
Mysterious inbound RTP connection trying to reach svchost


Solved by Maurice Naggar


Hi there, first time using this as I usually can get my problems solved by simply reading the former threads. I have an old Windows 7 Service Pack 1 computer I keep around for legacy software and sentimental reasons. I booted it up a few days ago, got the recent update to Malwarebytes and got the free trial. After that I suddenly got a bunch of inbound RTP connections registering as trojans and compromised websites trying to reach svchost.exe. I naturally scanned my PC for malware even though it's an inbound connection, and found nothing but a false positive on an old game DLL, and nothing on my WDefender antivirus.

What I could first find was pretty much as written: that one of the sites I was on either was less trustworthy than I thought or was compromised. I immediately closed them down, only to find out that while watching a movie a new RTP connection came in, and many more kept coming over the days that followed.

The domain names are always empty and it's usually the same 4-6 IPs going over several different ports (blocking either in the firewall won't do anything). As you can see from the picture below it has calmed down recently, but as I was writing this I got another one. I'm usually pretty cautious with downloading on this computer nowadays, though I have used qBittorrent on it recently.

Any idea what it is, should I be worried and what I can do to stop it? Thanks in advance.

 

Attachments: mbam_2021-05-31_14-52-51.png, ads.txt, ads2.txt


Hello @Goblets42.  :welcome:

My name is Maurice.  I will guide & help you.

First of all, note that 3 of the events were denoted as "compromised" IP addresses.

This is a copy of just one.

Website Data-

Category: Compromised

Domain: 

IP Address: 103.133.109.41

.

IF your OS is Windows 10 PRO or Enterprise, consider disabling the Remote Desktop option.

ALSO see the article https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

.

Apply the tips if at all possible.

.

Know that the BLOCK notices do mean that Malwarebytes is keeping the system safe from potential harm.

.

In addition, I need you to do all the first steps & reports as listed at

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 

 

Always just Attach the reports from that, back here.  And same principle as we go along.


7 hours ago, Maurice Naggar said:

Always just Attach the reports from that, back here.  And same principle as we go along.

That was an example of the most recent; I've currently got around 40 of these attacks, 13 of which were compromised. Are you sure you need them all? As for the other tips, I've gone through them and manually blocked all the IP addresses, though I wonder how much that will help. Also, how much will Farbar tell you about an inbound connection? What I was worried about is whether it being related to svchost.exe was any reason for alarm. I also ask because this contains small sensitive bits of information that isn't so smart to just lay out there on a public forum.

I know that in the Malwarebytes scan txt it says one malware detected, but I have multiple sources saying that it's a false positive.

malwarebytes full scan.txt


You can put your reports into a ZIP file & then attach. No need to fret about outsiders seeing your stuff.

Only authorized helpers have access here.

No need to fret on "svchost".  It is just incidental that it gets mentioned.

Here & forward I will be guiding you to several different security scans.

By the way, you & I are the only ones on this thread.  NO need for you to click on "Quote " !

.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Select "FULL scan" from scan options.

Let me know the result of this.

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

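The advice above, that svchost.exe being named in an inbound block is incidental, is right as far as it goes: svchost.exe is only a host process, and what matters is which service group inside it owns the listening port the remote IPs keep hitting. Windows 7 has no Get-NetTCPConnection, so the practical check is to join `netstat -ano` (port, PID) with `tasklist /svc` (PID, service names). The script below does that join. It is an added example for this thread, not Malwarebytes code and not something the poster ran; the NETSTAT_OUTPUT and TASKLIST_OUTPUT strings are constructed sample output in the real format of those two commands, with illustrative PIDs, ports and addresses.

```python
"""Map network-reachable listening ports on a Windows 7 box to the process
and, for svchost.exe, the service group behind them, by joining the text
output of `netstat -ano` with `tasklist /svc`.

Added example for this forum thread, not Malwarebytes code.  The two sample
outputs below are constructed; paste real output from an elevated cmd prompt
(netstat -ano > netstat.txt ; tasklist /svc > tasklist.txt) to use it for real.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port pid image services")

# ---- constructed sample output (illustrative values, not from the poster) ----
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1092
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:49212     198.51.100.7:443       ESTABLISHED     3472
  UDP    0.0.0.0:1900           *:*                                    1340
  UDP    [::]:3702              *:*                                    1340
"""

TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    728 RpcEptMapper, RpcSs
svchost.exe                   1092 TermService
svchost.exe                   1340 FDResPub, SSDPSRV, upnphost
qbittorrent.exe               2044 N/A
chrome.exe                    3472 N/A
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_tasklist(text):
    """Return {pid: (image, [service, ...])} from `tasklist /svc` output.
    Image names can contain spaces ("System Idle Process"), so anchor the
    match on the numeric PID column rather than splitting on whitespace."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.+)$", line.rstrip())
        if not m or m.group(1).startswith("="):
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[pid] = (image, services)
    return procs


def split_endpoint(addr):
    """Split '0.0.0.0:135' or '[::]:3702' into (ip, port)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port)


def parse_netstat(text):
    """Return [(proto, local_ip, port, state, pid)] for each `netstat -ano` row.
    UDP rows have no State column, so the PID is always taken from the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        state = parts[3] if proto == "TCP" else ""
        ip, port = split_endpoint(parts[1])
        rows.append((proto, ip, port, state, int(parts[-1])))
    return rows


def exposed_listeners(netstat_text, tasklist_text):
    """Listeners that other hosts can reach: TCP in LISTENING state or any UDP
    socket, excluding sockets bound only to loopback, each tagged with the
    owning image and (for svchost.exe) the hosted service names."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait rows are not listeners
        if ip.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only sockets are not reachable from the network
        image, services = procs.get(pid, ("<unknown>", []))
        found.append(Listener(proto, ip, port, pid, image, services))
    return sorted(found, key=lambda l: (l.proto, l.port))


def services_on_port(listeners, port, proto="TCP"):
    """Look up the image and service list behind a port a block notice named."""
    for l in listeners:
        if l.port == port and l.proto == proto:
            return l.image, l.services
    return None


if __name__ == "__main__":
    for l in exposed_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        svc = ", ".join(l.services) if l.services else "-"
        print(f"{l.proto:<4} {l.ip}:{l.port:<6} pid={l.pid:<5} {l.image:<18} {svc}")
```

Every line the script prints is a port that an outside host can connect to. A port owned by svchost.exe resolves to a named service group: TermService is Remote Desktop, SSDPSRV and upnphost are UPnP/SSDP discovery, RpcSs and RpcEptMapper are the RPC endpoint mapper, and port 445 under the System process is SMB. Once the port behind the block notices is known, the durable fix is to stop and disable that service, or block the port inbound in Windows Firewall for all profiles; blocking each source IP as it appears, as described earlier in the thread, never ends because the port stays open to the next scanner.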

MS SAFETY Scanner reports 

Results Summary:

No infection found.

.

This PC's OS being Windows 7 makes it a more tempting target for probes poking for weaknesses.

Why is the machine still on Windows 7? It is now an unsupported OS as far as Microsoft is concerned, and it is a legacy of the first decade of this century.

It is possible to upgrade it to Win 10, a much sturdier OS. For one thing, it has a more modern firewall.

.

One other scan to just recheck for malware (if any).

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

  • When prompted for scan type, Click on Full scan
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".


As I said, this is not the main computer and I mostly use it for legacy programs. If I use it I mostly keep it offline; I've been online a lot recently due to these scans, however.

Before I go further into scanning, I'm wondering if these messages are related to https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise rather than an infection, which on both antimalware and antivirus shows up negative?


After some research I've found that it's a false positive. To quote the dev: "The SbieDrv.sys driver must be signed, and since the appropriate certificates are prohibitively expensive, I had to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications wrongfully flag it as potentially dangerous or a virus." https://github.com/sandboxie-plus/Sandboxie/issues/95

Which kind of sucks since I did go forward with removing it. Oh well, time to reinstall.


Hello.  The ESET scanner removed 2 threats.

Identified files: 2

Cleared files: 2

That statement by the app dev cited above shows poor security practices.  I would stay away from any of his stuff or any similar ones.

.

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 


While I'm thankful for all your help with this matter, before I continue I have to ask if this is just something to be extremely sure, or if you believe there is a virus on my computer?

I have gone through several antivirus tools presented and all turn up negative. This tool seems rather sketchy and its privacy policy isn't the best.


Sophos is a trusted scan tool, from a well known security firm.

My view was to have that as an added check, because not all  scanners catch all malwares.

If you would prefer that we halt & close this case, we can do that.

Let me know what you prefer.


Well, at least it was a crash course in antivirus protection. Thanks for at least giving it a shot 👍.

If you could answer one small thing about security, however: while MWB does block these incursions, and the general rule is simply to keep things up to date, that might not be the case, especially when one finds and boots up an old and unprotected computer. So, while not first-rate choices, what are some second-rate choices for things like this?


Keep always in mind that Block notices (website blocks / IP blocks) from Malwarebytes for Windows are courtesy notices that the real-time protections of the Premium version are keeping the PC safe from potential threats. It does not necessarily indicate that there is an actual onboard infection. The potential threats are external, out on the web.

What needs to be done is to strengthen your safety practices and all apps. There will be a link about that when we close the case.

Another thing you can do is to see about adding the Malwarebytes Browser Guard to those of your browsers that can handle it.

See https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

 

Question: Either for yesterday or today (June 4), have there been any new Inbound IP Block notices?

And also, for a security status of the applications, let's have you run a report (just only a report).

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

 

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Cheers.


Yes, they have steadily popped up in rushes every 45 minutes, with a 2-4 hour wait time between each rush. I block every single IP that pops up, but sometimes new ones appear. I usually only plug this computer in when I need it, though.

As for the case, I do believe it is solved. I will check this program out, but generally I believe all my security programs are up to date.


Hi. Let me just say, and I know it is a repeat, that the PC being on Windows 7 is not a good thing.

Windows 10  has a much more modern and stronger firewall, plus as a big huge plus, comes with Microsoft Defender antivirus & firewall.

.

Whilst this pc still is on Windows 7, keep it off the internet as much as possible.

The bad guys are always 'probing' for weaknesses to exploit.

.

See this article on our Malwarebytes Blog

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

 

Scroll down to the tips section "How do I disable them".

.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:

  • Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
  • First rule of internet safety: slow down & think before you "click".
  • Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).
  • Free games & free programs are like "candy". We do not accept them from "strangers".
  • Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
  • Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
  • Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
  • Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
  • Use a Standard user account rather than an administrator-rights account when "surfing" the web.

    Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.
  • See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
  • Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit them to drop malware.
  • For other added tips, read "10 easy ways to prevent malware infection"

 

NOTE:  I am looking to getting the report from SecurityCheck.


Hm, well this is a pretty convenient little tool, though the spelling during the scan gave me worries, and as you said you should always be worried about "candy" without at least some quick research. While most of these programs were expected to be out of date on this computer, I've since updated most of them or removed the ones I actually forgot about (like Office); some I keep at that point for legacy and better experience purposes. As you said, I will not really be "surfing" on this computer anyway.

What's new to me is the hotfix, I believe I have almost all windows updates.

 

And if I can ask how is using a standard account safer than an administrator account? Doesn't an administrator account have more safeguards?

SecurityCheck.txt

