Jump to content
Syntaxs

Potentially infected with a RAT

Recommended Posts

I was monitoring my network traffic yesterday after noticing some unusual activity and this unfamiliar IP kept popping up, I done a IP checkup & it's not attached to any services, the IP was using a UK ISP mostly used by home users, I'm also personally under the same ISP but it's definitely not the same IP I've been assigned & is in a entirely different location to myself by a long way. I've ran malwarebytes & windows defender numerous times but no detection has been made.

 

Where do I go from here?

 

Also I've ran RKill and nothing was terminated nor detected.

Share this post


Link to post
Share on other sites

Hi,  @Syntaxs    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

You mentioned " I've ran malwarebytes & windows defender numerous times but no detection has been made. "

Is this on a Windows 10 ?
 


We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Share this post


Link to post
Share on other sites
22 minutes ago, Maurice Naggar said:

Hi,  @Syntaxs    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

You mentioned " I've ran malwarebytes & windows defender numerous times but no detection has been made. "

Is this on a Windows 10 ?
 


We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Forgot to quote you, attachments are above this post :)

Share this post


Link to post
Share on other sites

Thanks I got the report file.  You and I are the only ones on this case.  I get all replies.

There is no need to click on the QUOTE feature when you reply.

I noticed a number of recent website block events by the Malwarebytes web protection & they relate to the Chrome browser.

[ 1 ]

Using the Chrome browser, I  suggest you  go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

 

[ 2 ]

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner.

 

 

Please download the current release for Malwarebytes AdwCleaner from here:
https://downloads.malwarebytes.com/file/adwcleaner

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.

 

You should then see a screen showing "Scan results".

Review what is listed. If something is listed that you know for sure is safe, then for that line, click the check-box on the left so that it is un-checked.

(NOTE, clicking the small right pointed little arrow, will cause the screen to refresh & show all line items . )

 

When ready, click on the button "Clean and repair".

If prompted to restart then click on "Clean & Restart Now".

 

When You see screen with "Your cleanup is complete", click on the View Log file button.

It should then show as a open window in your text editor ( normally Notepad).

Do a File >> Save As, given it a unique name and Save to your Desktop or some other permanent folder.

 

Kindly provide a copy of that run report. Attach it with reply.

When done with Adwcleaner, click the X button to Exit out.    We will do more later on.

Thank you.

 



Share this post


Link to post
Share on other sites

That's fine.  Thanks.   Lets do a one time run with the standalone anti-rootkit.

 

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from here this link

and save it to your desktop.

 

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
Sincerely,

Maurice

 

Share this post


Link to post
Share on other sites

It appears no suspicious files were detected in this case either, was there anything in the FRST logs that appeared suspicious?

 

I mean the initial reason for me becoming suspicious was that i ran ' netstat -bn ' and an ip address appeared that was using a home providers isp, which is the same provider as mine but this was a different ip to the one I have. Also in a entirely different location, within the same country however a considerable distance away from my own location, originally there was only one of these ips, but on further network scans there's been a few that appear with the same network prefix & subnet but different host ID, so example of IPs 

' 90.12.163.146 '
' 90.12.163.160 '

' 90.12.163.83 '

 

My personal IP has a entirely different network prefix, subnet & hostid there's no connection between the ips & my ip other than the ISP, however is it possible my ISP is transmitting data from and to my network using other networks in different locations under their own broadband provider? ( If that makes sense )

mbar-log-2019-06-30 (00-40-38).txt

Share this post


Link to post
Share on other sites

The MBAR reported no rootkits.   That is great.

As to the IP addressed you are seeing, I would only just point you to other resources.

.

For a different scan:

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
Then look on the right hand side and click on Windows Defender.
Then, scroll all the way down on the scroll bar, down to where you see "Windows Defender Offline"
Click on the button Scan Offline to start the process and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

 

p.s.  No, the FRST did not point to "some thing".

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

You have run the MBAR anti-rootkit and it found no rootkits.  That is very good.

You have completed a Windows Defender Offline and it found nothing.   That is great.

There has been no finding of "infection" or malware.  I doubt there is any here.

 

You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

 

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.