Compromised RTP Detection
Hello.

I will guide you along in looking for remaining malware. Let's keep these principles as we go along.

  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • Please don't run any other scans, or download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling web surfing.
  • The removal of malware isn't instantaneous; please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to exit out of it while this case is ongoing.

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach mbst-grab-results.zip to your reply.
  • I do need the support zip reports to see more detail (the screen grabs just do not have full details, and those screens give no clue as to what processes are running).

Thanks for the report. These are the first initial steps. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article.
Please use this Guide.

( Step 2 )

We need to ensure that Microsoft Defender antivirus is Enabled. This install of Malwarebytes is a trial.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
( We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. )

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

( Step 3 )

I really suggest that you turn off Windows' Remote Desktop Protocol (RDP).

The issue (of block notices) that started out this case was due to attempted probes from the outside.

The real-time protection of Malwarebytes for Windows is keeping the pc safe. It will continue to do so, given that you have the Malwarebytes trial in effect.

Here are some general conclusions & some tips.

The blocks are on addresses that are attempting to do a forced  attempt to exploit remote-desktop-protocol.

The Real-Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

I would recommend that if you have internet-connection-router hardware at home, you look over this article
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

 

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

This pc is on Windows 10 PRO  and if you do not need or use Remote Desktop,  you should turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

This Windows version is a PRO edition.
The probers look for PRO or Enterprise editions as a prime potential target for exploitation.

ALSO see this Malwarebytes support article
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

I will be posting another follow-up procedure, for this machine, soon.

Edited by Maurice Naggar
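The RDP shut-off and the per-IP firewall block that the post above describes through the GUI, as an added example in PowerShell (not part of the original post or of any Malwarebytes tooling). It runs from an elevated prompt on Windows 10 Pro, first reporting the current state, then making the change, then verifying it. The address in $ProbingIp is a placeholder from the TEST-NET-3 documentation range; substitute the address shown in the Malwarebytes block notice.

```powershell
# Added example, not from the forum post: audit and harden RDP exposure on Windows 10 Pro.
# Run from an elevated PowerShell prompt. $ProbingIp is a placeholder; substitute the address
# from the Malwarebytes block notice.
#Requires -RunAsAdministrator
$ProbingIp = '203.0.113.45'   # placeholder (TEST-NET-3 documentation range), not a real attacker IP

# 1. Report current RDP state. fDenyTSConnections = 1 means Remote Desktop is disabled.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host "Remote Desktop currently: $(if ($deny -eq 1) { 'disabled' } else { 'ENABLED' })"

# Is anything listening on TCP 3389 right now? (Empty output means no RDP listener.)
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Disable Remote Desktop and switch off the built-in firewall exceptions for it.
Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Block the probing address inbound, all protocols, all network profiles.
$ruleName = "Block inbound from $ProbingIp"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $ProbingIp -Profile Any -Enabled True | Out-Null
}

# 4. Verify: the block rule exists and is enabled, and the Remote Desktop rule group is off.
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
```

The per-IP rule is a stop-gap, as the post says: probers rotate addresses, so disabling the RDP listener and its firewall exception is the change that actually removes the attack surface.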

After applying the tips above, Do this.

This is intended to check the system using Windows SFC & DISM, to rebuild the Winsock, and to clear the temporary cache files of the web browsers. This also will attempt to ensure that Microsoft Defender antivirus is on & up to date.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  KenjieDec  machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt   <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the "More info" line on that screen and click the "Run anyway" button on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.  Please attach the Fixlog.txt with your next reply.

AND by the way, when you are finished using this computer at end-of-day, don't leave it in Sleep mode. Do a daily Windows SHUTDOWN so that this machine is not able to be "found" by the potential probers.

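The repair steps the post above says the FRST fixlist performs (DISM, SFC, Winsock reset, Defender status and update), run directly from an elevated PowerShell prompt, as an added example. This is not the FRST fixlist from the post and does not replace it; it shows what those individual steps look like and records their output in a transcript on the Desktop so the results can be reviewed after the restart. The browser-cache cleanup from the post is deliberately left out, because deleting profile folders is browser-specific.

```powershell
# Added example, not the FRST fixlist from the post: the same repair checks run directly from an
# elevated PowerShell prompt. Each step logs to a transcript so the result can be reviewed later.
#Requires -RunAsAdministrator
$log = Join-Path $env:USERPROFILE 'Desktop\repair-transcript.txt'
Start-Transcript -Path $log -Append

# 1. Repair the component store first, then the protected system files that depend on it.
DISM.exe /Online /Cleanup-Image /RestoreHealth
sfc.exe /scannow

# 2. Rebuild the Winsock catalog (takes effect after the restart at the end).
netsh.exe winsock reset

# 3. Confirm Microsoft Defender is on and current. Real-time protection only reports enabled when
#    no third-party AV has registered as the primary product, so check status before updating.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled     = $mp.AntivirusEnabled
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    SignatureAgeDays     = $mp.AntivirusSignatureAge
    SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
} | Format-List
Update-MpSignature -ErrorAction Continue

# 4. Quick scan after the update so anything the fresh signatures cover is caught now.
Start-MpScan -ScanType QuickScan

Stop-Transcript
# Prompt before restarting so open work can still be saved.
Restart-Computer -Confirm
```

If RealTimeProtection reports False while Malwarebytes is still registered in Windows Security Center, that is the reason for Step 2 earlier in the thread: Defender only runs real-time protection when no other product claims the primary role.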

The custom-fix run is a good run. BUT there is an indication of the presence of a cracked / hacked app here, like D:\Games\CorelDRAW.Graphics.Suite.22.0.0.412.x86\Keygen\xfcdgs2020.exe

I have to be assured that that is uninstalled, along with any other such app. The safety of this system depends on not having such apps.

Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now.

Hi. 

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At the screen "Detections occurred and resolved", click on the blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Another scan. This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add
-dontcrypt

Note the space between KVRT.exe and -dontcrypt

C:\Users\User\DESKTOP\KVRT.exe -dontcrypt

should now show in the Run box.

That addendum to the run command is very important.


To start the scan, select OK in the "Run" box.

The "Windows protected your PC" window will open; select "More Info".

A new window will open; select "Run anyway".

An EULA window will open; tick both confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough, so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs, do not use your PC for anything else.

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Log files can be found on your system drive (usually C:), similar to this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20221103_103821.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply.

Hi. 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log report file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. Let me know, How is the situation, overall, at this point ?


For Your Information: The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Web Protection feature will advise customers when an attempt is made to reach a known or suspected malicious IP (outgoing) or when such an IP is trying to access your PC.

Incoming block notices can be ignored; the real-time protection of the trial Malwarebytes is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.

As far as the MS Safety Scanner, it reported zero virus or trojan or malware.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sat Nov  5 20:51:04 2022


Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

See Support article how-to for Firefox

For the EDGE browser https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser

Note: If your pc also has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).


If your computer is just used as a stand-alone at home ( meaning it is not on a home network where extensive file sharing is used), then you can try and block port 445

Here is how to block a port number in Windows
https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

Then see if that helps out.  In any event, be sure that at the end of each day, you do a Windows SHUTDOWN.  That is a best practice in any event.

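The port 445 block from the post above, as an added PowerShell example (not part of the original post). It first applies the post's own caveat as a check: if the machine has custom shares or active SMB sessions, it is not the stand-alone case the post describes and the block would break file sharing, so the script stops and reports instead. Otherwise it creates the inbound block rule for TCP 445 on every profile and verifies it. Run from an elevated prompt.

```powershell
# Added example, not from the post: check whether SMB file sharing is actually in use before
# blocking TCP 445 inbound, which the post advises only for a stand-alone home machine.
#Requires -RunAsAdministrator

# 1. Shares beyond the built-in ones (ADMIN$, C$, IPC$ are flagged Special) or active sessions
#    mean something on the network relies on SMB to this machine.
$customShares = Get-SmbShare | Where-Object { -not $_.Special }
$sessions     = Get-SmbSession -ErrorAction SilentlyContinue
if ($customShares -or $sessions) {
    Write-Warning 'Custom shares or active SMB sessions found; blocking 445 would break them:'
    $customShares | Select-Object Name, Path | Format-Table -AutoSize
    $sessions | Select-Object ClientComputerName, ClientUserName | Format-Table -AutoSize
    return
}

# 2. Stand-alone machine: block inbound SMB on every network profile, then confirm the rule.
$ruleName = 'Block inbound SMB (TCP 445)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 445 -Profile Any -Enabled True | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 3. The listener itself stays open (Windows keeps the SMB server bound to 445); the firewall
#    rule is what now drops inbound connections to it.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Unlike the RDP case earlier in the thread, port 445 cannot simply be switched off on a Windows client, which is why the post frames this as a firewall block rather than a service change.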

Port 0 is not a real port number. However, you can use that guide & see if you can block that port for both Inbound and outbound.

Leave port 135 alone. It is used by legitimate processes.

I would ask whether you turned off RDP like I listed (way earlier)? Turn off Remote Desktop.


I do not need screen grabs.  You can if you wish, put that IP address in the firewall block list for Inbound. here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

Try this also: log out of Windows, do a Windows SHUTDOWN, and let this machine be powered off and unused for, say, 3 hours so that your machine is no longer "there" and is totally unreachable by the outside.
Again, note the "compromised" in that notice. It is the outside IP address that is compromised. NOT your machine!

And the BLOCK is STOPPING any potential harm.
