RTP inbound connections

[rayliu244]

Hello, my name is Ray

About a month ago I found a piece of malware on my computer and got rid of it through windows defender, I scanned with various scanners including malwarebytes, hitmanpro, etc. and they all came up clean. Since then, however, and since buying and installing malwarebytes premium, I've had constant RTP inbound connection warnings from a variety of different IP addresses. They're mostly with port 445, but sometimes with 139, 135, and others. I tried blocking them in my local firewall but I still receive the detections.

I understand that the detections don't mean I'm infected, however as I understand from looking through other forums with the same issue, it is highly unusual to have these detections last for longer than a couple days, and this has been going on for a full month. It's also odd that they're all from different IP addresses, and thus I cannot efficiently block them. 

Looking for some help on this issue,

Thanks.

 

 

[Porthos]

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks

[rayliu244]

Thanks for the reply,

Here's the results.

mbst-grab-results.zip

[AdvancedSetup]

Hello  and       @rayliu244

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

• Please follow all steps in the provided order and post back all requested logs
• Please attach all log files to your post, unless otherwise requested
• Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
• Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
• Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
• Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
• Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
• Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
• Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
• If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

 

[ 1 ]

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Java(TM) SE Development Kit 16.0.2 (64-bit)
 

[ 2 ]

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\rayli\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

 

Edited February 26 by AdvancedSetup
Updated information

[rayliu244]

Hi, thanks for the reply.

I've uninstalled Java(TM) SE Development Kit 16.0.2 (64-bit).

I saved the fixlist and ran the farbar scan.

Here's the log:

Fixlog.txt

[AdvancedSetup]

Thank you for the log @rayliu244 that ran well and removed most of the targeted items.

It also found and fixed some Windows issues

Windows Resource Protection found corrupt files and successfully repaired them.

 

 

Please follow the directions from the following topic.

 

 

 

Once that has been completed, please run the following

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

[rayliu244]

Hi, thanks for the reply,

before I try the google sync fix, I’m wondering since I have my google sync on for 2 computers and I also have sync on for the chrome app on my iPhone, should I turn sync off for all of them before doing the reset fix on my main computer, then do the fix on the 2nd computer, and then turn sync on again on all 3 devices including my iPhone? 

[AdvancedSetup]

Yes, unfortunately that is the issue with using something like Google, Microsoft, Firefox sync. It makes it very convenient but when something bad or potentially bad gets on the system then it can be a bit time consuming to clean up as you also should clean the other devices to make sure you don't sync it back.

If you're reasonably sure that Google is okay and not doing anything wrong you can skip the cleanup, it's up to you. I personally don't use any of the sync systems, but I do this for a living and prefer security over convenience. 

Please go ahead though and run the Safety scan from Microsoft @rayliu244

 

[rayliu244]

I just recently did a cleanup regarding google chrome sync after finding and removing some adware with adwcleaner a week or so before, is there anything in my previous fixlog that indicated that something is currently wrong with my google chrome? Otherwise I've had no apparent issues with it.

I'll go ahead with the microsoft safety scan in the meantime.

[rayliu244]

Hello,

I ran the microsoft safety scan and it states there were no detections found. I attached the msert file.

msert.log

[AdvancedSetup]

That's good news. Are you still getting any alerts? @rayliu244

 

Please run the following to check on other programs on the system.

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If Microsoft SmartScreen blocks the download, click through to save the file
• This tool is safe.   Smartscreen is overly sensitive.
• If SmartScreen blocks the file from running click on More info and Run anyway
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Thank you

 

 

[rayliu244]

Hi, here is the text file from the securitycheck scan.

Also, I was wondering if there was anything in the previous fixlog that made you suggest I reset my google chrome sync? Is there some kind of adware or anything on my chrome?

SecurityCheck.txt

[rayliu244]

And I'm still getting the RTP inbound connection alerts as of 6:13 PM yesterday (2/26/23).

[AdvancedSetup]

Thank you for the log @rayliu244

Only that I see that Google Chrome is your default browser and that of the thousand and thousands of systems I've fixed over more than a decade, the vast majority are running Google Chrome and have been infected via tricks often used against Google Chrome.

Being the largest market share makes Google Chrome a target for those trying to infect the computer. Thus cleaning is often a good practice to help keep the computer safe.

 

Please uninstall, update, or otherwise address the following as appropriate for your system.

• Discord v.0.0.309 Warning! Download Update
• HandBrake 1.4.1 v.1.4.1 Warning! Download Update
• Malwarebytes version 4.5.22.236 v.4.5.22.236 Warning! Update Malwarebytes
• Microsoft Teams v.1.4.00.22472 Warning! Download Update
• VLC media player v.3.0.17.4 Warning! Download Update
• WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update
• Zoom v.5.9.1 (2581) Warning! Download Update

 

 

Please note that INBOUND blocks indicate that Malwarebytes is doing it's job to prevent probes from remote systems that are attempting to find exploits. In most cases those type of attacks will subside and go away on their own within a week or less.

We scan and clean your computer to make sure that there is nothing that may have helped lead to your computer being contacted.

