Jump to content

Malwarebytes displaying outbound connections from svchost.exe


Go to solution Solved by Maurice Naggar,

Recommended Posts

I am getting a warning every 10 minutes or so from malwarebytes saying that a possible threat was blocked. The code is: The following website appears malicious: 196.188.115.240. It has been popping up all morning. The port is 50130. For what I was able to find, the ip address is from Ethiopia and is indeed malignant, but I can't seem to find the malware. I suspected I had a malware before because sometimes webpages open by themselves and our internet bandwidth gets maxed out of nothing, and all gets fixed when I shut down the PC. What can I do? Please help!

Link to post
Share on other sites

Hello :welcome: 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Be sure you tell me, whether your pc had a web browser up and running, and which one it ws. Be sure to say which Windows version this pc is on.

can you try using a different web browser?
But in any event, always SAVE the downloads I guide you to. Then after download is complete, you go to the file using File Explorer.
and only then, launch it from there.

Let's do one special run  with Malwarebytes Adwcleaner. 
 
It will not take much time, Read over all lines before starting so that you have a good understanding of the whole method. Take your time and go careful. I ant to make sure you select all of what I list below - before- pressing the "scan" button.
 
First download & save it
 
Then go to where the EXE file is saved. Start Adwcleaner.  Do not rush. There are a few first choices to set as I have listed below.
 
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.
 
When AdwCleaner starts, on the left side of the window, click on “Settings” and then enable these repair actions on that tab-window
by clicking their button to the far-right for ON status
Delete IFEO keys
Delete tracing keys
Delete Prefetch files
Reset Proxy
Reset IE Policies
Reset Chrome policies
Reset Winsock
Reset HOSTS file
 
ADW-s-1.png.c32838f45f840beb2b835ad51f0a1b7c.png
 
 
ONLY after you have set the selections above ....only after that .....
Now On the left side of the AdwCleaner window, click on “Dashboard” and then click “Scan” to perform a computer scan.
 
 
This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the “Quarantine” button To remove what it found.
 
AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
Click on the “Continue” button to finish the removal process.
 
 
 
Attach the clean log from Adwcleaner when all completed. For example AdwCleaner[C00],txt
There is much more to do even after this.
NOTE: The I P Block norice-windows -does- mean that Malwarebytes is keeping the pc safe from potential harm.
Link to post
Share on other sites

I have to ask, whether you followed all my directions AND Ticked all those special boxes I listed on Adwcleaner? The report does not reflect having done that.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select ViewShowFile name extensions

( 2 )

  • EMPTY CACHE on EDGE browser & any other browser:

I simply would like to offer some remarks about Chrome & web browsers & Windows.
By the way, the same principle applies to the Edge browser in Windows 11 / 10. Clearing all cache helps.

The section for EDGE browser how-to https://forums.malwarebytes.com/topic/286888-few-malwares-were-failed-to-removed/?do=findComment&comment=1517006

  • As to Chrome, ( if this pc has Chrome vrowser) insure it is the latest release from Chrome

https://support.google.com/chrome/answer/95414?
On some periodic basis, suggest to delete all Cache content on Chrome for "all time" period. That will help keep Chrome running more snappy.
open Chrome.
At the top right, click More .
Click More tools and then Clear browsing data.
Choose the time range All time.
Select the types of information that you want to remove.
Click Clear data.

( 3 )


Now use the Windows Start menu & do a Shutdown >> Restart

( 4 )

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

 


 

Edited by Maurice Naggar
Link to post
Share on other sites

Thank you, The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites

That run removed many trojans, elements of hack tools, and many exploits. You should give consideration ( if you have a good full backup image from before all this, to do a full image restore from backup) OR to plan to do a clean new rebuild from scvratch of this whole Windows, and later on, doing new fresh program installs for user applications. Think about that.

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

Will do all of that first thing tomorrow morning. Unfortunately I cannot use a fresh windows installation because I don’t have the time right now to do it as there is major work that is being done, and I could swear that my backups would be infected too. I will update you tomorrow morning. 

Link to post
Share on other sites

This is a work computer. Everything started after one of my colleagues opened an email with a supposed pdf file that was not a pdf file. After that, a few days after, I started noticing that weird things were happening, not only on my pc, but also hers and the third pc we have on another office. Those are solely windows machines for office work. Mine is used for 3D drawings and renderings. In January I got a call from the bank asking if I had purchased over 4k at walmart and 1st class tickets to dubai from my credit card, which I didn’t. I ran Windows Defender, Hitman Pro, McAffee, Malwarebytes and never got any threat found, until yesterday I started having this outcoming traces. I found the ip address to be in Ethiopia. Now, I am just doing the math on my head, how my boss will pretty much need to stop the company for pretty much a day and a half so I can make a fresh install of everything. My issue is I am very much sure that the backups are infected too. We also use onedrive under the same account, wich I believe it was how the virus was able to infect all pcs. We have satallite internet at work, 10mb download speeds with shared bandwidth because so far, there was no other isp that would provide service on that address. Installing everything new, mostly from internet downloads in all pcs is something that will take so many hours that I am actually afraid of myself alone will be able to do it all without forgetting something important. 

Link to post
Share on other sites

  • Solution

Hi. My bad for not spotting your last response earlier. But the ESET scan found & removed some 48 threats. Most of them in the folder C:\metasploit-framework\embedded\framework
Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\ruimr\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\ruimr\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.

user posted image

That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230514_203000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply
Link to post
Share on other sites

Do you do software development using Ruby? Did you see the report from Kaspersky? 

Found="43" Neutralized="41"

And if we go back and look at the ESET Online scan, it too had found and removed some 47 files of the C:\metasploit-framework\embedded\framework

Link to post
Share on other sites

Hi. This next is just a report.

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.