
Inbound svchost RTP detection every 2-3 minutes



Hello,

For about 2 days I have been getting a notice every 2 or 3 minutes that an RTP Detection has occurred. Every single time it has been a "Compromised" Event Detail and "Blocked Website" Action. The IP address has been a few different ones but they repeat often.

I have done a full scan with MWB, which did not find anything.

I have attached Addition.txt and FRST.txt

Thanks!!!


Hi, welcome!
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach all report files, etc. that I ask for as we go along.

I need other details from a different report set. Also, screen grabs do not have all the detail I need.

You made no mention at all of whether a web browser was in use when the Block event happened.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" event is entirely different from a "malware detected" event.

The website Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is being reached (outgoing) or is trying to access your PC.

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.
On outbound blocks, any attempted connection was stopped.

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (e.g. 123.23.34 and 4.44.56).
A browser is not required to be running; just an active Internet connection with processes running, such as instant messenger clients, Skype or peer-to-peer software, can trigger these alerts.

These are also triggered by banner ads running on websites, which is the most common form of alert.


I would appreciate getting some key details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    Now click the left-hand side pane "I do not have an open support ticket"
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Please know that I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your replies as we go along. Do not copy/paste into the main body.

Thank you,
Sincerely.


Could you explain a bit more exactly what these types of events are?

Please help me understand? 😀 I am not having any system issues or odd behavior that i have noticed, but posted for support because all of the sudden I have been getting these pop ups below warning me of these inbound events constantly for two days. They are constant even if nothing is open on the PC. I am not clear on if I should be concerned though from reading your first post.

If i had to guess from the non-descriptive headers MWB uses, a blocked website action on an internal event would be someone or some ip trying to access my computer? Or trying to access from on my computer via svchost? 


I suspect each case like this is a little different. I have not found an absolute commonality as to what the source trigger is.

I would like to know though, whether on this PC you were running Remote Desktop access, or any other app that uses remote connections?

In any event, the real-time protection of Malwarebytes is keeping your PC safe from harm.

As much as possible, keep all web browsers closed during this case. Do not do any web surfing. No online games. No instant messenger apps.

 

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects, if it finds anything, that is.
Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP and for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list control. We want all PUP and PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Then, locate the scan run report, export a copy, and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Thank you very much for the scan report. Indeed, there is no on-board infection.

The blocks are on addresses that are making forced attempts to exploit Remote Desktop Protocol.

The Real-Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer, period.

I do expect that the block events stopped today.

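Before deciding how much the RDP probes described above matter, a practitioner would want to confirm whether Remote Desktop is actually enabled and reachable on the machine. The following PowerShell is an added example, not part of the original post or of Malwarebytes' tooling. It reads the built-in fDenyTSConnections flag, lists sockets on the default RDP port 3389 together with the process that owns them (Remote Desktop Services runs as TermService inside svchost.exe, which is why the alert names svchost.exe), and lists the enabled inbound rules in the Windows Firewall's Remote Desktop group. Run it from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread): is Remote Desktop enabled and reachable on this PC?
# Run from an elevated PowerShell on Windows 10; only built-in cmdlets are used.

function Get-RdpExposure {
    # fDenyTSConnections: 1 = Remote Desktop off, 0 = Remote Desktop on
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # Sockets on the default RDP port: anything listening, and any current remote peers
    $rdpPort     = 3389
    $listening   = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue
    $established = Get-NetTCPConnection -LocalPort $rdpPort -State Established -ErrorAction SilentlyContinue

    # Which process owns those sockets (Remote Desktop Services is TermService hosted in svchost.exe,
    # which is why the Malwarebytes alert names svchost.exe)
    $owners = @($listening) + @($established) |
        Where-Object { $_ } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "$($p.ProcessName) (PID $($_.OwningProcess))"
        } | Sort-Object -Unique

    # Enabled inbound rules in the Windows Firewall's built-in "Remote Desktop" group
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        ListeningOn3389 = [bool]$listening
        RemotePeers     = @($established | Select-Object -ExpandProperty RemoteAddress -Unique)
        OwningProcesses = @($owners)
        EnabledRdpRules = @($rules | Select-Object -ExpandProperty DisplayName)
    }
}

$state = Get-RdpExposure
$state | Format-List

if ($state.RdpEnabled -and $state.ListeningOn3389 -and $state.EnabledRdpRules.Count -gt 0) {
    Write-Warning 'Remote Desktop is on, listening on 3389 and allowed through the firewall: inbound probes reach this host.'
} elseif (-not $state.RdpEnabled) {
    'Remote Desktop is turned off; the blocked addresses are probing a closed door.'
}
```

If RdpEnabled is false and nothing listens on 3389, the repeated inbound blocks are noise against a closed port, which matches the advice in the thread that incoming blocks can be ignored. If RdpEnabled is true and the port is reachable, the remediation further down (block the source addresses, or turn Remote Desktop off) is worth doing rather than optional.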

Hi Maurice,

I reset my chrome browser and have not had any notifications of these inbound attempts on svchost.exe since. It has only been about 7 hours now with no new alerts / detection history.

Unless you would advise otherwise, I would consider the issue most likely resolved, but I can reach back out if it returns...?

Thanks!


OK.

If you wanted to, you could add the (blocked) IP addresses into the Windows Firewall block list to prevent them from contacting the computer, period.
If you wish to do so, here is one how-to guide:
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

Additionally or alternatively, if this is on Windows 10 PRO and if you do not need or use Remote Desktop, you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

I would encourage you to have the Malwarebytes Browser Guard if you use either Chrome or Firefox.

If this PC has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.
To get and install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

If the PC has Mozilla Firefox, to get and install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser:
https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.
That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.
Finally

Do one tweak so that the Windows Defender Antivirus is fully enabled.

See to it that Malwarebytes for Windows is not registered with the Windows 10 Windows Security Center.

The Malwarebytes real-time protections will still be available and on if it has Premium.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to
"Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
When done, close the window.
Then I suggest restarting Windows.
 

I wish you all the best.

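The two mitigations linked in the post above, scripted as an added PowerShell example (this is not from the original post or from the linked guides): a Windows Firewall rule that blocks the probing addresses in both directions, and turning Remote Desktop off when it is not needed. The thread never names the blocked IPs, so the addresses below are placeholders from the RFC 5737 documentation ranges; replace them with the ones shown in the Malwarebytes detection history. The rule name is an arbitrary label chosen here. Run from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread): block the probing IPs with Windows Firewall and turn off Remote Desktop.
# Run from an elevated PowerShell on Windows 10. The addresses are placeholders (RFC 5737 documentation
# ranges); substitute the IPs shown in the Malwarebytes detection history.

$blockedIps = @('192.0.2.10', '198.51.100.25', '203.0.113.7')   # placeholders, not taken from the thread
$ruleName   = 'Block RDP probe sources (manual)'                  # arbitrary label chosen for this example

function Set-IpBlockRule {
    param([string]$Name, [string[]]$Addresses)

    # Sanity check so a typo does not silently produce a rule that matches nothing
    foreach ($ip in $Addresses) {
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
            throw "Not a valid IP address: $ip"
        }
    }

    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule pair already present: merge the new addresses with whatever is already blocked
        $current = ($existing | Get-NetFirewallAddressFilter).RemoteAddress
        $merged  = @($current) + $Addresses | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        $existing | Set-NetFirewallRule -RemoteAddress $merged
    } else {
        # Inbound and outbound, all protocols, all profiles: the host neither accepts nor initiates
        # traffic with these peers, which covers both the "incoming" and "outgoing" block cases
        New-NetFirewallRule -DisplayName $Name -Direction Inbound  -Action Block -RemoteAddress $Addresses -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block -RemoteAddress $Addresses -Profile Any | Out-Null
    }

    # Return what the rule now blocks, so the caller can verify the change took effect
    Get-NetFirewallRule -DisplayName $Name |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

function Disable-RemoteDesktop {
    # Same switch that the Settings > Remote Desktop toggle flips (1 = deny connections)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    # Close the matching firewall openings as well, otherwise TCP 3389 stays reachable to probes
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

$nowBlocked = Set-IpBlockRule -Name $ruleName -Addresses $blockedIps
"Remote addresses now blocked by '$ruleName':"
$nowBlocked

# Only do this if Remote Desktop is not needed on this PC (the second suggestion in the post above)
Disable-RemoteDesktop
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections |
    Select-Object fDenyTSConnections   # expect 1 after the call
```

Re-running the script with additional addresses extends the existing rule instead of creating duplicates, which matters when the probing source keeps changing, as the original poster observed. Blocking by source address only stops the peers you already know about; if Remote Desktop is not in use, disabling it closes the port to every future source, so the second function is the more durable fix.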

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

