RTP Detections?

[Human_Person]

I keep getting RTP detections from C/Windows/System32/rundll32.exe I don't know how to stop it unless I kill it in task manager I get spammed by them I attached a file with one of them below.

Logs.txt

[TwinHeadedEagle]

Hi,

Please follow this topic and attach diagnostic logs

 

Edited November 30, 2021 by TwinHeadedEagle

[AdvancedSetup]

Hello @Human_Person

Can you please get us some other logs.

 

Please do the following so that we can get started and see what's going on.

The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

1. Download the Farbar Recovery Scan Tool
   Do not click on any Ads.
    
2. Locate the file you downloaded on your computer.
   Downloaded files are often saved to the Downloads folder.
    
3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.
   
   
    
4. A Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
   Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?
   
        a.  Click More info.
   
   
        b.  Click Run anyway.
   
   
5. When the User Account Control window appears, click Yes.
   
   
   
    
6. To accept the Disclaimer of warranty, click Yes.
   
   
   
    
7. Ensure only the boxes listed below are checked
   
   

   Registry  Services  Drivers
   Processes  Internet  One month
   Addition.txt
   
   
   
    

8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
   Please remember to re-enable any Antivirus software when we are finished running scans
   
   Click Scan. The scan may take a few minutes to complete.
   
   
    

9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

• Scan completed. FRST.txt is saved in the same directory FRST is located.
  
  

• Addition.txt is saved in the same directory FRST is located.
  
  
   

• Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly

 

 

Thank you

 

 

 

[Human_Person]

Here they are

Addition.txt FRST.txt

[AdvancedSetup]

Hello @Human_Person

Can you please zip and attach this file for me.

C:\Users\Justin's Best PC EVA\AppData\Local\Justin's Best PC EVA\{61DDB18C-71E8-683D-085A-50BA4C518F0A}\noloem.dll

If you're not sure how to do that's okay. I can write a script to do it for us.

Thanks

 

[Human_Person]

Here it is

noloem.zip

[AdvancedSetup]

Thank you. Give me a moment and will reply back soon

 

 

[AdvancedSetup]

Thanks @Human_Person

Did you setup that Task or know what it does with that file? Sure seems suspicious.

Task: {7C02B874-3CC5-4E49-90BC-6B1FEF419BB8} - System32\Tasks\jeviaz_{38E939CC-FABD-7972-859A-19550ECF7507} => rundll32.exe "C:\Users\Justin's Best PC EVA\AppData\Local\Justin's Best PC EVA\{61DDB18C-71E8-683D-085A-50BA4C518F0A}\noloem.dll",DllMain --eyja="InformNumber\license.dat"

 

 

Checking your logs. Did you set these policies on purpose?

HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1189032634-688743978-268734218-1001\...\Policies\Explorer: [NoLogOff] 0

 

 

CHR Notifications: Default -> hxxps://mail.google.com; hxxps://www1.bethanyharrell.pro; hxxps://www1.ramirocampos.pro; hxxps://www1.sherwoodsutton.pro; hxxps://www1a.sherwoodsutton.pro

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

 

Just curious why you have the Dokan Project installed.  Are you doing some type of programming on this system? This driver is 5 years old. If not using you should probably consider removing it.

https://dokan-dev.github.io/

https://github.com/dokan-dev/dokany

R1 dokan1; C:\WINDOWS\System32\DRIVERS\dokan1.sys [108608 2016-09-24] (ISLOG -> Dokan Project)

 

You also have a very old installation of HWiNFO
R1 HWiNFO32; C:\WINDOWS\SysWOW64\drivers\HWiNFO64A.SYS [27552 2020-02-10] (Martin Malik - REALiX -> REALiX(tm))

 

[Human_Person]

I didn't setup that task, and I don't think I set those policies on purpose. I also don't know what hwinfo is. and I never installed dokan unless maybe some mod for a game i play did.

[Human_Person]

Actually if Python or Raptor use dokan then that could be i use those for college assignments  

[Human_Person]

Whenever I try to delete dokan it gives me this message

[AdvancedSetup]

No problem. Give us a few and I'll write up something to remove and fix things up a bit.

 

[AdvancedSetup]

No, those files should not be part of Python. HWiNFO is a hardware discovery tool  https://www.hwinfo.com/

 

Please download the attached fixlist.txt file and save it to the C:\Users\Justin's Best PC EVA\Downloads  location where you ran FRST from.
NOTE. It's important that both files, C:\Users\Justin's Best PC EVA\Downloads\FRST64.exe and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run C:\Users\Justin's Best PC EVA\Downloads\FRST64.exe and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[Human_Person]

Here it is

Fixlog.txt

[AdvancedSetup]

Great, that log looks pretty good. Please run the following for me @Human_Person

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If Microsoft SmartScreen blocks the download, click through to save the file
• This tool is safe.   Smartscreen is overly sensitive.
• If SmartScreen blocks the file from running click on More info and Run anyway
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Thank you

 

 

[Human_Person]

SecurityCheck.txt

[AdvancedSetup]

As you can see your version of Windows is not the latest version. I would recommend that you update to the latest version.

 

Windows 10 November 2021 Update

https://www.microsoft.com/en-us/software-download/windows10

 

 

You also need to review the following for possible updates

--------------------------- [ OtherUtilities ] ----------------------------

Microsoft Visual Studio Code (User) v.1.53.0 Warning! Download Update

 

-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update

Microsoft Teams v.1.4.00.19572 Warning! Download Update

 

Thank you

 

[Human_Person]

Alright I shall do that thank you for your help.

[AdvancedSetup]

Once all is done, please let me know if there are any other detections or not.

Cheers

 

[Human_Person]

I scanned with malwarebytes now that windows is done updating and there are no more issues so thanks for your help

[AdvancedSetup]

You're very welcome. Glad all is back to normal @Human_Person

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• Please attach that file to your next reply. (not compulsory)

 

1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
   https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
   Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/  
   Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee 
5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

[Human_Person]

Alright here is the log for patch my pc

PatchMyPC.log

[Human_Person]

Wrong log sorry where would i find the kprm log?

[Human_Person]

Never mind here it is

kprm-20211130172753.txt

[AdvancedSetup]

Excellent. All looking good.

If there is anything else you need please let us know, otherwise have a great rest of your week.

Cheers