Jump to content

Recommended Posts

Hello,

I have recently, out of the blue, started to experience a pattern of 3 different RTP detection pop-ups from Malwarebytes from 3 various domain locations. These 3 pop-ups occur every 10-11 minutes. I have provided a screenshot of what this looks like in the detection history. I have tried removing all chrome extensions, running Windows Defender/Malwarebytes threat scans, and ADWcleaner scans. I'm not sure how to push forward on preventing this, and any ideas on a solution would be tremendously appreciated. If any additional information is needed, I will be glad to provide it. 

Thank you.

unknown.png

Link to post
Share on other sites

  • Root Admin

Hello @flipturn10

Can you please get us some logs so that we can review further.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

  • Root Admin

Please run the following fix @flipturn10

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

I apologize for the delay upon replying. I allowed my PC to sit in idle while I was at work. All I did was restart my PC beforehand before I left for my shift, and upon returning home, I discovered that it stopped the flow of the RTP Detections. So in theory my problem as far as this fourm post is concerned is solved. But it's rather important to note that this was BEFORE I applied the FRST fix suggested above. I recall the initial 'virus' that called this was first identified by Malwarebytes as Spyware.Vidar. I recall reading up on this virus awhile ago. I understand that it's a paid service designed to pull mainly crypto bank account/payment information. I do store (some) info about my crypto information here on this PC. Malwarebytes quarantined Vidar, but I do not know if that meant it protected my PC from it. I had only downloaded some content from my school's website that I presumed to be a trusted source (I suppose it could have been compromised in my case). I also understand Vidar kills itself after pulling a sufficient enough set of data from a PC. What would be a proper plan of action here for my case? I have ran several scans both in Malwarebytes and Windows Defender (no threats found) including the FRST fix. So should I go about my day anxiety-free knowing that Malwarebytes detected it, and was able to remove it? Or should I start frantically changing passwords and payment information to save the headache later?

 

Thanks.

Link to post
Share on other sites

  • Root Admin

I would like to get the FIXLOG.txt file back please and I'd still like to run some other scans before we're done here.

Once we're done, yes it would be a good idea to change passwords just in case. Make sure you use a Password Manager

Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password
https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/

 

 

Link to post
Share on other sites

  • Root Admin

From the log

Windows Resource Protection found corrupt files and successfully repaired them.

 

Let's run 2 more antivirus scans to make sure they both come back clean.

[ STEP 1 ]

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

[ STEP 2 ]

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

 

 

Link to post
Share on other sites

  • Root Admin

Great, that looks good.

Please run the following for me @flipturn10

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Please uninstall, update, or otherwise address the following as appropriate for your system


-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9002 Warning! Download Update

 

--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 32 ActiveX v.32.0.0.363 Warning! This software is no longer supported. Please uninstall it.

Adobe Flash Player 32 NPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.

 

---------------------------- [ UnwantedApps ] -----------------------------
Driver Booster 8 v.8.7.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

IObit Uninstaller 11 v.11.0.1.14 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Razer Cortex v.9.16.27.1472 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

 

 

How is the computer running now?

Are you still getting any alerts?

 

Link to post
Share on other sites

My computer is running rather well. Nothing seems that out of line. I ran a few Malwarebytes scans last night and just now and nothing has come up. The RTP detection alerts have since stopped awhile ago. I still wonder what those domains had to do with Vidar. I assume it was trying to send data of some sort, but thankfully Malwarebytes blocked that process. The only notable thing to mention is that Razer Cortex has been acting rather odd. Cortex runs perfectly fine, but every time I boot up my PC and log in, it prompts me with a 'User Account Control' style prompt asking for it to being authority to make changes to this pc. I think this was a byproduct of running the FRST fix though because it only started doing this after I applied the fix. 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.