Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Something's Trying to Get Out 2

  1. #1
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default Something's Trying to Get Out 2

    My earlier thread is closed.

    I have not used this PC much since we finished that thread about 5 days ago.

    Tonight I got a pop-up from K9 that it had blocked outgoing traffic of some sort. These are tough to catch because the behavior gets blocked, I see a pop-up, and then it goes away. You have to click them fast.

    I clicked this one. I attached a screen capture of the K9 info screen that it took me to. I know nothing of the website listed, and certainly didn't try to go there (and I've barely clicked anything at all since I sat down here a few minutes ago).
    Attached Images Attached Images

  2. #2
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Not finding much of anything to say it's actually malicious, which browser was loaded at that time?

    Sometimes these come in as false positives. Not saying thats the case here but we'll do some searching.

    Use your onboard antivirus to do a full scan.
    If anything is found can you post the log from this?
    ~~~
    Next

    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) andsave the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default Will Get Back to You in 48 Hours

    I was running 3 browsers at the time: Firefox, Chrome, and Opera. I will try and not have more than one open at a time for a while, and see if I can isolate these warnings to one of them.

    ********************************

    I will run my antivirus and get back to you.

    I will then run FRST. Do note that we don't have a log from this made after the last round of fixes, only from before.

    The next two days are kind of crazy. No guarantee I will get this done before Thursday evening, but I'll try.

  4. #4
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default One More Thing

    When you said this could be a false positive, do you think that this might be some sort of link to the outside that's activated by just browsing to a certain webpage? And it's caught by K9 because it is on their internal blacklist (or not on their whitelist)?

    I guess what I'm wondering is could I be getting false positives from K9 due to passive rather than active behavior on my part?

  5. #5
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Quote Originally Posted by BooBounder View Post
    When you said this could be a false positive, do you think that this might be some sort of link to the outside that's activated by just browsing to a certain webpage? And it's caught by K9 because it is on their internal blacklist (or not on their whitelist)?

    I guess what I'm wondering is could I be getting false positives from K9 due to passive rather than active behavior on my part?
    I will then run FRST. Do note that we don't have a log from this made after the last round of fixes, only from before.
    Yes, I would like to have a fresh log from FRST.

    Heres my thoughts
    You have an application on your computer that reaches out to connect for updates, could be by using an add-blocker could stop it from activating, could be a specific web site with an embedded url.....
    Could be an old outdated list from K9, I just don't know.
    If we run all new/fresh scans and we don't find anything, hate to admit being kinda lost about it.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #6
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default Still Waiting

    I have been running a full scan with Windows Defender. It is taking a long time. I'm being patient with it.

  7. #7
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Has it found anything?

    Let's also do this

    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) andsave the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  8. #8
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default Windows Defender Report

    This was from a full rather than a quick scan.

    I will let you take a look at this and reply before I run FRST.

    I quarantined everything found (which is mostly on quite old stuff that is archived on this PC). Two threats were recommended for removal, but I did not do that yet. Please advise.

    I was still having trouble with my PC running slow when Windows Defender finished (I did a quarantine and a reboot and it's much better). Anyway, so I used PowerShell to generate this log before the reboot, in case there was an underlying partial crash that prevented logging.

    There's a few password hacking programs on there. This was mostly to help deal with a teenager that was getting into some trouble, and wouldn't open her accounts.

