
RTP Detections & Incoming connections

Windows 10 Pro 22H2 19045.3448

Browsers:  Brave, MS Edge

AV: Malwarebytes, HitmanPro.Alert

Firewall: Windows Defender Firewall, Malwarebytes Windows Firewall Control

Malwarebytes
Malwarebytes has blocked several outbound RTP detections.
(3) Compromised. Website: bug.bz, IP: 159.89.224.144, File: Brave.exe, Port: 443
(1) Trojan. Website: vietnam.travel
(1) Riskware. Website: thealmightyguru.com

VirusTotal via Autoruns:
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
Jiangmin: Trojan.Generic.hnsze
The other AVs show no detection.

https://www.virustotal.com/gui/file/8451e12c71b961644d8d1bfd605d67123ced6764f197427b77a8a8cd676b85e6/detection

Before my last reformat of the hard drive and re-install of Windows 10, Malwarebytes blocked a couple of RTP detections. The RTP detections were outbound and the file was my VPN exe. I uninstalled my VPN.


Malwarebytes Windows Firewall Control
Windows Defender Firewall is set to block all incoming connections, including allowed ones, yet it allows incoming connections. I had to set "block all incoming" for Domain using Group Policy. Every time I checked the box to block all incoming, when I checked the screen again, it was unchecked. Even with Domain set to block all incoming connections via Group Policy, the Firewall & Protection screen still shows "block all incoming connections" as unchecked.

The incoming connections list my PC as Remote and the other IP as Local.
I reached out to Windows Firewall Control support. The support resource did not have an explanation or a fix for the strange behavior.
IPs that connected today:  64.233.176.95 (2am).
Connected at 3:26pm: 173.194.11.70 (twice), 173.194.54.6, 172.217.215.91 (twice) 

I either deleted or disabled incoming Allow rules. The following rules re-appear after deletion: multiple Spotify rules, Microsoft Store, Brave (mDNS-In), MS Edge (mDNS-In), MS Edge WebView (mDNS-In).
Once Your Account (Domain) re-enabled itself.

Just checked inbound rules:  App Installer (Domain) was set to enabled.  The rules listed above are still deleted.  All other Allow rules are set to Enabled = No.

I have manual rules that block incoming on all ports for TCP, UDP, IGMP, ICMP, RSVP, etc.

Other odd behavior
If I am working in Anaconda or Colab, I quickly run out of CPU or RAM.
Unseen browser window. The browser shows 2 instances when only one is open.

Allow remote connections is turned off.  

Thanks

Attachments: Allow Inbound 092623 II.png, MWB 090823 Detection History.png, MWB 090723 459.png


  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Copy FRSTEnglish.exe from this path on to your desktop C:\Users\GroovyHabanero\AppData\Local\Temp\mwb3AA6.tmp\FRSTEnglish.exe. During the following Fix, all temp folders and files will be removed. We want you to run FRSTEnglish.exe from your desktop instead.

 

Download the enclosed file.  Fixlist.txt  Save this file on your desktop, next to FRSTEnglish.exe. Right click on FRSTEnglish.exe and select run as an Administrator. This time around click on the Fix button and wait.

 

Upon completion, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from. Please attach this file to your next reply.

 

Dr.Web CureIt!
Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/
 
You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply


A different scan with another security scanner. 
 
This with Kaspersky KVRT tool.
 
Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.
Next, Select the Windows Key and R Key together, the "Run" box should open.



 

Drag and drop KVRT.exe into the Run box.
C:\Users\George\DESKTOP\KVRT.exe will now show in the Run box.
Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt:
C:\Users\George\DESKTOP\KVRT.exe -dontencrypt
should now show in the Run box.
That addendum to the run command is very important.

To start the scan select OK in the "Run" box.
The "Windows protected your PC" window may open. IF SO, then select "More info".
A new window will open; select "Run anyway".
An EULA window will open; tick both confirmation boxes, then select "Accept".
In the new window select "Change Parameters".

  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough, so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs, do not use your PC for anything else.

  • When completed: If entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C:), similar to this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230526_223000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply

Your main problem was Windows Firewall blocking core files.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, Click on Full scan
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications", and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.  (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  (in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

How is the computer doing?

Edited by JSntgRvr

I will work on the ESET Online Scanner and provide feedback.

How was Windows firewall blocking core files?

How is the computer doing?  

The newsfeed displays!!  Missing in action for months.  Thanks!

CPU is still running at 32%.  

If I close all windows, CPU runs at 32% (as it did before the remediation efforts). I am expecting below 10%. I haven't tested closing all windows yet because I am using the computer.

I will continue to monitor for Allowed Incoming Connections.

Should I switch to another firewall?  I just want the firewall to stop allowing incoming connections and my computer to stop communicating with malicious IPs.

All of the inbound rules and outbound rules are gone. Yikes!

Domain
Inbound connections that do not match a rule are blocked

Private
All inbound connections are blocked

Public
All inbound connections are blocked


Is it OK to re-enter my rules? My computer was communicating with malicious sites before the re-format, so I had rules to block IPs that I have identified so far: 108.177.122.127, 69.16.175.42, 151.139.128.10, 151.101.2.114, 13.107.4.50, 13.107.21.200, 13.107.42.33, 64.190.63.111, 151.101.0.176, 104.17.24.14, 138.199.7.0 - 138.199.7.255, 193.0.0.0 - 193.255.255.255.

239.255.255.250, 224.0.0.1 - 224.0.0.255

I also had rules blocking TCP & UDP outgoing ports:
21-24, 134-142, 69, 500, 666 to 669, 1234, 1701, 1723, 1900, 4500, 6969, 5000, 445, 3389, 8080, 12345, 8996

I also had rules for blocking chatty explorer.exe and SearchApp.exe.

Why is the firewall blocking incoming from the router ports: 67,53 to my pc ports: 68, 55187, 53570, 53337, 60377,  62443?

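The profile states listed above ("Inbound connections that do not match a rule are blocked" versus "All inbound connections are blocked"), the checkbox that keeps clearing itself, and the rules that re-appear after deletion can all be inspected from PowerShell instead of the GUI. The following is an added example, not code from this thread or from Malwarebytes; it uses the built-in NetSecurity cmdlets on Windows 10 (Get-NetFirewallProfile, Get-NetFirewallRule, Set-NetFirewallProfile) and assumes an elevated prompt. The checkbox "Block all incoming connections, including those in the list of allowed apps" is the profile property AllowInboundRules, and querying the ActiveStore shows the effective settings with Group Policy applied.

```powershell
# Added example (not from the thread or from Malwarebytes): inspect the effective
# Windows Defender Firewall state with the built-in NetSecurity cmdlets.
# Run from an elevated PowerShell prompt on Windows 10.

# 1. Effective profile settings (ActiveStore = local settings merged with Group Policy).
#    "Inbound connections that do not match a rule are blocked" is
#        DefaultInboundAction = Block, AllowInboundRules = True
#    "All inbound connections are blocked" (the GUI checkbox) is
#        DefaultInboundAction = Block, AllowInboundRules = False
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules,
                  LogAllowed, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Every enabled inbound Allow rule, with the program, protocol and port it opens.
#    Store apps and Chromium-based browsers re-create their own rules (for example the
#    "(mDNS-In)" rules) when they run, so deleting such a rule is not a durable change;
#    AllowInboundRules = False on the profile overrides all of them at once.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Program  = $app.Program
            Protocol = $port.Protocol
            Port     = $port.LocalPort
        }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize

# 3. Enforce "block all inbound, including allowed apps" on all three profiles and log both
#    allowed and dropped packets, so later questions can be answered from the firewall's own
#    log (by default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) rather than a
#    third-party GUI.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -AllowInboundRules False `
    -LogAllowed True -LogBlocked True
```

When a Group Policy object (domain or local) sets these values, the policy wins over the local store; the GUI can then show the checkbox cleared while the ActiveStore query reports the value the policy set. Comparing step 1 against Get-NetFirewallProfile without -PolicyStore (the local persistent store) shows which of the two is producing the behaviour seen.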

Closed all windows.  Task Manager.

CPU seems to stay at 30-33%.  It once dropped to 29%.  I find that odd.  It should drop to less than 10%.

Desktop Window Manager (0% - 16.8%)
System Interrupts (8.9% - 29.5%)

Every once in a while the CPU% detail is significantly less than the column header total of 30% - 33%.

System Interrupts: 19.6% All other appears to be 0%. Column is sorted by CPU descending.  Column heading showed 30%.


So the problem is not malware.

 

Let's try a workaround.

 

Please turn off the following setting in Malwarebytes. Also, check for updates in the general tab.

 


 

Next

Turn off fast startup in Windows.

 

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

 

Let's reset the Firewall to defaults:

Download the enclosed file.  Fixlist.txt  Save it next to EnglishFRST64.exe. Open EnglishFRST64.exe as an Administrator. This time around click on the Fix button and wait.

 

Please attach the resulting report in your next reply.

 

Restart the computer.

 

Attempt to re-create the issue.


Hi,

Will work on the above and report back.

Checked CPU usage this morning.  I opened two private MS Edge windows.  One window had two tabs opened with websites.  The other window had one tab open with a website.

CPU hovered around 2% with fluctuations up to 12%.   System Interrupts ranged between 0 - 0.9%.  

New rule popped up for Incoming Connections: MS Edge (mDNS-In), WebView2 Runtime (All)

Allowed Incoming Connections log is active again. Activity started around 2:17am.

::1 port: any to ::1 port 445

0.0.0.0 port 68  to 255.255.255.255 port 67

pc  Port: any to router port: 53

pc port: any to 224.0.0.251 port: 5353

brave tor on 127.0.0.1 port: any

There were no additions to Block Incoming connections log.

 


2 hours ago, Pickleajijunco said:

Hi,

Will work on the above and report back.

Checked CPU usage this morning.  I opened two private MS Edge windows.  One window had two tabs opened with websites.  The other window had one tab open with a website.

CPU hovered around 2% with fluctuations up to 12%.   System Interrupts ranged between 0 - 0.9%.  

New rule popped up for Incoming Connections: MS Edge (mDNS-In), WebView2 Runtime (All)

Allowed Incoming Connections log is active again. Activity started around 2:17am.

::1 port: any to ::1 port 445

0.0.0.0 port 68  to 255.255.255.255 port 67

pc  Port: any to router port: 53

pc port: any to 224.0.0.251 port: 5353

brave tor on 127.0.0.1 port: any

There were no additions to Block Incoming connections log.

 

You should perform a Google search on these entries. I see nothing wrong with any of them.

Address 0.0.0.0 and 127.0.0.1 are the local network, usually used to block any incoming connection. It seems that you are interested in the meaning of the firewall record that involves the PC port, the IP address 224.0.0.251, and the port 5353. According to the web search results, this record indicates that your PC is allowed to receive multicast DNS packets from any source on the UDP protocol. Multicast DNS is a service that enables devices to discover each other on a local network without a central server.

 

It uses the multicast IP address 224.0.0.251 and the port 5353. Some applications that use multicast DNS are Apple iTunes, Bonjour, and AirPlay.

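The helper's point above, that loopback, 0.0.0.0 and the mDNS multicast address never leave the local network, generalizes into a simple triage of the allowed-incoming log by the scope of the remote address. The following PowerShell is an added example, not from this thread or from any firewall product. The sample entries are constructed to mirror the ones quoted above; the time|direction|protocol|local|remote layout and the PC address 192.168.1.20 are assumptions, and the Note column only names the well-known service on that port, not a verdict about the traffic.

```powershell
# Added example (not from the thread or any firewall product): sort connection-log entries
# by the scope of the remote address so local-network chatter is separated from traffic
# with Internet hosts. The entries are constructed to mirror the ones quoted in the thread;
# the "time|direction|protocol|local|remote" layout and the PC address 192.168.1.20 are
# assumptions.

function Get-AddressScope {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        if ([System.Net.IPAddress]::IsLoopback($ip)) { return 'loopback' }
        if ($ip.IsIPv6Multicast)                      { return 'multicast' }
        if ($ip.IsIPv6LinkLocal)                      { return 'link-local' }
        return 'public'
    }
    $b = $ip.GetAddressBytes()
    if ($Address -in '0.0.0.0', '255.255.255.255') { return 'unspecified/broadcast' }
    if ($b[0] -eq 127)                              { return 'loopback' }
    if ($b[0] -ge 224 -and $b[0] -le 239)           { return 'multicast' }
    if ($b[0] -eq 169 -and $b[1] -eq 254)           { return 'link-local' }
    if ($b[0] -eq 10 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168))         { return 'private (LAN)' }
    return 'public'
}

# Well-known services on the ports that appear in the thread (a label, not a verdict).
$knownPorts = @{
    'UDP/53'   = 'DNS'
    'UDP/67'   = 'DHCP (server side)'
    'UDP/68'   = 'DHCP (client side)'
    'UDP/443'  = 'QUIC / HTTP/3 (Chromium browsers such as Brave and Edge)'
    'UDP/5353' = 'mDNS (local device discovery)'
    'TCP/445'  = 'SMB'
}

# Constructed sample log; "any" as a port is kept as the thread wrote it.
$sampleLog = @'
02:17|in|TCP|::1:any|::1:445
02:17|in|UDP|0.0.0.0:68|255.255.255.255:67
02:18|in|UDP|192.168.1.20:any|192.168.1.1:53
02:18|in|UDP|192.168.1.20:any|224.0.0.251:5353
02:19|in|TCP|127.0.0.1:any|127.0.0.1:any
10:48|in|UDP|192.168.1.20:443|64.233.177.95:443
13:25|in|UDP|192.168.1.20:443|142.250.9.95:443
'@

function ConvertTo-ConnectionReport {
    param([Parameter(Mandatory)][string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $time, $dir, $proto, $local, $remote = $line.Trim() -split '\|'
        # Split "address:port" at the last colon so IPv6 literals such as ::1 stay intact.
        if ($remote -match '^(.*):([^:]+)$') {
            $remoteIp, $remotePort = $Matches[1], $Matches[2]
        } else { continue }
        $scope  = Get-AddressScope -Address $remoteIp
        $review = if ($scope -eq 'public') { 'yes' } else { 'no (never leaves the LAN)' }
        [pscustomobject]@{
            Time   = $time
            Dir    = $dir
            Proto  = $proto
            Remote = $remote
            Scope  = $scope
            Note   = $knownPorts["$proto/$remotePort"]
            Review = $review
        }
    }
}

ConvertTo-ConnectionReport -LogText $sampleLog | Format-Table -AutoSize
```

Loopback, the DHCP broadcast exchange on 67/68, mDNS on 224.0.0.251:5353 and DNS to the router all stay on the local network, which is why they draw no concern. UDP 443 from Google address ranges such as 64.233.x and 142.250.x is what QUIC (HTTP/3) replies look like once a Chromium-based browser such as Brave or Edge has opened a connection; a stateful firewall records the reply as an allowed inbound packet. For the entries the report marks for review, the useful check is whether a process on the PC initiated the exchange (Get-NetUDPEndpoint and Get-NetTCPConnection expose the owning process ID) rather than the reputation count of the remote address.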

6 hours ago, JSntgRvr said:

So the problem is not malware.

 

Let's try a workaround.

 

Please turn off the following setting in Malwarebytes. Also, check for updates in the general tab.

 


 

Next

Turn off fast startup in Windows.

 

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

 

Let's reset the Firewall to defaults:

Download the enclosed file.  Fixlist.txt  Save it next to EnglishFRST64.exe. Open EnglishFRST64.exe as an Administrator. This time around click on the Fix button and wait.

 

Please attach the resulting report in your next reply.

 

Restart the computer.

 

Attempt to re-create the issue.

Followed the instructions (ended up doing the FRST instructions 2x because I thought the "Fixlog.txt is saved in the same directory FRST is located" pop-up was an error.) Fixlog attached here: Fixlog.txt

Will update later.


Listed in allowed incoming connections log:

At 10:48 am this morning

64.233.177   port 443   protocol UDP   DHCP (PC listed as source and provided ip address listed as destination) 

New rule listed in incoming rules:

Rule: Brave (mDNS-In)

 

At 1:25 pm: 

Listed in allowed incoming connections log:

142.250.9.95   port 443   protocol UDP  DHCP (PC listed as source and provided ip address listed as destination)


Port 443:  I looked at the article.  I don't understand how it explains that incoming UDP connections from random IPs are OK.

Question: if you don't see anything wrong with the connections, how do you define an incoming connection that is an issue?

224.0.0.251 port 5353: OK, so if I don't want to see this I need to find a way to turn off multicast.

CPU is still under 10%, which is good.

New inbound rules popped up: Spotify Music (8 rules), App Installer, Microsoft Edge (mDNS-In), Microsoft Edge (mDNS-In) WebView2

New outbound rules popped up:  Spotify Music (3 rules), App Installer, Microsoft People

I do not use Spotify nor Microsoft People.  Is Spotify required to listen to music videos on youtube?

Outbound Connections:

104.17.21.14 (abuseipdb reported 89 times)

108.177.122.94, 108.177.122.95, 108.177.122.132 (abuseipdb reported 4-5 times; same subnet as IP involved with Mirai malware)

13.107.21.200 (VirusTotal 4/88 malicious)

69.16.175.10 (VirusTotal 4/88 malicious)

69.16.175.41 (VirusTotal 5/89 malicious)

 


I don't know why you are receiving these packets, and the information provided is incomplete. Perhaps there are remnants of programs you no longer have. I have checked some of them and they are not malicious, thus I disagree with VirusTotal. The fact is that none of them are active at this time.

There is a remote possibility that they will stop with a Clean or Repair Install of Windows.

As there is no malware in your system, I will consider this topic completed. Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool.

Vista/Windows 7/8/10 users right-click and select Run As Administrator.

  • Put a check mark next to these items:

- Delete tools

- Create Restore Point

- Delete now

  • Click the "Run" button.


  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:

  • Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
  • Make sure you're backing up your files.
  • Keep all software up to date (PatchMyPC).
  • Keep your Operating System up to date and current at all times.
  • Further tips to help protect your computer data and improve your privacy:
  • Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

Further reading if you like to keep up on the malware threat scene:
 
Malwarebytes
 
Bleepingcomputer


Thanks for your help!  

I have re-formatted my hard drive and re-installed windows multiple times.  It does not stop.

Since you feel this isn't a malware issue, is there a different forum where I can seek help?

Today is the worst I have seen it for incoming connections. At 17:19, I had 9 IPs connect to my computer. I don't understand how that is normal.

17:50: 173.194.144.135 port 443 UDP, 64.223.185.93 port 443 UDP

17:19: 173.194.219.95, 74.125.219.95, 104.17.25.14, 104.18.11.207 (connected twice), 172.67.73.115, 108.177.122.94, 104.26.9.127, 104.17.25.14, 104.26.8.127. All port 443 UDP.

 


This topic is now closed to further replies.