Jump to content

RTP detection blocking websites messages


Recommended Posts

Ever since 11/21 I've been noticing Blocked Website messages popping up while at my computer.  Today there were over 30. They say they are blocking sites because they are Compromised, Trojan, Malware, or RiskWare.  Malwarebytes says my system doesn't have any Malware (it scanned, detected, and quarantined 2).  Can you help me find and remove whatever is causing this?

I'm suspicious it has something to do with Kodi which I installed around mid November or PIA VPN which I began using more around then.

I have run Malwarebytes Support Tool and gathered the logs, and run ADWCLEANER SCAN.  It only reported Pre-installed applications and I removed the wild tangent games.  I've attached both log files for your review.

Thanks for your attention to my problem.

Jim

mbst-grab-results.zip AdwCleaner[C00].txt

Link to post
Share on other sites

1 hour ago, jimmyv4351 said:

PIA VPN which I began using

It is probably the PIA IP's being used. There have been several reports.

We need some actual detection log's.

To get the logs from Malwarebytes do the following:

Single click on the Clock icon above Detection History.

In the new window select Report

Double click on the Scan log which shows the Date and time of the detection

Click Export > From export you have two options:
Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

Please use " Copy to Clipboard " then paste the contents here in your next reply

Please double-click on one of the block entries shown in the image you posted to view the report, then click the Export link on the bottom left of the report and select Copy to clipboard, then paste the contents here in your next reply so that we may take a look and advise you based on what it shows.

Thanks

Edited by Porthos
  • Like 1
Link to post
Share on other sites

Thanks for your quick response.

Here are reports from several of the different log entries and screen copies of Malwarebytes scan summary and Detection Report History.  I've included one each reported as Compromised, Malware, Trojan, and RiskWare.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/8/21
Protection Event Time: 6:52 PM
Log File: 547e03fe-588a-11ec-b91b-405bd843fadc.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48334
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Private Internet Access\pia-service.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 194.32.122.44
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/8/21
Protection Event Time: 5:47 PM
Log File: 3f728574-5881-11ec-8681-405bd843fadc.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48332
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: 
IP Address: 194.32.122.44
Port: 0
(No malicious items detected)
Type: Outbound
File: System

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/8/21
Protection Event Time: 5:35 AM
Log File: e98e456e-581a-11ec-98d1-405bd843fadc.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48316
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\XBMCFoundation.Kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: extratorrent.si
IP Address: 104.21.12.5
Port: 443
Type: Outbound
File: C:\Program Files\WindowsApps\XBMCFoundation.Kodi_19.3.500.0_x64__4n2hpmxwrvr6p\kodi.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/26/21
Protection Event Time: 9:14 AM
Log File: 9c4d9fb4-4ecb-11ec-9c07-405bd843fadc.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.47704
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: peacefullymenitch.com
IP Address: 192.243.59.20
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

Malwarebytes Scan Summary.JPG

Malwarebytes Detection History Yesterday evening.JPG

Link to post
Share on other sites

Further insight.  Last night about 7 pm I did a reboot.  I didn't notice until about 9 am this morning that PIA VPN hadn't restarted on the reboot.  Between those times, there were no blocked site messages.  When I turned it back on I started getting them again.  In the last 2.5 hours there have been over 15!  I guess PIA is at fault.

Any suggestions what to do?

My son says it's all Chrome based and recommends I switch to Firefox.

 

Malwarebytes History - PIA was off from 7pm to 9am.JPG

Link to post
Share on other sites

Interestingly, I left PIA VPN actively running VPN since 5 pm last night (it's now 8:45 am) and Malwarebytes gave no blocked website warnings. So, it appears that PIA only causes those when the application is running but not connected to VPN.

It would be nice not to get the messages, since I don't want to run VPN all the time.

Can you help eliminate them?

 

Updated: 12/12/2021 @ 1:19pm CST - I have updated PIA VPN to the latest version, 3.1.2-06767 and Malwarebytes to the latest version 4.4.10.144 with update pkg 1.0.48514 and component 1.0.1499.  Still no joy.  With VPN actively running, no blocked site messages, with VPN app running but not VPN actively constant messages, with VPN package not running, no blocked site messages.

Can you help?

Link to post
Share on other sites

  • Root Admin

Hello @jimmyv4351

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 
Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

  • Root Admin

Thank you for the logs @jimmyv4351

 

Your DNS Servers: 192.168.12.1 - 192.168.68.1

 

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

CHR Notifications: Default -> hxxps://app.gotowebinar.com; hxxps://feedback.dxo.com; hxxps://www.chryslerminivan.net

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

Let's go ahead and do a general cleanup of the computer as well to check and verify all system files are working well and valid.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Thanks.

I changed the DNS server to Cloudflare and turned off Google notifications as you suggested.

Malwarebytes said the notifications their app was giving are typical of PIA VPN and of no concern as they are outbound from a known good program so they suggest just setting Malwarebytes to not report them.

So, I think I'll skip the general cleanup you suggested.

Thanks

Jim

Link to post
Share on other sites

  • Root Admin

No problem. Glad you have all under control then at this time.

I'll go ahead and close your topic then and wish you well.

Take care and stay safe out there and have a great week.

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
    Firefoxhttps://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/  
    Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee 
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • 3 months later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.