Hello all,

I've been having RTP outbound compromised events I reported in:

I found an issue to the internet ping overrides from the game, but do believe after further events I have a trojan or something I can't seem to get rid of.

I had done a factory reset of my windows 10 and it wiped the hard drive, also did a factory reset of my router.

First thing I installed was Malwarebytes, and I still keep getting these notifications when launching the game Valheim. However I have new events now outside of just the RTP compromised events.

I now have RTP detection - Trojan, and had an RTP Detection Exploit CVE that got quarantined.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/15/22
Protection Event Time: 3:15 PM
Log File: 16887cd8-4cc6-11ed-b882-c0b5d7b1afd0.json

-Software Information-
Version: 4.5.15.215
Components Version: 1.0.1784
Update Package Version: 1.0.61105
License: Premium

-System Information-
OS: Windows 10 (Build 19043.2130)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Exploit.CVE202121551.Vulnerable, C:\Windows\Temp\DBUtil_2_3.Sys, Quarantined, 13223, 940272, 1.0.61105, , ame, , ,


(end)

I'm not sure what to do since I've run extended rootkit scans from Malwarebytes and have done the factory reset of the computer.


The trojan event log details are:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/17/22
Protection Event Time: 11:35 AM
Log File: ab9e5d32-4e39-11ed-b1d2-c0b5d7b1afd0.json

-Software Information-
Version: 4.5.15.215
Components Version: 1.0.1784
Update Package Version: 1.0.61184
License: Premium

-System Information-
OS: Windows 10 (Build 19043.2130)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 72.21.17.20
Port: 2457
Type: Outbound
File: C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe

 

(end)

I've gone ahead and uninstalled this game as well now.


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach mbst-grab-results.zip to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • I do need the support zip reports to see more detail

Hi Maurice, thank you!

I have a custom scan that's taking a bit longer and finishing up still, but so far still returning all clean.

I had read the "I'm infected post", so had also downloaded and ran the Farbar Recovery Scan Tool. I'll attach those logs here.

Once my custom scan finishes running, I'll run the Malwarebytes MBST Support tool I just downloaded as well, and post back the log results.

Again, thank you!

Addition.txt FRST.txt


Thanks. Now then, if you have a scan in progress now, wait till after it has finished.
Then do not do anything else on your own. I will be guiding you.
Firstly, do not run any games of any sort while the case is still open.
Do these steps when the system is idle.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

( Step 2 )
Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows 😃.

Close Malwarebytes.

( Step 3 )

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is on the log-report-file.

This is likely to run for many hours (depending on number of files on your machine & the speed of hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


We now do a custom script run. This will do checks of the system.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe on the Downloads folder to run a custom script.

This custom script is for BryerB machine only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt to the Downloads folder

Fixlist.txt <<< - - - -

Then, Start the Windows Explorer and then, go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait. 👈

PLEASE have patience when this starts. You will see a green progress bar start. Please attach the Fixlog.txt report. 😉

Edited by Maurice Naggar

Hey Maurice!

Thank you for your continued  help, I greatly appreciate it.

I reinstalled the valheim game and tried to connect to my dedicated server again, and did get another pop up.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/18/22
Protection Event Time: 10:20 AM
Log File: 6f08fcf0-4ef8-11ed-a32a-c0b5d7b1afd0.json

-Software Information-
Version: 4.5.15.215
Components Version: 1.0.1784
Update Package Version: 1.0.61230
License: Premium

-System Information-
OS: Windows 10 (Build 19043.2130)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 68.235.43.172
Port: 2457
Type: Outbound
File: C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe

 

(end)


If you believe that to be the case, then make a new posting at the sub-forum https://forums.malwarebytes.com/forum/123-website-blocking/

Provide them with a full copy of the block log info.   

  1. Open Malwarebytes for Windows.
  2. Click the Detection History card.
  3. Click the History tab.
  4. Look for the most-recent-dated report.
  5. Hover your cursor over the report you want to view and click the eye icon.
  6. Summary window displays to show the threat details, the protection date and time, and the action executed.
  7. Click the Advanced tab in this window.
  8. If you want to download the full report, click Export, then click either Copy to Clipboard or Text File (*.txt).

 

Edited by Maurice Naggar
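
Text reports exported with the steps above can be compared side by side before they are posted to the website-blocking sub-forum. The script below is an added example, not part of the original posts or of any Malwarebytes tooling; it assumes the text layout seen in the reports quoted in this thread (section lines such as -Website Data-, "Key: value" lines, an (end) terminator), and the function names are hypothetical.

```python
import re
from collections import defaultdict

SECTION = re.compile(r"^-(.+)-$")                          # e.g. -Website Data-
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # e.g. Port: 2457

def parse_reports(text):
    """Return one dict per report: {section: {key: value, "rows": [[...]]}}."""
    reports, current, section = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line == "(end)":                  # terminator of each pasted report
            reports.append(current)
            current, section = {}, None
        elif m := SECTION.match(line):
            section = current.setdefault(m.group(1), {"rows": []})
        elif section is not None and (m := KEY_VALUE.match(line)):
            section[m.group(1)] = m.group(2)     # may be empty, e.g. "Domain:"
        elif section is not None and "," in line:
            # comma-separated detail row (detection name, path, action, ...)
            section["rows"].append([f.strip() for f in line.split(",")])
    return [r for r in reports + [current] if r]

def group_website_blocks(reports):
    """Map (process, port, direction) -> [(date, ip), ...] for website blocks."""
    groups = defaultdict(list)
    for rep in reports:
        if web := rep.get("Website Data"):
            key = (web.get("File", ""), web.get("Port", ""), web.get("Type", ""))
            date = rep.get("Log Details", {}).get("Protection Event Date", "")
            groups[key].append((date, web.get("IP Address", "")))
    return dict(groups)

# Sample input: abridged from the two website-block reports quoted in this thread.
SAMPLE = r"""-Log Details-
Protection Event Date: 10/17/22
-Website Data-
IP Address: 72.21.17.20
Port: 2457
Type: Outbound
File: C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe
(end)
-Log Details-
Protection Event Date: 10/18/22
-Website Data-
IP Address: 68.235.43.172
Port: 2457
Type: Outbound
File: C:\Program Files (x86)\Steam\steamapps\common\Valheim\valheim.exe
(end)"""

print(group_website_blocks(parse_reports(SAMPLE)))
```

For the two reports in this thread it yields a single group: valheim.exe, port 2457, Outbound, with two different destination IP addresses.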

As to the IP address I have no idea about it. That is why I encourage you to make the new post at the sub-forum https://forums.malwarebytes.com/forum/123-website-blocking/

As to your pc, you may do a different scan. 

This here you can start & once it is under way, you can leave the machine alone & let it run. No need to keep watch once it starts the actual scan run. 

This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Ah thank you! I appreciate all your assistance.

I do believe there's a trojan or malicious program somewhere that's trying to mask itself and use valheim when it runs, and reaching out to those IP addresses that are reported as malicious.

I've run the eset scan and attached the file. Looks like it came back clean.

If we exhaust all scans and are unable to detect it, would reinstalling windows from a USB drive be helpful?

eset-scan-log.txt


Heyo Maurice,

Wanted to post a quick update. Since I had reinstalled the game valheim to test if the IP address block notifications were still coming up, I wanted to repeat a previous scan.

I did a new scan from Microsoft Safety Scanner, but chose a full system scan for this one. It has found an infected file, but isn't complete yet. Once it is, I'll report back with those results as well.


A. As to the MSERT display ....that is a known quirk.

B. I prefer to see the MSERT.log and its content. Only look at the log-file-report and forget the display.

C. as to the MS Safety Scanner "display". For your benefit and everyone else reading this topic....
about what you "saw" on intermediate displays of the Microsoft Safety Scanner, I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html

Also, the post by EricYin of Microsoft ( just below that section)

Quote

if nothing reported in %SYSTEMROOT%\debug\msert.log, that means no infections.

It's only the final report that matters. For the gory details, see https://answers.microsoft.com/en-us/protect/forum/protect_scanner-protect_scanning-windows_10/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3?messageId=e199de56-9a50-4cc5-a37a-3a7f2708b093

See also https://support.microsoft.com/en-us/topic/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner-6cd5faa1-f7b4-afd2-85c7-9bed02860f1c
 
