
RTP inbound nvcontainer.exe


Hi,

 

I recently set up a Windows PPTP VPN for use while I'm away, and created a new user with a secure password for authentication. After returning I started to get RTP inbound requests that Malwarebytes blocked and informed me of. Some of them are in the category Compromised and others Exploit. Some are on port 1723. Others are on a common port used with NVIDIA game streaming.

 

No worries, all inbound and scans come up clean. So I remove the port forward for the VPN and delete the connection from Windows. Then I release renew on my router to get a new public IP thinking that they'd have no way to attempt an exploit on me once I have a new address. But I just had another attempt at nvcontainer.exe.

 

The requests have dramatically slowed from daily up to Jan 1st, then I didn't have any until the 12th after I changed the public IP.

 

I'm concerned as to how they discovered the new IP was the same target. As well, I'm concerned with how they target specifically my local IP out of all the devices in my network.

 

All my scans are clean so I'm not sure what to do or where to look. I really thought a new IP would do it. I'm not at home right now but if you tell what you need I'll take care of it ASAP.


Hello @Ferahcity and welcome

While you are waiting for the next qualified/approved malware removal expert helper to weigh-in to your topic, please follow the instructions within the following Malwarebytes support article:

Run the Farbar Recovery Scan Tool to gather logs

Please attach both the FRST.txt and Addition.txt report files in your next reply.

Thank you.


  • Root Admin

Hello @Ferahcity

Please see the following article for the issue concerning RDP attacks.

https://blog.malwarebytes.com/explained/2021/08/rdp-brute-force-attacks-explained/

Please look at disabling Remote Desktop

https://www.lifewire.com/disable-windows-remote-desktop-153337

 

Then let me have you run the following general clean-up.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Fixlog.txt

Hi, I've uploaded the fix log. I know what RDP is, and how they are trying to gain access through the NVIDIA Game streaming service, which has since been patched. My main concern is I changed my public IP and I was hit again? If my computer is clean, how did they get my new address instantly without something from within my network reaching out? My only guess is there is a group or individual that is port scanning known IP ranges from my ISP and since I had UPnP for the ports in question, it was forwarded to my computer. I've since removed the UPnP as I'm not using that service right now anyway. But other than that guess, I have to assume there is a beacon or service I'm using which provides the attacker my IP.

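The three posts above circle the same question: what on this machine and its router is actually reachable from the Internet (the forwarded PPTP port in the first post, Remote Desktop in the Root Admin's reply, and the UPnP mappings guessed at in the reply just above). The script below is an added example, not from this thread, from Malwarebytes or from FRST; it is a read-only exposure audit for a home Windows 10/11 PC, run from an elevated PowerShell. It assumes the NetSecurity cmdlets are present and that the router answers the UPnP IGD query made through the HNetCfg.NATUPnP COM object (if it does not, that section just prints a notice). The watched-port list is constructed from the ports the thread names (PPTP 1723 and RDP 3389); the NVIDIA GameStream port numbers are not given in the thread, so add the ones you forwarded yourself.

```powershell
# Added exposure audit (not from this thread, Malwarebytes or FRST). Read-only: it only
# reports what this Windows machine and its router currently expose. Run from an
# elevated PowerShell on Windows 10/11.
# Assumptions: the NetSecurity module is available; the router answers UPnP IGD queries
# (otherwise the UPnP section prints a notice and nothing else).

# Ports the thread talks about: PPTP (1723) and RDP (3389). The NVIDIA GameStream ports
# are not given in the thread, so append the ones you forwarded (constructed list).
$WatchPorts = @(1723, 3389)

Write-Host "== TCP ports in LISTEN state =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            Watch   = if ($WatchPorts -contains $_.LocalPort) { "<-- check" } else { "" }
        }
    } | Format-Table -AutoSize

Write-Host "== Enabled inbound ALLOW firewall rules covering a watched port =="
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule  = $_
        # LocalPort is "Any", a single port string or an array of port/range strings.
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $hits  = $ports | Where-Object { $WatchPorts -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Ports   = ($hits -join ",")
            }
        }
    } | Format-Table -AutoSize

Write-Host "== Remote Desktop =="
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { Write-Host "Remote Desktop is ENABLED (fDenyTSConnections = 0)" }
else                              { Write-Host "Remote Desktop is disabled" }

# Failed logons in the last 7 days (Security event 4625). A large count on a home PC
# that only you use matches the brute-force pattern described in the linked article.
$since  = (Get-Date).AddDays(-7)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
Write-Host "Failed logon events since $($since.ToShortDateString()): $($failed.Count)"

Write-Host "== UPnP port mappings currently advertised by the router =="
try {
    $nat  = New-Object -ComObject HNetCfg.NATUPnP
    $maps = $nat.StaticPortMappingCollection
    if ($null -eq $maps -or $maps.Count -eq 0) {
        Write-Host "No mappings returned (UPnP disabled on the router, or it did not answer)."
    } else {
        @(foreach ($m in $maps) {
            [pscustomobject]@{
                External = "$($m.Protocol)/$($m.ExternalPort)"
                Internal = "$($m.InternalClient):$($m.InternalPort)"
                Enabled  = $m.Enabled
                Desc     = $m.Description
            }
        }) | Format-Table -AutoSize
    }
} catch {
    Write-Host "UPnP query failed: $($_.Exception.Message)"
}
```

Read the output bottom-up: any UPnP mapping pointing at this PC's address is a door that survives a public-IP change, because a scanner sweeping the ISP's range finds it again as soon as it answers; an inbound allow rule on a watched port plus a listening process on that port is what an external probe actually reaches. A rising 4625 count with Remote Desktop enabled is the brute-force case the Root Admin's link describes. Remove the mapping on the router (or turn UPnP off there), disable the rule and the service, and the probes stop landing on anything.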

  • Root Admin

So many ways to obtain an IP. I'm sorry but we don't offer Forensic services as to the exact cause. Most sites I know that do that type of work charge over a thousand dollars and one would not clean the computer. One would do specific imaging or shut it down and not turn it back on until the drive was imaged. Often though imaging with memory would be used so physical access is also needed. We provide detection and clean-up services for free.

Please run the following and I'll check back later tonight. @Ferahcity

 

 

Let me have you run a different scanner to double-check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

 


  • Root Admin

The ESET scanner did not load properly. Did you disable all other security software?

Please try running the following @Ferahcity

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands, just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

Thank you
