CyrodiilWarrior Posted October 20, 2022 ID:1538615 Share Posted October 20, 2022 (Moderators, please relocate this forum topic if in the wrong location) With the Facebook data leak news, I have started to take internet security and data protection much more seriously. I have used password utility tools to improve the security of internet passwords. I use code generators to authorize logins. I have used Malwarebytes and recently re-purchased a subscription. I noticed some detections on my system from something GameMaker related. I had the tool remove that from the system. I am worried with the string of RTP detections every now and then. I have done scans of my system. I really hate resetting Windows 11 and reinstalling everything. Is this something I should be concerned with? My activity involves: browsing social media (Facebook, Reddit, TikTok), watching YouTube, reading the news, internet forums. Games downloaded through Steam or GOG. Mod websites such as NexusMods. I may not have my internet browser open and these popup notifications still come. Link to post Share on other sites More sharing options...
1PW Posted October 20, 2022 ID:1538625 Share Posted October 20, 2022 Hello @CyrodiilWarrior and : While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following: I'm infected - What do I do now? Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic. Thank you. Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 20, 2022 ID:1538655 Share Posted October 20, 2022 Hello @CyrodiilWarrior I will guide you along on looking for remaining malware. Lets keep these principles as we go along. Removing malware can be unpredictable Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply The IP block actions by Malwarebytes are keeping the machine safe from potential threats. I do need the support zip reports to see more detail ( the screen grabs just do not have full details + those screens give no clue as to what processes are running. For Your Information: The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm. A block notice is an advisory of the "block". A "malicious website blocked" is entirely different from a "malware detected" event. The website Block message indicates that a potential risk was blocked by the malicious website protection. The Malwarebytes web protection, by default, will always show each IP block occurrence. The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC. Incoming block notice can be ignored, Malwarebytes software is blocking the threat and there is nothing more that can be done. On Outbound blocks, any attempted connection was Stopped ( halted) . No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56). A browser is not required to be running, just an active Internet connection with processes running, such as Instant messenger clients, Discord, SKYPE or Peer-to-peer software, to trigger these alerts. These may also triggered by banner ads running on websites (or ads embedded in Email ) which is the most common form of alert. See support article "Received a Website Blocked notification from Malwarebytes for Windows" NOTE: If you have a PRO or Enterprise edition of Windows, and if RDP Remote Desktop is not used a lot by you, you should consider turning off the Remote Desktop feature in order to lower the machine's exposure to potential exploitation. Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 23, 2022 ID:1538970 Share Posted October 23, 2022 Hello @CyrodiilWarrior I hope you are doing well. How are you doing as concerns the initial tips above ? Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted October 25, 2022 Author ID:1539161 Share Posted October 25, 2022 Hello everyone, sorry for the delay. Whilst trying out the free GameMaker utility, I had downloaded some assets which were removed by Malwarebytes. My last Malwarebytes blocked website was 23/10 and today is 25/10. I'll monitor the machine as time goes. Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 25, 2022 ID:1539250 Share Posted October 25, 2022 (edited) Hello. I would like a report set for review. This is a report only. Just a report. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply Edited October 25, 2022 by AdvancedSetup Corrected font issue Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 28, 2022 ID:1539695 Share Posted October 28, 2022 Hello. I have not heard back from you. Looking for the ZIP file from support-tool. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544246 Share Posted December 3, 2022 On 10/28/2022 at 8:41 PM, Maurice Naggar said: Hello. I have not heard back from you. Looking for the ZIP file from support-tool. Hello sorry for the late reply. I've recently reinstalled Windows 11. Not as often, but I am still getting some RTP detections. I'll upload later this evening. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544247 Share Posted December 3, 2022 mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 3, 2022 ID:1544270 Share Posted December 3, 2022 (edited) Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items. Select View → Show → File name extensions simply download & save a new copy of the tool FRST64.exe and SAVE to the Downloads folder. Be sure to do that. from this link This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity. To clear temporary cache on web browsers . To rebuild the Winsock. It will delete temporary file areas. This is not a cure-all. This custom script is for CyrodiilWarrior only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app. We will use FRST64.exe on the Downloads folder to run a custom script . The system will be rebooted after the script has run. Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply. Please only attach logs, reports as we go along. By the way, I did notice that this machine has active protection from BITDEFENDER. Edited December 3, 2022 by Maurice Naggar corrected link Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544284 Share Posted December 3, 2022 3 hours ago, Maurice Naggar said: Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items. Select View → Show → File name extensions simply download & save a new copy of the tool FRST64.exe and SAVE to the Downloads folder. Be sure to do that. from this link This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity. To clear temporary cache on web browsers . To rebuild the Winsock. It will delete temporary file areas. This is not a cure-all. This custom script is for CyrodiilWarrior only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt 8.97 kB · 0 downloads <<< - - - - - Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app. We will use FRST64.exe on the Downloads folder to run a custom script . The system will be rebooted after the script has run. Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply. Please only attach logs, reports as we go along. By the way, I did notice that this machine has active protection from BITDEFENDER. The link to FRST64.exe isn't working so not able to download the file. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544285 Share Posted December 3, 2022 Also I have only had Malwarebytes for a long time. Ran the BitDefender installer and it asked me to remove Malwarebytes (replace it with BitDefender) so I cancelled that install. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 3, 2022 ID:1544286 Share Posted December 3, 2022 If this machine is running Windows 11: Here is a good reference for how to turn off Smartscreen feature, so that we can do the work / the reports that we need. It also has some excellent screen image samples of how to do this. See the OPTION TWO at this link on Elevenforumhttps://bit.ly/3Q9Bhq6 Turn OFF Smartscreen feature. ( when we are ready to close this case, you may go back & turn it back ON if you wish ). NOW get and save FRST64 just like I listed before on my earlier reply, and then do all the rest just like I listed. https://forums.malwarebytes.com/topic/291240-rtp-detections-malwarebytes/?do=findComment&comment=1544270 Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544287 Share Posted December 3, 2022 20 minutes ago, Maurice Naggar said: If this machine is running Windows 11: Here is a good reference for how to turn off Smartscreen feature, so that we can do the work / the reports that we need. It also has some excellent screen image samples of how to do this. See the OPTION TWO at this link on Elevenforumhttps://bit.ly/3Q9Bhq6 Turn OFF Smartscreen feature. ( when we are ready to close this case, you may go back & turn it back ON if you wish ). NOW get and save FRST64 just like I listed before on my earlier reply, and then do all the rest just like I listed. https://forums.malwarebytes.com/topic/291240-rtp-detections-malwarebytes/?do=findComment&comment=1544270 Your previous reply says this link which takes me to this forum post. So I was unable to download FRST64 sadly. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 3, 2022 ID:1544288 Share Posted December 3, 2022 My sincere apologies. save a copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544291 Share Posted December 3, 2022 1 hour ago, Maurice Naggar said: My sincere apologies. save a copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ The FixLog.txt Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 3, 2022 ID:1544292 Share Posted December 3, 2022 Windows Resource Protection found corrupt files and successfully repaired them. The custom-fix-script run is beneficial. Please do a new scan with BitDefender. Let me know the result. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 3, 2022 Author ID:1544293 Share Posted December 3, 2022 2 minutes ago, Maurice Naggar said: Windows Resource Protection found corrupt files and successfully repaired them. The custom-fix-script run is beneficial. Please do a new scan with BitDefender. Let me know the result. I never fully installed BitDefender since it asked to remove Malwarebytes as my protection utility. I wanted to keep Malwarebytes and just exited the installer which probably left files behind. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 4, 2022 ID:1544297 Share Posted December 4, 2022 In that case, get & save the corresponding uninstaller from Bitdefender https://www.bitdefender.com/links/uninstall_consumer_trial.html and then run the uninstaller. Then Restart Windows. One must always cleanup after trying a antivirus & moving away from it to another security product. Your machine has leftover drivers of BitDefender. Let me know after this has been cleaned up. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 4, 2022 Author ID:1544318 Share Posted December 4, 2022 I used - uninstall Bitdefender Total Security. Wasn't sure what my one was. Either that one or Bitdefender Internet Security. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 4, 2022 ID:1544324 Share Posted December 4, 2022 Alright. I will guide you to running other scans. Most will be the type that is not uninstalled as a installed-application. They are just run on-demand. We will run them just to see whether there is actually any virus or trojan or malware or adwares. First, an adjustment. Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Close Malwarebytes. > The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply. We will do more later. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 4, 2022 Author ID:1544332 Share Posted December 4, 2022 The log says no infection found but during scan I noticed 3. msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 4, 2022 ID:1544338 Share Posted December 4, 2022 No virus, no trojan, no malware reported at the end of the run, which is all that matters. Results Summary: ---------------- No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Sun Dec 4 20:01:08 2022 The interim visual on-screen display is not actual-real-confirmed stuff. This next scanner is also on-demand type. It does not install. You get it, save it, then run it. ESET Online scanner has a excellent & high reputation. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Full scan Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occurred and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 5, 2022 Author ID:1544374 Share Posted December 5, 2022 So I'm running the long process of the ESET full-scan. I just want to mention the Malwarebytes popup. RTP detection, action: blocked website 05.12.22, 08:53 UK time: 107.189.13.47 File: C:\Windows\System32\svchost.exe If this is of any use or concern. Link to post Share on other sites More sharing options...
CyrodiilWarrior Posted December 5, 2022 Author ID:1544383 Share Posted December 5, 2022 (edited) The open-source game - 0 A.D. - uses a Torrent download - https://play0ad.com/download/win/ - long in the past I have used Torrent for big game mods too as them being compressed makes them easier. Perhaps an infection was among some old backup storage files. I wonder about my OneDrive too as that automatically re-downloads cloud files too. I am not sure if that backups AppData, but I know it backup Desktop, Documents, Pictures, Downloads, etc. It is possible this had backed up AppData in the past for modded Minecraft. When you use Technic Launcher for Minecraft and download a Minecraft modpack, it stores the modpack files in the AppData directory. eset.txt Edited December 5, 2022 by AdvancedSetup Disabled live hyperlinks Link to post Share on other sites More sharing options...
Recommended Posts