Hi - I just bought Malwarebytes Premium and have run some scans. First of all, even when not running any scans, MWB keeps popping up a message that it is blocking a connection to a website: 52.53.192.135 on port 7700. Second, when I run a scan it finds detections, I quarantine them and run another scan, and it keeps finding detections. I have yet to get to a point where it finds no more detections. What is going on?

 


  • Root Admin

Hello @zortag

Can you please post back the scan log so that we can review. Then run the following as well and post back the logs.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


To be clear, the "detections" seemed to be mostly PUPs not malware threats. The detection history for 52.53.192.135 says "malware" but it is an outbound connection from C:\Windows\SysWow64\svchost.exe to 52.53.192.135 on port 7700 and that IP address is for Amazon.com.

 


  • Root Admin

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

[screenshot]
RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

[screenshot]

If you click on the View option you should get something similar to the following with other options available.

 

[screenshot]

  • Root Admin
22 minutes ago, AdvancedSetup said: [quoting the Farbar Recovery Scan Tool instructions above]

The Farbar program is safe to download and use. If Smart Screen or your Antivirus block it please set it to allow.

[screenshot]

By the way, I reran MWB and it found no more "detections" but I am still getting that popup warning about blocked website.

How do I make that warning stop? I have no idea if that IP address is safe or not. I don't want to see that warning popup every 3 minutes!

 


  • Root Admin

Please give me time to review your logs. The IP address is listed as a bad site. Why your computer is trying to contact it is what I'm looking for.

The program should not be producing Ads. It might have other product information within the program.

 

Please go to Control Panel, Programs, Programs and Features and uninstall the following

 

  • Bonjour
  • Java SE Development Kit 8 Update 111
  • Java 8 Update 251
  • Java 8 Update 111

 

 

Your network card software is having some type of fault issue.

 

Application errors:
==================
Error: (10/27/2021 12:26:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: KNDBWM.exe, version: 3.0.4000.0, time stamp: 0x606caa48
Faulting module name: KNDBWM.exe, version: 3.0.4000.0, time stamp: 0x606caa48
Exception code: 0xc0000005
Fault offset: 0x0000000000078374
Faulting process id: 0x28324
Faulting application start time: 0x01d7cb688d7f0bfc
Faulting application path: C:\WINDOWS\System32\drivers\RivetNetworks\Killer\KNDBWM.exe
Faulting module path: C:\WINDOWS\System32\drivers\RivetNetworks\Killer\KNDBWM.exe
Report Id: d417e804-0047-4116-be3e-0189e6256bc3
Faulting package full name:
Faulting package-relative application ID:

 

 

 

Not needed. This is from 2013 and there are no updates from that long ago. This is wasting resources of the computer.
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard Company -> Hewlett-Packard)


Do you still run any software from 2013 that requires this licensing software? Maybe MATLAB?
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2075480 2013-06-24] (Flexera Software LLC -> Flexera Software LLC.)


Do you still run these applications? Not saying they're bad, only that they're very old now.
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [35648 2015-01-19] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [17600 2015-01-19] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFProHook] => C:\Program Files (x86)\Nuance\PDF Professional 7\pdfpro7hook.exe [641864 2013-03-20] (Nuance Communications, Inc. -> Nuance Communications, Inc.)

 

What is this software? Do you still use it?
HKLM-x32\...\Run: [Dimension4] => C:\Program Files (x86)\D4\D4.exe [355840 2013-11-27] (Thinking Man Software) [File not signed]

 

Again, nothing wrong with this if you're using it, but it is very old now.
HKU\S-1-5-21-597201372-2591535210-1504292889-1001\...\Run: [HP Officejet 6600 (NET)] => C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett Packard -> Hewlett-Packard Co.)
HKLM\...\Print\Monitors\HP 5D12 Status Monitor: C:\Windows\system32\hpinksts5D12LM.dll [332176 2012-09-12] (Hewlett Packard -> Hewlett-Packard Co.)
HKLM\...\Print\Monitors\HP Discovery Port Monitor (HP Officejet 6600): C:\Windows\system32\HPDiscoPM5D12.dll [741480 2012-10-17] (Hewlett Packard -> Hewlett-Packard Co.)

 

I find it very difficult to believe that a program from 2002 is both working and needed on Windows 10. Are you still using this?
HKU\S-1-5-21-597201372-2591535210-1504292889-1001\...\Run: [TopmostClock] => C:\Program Files (x86)\Topmost Clock\TopMostClock.exe [540672 2002-09-07] () [File not signed]

 


Nothing wrong with this remote control application, but having it run when the computer starts may not be needed.
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk [2020-01-09]
ShortcutTarget: AnyDesk.lnk -> C:\Program Files (x86)\AnyDesk\AnyDesk.exe (philandro Software GmbH -> philandro Software GmbH)

 

What is this software?
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TREZOR Bridge.lnk [2020-06-02]
ShortcutTarget: TREZOR Bridge.lnk -> C:\Program Files (x86)\TREZOR Bridge\trezord.exe (SatoshiLabs, s.r.o. -> )

 

 

 

 

 

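The post above works through FRST's autostart listing by hand: for each Run key value and Startup shortcut it asks whether the file is signed, how old it is, and whether it is still needed. The following is an added example, not code from the thread or from FRST, that produces the same kind of listing on the machine itself so the old and unsigned entries stand out. It reads the 64-bit and 32-bit (WOW6432Node) HKLM Run keys, the current user's Run key, and the all-users Startup folder, then annotates every target with its last-write date and Authenticode status. The function names (`Resolve-RunTarget`, `Get-AutostartEntries`) and the five-year age threshold are this example's own choices; it assumes Windows PowerShell 5.1, where the WScript.Shell COM object is available to resolve .lnk targets.

```powershell
# Added example (not from the thread): enumerate the autostart locations that
# FRST reports and annotate each entry with file date and signature status.
# Assumes Windows PowerShell 5.1 on a 64-bit Windows install.

function Resolve-RunTarget {
    param([string] $Command)
    # Run values look like  "C:\path\app.exe" /arg   or   C:\path\app.exe /arg.
    # Unquoted paths containing spaces are not handled; FRST resolves those too.
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutostartEntries {
    $keys = @(
        @{ Name = 'HKLM';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
        @{ Name = 'HKLM-x32'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' },
        @{ Name = 'HKU';      Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    )
    $entries = @(foreach ($k in $keys) {
        if (-not (Test-Path $k.Path)) { continue }
        $props = Get-ItemProperty -Path $k.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
            [pscustomobject]@{ Source = $k.Name; Name = $p.Name; Target = (Resolve-RunTarget $p.Value) }
        }
    })

    # All-users Startup folder: resolve each .lnk to the executable it launches.
    $shell   = New-Object -ComObject WScript.Shell
    $startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
    $entries += @(foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'Startup'; Name = $lnk.Name; Target = $shell.CreateShortcut($lnk.FullName).TargetPath }
    })

    foreach ($e in $entries) {
        $file = Get-Item -LiteralPath $e.Target -ErrorAction SilentlyContinue
        # Get-AuthenticodeSignature also honours catalog signatures, so in-box Microsoft
        # binaries report Valid even though they carry no embedded signature.
        $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }
        [pscustomobject]@{
            Source    = $e.Source
            Name      = $e.Name
            Target    = $e.Target
            Exists    = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime.ToString('yyyy-MM-dd') } else { '' }
            SigStatus = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Flag for review: file missing, not validly signed, or untouched for over five years
            # (threshold chosen for this example; FRST prints the date and leaves the judgement to you).
            Review    = (-not $file) -or ($sig.Status -ne 'Valid') -or ($file.LastWriteTime -lt (Get-Date).AddYears(-5))
        }
    }
}

Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

The `Review` column reproduces the judgement calls made in the post (the unsigned `D4.exe` and the 2002-vintage `TopMostClock.exe` would both be flagged), but it is a triage aid, not a verdict: an old signed HP updater is a waste of resources rather than malware, and an unsigned file is only worth removing once you know what installed it. Per-user Run keys of other accounts (the `HKU\S-1-5-21-...` entries in FRST) are not covered here because they are only mounted while that user is logged on.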

I have removed the following: Bonjour, all the Java SDK and update stuff, HP programs, Nuance, Dimension4, TopmostClock, and AnyDesk.

The WIFI card error doesn't matter because this computer is hardwired to the router (Ethernet cable).

Yes I still need Matlab licensing. 

The Trezor files are for a crypto hardware wallet. I need those files and won't remove them.

Do you want me to run another frst64 scan?

 

 


  • Root Admin

No problem about the software. Just asking to make sure. If you use any of it that's okay.

No, let's run a Microsoft scan and an ESET scan, please.

 

STEP 1

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

STEP 2

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

 


C:\WINDOWS\system32>tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1164 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                   1332 RpcEptMapper, RpcSs
svchost.exe                   1388 LSM
svchost.exe                   1492 TermService
svchost.exe                   1544 lmhosts
svchost.exe                   1556 BTAGService
svchost.exe                   1564 BthAvctpSvc
svchost.exe                   1572 bthserv
svchost.exe                   1700 NcbService
svchost.exe                   1724 TimeBrokerSvc
svchost.exe                   1800 hidserv
svchost.exe                   1940 EventLog
svchost.exe                   1112 nsi
svchost.exe                   2064 Dhcp
svchost.exe                   2092 Schedule
svchost.exe                   2384 NlaSvc
svchost.exe                   2536 ProfSvc
svchost.exe                   2544 Themes
svchost.exe                   2552 SysMain
svchost.exe                   2560 EventSystem
svchost.exe                   2736 SENS
svchost.exe                   2860 netprofm
svchost.exe                   2896 UserManager
svchost.exe                   3016 DeviceAssociationService
svchost.exe                    836 AudioEndpointBuilder
svchost.exe                    860 FontCache
svchost.exe                   3240 WinHttpAutoProxySvc
svchost.exe                   3304 Dnscache
svchost.exe                   3328 SSDPSRV
svchost.exe                   3392 Audiosrv
svchost.exe                   3452 DusmSvc
svchost.exe                   3460 Wcmsvc
svchost.exe                   3708 Winmgmt
svchost.exe                   3864 WlanSvc
svchost.exe                   3904 UmRdpService
svchost.exe                   3960 ShellHWDetection
svchost.exe                   4024 BFE, mpssvc
svchost.exe                   4064 CertPropSvc
svchost.exe                   3116 LanmanWorkstation
svchost.exe                   4108 SessionEnv
svchost.exe                   4204 StateRepository
svchost.exe                   4428 DiagTrack
svchost.exe                   4436 CryptSvc
svchost.exe                   4444 CoreMessagingRegistrar
svchost.exe                   4464 IKEEXT
svchost.exe                   4476 DPS
svchost.exe                   4492 iphlpsvc
svchost.exe                   4500 SstpSvc
svchost.exe                   4508 LDrvSvc
svchost.exe                   4544 TrkWks
svchost.exe                   4556 Netman
svchost.exe                   4564 WpnService
svchost.exe                   4580 stisvc
svchost.exe                   4780 TapiSrv
svchost.exe                   5020 WdiServiceHost
svchost.exe                   5332 LanmanServer
svchost.exe                   5516 RasMan
svchost.exe                   6616 PolicyAgent
svchost.exe                   1712 DispBrokerDesktopSvc
svchost.exe                   8816 NgcSvc
svchost.exe                   4264 lfsvc
svchost.exe                   4412 PcaSvc
svchost.exe                   8972 CDPUserSvc_1a2686
svchost.exe                   8336 BluetoothUserService_1a2686
svchost.exe                   2744 WpnUserService_1a2686
svchost.exe                    752 TabletInputService
svchost.exe                   8836 TokenBroker
svchost.exe                   1588 UsoSvc
svchost.exe                  10112 CDPSvc
svchost.exe                   4408 RmSvc
svchost.exe                   6972 OneSyncSvc_1a2686,
                                   PimIndexMaintenanceSvc_1a2686,
                                   UnistoreSvc_1a2686, UserDataSvc_1a2686
svchost.exe                  10544 NgcCtnrSvc
svchost.exe                  11252 cbdhsvc_1a2686
svchost.exe                   7748 LicenseManager
svchost.exe                  13928 BITS
svchost.exe                  12256 wscsvc
svchost.exe                   3496 WbioSrvc
svchost.exe                  10404 StorSvc
svchost.exe                   1008 InstallService
svchost.exe                  17440 W32Time
svchost.exe                  18020 DsSvc
svchost.exe                   1604 Appinfo
svchost.exe                 103324 QWAVE
svchost.exe                 228556 DoSvc
svchost.exe                 254524 DeviceInstall
svchost.exe                 262732 camsvc
svchost.exe                 162032 wuauserv
svchost.exe                 253068 seclogon
svchost.exe                 234980 WdiSystemHost
svchost.exe                  36044 WaaSMedicSvc

C:\WINDOWS\system32>

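The `tasklist /svc` output above shows which services each svchost.exe hosts, but not which of those processes is the one opening the blocked connection, nor whether that process really is the in-box `svchost.exe` (the block message names `C:\Windows\SysWow64\svchost.exe`, the 32-bit copy, whereas 64-bit Windows runs its own services from `System32`). The following is an added example, not code from the thread or from Malwarebytes, that joins those pieces: it waits for a live socket to the reported address and port, then maps the owning PID to its image path, command line, hosted services and Authenticode status. The function name `Get-ConnectionOwner`, the `$Attempts` polling parameter and the 52.53.192.135:7700 values in the final call are taken from this thread or chosen for the example; it assumes an elevated Windows PowerShell 5.1 or later session on Windows 8.1/10/11, where `Get-NetTCPConnection` exists.

```powershell
# Added example (not from the thread): map a blocked outbound connection back to
# the owning process and, for svchost.exe, the hosted Windows service(s).
# Assumes an elevated Windows PowerShell 5.1+ console on Windows 8.1/10/11.

function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [Parameter(Mandatory)] [int]    $RemotePort,
        [int] $Attempts = 30                     # polling budget chosen for this example
    )
    # Get-NetTCPConnection only lists sockets that exist at that instant. A
    # connection Malwarebytes resets can vanish quickly, so poll for a while.
    $conns = @()
    for ($i = 0; $i -lt $Attempts -and $conns.Count -eq 0; $i++) {
        $conns = @(Get-NetTCPConnection -RemoteAddress $RemoteAddress `
                                        -RemotePort $RemotePort `
                                        -ErrorAction SilentlyContinue)
        if ($conns.Count -eq 0) { Start-Sleep -Seconds 2 }
    }
    if ($conns.Count -eq 0) {
        Write-Warning "No live socket to ${RemoteAddress}:${RemotePort} seen in $Attempts attempts; a Sysmon network-connect event (ID 3) or the Malwarebytes RTP log will still name the process."
        return
    }

    foreach ($c in ($conns | Sort-Object OwningProcess -Unique)) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        # svchost.exe hosts one or more services; Win32_Service records the hosting PID,
        # which is the same mapping tasklist /svc prints.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                Select-Object -ExpandProperty Name
        # In-box binaries are catalog-signed; Get-AuthenticodeSignature checks catalogs too.
        $sig  = if ($proc.ExecutablePath) { Get-AuthenticodeSignature -FilePath $proc.ExecutablePath }

        [pscustomobject]@{
            State       = $c.State
            PID         = $c.OwningProcess
            Image       = $proc.ExecutablePath
            CommandLine = $proc.CommandLine      # svchost usually shows "-k <group>" and often "-s <service>"
            Services    = ($svcs -join ', ')
            Signature   = if ($sig) { "$($sig.Status) $($sig.SignerCertificate.Subject)".Trim() } else { 'n/a' }
            # 64-bit Windows runs its own services from System32; a SysWOW64
            # svchost.exe with an outbound connection deserves a closer look.
            SysWOW64    = [bool]($proc.ExecutablePath -like '*\SysWOW64\*')
        }
    }
}

Get-ConnectionOwner -RemoteAddress '52.53.192.135' -RemotePort 7700 | Format-List
```

Two readings of the result matter here. If the image is `C:\Windows\System32\svchost.exe` with a valid Microsoft signature and a recognisable service (for instance one of the update or delivery services in the list above), the block is a reputation hit on a cloud-hosted address rather than evidence of infection, and the service name tells you which program to look at. If the image is a SysWOW64 or otherwise unexpected `svchost.exe`, is unsigned, or hosts no service at all (an empty `Services` column), the process itself is the thing to investigate, and the scans the admin requested are the right next step.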

  • Root Admin

Nonetheless, to verify that one or more of the programs on the system are not infected, it's still best to run the other AV scans I listed.

I can provide you a generic clean up script as well afterwards that will help the overall operations of the computer.

 
