PSYKO

Posts posted by PSYKO

  1. cvomp.txt

    The IP showed up as being part of the game, however all of the blocks were from "system" and were happening when I wasn't in the game at all. I had 6 blocks last night and all of them were from system, with GlassWire confirming that the NT kernel also had the IP connected to it.

    If it was just the DCS game I would have ignored it, as per the last thread; however this one is a system block, and that's what concerns me.

    Here's the log file

  2. Hi there, over the last week or so I've been getting real-time blocks of an apparent compromised website. The problem is it's saying it's my system and that it's outgoing!!!

    Through GlassWire I was able to track the IP down to the DCS exe and, to my shock, the NT kernel.

    I ran the IP through VT and it only came back with one positive result.

    Mbam scan showed nothing..

    What's going on? Is my PC compromised? What do I do next?

  3. Thank you so much, would this still be the case with a game that's not on Steam or Epic or anything like that?

    I'm not sure if DCS World uses any of the same technology. I do know however that the port that the sites are coming through is the WebUI, which allows control of a server remotely, i.e. change a mission.

    Is that considered P2P? I'm not well versed in all this sort of stuff.

    Just want to try to understand as much as I can. Don't get me wrong, I would rather mbam block everything it possibly can, as aggressively as possible! Just need to make sure my network stays as safe as possible.

    One of the reasons I love mbam! So good

  4. Hi there,

    I host a very small server for me and my mates to play on. I run it off an old PC that I had sitting around and thought I may as well use it for something!

    Recently I have started getting real-time blocking events, "website blocked due to Trojan" or "website blocked due to compromise". The port and exe that they are coming through to is the game exe that the WebUI uses to connect to the PC to control the server. The IPs that the events are coming from are different, and they happen at random times.

    As you can imagine this is freaking me out somewhat; I am hoping someone here can shed light on the matter.

    Here are the exported log files:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 7/1/22
    Protection Event Time: 3:39 PM
    Log File: 7361d3b2-f8ef-11ec-8ee0-c86000c39830.json

    -Software Information-
    Version: 4.5.10.200
    Components Version: 1.0.1709
    Update Package Version: 1.0.56605
    License: Premium

    -System Information-
    OS: Windows 10 (Build 19044.1766)
    CPU: x64
    File System: NTFS
    User: System

    -Blocked Website Details-
    Malicious Website: 1
    , C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

    -Website Data-
    Category: Compromised
    Domain: 
    IP Address: 179.43.155.172
    Port: 8088
    Type: Inbound
    File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

    (end)

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 7/1/22
    Protection Event Time: 2:53 PM
    Log File: edd8678e-f8e8-11ec-8ff5-c86000c39830.json

    -Software Information-
    Version: 4.5.10.200
    Components Version: 1.0.1709
    Update Package Version: 1.0.56605
    License: Premium

    -System Information-
    OS: Windows 10 (Build 19044.1766)
    CPU: x64
    File System: NTFS
    User: System

    -Blocked Website Details-
    Malicious Website: 1
    , C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

    -Website Data-
    Category: Trojan
    Domain: 
    IP Address: 46.249.32.102
    Port: 8088
    Type: Inbound
    File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

    (end)

    Do they look like FPs? Or do I need to freak out?

    I should note that these events do not happen when the server exe is not running.

    I'm not sure what's going on.

    Cheers guys

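An added example, not from this thread or from Malwarebytes: a small Python parser for the exported event format shown above. It splits a multi-event export on its dashed separator, reads each `-Section-` block into key/value pairs, and counts the blocks by their `Type` field, which is the detail such a question turns on: an Inbound event is a connection a remote host opened to a port the local process was listening on, so direction plus the spread of remote IPs shows whether the host is reaching out or is being probed. The sample export is constructed with placeholder IPs.

```python
import re
from collections import Counter

# Constructed sample in the shape of the exports posted above: two events in one file,
# separated by a dashed line. The IPs are RFC 5737 placeholders, not the real ones.
SAMPLE = r"""-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data-
Category: Compromised
Domain:
IP Address: 192.0.2.10
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe
(end)
------------------------------------------------------------
-Website Data-
Category: Trojan
IP Address: 198.51.100.7
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe
"""

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # 'Key: value'; value may be empty

def parse_events(text):
    """Split on the dashed separator, then each event into {section: {key: value}}."""
    events = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        sections, current = {}, None
        for line in (ln.strip() for ln in chunk.splitlines()):
            if len(line) > 2 and line.startswith("-") and line.endswith("-"):
                current = sections.setdefault(line.strip("-"), {})  # '-Website Data-' header
            elif current is not None and (m := KEY_RE.match(line)):
                current[m.group(1)] = m.group(2)  # detail row and '(end)' do not match, skipped
        if sections:
            events.append(sections)
    return events

def summarize(text):
    """Inbound: the remote side opened the connection, the local process only listened.
    Outbound: the local process reached out. Many distinct IPs, all Inbound to one port,
    is the pattern of internet scanning of that port rather than the host calling home."""
    rows = [e.get("Website Data", {}) for e in parse_events(text)]
    dirs = Counter(r.get("Type", "").lower() for r in rows)
    inbound = [r for r in rows if r.get("Type") == "Inbound"]
    return {"inbound": dirs["inbound"], "outbound": dirs["outbound"],
            "inbound_ports": sorted({r["Port"] for r in inbound}),
            "distinct_inbound_ips": len({r["IP Address"] for r in inbound})}
```

Run `summarize(open("export.txt").read())` on a real export to get the same counts for your own events.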
  5. So last night I went to add a shortcut to my desktop through Steam, the UAC pop-up came up and I approved it, and at the same time mbam popped this...

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 6/26/22
    Protection Event Time: 9:41 PM
    Log File: 13bc01da-f534-11ec-9c01-04421aed5d58.json

    -Software Information-
    Version: 4.5.10.200
    Components Version: 1.0.1709
    Update Package Version: 1.0.56482
    License: Premium

    -System Information-
    OS: Windows 11 (Build 22000.739)
    CPU: x64
    File System: NTFS
    User: System

    -Exploit Details-
    File: 0
    (No malicious items detected)

    Exploit: 1
    Malware.Exploit.Agent.Generic, C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}, Blocked, 0, 392684, 0.0.0, , 

    -Exploit Data-
    Affected Application: Windows Control Panel
    Protection Layer: Application Behavior Protection
    Protection Technique: Exploit Office loading points abuse blocked
    File Name: C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL input.dll,,{C07337D3-DB2C-4D0B-9A93-B722A6C106E2}{HOTKEYS}
    URL: 

    (end)

    It's a brand new Windows install, installed a week ago. I'm not really sure what's going on, if it's a false positive or not. I don't even know if it was the Steam icon-to-desktop thing that made it pop. After this I ran a quick scan in mbam and Win Defender with no results.

    What's next? Have I been exploited, or is it just a false positive and I can carry on with life?

    Anxiously awaiting your reply
