**Hardware model information** : HP ENVY 14t, specifics available if necessary
**Operating system and version** : Windows 10, latest updated
Hello, and thank you for clicking, I hope you can help. I have some IT knowledge, so I hope I have not missed anything obvious. I have tried to the best of my abilities. A few days ago, my **Runescape account was phished** through an online lookalike site. As someone who has never caught a virus/been phished or anything before, it was pretty demoralising, but I remember the exact point of contact and how they got my information, so I decided I'd just be more careful from now on. Soon after, there was an **attempted login on my Steam account with the CORRECT username and password**. I use a very convoluted password, so arrogantly I use the same one for many sites. The most recent sites I logged onto with the same username and password were NexusMods and ArcadePreHacks. I know NexusMods was hacked a long, long time ago, and I recently logged into NexusMods, but I thought it was too much of a coincidence for it to be so soon after the Runescape phish. What concerns me is, I don't know how whoever this is got hold of my Steam information. I am certain I haven't even logged into Steam with my user and pass on this computer in a month or so, far predating the Runescape phish.
The IP that tried to log in to my Steam Account: **18.104.22.168 (MY).**
I looked it up in a whois database and found out it's a **public Malaysian proxy**. So whoever tried to access my Steam account had some knowledge of infiltration.
I ran **CCleaner**, **Malwarebytes**, **Spybot**, **HitmanPro**, **HijackThis**, a **Windows Defender** antivirus scan, **System Explorer Process Scan** and nothing showed up. I do not have an antivirus, as I have operated under the assumption that Windows Defender is adequate. I can provide logs for HijackThis if there's an experienced HJT user that would be willing to help me out.
I ran **netstat -ano**, cross-referenced the ESTABLISHED connection **PIDs** with Task Manager and found a lot I could find no source for; some of them are (x indicates how many ESTABLISHED connections with the same PID):
PID 8548: 2x
PID 4280: 2x
PID 6892: 2x
PID 9296: 2x
PID 5972: 2x
PID 10372: 2x
PID 5972: 4x
PID 1904: 2x
Closing Firefox seemed to get rid of almost all of them (still unsure if that means Firefox is compromised by some RAT? Why didn't the PIDs show up?).
Except these (further information found from **netstat -b**):
TCP 192.168.1.16:49810 22.214.171.124:https
TCP 192.168.1.16:49821 dfw06s47-in-f4:https
TCP 192.168.1.16:49865 dfw25s07-in-f14:https
**TCP 192.168.1.16:49869 126.96.36.199:https ESTABLISHED**
Google tells me SearchUI.exe is a Cortana thing. But why couldn't I find the PID for the Firefox processes in my Task Manager? Could it still be a chance of a RAT?
Also, I looked up the IPs for SearchUI and got this:
They both happen to be Microsoft servers, is that trustable? Also, the second one seems to have been reported twice.
I would like to stress that **I can provide screenshots of my netstat -ano and netstat -b** on request, as well as HJT logs, or any other logs as necessary. I have had... very unfortunate luck in my life these past 4 months, and it would be nice to get this out of my mind. I am avoiding formatting my PC unless completely, absolutely necessary. I would very much appreciate any advice as to **how else I can check for any compromise of my system**, whether I need to reset my router etc.
Side note: I cannot use RescueDisk as the physical screen of my laptop is broken, and from my understanding RescueDisk requires something to be done at the BIOS splash. I know little to nothing of RescueDisk, only that it involves rootkits.
I ran **netstat -ano and netstat -b with Firefox open**, on a "new tab," with no other tabs open.
One of the Firefox ESTABLISHED connections is to 188.8.131.52
When looked up, it seems to be related to **Verizon in Ashburn, VA, which is not my provider nor where I live. People seem to have reported this IP 33% of times.** OfficeClickToRun.exe *also* had this IP, as well as:
**https://www.abuseipd...ck/184.108.40.206** (OfficeClickToRun.exe had this connection, 3% likeliness, microsoft)
**https://www.abuseipd...ck/220.127.116.11** (Firefox again, 4% abuse, Microsoft)
**Other ESTABLISHED connections that I found are**:
Proto Local Address Foreign Address State
TCP 127.0.0.1:54322 DESKTOP-54K12O5:54323 ESTABLISHED
TCP 127.0.0.1:54322 DESKTOP-54K12O5:54324 ESTABLISHED
TCP 127.0.0.1:54322 DESKTOP-54K12O5:54325 ESTABLISHED
TCP 127.0.0.1:54323 DESKTOP-54K12O5:54322 ESTABLISHED
TCP 127.0.0.1:54324 DESKTOP-54K12O5:54322 ESTABLISHED
TCP 127.0.0.1:54325 DESKTOP-54K12O5:54322 ESTABLISHED
TCP 127.0.0.1:54334 DESKTOP-54K12O5:54335 ESTABLISHED
TCP 127.0.0.1:54335 DESKTOP-54K12O5:54334 ESTABLISHED
TCP 192.168.1.16:49869 18.104.22.168:https ESTABLISHED
TCP 192.168.1.16:49922 22.214.171.124:https ESTABLISHED
TCP 192.168.1.16:49923 126.96.36.199:https ESTABLISHED
TCP 192.168.1.16:49924 188.8.131.52:http TIME_WAIT
TCP 192.168.1.16:54322 a23-222-29-231:http ESTABLISHED
TCP 192.168.1.16:54326 197:https ESTABLISHED
TCP 192.168.1.16:54327 ec2-54-191-133-205:https ESTABLISHED
TCP 192.168.1.16:54328 184.108.40.206:https ESTABLISHED
TCP 192.168.1.16:54329 220.127.116.11:http ESTABLISHED
TCP 192.168.1.16:54330 ec2-34-211-99-53:https ESTABLISHED
TCP 192.168.1.16:54331 18.104.22.168:http ESTABLISHED
TCP 192.168.1.16:54332 ec2-52-26-196-116:https ESTABLISHED
TCP 192.168.1.16:54336 server-13-33-118-82:https ESTABLISHED
TCP 192.168.1.16:54337 dfw25s17-in-f19:https ESTABLISHED
The following showed up in the **netstat -b** but couldn't trace them back to a connection in the **netstat -ano.** But there is an equal number of ESTABLISHED connections in both, leading me to believe they're "encrypted" for some reason in the **netstat -b** as they don't look like IPv4 addresses. Some of them I was able to Google and find some mention of them as Google servers and whatnot. Those I could not trace were:
If anyone can provide any information or advice as to whether these could be malicious or not I'd be extremely grateful.
These IPs, which showed up in AbuseIPDB, were on **netstat -ano** but couldn't be traced back to **netstat -b**, meaning that if my theory is correct, one of the "encrypted" IPs in **netstat -b** is the following and malicious.
I can provide screenshots of my netstat -ano and netstat -b before and after running Firefox, please just ask if you feel you need it, although the information I thought pertinent should already be in this post.
I'm unsure if it's related, but Avira Antivirus won't run/open, even tried reinstalling and repairing.
Edited by vigne115, 19 minutes ago.
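The PID cross-referencing the post does by hand (netstat -ano against Task Manager, then netstat -b) can be scripted, which makes the "which process owns this connection and how foreign is the remote end" question much quicker to answer. The following is an added example, not part of the original post: a Python script that parses saved `netstat -ano` and `tasklist /fo csv` output, joins each connection to its owning image name, classifies the remote address as loopback, private, name-resolved hostname or public, and lists the live connections to public addresses first. The sample text inside it is constructed from addresses quoted in the post; the PIDs and process names are made up.

```python
"""Join saved `netstat -ano` and `tasklist /fo csv` output so each connection
shows its owning image name and how "foreign" its remote address is.
Added example, not from the original post. Capture real input with:
    netstat -ano > netstat.txt   and   tasklist /fo csv > tasklist.csv
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the layout `netstat -ano` prints; the remote addresses
# are the ones quoted in the post, the PIDs are made up.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:54322        127.0.0.1:54323        ESTABLISHED     8548
  TCP    127.0.0.1:54323        127.0.0.1:54322        ESTABLISHED     8548
  TCP    192.168.1.16:49869     18.104.22.168:443      ESTABLISHED     4280
  TCP    192.168.1.16:49922     22.214.171.124:443     ESTABLISHED     4280
  TCP    192.168.1.16:49924     188.8.131.52:80        TIME_WAIT       0
  TCP    192.168.1.16:54328     184.108.40.206:443     ESTABLISHED     6892
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1904
  UDP    0.0.0.0:5353           *:*                                    9296
"""

# Constructed sample of `tasklist /fo csv` (made-up process/PID pairs).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"firefox.exe","4280","Console","1","312,000 K"
"firefox.exe","8548","Console","1","98,000 K"
"OfficeClickToRun.exe","6892","Services","0","40,000 K"
"svchost.exe","1904","Services","0","12,000 K"
'''

def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) >= 5:
            proto, local, remote, state, pid = parts[:5]
        elif parts and parts[0] == "UDP" and len(parts) >= 4:
            proto, local, remote, pid = parts[:4]
            state = ""
        else:
            continue  # header, blank line, or a row we don't recognise
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def classify_remote(addr):
    """'loopback', 'private', 'public', 'hostname' (name-resolved output such
    as `netstat -b` without -n prints), or 'none' for the UDP wildcard."""
    host, _, _port = addr.rpartition(":")
    host = host.strip("[]")  # IPv6 endpoints are printed as [addr]:port
    if host in ("*", ""):
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"

def triage(netstat_text, tasklist_text):
    """Join the two captures into one record per connection."""
    procs = parse_tasklist(tasklist_text)
    records = []
    for r in parse_netstat(netstat_text):
        if r["pid"] == 0:
            # netstat reports PID 0 for TIME_WAIT sockets that no process owns
            # any more, so these legitimately have no Task Manager entry.
            image = "<no owner>"
        else:
            image = procs.get(r["pid"], "<pid not in tasklist>")
        records.append({**r, "image": image,
                        "remote_class": classify_remote(r["remote"])})
    return records

def established_by_pid(records):
    """Count ESTABLISHED connections per PID, as the post tallies by hand."""
    return Counter(r["pid"] for r in records if r["state"] == "ESTABLISHED")

def public_established(records):
    """Live connections to non-private addresses: the rows to look at first."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and r["remote_class"] == "public"]

if __name__ == "__main__":
    recs = triage(NETSTAT_ANO, TASKLIST_CSV)
    for r in public_established(recs):
        print(f'{r["image"]:<24} PID {r["pid"]:<6} -> {r["remote"]}')
    for pid, n in established_by_pid(recs).items():
        print(f"PID {pid}: {n}x ESTABLISHED")
```

Run both capture commands from an elevated prompt so every PID is populated, then pass the file contents to `triage`. Two things the script accounts for that are easy to trip over when matching by eye: `netstat -b` without `-n` prints resolved names (such as `dfw06s47-in-f4:https`) rather than numeric addresses, so those rows land in the `hostname` class rather than looking like a different connection, and TIME_WAIT rows carry PID 0 because the socket no longer has an owning process.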