Jump to content

Possible Infection: Large number of RTP connection attempts


Recommended Posts

Hi.

 

Malwarebytes detected and blocked a large number of attempted RTP connections, all apparently outbound. It went on for a few hours from about 11am to 3pm, almost every minute, with varying destination IPs. I did the usual scan with Malwarebytes and a full scan with KVRT but they came back clean.

I've attached the text files from FRST, hoping this might help.

The connection attempts seemed to have stopped.

Any idea what could have caused this and does an outbound connection mean I am infected?

 

PS: I use PIA as a VPN and this sometimes gets blocked (but not always).

FRST.txt Addition.txt

Link to post
Share on other sites

  • Root Admin

Hello @Jayems

Please uninstall the following. Go to Control Panel, Programs, Programs and Features

  • Bonjour

 

Error: (03/15/2022 04:32:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 872: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (03/15/2022 04:32:36 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 664: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (03/15/2022 08:40:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNS_Execute: SendQueries didn't send all its probes (72135773 - 72135773 = 0) will try again in one second

Error: (03/15/2022 08:40:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNS_Execute: SendQueries didn't send 469f0547._sub._apple-mobdev2._tcp.local. (PTR)

Error: (03/15/2022 08:40:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNS_Execute: SendQueries didn't send _apple-mobdev._tcp.local. (PTR)

Error: (03/15/2022 08:40:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNS_Execute: SendQueries didn't send _raop._tcp.local. (PTR)

Error: (03/15/2022 08:40:48 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNS_Execute: SendQueries didn't send _airplay._tcp.local. (PTR)

 

Then restart the computer and run the following scan. Make sure to exit out of Malwarebytes first.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

 

Link to post
Share on other sites

  • Root Admin

Let me have you run the two following scans

 

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 

image.png

 

 

 

NEXT ->

Click on  START - RUN and type in SIGVERIF and click OK
 
This is a Microsoft File Signature Verification program that will check the status of some files for us.

image.png

  • Click on the  START button and let it run. 
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the  File Signature Verification application.
  • On Windows 7 / 10 find and attach the file C:\Users\Public\Documents\SIGVERIF.TXT to your next reply.
  • DO NOT post the log directly into your reply, attach the file please.
 
 

Thanks

 

 

Link to post
Share on other sites

  • Root Admin

Thank you for the logs. The SIGVERIF indicates that you have one of your files that are not signed.  Opencl.dll

 

https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/sfc-detects-opencl-dot-dll-corrupted

 

Please open an elevated admin command prompt and run both of these commands.

Dism /online /cleanup-image /restorehealth

Then run this one

SFC  /SCANNOW

 

Let me know what the SFC command says

 

Link to post
Share on other sites

  • Root Admin

Not sure if this affected you or not but have a read here

https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/

The listed file in that article is not the same file so it may not be related

Edited by AdvancedSetup
Updated info
Link to post
Share on other sites

I haven't got an Nvidia GPU so doubt it.

The checks and scans have completed.

image.png.cdb61f96698ef01a414607da8f15528f.png

 

Today the issues detected by MWB only went on for 1 hour (2pm to 3pm). Nothing since. This was the last reported:

image.png.1cdc1fb9e89fa5c82e4330f86786f21f.png

The only out of the ordinary entry is an exploit attempt relating to explorer. I've attached the txt.

I'm a bit paranoid and tempted to do a completely fresh install, but really don't feel like the hassle.

 

Explorer_exploit.txt

Link to post
Share on other sites

  • Root Admin

Please do the following.

Start Malwarebytes, go to Settings, General, scroll to the bottom and click on the Restore default settings button

image.png

 

Then go to Security and scroll to the bottom and check the Advanced settings button

image.png

 

Then click on the Restore Defaults button

image.png

 

Then restart the computer and keep an eye on things and let me know if you continue to get the Exploit warning anymore

 

Edited by AdvancedSetup
Updated info
Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.