Jump to content

RTP Detection Compromised

Go to solution Solved by AdvancedSetup,

Recommended Posts

Hello, I have recently been getting scary detection notifications from specific IP addresses; I have attached a couple of the logs that show the IP addresses.

The 2nd IP address popped up after I added a rule to the firewall blocking the first IP address.

The fact these are outbound, and come from "System" is putting me into panic mode, and is making it tough to figure out the source.

Any help would be greatly appreciated.

1.txt 2.txt

Link to post
Share on other sites

Forgot to mention that I finished full scans using Malwarebytes, and KVRT, nothing detected.

I ticked all the boxes for adwcleaner's basic repair options, and did those as well, unfortunately that did not resolve the issue either.

If any other information is required, please let me know, and thank you in advance.

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:      @Mclaren


My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.


To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you


Link to post
Share on other sites

  • Root Admin
  • Solution

Well, I see you're using Private Internet Access and some of the blocks are from that. All VPN products have to deal with bad actors also using their networks. It seems that PIA has more than many other do so when possible you should try to use another server connection if you do get a block.

Your system is listed as US English, yet your Windows Defender is logging in what appears to be Japanese?

Platform: Microsoft Windows 10 Pro Version 21H2 19044.1949 (X64) Language: English (United States)

Windows Defender:
Date: 2022-08-31 08:00:18
Microsoft Defender Antivirus スキャンは完了する前に停止しました。
スキャン ID: {4505B79A-C615-4CDA-8C06-ADF6C4E80B42}
スキャンの種類: Antimalware
スキャン パラメーター: Quick Scan


You have CMD.EXE from Google Chrome which is also unexpected. Did you use a batch file or command line to launch Google Chrome?

(C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe



Please go to Control Panel, Programs, Programs and Features and uninstall  the following.

CCleaner (computer experts no longer recommend this program)




Please run the following fix. Once the fix has completed, please attach the FIXLOG.TXT file.


Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.




Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Thank you for the quick reply, for some reason the site is spam blocking me from sending the fixlog, as for the rest of what you mentioned:

1. PIA blocked IPs tend to show the file originating from the PIA executable, but that isn't the case with these IPs, the origin file shows up as "system", and they show up even with the VPN service off.

2. My system's locale is set to Japanese, and the language is set to English, so that is probably what is causing that matter.

3. I have uninstalled CCleaner as suggested.

4. I do not use CMD to start Google Chrome, so this one is quite odd for me as well. Not sure if this will help, but here are my Google Chrome extensions: Privacy Badger, HTTPS Everywhere, UBlock Origin (only filters enabled), Malwarebytes Browser Guard, and a Password Manager.



Link to post
Share on other sites

I have noticed that all unusual traffic is going through port 137, so I blocked the port on both TCP, and UDP, but that hasn't fixed the issue either.

All network sharing is disabled, so it's quite unusual for anything to go through that port. No port forwarding has been done on the network either.

sidenote. yet more IPs have been added to the list.

4.txt 5.txt

Link to post
Share on other sites

It's currently scanning, but as that is going, I have checked my network traffic using Glasswire, and it shows me that the following file (c:\windows\system32\ntoskrnl.exe) is the source of the unusual traffic. There are over 200 IPs associated with the unusual traffic utilizing that file. Is the system infected on the kernel level?

Link to post
Share on other sites

Should've listened to you when you said it's the VPN. I tried uninstalling it, and suddenly all of that shady traffic vanished!

I don't understand how that's normal VPN traffic, especially with over 200 IP addresses in the background, so I will be contacting them regarding the matter now.

Once again, thank you for your patience, and assistance 🙂.

Link to post
Share on other sites

  • Root Admin

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)


  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.