
Concerned about RTP detections



Hello, posting this here even though I don't have any obvious signs of infection since I know it can be hard to tell with these things.

 

A few weeks ago I got some RTP detections over several days. The first one concerned me since it came from within the system, as opposed to a browser, as an outgoing communication. I wasn't using the computer at the time so it was an automated process that caused the detection. After that I was getting similar blocked outgoing communication detections from Firefox for a few days. Most of the Firefox detections were from a popular website that I've never had an issue with before. I know you can get RTP website blocks from ads or such but I very rarely get any with running Browser Guard, uBlock, and NoScript. While testing, one detection came from a completely different site in a private window so it didn't seem to be a cookie problem. From what I remember the detections were only happening once per system restart. After a few days they stopped and I haven't had one since. The only thing I remember downloading before this started was the night of the first detection, Apple's updater showed an update for iTunes.

Since this started I've run numerous MWB scans as well as Microsoft Defender online / offline scans with nothing detected. Also haven't noticed any unusual computer or web browser activity. In the meantime I cleared Firefox's cache and deleted most of the cookies that were stored. I also deleted iTunes and associated Apple software since I wasn't using it anyway. I did some research on the domain / IP addresses the detections showed. There wasn't much about the domain from the first detection but from what I found it appears to be legitimately used by Windows Update. The website I found for checking the IP addresses (Talos Intelligence) didn't show anything alarming about the IPs, although not sure how reliable that site is as I've never used it before now. One thing I noticed in common is that all the IPs went to Akamai owned servers but from what I found they seem to be a widely used company.

So after all that it looks like possible false positives from MWB. First time seeing something like this in years using it. Was there anything happening on MWB's side during that time frame that could have caused these detections and was then corrected? If not, please let me know what additional scans I should run to be safe and sure there isn't an issue with the computer. Including with this post are exports of the specific detections, results from the last few scans done, and the log file from the MWB support tool.

 

Thank you for the help and reading through my long-winded explanation. I hope you enjoy the rest of your day.

mbst-grab-results.zip RTP-1.txt RTP-2.txt RTP-3.txt RTP-4.txt ScanReport-041423.txt ScanReport-041523.txt ScanReport-041623.txt


  • Root Admin

The computer is having some issues for sure @Viperion

System errors:
=============
Error: (04/09/2023 09:15:10 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:14:24 PM on 4/8/2023 was unexpected.

Error: (04/09/2023 09:15:02 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (04/08/2023 09:14:37 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x0000000000000034, 0x0000000000000002, 0x0000000000000000, 0xfffff8037523ab71). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 8680a939-36fb-4df3-ab34-8f37a4f6fa72.

Error: (04/08/2023 09:14:24 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:44:08 PM on 4/7/2023 was unexpected.

Error: (04/06/2023 09:33:18 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:22:11 PM on 4/5/2023 was unexpected.

Error: (04/06/2023 09:33:11 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (04/01/2023 07:35:39 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:00:56 PM on 4/1/2023 was unexpected.

Error: (04/01/2023 07:35:33 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

 

Blue Screen of Death

Please see if you can zip up this file and attach if it's not too big

C:\Windows\MEMORY.DMP

If it's too big let me know and I'll post a method to upload it.
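The "System errors" block quoted above is in the layout FRST writes to its log. The entries it contains are three different records: EventID 6008 is written by the Event Log service at the next boot whenever the previous shutdown was not clean, EventID 1001 (Source: BugCheck) is written only when a stop error was recorded and a dump was saved, and Kernel-Boot EventID 29 reports a failed resume from hibernation data. Pairing the 6008 records with any 1001 record logged at about the same time separates crashes that left a dump from unclean shutdowns that did not. The parser below is an added example, not part of the post or of FRST; the sample input is constructed from the lines quoted above, and the five-minute pairing window is an assumption.

```python
"""Parse the 'System errors' block of a FRST-style log and pair each
unexpected-shutdown record (EventID 6008) with a BugCheck record (EventID 1001)."""
import re
from datetime import datetime, timedelta

# Constructed sample input: the entries quoted in the post above, in the
# "Error: (time) (Source: x) (EventID: n) (User: y)" layout that FRST emits,
# each followed by its Description line.
SAMPLE_LOG = r"""
Error: (04/09/2023 09:15:10 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:14:24 PM on 4/8/2023 was unexpected.

Error: (04/09/2023 09:15:02 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (04/08/2023 09:14:37 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x0000000000000034, 0x0000000000000002, 0x0000000000000000, 0xfffff8037523ab71). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 8680a939-36fb-4df3-ab34-8f37a4f6fa72.

Error: (04/08/2023 09:14:24 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:44:08 PM on 4/7/2023 was unexpected.

Error: (04/06/2023 09:33:18 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:22:11 PM on 4/5/2023 was unexpected.

Error: (04/06/2023 09:33:11 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (04/01/2023 07:35:39 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:00:56 PM on 4/1/2023 was unexpected.

Error: (04/01/2023 07:35:33 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.
"""

# One "Error:" header line: timestamp, source, numeric event id, user (may be empty).
ENTRY_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<src>[^)]*)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# Stop code inside a BugCheck (1001) description.
BUGCHECK_RE = re.compile(r"bugcheck was: (0x[0-9a-fA-F]+)")


def parse_entries(text):
    """Return a list of dicts, one per 'Error:' header, with its Description attached."""
    entries = []
    lines = text.strip().splitlines()
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i].strip())
        if m:
            desc = ""
            # The Description line, when present, immediately follows the header.
            if i + 1 < len(lines) and lines[i + 1].strip().startswith("Description:"):
                desc = lines[i + 1].strip()[len("Description:"):].strip()
                i += 1
            entries.append({
                "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                "source": m["src"],
                "event_id": int(m["eid"]),
                "user": m["user"],
                "description": desc,
            })
        i += 1
    return entries


def summarize(entries, window=timedelta(minutes=5)):
    """Count records per EventID and pair 6008 shutdowns with 1001 bugchecks
    logged within `window` of each other (assumed window; both are written at boot)."""
    counts = {}
    for e in entries:
        counts[e["event_id"]] = counts.get(e["event_id"], 0) + 1
    bugchecks = [e for e in entries if e["event_id"] == 1001]
    codes = [m.group(1) for e in bugchecks
             for m in [BUGCHECK_RE.search(e["description"])] if m]
    with_bc = without_bc = 0
    for e in entries:
        if e["event_id"] != 6008:
            continue
        if any(abs(b["time"] - e["time"]) <= window for b in bugchecks):
            with_bc += 1
        else:
            without_bc += 1
    return {
        "counts": counts,
        "bugcheck_codes": codes,
        "shutdowns_with_bugcheck": with_bc,
        "shutdowns_without_bugcheck": without_bc,
    }


if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

On the quoted sample this reports four 6008 records, of which only the 04/08 one has a BugCheck record beside it (stop code 0x0000000a, IRQL_NOT_LESS_OR_EQUAL, which is what the MEMORY.DMP requested above would show in detail). The other three unclean shutdowns left no dump, which is what a hard reset, power loss, or a crash that never finished writing its dump all look like from the event log alone, so the log cannot distinguish them by itself.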

 

 


Looks like the file is too big, 1.06 GB uncompressed. Got it down to 234 MB as zip and 156 MB as 7z.

 

The BSoD issue is something I've had with this computer since it was built, almost 9 years ago. I later found out that the GPU I have is a toss-up on whether it had Samsung memory or a subpar off-brand. I tested the system RAM and that came out fine, so I believe it's the memory the GPU came with. I've lived with it since the BSoD almost always only happens within 10 minutes of logging in after startup and averages every 10 boots. If it doesn't crash shortly after login then it runs fine and I can leave it on for days without a problem. Although the timing of the errors about unexpected shutdowns looks like when I was shutting down from the Start menu, and I never had a BSoD from that.


  • Root Admin

Well, I see the computer is rather old

BIOS: American Megatrends Inc. 2012 09/30/2014
Motherboard: ASUSTeK COMPUTER INC. Z97-PRO(Wi-Fi ac)

 

We can do some generic clean up if you like but I'm not seeing any obvious infection. If you'd like to do some generic clean up though, let me know.

 


Yeah, it's getting up there in age; it's the first PC I built myself, but I know it's due for replacement soon. The CPU still packs a punch as long as you don't mind not having the best graphics or over 60 FPS, which I don't. I want to do a minor GPU upgrade to better match the CPU and that will be its end-of-life hardware.

I'm relieved there doesn't appear to be an infection. Any idea why MWB was blocking those seemingly legitimate connections temporarily?

Also, what do you suggest for the generic cleanup?

 


  • Root Admin

Many sites are often linked to bad behavior but only shortly. They then get reported or get blocked and remove the items. Sometimes we may block a site by accident as it may have had some kind of signature making it look like it was doing something wrong.

When we're updated that a site has been cleaned up, we remove the block; thus, if it was temporary and we removed the block, you'll not see it anymore.

 

Here are some of the items performed during a generic clean up:

 

 

 

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Thanks

 


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

