Jump to content

Malwarebytes is blocking svchost.exe with IP addresses and port 3389


Go to solution Solved by kevinf80,

Recommended Posts

Hi,

I installed malvarebytes today and malvarebytes keeps blocking a lot of IP adresses with same port 3389, every minute it says "Malwarebytes has successfully blocked access to a potentially malicious website"

I scanned my PC with malvarebytes, defender, adwcleaner, only adwcleaner found 7 small viruses, but it still didn't help

image.thumb.png.eb23608a57424d21a22eef965b83442c.pngThis is how the log looks like:

Link to post
Share on other sites

Hiya Kexo and welcome to Malwarebytes,

Can you attach the last three RTP detection logs to your next reply please:

To get the RTP Detection log from Malwarebytes do the following:

Open Malwarebytes....

  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the RTP Detection log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options: > From export you have two options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     

  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Thank you,

Kevin

Link to post
Share on other sites

From your log...

Quote

IP Address: 94.232.43.67
Port: 3389
Type: Inbound

'Inbound' means communication is emanating from the POV of the Internet and is attempting ingress

'Port: 3389' - Is the Remote Desktop Protocol (RDP)

'IP Address: 94.232.43.67' - is the internet address using TCP Port 3389 and the Remote Desktop Protocol to  access and CONTROL your PC.

TCP and UDP Ports are like doors.  That door can be open, closed or locked.

Your TCP Port 3389 'door' is open and Malwarebytes is blocking the ingress from Internet sites trying to enter that TCP Port 3389 door.  If you do not know what Remote Desktop Protocol 'is' then you want that door locked.

Think of your computer like a house. It has a Front Door and doors to individual rooms.  The Front Door, which leads to the street, has a lock on it.  Individual doors within the house may or may not have locks on them.

The Internet is like a street in front of your house and your Internet Router is that Front Door.  Depending on the Make and Model of the Router, it may have a Firewall implementation or Firewall constructs that will allow the user to lock that door (aka; BLOCK TCP Port 3389).  If the Router does not have minimal Firewall constructs the Windows PC has a Firewall that can be used to BLOCK TCP Port 3389.

The idea is that all those warnings of MBAM performing the blocking action can be annoying.  If you block TCP Port 3389 on the Internet Router, the Windows PC will never see that activity and MBAM will not have anything to block on TCP Port 3389.

 

 

Link to post
Share on other sites

Hiya Kexo,

Those blocks are inbound, meaning sniffers from the outside trying to connect to your PC. Malwarebytes is just doing its job, not sure why your Firewall is letting them through. The IP`s are based in Russia, but no great alarm via VirusTotal. There are two different IP`s, are they meaning anythingto you..?

https://whois.domaintools.com/94.232.43.67

https://whois.domaintools.com/91.220.163.140

Lets grab some logs and check your system:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Disable smart screen if it interferes with software we have just used:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may used from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin....

 

 

Link to post
Share on other sites

thanks, i knew what port means but i didn't know if i am beign DDosed or somethink like that, so it means it's not a virus? Before making this post i blocked port in firewall but it didn't helpm hope blocking port on router will help..., thanks for answer!

Link to post
Share on other sites

Hiya Kexo,

Are the blocks still happening..? Did you set the following Firewall rules...

FirewallRules: [{0EA64EB4-9F11-4B35-B15B-57A5DF5775D0}] => (Allow) LPort=7
FirewallRules: [{A2B67703-F162-4D1D-83EE-66EF63DE6D4F}] => (Allow) LPort=7
FirewallRules: [{A2C3289C-9D66-41BB-ACA6-250F95DBD636}] => (Allow) LPort=9993
FirewallRules: [{23BC6EC6-FC7B-4E6D-A139-9F3D708CBE58}] => (Allow) LPort=9993

Thank you,

Kevin.

Link to post
Share on other sites

Hello Kexo,

Thanks for the update, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Lt me see those logs in your reply...

Thank you,

Kevin.

 

fixlist.txt

Link to post
Share on other sites

19 minutes ago, kevinf80 said:

If you have any questions or concerns please ask before running this fix.

What does the fix do with firewall settings? Is there a chance it might break my computer?, i will do it tommorow because it´s midnight in my country

Link to post
Share on other sites


---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.343, (build 1.343.1586.0)
Started On Sat Jul 24 18:48:56 2021

Engine: 1.1.18400.4
Signatures: 1.343.1586.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Quick Scan Results:
-------------------
Threat Detected: VirTool:Win32/DefenderTamperingRestore and Removed!
  Action: Remove, Result: 0x00000000
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sat Jul 24 18:51:46 2021


Return code: 6 (0x6)
 

 

FRST is still fixing, i will post it after it's done

Link to post
Share on other sites

  • Solution

Hiya Kexo,

We do not really have any control over inbound connection attempts, that is the reason to have a good security setup. You have your Firewall and Malwarebytes, it would seem that the connection attempt is sneaking past your Firewall, but that is when Malwarebytes kicks in and stops it dead... Can you check and see if "Remote Desktop Connections are are active, if so can you disable and therefore block that possibility. Instructions at the following link:

https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Thank you,

Kevin.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.