How to fix Malicious Website Blocked Alerts from Svchost.exe

If you are using Malwarebytes and receive a Malicious Website Blocked alert whose associated process is C:\Windows\System32\Svchost.exe, there is a good chance that your computer is configured with a malicious DNS server. A computer’s DNS servers are typically changed to malicious ones in one of two ways. The first is that you have an unwanted program called DNS Unlocker, TopFlix, AnyFlix, Cloudscout, or DNS Keeper installed, which changes your DNS settings to ones under its control. The other possibility is that your router’s DNS settings have been modified.

As the DNS settings on a computer ultimately determine what actual site you go to when browsing the web, by hijacking your computer’s DNS servers, malware developers can control what sites you go to. This also allows them to show sites that you think are legitimate, but are actually imposters, or to show ads on sites that normally do not have them.

Normally, when Malwarebytes detects a process connecting to a malicious site, it will display the malicious process associated with the connection. As DNS resolution is handled by legitimate Windows services, connections related to malicious DNS servers will instead be shown as coming from C:\Windows\System32\svchost.exe.

When people see these alerts, they automatically think that svchost.exe is infected or that it has been patched. In reality, there is nothing wrong with svchost.exe; it is just acting as an intermediary for the network services that are performing DNS resolution. Since this DNS resolution is using a malicious server, it causes the alert to appear.
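To tell the two causes apart, the PowerShell script below reports, for each network interface, whether its DNS servers were set statically on the computer or handed out over DHCP (normally by the router). It is an added example, not part of the original guide or of Malwarebytes. The `$Suspect` list holds constructed placeholder addresses that you replace with the servers you want to check, and the helper name `Split-ServerList` is hypothetical.

```powershell
# Added example: show where each interface's IPv4 DNS servers come from.
# Placeholder addresses from documentation ranges, NOT real indicators.
# Replace them with the DNS server addresses you want to check for.
$Suspect = @('192.0.2.53', '198.51.100.53')

# Per-interface TCP/IP settings (IPv4). IPv6 settings live under Tcpip6.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Split-ServerList([string]$Value) {
    # NameServer may be comma- or space-separated; DhcpNameServer is space-separated.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[,\s]+' | Where-Object { $_ })
}

# Used only to turn the interface GUID into a friendly adapter name.
$adapters = @(Get-NetAdapter -ErrorAction SilentlyContinue)

$report = foreach ($key in Get-ChildItem -Path $base) {
    $p      = Get-ItemProperty -Path $key.PSPath
    $static = Split-ServerList $p.NameServer       # set on this computer
    $dhcp   = Split-ServerList $p.DhcpNameServer   # received from the DHCP server
    if (-not $static -and -not $dhcp) { continue } # interface has no DNS configured

    # A static entry takes precedence over whatever DHCP supplies.
    $effective = if ($static) { $static } else { $dhcp }
    $source    = if ($static) { 'Static (set on this computer)' }
                 else         { 'DHCP (usually the router)' }

    $adapter = $adapters | Where-Object { $_.InterfaceGuid -eq $key.PSChildName }
    [pscustomobject]@{
        Adapter    = if ($adapter) { $adapter.Name } else { $key.PSChildName }
        Source     = $source
        DnsServers = $effective -join ', '
        Flagged    = @($effective | Where-Object { $Suspect -contains $_ }) -join ', '
    }
}

$report | Format-Table -AutoSize -Wrap
```

A flagged server with a static source indicates the setting was changed on the computer itself, while a flagged server with a DHCP source indicates it is being handed out by the router.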

The table below lists the IP addresses of historic malicious DNS servers and their associated host names that Malwarebytes may detect. If you are the owner of one of these IP addresses and they are no longer involved in malicious activity, you should contact Malwarebytes regarding this. I can’t help remove their detections.

Known Malicious DNS Servers

This guide will walk you through removing these malicious DNS entries from your computer so that you will no longer see these alerts and can use your computer properly.

