
found Trojan? entry today after I got a change to my M/S account


Solved by kevinf80


Hi, firstly I am not a PC engineer by a long shot; I am a Nurse xD

Today I got the following warning.

I had an account notice saying there had been a change to my account, possibly a password change.

I immediately changed it again via the MS link in the notification area of my toolbar.

As soon as I got back from that I saw this warning pop up again, twice.

Looking at the IP it says Taiwan... dunno, but VPN? Like I say, my knowledge ends here.

I tried to look at the file but it is locked and I cannot even open it, and I am Admin on my PC.

As my name suggests: PlsHlp

Malwarebytes-trojan-25.04.21.txt DxDiag.25.4.21.txt

Hello Hlppls and welcome to Malwarebytes,

Let's grab some logs and see what's going on; continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select the small cog wheel in the top right hand corner; that will open "Settings". From there select the "Security" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on.

Close out the settings window; this will take you back to the "Dashboard". Select the blue "Scan Now" tab.

When the scan completes, quarantine any found entries.

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab from the main interface.
  • Then click on "History"; that will open a historical list.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply.
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply.

  • Please use "Copy to Clipboard", then right click in your reply and select "Paste"; that will copy the log into your reply.


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
  • Accept the EULA (I accept), then click on Scan.
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it.
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply.


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Hi, huge thanks for getting back to me.

Now, I have just done the new scan twice and it's come up with no threats.

This means there is no new log to paste, nor anything listed to quarantine.

There ARE 2 logs from this morning's RTP detection (I have pasted the later one below).

Does this mean there is nothing to worry about? The data said it originated in my PC and was trying to contact the site in Taiwan.

(Note: there are more questions after this post with a second pasted report.) I'm sorry, but I'm trying to be complete.

Do I still need the next steps if there are no detections in the scan just now?

I'll post this reply now but will do all the rest ASAP if you reckon it is necessary.

Huge thanks for the help.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 25/04/2021
Protection Event Time: 08:49
Log File: c0010052-a59a-11eb-9cb1-3497f690fffa.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39787
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: hl.itpison.com
IP Address: 113.196.228.7
Port: 80
Type: Outbound
File: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe

(end)

 

There were a couple of detections the other day, but it appeared to be from a game my partner plays: RimWorld (I have to DL it from the creators; she originally got it on my Steam account, but since getting my old PC she cannot play it when I'm on something else), which I had whitelisted as OK.... (I hope it wasn't spoofing RimWorld...)   =/

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 18/04/2021
Scan Time: 22:59
Log File: 5feda250-a091-11eb-8d2a-3497f690fffa.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39539
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: Monkeyhitmonolith\Owner

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 295641
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 1 min, 48 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Malware.AI.4042459176, C:\USERS\OWNER\DESKTOP\Games Shortcuts\RimWorld1393Win - Shortcut.lnk, No Action By User, 1000000, 0, , , , , F2C60F4B8537EE01EABB4E61CC69D6D8, 74905561E3B4A22FDDAFC31A93210175ADBFC098BB24D4183707A2C9E6C438F8
Malware.AI.4042459176, C:\USERS\OWNER\MY GAMES\RIMWORLD1393WIN\RIMWORLD1393WIN.EXE, No Action By User, 1000000, 0, 1.0.39539, DA5160A3F73647CDF0F30828, dds, 01207942, 5BECB676ACCACF2B07006506BAE92269, D778C1DF4E29CBF7D5CFEE6B3B8F025E3AA6F7895B88761C9142D3A74E39FC9D

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


I didn't worry about the RimWorld thing because MWB detected Valheim as a trojan too and I had to whitelist that, so I thought RimWorld was the same.

But the Taiwan thing,

(Category: Trojan
Domain: hl.itpison.com
IP Address: 113.196.228.7 )

I have no idea about.


Oh! OK, sorry, will do. :)

The ADW scan found only preinstalled items, which I quarantined and cleaned anyway. I'll post both logs, then on to the FRST log (in uploaded files).

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build:    03-22-2021
# Database: 2021-04-20.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    04-25-2021
# Duration: 00:00:22
# OS:       Windows 10 Home
# Scanned:  31984
# Detected: 5


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.HPSupportAssistant   Folder   C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT SOLUTIONS 
Preinstalled.HPSupportAssistant   Folder   C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK 
Preinstalled.HPSupportAssistant   Folder   C:\Users\Owner\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\{C0ABBA07-B636-47B8-B9E1-BB96D7CD4831} 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{2B5A1E68-6617-406D-B797-5DAB5B4630B8} 

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

Adw Clean

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build:    03-22-2021
# Database: 2021-03-22.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    04-25-2021
# Duration: 00:00:00
# OS:       Windows 10 Home
# Cleaned:  5
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

Deleted       Preinstalled.HPSupportAssistant   Folder   C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT SOLUTIONS
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\Users\Owner\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\{C0ABBA07-B636-47B8-B9E1-BB96D7CD4831}
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{2B5A1E68-6617-406D-B797-5DAB5B4630B8}


*************************

[+] Delete Tracing Keys

NEXT FRST: added to the uploaded files below.

 

I hope this is correct. :)


 

Addition.txt


Hello Hlppls,

Don't see much wrong with your FRST logs. I see from the Malwarebytes block that the connection attempt is outbound via HxOutlook.exe, which is part of Microsoft Outlook. Outlook is normally associated with Microsoft Office; I do not see that on your system, but you do have LibreOffice, is that correct..?

The outbound IP address belongs to New Century InfoComm Tech Co., Ltd., which is based in Taiwan. Does that mean anything to you..? Neither the IP address, the domain, nor the website is flagged as suspicious on the checks I have made.

What exactly were you doing when the blocks occurred..?

Thanks,

Kevin..

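The pivots made in the reply above (which process, which direction, which domain and IP, and what the scan actually flagged) can be pulled out of the exported logs mechanically rather than read by eye. The script below is an added example written for this page; it is not Malwarebytes code and was not posted by anyone in the thread. It parses the two plain-text formats exported from the Malwarebytes UI and shown earlier in the thread (a real-time "Blocked Website" event and a Threat Scan report), extracts process, domain, IP, port and direction from the block event and the file hashes from each detection row, and returns the flags a responder checks before calling a block benign. The sample logs are constructed from the records posted above, trimmed to the sections used; the assumption that the last two comma-separated fields of a detection row are its MD5 and SHA256 is inferred from their 32- and 64-hex-digit widths and is labelled as such in the code. One thing the blocked path itself shows: the folder name under WindowsApps, microsoft.windowscommunicationsapps, is the package identity of the Windows 10 Mail and Calendar Store app, which is why `package_name()` reports the package rather than the bare exe name.

```python
"""Parse and triage Malwarebytes exported logs.

Added example for this thread, not Malwarebytes code and not posted by
anyone in it.  It reads the two plain-text formats exported from the
Malwarebytes UI (a real-time "Blocked Website" event and a Threat Scan
report) and pulls out the fields a responder pivots on: process, domain,
IP, port, direction, and the hashes of each file detection.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the block event posted in the thread, trimmed to the sections used here.
BLOCK_LOG = """\
-Log Details-
Protection Event Date: 25/04/2021
Protection Event Time: 08:49

-Blocked Website Details-
Malicious Website: 1
, C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\\HxOutlook.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: hl.itpison.com
IP Address: 113.196.228.7
Port: 80
Type: Outbound
File: C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\\HxOutlook.exe
"""

# Constructed sample: the -Scan Details- section of the Threat Scan posted in the thread.
SCAN_LOG = """\
-Scan Details-
Process: 0
(No malicious items detected)

File: 2
Malware.AI.4042459176, C:\\USERS\\OWNER\\DESKTOP\\Games Shortcuts\\RimWorld1393Win - Shortcut.lnk, No Action By User, 1000000, 0, , , , , F2C60F4B8537EE01EABB4E61CC69D6D8, 74905561E3B4A22FDDAFC31A93210175ADBFC098BB24D4183707A2C9E6C438F8
Malware.AI.4042459176, C:\\USERS\\OWNER\\MY GAMES\\RIMWORLD1393WIN\\RIMWORLD1393WIN.EXE, No Action By User, 1000000, 0, 1.0.39539, DA5160A3F73647CDF0F30828, dds, 01207942, 5BECB676ACCACF2B07006506BAE92269, D778C1DF4E29CBF7D5CFEE6B3B8F025E3AA6F7895B88761C9142D3A74E39FC9D
"""

SECTION_RE = re.compile(r"^-(.+)-$")                      # "-Website Data-"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")   # "Key: value"; skips bare detection rows
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
STORE_ROOT = "c:\\program files\\windowsapps\\"           # Microsoft Store package root


def parse_sections(text):
    """Return {section name: {key: value}} for the '-Name-' blocks of 'Key: value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return sections


@dataclass
class BlockEvent:
    category: str
    domain: str
    ip: str
    port: int
    direction: str
    process: str


def parse_block_event(text):
    """Build a BlockEvent from the -Website Data- section of an exported block log."""
    web = parse_sections(text)["Website Data"]
    return BlockEvent(category=web["Category"], domain=web["Domain"], ip=web["IP Address"],
                      port=int(web["Port"]), direction=web["Type"], process=web["File"])


@dataclass
class Detection:
    name: str
    path: str
    action: str
    md5: str
    sha256: str


def parse_scan_detections(text):
    """Detection rows follow a 'File: N' line in -Scan Details-.  Each row is comma-separated;
    the last two fields are taken as MD5 and SHA256 (an assumption based on their hex widths)."""
    dets, in_files = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^File: \d+$", line):
            in_files = True
            continue
        if not line:
            in_files = False
            continue
        if not in_files:
            continue
        fields = [f.strip() for f in line.split(", ")]
        if len(fields) < 5 or not HEX32.match(fields[-2]) or not HEX64.match(fields[-1]):
            continue
        dets.append(Detection(fields[0], fields[1], fields[2], fields[-2].upper(), fields[-1].upper()))
    return dets


def package_name(path):
    """Store package identity for a path under WindowsApps (None for any other path)."""
    if not path.lower().startswith(STORE_ROOT):
        return None
    folder = path[len(STORE_ROOT):].split("\\", 1)[0]
    return folder.split("_", 1)[0]      # drop version/arch/publisher suffix


def triage(ev):
    """Flags to look at before deciding whether a web block is benign or hostile."""
    flags = set()
    if ev.direction.lower() == "outbound":
        flags.add("outbound")           # initiated by the local process, not a remote scanner
    if package_name(ev.process):
        flags.add("store_package")      # judge the package identity, not the bare exe path
    if ev.port == 80:
        flags.add("plaintext_http")     # unencrypted; a capture would show the request
    if ipaddress.ip_address(ev.ip).is_global:
        flags.add("public_ip")          # not loopback/private, so a real external peer
    return flags


if __name__ == "__main__":
    ev = parse_block_event(BLOCK_LOG)
    print(ev.process, "->", ev.domain, ev.ip, ev.port, sorted(triage(ev)), package_name(ev.process))
    for d in parse_scan_detections(SCAN_LOG):
        print(d.name, d.path, d.action, d.sha256)
```

On a real machine, paste the text from Malwarebytes' "Copy to Clipboard" export into `parse_block_event` or `parse_scan_detections`. A `store_package` flag on an outbound block means the thing to verify is the package (which app it is and whether the same domain recurs across blocks), not a reason to whitelist the exe path; the SHA256 values from the scan rows are what to look up or compare against the publisher's release, rather than the file name, when deciding whether a game detection is a false positive.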

Ya, I have LibreOffice.

I do not use Outlook; I have Microsoft email (I know, not the best).

No, I do not know anything about the company in Taiwan.

I had a notice in my PC notifications asking had I changed my MS password, which I had not done. I changed it again using the link in the notifications; when I had changed it I got 2 more detections for that website.


Hiya Hlppls,

Run the following please:

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Thanks,

Kevin


OK, I have DL'd it and am running it. It made me go through quite a few pages of choices; I just nexted all and didn't enable the beta one.

It did not let me use Desktop but instead only the Programs folder.

I used the blue Scan All button as per..

Result below, but it said nothing.

I googled the website; it's a phone comms, data and VPN company. I only use a VPN (Orebot) on my phone and do not have it synced with my PC.

 

Still, huge thanks for going through this with me so far :)

RKlog.txt


It was an apparently standard MS notice saying if I changed it, leave it; if I didn't, then change it. I don't have the actual "link"; it was more a box from MS. I've seen them before, kind of like the PIN notice you get occasionally. It left no log/record that I can find, though, without logging into MS.

I should have screenshotted it, maybe.


I was just curious; from what you describe it seems to have been legitimate. Are you still receiving blocks? If so, do you have the Chrome browser open and in use at that time..


No, no more detections or blocks since talking to you.

Glad it seems OK; I use this PC for a few things, gaming aside, and don't want things being messed with.

I have this thread bookmarked too, but need to go to bed. Work, work, as the old orcs say xD

Thanks for your time today Kevin mate, but my alarm just went off. :(

Went through quite a few things. The Taiwan thing though is intriguing.. unless Virgin has farmed out? lol

Anyway, gotta go.

 


I have had no other detections since; I left my PC running for a few hours a couple of times, yesterday and a day or so before, and still have none.

As to the thing about it seeming legitimate, I'm kinda lost.

I have had Chrome going and possibly did when it happened, although I also have DuckDuckGo as a plug-in, I believe.

Huge thanks for your patience as well, dude.

I have to go out for a bit now, but will keep everything on and running. Anything else we can do or look at?

BTW I still have the RogueKiller app, although I have it stopped atm. Should I use this instead of, or with, MWB?

 
