Infected Computer - Multiple SubProcesses per Process


#16 BeazMagic (Member, Topic Starter, 14 posts)

I've got a prime example of something weird going on. I am running MBAR and I have 1 tab open in Firefox, but the Firefox process has 8 sub-processes, 1 being MBAR and 2 being command prompts. Can't be normal, can it?

Attachment: ProcessesScreenshot_9302020.png


#17 RKinner (Malware Expert, MVP, 23,240 posts)

From the Speccy log:

 

C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1336)
                    Local 192.168.0.2:50105    ESTABLISHED Remote 162.159.135.233:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:50106    ESTABLISHED Remote 162.159.134.234:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:50206    ESTABLISHED Remote 35.186.224.25:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:50229    ESTABLISHED Remote 35.186.224.47:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:50238    ESTABLISHED Remote 162.159.128.235:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:50104    ESTABLISHED Remote 162.159.135.232:443 (Querying... ) (HTTPS)
                C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1760)
                    Local 127.0.0.1:6463    LISTEN
                    Local 127.0.0.1:6463    ESTABLISHED Remote 127.0.0.1:50312 (Querying... )
                C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (10932)
                    Local 0.0.0.0:49731    LISTEN
                    Local 192.168.0.2:49748    ESTABLISHED Remote 35.186.224.47:443 (Querying... ) (HTTPS)
                    Local 0.0.0.0:57621    LISTEN
                    Local 192.168.0.2:49740    ESTABLISHED Remote 35.190.244.198:4070 (Querying... )
                C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (6416)
                    Local 192.168.0.2:49766    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49767    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49768    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49770    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49771    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49772    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49773    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49774    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49775    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49776    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49777    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49769    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49764    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49738    ESTABLISHED Remote 192.168.0.10:8008 (Querying... )
                    Local 192.168.0.2:49739    ESTABLISHED Remote 192.168.0.10:8009 (Querying... )
                    Local 192.168.0.2:49744    ESTABLISHED Remote 192.168.0.9:8009 (Querying... )
                    Local 192.168.0.2:49745    ESTABLISHED Remote 192.168.0.9:32183 (Querying... )
                    Local 192.168.0.2:49746    ESTABLISHED Remote 192.168.0.7:8009 (Querying... )
                    Local 192.168.0.2:49758    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49759    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49760    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49761    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49762    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49763    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
                    Local 192.168.0.2:49765    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)

 

Looking at the first IP address for Discord we see it is talking to 162.159.135.233, which if we Google it gives us this info:

https://ipinfo.io/162.159.135.233

One of the domains hosted here by Cloudflare is discordapp.com, so that is probably legitimate.

 

Using the same site the next one is a host for: discord.gg

Then we have two going to Google.

Another Cloudflare site with domain: discord.media

Another Cloudflare site with domain: discord.com

So the first instance of Discord appears legit.  Certainly nothing evil. 

 

Looking at the second instance of Discord:

The first line is just listening on a certain port for traffic.

The second line is a connection to another process running on your PC.

Local 127.0.0.1:6463    ESTABLISHED Remote 127.0.0.1:50312

If we look for the other end we find:

C:\Program Files\LGHUB\lghub_agent.exe (12208)
                    ...
                    Local 127.0.0.1:50312    ESTABLISHED Remote 127.0.0.1:6463 (Querying... )

LGHUB is Logitech Gaming Hub so probably related to this program you have installed:
 

Logitech Gaming Software 8.92 (HKLM\...\Logitech Gaming Software) (Version: 8.92.67 - Logitech Inc.)

No idea what Logitech has to do with this but it's probably not malicious.

 

The first instance of Spotify listens on ports 49731 and 57621 and talks to Google in NJ and CA.

The second has a whole list of connections; most of them are the same and connect to a hosting service in Toronto, Canada.

Then you have connections to three PCs on your local network: 192.168.0.7, 192.168.0.9 and 192.168.0.10.

 

So in conclusion there doesn't appear to be anything suspicious.

 

As far as your Firefox is concerned, I expect you are seeing MBAR at work for the Command Prompt and the other one. If you do not have your Firefox set up like I do, it will open multiple connections in order to preload any links it sees on the page, plus some of the connections may be caused by your extensions.

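The triage RKinner walks through above (group each process's connections, sort the remote ends into public, LAN and loopback, and find which local process sits on the other end of a 127.0.0.1 connection, as with Discord's port 6463 and lghub_agent.exe's port 50312) can be scripted. The Python below is an added example, not code from the thread, from Speccy or from any of the programs mentioned; it assumes the listing is in the exact "process (pid)" / "Local ... Remote ..." layout quoted above and uses a trimmed sample of those lines. The function names `scope_of`, `parse_listing`, `summarize` and `pair_loopback` are mine. It does no reputation lookup; the public addresses it reports are the ones you would then check by hand at a site such as ipinfo.io, as the post does.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt in the layout of the Speccy network
# listing quoted in the thread (a process line, then its connections).
SAMPLE_LISTING = r"""
C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1336)
    Local 192.168.0.2:50105    ESTABLISHED Remote 162.159.135.233:443 (Querying... ) (HTTPS)
    Local 192.168.0.2:50206    ESTABLISHED Remote 35.186.224.25:443 (Querying... ) (HTTPS)
C:\Users\Matt\AppData\Local\Discord\app-0.0.308\Discord.exe (1760)
    Local 127.0.0.1:6463    LISTEN
    Local 127.0.0.1:6463    ESTABLISHED Remote 127.0.0.1:50312 (Querying... )
C:\Users\Matt\AppData\Roaming\Spotify\Spotify.exe (6416)
    Local 192.168.0.2:49766    ESTABLISHED Remote 151.101.126.248:443 (Querying... ) (HTTPS)
    Local 192.168.0.2:49738    ESTABLISHED Remote 192.168.0.10:8008 (Querying... )
C:\Program Files\LGHUB\lghub_agent.exe (12208)
    Local 127.0.0.1:50312    ESTABLISHED Remote 127.0.0.1:6463 (Querying... )
"""

# A process line ends in "(pid)"; a connection line starts with "Local".
PROC_RE = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\)$")
CONN_RE = re.compile(
    r"^Local (?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<state>[A-Z_]+)"
    r"(?:\s+Remote (?P<raddr>[\d.]+):(?P<rport>\d+))?"
)


def scope_of(addr):
    """Triage bucket for a remote address: loopback, lan (RFC 1918) or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "lan"
    return "public"


def parse_listing(text):
    """Turn the listing into one record per connection, tagged with its owning process."""
    records = []
    current = None  # (path, pid) of the process whose connections follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"connection line before any process: {line}")
            remote = None
            if m.group("raddr"):
                remote = (m.group("raddr"), int(m.group("rport")))
            records.append({
                "process": current[0], "pid": current[1],
                "local": (m.group("laddr"), int(m.group("lport"))),
                "state": m.group("state"),
                "remote": remote,
                "scope": scope_of(remote[0]) if remote else None,
            })
            continue
        m = PROC_RE.match(line)
        if m:
            current = (m.group("path"), int(m.group("pid")))
    return records


def summarize(records):
    """Per (process, pid): listening ports plus the distinct remote addresses by scope."""
    summary = defaultdict(lambda: {"listen": [], "loopback": set(), "lan": set(), "public": set()})
    for r in records:
        entry = summary[(r["process"], r["pid"])]
        if r["state"] == "LISTEN":
            entry["listen"].append(r["local"][1])
        elif r["remote"]:
            entry[r["scope"]].add(r["remote"][0])
    return dict(summary)


def pair_loopback(records):
    """Match each established loopback connection with the process on its other end
    (A's local/remote equals B's remote/local), as the post does by hand for port 6463."""
    by_endpoints = {}
    for r in records:
        if r["state"] == "ESTABLISHED" and r["scope"] == "loopback":
            by_endpoints[(r["local"], r["remote"])] = (r["process"], r["pid"])
    pairs = set()
    for (local, remote), owner in by_endpoints.items():
        peer = by_endpoints.get((remote, local))
        if peer and peer != owner:
            pairs.add(tuple(sorted((owner, peer))))
    return sorted(pairs)


def main():
    records = parse_listing(SAMPLE_LISTING)
    for (proc, pid), entry in summarize(records).items():
        print(f"{proc} ({pid})  listening on {entry['listen']}")
        for scope in ("public", "lan", "loopback"):
            if entry[scope]:
                print(f"    {scope:8s} -> {sorted(entry[scope])}")
    for a, b in pair_loopback(records):
        print(f"loopback pair: {a[0]} ({a[1]}) <-> {b[0]} ({b[1]})")


if __name__ == "__main__":
    main()
```

Anything that shows up under "public" is what you look up; "lan" entries are worth matching against devices you know you own (the 192.168.0.x hosts in the post), and an unpaired loopback connection means the peer process was not in the listing.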

#18 BeazMagic (Member, Topic Starter, 14 posts)

Alright man. Thank you so much for your help with everything. Ya really helped me out with some of this nonsense.

 

If you don't mind me asking, what type of antivirus programs do you usually have installed on your computer?

Malwarebytes seems to be a staple everywhere.

Zemana helped me one time but that's about it.

AVG I tend to only install if I think something is wrong as I find it rather annoying.


#19 RKinner (Malware Expert, MVP, 23,240 posts)

I use the free Avast and MalwareBytes.

 

Avast is probably just as annoying as AVG (Avast bought up AVG a while ago), but you can go in and turn on Silent Mode and that stops the pop-ups trying to get you to buy it. Best to make the Avast icon visible in the SysTray so you can see when it wants to get updated.

 

I don't know if AVG has it yet or not but one of Avast's strengths is the boot-time scan which starts before Windows and most malware gets loaded:

 

It takes like 6 hours so I usually let it run at night.


Click on the Avast ball. Then click on Protection, then on Antivirus, then on Other Scans, then on Boot-time Scan. Click on Install Special Definitions. Click on Run on Next PC Reboot.

Reboot and let it run a scan. It may take hours. Once it finishes it should load Windows. Mute your speakers so it doesn't wake you up when Windows boots.

When you reboot you will see the scan start. It will tell you where it saves its log. Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change, so verify the location. This is a hidden location so you will need to tell Windows to let you see it:

http://www.howtogeek...-windows-vista/

Copy and paste the text from the log to a Reply when done.


#20 BeazMagic (Member, Topic Starter, 14 posts)

09/30/2020 21:59
Scan of C:

Scan of *STARTUP

File C:\Program Files\Epic Games\UE_4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\build\zlib-1.2.5.tar.gz|>zlib-1.2.5.tar|>zlib-1.2.5\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files\Epic Games\UE_4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\Src\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files\WindowsApps\Microsoft.3DBuilder_18.0.1931.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_torus.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\WindowsApps\Microsoft.3DBuilder_18.0.1931.0_x64__8wekyb3d8bbwe\Assets\Catalog\spheres.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Program Files (x86)\Epic Games\4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\build\zlib-1.2.5.tar.gz|>zlib-1.2.5.tar|>zlib-1.2.5\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files (x86)\Epic Games\4.13\Engine\Plugins\Experimental\AlembicImporter\Source\ThirdParty\Alembic\zlib-1.2.5\Src\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020098.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\AppData\Local\Temp\SAS5DCE.tmp|>data Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\Milestone 3\SaveFile38.zip|>SaveFile38\Assets\Characters\ck\texture\eyes.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\Milestone 3\SaveFile38.zip|>SaveFile38\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\SpaceCows\SaveFile42_Matt.zip|>SaveFile42\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\April_16_420.zip|>April_16_420\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\EverythingIDidTonight\march25_721\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\mar27_645_MATTB (2)\march25_Matt\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\mar27_645_MATTB.zip|>mar27_645_MATTB\mar27_645_MATTB (3)\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\march25_Matt.zip|>march25_Matt\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\PL\SaveFile42_Matt.zip|>SaveFile42\Assets\Characters\ck\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Windows\Installer\1816bf2e.msp|>PATCH_CAB Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
File C:\Windows\Installer\402c0a2.msp|>PCW_CAB_RDR|>rdrservicesupdater.exe|>static\images\hi_contrast\core_icons_highcontrast_retina.png Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 253292
Number of tested files: 5887660
Number of infected files: 0

 

This only scanned my C: Drive, I have another. Is it necessary to check both? Or is this specifically about the booting process?


#21 RKinner (Malware Expert, MVP, 23,240 posts)

You can tell it to check other drives but it's mostly designed to check the boot drive.

 

I usually delete the corrupt files it finds.  The file name and path is everything before the |.

 

The decompression bombs may be false positives.  You could try submitting them to virustotal.com and see what they say.

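The aswBoot.txt log posted in #20 and RKinner's reading of it in #21 (the on-disk file is everything before the first "|", the rest is the path inside the archive, and the counts at the bottom say whether anything was actually flagged as infected) can be turned into a small parser. The Python below is an added example, not code from the thread or from Avast; it assumes the log keeps the exact "File <path>|><inner> Error <code> {<message>}" and "Number of ...: N" line shapes shown above, and the sample lines it uses are constructed stand-ins in that format, not the poster's real paths. The names `split_stream`, `parse_boot_log`, `on_disk_paths`, `by_message` and `is_clean` are mine. It also separates an NTFS alternate data stream name such as ":WofCompressedData" from the file path, since that is part of the stream, not of the file name on disk.

```python
import re
from collections import Counter

# Constructed sample in the layout of the aswBoot.txt log posted in the thread.
# The paths are invented stand-ins; the error codes and messages follow the log's format.
SAMPLE_LOG = r"""09/30/2020 21:59
Scan of C:

Scan of *STARTUP

File C:\Games\Engine\zlib-1.2.5\contrib\dotzlib\DotZLib.chm|>DotZLib.Codec.html Error 42136 {CHM archive is corrupted.}
File C:\Program Files\WindowsApps\3DBuilder\Assets\Catalog\spheres.3mf:WofCompressedData|>3D\3dmodel.model Error 42125 {ZIP archive is corrupted.}
File C:\Users\Matt\Documents\USB Dumps\SaveFile38.zip|>SaveFile38\Assets\texture\eyes.tga Error 42110 {The file is a decompression bomb.}
File C:\Users\Matt\Documents\USB Dumps\SaveFile38.zip|>SaveFile38\Assets\texture\shoe_Text.tga Error 42110 {The file is a decompression bomb.}
File C:\Windows\Installer\1816bf2e.msp|>PATCH_CAB Error 0xC000009C {STATUS_DEVICE_DATA_ERROR}
Number of searched folders: 253292
Number of tested files: 5887660
Number of infected files: 0
"""

TIME_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$")
SCAN_RE = re.compile(r"^Scan of (?P<target>.+)$")
FILE_RE = re.compile(r"^File (?P<chain>.+?) Error (?P<code>0x[0-9A-Fa-f]+|\d+) \{(?P<msg>[^}]*)\}$")
COUNT_RE = re.compile(r"^Number of (?P<what>.+?): (?P<n>\d+)$")


def split_stream(path):
    """Split 'dir\file.ext:StreamName' into ('dir\file.ext', 'StreamName');
    the drive-letter colon is never touched because only the last path segment is inspected."""
    head, sep, name = path.rpartition("\\")
    if ":" in name:
        base, stream = name.split(":", 1)
        return head + sep + base, stream
    return path, None


def parse_boot_log(text):
    """Parse the log into its timestamp, scan targets, per-file findings and summary counts."""
    report = {"timestamp": None, "targets": [], "findings": [], "counts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if report["timestamp"] is None and TIME_RE.match(line):
            report["timestamp"] = line
            continue
        m = SCAN_RE.match(line)
        if m:
            report["targets"].append(m.group("target"))
            continue
        m = FILE_RE.match(line)
        if m:
            # Everything before the first "|>" is the file on disk; the rest is inside it.
            outer, *inner = m.group("chain").split("|>")
            path, stream = split_stream(outer)
            report["findings"].append({
                "path": path, "stream": stream, "inner": inner,
                "code": m.group("code"), "message": m.group("msg"),
            })
            continue
        m = COUNT_RE.match(line)
        if m:
            report["counts"][m.group("what")] = int(m.group("n"))
    return report


def on_disk_paths(findings):
    """Distinct files on disk, in log order (several findings may sit inside one archive)."""
    return list(dict.fromkeys(f["path"] for f in findings))


def by_message(findings):
    """How many findings of each kind (corrupt archive, decompression bomb, read error ...)."""
    return Counter(f["message"] for f in findings)


def is_clean(report):
    """True when the log's own summary reports zero infected files."""
    return report["counts"].get("infected files") == 0


if __name__ == "__main__":
    rep = parse_boot_log(SAMPLE_LOG)
    print(f"scan at {rep['timestamp']} of {rep['targets']}; clean={is_clean(rep)}")
    for msg, n in by_message(rep["findings"]).items():
        print(f"{n:3d}  {msg}")
    for p in on_disk_paths(rep["findings"]):
        print("file:", p)
```

Nothing in this log is a detection: "infected files: 0" is the verdict, and the listed lines are files the scanner could not fully read. The deduplicated path list is the set of files to review, and the kind of error decides what to do with each, whether deleting a corrupt archive as in #21 or submitting a suspected decompression bomb for a second opinion.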