    PS C:\windows\system32> get-mpthreatdetection


    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {FFCF2916-1709-4BB7-A7A4-54A77BCBD458}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\dialupass.zip, file:_C:\Users\Dave\Downloads\Flashdrive
    (Black) Offload 18-06-18\Utilities\dialupass\Dialupass.exe,
    file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\dialupass.zip->Dialupass.exe,
    regkey:_HKCU@S-1-5-21-4063716828-1680190529-1648852121-1000\software\NirSoft}
    ThreatID : 2147663673
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {BEBC61E4-705E-47A6-8972-D972450F2381}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\webbrowserpassview.zip,
    file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\webbrowserpassview.zip->WebBrowserPassView.exe}
    ThreatID : 2147685165
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {2ADDF115-DF16-4BE9-A14E-337FFE58F316}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\pspv.zip, file:_C:\Users\Dave\Downloads\Flashdrive
    (Black) Offload 18-06-18\Utilities\Zip Files\pspv.zip->pspv.exe}
    ThreatID : 2147597639
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {F9B1D1D7-C118-4364-931C-8E43624E0F2E}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\netpass.zip, file:_C:\Users\Dave\Downloads\Flashdrive
    (Black) Offload 18-06-18\Utilities\Zip Files\netpass.zip->netpass.exe}
    ThreatID : 2147605535
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID : {8BAA532B-387C-4D59-BF6C-E948FF3E068C}
    DetectionSourceTypeID : 3
    DomainUser : 2012_Office\Office Administrator
    InitialDetectionTime : 8/10/2018 1:35:25 PM
    LastThreatStatusChangeTime : 8/10/2018 1:39:05 PM
    ProcessName : C:\EEK\bin64\a2emergencykit.exe
    RemediationTime : 8/10/2018 1:39:05 PM
    Resources : {file:_C:\Users\Dave\Downloads\Installed\OrbitSetup4.1.18_20130502_1.exe}
    ThreatID : 2147723143
    ThreatStatusErrorCode : 0
    ThreatStatusID : 3
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {062C127A-779B-42F6-BD11-D81D17B4181C}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {file:_P:\Laptop Backup 14-04-06\Documents and Settings\Ben\My
    Documents\Downloads\Java.exe}
    ThreatID : 2147723656
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {08B65E84-DD70-407B-B1AC-48CF97905A80}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {file:_P:\Old External Drive Back Up 14-04-06\Office Backup\My Documents\Zip
    Files\Utilities\AutoHotkey104608_Install.exe}
    ThreatID : 2147723143
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {A4B13D61-8E7A-47CE-B22F-01FB0502D061}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\mailpv.zip, file:_C:\Users\Dave\Downloads\Flashdrive
    (Black) Offload 18-06-18\Utilities\Zip Files\mailpv.zip->mailpv.exe}
    ThreatID : 2147571412
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {CDF1634A-3A17-4103-A2FC-9D74D0A77866}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Installed\Format Factory\FFSetup3.0.1.exe,
    file:_C:\Users\Dave\Downloads\Installed\Format
    Factory\FFSetup3.0.1.exe->(nsis-6-v9fft.exe)}
    ThreatID : 240791
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :

    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.18.1807.18075
    CleaningActionID : 9
    CurrentThreatExecutionStatusID : 0
    DetectionID : {24477645-C696-40F0-A57C-6390EA08DF41}
    DetectionSourceTypeID : 1
    DomainUser : 2012_Office\Dave
    InitialDetectionTime : 8/25/2018 3:06:32 AM
    LastThreatStatusChangeTime : 8/25/2018 3:06:32 AM
    ProcessName : Unknown
    RemediationTime :
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\wirelesskeyview.zip,
    file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\wirelesskeyview.zip->WirelessKeyView.exe}
    ThreatID : 2147657007
    ThreatStatusErrorCode : 0
    ThreatStatusID : 1
    PSComputerName :



    PS C:\windows\system32> get-mpthreat


    CategoryID : 13
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Installed\Format Factory\FFSetup3.0.1.exe,
    file:_C:\Users\Dave\Downloads\Installed\Format Factory\FFSetup3.0.1.exe->(nsis-6-v9fft.exe)}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 240791
    ThreatName : BrowserModifier:Win32/Beilextec
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\mailpv.zip, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\mailpv.zip->mailpv.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147571412
    ThreatName : HackTool:Win32/Mailpassview
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\pspv.zip, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\pspv.zip->pspv.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147597639
    ThreatName : HackTool:Win32/Passview
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\netpass.zip->netpass.exe, containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\netpass.zip}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147605535
    ThreatName : HackTool:Win32/Netpass
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\wirelesskeyview.zip, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\wirelesskeyview.zip->WirelessKeyView.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147657007
    ThreatName : HackTool:Win32/Wirekeyview
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\dialupass.zip, regkey:_HKCU@S-1-5-21-4063716828-1680190529-1648852121-1000\software\NirSoft,
    file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\dialupass.zip->Dialupass.exe, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\dialupass\Dialupass.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147663673
    ThreatName : HackTool:Win32/Dialupas
    TypeID : 0
    PSComputerName :

