
Re: Risky connection blocked

As stated in my post, it has removed the Babylon, but the "Risky connection blocked" by McAfee is still there; it is this I want to know how to solve.

Reliable Contributor exbrit - Message 12 of 27

Re: Risky connection blocked

OK, I'll defer to Hayton's superior knowledge on these matters.

Reliable Contributor Hayton - Message 13 of 27

Re: Risky connection blocked

The blocked connection is said to be coming from svchost.exe, but there are always several instances of that process running on any Windows system. I would say it's advisable to run something like SysInternals' TcpView to pin down which process is trying to make the connection. It might not show it for more than a second or two if McAfee steps in to block it, but knowing the IP address(es) involved should help in identifying the process and its PID. Process Explorer or a similar program can then be used to examine the relevant process in detail.

As for Malwarebytes, if it finds nothing then the obvious next step is to up the ante and run a full McAfee scan after downloading the latest updates. Alternatively GetSusp or Stinger or both could be run - GetSusp to find suspicious files. Stinger of course is only a partial solution as it only checks for a subset of possible infections.

It might be an idea also to run SFC/SCANNOW from a command prompt in case svchost.exe has been modified.

And of course, clear the DNS cache just in case.
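As an added example, not part of Hayton's post and not a Sysinternals tool, here is a PowerShell script that does the TcpView job from the command line on Windows 7: it polls netstat -ano for a short window and maps every outbound TCP endpoint to the PID, process name and image path that owns it. Polling matters because, as noted above, a connection McAfee blocks may exist for only a second or two. It assumes an elevated prompt (otherwise the image path of SYSTEM processes such as svchost.exe is unreadable), and it avoids Get-NetTCPConnection because that cmdlet does not exist on Windows 7. The $Seconds and $IntervalMs parameters are this example's own.

```powershell
# Added example: poll "netstat -ano" and attribute each remote TCP endpoint to
# the owning PID, process name and image path. netstat is parsed with a regex
# because it has no object form on Windows 7 (Get-NetTCPConnection is Win8+).
# Run from an elevated PowerShell prompt.

param(
    [int]$Seconds    = 30,    # how long to keep polling
    [int]$IntervalMs = 250    # polling interval; a blocked connection may only exist briefly
)

$seen     = @{}   # key "remoteIP:port|PID" so each pairing is reported once
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # Example netstat -ano line (constructed, not from the thread):
    #   TCP    192.168.1.5:49233      61.13.190.152:25       SYN_SENT        1234
    foreach ($line in (netstat -ano 2>$null)) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $remoteIp   = $Matches[3]
            $remotePort = [int]$Matches[4]
            $state      = $Matches[5]
            $procId     = [int]$Matches[6]

            # Ignore listeners and loopback/link-local peers; only outbound peers are of interest
            if ($state -eq 'LISTENING' -or $remoteIp -match '^(127\.|0\.0\.0\.0|\[::|::)') { continue }

            $key = "${remoteIp}:${remotePort}|${procId}"
            if ($seen.ContainsKey($key)) { continue }

            # Resolve the PID to a process and, where readable, its image path
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $path = $null
            if ($proc) {
                try { $path = $proc.MainModule.FileName } catch { $path = '<access denied - run elevated>' }
            }

            $seen[$key] = New-Object PSObject -Property @{
                FirstSeen = Get-Date -Format 'HH:mm:ss'
                Remote    = "${remoteIp}:${remotePort}"
                State     = $state
                PID       = $procId
                Process   = $name
                ImagePath = $path
            }
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# One row per remote endpoint/PID pairing observed during the window
$seen.Values | Sort-Object FirstSeen |
    Format-Table FirstSeen, Remote, State, PID, Process, ImagePath -AutoSize
```

Save it as a .ps1 and run it, then reproduce the block by opening the browser; the rows whose Remote column matches the addresses in the McAfee alert give the PID to look at in Process Explorer. Because svchost.exe hosts many services, the PID alone is only the first step; the next post's instance-by-instance review is still needed.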

Re: Risky connection blocked

I have run GetSusp and it found 32 suspicious files.

I ran a scan and Stinger from safe mode with network; Stinger found 2 threats, which were deleted.

The problem has not been solved; in fact it is worse. Every time I open Internet Explorer I get "Risky connection blocked" with different IPs: 61.13.190.152, 116.177.235.175.

There are 16 svchost.exe running. Can I just stop them all?

Where is SysInternals' TcpView and how do I run it?

David

Reliable Contributor exbrit - Message 15 of 27

Re: Risky connection blocked

While we are troubleshooting this here, you might also want to post a HijackThis log on one of the recommended forums listed near the end of the link posted earlier, or here:

Reliable Contributor Hayton - Message 16 of 27

Re: Risky connection blocked

olwdave wrote:

I have run GetSusp and it found 32 suspicious files.

I ran a scan and Stinger from safe mode with network; Stinger found 2 threats, which were deleted.

The problem has not been solved; in fact it is worse. Every time I open Internet Explorer I get "Risky connection blocked" with different IPs: 61.13.190.152, 116.177.235.175.

There are 16 svchost.exe running. Can I just stop them all?

Where is SysInternals' TcpView and how do I run it?

It would help if we knew what Stinger had found and deleted. You already mentioned the Babylon Toolbar that Malwarebytes detected, but these unwanted extras often come packaged with other things. The files detected by GetSusp may or may not be significant - all it does is look for things it doesn't know are safe and flag them.

I can't say why your system is trying to contact a mail server in Asia or China: it perhaps depends who your ISP is and where you're located. If these IP addresses are in your local area that might explain it.

As for the 16 instances of svchost.exe, that's more than I see but I know of other people who have had that number running on their system. You have to examine each of the processes to see where the file came from, and any svchost.exe that isn't from c:\windows\system32 will be (highly) suspect. However, some malware can inject extra code into running processes - including into svchost.exe - which is why I recommended running sfc/scannow from a command window. If the file has been modified sfc will detect that and replace it with a backup copy.

It is generally considered not to be a good idea to stop svchost processes unless you're sure they're bogus, because Windows tends to have difficulty functioning without them.

The TCPView program I mentioned comes from Microsoft - get it from

https://technet.microsoft.com/en-us/library/bb897437.aspx

It's an alternative to netstat, which has a lot of the same functionality.

If McAfee is preventing the outgoing connection from being established it might not show in TCPView, or it might only show briefly.

[Attachment: TCPView screenshot.PNG]

Process Explorer is also a Sysinternals program -

https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

- I prefer this to using Task Manager, but TM on Windows 7 and higher is adequate for the job.

[Attachment: ProcExp all processes.PNG]
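To make the svchost.exe review above repeatable, here is an added PowerShell example (mine, not Hayton's and not part of Process Explorer) that lists every running svchost.exe with its image path, the file description Windows gives it, the services it hosts and its Authenticode status, and flags any instance whose image is not the System32 or SysWOW64 copy or which hosts no service at all. The expected locations are an assumption built from $env:SystemRoot; the service mapping uses Win32_Service because that works on the PowerShell 2.0 that ships with Windows 7. Run it elevated.

```powershell
# Added example: audit all running svchost.exe instances.
# Expected image locations are assumed to be System32 (64-bit) and SysWOW64
# (32-bit) under the Windows directory. Run from an elevated prompt so the
# image path of SYSTEM processes can be read.

$windir   = $env:SystemRoot
$expected = @("$windir\System32\svchost.exe", "$windir\SysWOW64\svchost.exe")

# Build a PID -> hosted service names map once, rather than querying per process
$servicesByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service) {
    $svcPid = [int]$svc.ProcessId
    if ($svcPid -gt 0) {
        if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
        $servicesByPid[$svcPid] += $svc.Name
    }
}

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path = $null; $desc = $null; $sig = $null
    try {
        $path = $proc.MainModule.FileName
        $desc = $proc.MainModule.FileVersionInfo.FileDescription   # "Host Process for Windows Services" for the real file
    } catch {
        $path = '<access denied - run elevated>'
    }

    # Signature status is reported but not used as a flag on its own: on Windows 7
    # Get-AuthenticodeSignature does not consult security catalogs, so catalog-signed
    # system files show as NotSigned there. Rely on the path check and sfc /scannow.
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    $hosted = $servicesByPid[[int]$proc.Id]
    $flags  = @()
    if ($path -and ($expected -notcontains $path)) { $flags += 'unexpected image path' }
    # A genuine svchost always hosts at least one service; an empty list is worth a look
    # (it can also be a transient state during service start-up, so re-run before concluding)
    if (-not $hosted) { $flags += 'hosts no services' }

    New-Object PSObject -Property @{
        PID         = $proc.Id
        ImagePath   = $path
        Description = $desc
        Signature   = $sig
        Services    = ($hosted -join ', ')
        Flags       = ($flags -join '; ')
    }
}

$report | Sort-Object PID |
    Format-Table PID, ImagePath, Signature, Services, Flags -AutoSize -Wrap
```

Instances in both System32 and SysWOW64 are normal on 64-bit Windows. An empty Flags column for every row is consistent with the on-disk svchost.exe being genuine; it says nothing about code injected into a running instance, which is why the sfc /scannow step and the per-PID connection check still matter.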

Re: Risky connection blocked

Hi Hayton, many thanks for your help in trying to sort this out.

Stinger gave the following report and the two files have been deleted:

McAfee Stinger Scan Results


McAfee® Labs Stinger™ Version 12.1.0.1563 built on Jun  5 2015 at 15:25:43
Copyright© 2015, McAfee, Inc. All Rights Reserved.

AV Engine version v5700.7163 for Windows.
Virus data file v1000.0 created on Jun 4, 2015
Ready to scan for 6901 viruses, trojans and variants.

Scan initiated on Saturday, June 06, 2015 20:06:38

C:\Users\David\AppData\Local\Temp\7C35.tmp [MD5:4844bd2a538dd858eed9284332ab8267] is infected with Artemis!4844BD2A538D
C:\Users\David\AppData\Local\Temp\FE71.tmp [MD5:0479335d53a34a0e19beb24794dcd2d6] is infected with Artemis!0479335D53A3

Summary Report on Smart Scan
File(s)
TotalFiles:............ 480
Clean:................. 476
Not Scanned:........... 2
Possibly Infected:..... 2

Time: 00:00:19

Scan completed on Saturday, June 06, 2015 20:06:57

I am in the UK and my ISP is BT. The operating system is Windows 7 64-bit.

Using Process Explorer, the svchost.exe's are in c:\windows\system32; there are a couple in c:\windows\sysWOW64\, which I assume is because it is 64-bit.

McAfee states in the "Risky connection blocked" message that the program is Host Process for Windows Service.

Have done an sfc /scannow but it found no violation.

Will try TCPView.

Thanks David

Reliable Contributor Peacekeeper - Message 18 of 27

Re: Risky connection blocked

Initially Catdaddy (CD) suggested restoring back to an earlier time before this issue showed up; have you the option?

Re: Risky connection blocked

No, the only option showing is the 6th June, the day after this problem started.

Reliable Contributor catdaddy - Message 20 of 27

Re: Risky connection blocked

That is most unfortunate that you lack a 'Restore Point/Shadow copy' to revert back to. From your very initial post, I realized that you had 'Malware Aboard'. As stated in the Document you initially went to, it specifically states 'The First Thing To Try', meaning revert back to an earlier Time.

This is why I did not get too analytical, for there are so many variables involved, and it can be difficult to conclude. My personal suggestion is to follow Colleague Ex_Brit's suggestion, and post a HijackThis log to one of the Specialist Forums listed in the link provided, or here: Bleeping Computer/Malwaretips.

Again, if you had earlier restore points available, it is most probable that your issue could have been resolved.

After 38 years of computing, I have learned to try and 'Keep it simple', though on certain occasions, quite possibly referring to this, it is not possible.

Wishing you all the Best,

Catdaddy

McAfee Volunteer Moderator

Cliff
McAfee Volunteer