
RTP Detection from Compromised

I've recently had an issue with having my Discord app hijacked and the account stolen. After going through that, I purchased and downloaded Malwarebytes to CMA. On Feb 1st, I got a notice stating that I had an RTP attempt on my computer trying to go through port 7680 and attempting to access svchost.exe. Feb 2nd came and went with no additional attempts. Today, however, I've been hit 4 times from the same IP address, even though I have it added to my blacklisted IPs in my Firewall, trying to get through 49664-49668 and attempting to access lsass.exe, wininit.exe, svchost.exe, and spoolsv.exe. I'm very concerned I may still have malicious software on my computer, but Malwarebytes, Avast, and Windows Defender are not finding anything. Any assistance will be greatly appreciated. I've attached the latest attempt to get into my computer that Malwarebytes has blocked.

Thank you in advance for your time.

Blacklisted IP.txt

  • Root Admin

Hello @Starbane

The logs don't indicate any obvious infection. This was an inbound IP block. Please see the following for more information on that.

How to protect your RDP access from ransomware attacks
https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

Don’t Become a Ransomware Target – Secure Your RDP Access Responsibly
https://securityboulevard.com/2019/01/dont-become-a-ransomware-target/

We can do some other scans if you'd like to make sure nothing is found. It also looks like you may need to set up exclusions between Avast and Malwarebytes, as the logs show our program has recently faulted.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows

Please temporarily disable your Avast antivirus and exit out of Malwarebytes and run the following antivirus scanner and post back the results.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly onto that report and select Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
Thank you
With it being so late for me, I will have to run this scan after work tomorrow. I thank you for your quick reply. It gives me a bit of hope and soothes my anxiety a bit. Hopefully the scan you recommend will showcase nothing and the logs won't reveal anything else.

How often do these inbound blocks tend to occur? For the first 5 days, I had none come in. Feb 1st had one from a completely different IP from the attachment in my original post, and the 2nd had none happen that Malwarebytes reported. Today had 5 come in from the same IP address hitting different ports, starting 5 before the one in the original post.

I have Windows 11 Home edition as far as I know, because I saw zero need for Win10 Pro when I got this computer, so RDP shouldn't even be an option.

  • Root Admin

They come and go. Normally they don't persist more than a day or two. If they do continue you can add a block to your firewall, but generally speaking, since the Firewall and Malwarebytes both see it, we'll still block and alert on it.

Correct, RDP is not enabled on Windows Home. But the fact that the probe comes in is still a bit disconcerting to see. Though they may not be able to access the system with an automated probe it's still annoying.

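As an added example, not from this thread or from Malwarebytes, here is a PowerShell triage a defender can run on the probed machine after a block like the one reported above. It confirms that Remote Desktop is disabled, shows which system service owns each probed port (49664-49668 fall in Windows' dynamic RPC range, which is why lsass.exe, wininit.exe, svchost.exe and spoolsv.exe appear as the target processes; 7680 is Delivery Optimization), and adds an inbound firewall block for the probing address. The IP address is a placeholder; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): triage an inbound block like the one reported above.
# Run from an elevated PowerShell prompt. $ProbeIp is a placeholder, not a real attacker address.
$ProbeIp     = '203.0.113.10'   # placeholder (TEST-NET-3); substitute the IP from your block log
$ProbedPorts = 7680, 49664, 49665, 49666, 49667, 49668

# 1. Confirm Remote Desktop is disabled (fDenyTSConnections = 1 denies connections,
#    which is the Windows Home default) and that the RDP service is not running.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"RDP connections denied: $($rdp.fDenyTSConnections -eq 1)"
"TermService state: $((Get-Service TermService).Status)"

# 2. Map each probed port to the local process listening on it, if any.
#    49152 and above is the Windows dynamic RPC range, so lsass, wininit, spoolsv and
#    svchost listeners there are expected; 7680 is Delivery Optimization (svchost).
foreach ($port in $ProbedPorts) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listeners) { "Port $port : no listener"; continue }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "Port $port : PID $($l.OwningProcess) $($proc.ProcessName) listening on $($l.LocalAddress)"
    }
}

# 3. Show the firewall profile defaults. An active Public profile whose
#    DefaultInboundAction is Block drops unsolicited probes before they reach those services.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Block the probing address inbound on every port, independent of the per-port alerts.
if (-not (Get-NetFirewallRule -DisplayName "Block probe $ProbeIp" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Block probe $ProbeIp" -Direction Inbound `
        -RemoteAddress $ProbeIp -Action Block -Profile Any | Out-Null
    "Added inbound block rule for $ProbeIp"
}
```

A firewall rule added this way takes effect immediately, without a restart, so a recurring block from the same address after the rule exists is worth a second look at the rule's remote address.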

Here are the scan results. Honestly, I was expecting a lot more info inside it, but I guess seeing so little is a good thing. I've also done an ipconfig release/renew and reset my modem to hopefully get a new IP address. I doubt these did anything really, but it was for my own peace of mind. I've also gone ahead and removed Avast. It was only a free trial, and so far Malwarebytes has impressed me way more than Avast ever did.

I had already added the IP address that was attempting to gain access to my computer to my Firewall block list before the last attempt came, which I figured would stop them all. I hadn't restarted my computer, so maybe it hadn't taken effect yet.

report_2022.02.04_11.16.05 as text.txt

  • Root Admin

Yes, basically Kaspersky confirmed the same: the computer itself is not infected. It's simply being probed, looking for a possible entrance.

Please restart the computer one more time and then do the following.

Run the Farbar tool again and click on SCAN and get me new, fresh logs for possible cleanup.

  • FRST.txt
  • Addition.txt

Thank you @Starbane

  • Root Admin

Thank you for the logs @Starbane

Please review this setting.

CHR Notifications: Default -> hxxps://garlandtools.org

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

Garlandtools is fine. It's a web tool to help track when certain nodes in Final Fantasy XIV are going to pop and provides an alert when it is within a certain time period of spawning and has spawned. Will report back when the tool has finished.

  • Root Admin

Yes, the computer looks to be really clean.

Secure Boot is enabled, that's good.

Windows File System Checker did not find any OS file integrity issues.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
    Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
    Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
