Concerned about a Trojan "RTP" detection and website block.



Hello, for the past two days since I installed Malwarebytes on a new computer, I have been receiving a popup notice about a blocked trojan website every time I log into Windows 11. In the attached photos you can see the IP address and file location that the notice is coming from. If needed I can provide log files. I'm a little confused as to how an IP address that looks very spoofed (12.34.56.78) is connecting to my computer and accessing System32???

Thank you so much in advance to anyone who can help me with this.


6 minutes ago, Longshot583 said:

Also, should note that I have gone through multiple scans with MB including a >1hr long rootkit scan and a scan with MB AdwCleaner, and both are coming up with no detections.

Post those logs and do the following as well.

Click the following link and run a Scan with Farbar Recovery Scan Tool and post the 2 logs generated from it.

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case. <<<<< Important.

Thank you

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

The following Fix will empty these folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin
  • Hosts file will be reset

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as C:\Users\User\Downloads\FRst\FRSTEnglish.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner; please do so.

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications, locate the downloaded file, and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left, click Scanning objects; that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on the bottom right, Start scanning
  • Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web at the top of your user profile folders
  • Please attach that log in your next reply

There were no infected objects detected, but the Integrity Checker was not able to repair corrupted files.

Let's try this again:

FRST64 was saved as C:\Users\User\Downloads\FRst\FRSTEnglish.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.


Open a Command Prompt as an Administrator. At the prompt, type (or copy and paste) the following commands one by one, pressing Enter after each:

  DISM /Online /Cleanup-Image /ScanHealth
  DISM /Online /Cleanup-Image /CheckHealth
  Dism.exe /online /Cleanup-Image /StartComponentCleanup
  DISM.exe /Online /Cleanup-image /Restorehealth
  sfc /scannow

Let me know the outcome.

Let me suggest registering at Sysnative. They have a group of experts in Windows updates and a database in case you need prior updates.

Here is the link:

Windows Update | Sysnative Forums

Let them know you are trying to RestoreHealth and are having problems. Run this command:

Copy /Y C:\Windows\Logs\CBS\CBS.log %Userprofile%\Desktop

Post the CBS.log from your desktop in the forum and wait for an expert. I am sure they will be able to help you. I will also be there.

How is the computer otherwise?

Alright, will do. 

As of right now, my computer is running fine and as expected, but I am still receiving frequent pop-ups from Malwarebytes about this blocked "trojan" website. 

Before I noticed the problem, I upgraded the HDD on this computer to an SSD using Macrium. I still have the old HDD, and am wondering if it might be best to re-install it to see if MB still reports the website block. I don't remember having downloaded very much with the computer before upgrading the drive, so I don't think it was infected.
However, I hesitate to do that as I wouldn't want to let malware copy itself to the old drive via the RAM or something if it wasn't present on the drive before the upgrade.

Do you have any thoughts on this? 

Thank you so much for your replies thus far.


Are those incoming notifications?

Let's clear the caches on browsers:

FRST64 was saved as C:\Users\User\Downloads\FRst\FRSTEnglish.exe

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Is your installation legit? Is there any cracked software on the computer?

SppExtComObj.exe

sppextcomobj.exe is a legitimate Windows file developed by Microsoft. It is a part of the Windows Operating System. sppextcomobj.exe is used for Key Management Service (KMS) Licensing for Microsoft Products and is installed with Windows File Protection (WFP) enabled. That's why sppextcomobj.exe runs as a standard Windows process and has Network Service privileges. You will usually find this file under the name KMS Connection Broker in Task Manager. The typical file path for this is C:\Windows\System32\sppextcomobj.exe.

The last time we checked, it was being exploited to activate Windows. I will check if it is a false positive.

  • Root Admin

Pardon the intrusion. @Longshot583 @JSntgRvr

Please RESTART the computer

Then get us NEW fresh logs. I think another process is calling a legit file to do something bad.

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan, but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options...
  • Then place a check mark on the following items: Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • NOTE: You must allow Autoruns to run for at least 20 minutes to complete the VirusTotal scan. If you attempt to save the file sooner it will not be complete
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or wherever you saved it, hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

Thank you

Thank you AdvancedSetup for your reply, but before I perform your recommended steps I think I should clarify that I bought this computer from Yahoo Auctions Japan, from a listing that said that Windows 11 was installed "using the workaround method".

When I bought the computer I assumed that "workaround method" meant the seller had upgraded it from Windows 10 while bypassing Win11's restrictions on older CPUs which lack a certain security chip, something which I had heard of previously.

However, I am now wondering if the installation of Windows is not genuine, and that's what is causing KMS Connection Broker to attempt so many outgoing connections.

Any thoughts on this? If my installation is not genuine, how might I check for that? I greatly appreciate your help.
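The KMS Connection Broker description earlier in the thread and the question just above (how to tell whether the installation is genuine, and why SppExtComObj.exe keeps reaching out) both come down to a few checks an administrator can run locally. The following PowerShell script is an added example written for this page; it is not code from the thread, from Malwarebytes, or from Microsoft. It assumes Windows 10/11 with the built-in SoftwareLicensingService and SoftwareLicensingProduct WMI classes and the NetTCPIP module, and it must be run from an elevated PowerShell prompt. It verifies that SppExtComObj.exe is the Microsoft-signed file at its documented path, shows which KMS host (if any) the licensing service is configured to contact, reports the Windows license status, and lists any TCP connections the KMS Connection Broker process currently owns.

```powershell
# Added example (not from the thread): local triage for a KMS Connection Broker
# (SppExtComObj.exe) network detection. Run from an elevated PowerShell prompt.
# Assumes Windows 10/11 with the SoftwareLicensing* WMI classes and NetTCPIP module.

function Test-SppExtComObjBinary {
    # 1. Is the binary at its documented path, and does it carry a valid signature?
    $path = Join-Path $env:SystemRoot 'System32\SppExtComObj.exe'
    if (-not (Test-Path -Path $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        SigStatus = $sig.Status                      # 'Valid' is expected for the genuine file
        Signer    = $sig.SignerCertificate.Subject   # expected to be a Microsoft Windows subject
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

function Get-KmsConfiguration {
    # 2. Which KMS host is the licensing service set to talk to? A retail/OEM-activated
    #    machine normally has no KMS machine configured or discovered at all.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        ConfiguredKmsHost = $svc.KeyManagementServiceMachine
        ConfiguredKmsPort = $svc.KeyManagementServicePort        # KMS normally uses TCP 1688
        DiscoveredKmsHost = $svc.DiscoveredKeyManagementServiceMachineName
        DiscoveredKmsPort = $svc.DiscoveredKeyManagementServiceMachinePort
    }
}

function Get-WindowsLicenseState {
    # 3. License status of the installed Windows edition (same filter slmgr.vbs uses:
    #    the Windows ApplicationID and a product that actually has a key installed).
    $statusNames = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
        4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
    }
    $filter = "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey <> null"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        Select-Object Name, Description,
            @{ n = 'Status'; e = { $statusNames[[int]$_.LicenseStatus] } },
            KeyManagementServiceMachine
}

function Get-KmsBrokerConnections {
    # 4. Any live TCP connections owned by the KMS Connection Broker right now?
    #    The process is short-lived, so run this while the detection is firing.
    Get-Process -Name SppExtComObj -ErrorAction SilentlyContinue | ForEach-Object {
        Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
    }
}

'--- Binary check ---';       Test-SppExtComObjBinary | Format-List
'--- KMS configuration ---';  Get-KmsConfiguration     | Format-List
'--- License state ---';      Get-WindowsLicenseState  | Format-List
'--- Live connections ---';   Get-KmsBrokerConnections | Format-Table -AutoSize
```

Read the output together: a valid Microsoft signature at the System32 path means the file itself is the genuine KMS Connection Broker, which matches the thread's point that a legitimate binary is being driven to do something unwanted. A configured or discovered KMS host that is not on a corporate network you manage, combined with a non-Licensed status and repeated outbound attempts from this process, is consistent with an unofficial activation tool having registered its own KMS endpoint. If the signature check fails or the file is missing from its documented path, treat the binary itself as suspect and keep that in the logs you post.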

  • Root Admin

If it were my computer I would wipe it and do a CLEAN install of Windows 10 or Windows 11 @Longshot583

If you're lucky Windows will automatically activate. If it does not, though, you can still run Windows pretty well without activating it.

Restrictions on customization are about all they put in place. There are registry and command line methods, though, to typically still be able to customize some if wanted.

Back up your personal data then do a CLEAN install.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/
