Jump to content

Malicious activity from Half-Life


Recommended Posts

I don't remember any notifications etc. from Malwarebytes. I was doing a regular scan of downloaded stuff and noticed the notification bell. Starting from 1/2/23 to 1/7/23, for 5 days, Malwarebytes blocked a lot of activity from mostly the same addresses. I included the list screenshot and exported info of first two detections. I don't exactly know what to include, so I can provide more if needed.

Only suspected application is Half-Life (hl.exe).

Around the time of first detection (1/2/23):

- I didn't play any online matches since I installed the game (Both Half-Life and CS Condition Zero).

- I didn't install any obvious suspicious mods.

- At the time I was probably occupied with preparing this: 

https://gamebanana.com/mods/420215

 

- I might've used this once: 

https://gamebanana.com/tools/7299

 

- I might've used nvidia's video recording tool to record a video of Counter-Strike and edit it using Kdenlive, which you can see in the mod page above, around this time. Not sure about Kdenlive, that might've been later.

Also, the clock on my pc is set to UTC+02.00

2105281624_Screenshot(215).thumb.png.0dcc02979efa6eb946ad094c2cfb1cf5.png1080727518_Screenshot(216).thumb.png.e13585a0738221b388cd343468c9904f.png974259366_Screenshot(217).thumb.png.a6d8c1029f7063f9bbbc6c6b5e035459.png1100986476_Screenshot(218).thumb.png.b7a4cd81011d6d3e81abd025980be738.png256138539_Screenshot(219).thumb.png.b4945ae1787c9f035493bfe6d8775f11.pngrtp detection 1.2.23 trojan 93.114.82.176.txtrtp detection 1.2.23 compromised 91.211.118.88.txt

Edited by AdvancedSetup
Disabled live hyperlink
Link to post
Share on other sites

Hello @MkfMtr and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file in your next reply to this topic.

Thank you.

Link to post
Share on other sites

  • Root Admin

Yes, Steam Half-Life is calling out to some IP addresses that are known to be bad.

Bonjour is also causing network issues. I'd recommend you uninstall it.

Error: (01/12/2023 03:20:19 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: ProbeCount 2; will deregister   16 DESKTOP-I3A8MJ6.local. AAAA FE80:0000:0000:0000:9F94:D61E:D953:5B6A

 

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

 

Let me have you run the following please @MkfMtr

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post
Share on other sites

  • Root Admin

No, in the vast majority of cases Bonjour is not needed to work with your iPhone. If you were trying to sync your PC data with say an iPad over the network then it might be handy, otherwise it's actually often problematic for many Windows computers.

Interesting that ESET did not find anything.

 

Let's see if Kaspersky finds anything. If not then we may need to look at setting up some exclusions if it continues to be problematic.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

report_2023.01.13_01.47.41.txt I kinda wanted to keep Super Action Hero but whatever. Is it possible that it was a false positive though? That's an old file and it didn't classify as anything specific. Also, there being two copies isn't suspicious. I kept one normally in "installations" folder, and the other is just a copy I made in a more convenient place to use. I haven't run it with any emulators yet though, I think.

Link to post
Share on other sites

  • Root Admin

Clean up all your Browsers. Delete cache, cookies, etc.

For the game, upload the installer or zip file to https://virustotal.com and post back the link to the scan when done.

 

 

Please run the following as well

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

Sorry for the late reply.

https://www.virustotal.com/gui/file/02c10465698516155decb43d450ffba6a7a3b78c478ab2f2408933239d216c6c/detection

SecurityCheck.txt

I removed mDNSResponder service from command prompt and renamed the dll, like in the link you sent. It said not to delete the whole folder just in case something breaks. Should I delete Bonjour completely? Security Check still thinks it's there.

Link to post
Share on other sites

  • Root Admin

Normally an uninstall from the Control Panel is enough for Bonjour.

Please update the following or uninstall as appropriate for your system

 

Git v.2.39.0 Warning! Download Update
Python 3.10.6 (64-bit) v.3.10.6150.0 Warning! Download Update
K-Lite Codec Pack 17.2.0 Standard v.17.2.0 Warning! Download Update

 

If you're still getting alerts from the game, please look at adding exclusions.

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows

 

How is everything looking now?

 

Link to post
Share on other sites

  • Root Admin

The fact that Kaspersky thinks it is an issue carries a lot of weight. I believe we removed that file though so you should not be seeing an issue from it.

We can do another scan though if you like to double-check if any issues found.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

Link to post
Share on other sites

  • Root Admin

Yes, the human mind is one of the best tool to help review mail issues and phishing or other such scams. Even my own account gets nearly a hundred a day every day due to the nature of my work and the same account for twenty years.

 

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.