Trojan/Malware/Compromised/Riskware from svchost.exe


Hello @_peace

My name is Maurice. I will guide you.

Thanks for the zip file report. I will have more remarks after a review.

At this point, I would like you to study this article online: "Receiving message - Website blocked due to compromise".


Hello @_peace

This PC has Malwarebytes for Windows installed as a Trial. The trial ends 14 days after the install. The trial does have real-time protections just like the Premium.

The web protection of the real-time protections IS protecting the PC from potential harm. A "Block" notice means that any threat or potential harm is STOPPED.

I suggest that we ensure that Microsoft Defender is ON.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to "Windows Security Center".

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

We want that to be set as Off: be sure that line's radio-button selection is all the way to the left. Thanks.

This will not affect any real-time protection of Malwarebytes.

Now a fresh new scan with Malwarebytes for Windows.

  • In the Malwarebytes for Windows program, we want to do a special scan.
  • Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
  • Then click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
  • Click it to get it ON if it does not show a blue color.
  • Next, click the small x on the Settings line to go to the main Malwarebytes window.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be sure you review and have all detected items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[Screenshot: MB4_scan_tick_ALL.jpg]

 

Please double-check that you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

[Screenshot: MB4_scan_all_Quarantine.jpg]

 


Then locate the scan run report, export a copy, and attach it to your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Edited by Maurice Naggar

I am glad to learn that both Defender and Malwarebytes report no malware present!

I presume this is a personal use machine, a home type computer. I presume you do not typically use the Remote Desktop feature a lot to control other Windows systems outside of your home location.
Your PC is a Windows 10 Pro. I suggest you turn OFF the Remote Desktop option. Doing that will lower your profile as a potential target of outside probes.

Please remain calm. No need to be over concerned. The Malwarebytes real-time protections are STOPPING any potential harm. It is BLOCKED!
Malwarebytes is protecting your system.

In most cases the attempted probes will eventually stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer, period.
If you wish to do so, here is one how-to guide for the Windows software firewall:
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Additionally or alternatively, if this is on Windows 10 Pro and if you do not need or use Remote Desktop, you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Here is how to block a port number in Windows:

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

How to change the port number for RDP:

https://tunecomp.net/change-remote-desktop-port-windows-10/

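The firewall and Remote Desktop steps linked above, as an added PowerShell example that is not part of the thread. It assumes an elevated prompt on an English-language Windows 10 Pro, and the address 203.0.113.25 is a placeholder to replace with the IP from the block notice.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# 203.0.113.25 is a documentation placeholder; substitute the IP shown in the Malwarebytes block notice.
$probeIp = '203.0.113.25'

# 1. Block the probing address in both directions so it can neither reach the PC nor be reached from it.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block probe $probeIp ($dir)" `
        -Direction $dir -RemoteAddress $probeIp -Action Block -Profile Any | Out-Null
}

# 2. If Remote Desktop is not needed, turn it off at the OS level and disable its built-in
#    firewall rule group ('Remote Desktop' is the group's display name on English Windows).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Also explicitly block inbound TCP 3389, the default RDP port, so a later
#    "enable Remote Desktop" click does not silently reopen it.
New-NetFirewallRule -DisplayName 'Block inbound RDP 3389' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null

# 4. Verify: show the rules just created and the Remote Desktop registry state (1 = denied).
Get-NetFirewallRule -DisplayName 'Block probe*', 'Block inbound RDP 3389' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' |
    Select-Object fDenyTSConnections
```

Remove a rule later with `Remove-NetFirewallRule -DisplayName 'Block probe*'` once the probes have stopped.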

Hi Maurice, thanks for coming back. Yes, remote desktop is disabled.

My concern was that almost all of the blocked attempts were outbound, so I am still confused about which program is causing it.


Curious: when you have seen these Block events, were you reading email online in a browser? Or maybe using a web browser looking at some site? Is your browser's home page set to some news site (like maybe Yahoo) that just happens to have lots of ads?

Let me suggest that you take some time and, for each browser on this PC, one at a time (Brave, Chrome, Opera, Edge, and Firefox), get and install the Malwarebytes Browser Guard. There is a specific one for Firefox. The others can each have the one from Google.

See https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

Next step

Let me suggest you do one scan with AdwCleaner to check for adware.

First download and save it:

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then do a scan with AdwCleaner:

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Also, as we go along, let me know how the situation is. Are there still Block notices when you have reached THIS point?


These are the next steps, after you have caught up with the last ones. I would like you to complete the tips above first.

I do not see a blatant 'booger' program that would lead to the IP blocks.

The IP addresses blocked have varied. I only saw 1 URL link address for an event where Chrome was in use, and that was to something at programmersought(dot)com


I have a custom script below to help alleviate what has been going on here.

NOTE-1: This custom script will run a scan to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will re-enable Microsoft Defender. It should re-enable the availability of Windows System Restore. (It was Off at the start of this case.)

It will remove one suspicious DLL file that is under appdata\roaming.

It will remove 2 settings of RunOnce entries / application restart for the Chrome browser. (Not at all recommended, especially in problem cases.)

"Restore last session" on web browsers is not a good practice.

Depending on the speed of your computer this fix may take 30 minutes or more.

 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

 

Please download the attached fixlist.txt file and save it to the Downloads folder.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Fixlist.txt

After it is saved, use File Explorer and look for FRSTENGLISH.exe.

Do a RIGHT-click on FRSTENGLISH and select Run as Administrator to start FRSTENGLISH (reply YES to proceed when prompted by Windows).

Note: If the tool warns you about an outdated version, please download and run the updated version.

Then press the Fix button just once and wait.

[Screenshot: frst-fix.jpg]

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.


The tool will make a log on the Downloads folder (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

 

After this run finishes, and the Windows system is restarted and available, let me know.

HTH

Cheers

Edited by Maurice Naggar

I looked into the steps and did them manually. I just didn't want to lose browser history as I keep my "to reads" open. However, I cleared cache, tmp files, disk checkup (came clean), DISM checks (came clean).

Hybrid analysis for the dll came clean: https://www.hybrid-analysis.com/sample/c3af1c1bcaa1494ebd6229e6f8ff92fd5bd024667b5e5196b970f68114082fe3

Looks good so far today. But it still confuses me as to why svchost was reported. If it was some javascript triggered malware it should have been reported to be from the browser 🤔

Will keep an eye as the day passes

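On the question of why a blocked outbound connection is reported against svchost.exe: svchost is only a host process, and the service running inside it is what actually opened the connection. The following is an added PowerShell example, not part of the thread, that maps each established outbound TCP connection to its owning process and, for svchost, to the services hosted in that PID. It assumes an elevated prompt and uses 203.0.113.25 as a placeholder for the address in a block notice.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt while the
# block notices are occurring, so the connections are visible. A connection that was
# dropped at the filter will not be listed, but the same service usually has other
# connections open to the same remote host or port.
function Get-OutboundConnectionOwners {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ownerPid = $_.OwningProcess
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '(exited)' }
            $services = @()
            if ($procName -eq 'svchost') {
                # One svchost PID can host several services; list every service in it.
                # On Windows 10 with more than 3.5 GB RAM most services get their own PID,
                # which makes this mapping close to one-to-one.
                $services = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
                    Select-Object -ExpandProperty Name
            }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $ownerPid
                Process       = $procName
                Services      = ($services -join ', ')
            }
        }
}

# Who owns the connection to the address from a block notice? (placeholder IP)
Get-OutboundConnectionOwners |
    Where-Object RemoteAddress -eq '203.0.113.25' |
    Format-Table -AutoSize

# Or review everything, grouped by process, to see which services talk out at all.
Get-OutboundConnectionOwners |
    Sort-Object Process, RemoteAddress |
    Format-Table -AutoSize
```

The classic `tasklist /svc` command gives the same PID-to-service mapping without the connection view, which is useful for cross-checking.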

Hi. This is the download link for AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

This here is an alternate link: https://toolslib.net/downloads/finish/1-adwcleaner/

If you continue to have a connection issue, try a different web browser.

Now then, have you done the FIX run with FRST? I would advise you to go ahead with that.

https://forums.malwarebytes.com/topic/275349-trojanmalwarecompromisedriskware-from-svchostexe/?do=findComment&comment=1462816


Alright. Thanks for the clarifications.

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


SHA-256: 3ea634ee60faeecf7a5c276573253db7c1b5a9c8a1b62cb9b61ba7ff210ea954

 

The SecurityCheck tool is from a known trusted site.
