
False Positive - Windows SVC Host?


Solved by Atribune


Hello....odd one here.....

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/20/24
Protection Event Time: 5:32 AM
Log File: 0066919c-ff12-11ee-953c-e89c25959931.json

-Software Information-
Version: 4.6.12.323
Components Version: 1.0.2309
Update Package Version: 1.0.83659
License: Premium

-System Information-
OS: Windows 11 (Build 22631.3447)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: ctldl.windowsupdate.com
IP Address: 221.204.49.35
Port: 80
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

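As an added example (not Malwarebytes' code and not anything posted in this thread), the following Python parses a protection-event log of the shape quoted above and applies the triage a defender would otherwise do by hand: is the reporting process the genuine System32 service host, and is the blocked destination a Microsoft update host? `ctldl.windowsupdate.com` is where the CryptSvc service (hosted in `svchost.exe`) fetches the Certificate Trust List, and that download is a signed payload over plain HTTP, so port 80 is expected for it. The allow-list of update domains, the second (constructed) log entry and the domain and path in it are assumptions for illustration, not data from the thread.

```python
import re

# Illustrative allow-list of Microsoft update hosts that services hosted in
# svchost.exe (e.g. CryptSvc fetching the Certificate Trust List) contact.
# Assumption: this is not an official Microsoft list; extend it from your own
# network baseline.
MS_UPDATE_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "delivery.mp.microsoft.com",
)
SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"

SECTION_RE = re.compile(r"^-(?P<name>[^-]+)-$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): ?(?P<value>.*)$")

# The log block as posted in the thread (banner lines omitted).
THREAD_LOG = r"""
-Log Details-
Protection Event Date: 4/20/24
Protection Event Time: 5:32 AM
Log File: 0066919c-ff12-11ee-953c-e89c25959931.json

-Software Information-
Version: 4.6.12.323
Components Version: 1.0.2309
Update Package Version: 1.0.83659
License: Premium

-System Information-
OS: Windows 11 (Build 22631.3447)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: ctldl.windowsupdate.com
IP Address: 221.204.49.35
Port: 80
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)
"""

# Constructed contrasting entry (assumption: domain, IP and path are made up)
# showing the case a defender should NOT wave through: an svchost.exe copy
# outside System32 talking to a non-Microsoft host.
CONSTRUCTED_LOG = r"""
-Website Data-
Category: Malware
Domain: updates.example.invalid
IP Address: 203.0.113.10
Port: 443
Type: Outbound
File: C:\Users\Public\svchost.exe
"""


def parse_mb_log(text: str) -> dict:
    """Parse a Malwarebytes protection-event log into {section: {key: value}}.

    Lines that are not 'Key: Value' (such as the comma-separated detection row
    under -Blocked Website Details-) are kept in the section's 'rows' list.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {"rows": []}
            continue
        if current is None:
            continue  # product banner lines before the first section
        m = KV_RE.match(line)
        if m:
            sections[current][m.group("key")] = m.group("value").strip()
        else:
            sections[current]["rows"].append(line)
    return sections


def is_ms_update_host(domain: str) -> bool:
    """Exact or dotted-suffix match only, so 'windowsupdate.com.evil.test' fails."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in MS_UPDATE_SUFFIXES)


def triage(sections: dict) -> dict:
    """Classify the 'Website Data' block; returns the verdict and its reasons."""
    web = sections.get("Website Data", {})
    proc = web.get("File", "").lower()
    domain = web.get("Domain", "")
    port = web.get("Port", "")
    reasons = []
    genuine_svchost = proc == SYSTEM32_SVCHOST
    if genuine_svchost:
        reasons.append("process is the genuine System32 service host path")
    elif proc.endswith("svchost.exe"):
        reasons.append("svchost.exe outside System32 is a masquerade indicator")
    if is_ms_update_host(domain):
        reasons.append(f"{domain} is a Microsoft update host")
        if port == "80":
            reasons.append("port 80 is expected here: the CTL/update payload is signed")
    else:
        reasons.append(f"{domain} is not on the Microsoft update allow-list")
    if genuine_svchost and is_ms_update_host(domain):
        verdict = "likely false positive"
    elif proc.endswith("svchost.exe") and not genuine_svchost:
        verdict = "investigate: svchost.exe path"
    else:
        verdict = "investigate: unexpected destination"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_LOG)):
        result = triage(parse_mb_log(log))
        print(label, "->", result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
```

The verdict is only about the process/domain pair; it deliberately says nothing about the blocked IP, because a CDN edge address for an update host changes by region and over time and is not a useful indicator on its own.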

2 minutes ago, RainOnThem said:

Share them here, or in a support ticket?

I have moved your post to the malware removal section.

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


Then be patient for the next expert to take your case.

 

Thank you


I'm confused.  

I've run several scans with my MalwareBytes Premium over the past few days.  You're saying I have some undetected malware?

The AdwCleaner found a PUP "Advanced SystemCare" from IObit in my Roaming folder, but it's just leftover files from using Driver Booster back when I set up my computer.  No executables, just config files.
MalwareBytes finds nothing.

I will now restart and run the FRST tool.
 

AdwCleaner[C00].txt AdwCleaner[S00].txt mbst-grab-results.zip MalwareBytes Scan.txt


14 minutes ago, Atribune said:

Not sure why this was moved. mbst-grab-result.zip is the one I needed

It may have been moved to protect any data that was captured in the logs, for privacy's sake?  @Porthos would have to answer.

I originally moved this from File Detections to Website Blocking

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

  • Root Admin

Good day, @RainOnThem

Please run the following scan.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

Next, please run the following for me

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

Thanks

 


Posted (edited)

Are we sure all this is necessary?  Why is MalwareBytes not enough?  I've never heard of any of these, and they all want administrator access to my computer....this is making me very uncomfortable.

Why is MalwareBytes recommending using OTHER anti-virus services....?

Nevertheless....I am doing it....

Edited by RainOnThem

  • Root Admin

You are the one that was suspicious, thus the recommendation to run another 3rd party antivirus scan to double-check the system.

 

SecurityCheck looks at the software on your system to see if it can find old or outdated software that might need updating

FSS scanner looks for services that manage Windows Updates and Windows Defender to determine if something might not be correct

 

All the tools involved are very safe and used thousands of times for many users

 


Posted (edited)

I posted a false positive for an IP block....my thread was moved.....and now I've run several different no-name programs at admin level access on my computer....if anything I now feel infected when I was not before...

It does not instill confidence in a paid user of MalwareBytes software to be told by MalwareBytes staff "hey please run these free programs from developers you've never heard of, that also trigger Windows security measures (ignore that), that might detect something the software we sold you for a few hundred dollars did not detect".  

Also....zero detections.   

FSS.txt SecurityCheck.txt cureit.log

Edited by RainOnThem

  • Root Admin

I apologize for the post moving around. I just saw the post tonight and I'm trying to help show you the system is safe and that my guess is that yes it was a False Positive block alert.

Are you still getting an IP or Domain block from Malwarebytes?


The Dr Web Cureit AV scanner found no issues.

 

Please update the following programs on your computer.


Thank you

 


Posted (edited)

I'm not trying to be offensive, it was just installing unknown software like this that led me to MalwareBytes in the first place.  I was a victim of a Malware attack where I had almost 100,000 USD of crypto stolen from me, and only MalwareBytes was able to detect and remedy the malware, unfortunately they already had my crypto and browser data, and I had to change passwords on over 500 websites, and add 2FA to over 100 websites.  This was a very dark time in my life, and it only happened a few years ago.  I cannot have it happen again, I mentally would not be able to handle it.  EDIT:  I couldn't remember the name of the Malware, but I just remembered.  "Vidar" malware.  So you can see why I distrust Russia-based developers needing admin access with their software.
 
I have been trusting MalwareBytes because of this, but this thread is now leading me away from that trust.  

Nevertheless, I hope these programs were not malicious.  I might just reset my computer now after this.....I can't get hacked again.

Edited by RainOnThem

  • Root Admin

I can promise you the programs are safe. Thousands of users, not only here on our forums but on almost all forums around the Internet that do malware detection and removal, use them.

I'll provide you with some other information to help you keep your data and computer safer

 

The following information will help you to keep your computer and data safer as well as improve your overall privacy. Don't forget to set up a good backup routine to an external USB drive that you do not keep connected.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download   https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

 


  • Root Admin

Understandable. We truly want your data safe as well. No one wants to be a victim of these bad actors out there.

Though our program is excellent in prevention, detection, and removal - no security product out there can promise you 100% that nothing will ever get in. It takes work on the user's part as well, keeping things up to date and practicing safe computing habits.

 

Please open Malwarebytes and check for updates. We do have a newer version MB5 that is being rolled out. If you don't get the update and want to update to the latest you can manually do it. Some users don't like the included VPN on the main panel so you may want to remain on version 4 if that might bother you. They're working on moving the panels around some but not sure when that will be ready.

MB5 Offline Installer
https://downloads.malwarebytes.com/file/mb5_offline

If there is anything else I can do to assist you, please let me know.

Thank you

 

 


  • Root Admin
Posted (edited)

Not sure if you followed the advice about these items that were listed above, but I would recommend you set it and keep it that way.

 

 

Please make the following change in Malwarebytes so that both Malwarebytes and Windows Defender work in conjunction with each other to add possible improved detections.

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

 

It is highly unlikely that you need to set up exclusions for Windows Defender, however if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

 

Edited by AdvancedSetup
Updated information

  • Root Admin

If you're gaming and using Discord on the same computer you're doing financial work on that can potentially be a recipe for danger too sooner or later. Hundreds of people infected over Discord just this year alone.

Perhaps look at isolating financial work onto a smaller system you keep very protected and don't game on it, don't do P2P uTorrent, no Discord, Facebook, etc.

 


  • Root Admin

Yes, friends can be compromised too. Then links sent for what looks safe or interesting and it turns out to be a zero day exploit that most AV doesn't yet detect.

Just friendly advice on keeping things safe. I don't run any of that stuff on my main system.

 


This topic is now closed to further replies.