johnnyspinebustah Posted October 3, 2020

I have Malwarebytes Premium and I have been getting daily RTP detections, inbound blocked websites, for a while now. Around 2 weeks. I have had notifications off, so I just recently noticed it. They are usually marked as compromised, but sometimes as trojan. The IP address usually changes every time, so it is hard to block them specifically in Windows Firewall. Usually I get notifications 2-4 times a day, so not every hour, but constantly still. I have done a full Malwarebytes scan, an AdwCleaner scan and a full Windows Defender scan, and I can't seem to make any sense of what is causing this. Zero alarms from any of the scans. I formatted my PC, but the notifications still come. The attachment is from the last 2 days, after I formatted my PC.

kevinf80 Posted October 3, 2020

Hello johnnyspinebustah and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

- Download Malwarebytes version 4 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/
- Double click on the installer and follow the prompts.

When the install completes, or if Malwarebytes is already installed, do the following:

- Open Malwarebytes, select > "settings" > "protection tab"
- Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on.
- Go back to "DashBoard" and select the Blue "Scan Now" tab.
- When the scan completes quarantine any found entries.

To get the log from Malwarebytes do the following:

- Click on the Detection History tab > from main interface.
- Then click on "History", which will open a historical list.
- Double click on the Scan log which shows the Date and time of the scan just performed.
- Click Export > From export you have two options:
  - Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
  - Text file (*.txt) - if selected, you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
- Please use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply.

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror

- Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Accept the EULA (I accept), then click on Scan
- Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
- Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
- After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way.

Be aware FRST must be run from an account with Administrator status.

- Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
- Make sure Addition.txt is checkmarked under "Optional scans"
- Press the Scan button to run the tool.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The tool will also make a log named (Addition.txt). Please attach that log to your reply.

Next,

Can you also post the last three RTP Detection logs as follows:

To get the RTP Detection log from Malwarebytes do the following:

- Open Malwarebytes.
- Click on the Detection History tab > from main interface.
- Then click on "History", which will open a historical list.
- Double click on the RTP Detection log which shows the Date and time of the scan just performed.
- Click Export > From export you have two options:
  - Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
  - Text file (*.txt) - if selected, you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
- Please use "Text file (*.txt)", then name the file and save to a place of choice, recommend "Desktop", then attach to reply

Let me see those logs in your reply...

Thank you,

Kevin....

johnnyspinebustah Posted October 4, 2020

Hey and thanks for your reply. Here should be all.

Attachments: Malwarebytes scan.txt, AdwCleaner[S02].txt, FRST.txt, Addition.txt, RTP 1.txt, RTP 2.txt, RTP 3.txt

kevinf80 Posted October 4, 2020

Hello johnnyspinebustah,

Your logs are clean, no obvious signs of any Malware or Infection. The RTP blocks do indicate inbound sniffers trying to connect with your PC; Malwarebytes is doing its job and making the block. Of the three blocks, one was from Philippines Makati Radius Telecoms Inc, the other two were from South Africa Cape Town Mtn Sa.

Your server connection is listed as Finland Helsinki Teliasonera Finland Oyj, is that correct...?

As long as Malwarebytes makes the blocks you should be ok. Might be worthwhile resetting your router...

Reset your router, instructions available at the following link: http://setuprouter.com/networking/how-to-reset-your-router/ Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop; the tool is portable, no installation necessary. Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

- Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool. For XP just double click to run.
- From the left hand pane select "Flush DNS"
- From the main interface select the dropdown under "Choose a DNS Server"
- From the list select either "Google Public DNS" or "Open DNS"
- From the left hand pane select "Apply DNS"
- When done re-boot your system.

Do the blocks cease?

Thank you,

Kevin..

kevinf80 Posted October 5, 2020

Any progress...?

johnnyspinebustah Posted October 6, 2020

Yes, sorry for the delayed response. Somehow when I was resetting my router I was wondering why this IP address sounded so weird, and I was unable to connect to my router. My router was somehow set to "Bridge", and it was showing an incorrect IP address when I was looking up my router's IP in ipconfig. Now it is set back to router and the IP address is correct. I did as you asked and I have had no detections in over 24 hours for the first time.

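The condition described in the post above (a router left in bridge mode, with ipconfig showing an unexpected address) can be checked from the PC itself: a bridged router typically passes the ISP's public address straight to the PC, so no NAT sits in front of it. The following is an added example, not part of the original thread; it parses `ipconfig` output and flags adapters that hold a public IPv4 address. The sample output, its addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Ranges a PC normally gets behind a NAT router (RFC 1918), plus carrier-grade
# NAT (RFC 6598) and link-local. Anything else is treated as public here.
BEHIND_NAT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(IPv4 Address|Default Gateway)[ .]*:\s*([\d.]+)")

def parse_ipconfig(text):
    """Map each adapter heading to the IPv4 address/gateway listed under it."""
    adapters, current = {}, None
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if heading:
            current = adapters.setdefault(heading.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return adapters

def is_behind_nat(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BEHIND_NAT)

def exposed_adapters(text):
    """Adapters whose own IPv4 address is public, i.e. no NAT in front of the PC."""
    return sorted(name for name, fields in parse_ipconfig(text).items()
                  if "IPv4 Address" in fields
                  and not is_behind_nat(fields["IPv4 Address"]))

# Constructed ipconfig output (English Windows 10 layout); 203.0.113.0/24 is a
# documentation range standing in for an ISP-assigned public address.
TEMPLATE = """Windows IP Configuration

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : {ip}
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : {gw}
"""
BRIDGED = TEMPLATE.format(ip="203.0.113.45", gw="203.0.113.1")
ROUTED = TEMPLATE.format(ip="192.168.1.23", gw="192.168.1.1")

if __name__ == "__main__":
    for label, sample in (("bridged", BRIDGED), ("routed", ROUTED)):
        print(label, "->", exposed_adapters(sample) or "no exposed adapter")
```

On a real machine, feed it the text of `ipconfig` captured to a file; localized Windows builds use different field labels, which the two regular expressions would need to match.
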
kevinf80 Posted October 6, 2020 (Solution)

Hello johnnyspinebustah,

Thanks for the update, good to hear the detections have ceased....

Continue to clean up:

Right click on FRST here: C:\Users\myste\Downloads\FRST64.exe and rename it uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended, that is because file extensions are hidden; in that case just rename FRST64 to uninstall.

That action will remove FRST and all created files and folders...

Next,

- Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2
- Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point
- Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/
- Download and use a Password Management application. https://www.windowscentral.com/best-password-manager-windows

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

- Answers to Common Security Questions and best Practices
- Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

kevinf80 Posted October 7, 2020

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you