CoUsT
  1. I just got 16 more occurrences of the virus trying to connect to the remote IP. My ISP's protection filter says:

     Number of observed incidents: 151
     Date and time of first observed activity: 2020-03-20 21:54:00
     Date and time of last observed activity: 2020-04-21 21:05:15

     So the count went up from 135 to 151. It seems to have happened minutes ago, but I didn't really do anything special to trigger it (no idling, no installing/changing/running new apps). I'm gonna investigate scheduled tasks. It has to RUN somehow, but none of the antivirus/antimalware apps found any weird processes or scheduled tasks.
  2. Logs attached. I decided to only get rid of ConsoleApplication1; I don't want to toggle off the NOUAC policy, remove the hosts entries, or remove the Firefox network proxy (I set it myself some time ago). The problem is, there are literally no problems. I only got a message from my ISP that my network attempted to connect to the IP address 213.152.162.154 135 times, with the first occurrence being 2020.03.20 and the last occurrence being 2020.04.20, and it suggested that I should look for viruses because my PC is potentially infected with wshRAT/HoudiniRAT. I can't see any signs of infection myself, but I could be overlooking something. There could be something starting on startup or during certain events, but I'm not sure. The temp files mentioned in the 1st post were actually removed. There are no temp files in the folder where the old temp files were located. I looked "around" that folder and couldn't find any either. Can someone confirm and make sure that everything seems alright? Three different antivirus/antimalware apps didn't pick up anything, and I'm fairly informed and very understanding in terms of what's safe and what's not, so the chances of infection are low, BUT the ISP warning won't give me inner peace until I find the reason for triggering that warning.

     Attachments: Fixlog.txt, ReportRogue.txt
  3. My ISP blocked the internet and redirected me to a website describing that my PC attempted to connect to a blacklisted IP and seems to be infected by Houdini RAT. There were 135 attempts to connect to the blacklisted IP, the first one starting at 2020-03-20 21:54, which based on my browser history is the day I decided to flash a new ROM to my phone and had to download some wonky apps to flash it via the PC (the softbricked phone would not go into recovery or let me reflash it itself). This probably resulted in some random virus being bundled with an app... I do my best to prevent infections because I don't use an antivirus. I scanned all the apps via virustotal.com and all were fine. If that's not the source of the infection then I have no idea. The phone is fine; the PC seems not to be. I didn't encounter any weird issues. I check CPU/mem/network usage frequently and I don't see any weird processes either. Can you please check whether there is something hidden in the logs that I missed? I quickly peeked into the logs and didn't find any apps that I don't remember installing or don't consider system apps. There were some weird files though. The Bitdefender scan couldn't access 5 or so files located at "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ib2E15.tmp"; there is no permission to even check the ownership/files. I can't take ownership of them and they appear to be 0 kB, so perhaps these are virus files? There is no way temp files are THAT secure. Malwarebytes didn't find anything apart from NOUAC being on, miner files that are deleted now just in case, and a Cheat Engine file, all flagged as "PUP.Optional" or "RiskWare", so pretty safe, AND I know them all. If you need additional logs, let me know. It would be cool if you helped me get rid of all the "leftovers" after using the system for 3 years; there are some trash leftovers like "Thunder Network" or "xhunter1" that I don't know, etc.

     Attachments: FRST.txt, Addition.txt, Shortcut.txt, Bitdefender scan logs.txt