
Inbound Connection Attempts, sfc found corrupt files - Am I infected


Solved by Maurice Naggar

Hi,

About 1 week ago, I noticed a few inbound connection attempts being blocked by Malwarebytes. I didn't think too much of it, but yesterday I got another attempt blocked. At this point, with the connections still happening, I ran `sfc /scannow` and it did find and fix corrupted files; I've included the log below.

The last connection attempt looked like this.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/16/23
Protection Event Time: 5:07 PM
Log File: e15cbc0c-2435-11ee-a480-f02f7418bc8e.json

-Software Information-
Version: 4.5.33.272
Components Version: 1.0.2069
Update Package Version: 1.0.72517
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3208)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 71.6.232.27
Port: 0
(No malicious items detected)
Type: Inbound
File: System

(end)

Overall the computer feels sluggish; I had +5 GB RAM allocated for explorer and +20 GB on the page file, and that's after closing everything but Discord.

Perhaps it's just a hardware issue, but I'm up for some peace of mind. Thanks for the help.

Full scan with malwarebytes and eset shows nothing.

I've included Malwarebytes Support Tool logs, along with the cbs log from sfc. Thanks again.

log_C-B-S.txt, mbst-grab-results.zip


Hello

I will guide you along in looking for remaining malware. Let's keep these principles in mind as we go along.

  • Thanks for the reports.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked, or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is also at times a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

This OS is Windows 10 Home Version 22H2 19045.3208 (X64). Let's start with these first steps. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article.
Please use this Guide

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off. Be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.


Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner.

Guide article

Attach the clean log from AdwCleaner when all completed.


Hi Maurice,

Thanks for the help. I've closed Discord and turned off the Windows `Always register Malwarebytes in the Windows Security Center` option.

As for closing Malwarebytes, do you mean fully closing it, like right-clicking in the system tray and choosing `Quit Malwarebytes`?


Thanks for such speedy responses! :)

I ran the scan and it found nothing, but I had a thought to check task manager and saw (even though no windows are visible) there were 6 processes for edge running. I closed all of them and re-ran the scan.

Sorry I didn't think to check task manager for background processes. Both scans show nothing found.

AdwCleaner[S00].txt, AdwCleaner[S01].txt


As to Task Manager, the 6 lines for Edge were there due to having many tabs open in Edge. Close Task Manager. No need to be poking about there. The block notices from Malwarebytes mean that it is protecting your system from potential harm. Chrome was in use when, for example, Malwarebytes was protecting against an attempt to reach "ofashgonfcwp(.)com".

Please run the following custom script. Read all of this before you start. This is intended to check integrity and to do some housekeeping. We will do more checks after this run.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more. This run is like a housekeeping run and a mini tune-up.

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: C:\Users\under\Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

With File Explorer go to folder  C:\Users\under\Downloads folder

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the C:\Users\omar sh\Downloads\Programs folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply from Downloads

NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.


37 minutes ago, Maurice Naggar said:

Chrome was in use when, for example, Malwarebytes was protecting against an attempt to reach "ofashgonfcwp(.)com".

Yes, I was also concerned with this:

From Malwarebytes

Log File: e15cbc0c-2435-11ee-a480-f02f7418bc8e.json

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 71.6.232.27
Port: 0
(No malicious items detected)
Type: Inbound
File: System

Unless ofashgonfcwp resolves to 71.6.232.27...?

Is that normal? I'm not running any servers or anything. Does the Windows Firewall really just let connections through like that? If I'm not infected, that is...

This computer recently is no longer behind a router and is plugged directly into my modem.

Fixlog.txt


The custom script run is very good. What matters most is whether, from this point forward, there are new block notices on either ofashgonfcwp(.)com or on xihopjrdi(.)com. My expectation is that those will not happen. Now we do special scans.

As a next step, I suggest the following:
This is for a scan with ESET Online Scanner (free). ESET is a well-respected, well-known entity and tool. ESET Online Scanner checks for viruses, other malware, adware, & potentially unwanted applications.
You can start this here, and once it is under way you can leave the machine alone & let it run overnight. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on CUSTOM scan and select the C drive to be scanned.
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications".
  • Click on the Start scan button.

Have patience. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Thanks for the help again Maurice, glad to see the fixes worked.

One issue, I went to run esetonlinescanner.exe and it closed itself on me. I got to the second screen, the one that asks about data collection options, when I went to click the option to allow them to collect data the program just fully exited. It was exactly as I clicked the setting.

I downloaded the file again, and compared hashes. I have sha-256 002bd266cd7e071a6555e96ea4ad0b5c923b0bbae561d88843e7f1bcb80241f5

Should I try again?


That is odd. Close the browser. You did not say which one you used. But try using Edge. Let us do this 1 time special scan.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • When done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

The Malwarebytes MBAR scan report-result is Excellent.

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher.
Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

If you wish a Full scan or a Custom scan, first click on the Settings,

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action, and select Ignore.

When all done & ready, click the Fix now button.

When you do reply, let me know if any new IP Block events have shown up from Malwarebytes.


Thanks again for the help.

I downloaded with Edge just to help ensure no issues; HouseCallLauncher custom scan across all drives, no threats found.

I did get another connection attempt. The only thing I've done is watch a YouTube video or 2.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/18/23
Protection Event Time: 7:54 PM
Log File: 8f3f2454-25df-11ee-a555-34c93d0ec5f8.json

-Software Information-
Version: 4.5.33.272
Components Version: 1.0.2069
Update Package Version: 1.0.72613
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3208)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\lsass.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 91.240.118.251
Port: 49664
Type: Inbound
File: C:\Windows\System32\lsass.exe

(end)

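A small triage script for block notices like the ones quoted in this thread, added here as an example (it is not from the thread, from Malwarebytes, or from any participant): it parses the report's "Key: Value" lines and separates inbound hits on Windows' own listeners, which point to firewall/NAT exposure on a PC plugged straight into the modem, from outbound blocks, which point to a local program. The port-to-service mapping is general Windows knowledge, and the sample reports are constructed with RFC 5737 documentation addresses.

```python
"""Triage Malwarebytes web-protection block notices (added example, not Malwarebytes code)."""
import re
from dataclasses import dataclass

# Windows listeners often reachable when a PC sits directly on the modem with no
# router/NAT in front of it. General Windows knowledge, not taken from the thread.
KNOWN_SERVICE_PORTS = {135: "RPC endpoint mapper", 445: "SMB", 3389: "Remote Desktop",
                       7680: "Delivery Optimization"}
RPC_DYNAMIC_PORTS = range(49152, 65536)  # Windows dynamic RPC listener range
SYSTEM_PROCESSES = {"system", "lsass.exe", "svchost.exe", "services.exe"}
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):[ \t]*(?P<value>.*)$", re.MULTILINE)

VERDICTS = {
    "outbound-program": "a local program tried to reach a blocked site; identify that program",
    "inbound-exposed-service": "a Windows service is reachable from the internet (firewall/NAT exposure)",
    "inbound-rpc-dynamic": "an RPC listener on a system process is reachable; check the firewall profile",
    "inbound-probe": "unsolicited probe with no port-specific listener; background internet scanning",
    "inbound-unknown-listener": "a non-system program is listening; find out which one",
}

@dataclass
class BlockEvent:
    direction: str  # "inbound" / "outbound"
    process: str    # "File:" field: a path, or the literal "System"
    ip: str
    port: int

def parse_block_report(text: str) -> BlockEvent:
    """Pull the triage-relevant 'Key: Value' fields out of a block report."""
    f = {m["key"].strip(): m["value"].strip() for m in FIELD_RE.finditer(text)}
    return BlockEvent(f.get("Type", "").lower(), f.get("File", ""),
                      f.get("IP Address", ""), int(f.get("Port") or 0))

def triage(ev: BlockEvent) -> str:
    """Return a verdict key from VERDICTS, from the defender's point of view."""
    if ev.direction != "inbound":
        return "outbound-program"
    name = ev.process.rsplit("\\", 1)[-1].lower()
    if ev.port in KNOWN_SERVICE_PORTS:
        return "inbound-exposed-service"
    if ev.port in RPC_DYNAMIC_PORTS and name in SYSTEM_PROCESSES:
        return "inbound-rpc-dynamic"
    if ev.port == 0 and name in SYSTEM_PROCESSES:
        return "inbound-probe"
    return "inbound-unknown-listener"

def triage_reports(reports):
    """Return (ip, port, process basename, verdict) for each report text."""
    out = []
    for text in reports:
        ev = parse_block_report(text)
        out.append((ev.ip, ev.port, ev.process.rsplit("\\", 1)[-1], triage(ev)))
    return out

# Constructed samples in the layout of a Malwarebytes block notice, cut down to the
# "-Website Data-" section; IPs are RFC 5737 documentation addresses.
SAMPLES = [
    "-Website Data-\nCategory: Compromised\nDomain: \nIP Address: 203.0.113.17\n"
    "Port: 49664\nType: Inbound\nFile: C:\\Windows\\System32\\lsass.exe\n",
    "-Website Data-\nCategory: Compromised\nDomain: \nIP Address: 198.51.100.9\n"
    "Port: 7680\nType: Inbound\nFile: C:\\Windows\\System32\\svchost.exe\n",
    "-Website Data-\nCategory: Trojan\nDomain: blocked.example\nIP Address: 192.0.2.44\n"
    "Port: 443\nType: Outbound\nFile: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\n",
]

if __name__ == "__main__":
    for ip, port, proc, verdict in triage_reports(SAMPLES):
        print(f"{ip}:{port} -> {proc}: {verdict} ({VERDICTS[verdict]})")
```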

I will be composing another task to do soon. But I would like to request that on this computer, while this case is still open, to NOT do any web "surfing" & to not watch any YouTube & to not play any sort of "games". We need to restrict what this machine is used for to mainly just contacting this forum, doing suggested tasks,


Delete the old file mbst-grab-results.zip on the Desktop.

Let us collect a new report-set using the Malwarebytes support tool at C:\Users\under\Downloads\mb-support-1.9.1.977.exe
Using File Explorer, go to the folder Downloads
locate the file mb-support-1.9.1.977.exe

With your mouse, do a RIGHT-click on mb-support-1.9.1.977.exe
select "Run as Administrator"  and reply YES at the prompt to allow to proceed forward

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished. Depending on hardware speed, the run may take some 10 or so minutes to complete.
Attach the mbst-grab-results.zip from the Desktop to your reply.

#2
My next tip and first thing to cover is to systematically power down your whole system, recycle your router, and then power on in order.
It is now a very good idea to reset the router for the internet connection service.
First, shut down Windows and be sure the power is OFF.

Now, unplug the power plug to the Modem and the Router. Wait for about a minute, please.

Now, plug the power into just the Modem (unless you have a modem/router combo). When all the lights come up, plug in the power to the Router (unless combo, of course).

Now, power on the computer and get Windows restarted. One Windows system at a time.


2 hours ago, Maurice Naggar said:

I will be composing another task to do soon. But I would like to request that on this computer, while this case is still open, to NOT do any web "surfing" & to not watch any YouTube & to not play any sort of "games". We need to restrict what this machine is used for to mainly just contacting this forum, doing suggested tasks,

Not a problem. I'll leave the computer running and connected to the internet, unless you specify otherwise. I'll only use the Mail app from Windows, for thread notifications, and Chrome for updating you.

I deleted old mbst-grab-results.zip, ran mb-support-1.9.1.977.exe from my downloads folder, as admin -> new logs uploaded below.

#2 done as you specified.

No new connections.

mbst-grab-results.zip


Solution

Hello. Good afternoon. Thanks for your patience. Two things here in this reply.

( Next suggestion )

This Windows system has these browsers: Edge and Chrome. See that each one gets the Malwarebytes Browser Guard. It is free, and adds a layer of protection.
See Support article how-to

For the EDGE browser

Note: If the pc also has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).

( 2 )

Please run the following custom script. Read all of this before you start. This is intended to check integrity and to do some housekeeping. We will do more checks after this run.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to bar attempts to reach these 2 domains:

IP 185.99.133.244
zappiehost(.)com

IP 91.240.118.251
changway(.)hk

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: C:\Users\under\Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

With File Explorer go to folder  C:\Users\under\Downloads folder

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the C:\Users\omar sh\Downloads\Programs folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply from Downloads

NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.


Very good. 😀

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first:
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


Just so you're aware, I got another connection attempt.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/21/23
Protection Event Time: 12:06 AM
Log File: 0c067526-2795-11ee-adf8-34c93d0ec5f8.json

-Software Information-
Version: 4.5.33.272
Components Version: 1.0.2069
Update Package Version: 1.0.72715
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3208)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 91.240.118.71
Port: 7680
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)


MS Safety Scanner found no virus, no trojan, no threats.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Jul 20 16:41:33 2023

The block notice-message from Malwarebytes is keeping your system safe from potential harm.

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher.
Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

If you wish a Full scan or a Custom scan, first click on the Settings,

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action, and select Ignore.

When all done & ready, click the Fix now button.


This topic is now closed to further replies.