PC safe from potential harm. Go forward with the scan.
Goblets42 Posted June 3, 2021 Author ID:1461216

It's very strange to find out that Sandboxie, the program I use to avoid malware, was found to be malware. However, I'm not actually sure whether they are a false positive or not.

Attachment: ESET log.txt
Goblets42 Posted June 3, 2021 Author ID:1461242

After some research I've found that it's a false positive. To quote the dev: "The SbieDrv.sys driver must be signed, and since the appropriate certificates are prohibitively expensive, I head to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications wrongfully flag it as potentially dangerous or a virus." https://github.com/sandboxie-plus/Sandboxie/issues/95

Which kinda sucks, since I did go forward with removing it. Oh well, time to reinstall.
Maurice Naggar Posted June 3, 2021 ID:1461314

Hello. The ESET scanner removed 2 threats.
Identified files: 2
Cleared files: 2

That statement by the app dev cited above shows poor security practices. I would stay away from any of his stuff or any similar ones.

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete. Please Do Not use your PC whilst the scan is in progress. This scan is very thorough, so may take several hours.

Double click the icon and select Run.
Click Next.
Select I accept the terms in this license agreement, then click Next twice.
Click Install.
Click Finish to launch the program.
Once the virus database has been updated, click Start Scanning.
If any threats are found, click Details, then View log file... (bottom left hand corner).
Attach the results in your reply.
Close the Notepad document, close the Threat Details screen, then click Start cleanup.
Click Exit to close the program.
If no threats were found, please confirm that result.

The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows; the Windows registry; all local hard drives, fixed and removable. Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
Goblets42 Posted June 3, 2021 Author ID:1461343

While I'm thankful for all your help with this matter, before I continue I have to ask if this is just something to be extremely sure, or if you believe there is a virus on my computer? I have gone through several antivirus tools presented and all turn up negative. This tool seems rather sketchy and its privacy policy isn't the best.
Maurice Naggar Posted June 3, 2021 ID:1461372

Sophos is a trusted scan tool, from a well known security firm. My view was to have that as an added check, because not all scanners catch all malwares. If you would prefer that we halt & close this case, we can do that. Let me know what you prefer.
Goblets42 Posted June 3, 2021 Author ID:1461377

No no, better see where this thing goes, I guess. Hey, might even help others, who knows. See you in a few hours then.
Goblets42 Posted June 4, 2021 Author ID:1461499

The scan is complete, no infections. I have no idea how to confirm if it did or did not scan those directories, but I can give you the log if you want.

Attachment: SophosVirusRemovalTool.log
Maurice Naggar Posted June 4, 2021 ID:1461555 (edited)

Thanks for the Sophos log. It did not report any infections found. We can proceed to close this case if you are so inclined. There is no infection here. You may uninstall Sophos.

Edited June 4, 2021 by Maurice Naggar
Goblets42 Posted June 4, 2021 Author ID:1461559

Well, at least it was a crash course in antivirus protection. Thanks for giving it a shot 👍. If you could answer one small thing about security, however: while MWB does block these incursions and the general rule is simply to keep things up to date, that might not be the case, especially when one finds and boots up an old and unprotected computer. So, while not first-rate choices, what are some second-rate choices for things like this?
Maurice Naggar Posted June 4, 2021 ID:1461572

Keep always in mind that Block notices (website blocks / IP blocks) from Malwarebytes for Windows are courtesy notices that the real-time protections of the Premium is keeping the PC safe from potential threats. It does not necessarily indicate that there is an actual onboard infection. The potential threats are external, out on the web. What needs to be done is to strengthen your safety practices and all apps. There will be a link about that when we close the case.

Another thing you can do is to see about adding the Malwarebytes Browser Guard to those of your browsers that can handle it. See https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

Question: Either for yesterday or today (June 4), have there been any new Inbound IP Block notices?

And also, for a security status of the applications, let's have you run a report (just only a report). I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Cheers.
Goblets42 Posted June 5, 2021 Author ID:1461794

Yes, they have steadily popped up in rushes every 45 minutes, with a 2-4 hour wait time between each rush. I block every single IP that pops up, but sometimes new ones appear, while I usually only plug this computer in when I need it. As for the case, I do believe it is solved. I will check this program out, but generally I believe all my security programs are up to date.
Goblets42 Posted June 5, 2021 Author ID:1461795

To clarify, for the past few days I've felt that it's better to be safe than not and also block every IP MB blocks in my firewall. What I find odd is that certain IPs get phased out while others stay the same.
Maurice Naggar Posted June 5, 2021 ID:1461806

Hi. Let me just say, and I know it is a repeat: that PC being on Windows 7 is not a good thing. Windows 10 has a much more modern and stronger firewall, plus, as a big huge plus, comes with Microsoft Defender antivirus & firewall.

Whilst this PC still is on Windows 7, keep it off the internet as much as possible. The bad guys are always 'probing' for weaknesses to exploit.

See this article on our Malwarebytes Blog https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/ You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera. Scroll down to the tips section "How do I disable them".

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).
Free games & free programs are like "candy". We do not accept them from "strangers".
Never open attachments that come with unexpected (out of the blue) email, no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with an antivirus program.
Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these, as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
Use a Standard user account rather than an administrator-rights account when "surfing" the web. Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
For other added tips, read "10 easy ways to prevent malware infection".

NOTE: I am looking to getting the report from SecurityCheck.
Goblets42 Posted June 5, 2021 Author ID:1461809

Hm, well, this is a pretty convenient little tool, though the spelling during the scan gave me worries, and as you said, you should always be worried about "candy" without at least some quick research. While most of these programs were expected to be out of date on this computer, I've since updated most of them or removed the ones I actually forgot about (like Office); some I keep at that point for legacy and better-experience purposes. As you said, I will not really be "surfing" on this computer anyway. What's new to me is the hotfix; I believe I have almost all Windows updates. And if I can ask, how is using a standard account safer than an administrator account? Doesn't an administrator account have more safeguards?

Attachment: SecurityCheck.txt