dsoto36 Posted August 5, 2022 ID:1527792 Share Posted August 5, 2022 I got a report last night at around 1am, when I was about to turn off my computer I saw I got a malwarebytes notice stating it blocked a website from being accessed. It shows my system32 as a location which is confusing, I did some poking around and saw people were saying svchost.exe is used as a trojan (Im not too sure). It isn't running on my task manager. I decided to block the IP on my firewall but this morning I checked the location of the IP and it's in a river in china. I tried checking if the ip address showed up on my cmd, there was nothing. I checked other foreign addresses and I didn't find anything suspicious. I don't know if someone has access to my computer on the backend, if i can't figure it out, I'm going to do a complete wipe. I appreciate any help! Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 8/5/22 Protection Event Time: 1:58 AM Log File: bdb61004-149c-11ed-a59e-18c04d83daa4.json -Software Information- Version: 4.5.12.204 Components Version: 1.0.1725 Update Package Version: 1.0.58203 License: Trial -System Information- OS: Windows 10 (Build 19044.1826) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Compromised Domain: IP Address: 60.26.3.66 Port: 64347 Type: Outbound File: C:\Windows\System32\svchost.exe (end) Link to post Share on other sites More sharing options...
1PW Posted August 6, 2022 ID:1527820 Share Posted August 6, 2022 Hello @dsoto36 and : While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following: I'm infected - What do I do now? Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic. Thank you. Link to post Share on other sites More sharing options...
dsoto36 Posted August 6, 2022 Author ID:1527821 Share Posted August 6, 2022 Okay, gotcha! Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 6, 2022 ID:1527856 Share Posted August 6, 2022 (edited) Hello @dsoto36 Some starter tips: Beginning with advice to not go off on a web-search looking to see what 'folks at large' say about 'svchost'. The issue ( of block notices) that started out this case were due to attempted probes from the outside. The real-time protection of Malwarebytes for Windows is keeping the pc safe. They will continue to do so, given that you have Malwarebytes Trial or have Malwarebytes Premium. Here are some general conclusions & some tips. The blocks are on addresses that are (likely) attempting to do a forced attempt to exploit remote-desktop-protocol. The Real Time Protection of Malwarebytes for Windows is actively doing it's job to protect the system. I would recommend that if you have a internet-connection-router hardware at home, that you look over this article "How to Enable Your Wireless Router's Built-in Firewall"https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668 In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period. If you wish to do so, here is one how-to guide for the Windows software firewallhttps://www.interserver.net/tips/kb/add-ip-address-windows-firewall/ Additionally or alternatively, if this is on Windows 10 PRO and if you do not need or use Remote Desktop, you can turn that off.https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html This Windows version is a PRO edition. IF you do not use remote desktop access to other outside machines, then I suggest you turn R D P to Off. The probers look for PRO or Enterprise editions as a prime potential target for exploitation. . Here is how to block a port number in Windows https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/ How to Change the port number for RDP https://tunecomp.net/change-remote-desktop-port-windows-10/ ALSO see this Malwarebytes support articlehttps://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise Edited August 6, 2022 by Maurice Naggar Link to post Share on other sites More sharing options...
dsoto36 Posted August 6, 2022 Author ID:1527893 Share Posted August 6, 2022 Hello @Maurice Naggar Thanks for the advice, I did not disable my Malwarebytes to stop notices, I am concern with these alerts. I turned off UPnP for my router which allowed devices to bypass the routers firewall. I added the attackers IP to windows firewall to block it. I check the Remote Desktop slider and it was already set to off (I do not have Windows Pro). I blocked the three port numbers and the Ip he used. I also wanted to ask, I blocked the attackers ports on the inbound section as the website instructed but do I add it to outbound as well? (Same question for the IP address). I went ahead and changed my port number as instructed. I read the Malwarebytes article as well, I appreciate the information! I attached the other relevant reports as well, if needed. Thabk you! report-1.txt report-2.txt report-3.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 6, 2022 ID:1527900 Share Posted August 6, 2022 Please make very sure you did NOT block port 80. and for time being, don't sweat about any more firewall adjustments. Next action: Do a Scan with Malwarebytes & be sure to select (tick) all lines / elements tagged by it & have them Quarantined ( if any found). Next I would like a report set for review. This is a report only. Please download MALWAREBYRES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply The IP block actions by Malwarebytes are keeping the machine safe from potential threats. We do need the support zip reports to see more detail ( the screen grabs just do not have full details + those screens give no clue as to what processes are running. Link to post Share on other sites More sharing options...
dsoto36 Posted August 7, 2022 Author ID:1527938 Share Posted August 7, 2022 I did a full scan and then gathered the logs. Did you wanted the scan as well or the archive only? mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 7, 2022 ID:1527940 Share Posted August 7, 2022 This will do. Going to review & then later ( soon) get back to you. 😁 Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 7, 2022 ID:1527947 Share Posted August 7, 2022 The good news from last report is that the "compromised IP blocks" have not repeated after 5 August. As to antivirus application, I did not see "Norton Security" as an installed program. There had been some indication that it had been installed in the past. The next task is intended to run the Windows System File Checker to check the system. And to remove many countless allowances on firewall rules to allow port # 9009. This run will attempt to update Microsoft Defender A-V and attempt a quick scan. Next, a custom script to do checks & selected cleanups. We will use FRSTENGLISH.exe on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Dsoto36 only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Link to post Share on other sites More sharing options...
