
Inbound Connections Attempts, sfc found corrupt files - Am I infected


Solved by Maurice Naggar

Great 👍 We have reached the end of the quest for infectious malware. Cool.

I would recommend getting a readout report as to the update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below.

Download SecurityCheck by glax24 from here and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.


Thanks Maurice for all your help. I can finally breathe a little that this computer is secure :)

One last final question regarding inbound connections.

Does Malwarebytes real-time web protection run before the Windows firewall? I ask because I'm interested, given the inbound firewall rules to drop inbound connections; it'd only make sense to see Malwarebytes alerts in three cases.

- Safe: Malwarebytes always alerts even if the firewall drops.

- Safe: Malwarebytes runs before the Windows firewall, therefore you'd see the alerts even if the firewall would drop anyway.

- Unsafe: A malware infection / a vulnerability in some Windows service / etc. approved a pass through the firewall, and Malwarebytes then blocks.

I deal with bad paranoia and I'd be grateful for some reassurance/clearing up.

I guess my question truly boils down to how natural it is to see inbound connection attempts. And what to do if I get more.

Thanks again for all the assistance.

SecurityCheck.txt


Firstly, please try to dial down any sort of 'paranoia'. We use multiple trusted tools/scanners here ( on this sub-forum) to check for potential malicious malware.
The good thing: SecurityCheck lists only 1 application that needs your follow-up.
Git v.2.41.0 Warning! Download Update

Secondly, I tend to think that the Malwarebytes web-protection is first in reporting a Block notice, that gets triggered before any firewall action or such. The Windows firewall here is on and working.

Now, I would appreciate this report:

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.


The FSS report is all very good.
Trying to recall the tools & checks I had you run before this point. You have run:
  • Adwcleaner
  • Malwarebytes MBAR anti-rootkit special tool
  • I believe 2 custom-fix-scripts
  • TrendMicro Housecall scan
  • Microsoft Safety Scanner MSERT

Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This is with the Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\under\DESKTOP\KVRT.exe will now show in the run box.


add -dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\under\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.


That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"


A new Window will open, select "Run anyway"


An EULA window will open, tick both confirmation boxes then select "Accept"


In the new window select "Change Parameters"


  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs, do not use your PC for anything else.

  • When completed: If entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C: ), similar to this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20230721_203000.klr

  • Right-click directly on those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply

Maurice, I had ordered a new router; my current one is from 2010. I was wondering if it was ok to install it? Or would you rather I wait till we're finished here?

I got another connection attempt, I understand this is Malwarebytes keeping me safe, I was just alerting you.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/21/23
Protection Event Time: 9:36 PM
Log File: 53484e3c-2849-11ee-9a1d-34c93d0ec5f8.json

-Software Information-
Version: 4.5.33.272
Components Version: 1.0.2069
Update Package Version: 1.0.72767
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3208)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 8.209.218.31
Port: 49666
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)


Hello. The Kaspersky KVRT reports there is no virus, no malware, no threat.

If you have a newer hardware router, then go ahead and switch to the new router.

I would note, and highly suggest, that at end of each day or when you no longer need to use this computer, that you be real sure to do a daily Windows SHUTDOWN.  That way your machine is like "radio silent" to the outside world.  And thus cannot have Windows exposed to any "inbound" potential probes.

NOTE also the notation of the "block message":
Category: Compromised
Domain: 
IP Address: 8.209.218.31

The domain or IP address is what has the compromise. It is stopped from further communication to this computer.

I am going to list several suggestions that you should apply.
( 1 )
My next tip, and the first thing to cover, is to systematically power down your whole system, recycle your router, and then power on in order.
It is now a very good idea to reset the router for the internet connection service.
First, shut down Windows and be sure the power is OFF.

Now, unplug the power plug to the Modem (IF there is one) and the internet hardware Router. Wait for about a minute, please.

Now, plug the power into just the Modem (unless you have a modem/router combo). When all the lights come up, plug in the power to the Router (unless a combo, of course).

Now, power on the computer and get Windows restarted. One Windows system at a time.

( 2 )
Secure your router by resetting it and then setting a strong password to sign into the router, and a strong wireless key to sign into your network. You can find your router manual by googling the exact model (on bottom) to follow the reset instructions, set the password and wireless key, optimize Security and Performance per these articles:
https://www.lifewire.com/resetting-a-home-network-router-818061
https://www.techradar.com/broadband/how-to-change-your-router-password

( 3 )
This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

( 4 )

Using just the Chrome browser, sign-in to your Google account ( if not signed in already)  https://chrome.google.com/
Then go to https://chrome.google.com/sync?
Scroll down the page, press the "CLEAR DATA" button, to clear the Chrome data from your Google account.

( 5 )

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

The Malwarebytes blocks are on addresses that are attempting to do some sort of probing or connecting.

The Real-Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

I would recommend that you look over this article
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

ALSO see this Malwarebytes support article
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/
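The post above explains that each Malwarebytes block notice records the direction (Type), the remote address and the local process (File), and that a source which keeps probing can be blocked at the Windows firewall. As an added example, not code from the thread or from Malwarebytes, the Python below parses pasted notices in that layout, separates inbound probes from outbound attempts by a local process, and flags remote addresses seen more than once. The three sample notices, their addresses and times are constructed; the netsh command is only built as a string and never executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three pasted Malwarebytes "Website blocked" notices in the
# layout shown in the thread. Addresses, times and the third notice are made up.
SAMPLE_NOTICES = r"""
-Log Details-
Protection Event Date: 7/21/23
Protection Event Time: 9:36 PM

-Website Data-
Category: Compromised
Domain: 
IP Address: 203.0.113.7
Port: 49666
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)

-Log Details-
Protection Event Date: 7/21/23
Protection Event Time: 9:41 PM

-Website Data-
Category: Compromised
Domain: 
IP Address: 203.0.113.7
Port: 49670
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)

-Log Details-
Protection Event Date: 7/21/23
Protection Event Time: 10:02 PM

-Website Data-
Category: Malware
Domain: example.invalid
IP Address: 198.51.100.9
Port: 443
Type: Outbound
File: C:\Users\user\Downloads\setup.exe

(end)
"""

# One "Key: value" line per field we care about; the Domain line may be empty.
FIELD_RE = re.compile(
    r"^(Protection Event Date|Protection Event Time|Category|Domain|"
    r"IP Address|Port|Type|File): ?(.*)$",
    re.MULTILINE,
)


def parse_notices(text):
    """Split pasted notices on their "(end)" marker and return one dict each."""
    events = []
    for chunk in text.split("(end)"):
        if "-Website Data-" not in chunk:
            continue  # leading/trailing fragment, not a notice
        fields = {key: value.strip() for key, value in FIELD_RE.findall(chunk)}
        fields["Port"] = int(fields["Port"])
        events.append(fields)
    return events


def classify(event):
    """Direction decides what the notice means. Inbound: a remote address reached
    a listening local process (svchost.exe in the thread) and the block dropped
    it. Outbound: a local process tried to reach a flagged address, so the File
    field names the program worth checking."""
    if event["Type"] == "Inbound":
        return "inbound-probe-blocked"
    return "outbound-from-local-process"


def repeated_inbound_sources(events, threshold=2):
    """Remote addresses whose inbound attempts were blocked at least `threshold`
    times; the post suggests a firewall rule only if the probing continues."""
    counts = Counter(e["IP Address"] for e in events if e["Type"] == "Inbound")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def netsh_block_command(ip):
    """Build (but do not run) the built-in Windows command that adds an inbound
    block rule for one remote address, rejecting anything that is not an IP."""
    ipaddress.ip_address(ip)  # raises ValueError on garbage input
    return (f'netsh advfirewall firewall add rule name="Block probe {ip}" '
            f"dir=in action=block remoteip={ip}")


if __name__ == "__main__":
    parsed = parse_notices(SAMPLE_NOTICES)
    for ev in parsed:
        print(ev["Protection Event Time"], ev["Type"], ev["IP Address"],
              ev["Port"], ev["File"], "->", classify(ev))
    for ip in repeated_inbound_sources(parsed):
        print("repeat inbound source:", ip)
        print(" ", netsh_block_command(ip))
```

Pasting real notices into SAMPLE_NOTICES (or reading them from a file) is enough to run it; the regex only matches the labelled fields, so the Software and System Information sections of a full notice are ignored. The threshold mirrors the post's advice that a one-off probe usually stops on its own and that only a persistent source is worth a firewall rule.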

Thanks Maurice for all the info. I'll go ahead and setup the new router then ;)

Thanks for the suggestions and more info regarding inbound connections. I'll make my way through the list of actions you're suggesting.

I'll post again once I'm done. It may be later today depending on how well setting up the router goes. 


All done finally, my router is going back though, very unhappy 😖... who doesn't support basic logging, or should I say who doesn't allow users to access their logs...

Anyway.

1) full reset done

2) Strong password in place

3) Haven't done anything but open this website/anything involving your suggestions :)

4) Sync sounds terrible actually, someone could just randomly add a Chrome extension to my computer... I cleared data and disabled sync for this computer :)

5) Already set to ask for permission

My router again basically hides all relevant settings, I will be sending it back. I assume it automatically sets a firewall as I can't even choose whether to connect 2.4G or 5G... it's easy to use but not what I'm looking for.

Thanks again for the info on inbound connections, this is all very reassuring.

Feeling in a much better place now!


I installed Mongo, it's my goto for local databases. If I'm going to have a 100K+ of something I'll use it to organize/store results.

So yes to the data analysis, though I just play academic :) I'm just a hobbyist with a bunch of interests.

Currently wanting to get into https://github.com/facebookresearch/faiss (vector database) for some work around evaluating LLMs and SD models at scale.

A lot of work is being published all over the place, but I have yet to see something really nice in the evaluation area; I hope to build some tools to fill that for individuals.

Perplexity and FID metrics are nice but there's nothing quite like the human eye for evaluation. Especially if you can get some help (i.e. a vector database).


I would like a report set for review. This is a report only. First, on the Desktop, delete the current file mbst-grab-results.zip.

The mb-support-1.9.1.977.exe is in the Downloads folder.

Go to Downloads using File Explorer, do a right click with your mouse on  mb-support-1.9.1.977.exe & then select "Run as Administrator"  and reply YES when prompted and allow it to run.

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished. It may take some 10 - 12 minutes to complete, depending on hardware speed.
Attach the mbst-grab-results.zip from the Desktop to your reply.


Hi,

I was actually gonna ask for one final review :)

I did make a smallish software/hardware change, I hope that's ok. I installed 2 HDDs and inserted 2 USBs.

I was trying to validate my CUDA installation + taking a quick peek to get some burning questions answered.

I installed Precision X + HWD Monitor and Sandboxie, which I was hoping to use their kernel driver for another project (the burning questions), but decided on another project on GitHub.

Sorry for getting antsy, just really looking forward to getting back to my projects.

For completeness, I ran mbar + Kaspersky + mb again, all come back clean.

mbst-grab-results.zip


Hi. The reports look ok, that is to say, there is no malware infection. There may be an indication of an issue with a failure on Microsoft Windows Update. So, you need to do a run to check it. Ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


Great glad to hear :) From your analysis was there ever evidence this computer was infected to begin with?

Yes, I did have an update for .NET but nothing else other than optional.

installed : https://support.microsoft.com/en-us/topic/july-25-2023-kb5028412-cumulative-update-preview-for-net-framework-3-5-4-8-and-4-8-1-for-windows-10-version-22h2-3c543fa0-c211-40af-ab8d-d10e4183e9a5

I included an image of the optional updates. Do you want me to install those too?

image.png


No, I do not recall a significant "malware" on this box. That said, this system is good to go. The first item listed on this screen grab is a PREVIEW. Do not take that. On the others, those are up to you. It should be ok to take those hardware driver updates.

Cleanups:

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2-14.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)
  • Delete mb-support-1.8.7.918.exe
  • Delete mbst-grab-results.zip on the Desktop.
  • Delete MBAR.exe

This system is clear and good to go.  😎
Sincerely.


👍 You are most welcome. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.


For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you


This topic is now closed to further replies.