Jump to content

Multiple outbound RTP detections from system file


Recommended Posts

This has been happening on and off for a while, it was one of the reasons I got premium after my trial expired, but I was absolutely spammed tonight with outbound detections from multiple IP addresses and different event types, all coming from "system". A full MWB scan doesn't pick anything up and I thought I'd try here before I do a knee-jerk format and reinstall. 

 

image.png.8f95fb12aede8ad3f3143752aae7b268.png

 

I've attached my FRST and Addition logs from Farbar and I ran it after shutting down my p2p software.

Any help would be appreciated, thank you <3

Addition.txt FRST.txt

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:      @Artifice

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

  • Root Admin

Good day, @Artifice

Are you running this miner on purpose?

HKU\S-1-5-21-902216114-1819380452-3658199673-1001\...\StartupApproved\Run: => "NiceHash Miner"

 

Please run the following fix. Once the fix has completed, please attach the FIXLOG.TXT file.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Hi AdvancedSetup, 

I've attached the requested log. 

RE the NiceHash miner: I was running it 12+ months ago but I haven't run the program since then, it's not set to run on startup or under any circumstances. I'm happy to uninstall it if you have security concerns and want me to. 

Thanks so much again for this help, and all the effort you put into plying your skills on this support forum. 

Fixlog.txt

Link to post
Share on other sites

  • Root Admin

Thank you for the log.

I don't know if it is actually running or not, but this line tells it to run

HKU\S-1-5-21-902216114-1819380452-3658199673-1001\...\StartupApproved\Run: => "NiceHash Miner"

 

The SFC program found and corrected some issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

 

Let me have you run the following, please.

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

Link to post
Share on other sites

Hi, I've attached the log. 

I think the RTP detections may have something to do with my p2p software or files? Last night, before I ran the microsoft safety scanner, I mis-clicked my qbittorent shortcut instead of my browser. It ran the program and briefly started seeding the files I share and MWB immediately started spitting out the same blocked outbound RTP dections from 'system'. These are the circumstances it's done this in the past too (when qbittorent runs).

 

image.png.3d4dfa674ed565db820ee10b00a092f9.png

 

msert.log

Link to post
Share on other sites

  • Root Admin

Yes, we block many IPs from torrenting when there is found to be actors pushing some type of threat from said IP.

Just so you're aware. Seeding P2P is considered participating in distribution. If you're seeding software or media that is not public domain or otherwise free, then you're potentially participating in a crime.

 

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007

 

 

The current logs are not showing signs of an infection. Aside from the P2P detection are you seeing any other signs of an infection?

Thank you

 

Link to post
Share on other sites

Understood, thank you again for all your help AdvancedSetup. I wasn't aware of Virustotal.com but I'll be using this from now on!

 

My OS boot drive became unbootable yesterday and I've re-installed a fresh windows on the same drive (not formatted, just moved old files to windows.old) and it seems to be working alright now. I started getting various blue screens, first a few WHEA Uncorrectable_Error out of nowhere, then a few back-to-back Critical_Process_Died errors once loading into my user account, I got a final ntfs.sys blue screen before the drive became completely unbootable. It's working with a fresh OS install today, but if it persists I'll format the whole m.2 drive, and RMA the drive if it continues. Short of that, I'll probably just put my PC into a shop.

Link to post
Share on other sites

  • Root Admin

If it were my computer I'd back up all my personal files. Format the drive and install a Clean fresh installation of Windows. It literally takes less than 30 minutes to reinstall Windows and be fully up to date. It may take a few days to customize how you want but then  you have a good, clean working computer again.

 

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.