svchost.exe connections to malicious IPs, full scan returns nothing



I've been seeing intermittent instances of this pop up over the last couple of weeks, but no scans by any products return any results. I've done scans with MWB (obviously), MS Safety Scanner, and Kaspersky KVRT, and nothing has come up.

I don't know if this is just a false positive or what, but I can't seem to locate the source of these requests.  Any help you can provide would be very appreciated.

mbst-grab-results.zip is attached, MSERT.log is forthcoming when a second scan completes so I have the log file.


  • Root Admin

Hello @kuri

Please run the following and we'll see what we can find.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


  • Root Admin

Please uninstall the following

Java 8 Update 321

 

The computer is possibly having some issues with your hard drive or drives that might indicate an oncoming failure. It is best that you run Diagnostic software on these drives to make sure nothing is wrong with them.

 

Error: (07/13/2022 08:09:13 AM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (07/13/2022 08:09:13 AM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

 

 


Are you indicating that the Java update is responsible for the "malicious" connections that I keep getting alerted about?

I will look into the disk errors, I run Samsung's software and check my SSD regularly and it hasn't alerted me to any issues or concerns, but I will review again.


I'm a bit confused about those disk errors, after looking I don't *have* a "harddisk1" or a "harddisk2" in my system.  I have a 0 and a 3.

PS C:\Windows\system32> Get-PhysicalDisk | Select -Prop DeviceId,FriendlyName,SerialNumber

DeviceId FriendlyName             SerialNumber
-------- ------------             ------------
3        Kingston DataTraveler G3 001372997D4BEAC0F56E0106
0        Samsung SSD 980 PRO 1TB  0025_38B5_1150_2645.


  • Root Admin

No, I'm not saying Java is doing anything wrong. Just that it's old and possibly compromised. One should always uninstall all old versions of Java and if you really need it keep it up to date at all times. https://java.com

Almost no applications really require Java except P2P programs, which, though legal, are mostly used for stealing software, music, and movies, which is not legal.

 

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007

 

 

Please save the attached file to the same folder where you have the Farbar program and click on the FIX button.

When done, post back as an attachment the FIXLOG.TXT file.

fixlist.txt

Thanks @kuri

 

 


Ok, well I'll just say that there are many legitimate uses for Java as well and leave it at that.  I don't do filesharing.

I'll review your script and get results back to you once I've validated it's safe to run.  Thanks for the help.


Also, as a side note, I think those might have been coming from a quite old USB drive I had plugged into the system.  I've removed it for now to see if any of those errors reoccur.


  • Root Admin

Please check that your Samsung SSD Magician software is up to date. Then have it check for firmware updates.

You can check for updates within the program.

 

Then do SMART check of your drive and then a SHORT test of your drive, please.

 

Not sure why you didn't list your Kingston drive, but I'd look online for software from Kingston to test that drive as well to make sure nothing is wrong with it.

Absolutely, it very well could be from old USB drives plugged into the system. No harm in testing to make sure though.

 

 


  • Root Admin

I just did not want to go on with more extensive testing if you are having a failing drive as that could push it over the edge.

Please go ahead then if you're sure your drives are okay and run the following scanner.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 


I did list my drive...

DeviceId FriendlyName             SerialNumber
-------- ------------             ------------
3        Kingston DataTraveler G3 001372997D4BEAC0F56E0106
0        Samsung SSD 980 PRO 1TB  0025_38B5_1150_2645.

The Kingston is the "old USB drive" that I suspect may have been the source of the error, and I've since removed it from the system and tossed it in the trash. It was a ~15 year old 4GB drive that I was only using for a 3D printer.

I will run some tests with the magician software, but my larger concern here is the unexplained connections from svchost.exe to several IPs that are flagged as malware.  Can you point me in a direction to identify the source of those requests?

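The question above (which service behind svchost.exe is actually opening the flagged connections) can be narrowed down on the affected machine by joining the live TCP table to the process list and the Service Control Manager. This is an added example, not code from the thread; it assumes an elevated PowerShell session, and the two flagged addresses are placeholders from the RFC 5737 documentation ranges.

```powershell
# Added example, not from the original thread: attribute each established
# svchost.exe connection to its PID, image path and the services hosted there.
# Run in an elevated PowerShell session on the affected machine.

# Placeholder list of flagged addresses (RFC 5737 documentation ranges).
# Replace with the IPs from the Malwarebytes alerts, or leave empty to list all.
$flagged = @('203.0.113.10', '198.51.100.7')

# Build a lookup of PID -> hosted service names from the Service Control Manager.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $_.Name
}

# The only legitimate svchost.exe image lives under System32.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$rows = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $flagged.Count -eq 0 -or $flagged -contains $_.RemoteAddress } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # Skip connections owned by anything other than a live svchost.exe.
        if (-not $p -or $p.ProcessName -ne 'svchost') { return }
        [pscustomobject]@{
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            PID      = $_.OwningProcess
            # False (or an empty Path) means the session could not read the
            # image path, or the hosting binary is not the one in System32.
            PathOK   = ($p.Path -eq $expectedPath)
            Path     = $p.Path
            # Services sharing that PID; one of them is making the request.
            Services = ($svcByPid[[int]$_.OwningProcess] -join ', ')
        }
    }

$rows | Format-Table -AutoSize
```

Because the alerts are intermittent, a live snapshot can miss them; enabling "Audit Filtering Platform Connection" (Security event 5156) or Sysmon event 3 records the owning PID for each connection as it happens, which can then be matched to services the same way.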

Looks like we cross posted.

I just tried running the ESET scanner and it almost immediately closes.  I'm seeing this in the event viewer:

Faulting application name: ESETOnlineScanner.exe, version: 10.23.31.0, time stamp: 0x61e82da2
Faulting module name: WININET.dll, version: 11.0.19041.1566, time stamp: 0x58892bb7
Exception code: 0xc0000005
Fault offset: 0x00313278
Faulting process id: 0x680
Faulting application start time: 0x01d89725290a6d22
Faulting application path: C:\Users\XXXXXXXX\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
Faulting module path: C:\Windows\SYSTEM32\WININET.dll
Report Id: f31600e4-1496-4eae-ad24-ef40c39b67ef
Faulting package full name: 
Faulting package-relative application ID: 


  • Root Admin

Okay, let's try this one then.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete the resultant report is normally encrypted, but with the extra command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave it as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you

Just to keep you updated, I do have KVRT running right now, however I am also running sfc alongside it so it's taking a bit longer than expected.  Thank you very much for your help and patience on this, I will post the results ASAP.


Can't answer that, I ran it with the options you outlined, it ran, it said it finished, I copied the file and posted it.

I'll run it again I guess, just to make sure.


  • Root Admin

Yes, it looks like Kaspersky must have changed something. It's running much faster than it did before. Looks like it will be done here in another couple of minutes on my system as well.

Rather strange that ESET would not run.

Microsoft = Clean
Kaspersky = Clean
Malwarebytes = Clean
 

 

Please show me the log or screenshot where you're still getting some Alert, Block, or Popup.

 
