Potential Houdini RAT infection


Recommended Posts

My ISP blocked the internet and redirected me to a website describing that my PC attempted to connect to a blacklisted IP and seems to be infected by Houdini RAT. There were 135 attempts to connect to the blacklisted IP, the first one starting at 2020-03-20 21:54, which based on my browser history is the day I decided to flash a new ROM to my phone and had to download some wonky apps to flash via PC (the softbricked phone would not go into recovery or let me reflash it itself). This probably resulted in some random virus being bundled with an app... I do my best to prevent infections because I don't use antivirus. I scanned all apps via virustotal.com and all were fine. If that's not the source of infection then I have no idea. The phone is fine, the PC seems not to be. I didn't encounter any weird issues. I check CPU/mem/network usage frequently, and I don't see any weird processes either.

 

Can you please check whether there is something hidden in the logs that I missed? I quickly peeked into the logs and didn't find any apps that I don't remember installing or don't consider system apps. There were some weird files though. The Bitdefender scan couldn't access 5 or so files located at "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\ib2E15.tmp" - there is no permission to even check the ownership of the files. I can't take ownership of them and they appear to be 0 kB; perhaps these are virus files? There is no way temp files are THAT secure.

 

Malwarebytes didn't find anything apart from NOUAC being on, miner files that are deleted now just in case, and a Cheat Engine file, all being "PUP.Optional" or "RiskWare", so pretty safe AND I know them all.

 

If you need additional logs, let me know.

 

It would be cool if you helped me get rid of all the "leftovers" after using the system for 3 years. There are some trash leftovers like "Thunder Network" or "xhunter1" that I don't know, etc.

FRST.txt Addition.txt Shortcut.txt Bitdefender scan logs.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

--RogueKiller--

  • Download RogueKiller & SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

If the problem persists and you are syncing Firefox with other devices, reset it.

Navigate to this page and Remove it as suggested.

https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

When done restart the computer normally.

If all is well.

Return to your Firefox Account and Click the Connect button.

Reset the sync.

Restart the computer normally.
<<<>>>

Please post the logs and let me know what problem persists.

fixlist.txt


Logs attached.

 

I decided to only get rid of ConsoleApplication1; I don't want to toggle off the NOUAC policy, remove the hosts entries or remove the Firefox network proxy (I set it myself some time ago).

 

3 hours ago, nasdaq said:

Please post the logs and let me know what problem persists.

The problem is, there are literally no problems. I only got a message from my ISP that my network attempted to connect to IP address 213.152.162.154 135 times, with the first occurrence being 2020.03.20 and the last occurrence being 2020.04.20, and it suggested that I should look for viruses and that my PC is potentially infected with wshRAT/HoudiniRAT.

 

I can't see any signs of infection myself but I could overlook something. There could be something starting on startup or during certain events but I'm not sure.

 

The temp files mentioned in the 1st post were actually removed. There are no temp files in the folder where the old temp files were located. I looked "around" that folder and couldn't find any either.

 

Can someone confirm and make sure that everything seems alright? Three different antivirus/antimalware apps didn't pick up anything and I'm fairly informed and very knowledgeable in terms of what's safe and what's not, so the chances of infection are low, BUT the ISP warning won't give me inner peace until I find the reason for triggering that warning.

Fixlog.txt ReportRogue.txt


I just got 16 more occurrences of the virus trying to connect to the remote IP.

 

My ISP's protection filter says:

 

  • Number of observed incidents: 151
  • Date and time of first observed activity: 2020-03-20 21:54:00
  • Date and time of last observed activity: 2020-04-21 21:05:15

That went up from 135 to 151. It seems like it happened minutes ago, but I didn't really do anything special to trigger it (no idle, no installing/changing/running new apps).

 

I'm gonna investigate scheduled tasks. It has to RUN somehow, but none of the antivirus/antimalware apps found any weird processes or scheduled tasks.
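The persistence checks the poster is about to do by hand (scheduled task actions, Run keys, the Startup folder), plus the system proxy and any live connection to the address quoted from the ISP notice, collected in one PowerShell triage script. This is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell session on Windows 10 with the ScheduledTasks and NetTCPIP modules available.

```powershell
# Added triage script, not from this thread. Assumes an elevated PowerShell
# session on Windows 10 (ScheduledTasks and NetTCPIP modules present).
# $FlaggedIp is the address quoted from the ISP notice earlier in the thread.
$FlaggedIp = '213.152.162.154'

# 1. Scheduled tasks: list what each task executes, not just its name. Script
#    hosts (wscript/cscript/mshta/powershell) started from user-writable paths
#    deserve a closer look; drop the Where-Object to list every task action.
Write-Host '== Scheduled task actions =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Execute = $a.Execute
                Args    = $a.Arguments
            }
        }
    }
} | Where-Object { $_.Execute -match 'wscript|cscript|mshta|powershell|cmd' } |
  Format-Table -AutoSize -Wrap

# 2. Run/RunOnce keys for the machine and current user, plus the Startup folder.
Write-Host '== Run/RunOnce keys and Startup folder =='
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($key in 'Run', 'RunOnce') {
        $path = "$($hive):\Software\Microsoft\Windows\CurrentVersion\$key"
        if (Test-Path $path) {
            Get-ItemProperty $path | Select-Object * -ExcludeProperty PS* | Format-List
        }
    }
}
Get-ChildItem ([Environment]::GetFolderPath('Startup')) -Force |
  Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. WinINET proxy settings: a rogue proxy redirects traffic without any new
#    process showing up, so it is worth checking alongside autostarts.
Write-Host '== WinINET proxy =='
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
  Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 4. Any current TCP connection to the flagged address, with the owning process.
Write-Host "== Connections to $FlaggedIp =="
Get-NetTCPConnection -RemoteAddress $FlaggedIp -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ State = $_.State; PID = $_.OwningProcess; Process = $p.Path }
  } | Format-Table -AutoSize
```

Section 4 only catches a connection that is open while the script runs; for intermittent beacons like the ones the ISP counted, run it again right after the ISP counter increments, or compare the task and Run-key output against a known-clean baseline.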



Hi,

My mistake. I should have investigated the proxy.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt.
Is the problem fixed?

fixlist.txt


  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