    CategoryID : 34
    DidThreatExecute : False
    IsActive : True
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\webbrowserpassview.zip, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\webbrowserpassview.zip->WebBrowserPassView.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 4
    ThreatID : 2147685165
    ThreatName : HackTool:Win32/BrowserPassview
    TypeID : 0
    PSComputerName :

    CategoryID : 8
    DidThreatExecute : False
    IsActive : True
    Resources : {file:_C:\Users\Dave\Downloads\Installed\OrbitSetup4.1.18_20130502_1.exe, file:_P:\Old External
    Drive Back Up 14-04-06\Office Backup\My Documents\Zip Files\Utilities\AutoHotkey104608_Install.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 5
    ThreatID : 2147723143
    ThreatName : Trojan:Win32/Bitrep.B
    TypeID : 0
    PSComputerName :

    CategoryID : 8
    DidThreatExecute : False
    IsActive : True
    Resources : {file:_P:\Laptop Backup 14-04-06\Documents and Settings\Ben\My Documents\Downloads\Java.exe}
    RollupStatus : 1
    SchemaVersion : 1.0.0.0
    SeverityID : 5
    ThreatID : 2147723656
    ThreatName : Trojan:Win32/Fuerboos.E!cl
    TypeID : 0
    PSComputerName :

  9. #9
    Junior Member
    Join Date
    Aug 2018
    Posts
    26

    Default One More Thing

    The two that are quarantined, but that Windows Defender wants to remove, are Bitrep.B and Beilextec. Should I remove them?

  10. #10
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Let me show you what I've found

    The 2 below files/folders if not deleted can be.
    C:\Users\Dave\Downloads\Installed\OrbitSetup4.1.18_20130502_1.exe
    P:\Laptop Backup 14-04-06\Documents and Settings\Ben\MyDocuments\Downloads\Java.exe

    There's a few password hacking programs on there. This was mostly to help deal with a teenager that was getting into some trouble, and wouldn't open her accounts.
    And those programs you downloaded and installed are found.
    some identify AutoHotKey as a hacking tool. If you installed this then leave it alone.
    Resources : {file:_P:\Old External Drive Back Up 14-04-06\Office Backup\My Documents\Zip Files\Utilities\AutoHotkey104608_Install.exe}

    Is considered a freeware hack tool that is used to display passwords for a number of email applications.This tool is used by hackers to hack other computers.
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\mailpv.zip, file:_C:\Users\Dave\Downloads\Flashdrive(Black) Offload 18-06-18\Utilities\Zip Files\mailpv.zip->mailpv.exe}


    Let's remove the below. Research shows me other's had this and it was deleted.
    C:\Users\Dave\Downloads\Installed\Format Factory\FFSetup3.0.1.exe

    I find the below to be legit. Only thing that comes to mind, as well as with the other legit apps, adware/spyware downloaded along with it.
    But it's not displaying any of that.
    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload
    18-06-18\Utilities\Zip Files\wirelesskeyview.zip,
    file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\wirelesskeyview.zip->WirelessKeyView.exe}

    The below utility is also used as a hacking tool. Can you see why it was flagged?
    Hacktools can be used to patch or "crack" some software so it will run without a valid license or genuine product key.
    Beware of running hacktools because they can be associated with malware or unwanted software.

    Resources : {containerfile:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip
    Files\pspv.zip, file:_C:\Users\Dave\Downloads\Flashdrive (Black) Offload 18-06-18\Utilities\Zip Files\pspv.zip->pspv.exe}

    Heres the long story short
    Nirsoft is and can be used to steal passwords. You are trying to access a PC by the sounds of it.
    Nirsoft to access wifi passwords and windows credentials, even passwords from internet explorer, firefox and chrome.
    (I did a quarantine and a reboot and it's much better
    Hope this is still ongoing?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •