Jump to content

RTP Detection - Blocked Website


Recommended Posts

Hi everyone,

 

I've been scratching my head for the past day or so at these recent popups from Malwarebyes claiming it has blocked a website due to it being compromised. Most of these attempts are inbound and with a little bit of research, I've found this to be somewhat common and the PC is most likely not infected. I have received a notification about an outbound connection from 'HxOutlook.exe', but I believe these notices are due to the insane amount of spam I'm getting on the default windows 'Mail' client at the moment.

 

Anyways, I've done a few steps that I've seen recommended to see if I can gather some more information but I'm not exactly an expert and was wondering if it would be possible at all for anyone to offer assistance?

 

I've noticed that all of these attempts are from different IP addresses but all target the same port (445). I used Farbar Recovery Scan (files attached) and found a Chrome extension (Sketchpad) that I have never installed. In fact, it has never showed up in my Google Chrome extensions at all. I went to go and look for it within the extension browser and... nothing. I navigated to the folder listed and deleted all of the files from there, just for the sake of it.

I've also performed scans with Malwarebytes, Windows Security and Karpovsky, all of which have returned nothing.

 

I believe that my PC isn't infected but, like I said, I'm no expert and could've easily missed something. I would really appreciate if someone could double check these to help give me some additional piece of mind.

 

I've attached the FRST files and exports of some of the logs from Malwarebytes detections (3 most recent and 2 of the outbound ones from yesterday). I've also attached a netstat grab because I thought there was some interesting entries, but these could be nothing (i.e. pog:https sounds... concerning)(also yes my PC is named NASA because when I built it, it was a pretty beefy machine and I thought it was funny. :) )

 

Thank you so much in advance.

Addition.txt FRST.txt Outbound1.txt Outbound2.txt Recent1.txt Recent2.txt Recent3.txt netstat.txt

Link to post
Share on other sites

  • Root Admin

Hello @Blaizen and :welcome:

 

Please review the following

 

Your DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

Did you install this application or some application that uses it?

https://parsec.app/

It looks like it is on the system as a hidden service

"Parsec" => service could not be unlocked.
HKLM\SYSTEM\ControlSet001\Services\Parsec => "C:\Program Files\Parsec\pservice.exe"

 

 

 

Please run the following fix. When done, please attach the FIXLOG.txt file.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Thank you for the warm welcome and advice!

I've gone ahead and switched to Google's DNS through my router. Hopefully this is okay.

As for Parsec, yes I did install this perhaps just a few hours prior to creating this post. I was receiving the 'RTP Detection' notifications before installing. It's a screen-sharing application that allows for gamepad input I was testing with friends. I've since uninstalled it however.

 

I've run the fixlist as requested and attached the Fixlog.txt

Thanks again.

 

Fixlog.txt

Link to post
Share on other sites

  • Root Admin

That was a good run and many items were fixed.

Windows Resource Protection found corrupt files and successfully repaired them.

Please run the following

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

Link to post
Share on other sites

  • Root Admin

Great, that looks good. It found a policy setting and removed it.

Please run the following for me

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thank you, sorry about that. Yes, Malwarebytes can stop the process sometimes. Glad you figured it out. @Blaizen

 

Please uninstall, update, or otherwise address the following as appropriate for your computer.

 


--------------------------- [ OtherUtilities ] ----------------------------

TeamViewer v.15.24.5 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------

7-Zip 21.07 (x64) v.21.07 Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update


------------------------------- [ Imaging ] -------------------------------

GIMP 2.10.30 v.2.10.30 Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------

Discord v.1.0.9001 Warning! Download Update


-------------------------------- [ Java ] ---------------------------------

Java 8 Update 331 (64-bit) v.8.0.3310.9 Warning! Download Update
Uninstall old version and install new one (jre-8u333-windows-x64.exe).


-------------------------------- [ Media ] --------------------------------

Audacity 3.0.4 v.3.0.4 Warning! Download Update

VLC media player v.3.0.14 Warning! Download Update


--------------------------- [ AdobeProduction ] ---------------------------

Adobe Creative Cloud v.5.5.0.617 Warning! Download Update


------------------------------- [ Browser ] -------------------------------

Google Chrome v.102.0.5005.115 Warning! Download Update

 

 

Once those updates have completed, restart the computer. Then click on START SEARCH  and type in "Check for updates" and allow Windows to scan for and install any updates it finds.

 

Let me know how the computer is running now and if there are still any signs of an infection

 

Cheers

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

No worries! Just thought I'd mention it, just in case.

 

I've actioned everything outlined by SecurityCheck and decided to delay my response as the detection notifications can range from a few minutes to a few hours.

 

Unfortunately, I did just have another 'RTP Detection' notification come up now.

 

Also, out of curiosity, am I able to enquire about what would've happened with these attempts if I DIDN'T have Malwarebytes installed? My networking & cybersecurity knowledge is a bit more limited in comparison to general PC knowledge.

 

Thank you again for all of the help so far!

Link to post
Share on other sites

  • Root Admin

Let me get the current protection logs showing this detection, please. @Blaizen

 

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

 

 

Link to post
Share on other sites

Hi,

Apologies for the delay, I had some personal things come up that took me away from my PC longer than expected.

 

I've attached the 2 most recent logs (from approx. 2 hrs ago). They are roughly the same as the original logs but different IP addresses and different ports.

 

Thanks again!

1.txt 2.txt

Link to post
Share on other sites

  • Root Admin

Those are INBOUND blocks. Your original issue was OUTBOUND blocks.

Inbound is someone remotely pinging your system looking for open ports to exploit.

Outbound is something already on your computer reaching out. We can locate and correct outbound but aside from blocking inbound probing all we can do is block. In most cases those type of blocks go away on their own within a few days or less.

 

Link to post
Share on other sites

My original issue was primarily with the inbound attempts. The outbound attempts, as mentioned in the OP, were seemingly coming from the default Windows Mail application (HxOutlook.exe) and were linked to the insane amount of spam that was reaching my email address due to a recent breach/leak. The outbound connection notifications would pop whenever I was going through my emails and opened one of these from my inbox (not clicking links, just opening the emails as Mail likes to open them automatically). I merely added these just as an 'in-case'. I understand outbound is thoroughly more concerning but it all adds up to just Mail trying to preload content. I could, of course, be wrong but these outbound attempts don't happen unless I'm actively going through my emails and the links within the logs correspond with the links in the spam.

 

You can see the inbound attempts that I was querying in the 'Recent1, 2 3' text files attached in OP.

 

I appreciate all of the help provided with these issues.

Link to post
Share on other sites

  • Root Admin

Again, INBOUND is a remote system. Malwarebytes is doing its job in blocking them.

You can add them to your Windows Firewall as well but since Malwarebytes is on the same level as the Firewall it would still see them at the same time and more than likely block them at the same time the firewall would attempt to block them.

To fully drop those network packets you would need to be able to block them on your router or add an external firewall device that does allow you to fully manage it. In most cases having an expanded perimeter firewall device is beyond the cost expectations and too complex for most home users.

pfsense is one of the most well-known and trusted external to Windows firewalls.

https://www.pfsense.org/products/

 

Malwarebytes is doing its job though as said. It is blocking the INBOUND requests

 

 

Link to post
Share on other sites

  • 4 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.