RainOnThem Posted April 24 ID:1632342
Hello....odd one here.....

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/20/24
Protection Event Time: 5:32 AM
Log File: 0066919c-ff12-11ee-953c-e89c25959931.json

-Software Information-
Version: 4.6.12.323
Components Version: 1.0.2309
Update Package Version: 1.0.83659
License: Premium

-System Information-
OS: Windows 11 (Build 22631.3447)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1 , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Malware
Domain: ctldl.windowsupdate.com
IP Address: 221.204.49.35
Port: 80
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)
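As an added example (not from the thread, and not Malwarebytes code), a small Python triage helper that parses a "Blocked Website" report like the one above and applies the checks a defender would run before calling it a false positive: is the domain a Microsoft update host, is the initiating process the genuine svchost.exe path, and does the blocked IP match an independent resolution of the domain. The update-domain allowlist, the verdict strings and the injectable resolver are assumptions.

```python
import socket

# Constructed sample: the report posted above, one field per line.
SAMPLE_REPORT = r"""
-Blocked Website Details-
Malicious Website: 1 , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Malware
Domain: ctldl.windowsupdate.com
IP Address: 221.204.49.35
Port: 80
Type: Outbound
File: C:\Windows\System32\svchost.exe
"""

# Assumption: a defender-curated list of Microsoft update/CTL download suffixes.
MICROSOFT_UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com")
GENUINE_SVCHOST = r"c:\windows\system32\svchost.exe"


def parse_block_event(text):
    """Return {field: value} for every 'Key: Value' line under -Website Data-."""
    fields, in_data = {}, False
    for line in text.splitlines():
        if line.strip() == "-Website Data-":
            in_data = True
        elif in_data and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def triage(event, resolve=lambda host: socket.gethostbyname_ex(host)[2]):
    """Return (verdict, reasons). `resolve` maps a hostname to a list of IPs so
    the check can run offline with a stub; the default uses the system resolver."""
    reasons = []
    domain = event.get("Domain", "").lower()
    proc = event.get("File", "").lower()
    host_ok = domain.endswith(MICROSOFT_UPDATE_SUFFIXES)
    proc_ok = proc == GENUINE_SVCHOST
    reasons.append("domain is a Windows Update host" if host_ok
                   else "domain is not a known update host")
    reasons.append("genuine svchost.exe path" if proc_ok
                   else "unexpected process path for svchost.exe")
    try:
        resolved = resolve(domain)
    except OSError:
        resolved = []
    ip_ok = event.get("IP Address") in resolved
    reasons.append("blocked IP matches our own resolution" if ip_ok
                   else "blocked IP differs from our resolution (CDN/geo variance or DNS tampering)")
    if host_ok and proc_ok and ip_ok:
        return "probable false positive", reasons
    if host_ok and proc_ok:
        return "probable false positive; verify IP ownership", reasons
    return "investigate", reasons
```

Run it against a live resolver to compare the blocked IP with what your own DNS returns; a genuine update host resolving to a different CDN edge is common, while an unexpected process path is the signal that warrants a closer look.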
Staff Atribune Posted April 24 ID:1632351 (edited)
Could you please visit https://downloads.malwarebytes.com/file/mbst and follow the instructions on how to gather logs? Once you have gathered them, please share them so we can review.
Edited April 25 by AdvancedSetup: Corrected font issue
RainOnThem Posted April 24 Author ID:1632365
Share them here, or in a support ticket?
Porthos Posted April 24 ID:1632371
2 minutes ago, RainOnThem said: Share them here, or in a support ticket?

I have moved your post to the malware removal section. Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware. Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes. Please pay close attention to the instructions in all of the following links.
- If you have not done so already, Enable System Protection and create a NEW System Restore Point
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.
- Click the following link and run a Scan with AdwCleaner
- Click the following link and run a Scan with Malwarebytes
- RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case. Thank you
Staff Atribune Posted April 24 ID:1632376
Here is fine, or you can PM them to me.
RainOnThem Posted April 24 Author ID:1632377
I'm confused. I've run several scans with my Malwarebytes Premium over the past few days. You're saying I have some undetected malware? AdwCleaner found a PUP "Advanced SystemCare" from IObit in my Roaming folder, but it's just leftover files from using Driver Booster back when I set up my computer. No executables, just config files. Malwarebytes finds nothing. I will now restart and run the FRST tool.
Attachments: AdwCleaner[C00].txt, AdwCleaner[S00].txt, mbst-grab-results.zip, MalwareBytes Scan.txt
Staff Atribune Posted April 24 ID:1632379
Not sure why this was moved. mbst-grab-result.zip is the one I needed.
RainOnThem Posted April 24 Author ID:1632381 (edited)
FRST found nothing as well. All logs look clean, other than the previously mentioned PUP "Advanced SystemCare" configuration files.
Attachments: Addition.txt, FRST.txt, Shortcut.txt
Edited April 24 by RainOnThem
David H. Lipman Posted April 24 ID:1632382 (edited)
14 minutes ago, Atribune said: Not sure why this was moved. mbst-grab-result.zip is the one I needed

It may have been moved to protect any data that was captured in the logs, for privacy's sake? @Porthos would have to answer. I originally moved this from File Detections to Website Blocking.
Edited April 24 by David H. Lipman: Edited for content, clarity, spelling and/or grammar
RainOnThem Posted April 24 Author ID:1632398
Hello....any updates? I have to admit, this has me a bit paranoid now, since I believed it was a False Positive....
Porthos Posted April 24 ID:1632399
1 hour ago, Porthos said: Then be patient for the next expert to take your case.

2 minutes ago, RainOnThem said: Hello....any updates?
Root Admin AdvancedSetup Posted April 25 ID:1632436
Good day, @RainOnThem

Please run the following scan.

Dr.Web CureIt!
- Please download the Dr.Web CureIt! anti-virus utility: https://free.drweb.com/
- You will need to send them an email to obtain a link to download the scanner; please do so
- The downloaded file will normally have a unique name such as: q7a9tr4p.exe
- Close all open applications, then locate the downloaded file and double-click to run it
- The program will take a moment to launch and bring up the License and Update screen
- Place a check mark to agree to the terms and then click on the Continue button
- Click the underlined link Select objects for scanning
- On the top left, click the Scanning objects box, which should automatically check all objects
- Click the small wrench and make sure there is a check on Automatically apply actions to threats
- Then click the large button on the bottom right, Start scanning
- Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad
- The log is saved in the folder named Doctor Web at the top of your user profile folders
- Please attach that log on your next reply

Next, please run the following for me:
- Scan with SecurityCheck by glax24: https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/
- Scan with FSS Farbar Service Scanner: https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Thanks
RainOnThem Posted April 25 Author ID:1632454 (edited)
Are we sure all this is necessary? Why is Malwarebytes not enough? I've never heard of any of these, and they all want administrator access to my computer....this is making me very uncomfortable. Why is Malwarebytes recommending using OTHER anti-virus services....? Nevertheless....I am doing it....
Edited April 25 by RainOnThem
Root Admin AdvancedSetup Posted April 25 ID:1632456
You are the one that was suspicious, thus the recommendation to run another third-party antivirus scan to double-check the system.

SecurityCheck looks at the software on your system to see if it can find old or outdated software that might need updating.

The FSS scanner looks for the services that manage Windows Update and Windows Defender to determine if something might not be correct.

All the tools involved are very safe and have been used thousands of times by many users.
RainOnThem Posted April 25 Author ID:1632464 (edited)
I posted a false positive for an IP block....my thread was moved.....and now I've run several different no-name programs at admin level access on my computer....if anything I now feel infected when I was not before...

It does not instill confidence in a paid user of Malwarebytes software to be told by Malwarebytes staff "hey please run these free programs from developers you've never heard of, that also trigger Windows security measures (ignore that), that might detect something the software we sold you for a few hundred dollars did not detect".

Also....zero detections.
Attachments: FSS.txt, SecurityCheck.txt, cureit.log
Edited April 25 by RainOnThem
Root Admin AdvancedSetup Posted April 25 ID:1632465
I apologize for the post moving around. I just saw the post tonight, and I'm trying to help show you the system is safe; my guess is that yes, it was a False Positive block alert.

Are you still getting an IP or Domain block from Malwarebytes?

The Dr.Web CureIt AV scanner found no issues.

Please update the following programs on your computer:
- Discord v.1.0.9032 Warning! Download Update
- LibreOffice 24.2.0.3 v.24.2.0.3 Warning! Download Update
- Python 3.11.8 (64-bit) v.3.11.8150.0 Warning! Download Update

Thank you
RainOnThem Posted April 25 Author ID:1632466 (edited)
I'm not trying to be offensive; it was just installing unknown software like this that led me to Malwarebytes in the first place. I was a victim of a malware attack where I had almost 100,000 USD of crypto stolen from me, and only Malwarebytes was able to detect and remedy the malware. Unfortunately, they already had my crypto and browser data, and I had to change passwords on over 500 websites and add 2FA to over 100 websites. This was a very dark time in my life, and it only happened a few years ago. I cannot have it happen again; I mentally would not be able to handle it.

EDIT: I couldn't remember the name of the malware, but I just remembered: "Vidar" malware. So you can see why I distrust Russia-based developers needing admin access with their software. I have been trusting Malwarebytes because of this, but this thread is now leading me away from that trust. Nevertheless, I hope these programs were not malicious. I might just reset my computer now after this.....I can't get hacked again.
Edited April 25 by RainOnThem
Root Admin AdvancedSetup Posted April 25 ID:1632468
I can promise you the programs are safe. Thousands of users, not only here on our forums but on almost all forums around the Internet that do malware detection and removal, use them.

I'll provide you with some other information to help you keep your data and computer safer.

The following information will help you to keep your computer and data safer as well as improve your overall privacy.

Don't forget to set up a good backup routine to an external USB drive that you do not keep connected.

Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
https://www.howtogeek.com/780233/best-password-manager/

Make sure you're backing up your files
https://forums.malwarebytes.com/topic/136226-backup-software/

Keep all software up to date - PatchMyPC
https://patchmypc.com/home-updater#download
https://patchmypc.com/about-us

Keep your Operating System up to date and current at all times
https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

Further tips to help protect your computer data and improve your privacy:
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard
- Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
- Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin
- Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
- Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

Cybersecurity basics & protection - Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog
https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.
RainOnThem Posted April 25 Author ID:1632469
Thank you for your help, and sorry if anything I said sounded offensive; I am just paranoid about my security now.
Root Admin AdvancedSetup Posted April 25 ID:1632472
Understandable. We truly want your data safe as well. No one wants to be a victim of these bad actors out there. Though our program is excellent in prevention, detection, and removal, no security product out there can promise you 100% that nothing will ever get in. It takes work on the user's part as well, keeping things up to date and practicing safe computing habits.

Please open Malwarebytes and check for updates. We do have a newer version, MB5, that is being rolled out. If you don't get the update and want to update to the latest, you can do it manually. Some users don't like the included VPN on the main panel, so you may want to remain on version 4 if that might bother you. They're working on moving the panels around some, but I'm not sure when that will be ready.

MB5 Offline Installer
https://downloads.malwarebytes.com/file/mb5_offline

If there is anything else I can do to assist you, please let me know.

Thank you
Root Admin AdvancedSetup Posted April 25 ID:1632481 (edited)
Not sure if you followed the advice about these items that were listed above, but I would recommend you set it and keep it that way.
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions

Please make the following change in Malwarebytes so that both Malwarebytes and Windows Defender work in conjunction with each other to add possible improved detections.
- Please open Malwarebytes.
- Click on the small gear icon to open the Settings and go to the Security tab.
- Then turn off "Always register Malwarebytes in the Windows Security Center"
- Restart the computer

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list
Edited April 25 by AdvancedSetup: Updated information
Root Admin AdvancedSetup Posted April 25 ID:1632485
If you're gaming and using Discord on the same computer you're doing financial work on, that can potentially be a recipe for danger too, sooner or later. Hundreds of people have been infected over Discord just this year alone. Perhaps look at isolating financial work onto a smaller system you keep very protected and don't game on it, don't do P2P uTorrent, no Discord, Facebook, etc.
RainOnThem Posted April 25 Author ID:1632486
Sorry, you mean through Discord the company? I have all DMs turned off on Discord, and really only use it to access a few friends' servers. I do not join public servers.
Root Admin AdvancedSetup Posted April 25 ID:1632488
Yes, friends can be compromised too. Then links are sent for what looks safe or interesting, and it turns out to be a zero-day exploit that most AV doesn't yet detect. Just friendly advice on keeping things safe. I don't run any of that stuff on my main system.
Root Admin AdvancedSetup Posted April 25 ID:1632489
I'm going to head out. I've been off work now for about 5 hours. I'll go ahead and close this topic tomorrow, but again, if you run into any issues or have questions, please let us know.

Have a good day. Cheers