Hlppls, posted April 25, 2021 (ID 1453229):

Hi. Firstly, I am not a PC engineer by a long shot, I am a nurse xD. Today I got the following warning. I had an account notice saying there has been a change to my account, possibly a password change. I immediately changed it again via the MS link in the notification area of my toolbar. As soon as I got back from that I saw this warning pop up again, twice. Looking at the IP, it says Taiwan... dunno, but VPN? Like I say, my knowledge ends here. I tried to look at the file but it is locked and I cannot even open it, and I am Admin on my PC. As my name suggests, PlsHlp.

Attachments: Malwarebytes-trojan-25.04.21.txt, DxDiag.25.4.21.txt
Hlppls (author), posted April 25, 2021 (ID 1453230):

"I had an account notice saying there has been a change to my account, possibly a password change." Sorry, to be complete: this refers to my Microsoft account.
kevinf80, posted April 25, 2021 (ID 1453235):

Hello Hlppls and welcome to Malwarebytes,

Let's grab some logs and see what's going on. Continue with the following:

If you do not have Malwarebytes installed, do the following:
Download Malwarebytes version 4 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/
Double click on the installer and follow the prompts.

When the install completes, or if Malwarebytes is already installed, do the following:
Open Malwarebytes and select the small cog wheel in the top right hand corner; that will open "Settings". From there select the "Security" tab.
Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on.
Close out the settings window; this will take you back to "Dashboard". Select the blue "Scan Now" tab.
When the scan completes, quarantine any found entries.

To get the log from Malwarebytes do the following:
Click on the Detection History tab from the main interface.
Then click on "History"; that will open a historical list.
Double click on the scan log which shows the date and time of the scan just performed.
Click Export. From Export you have two options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach it to your reply.
Please use "Copy to Clipboard", then right click in your reply and select "Paste"; that will copy the log to your reply.

Next, download AdwCleaner by Malwarebytes onto your Desktop (or from this mirror).
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
Accept the EULA (I accept), then click on Scan.
Let the scan complete.
Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes.
Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it.
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply.

Next, download Farbar Recovery Scan Tool and save it to your desktop.
Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way.
Be aware FRST must be run from an account with Administrator status.
If English is not your primary language, right click on FRST/FRST64 and rename it to FRSTEnglish/FRST64English.
Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The tool will also make a log named Addition.txt. Please attach that log to your reply.

Let me see those logs in your reply.

Thank you,
Kevin
Hlppls (author), posted April 25, 2021 (ID 1453268):

Hi, huge thanks for getting back to me. Now, I have just done the new scan twice and it's come up with no threats. This means there is no new log to paste, nor anything listed to quarantine. There ARE 2 logs from this morning's RTP detection (I have pasted the later one below). Does this mean there is nothing to worry about? The data said it originated in my PC and was trying to contact the site in Taiwan. (Note: there are more questions after this post with a second pasted report.) I'm sorry, but I'm trying to be complete. Do I still need the next steps if there are no detections in the scan just now? I'll post this reply now but will do all the rest ASAP if you reckon it is necessary. Huge thanks for the help.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 25/04/2021
Protection Event Time: 08:49
Log File: c0010052-a59a-11eb-9cb1-3497f690fffa.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39787
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1 , C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: hl.itpison.com
IP Address: 113.196.228.7
Port: 80
Type: Outbound
File: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe

(end)

There were a couple of detections the other day but it appeared to be from a game my partner plays: RimWorld (I have to DL it from the creators; she originally got it on my Steam account, but since getting my old PC she cannot play it when I'm on something else), which I had whitelisted as OK.... (I hope it wasn't spoofing RimWorld... ) =/

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 18/04/2021
Scan Time: 22:59
Log File: 5feda250-a091-11eb-8d2a-3497f690fffa.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39539
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: Monkeyhitmonolith\Owner

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 295641
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 1 min, 48 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Malware.AI.4042459176, C:\USERS\OWNER\DESKTOP\Games Shortcuts\RimWorld1393Win - Shortcut.lnk, No Action By User, 1000000, 0, , , , , F2C60F4B8537EE01EABB4E61CC69D6D8, 74905561E3B4A22FDDAFC31A93210175ADBFC098BB24D4183707A2C9E6C438F8
Malware.AI.4042459176, C:\USERS\OWNER\MY GAMES\RIMWORLD1393WIN\RIMWORLD1393WIN.EXE, No Action By User, 1000000, 0, 1.0.39539, DA5160A3F73647CDF0F30828, dds, 01207942, 5BECB676ACCACF2B07006506BAE92269, D778C1DF4E29CBF7D5CFEE6B3B8F025E3AA6F7895B88761C9142D3A74E39FC9D

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
Hlppls (author), posted April 25, 2021 (ID 1453270):

I didn't worry about the RimWorld thing because MWB detected Valheim as a trojan too and I had to whitelist that, so I thought RimWorld was the same. But the Taiwan thing (Category: Trojan, Domain: hl.itpison.com, IP Address: 113.196.228.7) I have no idea about.
kevinf80, posted April 25, 2021 (ID 1453271):

Can I see the logs from FRST...?
Hlppls (author), posted April 25, 2021 (ID 1453272):

Oh! OK, sorry, will do. :) The ADW scan found only preinstalled items, which I quarantined and cleaned anyway. I'll post both logs, then on to the FRST log (in the uploaded files).

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build: 03-22-2021
# Database: 2021-04-20.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 04-25-2021
# Duration: 00:00:22
# OS: Windows 10 Home
# Scanned: 31984
# Detected: 5

***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
No malicious folders found.

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious WMI found.

***** [ Shortcuts ] *****
No malicious shortcuts found.

***** [ Tasks ] *****
No malicious tasks found.

***** [ Registry ] *****
No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries found.

***** [ Chromium URLs ] *****
No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries found.

***** [ Firefox URLs ] *****
No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****
No malicious hosts file entries found.

***** [ Preinstalled Software ] *****
Preinstalled.HPSupportAssistant Folder C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT SOLUTIONS
Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\Users\Owner\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{C0ABBA07-B636-47B8-B9E1-BB96D7CD4831}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{2B5A1E68-6617-406D-B797-5DAB5B4630B8}

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

AdwCleaner clean log:

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build: 03-22-2021
# Database: 2021-03-22.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 04-25-2021
# Duration: 00:00:00
# OS: Windows 10 Home
# Cleaned: 5
# Failed: 0

***** [ Services ] *****
No malicious services cleaned.

***** [ Folders ] *****
No malicious folders cleaned.

***** [ Files ] *****
No malicious files cleaned.

***** [ DLL ] *****
No malicious DLLs cleaned.

***** [ WMI ] *****
No malicious WMI cleaned.

***** [ Shortcuts ] *****
No malicious shortcuts cleaned.

***** [ Tasks ] *****
No malicious tasks cleaned.

***** [ Registry ] *****
No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****
No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****
Deleted Preinstalled.HPSupportAssistant Folder C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT SOLUTIONS
Deleted Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted Preinstalled.HPSupportAssistant Folder C:\Users\Owner\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{C0ABBA07-B636-47B8-B9E1-BB96D7CD4831}
Deleted Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{2B5A1E68-6617-406D-B797-5DAB5B4630B8}

*************************

[+] Delete Tracing Keys

NEXT FRST: added to the uploaded files below. I hope this is correct. :)

Attachment: Addition.txt
kevinf80, posted April 25, 2021 (ID 1453274):

I also need to see the FRST primary log, "FRST.txt". Logs are saved here: C:\FRST\Logs
Hlppls (author), posted April 25, 2021 (ID 1453277):

Okidoo! This is all that was in the logs folder.

Attachments: FRST_25-04-2021 16.07.32.txt, Addition_25-04-2021 16.07.32.txt
kevinf80, posted April 25, 2021 (ID 1453281):

Hello Hlppls,

I don't see much wrong with your FRST logs. I see from the Malwarebytes block that the connection attempt is outbound via HxOutlook.exe, which is part of Microsoft Outlook. Outlook is normally associated with Microsoft Office; I do not see that on your system, but you do have LibreOffice, is that correct..?

The outbound IP address is to New Century InfoComm Tech Co., Ltd., which is based in Taiwan. Does that mean anything to you..? Neither the IP address, the domain, nor the website are flagged as suspicious on checks I have made. What exactly were you doing when the blocks occurred..?

Thanks,
Kevin
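As an added example (not code from the thread, from Malwarebytes or from either poster), the block pasted above can be read mechanically rather than by eye. The parser below splits a Malwarebytes real-time protection log into its -Section- blocks, decomposes the WindowsApps package folder named in the File path, and lists the facts an analyst checks first: direction, plaintext port 80, and whether the process belongs to a Store package. Two facts it relies on: the package name microsoft.windowscommunicationsapps is the Windows 10 Mail and Calendar Store app, of which HxOutlook.exe is the mail process, and the _8wekyb3d8bbwe suffix on a WindowsApps folder is Microsoft's Store publisher ID. The sample log is the thread's own block reproduced as constructed input with the software and system sections trimmed; the function names are the example's own.

```python
import re
from typing import Dict, List

# Microsoft's Store publisher ID: the suffix of every first-party Microsoft
# package folder under C:\Program Files\WindowsApps.
MICROSOFT_PUBLISHER_ID = "8wekyb3d8bbwe"

# Constructed sample: the RTP block from the thread with two sections trimmed.
# Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 25/04/2021
Protection Event Time: 08:49
Log File: c0010052-a59a-11eb-9cb1-3497f690fffa.json

-Blocked Website Details-
Malicious Website: 1 , C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: hl.itpison.com
IP Address: 113.196.228.7
Port: 80
Type: Outbound
File: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20688.0_x64__8wekyb3d8bbwe\HxOutlook.exe

(end)
"""

_SECTION = re.compile(r"^-(?P<name>[^-].*?)-$")  # e.g. "-Website Data-"
_PACKAGE = re.compile(r"\\WindowsApps\\(?P<pkg>[^\\]+)\\", re.IGNORECASE)


def parse_mb_log(text: str) -> Dict[str, Dict[str, str]]:
    """Split a Malwarebytes log into its -Section- blocks of 'Key: value' lines."""
    sections: Dict[str, Dict[str, str]] = {"_header": {}}
    current = "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: "C:\..." stays whole
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def split_package(path: str) -> Dict[str, str]:
    """Decompose a WindowsApps folder name: <name>_<version>_<arch>__<publisher-id>."""
    m = _PACKAGE.search(path)
    if not m:
        return {}
    pkg = m.group("pkg")
    head, _, publisher = pkg.rpartition("__")
    parts = head.split("_")
    info = {"package": pkg, "publisher_id": publisher}
    if len(parts) >= 3:
        info.update(name=parts[0], version=parts[1], arch=parts[2])
    return info


def triage(sections: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Reduce a parsed block to the facts an analyst checks first."""
    data = sections.get("Website Data", {})
    path = data.get("File", "")
    pkg = split_package(path)
    port = int(data.get("Port") or 0)
    is_ms_store = pkg.get("publisher_id") == MICROSOFT_PUBLISHER_ID
    findings: List[str] = []
    if data.get("Type", "").lower() == "outbound":
        findings.append("outbound: the connection was initiated from this machine")
    if port == 80:
        findings.append("plaintext HTTP on port 80: the request could be captured and read")
    if pkg and is_ms_store:
        findings.append("Microsoft Store package: verify package integrity, do not just trust the path")
    elif pkg:
        findings.append("Store package from a non-Microsoft publisher: check the publisher")
    elif path.lower().startswith("c:\\users\\"):
        findings.append("executable in a user profile: hash and check it")
    return {
        "domain": data.get("Domain"),
        "ip": data.get("IP Address"),
        "port": port,
        "category": data.get("Category"),
        "process": path.rsplit("\\", 1)[-1],
        "package": pkg.get("name"),
        "microsoft_store_app": is_ms_store,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(parse_mb_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The point of the package split is the caveat a practitioner wants here: an executable under WindowsApps with Microsoft's publisher ID is a signed Store package, so the question is not whether HxOutlook.exe is malware but whether the installed package is intact (in PowerShell, Get-AppxPackage and Get-AuthenticodeSignature answer that) and why a mail client was asked to reach that domain. A mail client fetching remote content from a message is one ordinary way such a block arises, but the log alone cannot show that, so the domain and IP still deserve their own lookup.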
Hlppls (author), posted April 25, 2021 (ID 1453328):

Ya, I have LibreOffice. I do not use Outlook; I have Microsoft email (I know, not the best). No, I do not know anything about the company in Taiwan. I had a notice in my PC notifications asking had I changed my MS password, which I had not done. I changed it again using the link in the notifications; when I had changed it I got 2 more detections for that website.
kevinf80, posted April 25, 2021 (ID 1453333):

Hiya Hlppls,

Run the following please:

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
Right-click on the RogueKiller file and select Run as administrator to start the tool.
Click Yes to accept the UAC security warning that may appear.
Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
Now click the blue Scan button and, under Standard Scan (recommended), click on the Scan button.
When the scan is complete, click on the Results button.
NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
Then click on the Report button.
Click the Export button and select "Text file".
Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
Click the Finish button and close the RogueKiller window.
Copy and paste the entire contents of that log into your next reply.

Thanks,
Kevin
Hlppls (author), posted April 25, 2021 (ID 1453337):

OK, I have DL'd it and am running it. It made me go through quite a few pages of choices and I just Nexted all, and didn't enable the Beta one. It did not let me use Desktop but instead only the Programs folder. I used the blue Scan All button as per.. Result below, but it said nothing. I googled the website; it's a phone comms, data and VPN company. I only use a VPN (Orebot) on my phone and do not have it synced with my PC. Still, huge thanks for going through this with me so far :)

Attachment: RKlog.txt
Hlppls (author), posted April 25, 2021 (ID 1453339):

At least RogueKiller told me a few programs I need to update, and I have xD
kevinf80, posted April 25, 2021 (ID 1453340):

You mention a link in notifications to change your MS account password. Do you still have that link? Can you post it in a reply?
Hlppls (author), posted April 25, 2021 (ID 1453346):

It was an, apparently standard, MS notice saying if I changed it, leave it; if I didn't, then change it. I don't have the actual "link"; it was more a box from MS. I've seen them before, kind of like the PIN notice you get occasionally. It left no log/record that I can find, though, without logging into MS. I should have screenied it, maybe.
kevinf80, posted April 25, 2021 (ID 1453350), edited April 26, 2021 by kevinf80 (typing error):

I was just curious; from what you describe it seems to have been legitimate. Are you still receiving blocks? If so, do you have the Chrome browser open and in use at that time?
Hlppls (author), posted April 25, 2021 (ID 1453356):

No, no more detections or blocks since talking to you. Glad it seems OK; I use this PC for a few things, gaming aside, and don't want things being messed with. I have this thread bookmarked too but need to go to bed. Work, work, as the old orcs say xD. Thanks for your time today, Kevin mate, but my alarm just went off. :( We went through quite a few things. The Taiwan thing though is intriguing.. unless Virgin has farmed out? lol. Anyways, gotta go.
kevinf80, posted April 26, 2021 (ID 1453381):

Hiya Hlppls,

Run your system as you normally do for 24 hours and see if the blocks have totally ceased.

Thank you,
Kevin
kevinf80, posted April 30, 2021 (ID 1454205):

Any progress...?
Hlppls (author), posted April 30, 2021 (ID 1454297):

Hi Kev. It seems they have, although I haven't been able to use my PC until now... work weight for Covid :( I'll check back, especially if they do.
Hlppls (author), posted April 30, 2021 (ID 1454299):

I'll let it run today while doing shower and food and stuff; my partner just wants to watch stuff on the telly, so not sure if I can be "active" so much while it does...
kevinf80, posted April 30, 2021 (ID 1454335):

OK, update me when you can...
kevinf80, posted May 3, 2021 (ID 1454805):

Any progress...?
Hlppls (author), posted May 4, 2021 (ID 1454940):

I have had no other detections since. I left my PC running for a few hours a couple of times, yesterday and a day or so before, and still have none. As to the thing about it seeming legitimate, I'm kinda lost. I have had Chrome going and possibly did when it happened, although I also have DuckDuckGo as a plugin, I believe. Huge thanks for your patience as well, dude. I have to go out for a bit now, but will keep everything on and running. Anything else we can do or look at? BTW, I still have the RogueKiller app, although I have it stopped atm. Should I use this instead of, or with, MWB?