
RTP connection Issue repeats after new installs on different drives


Solved by JSntgRvr

Greetings! I am having an RTP Connection issue that is outbound to a specific IP. When the issue started, I ran a Malwarebytes Advanced scan, AVG Deep Scan, NPE and MSERT. No virus. The issue persisted, so I reformatted and reinstalled. The issue returned, same IP address. I got irritated, grabbed another SSD I had, and reformatted and reinstalled. The issue returned. On this SSD with Windows 11 installed I have run all the same scans listed previously. MSERT found VirTool:Win32/DefenderTamperRestore. That did not seem related, but I thought I would wait and see. It didn't take long; the RTP issue occurred again. So I ran MSERT again. No virus. I decided to FULLY uninstall Chrome and try AVG Secure Browser. The issue reoccurred. I removed that browser, and the issue occurred citing that browser, even though it was not there! I went back to Chrome since I prefer it. Of course, the issue reappeared. It does not happen constantly, only twice a day. It hasn't yet today.

A couple of notes:

I changed the admin name, admin password and the SSID name and password on my router after the final install of Windows. I did a lot of cut and paste so I would not have to type that information in.

We have 2 laptops. They are suddenly, as of three days ago, overheating, so I can't get Malwarebytes on to see if they have the issue.

My BIOS does need upgrading; I am just nervous about flashing it.

I use Malwarebytes Privacy VPN, and I change location a lot for added safety.

 

Malwarebytes Website Blocked Report 2024-07-02 212536.txt

Malwarebytes Website Blocked Report 2024-07-04 200428.txt

Malwarebytes chrome 1.jpg

Malwarebytes Chrome 2.jpg

Malwarebytes AVG Secure Browser.jpg

MSERT Results 07102024 1254am.jpg

Malwarebytes Website Blocked Report 2024-07-11 000906.txt

Deep scan.txt

aswBoot.txt


Hello @Valenstar and welcome:

Thank you for the attachment(s) you have already posted. However, please carefully follow the procedures below in the order given for the best data. Please do not forget Malwarebytes AdwCleaner in its proper order.

Although I will not be your malware removal helper, please carefully follow the steps in the order given:

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then, follow each step in the order provided. Unless otherwise asked, please attach all log files.

Please make the following system changes. Please pay close attention to the instructions in all the following links.

  1. If you have not done so already, Enable System Protection and create a NEW System Restore Point.
  2. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  3. Temporarily disable the overly sensitive Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
  4. Disable Fast Startup. <<<<< Important.
  5. Show Hidden Folders, Files and Extensions.

Please run the following scans. Please take your time and pay close attention to the instructions in all the following links.

  1. Select the following link and run a Scan with Malwarebytes AdwCleaner with only the eight (8) requested options selected. Report files: AdwCleanerCnn.txt and AdwCleanerSnn.txt.
  2. Select the following link and run a DEFAULT Scan with Malwarebytes 5 for Windows®. Report file: Malwarebytes Scan Report YYYY-MM-DD HHMMSS.txt
  3. >>>> Restart the computer <<<<
  4. Select the following link, and then rename FRST.exe or FRST64.exe to FRSTEnglish.exe and run a Scan with Farbar Recovery Scan Tool. Report files: FRST.txt and Addition.txt

Example image of where to click to attach the five (5) files when posting your reply to your topic:


The sooner you attach/send the log files, the sooner one of the Experts will weigh-in on your topic.

Thank you.


Here are the requested files. I have severe ADHD and got a little confused with AdwCleaner and did it more than once. I had read over the directions, so no idea there. Anyway, all reports were gathered and now delivered. Thank you for taking the time to help with my issue, I really appreciate it.

Addition.txt AdwCleaner[C04].txt AdwCleaner[S04].txt FRST.txt Malwarebytes Scan Report 2024-07-14 135648.txt


  • Solution

Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as C:\Users\lucyv\Downloads\FRSTEnglish.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 (FRSTEnglish.exe) is saved.
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

When you say to close all running programs, does this include my virus scanner? I don't mind doing it, but wanted to be sure, as I will be leaving my computer unprotected.

I also have many commitments, but I will do my best to respond quickly as I am the one with the compromised system!

Thank you for your time and effort, it is greatly appreciated.


Well, Dr.Web CureIt! found a virus. It says it "moved" it. I am quite curious as to where! Here are the logs.

Will this virus be in my restore points? And could it have gotten into Dropbox, or my OneDrive? I am curious as to how it got into two different SSD drives. This drive was a clean install and I did not download anything I did not know what it was. I have not yet completed all installs onto the drive, that is how fresh it is. The only commonalities are a Windows 10 USB install drive, a Windows 11 USB install drive, Dropbox and OneDrive. I did do a fresh install on the first drive and it was contaminated as well, and I barely had anything installed. I am so totally baffled. Unless it was in the installer for the program files it was found in, which I would be quite surprised at. I did not find it in my Dropbox folders, but not all folders were kept on the drive.

Thank you for finding this virus. I am assuming there might be more steps, so what is next?

cureit.log Fixlog.txt


This is the file detected.

C:\program files\common files\avg\overseer\overseer.exe - infected with Trojan.DownLoader46.57905

Windows Resource Protection found corrupted files and successfully repaired them.

I'll never go for AVG. Microsoft Defender is better as an antivirus. You need nothing else.

How is the computer doing?
 

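When a scanner reports a file under a vendor's own install path, as the Dr.Web CureIt! line above does, the next thing a helper usually wants is the file's signature status and hash so the detection can be cross-checked against the vendor's release. The PowerShell below is an added example, not code from this thread or from Malwarebytes or Dr.Web; it takes the path from the detection quoted in the post, assumes the file is still present (CureIt! reported it as moved, so it may already be gone), and uses only built-in cmdlets.

```powershell
# Added example (not from the thread): collect signature and hash details
# for a file a scanner flagged, before deciding what the detection means.
# The path below is the one reported by Dr.Web CureIt! in this thread.
$flagged = 'C:\Program Files\Common Files\AVG\Overseer\overseer.exe'

if (-not (Test-Path -LiteralPath $flagged)) {
    # CureIt! said it "moved" the file, so this is the expected outcome after the scan.
    Write-Output "File not present (already quarantined or removed): $flagged"
    return
}

$item = Get-Item -LiteralPath $flagged
$sig  = Get-AuthenticodeSignature -FilePath $flagged
$hash = Get-FileHash -LiteralPath $flagged -Algorithm SHA256

# Summarise the facts a helper would ask for in one object.
[pscustomobject]@{
    Path            = $flagged
    SizeBytes       = $item.Length
    LastWriteUtc    = $item.LastWriteTimeUtc
    SignatureStatus = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
    Signer          = $sig.SignerCertificate.Subject
    SHA256          = $hash.Hash
} | Format-List
```

A Valid status with the expected vendor as signer says the bytes on disk are the ones that vendor signed; NotSigned or HashMismatch on a file in a vendor directory is worth reporting back to the helper along with the SHA256, which can be checked against the vendor's or the scanner's own file lookup. Run it from an elevated prompt if the Program Files path is read-protected on your account.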

So far, so good; however, the RTP outbounds that Malwarebytes caught happened twice a day, so let's see what happens tomorrow, although I personally think we got it. Thank you so much! I was feeling pretty hopeless when I decided to come here to try this forum, as Malwarebytes was catching the attempts.

As for my myriad questions I asked with my last post, can you help me with them at all? Especially the questions about the restore points although I am curious about the possibility of OneDrive or something else being infected. I am just at a loss.

Thanks once again! I am really excited that the virus was found. I'll let you know about what happens over the next day to see where it all ends up. I bet it ends up clean!

 


I have a question: I did not log into Google or utilize sync on this install because I thought it might have something to do with the issue. The only thing I did was import bookmarks. Does that exclude Google Sync from being the issue? I'll follow this guide with computers that ARE logged into my email that I was suspicious of and reset Chrome sync, just to be sure about this, but it would not make sense for being the issue on this computer.

I have several questions related to the resetting of Chrome sync: I have two email accounts that I have used that may be the ones in question. I have switched out which one I use a couple of times, so should I do this with both accounts?

Will this reset my app passwords? I need them to keep my emails working in Outlook.

Also, I have a pc that is overheating so fast I can't get into it, so I can't log out of whichever Google account is on that machine. I therefore cannot use this method to reset Chrome sync on it. How does that affect this overall scenario?

Assuming that Chrome Sync is not the issue since it was never used on this build, I still need the method of delivery to 3 different installs on two different SSD drives. I did log into the same Hotmail account each time, as it is the one I use for this computer for the Microsoft account logged into Windows. I also log into another Hotmail account when using office, which is then connected to my OneDrive. I uninstall OneDrive as I prefer Dropbox, but there is still some sort of connection to my pc, as Word and Excel keep trying to save to OneDrive and I have files available which say they are on OneDrive.

Is there a way to virus scan files contained solely on the cloud? Like the Dropbox folders I keep offline only, or OneDrive? 

Sorry to be so lengthy in my observations and questions, I just want to make sure this will not reoccur. Thanks for your patience.

 


  • Root Admin

If you're not using Google Sync then unwanted cache or other settings from an affected system should not be a concern.

Cleaning Google Chrome of old cookies, cache, and verifying ALL settings are as you want them is good for any system. Infected or not.

Personally, I would recommend using Firefox or Brave rather than Google Chrome or Microsoft Edge.

 

If you feel there is still something going on with your system, then please RESTART the computer and run the following scans after cleaning Google Chrome on this system.

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thank you @Valenstar


So far, so good. I noticed I have not been on during the periods the connection attempts usually occurred, so I will endeavor to do so today. We have been having severe thunderstorms where our power goes off and on, so I have been disconnected late afternoon.

 

I realized I did log into my Google account long enough to set up an app password, but I did not sync. Can you get a virus, if one is there, by simply logging into Chrome if you do not sync?

Let's say it is the Google account and I did sync, and the virus was there. I installed Chrome clean twice, and this install 100% has not been synced. If I log in to my account and sync, I assume I get the virus again. Sooner or later, at some time, on one of my computers, I will need to sync again. Will I then get the virus? If so, how do I reset the sync without doing it on this computer? If I sync on one of my less expensive computers and then reset the sync as per the instructions you gave me, will it then be cleaned up for all new connections, or will the virus always be there?

Thanks again, a million times over! I'll check back tomorrow and let you know how it goes.

 


  • Root Admin

Google Sync - from HelloTech

 

When you turn on Google Chrome’s sync feature, it will save data about all your bookmarks, extensions, themes, search history, open tabs, saved passwords, payment info, addresses, phone numbers, settings, preferences, and more.

You can also customize what data you do want to sync and what you don’t.

 

The vast majority of attacks are from Trojans. There have only been like 2 new viruses out in the wild in the past decade.

If there is nothing else, let's go ahead and clean up


Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.

Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them.

Take care and stay safe out there. Try to follow as much of the advice below as you can as well.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt. You can close it.

 

We're glad that we were able to assist you.

 

The following information will help you to keep your computer and data safer as well as improve your overall privacy

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.c om/home-updater#download (about: https://patchmypc.com/about-us)
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

 


This topic is now closed to further replies.