Unusual Activity on Computer


  1. Posts : 7
    Windows 10 Pro
       #1

    Unusual Activity on Computer


    Windows 10 Pro
    AMD Ryzen 5 4500U

    Before I reformat and reinstall Windows 10 Pro again (I just reformatted two weeks ago, on 6/20/23), I would like to figure out the cause of the activities listed below on my computer.

    I was wondering if using cloud products is increasing my exposure. I use Anaconda, Replit, SAS On-Demand, Google Sheets, Google Docs, Tableau. I am often connected for hours on the cloud.

    I have stopped using my vpn.

    #1
    ZoneAlarm OSFirewall log
    Product CTF Loader
    Filename: c:\windows\system32\ctfmon.exe
    Event: Registry
    SubEvent: DELValue
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run internat.exe

    There are four instances of this in the OSFirewall log of ZoneAlarm: 6/28, 6/29, 6/30, 7/1. The 7/1 entry happened at 11:21am.

    I cannot find internat.exe on the computer. I looked at the registry and the only entry I see is for the vpn.

    #2
    MalwareBytes
    At 11:22am on 7/1 MalwareBytes flagged an RTP Detection.
    outgoing connection
    Category: compromised
    IP: 138.199.7.129
    Port: 7770
    File: vpn program file

    other instances:
    6/22/23 12:07pm port 7770
    6/26/23 8:05pm port 51820

    I ran MalwareBytes with scan for rootkit set multiple times, nothing.
    I also ran Malicious Software Removal Tool, full scan. Nothing.

    #3
    I am receiving the following AMD notifications.

    AMD Software: Adrenalin Software has detected one or more high-DPI panels are connected to your system. Enabling Virtual Super Resolution will increase your resolution...

    Press "Alt +R" to access Radeon Overlay for in-game configuration

    c:\program files\windowApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftw...\launcherrsxruntime.exe. A required privilege is not held by the client.

    I do not have any monitors connected to my laptop. My graphics driver is AMD Radeon.

    #4
    I have disabled multicast mDNS for Windows 10 & Edge as well as SSDP, UPnP, and LLMNR
    Yet, when I turn on the computer, it attempts to connect to 239.255.255.250 before internet is active. The computer is also attempting to connect to 224.000.000.252.

    Null sessions and guest accounts are disabled

    #5
    VPN has confirmed everything is working as designed. There are no DNSleaks.

    #6
    I have SEAPODAT.HDAUDIO.FUNC_01&VEN_10E... zipfiles in c:\windows\systems32. Could be normal just not sure.

    Thanks


  2. Posts : 9,790
    Mac OS Catalina
       #2

    ZoneAlarm is the worst product. As for exposure, are you asking if being online allows third party sites that you connect to to see that you are connected?


  3. Posts : 7
    Windows 10 Pro
    Thread Starter
       #3

    I was thinking that somehow being logged into a cloud account is increasing my exposure to hackers.

    I used to use Comodo before it died on me. Rules would disappear or change order. I was unable to select block for alerts. Despite using a VPN, my laptop was pinging 8.8.8.8, 8.8.4.4, and 1.1.1.1 like its life depended on it. The log had numerous IPv6 neighbor solicitations. Windows Operating System would poll 300+ ports trying to connect to an IP. When it finally broke I had over 10K firewall events; however, it would show a blank log or no more than 10 events. I selected ZoneAlarm because I wanted to be able to enter specific firewall rules. Do you have any suggestions for a firewall? I tried McAfee firewall but found it useless.

    I found another entry for internat.exe in the ZoneAlarm firewall log today at 12:18pm.

    ZoneAlarm OSFirewall log
    Product CTF Loader
    Filename: c:\windows\system32\ctfmon.exe
    Event: Registry
    SubEvent: DELValue
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run internat.exe

    To add #7 to the above list, I frequently get unable to reach website messages. I even get it for duckduckgo.com.


  4. Posts : 9,790
    Mac OS Catalina
       #4

    How can someone hack your account on some random drive unless you provide credentials? A firewall that you are using does not prevent someone from hacking a random server on the internet. A firewall is to protect intruders from getting into your computer from the outside, as locks and locked windows on a house stop someone from easily getting into your house.


  5. Posts : 1,026
    Win10 Version 21H2 19044.1645
       #5

    Hopefully, @TairikuOkami will see this thread and opine.


  6. Posts : 5,452
    Windows 11 Home
       #6

    catpepperjudo said:
    I found another entry for internat.exe in the ZoneAlarm firewall log today
    Download Autoruns and type into the quick filter - internat.exe - fileless malware tends to hide in scheduled tasks.

    catpepperjudo said:
    Do you have any suggestions for a firewall?
    Windows Firewall Control

    Comodo has not been updated for 2 years and Zone Alarm is a bit hard to grasp.

    catpepperjudo said:
    8.8.8.8, 8.8.4.4, and 1.1.1.1
    Use malware/botnet blocking DNS from cloudflare - 1.1.1.2 - 1.0.0.2

    catpepperjudo said:
    I frequently get unable to reach website messages. I even get it for duckduckgo.com.
    You can use DOH in browsers, that might bypass some problems.
    How to Enable or Disable DNS over HTTPS (DoH) in Microsoft Edge

    catpepperjudo said:
    Despite using a vpn, my laptop was pinging 8.8.8.8, 8.8.4.4, and 1.1.1.1 like its life depended on it.
    The log had numerous ipv6 neighborhood solitications.
    IPv6 can cause issues, like leaking when using VPN, it is better to disable it. Run CMD as admin, copy/paste:
    Code:
    netsh int ipv6 isatap set state disabled
    netsh int teredo set state disabled
    netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "6to4_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "ISATAP_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "Teredo_State" /t REG_SZ /d "Disabled" /f
    reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f
    reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "EnableICSIPv6" /t REG_DWORD /d "255" /f
    Unchecking all protocols except IPv4, disabling NetBIOS and Lookup can also limit vulnerabilities.
    [Screenshot attached: capture_07052023_084714.jpg]

    catpepperjudo said:
    I have disabled multicast mDNS for Windows 10 & Edge as well as SSDP, UPnP, and LLMNR
    I use this to stop it, plus you need to disable the flag in Edge.
    Code:
    edge://flags/#media-router-cast-allow-all-ips
    reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f
    catpepperjudo said:
    AMD Software: Adrenalin Software has detected one or more high-DPI panels are connected to your system. Enabling Virtual Super Resolution will increase your resolution...
    Windows updates can update the driver while the control panel version might not be compatible.
    Download the latest AMD/chipset drivers, do the factory install to remove old drivers and reset.

    https://www.amd.com/en/support/apu/a...-ryzen-5-4500u

    https://www.amd.com/en/support/kb/re...et-5-05-16-529
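The reg add commands in the post above only write the requested values; whether they are in effect is a separate question, and the screenshot refers to a further step (unchecking IPv6 in the adapter bindings). The following script is an added example, not code from the thread or from any poster: it reads back each value the commands set and then reports the live adapter state. It assumes an elevated PowerShell session on Windows 10/11 and the registry paths exactly as given in the post.

```powershell
# Added example (not from the thread): check whether the IPv6-transition and
# multicast-name-resolution settings from the post above are in effect.
# Run in an elevated PowerShell session.

$checks = @(
    # Path, value name, expected value, description
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = '6to4_State';   Expected = 'Disabled'; What = '6to4 tunnel' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = 'ISATAP_State'; Expected = 'Disabled'; What = 'ISATAP tunnel' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = 'Teredo_State'; Expected = 'Disabled'; What = 'Teredo tunnel' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';      Name = 'DisabledComponents'; Expected = 255; What = 'IPv6 components (0xFF = all except loopback off)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters';    Name = 'EnableMDNS';      Expected = 0; What = 'mDNS responder' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';         Name = 'EnableMulticast'; Expected = 0; What = 'LLMNR' }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    # A missing value reads as $null, which never equals the expected value.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    [pscustomobject]@{
        Setting  = $Check.What
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        OK       = ($actual -eq $Check.Expected)
    }
}

$checks | ForEach-Object { Test-HardeningValue $_ } | Format-Table -AutoSize

# Registry values only say what was requested; confirm the live state as well.
# DisabledComponents does not clear the adapter binding; unchecking IPv6 in the
# adapter properties (the step the post's screenshot refers to) does.
Write-Host "`nIPv6 binding per adapter (Enabled = True means IPv6 is still bound):"
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled | Format-Table -AutoSize

# Policy-key changes take effect after a reboot; tunnel interfaces that are
# still listed afterwards mean the policy did not apply.
Write-Host "`nTransition interfaces still present (expect none after a reboot):"
Get-NetIPInterface -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -match 'isatap|Teredo|6to4' } |
    Select-Object InterfaceAlias, AddressFamily, ConnectionState | Format-Table -AutoSize
```

Each row with OK = False is a value that either was not written (the session was not elevated, or a typo crept into the path) or has since been changed back by another tool.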


  7. Posts : 4,803
    Windows 10 preview 64-bit Home
       #7

    What is internat.exe?

    • internat.exe process is also known as Keyboard Language Indicator Applet.
    • internat.exe loads a tiny icon to your system icon tray using which you can switch between multiple locales.
    • This feature is convenient when you are using multiple keyboard layouts, and your job requires switching between them.

    From What Is Internat.exe In Windows 10? Is It Safe? | MyWindowsHub


  8. Posts : 7
    Windows 10 Pro
    Thread Starter
       #8

    Thank You!

    I ran Autoruns and did quick filter internat.exe. No results.
    I tried without a filter. Below are the results. I am not sure if there are any issues.

    [Autoruns screenshots attached: autoruns_070523_1.png through autoruns_070523_4.png]

    - - - Updated - - -

    Internat.exe
    I read the information. I am not using a multilingual keyboard. Is it normal for CTF Loader to delete the registry entry for internat.exe over and over again?

    IPv6
    commands executed

    Multicast
    commands executed

    Edge DOH
    message "Browser is managed by your organization". I am using my computer.
    I am unable to turn on Use secure DNS.
    I found a posting with the following. Should I proceed with this?

    HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
    create new DWORD "EnableAutoDoh". Set value to 2.


    FireFox DOH
    It is set to Default Protection. FireFox decides when to use secure DNS
    Other options are Increase Protection. You control when to use secure DNS and choose your provider.
    Max Protection. FireFox will always use Secure DNS.

    Other
    working on the other stuff

    Incoming connection
    I checked the 24 incoming connections for svchost.exe that were blocked. Half of the IPs have an entry on AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time. The majority of the IPs were on a google domain.

    Outgoing connection
    I checked some of the outgoing UDP connections blocked by ZoneAlarm on 7/3-4. Two-thirds of the IPs have an entry in the AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time database.
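Post #6 suggests filtering Autoruns for the name, and the post above reports no match. A name-only quick filter can miss an entry whose executable is something else and whose name appears only in the arguments (a scheduled task running a script, a WMI consumer's command line). The script below is an added example, not code from the thread or from any poster, and does the same hunt from PowerShell across the Run/RunOnce keys, the startup folders, scheduled task actions and WMI command-line consumers, matching on the full command line. It assumes an elevated session; the pattern is the one from the thread and can be changed to any regular expression.

```powershell
# Added example (not from the thread): search the common autostart locations for
# a name such as internat.exe, matching on the whole command line so that task
# arguments and WMI consumer templates are covered too. Run elevated.

$Pattern = 'internat\.exe'   # regex; PowerShell -match is case-insensitive by default

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($Source, $Location, $Value) {
    $hits.Add([pscustomobject]@{ Source = $Source; Location = $Location; Value = $Value })
}

# 1. Run / RunOnce keys in both hives, plus the 32-bit view on 64-bit Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        # Match on value name and data: the ZoneAlarm entry names the value "internat.exe".
        if ("$($p.Name) $($p.Value)" -match $Pattern) { Add-Hit 'Run key' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Per-user and all-users startup folders.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object { Add-Hit 'Startup folder' $_.FullName $_.Name }
}

# 3. Scheduled tasks: executable AND arguments of every action.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Pattern) { Add-Hit 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 4. WMI permanent event consumers, which persist without a file on disk.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match $Pattern } |
    ForEach-Object { Add-Hit 'WMI consumer' $_.Name $_.CommandLineTemplate }

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap }
else { "No autostart entry matches '$Pattern'." }
```

An empty result here, together with an empty Autoruns filter, means nothing is currently registered to start under that name; the ZoneAlarm entries record ctfmon.exe deleting a Run value, so the value is absent by the time either tool looks.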


  9. Posts : 5,452
    Windows 11 Home
       #9

    catpepperjudo said:
    Edge DOH
    message "Browser is managed by your organization". I am using my computer.
    I am unable to turn on Use secure DNS.
    This will remove all policies:
    Code:
    taskkill /im msedge.exe /f
    reg delete "HKCU\Software\Policies\Microsoft\Edge" /f
    reg delete "HKLM\Software\Policies\Microsoft\Edge" /f

    catpepperjudo said:
    Internat.exe
    I read the information. I am not using a multilingual keyboard.
    You can try to disable it via:
    Code:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "internat.exe" /f


  10. Posts : 7
    Windows 10 Pro
    Thread Starter
       #10

    Updated network adapter settings.
    Changed DNS.
    Ran code for Edge policies. Set secure DNS.
    Ran code to disable internat.exe. ZoneAlarm log had two more entries for the internat.exe registry delete.
    Looking at AMD drivers
    Any action required for the non-verified Microsoft items in the Autorun output?
    Looked at the Windows Firewall Control. Is there a utility that produces a readable log of events? My frustration with Windows Defender is that I can't tell what it is doing. It seems to add and delete rules on a whim. I have no idea on the traffic it is blocking.
    Does everyone have those seapodat files in their c:\windows\system32 directory?

    Whoo hoo! Surfing the internet improved a lot using MS Edge after making the changes outlined above. Firefox is still terrible.
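The post above asks for a readable log of what Windows Defender Firewall is blocking. The built-in firewall writes a plain-text log once dropped-packet logging is switched on, and the parser below is an added example, not code from the thread or from any poster, that turns that log into a per-remote-IP summary with the direction resolved from the path column. It assumes logging has been enabled with `Set-NetFirewallProfile -All -LogBlocked True` and the default log path; the sample lines embedded in the script are constructed for the demonstration (documentation IP 203.0.113.77 and the multicast addresses from the thread), not taken from any real log.

```powershell
# Added example (not from the thread): summarize DROP events from the Windows
# Defender Firewall log. Column names are taken from the "#Fields:" header so the
# parser also copes with builds that append extra columns.

$LogPath   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$UseSample = $true   # set to $false to read the real log at $LogPath

# Constructed sample in the pfirewall.log format; not real traffic.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-07-05 08:47:14 DROP UDP 192.168.1.10 239.255.255.250 55123 1900 0 - - - - - - - SEND
2023-07-05 08:47:15 DROP UDP 192.168.1.10 224.0.0.252 51213 5355 0 - - - - - - - SEND
2023-07-05 08:47:20 DROP TCP 203.0.113.77 192.168.1.10 44512 445 52 S 0 0 0 - - - RECEIVE
2023-07-05 08:47:21 DROP TCP 203.0.113.77 192.168.1.10 44513 3389 52 S 0 0 0 - - - RECEIVE
2023-07-05 08:47:30 DROP UDP 192.168.1.10 239.255.255.250 55123 1900 0 - - - - - - - SEND
'@

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $cols = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $obj[$fields[$i]] = $cols[$i] }
        [pscustomobject]$obj
    }
}

$lines  = if ($UseSample) { $sample -split "`r?`n" } else { Get-Content -Path $LogPath }
$events = ConvertFrom-FirewallLog $lines | Where-Object { $_.action -eq 'DROP' }

# path = SEND means this host initiated the packet (outbound); RECEIVE means it
# arrived from outside (inbound). dst-port is the service being targeted either way.
$summary = $events | ForEach-Object {
    $outbound = $_.path -eq 'SEND'
    [pscustomobject]@{
        Direction  = if ($outbound) { 'Outbound' } else { 'Inbound' }
        Protocol   = $_.protocol
        RemoteIP   = if ($outbound) { $_.'dst-ip' } else { $_.'src-ip' }
        TargetPort = $_.'dst-port'
    }
} | Group-Object Direction, Protocol, RemoteIP, TargetPort | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Count      = $_.Count
        Direction  = $first.Direction
        Protocol   = $first.Protocol
        RemoteIP   = $first.RemoteIP
        TargetPort = $first.TargetPort
        # 224.0.0.0/4 is multicast: SSDP (239.255.255.250:1900) and LLMNR (224.0.0.252:5355)
        # are local discovery chatter, not a connection to a remote host.
        Note       = if ($first.RemoteIP -match '^(22[4-9]|23\d)\.') { 'multicast (local discovery)' } else { '' }
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
```

On the sample this yields three rows: two outbound multicast groups flagged as local discovery, and the inbound drops from 203.0.113.77 split by target port (445 and 3389), which is the view that makes it easy to see which external addresses keep knocking and which "connections" are only the host's own discovery traffic.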

