Author Topic: svchost.exe, crl4.digicert.com, and URL:CardStealer?  (Read 3280 times)


Offline unorelitas

  • Newbie
  • *
  • Posts: 3
svchost.exe, crl4.digicert.com, and URL:CardStealer?
« on: November 21, 2022, 01:42:00 AM »
This is an alert I started getting today. It appears as soon as Avast starts up, whether I'm connected to the internet or not. It's not an exaggeration for me to say that I have no idea where to even begin to start solving this issue... For my own sake, let's proceed with the assumption that I am no good with computers or the internet.

Again, this alert appears seemingly on its own without my input. It seems svchost.exe is infected with a worm or something? Neither Avast nor AVG can detect anything, and I haven't had any luck with internet searches. How do I resolve this? How much danger is my system in? Thank you for your time.

Offline unorelitas

  • Newbie
  • *
  • Posts: 3
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #1 on: November 21, 2022, 03:57:52 AM »
UPDATE: happened again upon starting Resident Evil 4 from Steam. Same message and everything.

Offline juanc134

  • Newbie
  • *
  • Posts: 2
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #2 on: November 21, 2022, 05:28:57 AM »
I have the same problem and I don't know how to solve it, since it appears every time I turn on the pc http://bit.ly/3Gy0iKw
« Last Edit: November 21, 2022, 05:35:02 AM by juanc134 »

Offline unorelitas

  • Newbie
  • *
  • Posts: 3
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #3 on: November 21, 2022, 06:43:51 AM »
Quote from: juanc134 on November 21, 2022, 05:28:57 AM
I have the same problem and I don't know how to solve it, since it appears every time I turn on the pc http://bit.ly/3Gy0iKw

did it start very recently for you too? maybe it's a brand-new problem

Offline ramblini

  • Newbie
  • *
  • Posts: 1
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #4 on: November 21, 2022, 07:31:03 AM »
I have the same problem and it started today, have gotten this alert twice.

Offline yyh

  • Newbie
  • *
  • Posts: 12
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #5 on: November 21, 2022, 07:31:56 AM »
I have the same problem

Offline Grim

  • Newbie
  • *
  • Posts: 1
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #6 on: November 21, 2022, 10:07:16 AM »
Same here. I'm getting the message every time on Avast start up. Actually kinda concerned about it.

Offline Barn

  • Newbie
  • *
  • Posts: 1
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #7 on: November 21, 2022, 02:13:13 PM »
Same issue, already tried Malwarebytes, HitmanPro, ADWCleaner, RKill, and Windows Command to Scan svchost.exe. Still comes back after every start up.

Seeing some of you are using Steam, did you buy anything online and pay for it with a credit card in the past 48 hours? Might check in with Valve if there's something similar; this thing keeps coming back.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #9 on: November 21, 2022, 02:33:47 PM »
Anyways we should wait for an official verdict from an avast team member.

As it is their definitions.
And they are the only ones eventually to confirm detection or unblock.

At VT it is not being detected (could also be so-far*): https://www.virustotal.com/gui/url/a750fed74094e58b920737ea129ad24801a392d53ba333094d387e490b5305f0/detection

but some members in the VT user-base there still have their doubts: https://www.virustotal.com/gui/url/a750fed74094e58b920737ea129ad24801a392d53ba333094d387e490b5305f0/community

What is also striking is that we immediately get an insecure http connection.
This sub-domain comes with an insecure connection: https://sitecheck.sucuri.net/results/https/crl4.digicert.com
ECS Server abuse? Odd IP-connection: https://www.abuseipdb.com/check/72.21.91.29

TLS Recommendations
HTTPS version of this website is not accessible: 404 Not Found. Please consider setting up HTTPS to avoid the "Not Secure" browser warning.

Even though the website is being whitelisted, we find:
Quote
No redirect from HTTP to HTTPS found. You should redirect your website visitors to the HTTPS version to avoid the "Not Secure" browser warning.
So what happened on ECS, on which it is running?

But we are not out of the woods yet, while we read here: https://www.reddit.com/r/AskNetsec/comments/dpzeuo/is_this_guy_making_a_big_mistake_marking_72219129/

Avast should communicate whether this is a so-called False Positive or the real McCoy, a genuine detection.

polonus

P.S. @Pondus, why VT does not flag this tracking instance?
(To me personally Pondus is a VT-g33k *  ;)).
« Last Edit: November 23, 2022, 01:21:31 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline juanc134

  • Newbie
  • *
  • Posts: 2
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #10 on: November 21, 2022, 05:06:32 PM »
Quote from: unorelitas on November 21, 2022, 06:43:51 AM
I have the same problem and I don't know how to solve it, since it appears every time I turn on the pc http://bit.ly/3Gy0iKw

did it start very recently for you too? maybe it's a brand-new problem

The problem is recent, I still can't solve it

Offline laybel

  • Newbie
  • *
  • Posts: 2
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #11 on: November 21, 2022, 07:01:56 PM »
Got the exact same triggered notification from Avast word for word.

Couldn't figure out what caused it, kept popping up even after restarting my PC before opening anything, but managed to make it stop by using Avast to block the URL.

Hoping Avast responds about this soon...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #12 on: November 21, 2022, 08:32:56 PM »
For me the strange thing is the initiating executable file; whilst there are occasions when svchost.exe legitimately connects to the internet, I find it hard to see why it would do so in this instance. Typically this is related to Windows Update (and some other Windows functions), which doesn't appear to be the case here.

https://www.google.co.uk/search?q=legitimate+reasons+for+svchost.exe+to+connect+to+the+internet

See - https://www.avast.com/c-what-is-svchost-file#topic-6
Ignore the Avast CleanUp free trial (unrelated to this issue) button and view the remainder of the information on the page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
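An added example (editor's addition, not code posted by anyone in this thread) to help a reader work out for themselves why svchost.exe is talking to the host named in the alert. It does two things: it lists every certificate in the local stores whose CRL Distribution Points extension names crl4.digicert.com (which is how Windows learns where to fetch revocation lists), and it attributes any live connection to that host to the owning PID, the services hosted in that svchost.exe instance, and the Authenticode signature of the binary. Only `crl4.digicert.com` comes from the thread; everything else (variable names, the store walk, the output shape) is this example's own choice. Run it in an elevated PowerShell, since process paths of system services are not readable otherwise.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell on Windows 10/11.
$CrlHost = 'crl4.digicert.com'   # host named in the Avast alert

# 1. Which installed certificates point at this CRL host?
#    OID 2.5.29.31 is the CRL Distribution Points extension; its formatted text
#    contains lines like "URL=http://<host>/<file>.crl".
$cdpRefs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $cert = $_
        $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp -and ($cdp.Format($true) -match [regex]::Escape($CrlHost))) {
            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
            }
        }
    }
"Certificates whose CRL Distribution Point names $CrlHost:"
$cdpRefs | Format-Table -AutoSize

# 2. Attribute any live TCP connection to that host.
#    Caveat: the host sits on a CDN, so the address a past connection used may
#    differ from what DNS returns now; rerun while the alert is firing.
$addrs = (Resolve-DnsName -Name $CrlHost -Type A -ErrorAction Stop).IPAddress
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $addrs -contains $_.RemoteAddress }

"Live connections to $CrlHost ($($addrs -join ', ')):"
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # Services hosted in this PID; a shared svchost.exe may host several.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
        Select-Object -ExpandProperty Name
    $sig  = if ($proc.Path) { Get-AuthenticodeSignature -FilePath $proc.Path } else { $null }
    [pscustomobject]@{
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        PID       = $c.OwningProcess
        Process   = $proc.Name
        Path      = $proc.Path
        Services  = ($svcs -join ', ')
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    } | Format-List
}
```

What to look for: a benign result is a connection owned by `C:\Windows\System32\svchost.exe` with a `Valid` Microsoft signature, hosting the Cryptographic Services group (`CryptSvc`), and a non-empty list of installed certificates that name that host as their CRL distribution point. A connection from an svchost.exe outside `System32`, an unsigned or differently signed binary, or a PID hosting no recognisable service is what would justify the worry expressed in this thread. Note also that CRLs are signed by their issuing CA, so Windows fetches them over plain http by design; the "insecure connection" findings quoted earlier in the thread describe that normal transport, not a compromise.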

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: svchost.exe, crl4.digicert.com, and URL:CardStealer?
« Reply #13 on: November 22, 2022, 12:44:03 PM »
L.S.

The problem is we see connections to digicert dot com being whitelisted by AbuseIPDB & others.
But also the sub-domain, crl4 dot digicert dot com, has been whitelisted, having IP 93.184.220.29.
This according to AbuseIPDB.

But following reports made there, it is still being abused for nefarious actions (phishing, attacks, malcode).
See: https://www.abuseipdb.com/check/93.184.220.29

So is the EdgeCast NetBlk being abused, while officials state this cannot be: stats as denial of obvious facts?

Now we have to wait for some specifics from those that flagged this abuse in the first place.

I get this inside the developer console on the browser:
Quote
Access to fetch at 'hxtps://s-install.avcdn.net/aos/assets/prod/translations/Locale-en-US.json' from origin 'htxp://crl4.digicert.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

polonus
« Last Edit: November 22, 2022, 12:58:11 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!