RTP Detection - Compromised/Trojan on Outbound Connection on Port 137


Solved by AdvancedSetup

Hello,

Every few days or so (it used to be every day) I keep getting the same block pop up from Malwarebytes, spread out every 10 minutes or so (sometimes like every minute). It's been ongoing for a while now and I would like to resolve the issue. Sometimes it is reported to me as "Compromised", other times as "Trojan", but it is always from a different IP address. It would seemingly happen when doing nothing at all, even when the web browser is closed or the laptop is running idle. I have done a threat scan with Malwarebytes now and then when it appeared and have found nothing. I have also done a full scan with Windows Defender with no results, so I'm not sure if I'm infected or someone is trying to get in, but it seems Malwarebytes has been keeping whatever it is at bay for now. I have attached the Farbar reports as well as the alerts from Malwarebytes itself.

Thanks

Trojan Report.txt Compromised Report.txt Addition.txt FRST.txt Scan Report.txt


  • Root Admin

Hello @Merrymint

Are you blocking these items on purpose on your Firewall?


FirewallRules: [{ACC175D3-8210-484F-9BD8-7E960FAAB154}] => (Block) C:\program files\videolan\vlc\vlc.exe (VideoLAN -> VideoLAN)
FirewallRules: [{B177F3CB-7DD0-44BB-B328-F6B32AB12685}] => (Block) C:\program files\videolan\vlc\vlc.exe (VideoLAN -> VideoLAN)
FirewallRules: [{530BCCDC-01FB-4958-8A25-E71B95515FCD}] => (Block) C:\program files\netbeans 8.2\bin\netbeans64.exe (Oracle Corporation) [File not signed]
FirewallRules: [{457F3A30-BBCE-4819-8A40-98804204ADEC}] => (Block) C:\program files\netbeans 8.2\bin\netbeans64.exe (Oracle Corporation) [File not signed]
FirewallRules: [{09A42461-8842-4DEC-BD46-8320375BF1A7}] => (Block) C:\program files\java\jdk1.8.0_161\bin\java.exe
FirewallRules: [{DA4E29D5-5E58-41BF-8AEE-F389380A0859}] => (Block) C:\program files\java\jdk1.8.0_161\bin\java.exe
FirewallRules: [{44CC49EF-06D3-442D-9F33-FC5900FB9001}] => (Block) E:\steam\steamapps\common\war thunder\win64\aces.exe (Gaijin Network LTD -> Gaijin Entertainment)
FirewallRules: [{2D257D3D-96E2-48E3-B80E-43E319869E14}] => (Block) E:\steam\steamapps\common\war thunder\win64\aces.exe (Gaijin Network LTD -> Gaijin Entertainment)
FirewallRules: [{82F1C86D-69BD-42D2-BA73-F2B5F1AB3D8E}] => (Block) C:\program files\logitech gaming software\lcore.exe (Logitech Inc -> Logitech Inc.)
FirewallRules: [{ABA29F56-0FF2-4A41-9439-68C48F8BED61}] => (Block) C:\program files\logitech gaming software\lcore.exe (Logitech Inc -> Logitech Inc.)
FirewallRules: [{E0DAFA42-4BE6-4B66-8FF7-E395B1C63998}] => (Block) C:\program files\windowsapps\naver.linewin8_5.19.0.0_x86__8ptj331gd3tyt\lineapp.exe => No File
FirewallRules: [{BBF1EE60-AA09-495D-B9AC-03DA85FF0DC8}] => (Block) C:\program files\windowsapps\naver.linewin8_5.19.0.0_x86__8ptj331gd3tyt\lineapp.exe => No File
FirewallRules: [{FB1E7CF9-9F31-43F8-81AB-EF10E7477ED3}] => (Block) E:\steam\steamapps\common\planetside 2\planetside2_x64.exe (Daybreak Game Company LLC -> Daybreak Game Company, LLC)
FirewallRules: [{032011EA-8086-4A4F-BD94-35BA75F6C84F}] => (Block) E:\steam\steamapps\common\planetside 2\planetside2_x64.exe (Daybreak Game Company LLC -> Daybreak Game Company, LLC)
FirewallRules: [{555B8FCA-7F7D-47E4-93DD-43E394264B4B}] => (Block) C:\users\justi\onedrive\documents\mobaxterm\slash\justi_harmony\bin\xwin_mobax.exe (Mobatek -> )
FirewallRules: [{FE320D7F-7143-4EF9-9E8A-74482D7A87AA}] => (Block) C:\users\justi\onedrive\documents\mobaxterm\slash\justi_harmony\bin\xwin_mobax.exe (Mobatek -> )
FirewallRules: [{FA40B169-48F5-4BD4-9301-63E03E0D9307}] => (Block) E:\call of duty modern warfare\modernwarfare.exe (Activision Publishing Inc -> Activision)
FirewallRules: [{D3CE8A60-B2A6-4768-BC0B-3689016323AF}] => (Block) E:\call of duty modern warfare\modernwarfare.exe (Activision Publishing Inc -> Activision)
FirewallRules: [{6987D2CE-B344-4494-AF77-6CEE11EA2051}] => (Block) E:\steam\steamapps\common\grand theft auto v\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [{3F3B390E-D6C5-4F66-82B5-251FDFBDB7EA}] => (Block) E:\steam\steamapps\common\grand theft auto v\gta5.exe (Rockstar Games, Inc. -> Rockstar Games)
FirewallRules: [{E5F78F63-F04E-4A87-99A0-AF579ABBA35B}] => (Block) C:\program files\jetbrains\pycharm 2020.1.1\bin\pycharm64.exe (JetBrains s.r.o. -> JetBrains s.r.o.)
FirewallRules: [{DA2A779B-63B6-4392-85D8-A35377C3350D}] => (Block) C:\program files\jetbrains\pycharm 2020.1.1\bin\pycharm64.exe (JetBrains s.r.o. -> JetBrains s.r.o.)
FirewallRules: [{9F24A25A-CEDE-4434-A9E7-FD7B07EAE590}] => (Block) E:\epic games\borderlands2\binaries\win32\borderlands2.exe (Take-Two Interactive Software, Inc. -> Take-Two Interactive Software, Inc.) [File not signed]
FirewallRules: [{9F795878-5D8E-4009-985E-E5903CBE8E46}] => (Block) E:\epic games\borderlands2\binaries\win32\borderlands2.exe (Take-Two Interactive Software, Inc. -> Take-Two Interactive Software, Inc.) [File not signed]
The logs don't really appear to indicate any real type of infection. We'll do some generic clean up but if it's really on a schedule then you'll probably need to look closer at your scheduled tasks.
Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks
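The FirewallRules lines quoted above come from FRST's Addition.txt, and the question being asked is whether each blocked executable was blocked deliberately. The following Python helper is an added example, not code from the thread, FRST or Malwarebytes: it parses that FRST line format (GUID, action, path, optional publisher, and the "[File not signed]" / "=> No File" annotations), groups the Block rules per executable, and lists the ones worth asking about first, namely binaries that FRST reports as unsigned or as no longer present on disk. The sample input is a subset of the lines quoted in the post; the regex is my own reading of the format and the field names are assumptions.

```python
import re

# Sample input: FirewallRules lines copied from the FRST Addition.txt excerpt
# quoted in this thread (a subset; the format is FRST's own output).
FRST_SAMPLE = r"""
FirewallRules: [{ACC175D3-8210-484F-9BD8-7E960FAAB154}] => (Block) C:\program files\videolan\vlc\vlc.exe (VideoLAN -> VideoLAN)
FirewallRules: [{B177F3CB-7DD0-44BB-B328-F6B32AB12685}] => (Block) C:\program files\videolan\vlc\vlc.exe (VideoLAN -> VideoLAN)
FirewallRules: [{530BCCDC-01FB-4958-8A25-E71B95515FCD}] => (Block) C:\program files\netbeans 8.2\bin\netbeans64.exe (Oracle Corporation) [File not signed]
FirewallRules: [{09A42461-8842-4DEC-BD46-8320375BF1A7}] => (Block) C:\program files\java\jdk1.8.0_161\bin\java.exe
FirewallRules: [{E0DAFA42-4BE6-4B66-8FF7-E395B1C63998}] => (Block) C:\program files\windowsapps\naver.linewin8_5.19.0.0_x86__8ptj331gd3tyt\lineapp.exe => No File
"""

# Assumed structure of an FRST FirewallRules line (derived from the sample above):
#   FirewallRules: [{GUID}] => (Allow|Block) <path>.exe [(publisher)] [trailing flags]
RULE_RE = re.compile(
    r"^FirewallRules: \[\{(?P<guid>[0-9A-Fa-f-]+)\}\] => \((?P<action>Allow|Block)\) "
    r"(?P<path>.+?\.exe)"
    r"(?: \((?P<publisher>[^)]*)\))?"
    r"(?P<flags>.*)$"
)


def parse_firewall_rules(text):
    """Parse FRST FirewallRules lines into dicts; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        rules.append({
            "guid": m.group("guid"),
            "action": m.group("action"),
            "path": m.group("path"),
            "publisher": m.group("publisher"),        # None when FRST printed no signer
            "unsigned": "[File not signed]" in flags,  # FRST's signature annotation
            "missing": "No File" in flags,             # rule points at a deleted binary
        })
    return rules


def summarize_blocks(rules):
    """Group Block rules by executable: rule count (FRST usually shows an
    inbound and an outbound rule per program), signer, and FRST's flags."""
    summary = {}
    for r in rules:
        if r["action"] != "Block":
            continue
        entry = summary.setdefault(r["path"], {
            "rules": 0, "publisher": r["publisher"], "unsigned": False, "missing": False,
        })
        entry["rules"] += 1
        entry["unsigned"] = entry["unsigned"] or r["unsigned"]
        entry["missing"] = entry["missing"] or r["missing"]
    return summary


def review_findings(summary):
    """Blocked executables to ask the user about first: unsigned binaries and
    stale rules whose target no longer exists on disk."""
    return sorted(path for path, e in summary.items() if e["unsigned"] or e["missing"])


if __name__ == "__main__":
    blocks = summarize_blocks(parse_firewall_rules(FRST_SAMPLE))
    for path, e in blocks.items():
        print(f"{e['rules']} rule(s)  signer={e['publisher']!r}  "
              f"unsigned={e['unsigned']}  missing={e['missing']}  {path}")
    print("ask about:", review_findings(blocks))
```

Run it against a full Addition.txt by reading the file instead of FRST_SAMPLE; only the FirewallRules lines are consumed, everything else in the report is ignored. A rule whose target is flagged "No File" is not a threat in itself, but it is a stale entry that the user evidently did not create on purpose, which is exactly the kind of item the question above is trying to surface.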


@AdvancedSetup

No. I did not block those on purpose; I don't recall blocking anything at all, actually. There is no specific time they show up either, and I don't see any tasks that appear to be the cause. The only task I ever scheduled was a long time ago (before all this) for a program to restart every day because sometimes it would crash and would not sync without me noticing. Before I apply the fix, do you know if this affects the extension OneTab? I could store my tabs in there, but I don't know if it's affected.


  • Root Admin

The log looks good. Windows found and fixed some of its files.

Windows Resource Protection found corrupt files and successfully repaired them.

Can you please run FRST again, click SCAN, make sure you have Additions.txt checked as well, and post back both new logs as attachments.

Also, let me know how the computer is running now and if you're still showing any signs of an infection or not.


  • Root Admin

Overall the logs look good.

Please download the following software and run it. It will check for any software updates the computer may need for 3rd party software.

Patch My PC Home Updater
https://patchmypc.com/home-updater

Then after that is done please click on Start and type in "Check for updates" and see if there are any Windows Updates to install.

Let me know how that goes as well.


  • Root Admin

Let's go ahead and clean up the temp files and check a few things again.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.


Thanks

fixlist.txt

This topic is now closed to further replies.