dsoto36 Posted August 7, 2022 Author ID:1527953 Share Posted August 7, 2022 Hello, sorry about the wait! I remember I got on my computer one day and saw norton was installed. I was very confused, I removed it because I did not install it (about half a year or more ago). General curiosity, removing allowances on firewall rules to allow port # 9009, does this remove loop holes for possible attacks? I am generally interested to learn more! Fixlog is attached below, Thank you! Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 7, 2022 ID:1527956 Share Posted August 7, 2022 Yes the cleanup of allowances of port 9009 does remove a potential avenue of some potential threat. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 7, 2022 ID:1527958 Share Posted August 7, 2022 The last run is good. Microsoft System File Checker / Windows Resource Protection found corrupt files and successfully repaired them. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on Scan Options & select FULL scan . Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply. We will do more later. Link to post Share on other sites More sharing options...
dsoto36 Posted August 8, 2022 Author ID:1527966 Share Posted August 8, 2022 The scan progress is over half as of now. Apologies if it takes very long. Another thing to ask, I just bought a laptop for school/work purposes and apparently I got two notices of the same type of attacks (Before this computer got it's notices). I haven't used it yet for work/school, I just set up git (installed git bash) and synced my google account. I let my brother use it to play games on steam, he hasn't downloaded any software without my permission. Apologies to include this in this thread, I don't want to overwhelm you. General thoughts on this? I'm assuming it's the same issue im having on this desktop. Link to post Share on other sites More sharing options...
dsoto36 Posted August 8, 2022 Author ID:1527973 Share Posted August 8, 2022 msert.log Link to post Share on other sites More sharing options...
dsoto36 Posted August 8, 2022 Author ID:1527974 Share Posted August 8, 2022 Sorry, this is the correct log. Ignore the one above. msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 8, 2022 ID:1527998 Share Posted August 8, 2022 Kindly keep in mind that the Malwarebytes real-time protections are keeping the system safe from potential harm. Also, the Microsoft Safety Scanner found no actual infection. There is 1 file I had noticed before that we should delete. On the Taskbar Search box, type in cmd.exe click the line for "run as administrator" It is best to use the Windows Copy ( CTRL+ C ) and paste ( CTRL+V ) for the whole line, as-is On that command prompt, Copy & Paste this command del /s /q C:\Users\David\AppData\Local\2613946761 press Enter-key on keyboard This scan you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Full scan Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occurred and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
dsoto36 Posted August 9, 2022 Author ID:1528058 Share Posted August 9, 2022 I removed the file. Scan is finished and report is attached below. eset-report.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 9, 2022 ID:1528090 Share Posted August 9, 2022 The ESET Online scanner found no virus; no trojans; no malware. Let's check your system with another ( different ) antivirus scan tool. Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021) Download: Kaspersky Virus Removal Tool How to run a scan with Kaspersky Virus Removal Tool 2020 https://support.kaspersky.com/15674 How to run Kaspersky Virus Removal Tool 2020 in the advanced mode https://support.kaspersky.com/15680 How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan https://support.kaspersky.com/15681 Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt Note the space between KVRT.exe and -dontencryptC:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed... Thank you Link to post Share on other sites More sharing options...
dsoto36 Posted August 9, 2022 Author ID:1528163 Share Posted August 9, 2022 report_2022.08.09_14.30.28..txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 10, 2022 ID:1528176 Share Posted August 10, 2022 Kaspersky scan reports no virus; no malware found. Very good result. How is situation at this point? [ 2 ] I would recommend getting a readout report as to update status of some key apps. Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Link to post Share on other sites More sharing options...
dsoto36 Posted August 10, 2022 Author ID:1528188 Share Posted August 10, 2022 Hello, the situation seems fine at this point. No reports from MWB(Malwarebytes). Quick question, is Microsoft defender disabled when there is another anti-virus software (MWB) or is there a setting I need to enable it by? Appreciate the help! SecurityCheck.txt Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted August 10, 2022 Solution ID:1528206 Share Posted August 10, 2022 (edited) Per the SecurityCheck, there are a few apps that need your attention to get the latest updates. Python 3.10.2 (64-bit) v.3.10.2150.0 Warning! Download Update WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update Discord v.1.0.9002 Warning! Download Update Microsoft Teams v.1.4.00.19572 Warning! Download Update Zoom v.5.10.1 (4420) Warning! Download Update As to antivirus: At the time that you had first installed Norton Security, it would have disabled Microsoft Defender. There seems to be some sort of leftover traces of Norton Security. I believe we need to run a cleanup tool. Download and Save, and then run the Norton tool. See this article at Norton support The goal is to run the tool to do a "removal" & at the end, do a Windows Restart. One other step: Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Close Malwarebytes. > When all done, get into Windows Settings >>>Windows Security and check the status and turn ON Microsoft Defender. Edited August 10, 2022 by Maurice Naggar Link to post Share on other sites More sharing options...
dsoto36 Posted August 10, 2022 Author ID:1528240 Share Posted August 10, 2022 Everything seems to be in working order now. Appreciate everything Maurice! Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 10, 2022 ID:1528262 Share Posted August 10, 2022 This system is good-to-go. This here is for tools cleanup. Please download KpRm by kernel-panik and save it to your desktop. right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up. Delete mb-support-1.8.7.918.exe Delete mbst-grab-results.zip on the Desktop Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. I am marking this case for closure. I wish you all the best. Stay safe. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 10, 2022 ID:1528263 Share Posted August 10, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts