Unusual Activity on Computer

Page 1 of 2 12 LastLast

  1. Posts : 7
    Windows 10 Pro
       #1

    Unusual Activity on Computer


    Windows 10 Pro
    AMD Ryzen 5 4500U

    Before I reformat and re-install Windows Pro 10 again. Just reformatted two weeks ago on 6/20/23. I would like to figure out the cause of the below activities on my computer.

    I was wondering if using cloud products is increasing my exposure. I use Anaconda, Replit, SAS On-Demand, Google Sheets,Google Docs, Tableau. I am often connected for hours on the cloud.

    I have stopped using my vpn.

    #1
    ZoneAlarm OSFirewall log
    Product CTF Loader
    Filename: c:\windows\system32\ctfmon.exe
    Event: Registry
    SubEvent: DELValue
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run internat.exe

    There are four instances of this in the OSFirewall log of ZoneAlarm: 6/28, 6/29, 6/30, 7/1. The 7/1 entry happened at 11:21am.

    I cannot find internat.exe on the computer. I looked at the registry and the only entry I see is for the vpn.

    #2
    MalwareBytes
    At 11:22am on 7/1 MalwareBytes, flagged a RTP Detection.
    outgoing connection
    Category: compromised
    IP: 138.199.7.129
    Port: 7770
    File: vpn program file

    other instances:
    6/22/23 12:07pm port 7770
    6/26/23 8:05pm port 51820

    I ran MalwareBytes with scan for rootkit set multiple times, nothing.
    I also ran Malicious Software Removal Tool, full scan. Nothing.

    #3
    I am receiving the following AMD notifications.

    AMD Software: Adrenalin Software has detected one or more high-DPI panels are connected to your system. Enabling Virtual Super Resolution will increase your resolution...

    Press "Alt +R" to access Radeon Overlay for in-game configuration

    c:\program files\windowApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftw...\launcherrsxruntime.exe. A required privilege is not held by the client.

    I do not have any monitors connected to my laptop. My graphics driver is AMD Radeon.

    #4
    I have disabled multicast mDNS for Windows 10 & Edge as well as SSDP, UPnP, and LLMNR
    Yet, when I turn on the computer, it attempts to connect to 239.255.255.250 before internet is active. The computer is also attempting to connect to 224.000.000.252.

    Null sessions and guest accounts are disabled

    #5
    VPN has confirmed everything is working as designed. There are no DNSleaks.

    #6
    I have SEAPODAT.HDAUDIO.FUNC_01&VEN_10E... zipfiles in c:\windows\systems32. Could be normal just not sure.

    Thanks
      My Computer


  2. Posts : 9,806
    Mac OS Catalina
       #2

    Zonealarm is the worse product. As for exposure, are you asking if being online allows third party sites that you connect to to see that you are connected?
      My Computer


  3. Posts : 7
    Windows 10 Pro
    Thread Starter
       #3

    I was thinking that somehow being logged into a cloud account is increasing my exposure to hackers.

    I used to use Comodo before it died on me. Rules would disappear or change order. I was unable to select block for alerts. Despite using a vpn, my laptop was pinging 8.8.8.8, 8.8.4.4, and 1.1.1.1 like its life depended on it. The log had numerous ipv6 neighborhood solitications. Windows Operating System would poll 300+ ports trying to connect to an IP. When it finally broke I had over 10K firewall events however, it would show a blank log or no more than 10 events. I selected ZoneAlaram because I wanted to be able to enter specific firewall rules. Do you have any suggestions for a firewall? I tried McAfee firewall but found it useless.

    I found another entry for internat.exe in the ZoneAlarm firewall log today, date 12:18pm.

    ZoneAlarm OSFirewall log
    Product CTF Loader
    Filename: c:\windows\system32\ctfmon.exe
    Event: Registry
    SubEvent: DELValue
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run internat.exe

    To add #7 to the above list, I frequently get unable to reach website messages. I even get it for duckduckgo.com.
      My Computer


  4. Posts : 9,806
    Mac OS Catalina
       #4

    How can someone hack your account on some random drive unless you provide credentials. A Firewall that you are using does not prevent someone from hacking a random server on the internet. A firewall is to protect intruders from getting into your computer from the outside as locks and locked windows on a house stops someone from easily getting into your house.
      My Computer


  5. Posts : 1,029
    Win10 Version 21H2 19044.1645
       #5

    Hopefully, @TairikuOkami will see this thread and opine.
      My Computer


  6. Posts : 5,492
    Windows 11 Home
       #6

    catpepperjudo said:
    I found another entry for internat.exe in the ZoneAlarm firewall log today
    Download Autoruns and type to quick filter - internat.exe - fileless malware tend to hide in scheduled tasks.

    catpepperjudo said:
    Do you have any suggestions for a firewall?
    Windows Firewall Control

    Comodo has not been updated for 2 years and Zone Alarm is a bit hard to grasp.

    catpepperjudo said:
    8.8.8.8, 8.8.4.4, and 1.1.1.1
    Use malware/botnet blocking DNS from cloudflare - 1.1.1.2 - 1.0.0.2

    catpepperjudo said:
    I frequently get unable to reach website messages. I even get it for duckduckgo.com.
    You can use DOH in browsers, that might bypass some problems.
    How to Enable or Disable DNS over HTTPS (DoH) in Microsoft Edge

    catpepperjudo said:
    Despite using a vpn, my laptop was pinging 8.8.8.8, 8.8.4.4, and 1.1.1.1 like its life depended on it.
    The log had numerous ipv6 neighborhood solitications.
    IPv6 can cause issues, like leaking when using VPN, it is better to disable it. Run CMD as admin, copy/paste:
    Code:
    netsh int ipv6 isatap set state disabled
    netsh int teredo set state disabled
    netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "6to4_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "ISATAP_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "Teredo_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f
    reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "EnableICSIPv6" /t REG_DWORD /d "255" /f
    Unchecking all protocols except IPv4, disabling NetBIOS and Lookup can also limit vulnerabilities.
    Unusual Activity on Computer-capture_07052023_084714.jpg

    catpepperjudo said:
    I have disabled multicast mDNS for Windows 10 & Edge as well as SSDP, UPnP, and LLMNR
    I use this to stop it, plus you need to disable flag in Edge.
    Code:
    edge://flags/#media-router-cast-allow-all-ips
    reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
    catpepperjudo said:
    AMD Software: Adrenalin Software has detected one or more high-DPI panels are connected to your system. Enabling Virtual Super Resolution will increase your resolution...
    Windows updates can update the driver while the control panel version might not be compatible.
    Download the latest AMD/chipset drivers, do the factory install to remove old drivers and reset.

    https://www.amd.com/en/support/apu/a...-ryzen-5-4500u

    https://www.amd.com/en/support/kb/re...et-5-05-16-529
      My Computer


  7. Posts : 4,994
    Windows 10 preview 64-bit Home
       #7

    What is internat.exe?

    • internat.exe process is also known as Keyboard Language Indicator Applet.
    • internat.exe loads a tiny icon to your system icon tray using which you can switch between multiple locales.
    • This feature is convenient when you are using multiple keyboard layouts, and your job requires switching between them.

    From What Is Internat.exe In Windows 10? Is It Safe? | MyWindowsHub
      My Computers


  8. Posts : 7
    Windows 10 Pro
    Thread Starter
       #8

    Thank You!

    I ran Autoruns and did quick filter internat.exe. No results.
    I tried without a filter. Below are the results. I am not sure if there are any issues.

    Unusual Activity on Computer-autoruns_070523_1.pngUnusual Activity on Computer-autoruns_070523_2.pngUnusual Activity on Computer-autoruns_070523_3.pngUnusual Activity on Computer-autoruns_070523_4.png

    - - - Updated - - -

    Internat.exe
    I read the information. I am not using a multilingual keyboard. Is it normal for CTF Loader to delete the registry entry for internat.exe over and over again?

    IPv6
    commands executed

    Multicast
    commands executed

    Edge DOH
    message "Browser is managed by your organization". I am using my computer.
    I am unable to turn on Use secure DNS.
    I found a posting with the following. Should I proceed with this?

    HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
    create new DWORD "EnableAutoDoh". Set value to 2.


    FireFox DOH
    It is set to Default Protection. FireFox decides when to use secure DNS
    Other options are Increase Protection. You control when to use secure DNS and choose your provider.
    Max Protection. FireFox will always use Secure DNS.

    Other
    working on the other stuff

    Incoming connection
    I checked the 24 incoming connections for svchost.exe that were blocked. Half of the IPs have an entry on AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time. The majority of the IPs were on a google domain.

    Outgoing connection
    I checked some of the outgoing UDP connections blocked by ZoneAlarm on 7/3-4. Two-thirds of the IPs have an entry in the AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time database.
      My Computer


  9. Posts : 5,492
    Windows 11 Home
       #9

    catpepperjudo said:
    Edge DOH
    message "Browser is managed by your organization". I am using my computer.
    I am unable to turn on Use secure DNS.
    This will remove all policies:
    Code:
    taskkill /im msedge.exe /f
    reg delete "HKCU\Software\Policies\Microsoft\Edge" /f
    reg delete "HKLM\Software\Policies\Microsoft\Edge" /f

    catpepperjudo said:
    Internat.exe
    I read the information. I am not using a multilingual keyboard.
    You can try to disable it via:
    Code:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "internat.exe" /f
      My Computer


  10. Posts : 7
    Windows 10 Pro
    Thread Starter
       #10

    Updated network adapter settings.
    Changed DNS.
    Ran code for Edge policies. Set secure DNS.
    Ran code to disable internat.exe. ZoneAlarm log had two more entries for the internat.exe registry delete.
    Looking at AMD drivers
    Any action required for the non-verified Microsoft items in the Autorun output?
    Looked at the Windows Firewall Control. Is there a utility that produces a readable log of events? My frustration with Windows Defender is that I can't tell what it is doing. It seems to add and delete rules on a whim. I have no idea on the traffic it is blocking.
    Does everyone have those seapodat files in their c:\windows\system32 directory?

    Whoo hoo! Surfing the internet improved a lot using MS Edge after making the changes outlined above. FoxFire is still terrible.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 20:08.
Find Us




Windows 10 Forums