Jump to content

RTP Detection-COMPROMISED-Blocked Website (143.110.220.131)


guruuno

Recommended Posts

17 minutes ago, guruuno said:

End users goes to https://www.yahoo.com, he gets notifications (as per screenshot)....why, what, how?

Could you post the actual logs showing these detection's.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

 

Thank you

Link to post
Share on other sites

I am going to move you to the malware remove removal section. Please do the following to prepare for assistance.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/23/22
Protection Event Time: 5:41 AM
Log File: 72abc9c0-6b1b-11ed-bfba-a4bb6dd8b56b.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62669
License: Premium

-System Information-
OS: Windows 11 (Build 22000.1281)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 159.203.73.163
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe


-----------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/23/22
Protection Event Time: 5:05 AM
Log File: 5fe6314a-6b16-11ed-9a2a-a4bb6dd8b56b.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62669
License: Premium

-System Information-
OS: Windows 11 (Build 22000.1281)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: 
IP Address: 159.203.73.163
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

-------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/23/22
Protection Event Time: 5:04 AM
Log File: 3d03f252-6b16-11ed-ba1d-a4bb6dd8b56b.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62669
License: Premium

-System Information-
OS: Windows 11 (Build 22000.1281)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 159.203.73.163
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

--------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/22
Protection Event Time: 5:49 PM
Log File: fd94e18e-6ab7-11ed-a665-a4bb6dd8b56b.json

-Software Information-
Version: 4.5.17.221
Components Version: 1.0.1806
Update Package Version: 1.0.62649
License: Premium

-System Information-
OS: Windows 11 (Build 22000.1281)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 159.89.239.212
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

Link to post
Share on other sites

  • Root Admin

Hello @guruuno

Please post back the following and we'll see if we can determine why your system was reacting to those in the first place.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thank you @guruuno

[ 1 ]

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
CCleaner
(computer experts no longer recommend this program)
 

 

[ 2 ]

Your DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 3 ]

You have very old Cyberlink software from 2011 on the computer and it's faulting. Are you sure you still want or use this software?

Error: (11/22/2022 03:36:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The CLKMSVC10_9EC60124 service terminated with the following error:
The device is not ready.

S2 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [248304 2011-08-11] (CyberLink -> CyberLink)

 

[ 4 ]

Did you image or upgrade the current computer from a very old computer or take an old hard drive that had Windows on it and upgrade to Windows 11?

BIOS: Dell Inc. 2.16.0 09/02/2022
Motherboard: Dell Inc. 0HMF7C

You have a lot of very old software on the system that is not normal to be on a newer computer.

S3 nusb3hub; C:\WINDOWS\system32\drivers\nusb3hub.sys [80384 2010-09-30] (Renesas Electronics Corporation) [File not signed]
S3 nusb3xhc; C:\WINDOWS\system32\drivers\nusb3xhc.sys [180736 2010-09-30] (Renesas Electronics Corporation) [File not signed]
S3 SNXPPAMD; C:\WINDOWS\system32\drivers\snxppamd.sys [100728 2010-12-03] (SUNIX CO., LTD. -> SUNIX Co., Ltd.)
S3 SNXPSAMD; C:\WINDOWS\system32\drivers\snxpsamd.sys [97144 2010-12-03] (SUNIX CO., LTD. -> SUNIX Co., Ltd.)
S3 ST7007; C:\WINDOWS\system32\drivers\ST7007.sys [67696 2011-06-20] (STMicroelectronics -> STMicroelectronics)
S3 stdpms; C:\WINDOWS\System32\drivers\stdpms.sys [28904 2018-05-24] (Splashtop Inc. -> Splashtop Inc.)

 

[ 5 ]

Please run the following fix

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Running 'fixlist.txt' now, will provide file(s) upon completion as requested, sorry for the delay (holiday).

Question(s)?

You state: "CCleaner (computer experts no longer recommend this program)"...can you advise as to why?  Can you suggest alternative tool?

Yes, the new PC was upgraded with a Macrium image from a previous machine.

Does the 'fixlist.txt' address the files/items that you reference or do I manually do the removal?

Thanks

Link to post
Share on other sites

  • Root Admin

CCleaner falls into the category of Optimizer programs that Microsoft and most computer experts do not recommend. In general you can use built-in tools to do most operations.

See if this link helps

Modern File Cleanup Tools in Windows 11
https://answers.microsoft.com/en-us/windows/forum/all/modern-file-cleanup-tools-in-windows-11/e5bde52d-f128-4191-a9a4-256c9bb34e55

 

No, any listed OLD programs would need to be uninstalled by you.

Please go to Control Panel, Programs, Programs and Features. Locate and uninstall any programs you no longer use or want. Then restart the computer.

 

Link to post
Share on other sites

  • Root Admin

Thank you, that log looks good.

Let me have you run the following, please.

 

You will need to send Sophos an email to get the link to download, please do so.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.