Odd outbound attempt blocked in MB5 - windows svchost.exe

Solved by AdvancedSetup

Hey, all, it's been a long time, I hope everyone is still doing well.

I just had a popup from MB5 about a blocked outbound connection via svchost.exe to an IP address that is registered to China Mobile (which I obviously do not use).

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 19-Sep-24
Protection Event Time: 14:22
Log File: 2c3eb6e0-76b4-11ef-b27d-00155d5a264d.json

-Software Information-
Version: 5.1.11.133
Components Version: 1.0.5044
Update Package Version: 1.0.89429
License: Premium

-System Information-
OS: Windows 11 (Build 26100.1742)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, 0CD128F416A04C06D50EC56392C25D9F, 324451797AC909A4DD40C7A2F7347EF91F6B7C786941AD5035F609C0FC15EDAA

-Website Data-
Category: Compromised
Domain: 
IP Address: 120.226.28.61
Port: 4008
Type: Outbound
File: C:\Windows\System32\svchost.exe



(end)

I looked up the IP at ICANN.org: https://lookup.icann.org/en/lookup

And that is how I found out it is trying to connect to an IP associated with China Mobile.

I realize that svchost is, in layman's terms, a wrapper to run services, for lack of a better description - but does the new MB5 offer additional details (particularly a PID for the process in question)? I have quite a few svchost.exe instances running at any given moment, and I'd like to verify if this is a legitimate call - or a legitimate concern.

As you can see in the following ss, right now it's basically a shot in the dark with a lot of trial and error before I can even narrow down which ones of these it might be:

[Screenshot attachment: Screenshot2024-09-19144123.png]

[Screenshot attachment: Screenshot2024-09-19144157.png]

I ask here first in the hopes that I don't need to go through the entire process of getting my system analyzed and / or 'fixed', as I can do most of that myself - but I'd rather not go through the entire rigmarole if it is just a FP, yanno?

Thanks.

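The question above is how to get from "svchost.exe tried to reach 120.226.28.61:4008" to a PID and a service name. The following is an added example, not code from this thread or from Malwarebytes: it maps each svchost.exe instance to the services it hosts, checks live sockets to the reported destination, and, where Sysmon is installed (an assumption), pulls its Event ID 3 records for that destination so a one-off block can be attributed after the fact.

```powershell
# Added example for this thread (not Malwarebytes code): tie a blocked outbound
# destination to a specific svchost.exe PID and the services that PID hosts.
# Run from an elevated PowerShell session on the affected machine.

function Get-SvchostMap {
    # One row per svchost.exe: PID, command line (shows the -k service group)
    # and the names of the services currently hosted in that process.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' }
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $p = $_
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId })
        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath   # expect C:\Windows\System32\svchost.exe
            CommandLine = $p.CommandLine
            Services    = ($hosted.Name -join ', ')
        }
    }
}

function Find-LiveSvchostConnection {
    # Live check: which svchost PID currently owns a socket to the remote host.
    # Only useful while the attempt (or a retry) is actually in progress.
    param([string]$RemoteAddress, [int]$RemotePort = 0)
    $map = Get-SvchostMap
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        Where-Object { $RemotePort -eq 0 -or $_.RemotePort -eq $RemotePort } |
        ForEach-Object {
            $c = $_
            $entry = $map | Where-Object { $_.PID -eq $c.OwningProcess }
            if ($entry) {
                [pscustomobject]@{ PID = $c.OwningProcess; State = $c.State
                    Remote = "$($c.RemoteAddress):$($c.RemotePort)"
                    Services = $entry.Services; CommandLine = $entry.CommandLine }
            }
        }
}

function Find-SysmonNetworkEvent {
    # After-the-fact check: Sysmon Event ID 3 logs PID and image per connection
    # attempt, so a one-off block can still be attributed later. Assumes Sysmon
    # is installed with network logging enabled; otherwise nothing is returned.
    param([string]$RemoteAddress, [int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3;
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_; $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.DestinationIp -eq $RemoteAddress) {
            [pscustomobject]@{ Time = $ev.TimeCreated; PID = $d.ProcessId; Image = $d.Image
                               Dest = "$($d.DestinationIp):$($d.DestinationPort)" }
        }
    }
}

# Destination taken from the blocked-connection report quoted in this thread.
Get-SvchostMap | Format-Table -AutoSize
Find-LiveSvchostConnection -RemoteAddress '120.226.28.61' -RemotePort 4008
Find-SysmonNetworkEvent    -RemoteAddress '120.226.28.61'
```

A Path other than C:\Windows\System32\svchost.exe, or a svchost PID that hosts no registered service, is worth a closer look before deciding the block was a false positive.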

@John L. Galt This one needs malware removal assistance

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point  <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup   Windows 8 and newer only <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes
       RESTART the computer <<<<< Important.
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

[Image attachment: example of the attach-files control]

Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you

 


Scans attached. Including the export of the MB5 original IP address access block. Settings for each respective application used to scan were set exactly as mentioned in each reference post.

 

Malwarebytes Website Blocked Report 2024-09-19 182248.txt AdwCleaner[S00].txt Malwarebytes Scan Report 2024-09-19 191520.txt FRST.txt Addition.txt


  • Root Admin

Hello @John L. Galt long time no see. Hope you're doing well.

Did you set up all of these? Generally speaking part of the idea of Safe Mode is to help prevent unknown items from loading while you check it out

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExecutionContext.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netadaptercx.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinHttpAutoProxySvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"

Oddly I don't see Malwarebytes listed there which typically even the free version will set our driver there.

 

Windows Defender believes this to be Suspicious. Please upload to VirusTotal to be scanned and verify

D:\Users\BeastA\Downloads\UniGetUI.Installer.exe

 

The logs overall do not indicate an obvious reason for the detection

Let's have you run a couple of AV scans to double-check

[ 1 ]

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

[ 2 ]

ESET Online Scanner

Please run the following and perform a Full Scan
 
Click the following link to save the installer for ESET Online Scanner
https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.


 
Note: If you do need to do a File Restore from ESET please follow the directions below
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
 
Please attach the ESET scan log you saved at the end to your next reply

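The SafeBoot question in the reply above (unexpected entries present, the expected Malwarebytes driver absent) is easier to answer with a baseline to diff against. This is an added example, not code from this thread or from Malwarebytes: it enumerates SafeBoot\Minimal and SafeBoot\Network, saves a snapshot, and reports what was added or removed since; the baseline file path and the Test-SafeBootEntry name parameter are assumptions.

```powershell
# Added example for this thread (not Malwarebytes code): list what is allowed
# to load in Safe Mode, save it as a baseline, and later report what was added
# or removed. Run from an elevated PowerShell session.

function Get-SafeBootEntries {
    # One row per subkey under SafeBoot\Minimal and SafeBoot\Network. The key's
    # (Default) value is "Driver", "Service" or a device class such as "I3C devices".
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Mode = $mode
                Name = $_.PSChildName
                Type = [string]$_.GetValue('')   # the (Default) value
            }
        }
    }
}

function Save-SafeBootBaseline {
    # Take the snapshot on a known-good machine or right after a clean install.
    param([string]$Path)
    Get-SafeBootEntries | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-SafeBootBaseline {
    # Diff the current lists against the saved snapshot; one row per change.
    param([string]$Path)
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current  = @(Get-SafeBootEntries)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Mode, Name, Type |
        ForEach-Object {
            $change = 'removed since baseline'
            if ($_.SideIndicator -eq '=>') { $change = 'added since baseline' }
            [pscustomobject]@{ Change = $change; Mode = $_.Mode; Name = $_.Name; Type = $_.Type }
        }
}

function Test-SafeBootEntry {
    # True when the named driver/service key exists in the requested list, e.g.
    # to confirm an expected security product entry is present. Name is an
    # assumption supplied by the caller; the thread does not name the driver.
    param([string]$Name, [string]$Mode = 'Minimal')
    $hit = Get-SafeBootEntries | Where-Object { $_.Mode -eq $Mode -and $_.Name -ieq $Name }
    return ($null -ne $hit)
}

# Baseline location is an assumption for this example.
$baselinePath = "$env:ProgramData\safeboot-baseline.json"
if (-not (Test-Path $baselinePath)) { Save-SafeBootBaseline -Path $baselinePath }
Get-SafeBootEntries | Format-Table -AutoSize
Compare-SafeBootBaseline -Path $baselinePath | Format-Table -AutoSize
```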

Just now, AdvancedSetup said:

Did you set up all of these? Generally speaking part of the idea of Safe Mode is to help prevent unknown items from loading while you check it out

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cdd.dll => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExecutionContext.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netadaptercx.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinHttpAutoProxySvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{13cfe1b1-6b17-424c-ac3f-16ace8733898} => ""="I3C devices"

Oddly I don't see Malwarebytes listed there which typically even the free version will set our driver there.

I have no idea on those - let me check the system with the scans you've requested.

As for MB not being listed - uh, weird? But definitely cause for concern - as this is definitely some stealthy behavior that is concerning - and especially because I have MB5 running with my sub activated.

Let me run these scans next.


But my system is pure AMD, so, other than Intel owning Killer, there should be nothing else Intel here. Only the Wi-Fi / BT and the Killer Ethernet NICs (E2600 and E3000). Checking Driver Store Explorer verifies that - the only drivers from Intel are all BT (and Killer for network).

However I do have an unknown name for a big UPS for my system, Let me look into that also.

I'll also re-run the MB5 installers.

Meanwhile, with all of the news around Dr. Web, if you're still recommending it, that's cool, but when attempting to DL it it very specifically asks to allow them to process the information, and I am not sure I like that specific part:

[Screenshot attachment: Screenshot2024-09-20161551.png]

I've not visited Dr. Web before - is this specific checkbox what you meant in the part above that I'd need to give them an email?


  • Root Admin

Unfortunately every company wants your information. Basically they will gather stuff sort of like Farbar does to process on their system in order to try to improve their product.

Asking you to run Microsoft's Safety Scanner does the same thing.

Edited by AdvancedSetup
Updated information

34 minutes ago, AdvancedSetup said:

Windows Defender believes this to be Suspicious. Please upload to VirusTotal to be scanned and verify

D:\Users\BeastA\Downloads\UniGetUI.Installer.exe

1/71: 

https://www.virustotal.com/gui/file/fec4eef1b5abd88ec8be6ad381871479bea54a10c5b156b8bef40b1bdcfb2202


Just now, AdvancedSetup said:

Unfortunately every company wants your information. Basically they will gather stuff sort of like Farbar does to process on their system in order to try to improve their product.

 

Yeah, I suspected - just haven't ever been there, and being extra cautious that that is what I am supposed to see - but at least they make it (painfully) obvious about both the intent as well as the permission request, so kudos to them.

I've re-installed MB5 now, and am gonna DL both of those and run them - after a reboot. Should I run any of the previous stuff too, to see if MB5 is showing where it should, and more?


Actually, I only ever received that block notice that one time. I've not gotten it again, which is why I was both super surprised, *and* willing to try to track it down myself at first.

A week ago I had 4 reports to a separate IP, 172.56.104.178, which ICANN shows belonging to T-Mobile (which my system does access if I use my cellular connection, aka Google Fi) and it has very few reports:

https://www.abuseipdb.com/check/172.56.104.178

Before that the reports are from July, June, May, and April.

[Screenshot attachment: Screenshot2024-09-20165512.png]

And, though listed as Trojan, the previous four attempts to that 172. IP are all svchost.exe as well, and all on port 18192:

[Screenshot attachment: Screenshot2024-09-20165756.png]

But all this other stuff now has me at the very least concerned, so I'm gonna continue to go through this until we're satisfied that there is nothing untoward going on here.

Edited by John L. Galt
Added screenshots, more info

Checked for updates, rebooted, and nada. Commencing the scanning routine. Gonna do them all just to be sure. If MB5 is not adding itself to the safe mode hive, that is a problem in and of itself, I suspect. And it's been a while since I performed a clean install of my system, and with it now running an Insiders 24H2 build, might be a good time unless I find something truly nefarious going on here.


I use SysMinion (by the developer of Horodruin) to run those after major Windows updates, and I last ran all of them just a couple of days ago.

I'm going through the scans in order starting with ADW, and I think I might have skipped running the Basic Repair button yesterday. I'm doing that today, and then running the MB5 scan and then rebooting and continuing on through your own scan requests. I'll post all the files ASAP.


While I'm waiting for Dr.Web CureIt to finish (10 minutes in thus far) I will note that I am playing a game via Steam called Once Human, distributed by NetEase, a Chinese game distributor - but I only started playing as of 15 July, and I have 0 reports in MB5 since I started playing until 9 Sept and then yesterday. It is, however, still a possibility, and I'm keeping an open mind as to anything being possible here.

Also, Dr.Web CureIt states "No threats detected". On to ESET and then posting files. But I'm also going to get dinner, so it may be a while.


Odd. ESET started with the downloading module update ... and then completely disappeared from my running processes.

I've started it again for a full scan, and it is DLing again. It just hit 100%. Now it shows 2233% briefly, and then completely exits.

Going to reboot and try again. Wasn't able to get a screenshot of it showing 2233% before it disappeared.

Edited by John L. Galt
fixed typo

  • Root Admin

Yes, I'm not sure why but some systems simply will not run the ESET program.

If it fails again, we can run the Microsoft scanner

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run and saved in the log.
  • The scan may take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware. )

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

 

Thank you

 


Another day, and more confusion.

The only thing found were 3 NirSoft utilities that can potentially be used maliciously, that both Defender and MB5 don't like seeing, and thus for which I have exceptions in both for the Windows System Control Center app.

I am thoroughly confused.

msert.log cureit.log FRST.txt Malwarebytes Scan Report 2024-09-20 212209.txt AdwCleaner[C01].txt


This topic is now closed to further replies.