Potential RAT/Keylogger, need a network/malware expert. Have done all



#1
vigne115

    New Member
  • 1 posts

**Hardware model information** : HP ENVY 14t, specifics available if necessary

**Operating system and version** : Windows 10, latest updated

Hello, and thank you for clicking, I hope you can help. I have some IT knowledge, so I hope I have not missed anything obvious. I have tried to the best of my abilities. A few days ago, my **Runescape account was phished** through an online lookalike site. As someone who has never caught a virus/been phished or anything before, it was pretty demoralising, but I remember the exact point of contact and how they got my information, so I decided I'd just be more careful from now on. Soon after, there was an **attempted login on my Steam account with the CORRECT username and password**. I use a very convoluted password, so arrogantly I use the same one for many sites. The most recent of which that I logged onto were NexusMods and ArcadePreHacks, with the same username and pass. I know NexusMods was hacked a long, long time ago, and I recently logged into NexusMods, but I thought it was too much of a coincidence for it to be so soon after the Runescape phish. What concerns me is, I don't know how whoever this is got hold of my Steam information. I am certain I haven't even logged into Steam with my user and pass on this computer in a month or so, far predating the Runescape phish.

The IP that tried to log in to my Steam Account: **192.228.245.230 (MY).**

I looked it up in a whois database and found out it's a **public Malaysian proxy**. So whoever tried to access my Steam account had some knowledge of infiltration.

I ran **CCleaner**, **Malwarebytes**, **Spybot**, **HitmanPro**, **HijackThis**, a **Windows Defender** antivirus scan, **System Explorer Process Scan** and nothing showed up. I do not have an antivirus, as I have operated under the assumption that Windows Defender is adequate. I can provide logs for HijackThis if there's an experienced HJT user that would be willing to help me out.

I ran **netstat -ano**, cross-referenced the **ESTABLISHED connection PIDs** with Task Manager and found a lot I could find no source for. Some of them are (x indicates how many ESTABLISHED connections with the same PID):

  • PID 8548? 2x
  • PID 4280? 2x
  • PID 6892? 2x
  • PID 9296? 2x
  • PID 5972? 2x
  • PID 10372? 2x
  • PID 5972? 4x
  • PID 1904? 2x

Closing Firefox seemed to get rid of almost all of them (still unsure if it means Firefox is compromised by some RAT? Why didn't the PIDs show up?)

Except these (further information found from **netstat -b**):

 [SearchUI.exe]
  **TCP    192.168.1.16:49810     13.107.51.254:https    ESTABLISHED**
 [SearchUI.exe]
  TCP    192.168.1.16:49821     dfw06s47-in-f4:https   TIME_WAIT
  TCP    192.168.1.16:49865     dfw25s07-in-f14:https  TIME_WAIT
  **TCP    192.168.1.16:49869     52.173.24.17:https     ESTABLISHED**
  WpnService

Google tells me SearchUI.exe is a Cortana thing. But why couldn't I find the PID for the Firefox processes in my Task Manager? Could there still be a chance it's a RAT?

Also, I looked up the IPs for SearchUI and got this:

**https://www.abuseipd...13.107.51.254**

**https://www.abuseipd.../52.173.24.17**

They both happen to be Microsoft servers, is that trustable? Also, the second one seems to have been reported twice.


I would like to stress **I can provide screenshots of my netstat -ano and netstat -b** on request, as well as HJT logs, or any other logs as necessary. I have had... very unfortunate luck in my life these past 4 months, and it would be nice to get this out of my mind. I am avoiding formatting my PC unless completely absolutely necessary. I would very much appreciate any advice as to **how else I can check for any compromise of my system**, whether I need to reset my router etc.

Side note: I cannot use RescueDisk as the physical screen of my laptop is broken, and from my understanding RescueDisk requires something to be done at the BIOS splash. I know little to nothing of RescueDisk, only that it involves rootkit

I ran **netstat -ano and netstat -b with Firefox open,** on a "new tab," no other tabs open.

One of the Firefox ESTABLISHED connections is to 72.21.91.29

https://www.abuseipd...eck/72.21.91.29

When looked up, it seems to be related to **Verizon in Ashburn, VA, which is not my provider nor where I live. People seem to have reported this IP 33% of times.** OfficeClickToRun.exe *also* had this IP, as well as:

**https://www.abuseipd...ck/13.107.3.128** (OfficeClickToRun.exe had this connection, 3% likeliness, microsoft)

**https://www.abuseipd...ck/52.173.24.17** (Firefox again, 4% abuse, Microsoft)



**Other ESTABLISHED connections that I found are**:

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:54322        DESKTOP-54K12O5:54323  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54322        DESKTOP-54K12O5:54324  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54322        DESKTOP-54K12O5:54325  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54323        DESKTOP-54K12O5:54322  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54324        DESKTOP-54K12O5:54322  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54325        DESKTOP-54K12O5:54322  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54334        DESKTOP-54K12O5:54335  ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:54335        DESKTOP-54K12O5:54334  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:49869     52.173.24.17:https     ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.168.1.16:49922     52.232.69.150:https    ESTABLISHED
 [OfficeClickToRun.exe]
  TCP    192.168.1.16:49923     13.107.3.128:https     ESTABLISHED
 [OfficeClickToRun.exe]
  TCP    192.168.1.16:49924     72.21.91.29:http       TIME_WAIT
  TCP    192.168.1.16:54322     a23-222-29-231:http    ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54326     197:https              ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54327     ec2-54-191-133-205:https  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54328     151.101.48.193:https   ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54329     72.21.91.29:http       ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54330     ec2-34-211-99-53:https  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54331     72.21.91.29:http       ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54332     ec2-52-26-196-116:https  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54336     server-13-33-118-82:https  ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.16:54337     dfw25s17-in-f19:https  ESTABLISHED

The following showed up in the **netstat -b** but couldn't trace them back to a connection in the **netstat -ano.** But there is an equal number of ESTABLISHED connections in both, leading me to believe they're "encrypted" for some reason in the **netstat -b** as they don't look like IPv4 addresses. Some of them I was able to Google and find some mention of them as Google servers and whatnot. Those I could not trace were:

server-13-33-118-82
 
a23-222-29-231

ec2-54-191-133-205

ec2-52-26-196-116



If anyone can provide any information or advice as to whether these could be malicious or not I'd be extremely grateful.

These IPs showed up in AbuseIPDB that were on **netstat -ano** but couldn't be traced back to **netstat -b,** meaning if my theory is correct one of the "encrypted" IPs in **netstat -b** is the following and malicious.

**https://www.abuseipd...172.217.6.179**



I can provide screenshots of my netstat -anu and netstat -b before and after running Firefox, please just ask if you feel you need it, although the information I thought pertinent should already be in this post.

 

I'm unsure if it's related, but Avira Antivirus won't run/open, even tried reinstalling and repairing.


Edited by vigne115, 19 minutes ago.
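The manual check the post describes (run `netstat -ano`, then look each ESTABLISHED PID up in Task Manager) can be done in one pass by joining the numeric listing against `tasklist /FO CSV`. The script below is an added example and is not code from the post or from any tool the poster used. It parses both listings, tags every remote address as loopback, private or public, and reports public ESTABLISHED connections whose PID no longer appears in the process list, which is the situation the poster ran into with the Firefox connections. Both listings in the block are constructed samples in the real Windows output format; the PIDs and addresses are illustrative, not the poster's real data. Note that `netstat -ano` is numeric (`-n`) while `netstat -b` without `-n` prints reverse-resolved hostnames, which is why the two listings look different; this script only consumes the numeric form.

```python
"""Join `netstat -ano` with `tasklist /FO CSV` and flag unattributed public connections.

Added example (not from the forum post). Sample listings are CONSTRUCTED;
PIDs and addresses are illustrative only.
"""
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (Proto, Local, Foreign, State, PID).
# UDP rows have no State column; a TIME_WAIT socket shows PID 0 because no
# process owns it any more.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:54322        127.0.0.1:54323        ESTABLISHED     4280
  TCP    192.168.1.16:49869     52.173.24.17:443       ESTABLISHED     1904
  TCP    192.168.1.16:54329     72.21.91.29:80         ESTABLISHED     4280
  TCP    192.168.1.16:54337     172.217.6.179:443      ESTABLISHED     9296
  TCP    192.168.1.16:49924     72.21.91.29:80         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1904
"""

# Constructed sample of `tasklist /FO CSV`; PID 9296 is deliberately absent
# (process exited between the two commands, e.g. a closed browser tab process).
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1904","Services","0","21,000 K"
"firefox.exe","4280","Console","1","310,000 K"
"""


def _split_endpoint(endpoint):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def _scope(host):
    """Classify a remote address: loopback, private (RFC 1918 / link-local) or public."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a hostname, e.g. from a listing taken without -n
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def parse_netstat_ano(text):
    """Return one dict per TCP row; header and UDP rows (4 columns) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "TCPv6"):
            continue
        proto, local, foreign, state, pid = parts
        rhost, rport = _split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def correlate(netstat_text, tasklist_text):
    """Attach process name (None if the PID is gone) and address scope to each row."""
    procs = parse_tasklist_csv(tasklist_text)
    rows = parse_netstat_ano(netstat_text)
    for r in rows:
        r["process"] = procs.get(r["pid"])
        r["scope"] = _scope(r["remote_host"])
    return rows


def unattributed_public(rows):
    """ESTABLISHED connections to public addresses whose owning PID is not in the process list."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and r["scope"] == "public" and r["process"] is None]


def established_per_pid(rows):
    """The 'PID xxxx? 2x' tally from the post, computed rather than counted by hand."""
    counts = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            counts[r["pid"]] = counts.get(r["pid"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = correlate(NETSTAT_ANO, TASKLIST_CSV)
    for r in rows:
        print(f"{r['state']:<12} {r['remote_host']:>16}:{r['remote_port']:<5} "
              f"pid={r['pid']:<6} {r['process'] or '<no such process>':<20} {r['scope']}")
    print("unattributed public:", [r["pid"] for r in unattributed_public(rows)])
    print("established per PID:", established_per_pid(rows))
```

Run `netstat -ano > ns.txt` and `tasklist /FO CSV > tl.csv` back to back, then feed the two files into `correlate`. A PID that has vanished between the two snapshots usually means a short-lived process exited; re-run both commands together a few times before treating it as a hidden process. A PID that stays present in `netstat` while being absent from `tasklist` is the case worth escalating.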
