Multiple Inbound Connections Being Made + More Issues


Hey guys

I have multiple blocked inbound connections every day. In the last week or two it's mostly been from the application Splunk (which I used for my university work); however, before that (starting from around last September/October, when I got Malwarebytes) it would come from various applications such as Microsoft Edge and wininit.exe.

Around last August/September I installed a virus on my PC by accident, which scraped all my details including passwords, card info etc. Since then I have changed all my passwords and hard reset my PC around three to four times (the first time by doing so through Windows, the other times by using an ISO USB drive. One of the times I used the ISO drive I also formatted all my drives before I booted on the ISO USB drive, not using quick format). Even after doing so, as well as clearing all passwords from my browser password managers and disabling them, my passwords have been taken, and attempts to log in to my accounts have been made (specifically my Steam), even after multiple changes to my passwords. Malwarebytes has not been successful in finding any malware on my PC, however.

 

Please can anyone help me with finding whatever's on my PC, as well as stopping the multiple blocked inbound connections made (or how to prevent them from happening so frequently). It's been driving me wild the last year and I don't want to hard reset my PC again just for my passwords to be stolen again.


I forgot to mention: I also used the TRON script to scan my PC (I did so around twice over the last 6 months). Specifically I followed this video tutorial.

 

I also started a scan while writing this post; it's scanning all of my drives, however there are a lot of drives, so I will probably post the scan report tomorrow morning (GMT time).


Hello @ExileRL and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Hey @1PW, thanks for the reply.

Should I cancel the currently running Malwarebytes scan I started before you replied? I was planning to let it run overnight (screenshot of the scan that I started earlier).

 

I'll post the MBST logs in the next reply.

 

 


Hello @ExileRL:

If the Malwarebytes Custom scan is still running, you may let it go to completion. If the Custom scan was prematurely stopped, an ordinary Threat scan with original/default settings will normally suffice for your assisting helper to follow.

Thank you.


  • Root Admin
2 hours ago, ExileRL said:

I forgot to mention: I also used the TRON script to scan my PC (I did so around twice over the last 6 months). Specifically I followed this video tutorial.

Hello @ExileRL

My professional opinion would be that you back up your personal data and then do either a full reset of the computer or a clean install of Windows. The clean install would be the best method.

 

https://support.microsoft.com/en-us/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5

 

The best method to 100% ensure you have a good, well running, safe, and secure installation of Windows.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

 

 


  • Root Admin

As to your issue about Inbound, there is nothing one can do. Malwarebytes is doing its job blocking them.

It would require an external firewall to fully block that off, and most home users don't have access to control a firewall / router at that level.

 


46 minutes ago, AdvancedSetup said:

Hello @ExileRL

My professional opinion would be that you back up your personal data and then do either a full reset of the computer or a clean install of Windows. The clean install would be the best method.

 

https://support.microsoft.com/en-us/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5

 

The best method to 100% ensure you have a good, well running, safe, and secure installation of Windows.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

 

 

Hey @AdvancedSetup,

 

As I stated in the first message, I've performed a clean reinstall multiple times however even after doing so there have been attempts to log in to my accounts (mainly Steam and my alternative Discord which has email 2FA).

 

The last time I clean reset my PC (roughly around February) I followed this system:

  1. Scan each main folder (Desktop, Documents, Downloads etc.) with Malwarebytes. Once the scans were completed they would be zipped and stored on an external HDD.
  2. Scan files in the AppData folder. Once the scans were completed they would be zipped and stored on an external HDD (this was because I wanted to keep my Minecraft saves and thought I might as well keep the other folders too, just in case).
  3. Format my D:\ and E:\ drives, with Quick Format unchecked.
  4. Boot onto my ISO USB drive. Once booted I would delete all partitions (including C:\ drive partitions) and install Windows onto what used to be the D:\ or E:\ drive.
  5. Boot into Windows and follow setup.
  6. Once completing setup, format the old C:\ drive, with Quick Format unchecked.
  7. Repeat steps 4-6, but using the old C:\ drive as the install location for Windows.

I did this because I was super paranoid that whatever was infecting my system was able to stay on my system even after a clean reinstall, as I had performed at least 2 prior to this one, which is why I reinstalled Windows twice in the end.

Are there any other steps I can do before having to clean reinstall? I've got loads of video files on my PC (from video editing) which I probably won't be able to back up without buying a new drive (which I am unable to do at the moment).

 

I'll be asleep for the next 4-5 hours so please feel free to respond in due leisure. Once I wake up I will also post the custom scan logs that I started when opening this topic (they're still running, it's just scanning all files now).


  • Root Admin
Posted (edited)

Nope, to truly be safe you only back up PERSONAL DATA that YOU created. Not games, not trainers, not uTorrent or items downloaded from uTorrent.

You do not format the drive. You remove all partitions from the drive.

You do not install using an Online Microsoft account, you use a LOCAL Account.

Use a Password Manager and reset ALL your passwords from a known clean system using very strong passwords and MFA/2FA where allowed.
Never use the same password on more than one site, never use Google, Facebook, Discord, etc. links to log in to an account. ALWAYS try to use a separate email-based new logon account.

If you're going to add a secondary data drive then use multiple antivirus programs to search through ALL those programs, but again, using any programs that were downloaded via uTorrent should be at least suspect as a TROJAN.

Set your boot drive to SECURE BOOT

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up to date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
  • Document passwords created and store them in a safe but accessible location.

 

After Windows is installed then double-check that ALL Windows Updates are installed before ever installing any 3rd party software. Since you've had issues in the past then try to secure the computer and use it for a couple days with no games, no 3rd party software at all to ensure that the computer is safe and working as expected.

Windows Defender is actually a pretty good antivirus these days, but it's not at the level yet of a full antivirus. If you're using a paid version of Malwarebytes with Windows Defender it will actually probably be more secure than many other solutions. If you don't have or don't want to purchase Malwarebytes that's okay, I'd still recommend using someone else's antivirus such as Avast (annoying ads but probably still better at catching malware threats than Windows Defender alone).

 

Suggestions to help shore up the privacy and security after a clean install of Windows

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security
  7. DO NOT click on links from "friends" on Discord. Validate and verify any links or download from Discord or similar social media "friends"

Malwarebytes Browser Guard

uBlock Origin

 

DO NOT USE Torrent software to download illegal material

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Edited by AdvancedSetup
Updated information
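
An added example, not part of the original post and not Malwarebytes' own tooling: a read-only PowerShell check that lists which local processes are listening on the TCP/UDP ports the post above says to block at the router, and whether each listener is bound beyond loopback. The function name Get-ProcName and the output column names are choices made for this example.

```powershell
# Added example: audit local listeners on the ports named in the post.
# Read-only; run in an elevated PowerShell window on Windows 10/11.

# Port list taken from the post: 135 ~ 139, 445, 1234, 3389, 5555, 9034
$ports = @(135..139) + 445, 1234, 3389, 5555, 9034

# Hypothetical helper: resolve a PID to a process name, tolerating exited processes
function Get-ProcName([int]$ProcessId) {
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { $p.ProcessName } else { '<unknown>' }
}

# TCP sockets in the Listen state on any of the listed ports
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess

# UDP has no Listen state; every bound endpoint can receive datagrams
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$listeners = @($tcp) + @($udp) | Where-Object { $_ }

$listeners | ForEach-Object {
    [pscustomobject]@{
        Proto   = $_.Proto
        Address = $_.LocalAddress
        Port    = $_.LocalPort
        ProcId  = $_.OwningProcess
        Process = Get-ProcName $_.OwningProcess
        # Loopback-only listeners are not reachable from the network
        Exposed = $_.LocalAddress -notin '127.0.0.1', '::1'
    }
} | Sort-Object Port, Proto | Format-Table -AutoSize

# Host firewall state per profile, to compare with what the router blocks
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Windows itself normally listens on 135, 139 and 445 (RPC and file sharing), so those rows alone do not indicate an infection; what matters is whether an unexpected process owns one of these ports.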

Hey

Small update to this: Malwarebytes didn't detect any malware after the long custom scan it did, so I proceeded to clean reinstall Windows using your guide. Apart from a few photos and documents, I saved nothing and wiped everything.

After doing so and installing the programs I used to use the most (Steam, Riot Games, Discord etc), I decided since I'm gonna be asleep for a bit I'll run something to scan my PC. Since I forgot my Malwarebytes password and got locked out of it, I decided to run Microsoft Safety Scanner (from this source).

On my fresh C drive, which I removed all partitions from, MSS already found 1 infected file after around 5 minutes.

I'm just replying to let you know now and so that this post isn't closed prematurely, I'll post whatever logs come out from it once it completes.

 

 

Thanks in advance for the help btw :)


  • Root Admin

During the scan process it's normal for Microsoft Safety Scanner to show files as infected. At the end it uploads all the information to the Cloud and then runs AI on it to determine if it's truly infected or not.

The final log is what determines if there is an infection or not.

Again, it's best to run the computer for a couple of days and verify if it's safe or not. Many people get infected by trusting friends or so-called friends on Discord, Steam, etc. Try to keep all that stuff off of the computer for a couple of days.

 

Let me get some logs to see what's up. @ExileRL

 

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

This topic is now closed to further replies.