Jump to content

Repeated RTP detection on .NET Framework v4.0


Go to solution Solved by Maurice Naggar,

Recommended Posts

I am getting repeated malware blocked notification from Malwarebytes about .NET Framework version v4.0.30139 sending (or requesting; I do not know the proper term) something to 185.81.157.19 using port 3309. I attached the detailed information in the "log.txt" file. I found this forum and its subsequent form which seems to talk about similar issue, but I could not find the solution. I put the IP address in the Allow List for now, because the constant notification pop up is bothering me. Any suggestion is appreciated!image.thumb.png.d2543dd1ad31bc5422823539a2d1b79e.png

log.txt

Link to post
Share on other sites

5 minutes ago, office_cicada said:

I put the IP address in the Allow List for now, because the constant notification pop up is bothering me.

Your computer is infected and Malwarebytes WAS protecting you by blocking that IP. Take that out of the allow list and do the following.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

 

Link to post
Share on other sites

Hello @office_cicada My name is Maurice. You mentioned 

Quote

 I put the IP address in the Allow List 

Please be sure to go back into the Settings and remove any IP that you put in the "allow" list. There is a way to turn off the on-screen displays of "blocked" notices  ( events will still be logged in Malwarebytes history logs). I will get that infor for you on how to turn off visual notice.

Further, the Block windows are only for a few seconds, plus, you can just let it time out. Or just press the X to Close window.

Allowing the connection is not good practice.

Link to post
Share on other sites

@office_cicada I will be guiding you. 

These are the basic first steps just only for "notices" from Malwarebytes.
The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.
Malwarebytes web protection & real-time protections are keeping pc safe from potential harm.

In Malwarebytes, click Settings icon. Then click the tab Allow List
Remove each and every entry in "allow" section"

click tab Notifications
on second line,

Show all notifications In Windows notification area

slide the action button All the way to the LEFT side  ( OFF )

on 4th line,

Close non-critical notifications

, pick 3 seconds

There is much more to do. Allow me time to go thru your reports collection.

Edited by Maurice Naggar
Link to post
Share on other sites

  • Solution

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

( 2 )

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View → Show → File name extensions

( 3 )

Next first step, is to "Turn OFF ( to DISABLE) the "fast starup" of Windows 11
See https://www.windowscentral.com/software-apps/windows-11/how-to-enable-or-disable-fast-startup-on-windows-11

When that is done, be sure to do ( from Start menu) one Power >> Shutdown >> Restart.
Having "fast startup" can complicate our efforts to fix problems.
 

( 4 )

What follows is just the beginning first steps. We will be doing several tasks over several rounds. Please have lots of patience.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.

Link to post
Share on other sites

Hi. Good morning. Because the Microsoft Defender antivirus had been compromised ( such that almost all your system, all drives, were seemingly excluded from its protection ) we will need to do more scans.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites

Scan Results:
-------------
Threat Detected: HackTool:Win32/AutoKMS and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\User\Downloads\programs\MicrosoftOffice2016.exe->(7zSfx)->OFFICE2016/Utilities/Act.exe->(RarSfx)->AAct.exe
        SigSeq: 0x0000236C9E68D965
    file://C:\Users\User\Downloads\MicrosoftOffice2016.exe->(7zSfx)->OFFICE2016/Utilities/Act.exe->(RarSfx)->AAct.exe
        SigSeq: 0x0000236C9E68D965
    containerfile://C:\Users\User\Downloads\programs\MicrosoftOffice2016.exe
    containerfile://C:\Users\User\Downloads\MicrosoftOffice2016.exe

Results Summary:
----------------
Found HackTool:Win32/AutoKMS and Removed!
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Mon May  1 01:19:56 2023

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

Hi. Good afternoon.
This last scan found & removed quite a few elements of coinminer Monero. Do you happen to remember if you willingly, knowingly consented to download "monero-gui-install-win-x64-v0.18.2.2.exe" ?
I would be curious to know.

One other scan here.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Link to post
Share on other sites

Hello Maurice Naggar,
Yes I did download that software. It was stated in their website that system detects it as 'malicious' software and tries to remove them. I did my best to verify what I am downloading is not fake by checking their PGP signature.
Thank you for your continued advice. I will also scan use this software to scan too, just in case.

  • Like 1
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.