
Malwarebytes Premium sometimes blocks SVCHOST.EXE


This topic is locked
17 replies to this topic

#1 MrC0f33


Posted 28 June 2017 - 08:58 AM

Greetings,

It has come to my attention that Malwarebytes Premium would occasionally block an outbound connection made by system32/svchost.exe, each time with a different IP address. I noticed it some time ago and paid no attention to it, thinking that it was some sort of false positive. However, it has been annoying me, hence I have decided to officially open a topic in this forum to seek help.

Premium Anti-Virus I am using:
BitDefender Internet Security 2017
Malwarebytes Premium

Both found nothing with a full system scan (with rootkit scanning enabled). I have also tried the procedure mentioned here: https://www.bleepingcomputer.com/virus-removal/fix-malicious-web-site-blocked-alert-from-svchost.exe/ but I have found nothing.

Fearing for the worst, I had my ISP's technician come and reset my wifi router (although prior to the reset, the technician mentioned that my wifi router's DNS address is indeed valid). However, for peace of mind, I went ahead and reset the router anyway and was once again provided with the same DNS address by my ISP. My house-mates and I have experienced no redirects or pop-ups of any sort while using my laptop or smartphone (I just checked and the DNS address on both my PC and wifi router is still "genuine").

Attached with this topic will be my FRST and MWB Protection logs as well as screen-shots of what I believe to have been blocked by MWB using TCP View and Task Manager.  

Upon closer inspection, the logs show that svchost.exe was using Port [58062] with a PID of 3976 which corresponds to IP Helper or iphlpsvc. 
Note: screenshots attached were taken on the 20th of June 2017 corresponding with svchost protection log 1 and 2

I have also run a bunch of second-opinion scanners and found nothing. I hope that experts in this forum will help me to resolve the issue.

I am very much looking forward to the assistance provided.

Thank-you 

EDIT: My time-zone is GMT+8.00  
 


Edited by TechN3wb, 28 June 2017 - 09:03 AM.
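As an added example (not part of the thread or any poster's own procedure), this PowerShell script automates the triage the original poster did by hand with TCPView and Task Manager: it maps the svchost.exe PID from a Malwarebytes alert to the services hosted in that instance, checks the image signature, and lists the live connections so the blocked remote address can be matched against them. The PID 3976 and the IP address 199.241.146.179 are the values quoted in this thread; the parameter names are my own.

```powershell
# Added example, not from the thread: triage an "outbound connection blocked"
# alert for svchost.exe. Defaults are the PID and IP address quoted in the thread;
# replace them with the values from your own alert. Run in an elevated prompt.
param(
    [int]$SvcHostPid = 3976,
    [string]$RemoteAddress = '199.241.146.179'
)

# 1. Which Windows services live inside this svchost instance?
#    Win32_Service.ProcessId is populated only while the service is running.
$hosted = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -eq $SvcHostPid } |
    Select-Object Name, DisplayName, State, PathName
if (-not $hosted) {
    Write-Warning "No running service is hosted by PID $SvcHostPid (the instance may have exited)."
} else {
    "Services hosted by PID ${SvcHostPid}:"
    $hosted | Format-Table -AutoSize
}

# 2. Is the image the signed Microsoft svchost.exe from System32, or a look-alike elsewhere?
$proc = Get-Process -Id $SvcHostPid -ErrorAction SilentlyContinue
if ($proc -and $proc.Path) {
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path
    "Image: $($proc.Path)"
    "Signature: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
}

# 3. Which live TCP connections and UDP endpoints belong to that PID,
#    and does any of them match the address in the alert?
$tcp = Get-NetTCPConnection -OwningProcess $SvcHostPid -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, RemotePort, State
$udp = Get-NetUDPEndpoint -OwningProcess $SvcHostPid -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
"TCP connections:"; $tcp | Format-Table -AutoSize
"UDP endpoints:";   $udp | Format-Table -AutoSize

$match = $tcp | Where-Object { $_.RemoteAddress -eq $RemoteAddress }
if ($match) {
    "PID $SvcHostPid currently has a connection to $RemoteAddress (matches the alert)."
} else {
    "No live connection to $RemoteAddress at this moment; blocked connections are often transient."
}
```

If the hosted-service list shows only IP Helper (iphlpsvc) and the image is the signed System32 binary, the next check is whether a program such as a P2P client is driving IPv6 transition traffic, rather than assuming the process itself is malicious.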




#2 nasdaq (Malware Response Team)

Posted 29 June 2017 - 07:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (????????????[ChromeApps?]) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eablgejicbklomgaiclcolfilbkckngf [2017-04-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-13]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-06]

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
===

Please let me know what problem persists with this computer.

#3 MrC0f33 (Topic Starter)

Posted 29 June 2017 - 09:32 AM

Dear Nasdaq,

Thank-you for the quick reply. I have since followed your instructions and reset all of my browsers (Opera, Chrome, IE, and Microsoft Edge) to their default settings.

I have also run the fixlist in admin mode and was prompted to restart my PC. Just a heads-up, the unicode you saw in my FRST logs is a Chrome app which is an online game that I play. Also, I mainly use Opera for the majority of my browsing.

Just for peace of mind, can you also kindly analyse my MiniToolBox log (I selected everything but system restore point) and see if my DNS settings are all good?

 

Finally, was my computer infected?

Thank-you 

EDIT: No problem as of now. I will have to see if SVCHost will be blocked again......


Edited by TechN3wb, 29 June 2017 - 09:38 AM.


#4 nasdaq (Malware Response Team)

Posted 29 June 2017 - 01:18 PM

You are looking good.

Wait a day or two and let me know if the problem persists.

#5 MrC0f33 (Topic Starter)

Posted 29 June 2017 - 06:27 PM

Dear Nasdaq,

 

Thank-you for the reply. However, this morning when I woke up, BitDefender Internet Security found the following:

Gen:HackTool.WinCred.1

in the location

c:\windows\system32\lsasrv.dll.

Strange, as this is the first time that Bitdefender found something after months of installation.



#6 MrC0f33 (Topic Starter)

Posted 29 June 2017 - 06:35 PM

Here are my new FRST logs. BD seems to have blocked it. However, just to be sure.

 



#7 MrC0f33 (Topic Starter)

Posted 29 June 2017 - 08:31 PM

Edit: Seems like it is a false positive?

 

https://www.virustotal.com/en/file/7bb561df45d697a5b275af03323ae2d6a7366870771e5e39ff1e7fad5bd019f3/analysis/1498786156/

https://forum.bitdefender.com/index.php?/topic/76526-false-alert/ 

 

Edit: Just to be extra sure, can you kindly check my provided new FRST logs?
And may I also kindly know whether my computer was infected to begin with?
Or how did my browser get compromised? If so, which browser was compromised?

Sorry for all the questions and thank-you


Edited by TechN3wb, 29 June 2017 - 08:36 PM.


#8 nasdaq (Malware Response Team)

Posted 30 June 2017 - 08:28 AM

Your logs are clean.

Your computer was never compromised.


If all is well read and follow these recommendations.
To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 MrC0f33 (Topic Starter)

Posted 30 June 2017 - 08:34 AM

Thank-you for the reassurance Nasdaq.

I will update this thread in a week's time to see if SVCHOST is blocked again by Malwarebytes. Until then, you have been nothing but a life-saver at keeping my mind at ease.

Thank-you



#10 MrC0f33 (Topic Starter)

Posted 04 July 2017 - 12:12 AM

Dear Nasdaq, 

 

MWB blocked SVCHost.exe again today. However, this only occurred when I was using Tixati, a P2P software.
MWB states that it is an outbound connection using the same port as the above log files (Port 58062).
So I guess perhaps using P2P software is the root cause of my issue.

However, prior to this, in

svchost protection log 3.txt
svchost protection log 4.txt

I was not running any P2P software and only had the Opera browser running. But prior to this I had used Tixati the night before. So once again, perhaps it is the fault of P2P software?

Thank-you

 


Edited by TechN3wb, 04 July 2017 - 04:58 AM.


#11 MrC0f33 (Topic Starter)

Posted 04 July 2017 - 06:35 AM

Dear Nasdaq,

Attached are the scans from FRST and MTB. If all is well after you examine them (please, I kindly request that you examine my latest log file), then I shall kindly request that you close down this topic. I will then proceed to stop using P2P software and opt for direct download instead.

Sorry for the trouble.

Thank-you once again


Edited by TechN3wb, 04 July 2017 - 06:37 AM.


#12 nasdaq (Malware Response Team)

Posted 04 July 2017 - 08:03 AM



Hi,

I'm not sure that Tixati is causing this, unless you have a compromised copy.

Run this fix. After a restart of the computer execute Tixati.
If the problem returns remove the Application and install the latest version from the original site.
https://www.tixati.com/download/

If it does then submit the Tixati.exe to Malwarebytes for their review.
Explain the issue you are having when running it.

Instructions on this page.
https://forums.malwarebytes.com/topic/3228-please-read-before-reporting-a-false-positive/
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-29]
ContextMenuHandlers01: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers02: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll -> No File
ContextMenuHandlers04: [Mp3tagShell] -> {6351E20C-35FA-4BE3-98FB-4CABF1363E12} => C:\Program Files (x86)\Mp3tag\Mp3tagShell64.dll -> No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
===

p.s.

MBAM reports this IP address.
199.241.146.179

OrgName: HugeServer Networks, LLC
OrgId: HNL-14
Address: 11601 WILSHIRE BOULEVARD #500
City: Los Angeles
StateProv: CA
PostalCode: 90025
Country: US

Is this your provider?

#13 MrC0f33 (Topic Starter)

Posted 04 July 2017 - 09:04 AM

Dear Nasdaq,

Thank-you once again for the quick and informative reply. I have run the fixlist as requested. Besides that, I have also attached the block by MWB today. I relaunched Tixati and checked for updates, and my version was the latest.

I tried using the same Magnet Links which I've used today and could not replicate the issue. 

Thank-you

EDIT: The addresses reported by MBAM are not my provider.


Edited by TechN3wb, 04 July 2017 - 09:33 AM.


#14 nasdaq (Malware Response Team)

Posted 04 July 2017 - 10:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


If the problem persists reset your Router it may be compromised.

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Keep me posted.

#15 MrC0f33 (Topic Starter)

Posted 04 July 2017 - 11:09 AM

Dear Nasdaq,

Is there something wrong with the logs from MBT? Is my DNS compromised? I prefer not to reset my router as I am living in a rented unit and several other individuals are using this router. Furthermore, technicians from my ISP have come and reset my router.

I have just checked the wireless router and both DNS addresses are valid. My computer's DNS is also valid (which is the one given to me by my ISP).





