Constant outbound spyware blocks, host file still in there somewhere

[GrandVizierWazir]

Hello,

A few days ago I installed malwarebytes when there were regular cmd popups on my desktop that lasted for only a split second and talked about setting up a server or something; I ran a full scan with my Antivirus program, that found some items but the popups didn't stop, then I downloaded Malwarebytes and ran several full scans with it but that has also not found anything. 

 

But there have been regular blocks by malwarebytes on the same IP address and domain from svchost.

 

the cmd popups always have the same heading  that is C:\Users\AppData\Roaming\iudttwa

but when I looked for that file in explorer, it wasn't there and I wasn't able to reach it through cmd commands

Your kind help will be appreciated,

Thanking you in advance

''Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/1/22
Protection Event Time: 5:16 PM
Log File: a3ca841e-118f-11ed-9da8-c03eba385a48.json

-Software Information-
Version: 4.5.12.204
Components Version: 1.0.1725
Update Package Version: 1.0.58009
License: Trial

-System Information-
OS: Windows 11 (Build 22000.832)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Spyware
Domain: tob.mygametob.com
IP Address: 34.64.103.230
Port: 53
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)''

[GrandVizierWazir]

ps: I have also tried scanning with malwarebytes anti rootkit and adwcleaner but they didn't catch it

 

Here are the FARBAR files

 

FRST.txt Addition.txt

[AdvancedSetup]

You have an AutoConfig proxy set on the system

AutoConfigURL: [{196EFC7C-7B64-4A78-86C8-62CB2D0D8586}] => hxxp://35.236.159.79/win.pac <==== ATTENTION
AutoConfigURL: [S-1-5-21-46002119-4029510697-2126409557-1001] => hxxp://35.236.159.79/win.pac <==== ATTENTION

You also have some other items running on the system that don't belong. I see you have McAfee installed. That didn't stop it? Or you installed McAfee after the fact?

 

[GrandVizierWazir]

McAfee has been on my system ever since the day I bought it and I have been using it actively ever since with almost all its features enabled. I also try to run scans as often as possible. 

I was not aware of what an autoconfig proxy is, how could it have been there?

[AdvancedSetup]

Generally speaking malware of some type, typically Trojans put it there.

Let me write you a script to clean up the computer a bit. Then we'll use some other scanners too.

 

 

[GrandVizierWazir]

Yes, please

 

[AdvancedSetup]

Please click on Start and type in APPWIZ.CPL and run it to uninstall the following

• Java 8 Update 321 (64-bit)
   

 

Did you recently change your Google Chrome profile?  The following looks odd and Farbar called it out as being odd too.

CHR Profile: C:\Users\adity\AppData\Local\Google\Chrome\User Data\Default_Old [2022-07-30] <==== ATTENTION

 

You really should be very cautious about allowing sites to provide desktop notifications. They can sometimes be from Ads and look like an infection.

CHR Notifications: Default -> hxxps://web.wiseapp.live
CHR Notifications: Default_Old -> hxxps://meet.google.com; hxxps://web.wiseapp.live

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

Please make sure you disable McAfee real-time protection and exit out of Malwarebytes when you run this fix. Failure to turn off McAfee will result in a failed fix.

Once the fix has completed it should restart the computer and run a disk check. Please do not press any keys, just let it run.

Then once back into Windows find the FIXLOG.TXT file and attach it back on your next reply.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[GrandVizierWazir]

Yes, I had logged back into my google account when it was logged out due to sensing suspicious activity from the spyware.

The push notifications are from a trusted website but I would turn them off

I have turned back on the real time protection.

The fix has ran, here are the results

 

Fixlog.txt

[AdvancedSetup]

Overall that was a good run. Please look at the following entries that show Windows Defender has exclusions so that it would not check these folder paths or files.

 

ExclusionPath                                 : {C:\Users\adity\AppData\Local\Temp\csrss, C:\WINDOWS\rss, C:\WINDOWS\system32\, C:\WINDOWS\System32\drivers...}
ExclusionProcess                              : {csrss.exe, windefender.exe}

 

Please open Windows Defender and manage and remove all of those exclusions. If you need directions on how to do that, please let me know.

Once you have removed the exclusions then run the following.

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

Edited August 1, 2022 by AdvancedSetup
Updated information

[GrandVizierWazir]

I have removed the exclusions.

The initial outbound connection blocked request is still popping up, since I logged back in with my google account could it have been result of the sync. I will be starting the scan right after sending tis message.

Thank you for all the valueabe time you have given me till now.

I will get back to you ask soon as possible with the log

[GrandVizierWazir]

I had no idea that the exclusions were there, do they get added automatically?

[AdvancedSetup]

No, malware does it.

Please temporarily disable McAfee and exit out of Malwarebytes and run the Microsoft Safety Scanner

Post the log as an attachment when it completes

 

[GrandVizierWazir]

hello, thank you for waiting, here are the logs attached. Though the outbound connection logs have not stopped yet

msert.log

[GrandVizierWazir]

Though I must metion that the machine slept quite a few times during the scan and had to be turned back on

 

[AdvancedSetup]

It found part of what we already removed.

Please disable McAfee and run a new Threat scan with Malwarebytes and post back that log.

Then keep McAfee disabled and run the following scanner.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

• It will start a download of "esetonlinescanner.exe"
• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started. 
• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes 
• When prompted for scan type, Click on Full scan 
• Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
• Have patience.  The entire process may take an hour or more. There is an initial update download.
• There is a progress window display.
• You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
• When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.
• If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
• Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

[GrandVizierWazir]

hello,

Here are the threat scan and the eset scan logs

esetscanlog.txt threatscanlog.txt

[GrandVizierWazir]

As I was saying what about the C:\Users\adity\AppData\Roaming\iudttwa file that was always on the head of the command prompt that popped up, was it removed or what?

[AdvancedSetup]

It should have been removed already, but seeing the log from ESET I can see there are still some unwanted items left we need to remove still.

Please run Farbar again and click the Scan button. Make sure you run with Admin rights. Then attach back both new logs

FRST.TXT
ADDITIONS.TXT

 

Thanks

 

[GrandVizierWazir]

Hello,

Thank you for your time, kindly find the logs attached

Addition.txt FRST.txt

[AdvancedSetup]

Do you have or use a paid version of Malwarebytes or the free version? Just want to know if you're using active real-time protection or not

 

 

[GrandVizierWazir]

It is the free version but under premium trial, so I am using it rn

[AdvancedSetup]

No problem. Thanks for the update

 

[GrandVizierWazir]

any breakthroughs on observing the new logs?

[AdvancedSetup]

https://www.youtube.com/watch?v=P_kaSPvGEsI

Please locate and delete the following folder.

C:\Users\adity\OneDrive\Pictures\Adobe Films

Everything under that folder should not be real, valid data from you.. It's part of an infection, but because it's on the OneDrive most AV is probably having trouble accessing it to remove it.

 

You also have some king of app that looks like it's trying to update your browser that's faulting.

C:\Users\adity\AppData\Local\Temp\IXP000.TMP\UpdateBrowserForApp.exe

 

[AdvancedSetup]

This was here yesterday, but looks like it's gone today

C:\WINDOWS\system32\ZX8U6EJXNL.tmp

You need a better antivirus to protect the system even if it's not ours. Check out the video I linked to and make up your own mind.