Infected Computer - Multiple SubProcesses per Process

#16
Posted 30 September 2020 - 10:29 AM

I got a prime example of something weird going on. I am running the MBAR, I have 1 tab open in Firefox, but the Firefox process has 8 sub-processes, 1 being MBAR and 2 being command prompts. Can't be normal, can it?

#17
Posted 30 September 2020 - 03:13 PM


From the Speccy log:
C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1336)
Local 192.168.0.2:50105 ESTABLISHED Remote 162.159.135.233:443 (Querying... ) (HTTPS)
Local 192.168.0.2:50106 ESTABLISHED Remote 162.159.134.234:443 (Querying... ) (HTTPS)
Local 192.168.0.2:50206 ESTABLISHED Remote 35.186.224.25:443 (Querying... ) (HTTPS)
Local 192.168.0.2:50229 ESTABLISHED Remote 35.186.224.47:443 (Querying... ) (HTTPS)
Local 192.168.0.2:50238 ESTABLISHED Remote 162.159.128.235:443 (Querying... ) (HTTPS)
Local 192.168.0.2:50104 ESTABLISHED Remote 162.159.135.232:443 (Querying... ) (HTTPS)
C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1760)
Local 127.0.0.1:6463 LISTEN
Local 127.0.0.1:6463 ESTABLISHED Remote 127.0.0.1:50312 (Querying... )
C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (10932)
Local 0.0.0.0:49731 LISTEN
Local 192.168.0.2:49748 ESTABLISHED Remote 35.186.224.47:443 (Querying... ) (HTTPS)
Local 0.0.0.0:57621 LISTEN
Local 192.168.0.2:49740 ESTABLISHED Remote 35.190.244.198:4070 (Querying... )
C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (6416)
Local 192.168.0.2:49766 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49767 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49768 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49770 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49771 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49772 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49773 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49774 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49775 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49776 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49777 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49769 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49764 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49738 ESTABLISHED Remote 192.168.0.10:8008 (Querying... )
Local 192.168.0.2:49739 ESTABLISHED Remote 192.168.0.10:8009 (Querying... )
Local 192.168.0.2:49744 ESTABLISHED Remote 192.168.0.9:8009 (Querying... )
Local 192.168.0.2:49745 ESTABLISHED Remote 192.168.0.9:32183 (Querying... )
Local 192.168.0.2:49746 ESTABLISHED Remote 192.168.0.7:8009 (Querying... )
Local 192.168.0.2:49758 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49759 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49760 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49761 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49762 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49763 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49765 ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
Looking at the first IP address for Discord we see it is talking to: 162.159.135.233
which if we google it gives us this info:
https://ipinfo.io/162.159.135.233
One of the Domains hosted here by Cloudflare is:
so that is probably legitimate.
Using the same site the next one is a host for: discord.gg
Then we have two going to Google.
Another Cloudflare site with domain: discord.media
Another Cloudflare site with domain: discord.com
So the first instance of Discord appears legit. Certainly nothing evil.
Looking at the second instance of discord:
The first line is just listening on a certain port for traffic.
The second line is a connection to another process running on your PC.
Local 127.0.0.1:6463 ESTABLISHED Remote 127.0.0.1:50312
If we look for the other end we find:
C:\Program Files\LGHUB\lghub_agent.exe (12208)
...
Local 127.0.0.1:50312 ESTABLISHED Remote 127.0.0.1:6463 (Querying... )
LGHUB is Logitech Gaming Hub so probably related to this program you have installed:
Logitech Gaming Software 8.92 (HKLM\...\Logitech Gaming Software) (Version: 8.92.67 - Logitech Inc.)
No idea what Logitech has to do with this but it's probably not malicious.
The first instance of Spotify listens on ports:
49731 and 57621
and talks to Google in NJ and CA.
The second has a whole list of connections; most of them are the same and connect to a hosting service in Toronto, Canada.
Then you have connections to three PCs on your local network:
192.168.0.7
192.168.0.9
192.168.0.10
So in conclusion there doesn't appear to be anything suspicious.
As far as your Firefox is concerned, I expect you are seeing MBAR at work for the Command Prompt and the other one. If you do not have your Firefox set up like I do, it will open multiple connections in order to preload any links it sees on the page, plus some of the connections may be caused by your extensions.
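The walk-through above does two things by hand: it matches the 127.0.0.1 connection in one process against the socket at its other end (Discord to lghub_agent.exe), and it sorts each process's remote addresses into LAN, public and "worth a second look". The script below does the same over the per-process listing format Speccy produces, as quoted in this thread. It is an added example, not something from the thread or from Speccy; the sample listing is constructed from the lines quoted above, and the classification of private addresses relies on Python's ipaddress module, not on any Speccy feature.

```python
"""Parse a Speccy-style per-process connection listing and answer two questions:
which local process sits at the other end of a 127.0.0.1 connection, and which
remote hosts each process talks to. SAMPLE is constructed from the lines quoted
in the thread; it is not a real Speccy export."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# "C:\path\to\image.exe (1234)" introduces a process; the Local... lines under it belong to it.
PROC_RE = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\)$")
CONN_RE = re.compile(
    r"^Local (?P<lip>[\d.]+):(?P<lport>\d+) (?P<state>[A-Z_]+)"
    r"(?: Remote (?P<rip>[\d.]+):(?P<rport>\d+))?"
)

SAMPLE = r"""C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1760)
Local 127.0.0.1:6463 LISTEN
Local 127.0.0.1:6463 ESTABLISHED Remote 127.0.0.1:50312 (Querying... )
C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (10932)
Local 0.0.0.0:49731 LISTEN
Local 192.168.0.2:49748 ESTABLISHED Remote 35.186.224.47:443 (Querying... ) (HTTPS)
Local 192.168.0.2:49740 ESTABLISHED Remote 35.190.244.198:4070 (Querying... )
Local 192.168.0.2:49738 ESTABLISHED Remote 192.168.0.10:8008 (Querying... )
C:\Program Files\LGHUB\lghub_agent.exe (12208)
Local 127.0.0.1:50312 ESTABLISHED Remote 127.0.0.1:6463 (Querying... )
"""


@dataclass(frozen=True)
class Conn:
    exe: str                 # basename of the owning process image
    pid: int
    local: tuple             # (ip, port)
    state: str
    remote: Optional[tuple]  # (ip, port), or None for a LISTEN socket


def parse_speccy(text: str) -> list:
    """Each 'path (pid)' line owns the Local... lines that follow it."""
    conns, exe, pid = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            exe, pid = m.group("path").rsplit("\\", 1)[-1], int(m.group("pid"))
            continue
        m = CONN_RE.match(line)
        if m and exe is not None:
            remote = (m.group("rip"), int(m.group("rport"))) if m.group("rip") else None
            conns.append(Conn(exe, pid, (m.group("lip"), int(m.group("lport"))),
                              m.group("state"), remote))
    return conns


def loopback_peers(conns: list) -> list:
    """For every established loopback connection, report (server_exe, server_pid,
    client_exe, client_pid). The server side is the one whose local socket also
    appears as LISTEN; each pair is reported once, from that side."""
    by_ends = {(c.local, c.remote): c for c in conns if c.remote}
    listening = {c.local for c in conns if c.state == "LISTEN"}
    pairs = []
    for c in conns:
        if c.state != "ESTABLISHED" or not c.remote:
            continue
        if not ipaddress.ip_address(c.remote[0]).is_loopback:
            continue
        server_side = c.local in listening or (
            c.remote not in listening and c.local[1] < c.remote[1])
        if not server_side:
            continue
        peer = by_ends.get((c.remote, c.local))  # None if the other end is missing
        pairs.append((c.exe, c.pid, peer.exe if peer else None, peer.pid if peer else None))
    return pairs


def remote_summary(conns: list) -> dict:
    """Per process: public remotes, LAN remotes, and public remotes not on 443
    (the 'review' bucket: worth identifying, not evidence of anything by itself)."""
    out = defaultdict(lambda: {"public": set(), "lan": set(), "review": set()})
    for c in conns:
        if not c.remote:
            continue
        ip = ipaddress.ip_address(c.remote[0])
        if ip.is_loopback:
            continue
        key = f"{c.exe} ({c.pid})"
        bucket = "lan" if ip.is_private else "public"
        out[key][bucket].add(c.remote)
        if bucket == "public" and c.remote[1] != 443:
            out[key]["review"].add(c.remote)
    return {k: {b: sorted(v) for b, v in d.items()} for k, d in out.items()}


if __name__ == "__main__":
    parsed = parse_speccy(SAMPLE)
    print(loopback_peers(parsed))
    print(remote_summary(parsed))
```

On the constructed sample, `loopback_peers` pairs Discord (1760) with lghub_agent.exe (12208), and `remote_summary` puts Spotify's 35.190.244.198:4070 connection in the review bucket only because it is not on 443; as the thread concludes, that alone says nothing about whether it is legitimate.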
#18
Posted 30 September 2020 - 04:40 PM

Alright man. Thank you so much for your help with everything. Ya really helped me out with some of this nonsense.
If you don't mind me asking, what type of antivirus programs do you usually have installed on your computer?
Malwarebytes seems to be a staple everywhere.
Zemana helped me one time but that's about it.
AVG I tend to only install if I think something is wrong as I find it rather annoying.
#19
Posted 30 September 2020 - 04:55 PM

I use the free Avast and MalwareBytes.
Avast is probably just as annoying as AVG (Avast bought up AVG a while ago) but you can go in and turn on Silent Mode and that stops the pop ups trying to get you to buy it. Best to make the Avast icon visible in the SysTray so you can see when it wants to get updated.
I don't know if AVG has it yet or not but one of Avast's strengths is the boot-time scan which starts before Windows and most malware gets loaded:
It takes like 6 hours so I usually let it run at night.
Click on the Avast ball. Then click on Protection, then on Antivirus, then on Other Scans then on Boot-time Scan. Click on Install Special Definitions. Click on Run on Next PC Reboot.
Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Mute your speakers so it doesn't wake you up when Windows boots.
When you reboot you will see the scan start. It will tell you where it saves its log. Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location. This is a hidden location so you will need to tell Windows to let you see it:
http://www.howtogeek...-windows-vista/
Copy and paste the text from the log to a Reply when done.
#20
Posted 01 October 2020 - 12:34 AM

09/30/2020 21:59
Scan of C:
Scan of *STARTUP
File C:\Program Files\Epic Games\UE_4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\build\zlib-1.2.5.tar.gz|>zlib-1.2.5.tar|>zlib-1.2.5\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files\Epic Games\UE_4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\Src\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files\WindowsApps\Microsoft.3DBuilder_18.0.1931.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_torus.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\WindowsApps\Microsoft.3DBuilder_18.0.1931.0_x64__8wekyb3d8bbwe\Assets\Catalog\spheres.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Program Files (x86)\Epic Games\4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\build\zlib-1.2.5.tar.gz|>zlib-1.2.5.tar|>zlib-1.2.5\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files (x86)\Epic Games\4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\Src\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020098.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\AppData\Local\Temp\SAS5DCE.tmp|>data Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\Milestone 3\SaveFile38.zip|>SaveFile38\Assets\Characters\ck\texture\eyes.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\Milestone 3\SaveFile38.zip|>SaveFile38\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\SaveFile42_Matt.zip|>SaveFile42\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\April_16_420.zip|>April_16_420\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\EverythingIDidTonight\march25_721\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\mar27_645_MATTB (2)\march25_Matt\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\mar27_645_MATTB (3)\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\march25_Matt.zip|>march25_Matt\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\SaveFile42_Matt.zip|>SaveFile42\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Windows\Installer\1816bf2e.msp|>PATCH_CAB Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\Windows\Installer\402c0a2.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 253292
Number of tested files: 5887660
Number of infected files: 0
This only scanned my C: Drive, I have another. Is it necessary to check both? Or is this specifically about the booting process?
#21
Posted 01 October 2020 - 08:54 AM

You can tell it to check other drives but it's mostly designed to check the boot drive.
I usually delete the corrupt files it finds. The file name and path is everything before the |.
The decompression bombs may be false positives. You could try submitting them to virustotal.com and see what they say.
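The reply above gives two rules of thumb for the boot-time scan report: the file that actually exists on disk is everything before the first `|>`, and the "decompression bomb" verdicts may be false positives. The script below applies both to the aswBoot.txt format quoted in the thread: it recovers the on-disk container for each finding (including the `:WofCompressedData` alternate data stream that Windows file compression attaches, which sits after the real path), groups findings by error code, and computes the per-entry compression ratio of a zip, which is the number a decompression-bomb heuristic is based on. This is an added example, not Avast's code or anything from the thread; the report excerpt is constructed from the quoted lines, and the sample zip (a zero-filled file named like a texture) is constructed in memory.

```python
"""Parse an Avast boot-time scan report (aswBoot.txt format as quoted above),
recover the on-disk file behind each archive-nested finding, and measure the
compression ratio that a 'decompression bomb' verdict rests on.
SAMPLE_REPORT and the sample zip are constructed for this example."""
import io
import re
import zipfile
from collections import Counter
from dataclasses import dataclass

FINDING_RE = re.compile(r"^File (?P<chain>.+?) Error (?P<code>\S+) \{(?P<msg>.*)\}$")
TOTAL_RE = re.compile(r"^Number of (?P<what>[a-z ]+): (?P<n>\d+)$")
# An NTFS alternate data stream name follows a second ':' after the drive letter.
STREAM_RE = re.compile(r"^(?P<path>[A-Za-z]:[^:]+):(?P<stream>[^\\|]+)$")

SAMPLE_REPORT = r"""09/30/2020 21:59
Scan of C:
File C:\Program Files\WindowsApps\Microsoft.3DBuilder_18.0.1931.0_x64__8wekyb3d8bbwe\Assets\Catalog\spheres.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\Documents\USB Dumps\PL\march25_Matt.zip|>march25_Matt\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\SaveFile42_Matt.zip|>SaveFile42\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Windows\Installer\1816bf2e.msp|>PATCH_CAB Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
Number of searched folders: 253292
Number of tested files: 5887660
Number of infected files: 0
"""


@dataclass(frozen=True)
class Finding:
    container: str  # the file that exists on disk: everything before the first '|>'
    stream: str     # alternate data stream name, or '' if the path had none
    inner: tuple    # nested entries inside the container, outermost first
    code: str
    message: str


def parse_boot_report(text: str):
    """Return (findings, totals); totals maps e.g. 'infected files' -> 0."""
    findings, totals = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_RE.match(line)
        if m:
            parts = m.group("chain").split("|>")
            container, stream = parts[0], ""
            s = STREAM_RE.match(container)
            if s:
                container, stream = s.group("path"), s.group("stream")
            findings.append(Finding(container, stream, tuple(parts[1:]),
                                    m.group("code"), m.group("msg")))
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m.group("what")] = int(m.group("n"))
    return findings, totals


def triage(findings: list, totals: dict) -> dict:
    """Counts per error code plus the distinct on-disk files behind each code,
    so the user knows exactly which files to review or submit for a second opinion."""
    by_code = Counter(f.code for f in findings)
    files = {}
    for f in findings:
        files.setdefault(f.code, set()).add(f.container)
    return {
        "infected": totals.get("infected files", 0),
        "by_code": dict(by_code),
        "files": {code: sorted(v) for code, v in files.items()},
    }


def zip_entry_ratios(zip_bytes: bytes) -> dict:
    """filename -> (compressed size, uncompressed size, ratio). A very high ratio
    is what a decompression-bomb heuristic keys on; uncompressed image formats
    such as .tga routinely produce one without being malicious."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            out[info.filename] = (info.compress_size, info.file_size, round(ratio, 1))
    return out


def make_sample_zip() -> bytes:
    """Constructed: a 4 MiB zero-filled 'texture' next to a small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Assets/Characters/ck/texture/eyes.tga", b"\x00" * (4 * 1024 * 1024))
        zf.writestr("readme.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    found, tot = parse_boot_report(SAMPLE_REPORT)
    print(triage(found, tot))
    print(zip_entry_ratios(make_sample_zip()))
```

Run against a real aswBoot.txt by reading the file instead of `SAMPLE_REPORT`; `triage()["files"]["42110"]` then lists exactly the archives whose compression ratio is worth checking with `zip_entry_ratios()` before deciding whether the verdict is a false positive.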