Infernus Posted January 5, 2021 ID:1430562 Share Posted January 5, 2021 Hello, Infern\/s here. So, some time ago i made a same topic, but it looks like the problem is still not solved. I haven't used Malwarebytes Premium for a while and like 2 weeks ago I got the free premium trial version. Then it started happening again. I got the rtp detection and it spamms repeatedly. Also, when I add the ip to the blocked section in my firewall, different IP shows in the detection, I don't know what to do. I scanned my computer multiple times, but it didn't find anything. Please help. Link to post Share on other sites More sharing options...
kevinf80 Posted January 5, 2021 ID:1430564 Share Posted January 5, 2021 Hello Infernus and welcome to Malwarebytes, Can you post the last three RTP logs: To get the RTP Detection log from Malwarebytes do the following: Open Malwarebytes.... Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the RTP Detection log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply Next, Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... Link to post Share on other sites More sharing options...
Infernus Posted January 5, 2021 Author ID:1430565 Share Posted January 5, 2021 Hey I did all of steps. I'm attaching all the files here. Addition.txt AdwCleaner[S20].txt FRST.txt rtpdetection1.txt rtpdetection2.txt rtpdetection3.txt scan.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 5, 2021 ID:1430576 Share Posted January 5, 2021 Hello Infernus, Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135 Basically all none MS services are disabled, see how your system runs in that mode, see if the RTP detections cease in that mode... Thanks, Kevin Link to post Share on other sites More sharing options...
Infernus Posted January 5, 2021 Author ID:1430581 Share Posted January 5, 2021 Hey, I ran the clean boot. Or I don't know ,maybe it is a false positive. I changed to the beta verison of Malwarebytes and no detection popping up till now. But maybe it's a matter of time. Thank you for helping me, I hope it helps Link to post Share on other sites More sharing options...
kevinf80 Posted January 5, 2021 ID:1430582 Share Posted January 5, 2021 (edited) Hiya infernus, I doubt that we are dealing with a false positive, I`ve worked similar threads to yours before.. Usually it turns out to be 3rd party software that runs after boot and exploits a system file to make an outbound call. I`ve just uploaded one of the IP`s to VirusTotal, the result confirms malicious activity... https://www.virustotal.com/gui/ip-address/92.63.197.97/detection What we now need to do is find out which software is causing the problem... As clean boot stops the RTP detection happening it is now a process of elimination to find which non MS service(s) was affecting your system... Go through the process again, this time with all MS services hidden again enable the top half of non MS services, re-boot and see how your system responds, if still ok the top half can be left enabled. Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome.. Thank you, Kevin.. Edited January 5, 2021 by kevinf80 typing error Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430779 Share Posted January 6, 2021 Hey, It's me Infern\/s. Just wanted to ask, do you think that Hotspot Shield might be causing these detections? I can't uninstall it for some reason, i turned on most of the services and still no detection. Thank you Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430781 Share Posted January 6, 2021 Hey, It's me Infern\/s. Just wanted to ask, do you think that Hotspot Shield might be causing these detections? Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430810 Share Posted January 6, 2021 Hiya Infernus, I suppose it is possible for Hotspot shield to be at fault, why can you not make the uninstall... Kevin... Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430812 Share Posted January 6, 2021 Hey, thanks for the reply It takes forever to uninstall Hotspot Shield 9.12.0. Also, there is a blank exe process preventing shutdown, do you think that might be a virus? Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430815 Share Posted January 6, 2021 Hiya infernus, I see from the Addition.txt log that there are three versions of hotspot shield installed, two of those are marked up as hidden... Try the following: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. That will unhide hotspot shield... Next, Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information) Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required. Run the tool, the main GUI will populate with installed programs list, Left click on Program name to highlight that entry. Select Action from the Menu bar, then Uninstall from there follow the prompts. If Uninstall fails open the "Action" menu one more time and use "Force Removal" option Let me know if that works... Thanks, Kevin.. fixlist.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430818 Share Posted January 6, 2021 Have to go out for about an hour, regardles of what happens with previous instructions also do the following... Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430820 Share Posted January 6, 2021 Hey, I'm attaching the files here. Also, uninstalling went wrong and the Force Removal worked, so thank you so much Fixlog.txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Solution kevinf80 Posted January 6, 2021 Solution ID:1430862 Share Posted January 6, 2021 Hiya infernus, Thanks for those logs, continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also let me know if there are any remaining issues or concerns.. Thank you, Kevin.. fixlist.txt Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430864 Share Posted January 6, 2021 Hey! I'm attaching the files here. Fixlog.txt msert.log Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430867 Share Posted January 6, 2021 Hiya infernus, How does your system respond now, any issues or concerns... Thanks, Kevin.. Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430868 Share Posted January 6, 2021 Hey, luckily no signs of RTP detections till now. I'm considering buying premium Malwarebytes Version, because the trial is about to end, and these detections were not showing in the detection history for about a week after getting the trial, but I think it actually could be Hotspot Shield. I researched the internet topics, and I found, that Hotspot Shield may be a malware. Is that true? Thank you so much for helping me Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430871 Share Posted January 6, 2021 Hello infernus, Which version of Hotpoint Shield did you use, free or premium. If the free version then such software uses other means to offset costs. Is Malwarebytes still making RTP detection s or have they ceased totally..? Thanks, Kevin.. Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430872 Share Posted January 6, 2021 Hey, I have used the free version, and Malwarebytes is not making RTP detections till now. Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430881 Share Posted January 6, 2021 Okay, now the RTP detection showed up, but this time it's Trojan warning, not Compromised. Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430883 Share Posted January 6, 2021 Hello infernus, Therein lies the problem, not all free software is really free. Such software may come bundled with addons that are used to recover there costs by devious means. Malwarebytes is really good at stopping such outbound calls that you were experiencing. The software itself is not classed as malicious, but its unseen actions can be. Therefore security programs do let the software run, but its hidden actions slip under the fence and do what they are intended to do, fortunately Malwarebytes does stop those actions... Not all free software behaves that way, its just being cautious at what you put on your system. Research is the best way to make sure any free software is ok to use... If no remaining issues or concerns continue to clean up: Right click on FRST here: C:\Users\oem\Desktop\frst\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430885 Share Posted January 6, 2021 Just missed your reply there, can you post the fresh RTP log... Open Malwarebytes.... Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the RTP Detection log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430887 Share Posted January 6, 2021 There is the file: rtptrojandetection.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 6, 2021 ID:1430905 Share Posted January 6, 2021 Hiya Infernus, That is an inbound call from a sniffer trying to make a connection to your system, very typical and not related to anything on your PC. Malwarebytes is doing its job.... The IP address is definitely malicious.. https://www.virustotal.com/gui/ip-address/193.239.147.156/detection Thanks, Kevin... Link to post Share on other sites More sharing options...
Infernus Posted January 6, 2021 Author ID:1430906 Share Posted January 6, 2021 Okay, so I think I should not be worried about this. Thanks, Infern\/s Link to post Share on other sites More sharing options...
Recommended Posts