 

Thank you

 

[rayliu244]

Hi, I updated or uninstalled the listed programs. I also received another block just now. I understand that it does not indicate an infection, however this has been going on constantly for longer than a month now. Every hour or so there is a new block from a new IP address, many from different countries, so I'm wondering if there is any precedent for this or any reason for these probes to be going on for so long.

[AdvancedSetup]

Do you own your own router or do you rent it from your ISP (Internet Service Provider)

 

[AdvancedSetup]

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

• Disable acceptance of ICMP Pings
• Change the Default Router password using a Strong Password
• Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
• Disable Remote Management
• Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
  Example: Keep IoT devices on one network and mobile devices on another.
• Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
• Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
• Document passwords created and store them in a safe but accessible location.

 

 

[rayliu244]

Hi, I do not own the router so I'm unable to access it. When i'm getting these block alerts from malwarebytes, does that mean that these inbound connections are getting through my PC's firewall and malwarebytes is blocking it and not my firewall, or is malwarebytes telling me that my firewall blocked it? Like, if I turned malwarebytes RTP off, would all these inbound connections get through my firewall?

 

[AdvancedSetup]

Yes, it means that they are coming into the system.

Some ports need to remain open on a hardware firewall to allow legitimate network traffic to pass through to your computer or device. These open ports are used for specific network services that your computer needs to use, such as email, web browsing, file sharing, remote access, and so on.

The built-in Windows 10 or 11 firewall has multiple built-in rules to both allow and block certain protocols and ports. The blocks that Malwarebytes is blocking is specific to known bad actor IP locations. Though we too have or get false positives and block items that should not be blocked.

Without Malwarebytes the port scan would typically go through the firewall but there are still many cases where the software firewall may also block it.

 

 

Do you know how to use batch files?

 

[AdvancedSetup]

You could add the following via a command prompt with Admin rights and it would tighten up the Windows firewall a little bit more

 

Block all inbound ports 135-139 and 445

netsh advfirewall firewall add rule name="1Custom Block Ports 135-139 and 445" dir=in action=block protocol=TCP localport=135-139,445 enable=yes
netsh advfirewall firewall add rule name="1Custom Block Ports 135-139 and 445" dir=out action=block protocol=TCP localport=135-139,445 enable=yes

 

Block all Outbound access for WScript and CScript Executables

netsh advfirewall firewall add rule name="1Custom Block WScript and CScript Executables" dir=out action=block program="%windir%\system32\wscript.exe,%windir%\system32\cscript.exe,%windir%\SysWOW64\wscript.exe,%windir%\SysWOW64\cscript.exe" enable=yes

 

Block all inbound ICMP traffic for Echo request

netsh advfirewall firewall add rule name="1Custom Block ICMP Echo Request and Echo Reply" dir=in protocol=icmpv4:8,0 action=block
netsh advfirewall firewall add rule name="1Custom Block ICMPv6 Echo Request and Echo Reply" dir=in protocol=icmpv6:128,129 action=block

Blocking inbound traffic on ports 135-139 and 445 can help prevent attacks targeting SMB services, which are known to have many security vulnerabilities.
However, this rule may interfere with legitimate file sharing and printer sharing services and may need to be adjusted depending on the specific network environment.

Blocking outbound access for WScript and CScript executables can help prevent malicious scripts from running on your system and can help protect against attacks that use these executables.
However, this rule may interfere with legitimate scripts and may need to be adjusted depending on the specific network environment.

Blocking inbound ICMP traffic for Echo request can help prevent ping flooding attacks and can help protect against certain types of network reconnaissance attacks.
However, this rule may interfere with network diagnostic tools that use ping to test network connectivity and may need to be adjusted depending on the specific network environment.

 

Also, take a look at the following link but be careful what you change as some changes could render the computer inoperative or result in networking issues.

A Defensive Computing Checklist by Michael Horowitz
https://defensivecomputingchecklist.com/

Router Security Checklist
https://routersecurity.org/checklist.php

 

 

Edited March 1 by AdvancedSetup
Updated information

[AdvancedSetup]

How is the computer running now?

Aside from the Inbound IP blocks are there any other issues I can assist you with?

 

[rayliu244]

As of yesterday night the blocks are ongoing. I ran the command prompt commands just now for "Block all inbound ports 135-139 and 445" and "Block all inbound ICMP traffic for Echo request" and will see if that lessens / stops the probing. Otherwise, my computer is running fine and there is nothing else wrong with it really. That's why I feel so confused as to why these probes have been going on for so long. But, otherwise everything seems fine.

[AdvancedSetup]

Please try the following. @rayliu244

When you go to bed tonight turn off the power and unplug your Router after shutting down your computer.

Then when you wake up go ahead and plug the Router back in and give it a couple minutes to power on before you turn the computer on.

Keep an eye on it and let me know if things improve or not.

 

[rayliu244]

I don't own my router so I'm unable to access it, unfortunately. The command prompt fix didn't really work, still getting the same amount of inbound connection blocks. How common is it for probing like this to go on for a month straight? Is it indicative of something malicious on my computer/network or do probes like this just randomly happen?

[AdvancedSetup]

Normally they are random and typically for most people they go away on their own within about a week or so.

Let me get a fresh set of logs and I'll double-check to make sure all are still valid blocks.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you