Jump to content

Constant outbound spyware blocks, host file still in there somewhere

Go to solution Solved by AdvancedSetup,

Recommended Posts


A few days ago I installed malwarebytes when there were regular cmd popups on my desktop that lasted for only a split second and talked about setting up a server or something; I ran a full scan with my Antivirus program, that found some items but the popups didn't stop, then I downloaded Malwarebytes and ran several full scans with it but that has also not found anything. 


But there have been regular blocks by malwarebytes on the same IP address and domain from svchost.


the cmd popups always have the same heading  that is C:\Users\AppData\Roaming\iudttwa

but when I looked for that file in explorer, it wasn't there and I wasn't able to reach it through cmd commands

Your kind help will be appreciated,

Thanking you in advance


-Log Details-
Protection Event Date: 8/1/22
Protection Event Time: 5:16 PM
Log File: a3ca841e-118f-11ed-9da8-c03eba385a48.json

-Software Information-
Components Version: 1.0.1725
Update Package Version: 1.0.58009
License: Trial

-System Information-
OS: Windows 11 (Build 22000.832)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Spyware
Domain: tob.mygametob.com
IP Address:
Port: 53
Type: Outbound
File: C:\Windows\System32\svchost.exe


Link to post
Share on other sites

  • Root Admin

You have an AutoConfig proxy set on the system

AutoConfigURL: [{196EFC7C-7B64-4A78-86C8-62CB2D0D8586}] => hxxp:// <==== ATTENTION
AutoConfigURL: [S-1-5-21-46002119-4029510697-2126409557-1001] => hxxp:// <==== ATTENTION

You also have some other items running on the system that don't belong. I see you have McAfee installed. That didn't stop it? Or you installed McAfee after the fact?


Link to post
Share on other sites

  • Root Admin

Please click on Start and type in APPWIZ.CPL and run it to uninstall the following

  • Java 8 Update 321 (64-bit)


Did you recently change your Google Chrome profile?  The following looks odd and Farbar called it out as being odd too.

CHR Profile: C:\Users\adity\AppData\Local\Google\Chrome\User Data\Default_Old [2022-07-30] <==== ATTENTION


You really should be very cautious about allowing sites to provide desktop notifications. They can sometimes be from Ads and look like an infection.

CHR Notifications: Default -> hxxps://web.wiseapp.live
CHR Notifications: Default_Old -> hxxps://meet.google.com; hxxps://web.wiseapp.live

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.


Turn notifications on or off - Google Chrome

Web Push notifications in Firefox



Please make sure you disable McAfee real-time protection and exit out of Malwarebytes when you run this fix. Failure to turn off McAfee will result in a failed fix.

Once the fix has completed it should restart the computer and run a disk check. Please do not press any keys, just let it run.

Then once back into Windows find the FIXLOG.TXT file and attach it back on your next reply.



Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.




Link to post
Share on other sites

  • Root Admin

Overall that was a good run. Please look at the following entries that show Windows Defender has exclusions so that it would not check these folder paths or files.


ExclusionPath                                 : {C:\Users\adity\AppData\Local\Temp\csrss, C:\WINDOWS\rss, C:\WINDOWS\system32\, C:\WINDOWS\System32\drivers...}
ExclusionProcess                              : {csrss.exe, windefender.exe}


Please open Windows Defender and manage and remove all of those exclusions. If you need directions on how to do that, please let me know.

Once you have removed the exclusions then run the following.


Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well


Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article



I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 



Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.



It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.



Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

I have removed the exclusions.

The initial outbound connection blocked request is still popping up, since I logged back in with my google account could it have been result of the sync. I will be starting the scan right after sending tis message.

Thank you for all the valueabe time you have given me till now.

I will get back to you ask soon as possible with the log

Link to post
Share on other sites

  • Root Admin

It found part of what we already removed.

Please disable McAfee and run a new Threat scan with Malwarebytes and post back that log.

Then keep McAfee disabled and run the following scanner.


Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.


Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3



Link to post
Share on other sites

  • Root Admin

It should have been removed already, but seeing the log from ESET I can see there are still some unwanted items left we need to remove still.

Please run Farbar again and click the Scan button. Make sure you run with Admin rights. Then attach back both new logs





Link to post
Share on other sites

  • Root Admin

Please locate and delete the following folder.

C:\Users\adity\OneDrive\Pictures\Adobe Films

Everything under that folder should not be real, valid data from you.. It's part of an infection, but because it's on the OneDrive most AV is probably having trouble accessing it to remove it.


You also have some king of app that looks like it's trying to update your browser that's faulting.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.