
MalwareBytes blocking svchost.exe



8 minutes ago, AdrianM said:

they are inbound connections

The blocks are on addresses that are attempting to do a forced attempt to exploit remote-desktop protocol.

The Real-Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases, the attempted probes will automatically stop on their own. If it continues, you can add the IP to the local firewall to prevent it from contacting the computer, period.
If you wish to do so, here is one how-to guide:
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/


4 minutes ago, AdrianM said:

the ip address changes every time.

As long as they are inbound, Malwarebytes is doing its job.

You can also stop these by having a router between your ISP modem and your computer.

As I also see you are using the trial, that protection will stop when the trial expires.

Edited by Porthos

1 minute ago, AdrianM said:

The inbound connections coming from a file inside my computer

It is not coming from the file on your computer; it is trying to attack that Windows file.

2 minutes ago, AdrianM said:

isn't there any way I can stop it completely?

Yes, by investing in a router as I stated before.

11 minutes ago, Porthos said:

You can also stop these by having a router between your ISP modem and your computer.


Please do the following so that we may take a closer look at your system.

Please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply


Thank you


  • Root Admin

Please post back the requested log and we'll take a look.

Inbound is due to remote systems probing your system looking for some type of exploit. As mentioned by @Porthos a properly configured router normally won't allow that type of probe to reach Windows.

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
  • Document passwords created and store them in a safe but accessible location.

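Both firewall measures in this thread (blocking a single probing address, as in the interserver.net how-to linked earlier, and blocking the port list from the router advice above) can also be applied on the Windows host firewall itself. The script below is an added example, not code from the thread or from Malwarebytes; it assumes Windows 10/11 with an elevated PowerShell session, and the probing address it blocks is a constructed placeholder.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, elevated PowerShell.

# (a) Block one probing address inbound, the host-firewall equivalent of the
#     linked how-to. Idempotent: the rule is only created if it does not exist.
function Block-InboundAddress {
    param([Parameter(Mandatory)][string]$RemoteAddress)
    $name = "Block inbound from $RemoteAddress"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $RemoteAddress -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}
Block-InboundAddress -RemoteAddress '198.51.100.23'   # constructed RFC 5737 test address

# (b) The port list from the router advice (135-139, 445, 1234, 3389, 5555, 9034),
#     blocked inbound for TCP and UDP so the probes are dropped even when the
#     router passes them through. 3389 is Remote Desktop: this block disables
#     RDP from anywhere, including the LAN.
$probePorts = '135-139', '445', '1234', '3389', '5555', '9034'
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block inbound $proto probe ports" -Direction Inbound `
        -Action Block -Protocol $proto -LocalPort $probePorts -Profile Any | Out-Null
}

# Alternative if Remote Desktop is needed from the LAN: take '3389' out of
# $probePorts above and scope the built-in rule group to the local subnet instead.
# Leaving 3389 reachable from the Internet is exactly what the blocked probes look for.
#   Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet

# Check: list the block rules just created, with protocol and ports.
Get-NetFirewallRule -DisplayName 'Block inbound*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0}: {1} {2} ports {3}' -f $_.DisplayName, $_.Action, $pf.Protocol, ($pf.LocalPort -join ',')
}
```

Block rules take precedence over allow rules in Windows Firewall, so verify with the final check that nothing you rely on (printer sharing on 445, for example) has been cut off.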

  • Root Admin

Contact Spectrum. Let them know your concerns about how a remote system is able to get past the router and probe Windows. Ask them if they can tighten the security on it.

The following are recommendations to clean up or improve the operation of Windows. It WILL NOT change or disable the Inbound probing.

[ 1 ]

This appears to be a temporary account that should have been removed during the installation of Windows. Unless you've somehow saved data there, you should be able to remove this account.

defaultuser100001 (S-1-5-21-1683634121-883303585-1651781312-1019 - Limited - Enabled)

[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Bonjour

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

Unless you're doing Java programming or similar, there is no need to have this installed. If you are using it then leave it, but if not then please uninstall it.

  • Java(TM) SE Development Kit 19.0.1 (64-bit)

[ 3 ]

The choice is yours as it's your computer, but the ads and other eye candy of your Opera GX Stable browser help bring things into the computer that may increase your risk of infection.

I would highly suggest either using Firefox or even Google Chrome over Opera today. The logs indicate you're using Microsoft Edge as your default browser, which is better than Opera.

Windows Defender even had an issue trying to upload and test it:

Date: 2023-04-01 16:22:04
Description:
Microsoft Defender Antivirus has encountered an error trying to upload a suspicious file for further analysis.
Filename: C:\Users\Administrator\Downloads\OperaGXSetup.exe
Sha256: 40857d597ed2c2fbe0ef03badd6a78d374160834508d9a717e83b1b791499fd3
Current security intelligence Version: AV: 1.385.1805.0, AS: 1.385.1805.0
Current Engine Version: 1.1.20100.6
Error code: 0x80508016

[ 4 ]

Your current DNS Servers: 192.168.1.1

Please consider changing your default DNS server settings. Please choose one provider only.

DNS is what lets users connect to websites using domain names instead of IP addresses.

Pick just one of these 4 providers. And be aware that you need to modify one time for IPv4 and do a second pass for IPv6.

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNS.WATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

[ 5 ]

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\denni\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

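The DNS change in item [ 4 ] above, with its separate IPv4 and IPv6 passes, can be done from PowerShell instead of the GUI. This is an added example, not from the thread; it uses Cloudflare's addresses from the list (any single provider works the same way), assumes Windows 10/11 with an elevated session, and applies the change to every connected physical adapter.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, elevated PowerShell.
# One provider only, both address families (Cloudflare, from the list above).
$dnsV4 = '1.1.1.1', '1.0.0.1'
$dnsV6 = '2606:4700:4700::1111', '2606:4700:4700::1001'

$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    # A single call with both families; the adapter stores them as separate
    # IPv4 and IPv6 lists, which is the "two passes" the post refers to.
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses ($dnsV4 + $dnsV6)
}

# Check 1: the resolvers now configured, per adapter and address family.
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.InterfaceIndex -in $adapters.ifIndex } |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# Check 2: a lookup actually resolves through the new servers
# (the router at 192.168.1.1 should no longer appear as a server).
Clear-DnsClientCache
Resolve-DnsName -Name example.com -Type A | Select-Object Name, IPAddress
```

To undo, `Set-DnsClientServerAddress -InterfaceIndex <index> -ResetServerAddresses` returns the adapter to the DHCP-supplied resolvers.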

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
