John L. Galt Posted September 19 ID:1662029

Hey, all, it's been a long time, I hope everyone is still doing well.

I just had a popup from MB5 about a blocked outbound connection via svchost.exe to an IP address that is registered to China Mobile (which I obviously do not use).

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 19-Sep-24
Protection Event Time: 14:22
Log File: 2c3eb6e0-76b4-11ef-b27d-00155d5a264d.json

-Software Information-
Version: 5.1.11.133
Components Version: 1.0.5044
Update Package Version: 1.0.89429
License: Premium

-System Information-
OS: Windows 11 (Build 26100.1742)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1 , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, 0CD128F416A04C06D50EC56392C25D9F, 324451797AC909A4DD40C7A2F7347EF91F6B7C786941AD5035F609C0FC15EDAA

-Website Data-
Category: Compromised
Domain:
IP Address: 120.226.28.61
Port: 4008
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

I looked up the IP at ICANN.org: https://lookup.icann.org/en/lookup

And that is how I found out it is trying to connect to an IP associated with China Mobile.

I realize that svchost is, in layman's terms, a wrapper to run services, for lack of a better description - but does the new MB5 offer additional details (particularly a PID for the process in question)? I have quite a few svchost.exe instances running at any given moment, and I'd like to verify if this is a legitimate call - or a legitimate concern. As you can see in the following screenshot, right now it's basically a shot in the dark with a lot of trial and error before I can even narrow down which ones of these it might be:

I ask here first in the hopes that I don't need to go through the entire process of getting my system analyzed and / or 'fixed', as I can do most of that myself - but I'd rather not go through the entire rigmarole if it is just a FP, yanno?

Thanks.
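The question in the post above (which svchost.exe instance owns a blocked outbound connection) can be answered from the system itself while the connection is still open. The following is an added example and not code from the thread or from Malwarebytes: it joins the owning PID of every TCP endpoint to the remote address with the services hosted in that PID (the same mapping `tasklist /svc` prints), and checks that the image really is the signed System32 svchost.exe. The function name is mine; the IP and port are the ones in the block log above. It assumes an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the thread): map a live outbound connection back to the
# svchost.exe instance and the service(s) it hosts. Assumes an elevated PowerShell
# on Windows 10/11; the IP and port below are the ones in the MB5 block log above.
function Resolve-SvchostConnection {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [int]$RemotePort = 0          # 0 = any port
    )

    # Only TCP endpoints that still exist are visible here. A connection that was
    # already torn down, or a UDP beacon, will not show up; those need the
    # audit/Sysmon approach discussed later in the thread.
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
    if ($RemotePort -ne 0) { $conns = $conns | Where-Object { $_.RemotePort -eq $RemotePort } }
    if (-not $conns) {
        Write-Warning "No live TCP connection to $RemoteAddress right now."
        return
    }

    # Win32_Service.ProcessId is the PID of the svchost.exe hosting each service:
    # the same mapping 'tasklist /svc' prints, but joinable in code.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    foreach ($c in $conns) {
        $procId = $c.OwningProcess
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        $hosted = $services | Where-Object { $_.ProcessId -eq $procId } | ForEach-Object { $_.Name }

        # Sanity check on the image: a genuine svchost.exe lives in System32 and is
        # Microsoft-signed. Anything else using that name is the first thing to look at.
        $sig = if ($proc.ExecutablePath) { (Get-AuthenticodeSignature $proc.ExecutablePath).Status } else { 'process already exited' }

        [pscustomobject]@{
            Time        = Get-Date
            Local       = "$($c.LocalAddress):$($c.LocalPort)"
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            State       = $c.State
            PID         = $procId
            Image       = $proc.ExecutablePath
            Signature   = $sig
            # On Windows 10/11 with more than about 3.5 GB of RAM most services get
            # their own svchost, so '-s <ServiceName>' on the command line names it.
            CommandLine = $proc.CommandLine
            Services    = ($hosted -join ', ')
        }
    }
}

# Values taken from the block log in the post above
Resolve-SvchostConnection -RemoteAddress '120.226.28.61' -RemotePort 4008 | Format-List
```

If the warning fires, the session was short-lived and nothing in the live connection table can name the process; that is the case where the auditing and Sysmon steps later in the thread are the right tool, because they record the PID at the moment the connection is attempted.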
David H. Lipman Posted September 19 ID:1662032

https://www.abuseipdb.com/check/120.226.28.61
Porthos Posted September 19 ID:1662033

@John L. Galt This one needs malware removal assistance.

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following. Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware. Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes. Please pay close attention to the instructions in all of the following links.
- If you have not done so already - Enable System Protection and create a NEW System Restore Point <<<<< Important.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup (Windows 8 and newer only) <<<<< Important.
- Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.
- Click the following link and run a Scan with AdwCleaner
- Click the following link and run a Scan with Malwarebytes
- RESTART the computer <<<<< Important.
- Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case. <<<<< Important.

Thank you
John L. Galt Posted September 19 Author ID:1662060

Scans attached. Including the export of the MB5 original IP address access block. Settings for each respective application used to scan were set exactly as mentioned in each reference post.

Malwarebytes Website Blocked Report 2024-09-19 182248.txt
AdwCleaner[S00].txt
Malwarebytes Scan Report 2024-09-19 191520.txt
FRST.txt
Addition.txt
Root Admin AdvancedSetup Posted September 20 ID:1662286

Hello @John L. Galt, long time no see. Hope you're doing well.

Did you set up all of these? Generally speaking, part of the idea of Safe Mode is to help prevent unknown items from loading while you check it out.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExecutionContext.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netadaptercx.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinHttpAutoProxySvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"

Oddly I don't see Malwarebytes listed there, which typically even the free version will set our driver there.

Windows Defender believes this to be Suspicious. Please upload to VirusTotal to be scanned and verify:
D:\Users\BeastA\Downloads\UniGetUI.Installer.exe

The logs overall do not indicate an obvious reason for the detection. Let's have you run a couple of AV scans to double-check.

[ 1 ] Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility: https://free.drweb.com/
- You will need to send them an email to obtain a link to download the scanner, please do so.
- The downloaded file will normally have a unique name such as: q7a9tr4p.exe
- Close all open applications and locate the downloaded file and double-click to run it.
- The program will take a moment to launch and bring up the License and Update screen.
- Place a check mark to agree to the terms and then click on the Continue button.
- Click the underlined link Select objects for scanning.
- On the top left click the Scanning objects that should automatically check all objects.
- Click the small wrench and make sure there is a check on Automatically apply actions to threats.
- Then click the large button on bottom right Start scanning.
- Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad.
- The log is saved in the folder named Doctor Web in the top of your user profile folders.
- Please attach that log on your next reply.

[ 2 ] ESET Online Scanner

Please run the following and perform a Full Scan.
- Click the following link to save the installer for ESET Online Scanner: https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
- It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
- Go to the saved file, and double click it to get started.
- When presented with the initial ESET screen, click on "Get Started".
- Read and accept the Terms of use.
- On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
- When prompted for scan type, click on the Full Scan button.
- Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
- Have patience. The entire process may take a few hours or more.
- When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
- Click the blue "Save scan log" to save the log and give it a name and location you remember.
- If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
- Press Continue when all done.
- You should click to turn off the offer for "periodic scanning".
- Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

Note: If you do need to do a File Restore from ESET please follow the directions below
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please attach the ESET scan log you saved at the end to your next reply.
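The SafeBoot entries quoted in the post above are of three different kinds: a file name (cdd.dll, ExecutionContext.sys, netadaptercx.sys), a service name (WinHttpAutoProxySvc), and a device setup class GUID (the {13cfe1b1-...} key, whose default value "I3C devices" is the class description). The following is an added example, not code from the thread, FRST or Malwarebytes: it lists both SafeBoot profiles and resolves each name to what it refers to on this machine, so an entry can be judged from its image path, signer and setup class rather than from its name alone. The function name is mine; it assumes an elevated PowerShell.

```powershell
# Added example (not from the thread): list every SafeBoot entry and resolve what each
# name refers to, so odd-looking ones can be judged. Assumes an elevated PowerShell;
# the function name is mine, not FRST's or Malwarebytes'.
function Get-SafeBootEntry {
    param([ValidateSet('Minimal', 'Network')][string]$Profile = 'Network')

    $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Profile"
    foreach ($key in Get-ChildItem -Path $root) {
        $name = $key.PSChildName
        # The key's default value is what FRST prints after '=>' ("Driver", "Service", ...)
        $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'

        $detail = switch -Regex ($name) {
            '^\{[0-9a-f-]{36}\}$' {
                # A device setup class GUID: its friendly class name lives under Control\Class
                $cls = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$name" -ErrorAction SilentlyContinue
                if ($cls) { "setup class: $($cls.Class)" } else { 'setup class GUID not found' }
            }
            '\.(sys|dll)$' {
                # A file name: locate it and check its Authenticode status and signer
                $file = Join-Path $env:SystemRoot "System32\drivers\$name"
                if (-not (Test-Path $file)) { $file = Join-Path $env:SystemRoot "System32\$name" }
                if (Test-Path $file) {
                    $s = Get-AuthenticodeSignature $file
                    "$($s.Status) / $($s.SignerCertificate.Subject) / $file"
                } else { 'file not found in System32 or System32\drivers' }
            }
            default {
                # A service or driver registered by name: show where its image is
                $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
                if ($svc) { "service image: $($svc.ImagePath)" } else { 'no matching Services key' }
            }
        }

        [pscustomobject]@{ Profile = $Profile; Entry = $name; Kind = $kind; Detail = $detail }
    }
}

# List both profiles. A service whose image sits outside System32, a file with an
# invalid or non-Microsoft signature, or a GUID with no setup class are the entries
# worth a closer look; a missing security product driver is the reverse question.
'Minimal', 'Network' | ForEach-Object { Get-SafeBootEntry -Profile $_ } | Format-Table -AutoSize -Wrap
```

The `Kind` column reproduces the "Driver" / "Service" value FRST quotes; the `Detail` column is what the name actually resolves to, which is the part a reader cannot get from the FRST line itself.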
John L. Galt Posted September 20 Author ID:1662292

Just now, AdvancedSetup said:
> Did you set up all of these? Generally speaking, part of the idea of Safe Mode is to help prevent unknown items from loading while you check it out.
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cdd.dll => ""="Driver"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cdd.dll => ""="Driver"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExecutionContext.sys => ""="Driver"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netadaptercx.sys => ""="Driver"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinHttpAutoProxySvc => ""="Service"
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"
> Oddly I don't see Malwarebytes listed there, which typically even the free version will set our driver there.

I have no idea on those - let me check the system with the scans you've requested.

As for MB not being listed - uh, weird? But definitely cause for concern - as this is definitely some stealthy behavior that is concerning - and especially because I have MB5 running with my sub activated.

Let me run these scans next.
Root Admin AdvancedSetup Posted September 20 ID:1662294

The I3C could be for Intel storage drivers possibly.

This one, since it's proxy related, is of at least possible concern:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinHttpAutoProxySvc => ""="Service"
Root Admin AdvancedSetup Posted September 20 ID:1662296

You can download and run the Malwarebytes installer again to make sure everything is set up properly.

MB5 Online Installer
https://downloads.malwarebytes.com/file/mb5-windows

MB5 Offline Installer
https://downloads.malwarebytes.com/file/mb5_offline
John L. Galt Posted September 20 Author ID:1662299

But my system is pure AMD, so, other than Intel owning Killer, there should be nothing else Intel here. Only the Wi-Fi / BT and the Killer Ethernet NICs (E2600 and E3000). Checking Driver Store Explorer verifies that - the only drivers from Intel are all BT (and Killer for network). However I do have an unknown name for a big UPS for my system. Let me look into that also.

I'll also re-run the MB5 installers.

Meanwhile, with all of the news around Dr. Web, if you're still recommending it, that's cool, but when attempting to DL it, it very specifically asks to allow them to process the information, and I am not sure I like that specific part:

I've not visited Dr. Web before - is this specific checkbox what you meant in the part above that I'd need to give them an email?
Root Admin AdvancedSetup Posted September 20 ID:1662300 (edited)

Unfortunately every company wants your information. Basically they will gather stuff, sort of like Farbar does, to process on their system in order to try to improve their product. Asking you to run Microsoft's Safety Scanner does the same thing.

Edited September 20 by AdvancedSetup: Updated information
John L. Galt Posted September 20 Author ID:1662301

34 minutes ago, AdvancedSetup said:
> Windows Defender believes this to be Suspicious. Please upload to VirusTotal to be scanned and verify
> D:\Users\BeastA\Downloads\UniGetUI.Installer.exe

1/71: https://www.virustotal.com/gui/file/fec4eef1b5abd88ec8be6ad381871479bea54a10c5b156b8bef40b1bdcfb2202
Root Admin AdvancedSetup Posted September 20 ID:1662302

Thanks, seems okay to me.
John L. Galt Posted September 20 Author ID:1662303

Just now, AdvancedSetup said:
> Unfortunately every company wants your information. Basically they will gather stuff, sort of like Farbar does, to process on their system in order to try to improve their product.

Yeah, I suspected - just haven't ever been there, and being extra cautious that that is what I am supposed to see - but at least they make it (painfully) obvious about both the intent as well as the permission request, so kudos to them.

I've re-installed MB5 now, and am gonna DL both of those and run them - after a reboot. Should I run any of the previous stuff too, to see if MB5 is showing where it should, and more?
Root Admin AdvancedSetup Posted September 20 ID:1662304

Recheck for updates from Malwarebytes. Then let me know if you're still getting any alerts about a blocked site or not. Try a computer reboot as well.
Root Admin AdvancedSetup Posted September 20 ID:1662305

If you're still getting a block and AV finds nothing, since you're running Microsoft Windows 11 Pro we can enable auditing and use Sysmon if needed to help track down what is doing that.
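The "auditing and Sysmon" approach in the post above, written out as an added example (not code from the thread, Malwarebytes or Sysinternals). Part 1 turns on Windows Filtering Platform connection auditing (Security events 5156 permitted / 5157 blocked, which carry the PID, image path and destination) and installs a minimal Sysmon configuration that records event 3 (NetworkConnect) for the suspect IP and event 1 (ProcessCreate) for everything, so the svchost command line survives even if the process has exited. Part 2 is the query to run after the next block fires. Assumptions: an elevated PowerShell, Sysmon64.exe already downloaded into the current folder (that path, the config file name and the function names are mine), Sysmon schema 4.90, and the IP from the block log in the first post.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell, Sysmon64.exe in
# the current folder (path is an assumption), and the suspect IP from the MB5 block log.
$SuspectIp = '120.226.28.61'

# --- Part 1: enable the two data sources ---------------------------------------------
# WFP connection auditing: Security events 5156 (permitted) and 5157 (blocked) both
# carry ProcessID, Application (image path), DestAddress and DestPort.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Sysmon: event 3 only for the suspect IP, plus event 1 for every process so the
# svchost command line ('-k group -s Service') can be recovered after the fact.
# An 'exclude' block with no rules means "log all" in Sysmon's filter semantics.
$sysmonConfig = @"
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="suspect-ip" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationIp condition="is">$SuspectIp</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="process-creates" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
Set-Content -Path .\sysmon-suspect-ip.xml -Value $sysmonConfig -Encoding ASCII
.\Sysmon64.exe -accepteula -i .\sysmon-suspect-ip.xml   # use -c instead of -i if Sysmon is already installed

# --- Part 2: after the next block, pull every record of traffic to that IP -------------
function Find-OutboundTo {
    param([Parameter(Mandatory)][string]$Ip)

    function Get-Field($Event, $Name) {
        # One named <Data> element out of the event's EventData
        $x = [xml]$Event.ToXml()
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
    }

    $secQuery = "*[System[(EventID=5156 or EventID=5157)] and EventData[Data[@Name='DestAddress']='$Ip']]"
    foreach ($e in (Get-WinEvent -LogName Security -FilterXPath $secQuery -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = "Security/$($e.Id)"
            PID         = Get-Field $e 'ProcessID'
            Image       = Get-Field $e 'Application'
            Port        = Get-Field $e 'DestPort'
            Outbound    = ((Get-Field $e 'Direction') -eq '%%14593')   # %%14593 = Outbound, %%14592 = Inbound
            CommandLine = $null                                        # 5156/5157 do not record it
        }
    }

    $sysLog   = 'Microsoft-Windows-Sysmon/Operational'
    $netQuery = "*[System[EventID=3] and EventData[Data[@Name='DestinationIp']='$Ip']]"
    foreach ($e in (Get-WinEvent -LogName $sysLog -FilterXPath $netQuery -ErrorAction SilentlyContinue)) {
        # Join to the ProcessCreate event with the same ProcessGuid for the command line
        $guid        = Get-Field $e 'ProcessGuid'
        $createQuery = "*[System[EventID=1] and EventData[Data[@Name='ProcessGuid']='$guid']]"
        $create      = Get-WinEvent -LogName $sysLog -FilterXPath $createQuery -MaxEvents 1 -ErrorAction SilentlyContinue
        $cmd         = if ($create) { Get-Field $create 'CommandLine' } else { $null }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = 'Sysmon/3'
            PID         = Get-Field $e 'ProcessId'
            Image       = Get-Field $e 'Image'
            Port        = Get-Field $e 'DestinationPort'
            Outbound    = ((Get-Field $e 'Initiated') -eq 'true')
            CommandLine = $cmd
        }
    }
}

Find-OutboundTo -Ip $SuspectIp | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Security-log rows give the PID at the moment of the attempt, which is enough for `tasklist /svc` if the svchost is still running; the Sysmon rows add the command line, which on Windows 10/11 usually names the single service (`-s <ServiceName>`) the instance hosts, so a short-lived process can still be attributed. The one-time block reported in this thread may not recur, in which case neither log fills up, which is itself useful information.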
John L. Galt Posted September 20 Author ID:1662309 (edited)

Actually, I only ever received that block notice that one time. I've not gotten it again, which is why I was both super surprised, *and* willing to try to track it down myself at first.

A week ago I had 4 reports to a separate IP, 172.56.104.178, which ICANN shows belonging to T-Mobile (which my system does access if I use my cellular connection, aka Google Fi) and it has very few reports: https://www.abuseipdb.com/check/172.56.104.178

Before that the reports are from July, June, May, and April.

And, though listed as Trojan, the previous four attempts to that 172. IP are all svchost.exe as well, and all on port 18192:

But all this other stuff now has me at the very least concerned, so I'm gonna continue to go through this until we're satisfied that there is nothing untoward going on here.

Edited September 20 by John L. Galt: Added screenshots, more info
John L. Galt Posted September 20 Author ID:1662311

Checked for updates, rebooted, and nada. Commencing the scanning routine. Gonna do them all just to be sure.

If MB5 is not adding itself to the safe mode hive, that is a problem in and of itself, I suspect. And it's been a while since I performed a clean install of my system, and with it now running an Insiders 24H2 build, might be a good time unless I find something truly nefarious going on here.
Root Admin AdvancedSetup Posted September 20 ID:1662314

Well, we can run a generic clean up script if you like, but if you're considering a clean install of Windows then it's not really needed.

You can also run these routines:

ECHO Y | CHKDSK C: /F
DISM /Online /Cleanup-Image /RestoreHealth
SFC.EXE /SCANNOW
John L. Galt Posted September 20 Author ID:1662315

I use SysMinion (by the developer of Horodruin) to run those after major Windows updates, and I last ran all of them just a couple of days ago.

I'm going through the scans in order starting with ADW, and I think I might have skipped running the Basic Repair button yesterday. I'm doing that today, and then running the MB5 scan and then rebooting and continuing on through your own scan requests. I'll post all the files ASAP.
John L. Galt Posted September 20 Author ID:1662318

While I'm waiting for Dr.Web CureIt to finish (10 minutes in thus far) I will note that I am playing a game via Steam called Once Human, distributed by NetEase, a Chinese game distributor - but I only started playing as of 15 July, and I have 0 reports in MB5 since I started playing until 9 Sept and then yesterday. It is, however, still a possibility, and I'm keeping an open mind as to anything being possible here.

Also, Dr.Web CureIt states "No threats detected". On to ESET and then posting files. But I'm also going to get dinner, so it may be a while.
Root Admin AdvancedSetup Posted September 20 ID:1662321

Sounds good. I'll check back later.
John L. Galt Posted September 20 Author ID:1662323 (edited)

Odd. ESET started with the downloading module update ... and then completely disappeared from my running processes. I've started it again for a full scan, and it is DLing again. It just hit 100%. Now it shows 2233% briefly, and then completely exits. Going to reboot and try again.

Wasn't able to get a screenshot of it showing 2233% before it disappeared.

Edited September 20 by John L. Galt: fixed typo
Root Admin AdvancedSetup Posted September 20 ID:1662326

Yes, I'm not sure why, but some systems simply will not run the ESET program. If it fails again, we can run the Microsoft scanner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

[ 1 ] Please make the following system changes.
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions

[ 2 ] Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options & select the FULL scan. Then start the scan. Have lots of patience. It may take several hours to complete. Once you see it has started, take a long long break; walk away.

Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run and saved in the log. The scan may take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands ..... just do not use the computer during this scan. This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log
Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Then it writes into the log on your computer what it found and did.

Thank you
John L. Galt Posted September 21 Author ID:1662459

Another day, and more confusion. The only thing found were 3 NirSoft utilities that can potentially be used maliciously, that both Defender and MB5 don't like seeing, and thus for which I have exceptions in both for the Windows System Control Center app.

I am thoroughly confused.

msert.log
cureit.log
FRST.txt
Malwarebytes Scan Report 2024-09-20 212209.txt
AdwCleaner[C01].txt
Root Admin AdvancedSetup Posted September 22 ID:1662567

Do you have the Addition.txt log file @John L. Galt?