ksalno Posted April 24, 2022
My Detection History reports multiple RTP detections at regular intervals of 8AM, 2PM, 8PM, and 2AM. It reports the files as quarantined or blocked but there is nothing in quarantine. One example from this morning's scan is

-Software Information-
Version: 4.5.4.168
Components Version: 1.0.1599
Update Package Version: 1.0.54103
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1645)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\sysnative\cmd.exe, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload file blocked
File Name: C:\WINDOWS\sysnative\cmd.exe

The other is

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid
URL:

Is this something I can ignore or do I have an issue I need to remediate? I did run the FRST scan tool and have attached the logs.
FRST.txt
Addition.txt
Maurice Naggar Posted April 24, 2022
Hello @ksalno
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
Gotta have history and all logs from Malwarebytes for Windows.

[ 2 ] The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool instructions are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan.
Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.
Do not pay credence if you see some intermediate early flash messages on screen display. The only thing that counts is the end result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file.
This is likely to run for many hours (depending on number of files on your machine & the speed of hardware).
The log is named MSERT.log; the log will be at Windows\debug\msert.log
Please attach that log with your reply. We will do more later.
ksalno Posted April 27, 2022
Microsoft scan run and all requested logs attached.
msert.log
logs.zip
Maurice Naggar Posted April 27, 2022
Thank you. Next, this will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At screen "Detections occurred and resolved" click on blue button "View detected results".
On next screen, at lower left, click on blue "Save scan log". View where file is to be saved. Provide a meaningful name for the "File name:".
On last screen, set to Off (left) the option for Periodic scanning. Click "save and continue".
Please attach the report file so I can review.
ksalno Posted April 27, 2022
ESET scan results attached.
ESETscan.txt
Maurice Naggar Posted April 28, 2022 (edited)
Hello. Thank you. One other scan here.
TrendMicro HouseCall scan https://www.trendmicro.com/en_us/forHome/products/housecall.html
First, Download & Save to your Downloads folder the appropriate HouseCallLauncher.
Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.
The program will check with TrendMicro & do an update run.
Next it will show the Disclosure window. Click Next to proceed.
The end user license agreement is presented. Click the Accept radio button & click Next to proceed.
IF you wish a Full scan or a Custom scan, first click on the Settings; then you can select which drives you want to include in the scan. The default is a Quick scan.
Click Scan now when ready.
The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.
When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option. If you see an item that you know is safe, you can click the Action, and select Ignore.
When all done & ready, click the Fix now button.
Edited April 28, 2022 by Maurice Naggar
ksalno Posted April 28, 2022
Housecall scan completed with no threats found.
Maurice Naggar Posted April 28, 2022
Good. Let us do this: [ Do a custom scan with Microsoft Defender Antivirus ]
Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.
From the Windows Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu & select Windows Security.
Next, in Windows Security section: Click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
Look to see that Microsoft Defender is shown & available for use.
On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.
Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.
Once it has started the scan phase, you can go take a long break.
Let me know the results.
Maurice Naggar Posted April 28, 2022
Requests for clarification
Is this machine by HP? About how old? Or is it a recent new purchase? Is it in warranty?
The main reason I ask is that the scheduled tasks in Windows have several tasks that make use of the Windows cmd (OS command interpreter) to run several HP hardware related tasks.
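As an added example (not part of this thread, and not Malwarebytes' or HP's tooling), the PowerShell below answers the scheduled-task question from the defender's side: it lists every task whose action carries the REG QUERY for MachineGuid that Malwarebytes blocked, with the task's author, triggers and last run time, and then pulls Task Scheduler "Action started" events (ID 200) around one detection time so the task that fired at that moment can be named. The 08:00 timestamp is a constructed value taken from the reported detection cycle.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell so tasks in every
# \Microsoft\... and vendor folder are visible.

# Pattern taken from the command line Malwarebytes reported as blocked in the first post.
$pattern = 'Cryptography.*MachineGuid'

# 1) Static check: which scheduled task actions carry that command line?
function Find-MachineGuidTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions have Execute/Arguments; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmdline -match $pattern) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Task        = $task.TaskPath + $task.TaskName
                    Author      = $task.Author
                    State       = $task.State
                    CommandLine = $cmdline
                    LastRunTime = $info.LastRunTime
                    NextRunTime = $info.NextRunTime
                    # StartBoundary / Repetition.Interval expose a 6-hour cadence like the one reported
                    Triggers    = ($task.Triggers | ForEach-Object {
                        "$($_.CimClass.CimClassName) start=$($_.StartBoundary) repeat=$($_.Repetition.Interval)"
                    }) -join '; '
                }
            }
        }
    }
}

# 2) Dynamic check: which task actually started an action around one detection time?
#    Event 200 = "Action started" in the Task Scheduler operational log (needs task history enabled).
#    Covers the case the static check misses: a task that runs a script or vendor exe which then calls reg.exe.
function Get-TaskActionsAround {
    param([datetime]$When, [int]$WindowMinutes = 5)
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 200
        StartTime = $When.AddMinutes(-$WindowMinutes)
        EndTime   = $When.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Task   = ($data | Where-Object Name -eq 'TaskName').'#text'
            Action = ($data | Where-Object Name -eq 'ActionName').'#text'
        }
    }
}

Find-MachineGuidTasks | Format-List
# Constructed timestamp: the 8 AM slot of the 8AM/2PM/8PM/2AM cycle reported in the first post.
Get-TaskActionsAround -When (Get-Date '2022-04-24 08:00') | Format-Table -AutoSize
```

A hit that resolves to a vendor-authored task in its own task folder is the benign explanation this post is probing for; a hit with no recognisable author or path is what to hand back to the malware-removal process.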
ksalno Posted April 28, 2022
I started the Windows scan and it's going to take a while. I started it a couple of hours ago and it is still showing 12 hours estimated time to complete.
My PC is an older HP. It's a 64-bit, i7 4770K, which came out in 2013, so my machine is probably 8-9 years old. Long out of warranty.
Maurice Naggar Posted April 28, 2022
Thanks. That is ok. Have patience & just let it do its thing. An i7 is a great processor. It's likely you have the standard type of hard disc drive.
ksalno Posted April 29, 2022
Scan finished. No current threats, no allowed threats, and no history of protective actions.
Maurice Naggar Posted April 29, 2022
Good morning. Bravo. Microsoft Defender shows no threats. YAY!
I would recommend getting a readout report as to update the status of some key apps.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows' SmartScreen blocks that with a message-window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Also, I would suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates. Have much patience.
ksalno Posted April 29, 2022
Security check finished and text file is attached.
SecurityCheck.txt
Maurice Naggar Posted April 29, 2022
There are 2 installed applications that are not recommended and not needed. I would suggest you Uninstall both & then do a Windows Restart. These 2:
Bonjour
Bonjour Print Services
Maurice Naggar Posted April 29, 2022
These are the other items tagged by SecurityCheck that need your attention:

Microsoft .NET Framework 4.5.2 v.4.5.51209 Warning! Download Update
Microsoft Silverlight v.5.1.50918.0 Warning! This software is no longer supported.
NVIDIA GeForce Experience 2.1.1 v.2.1.1 Warning! Download Update
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 19.00 (x64) v.19.00 Warning! Download Update
Uninstall old version and install new one.
-------------------------- [ IMAndCollaborate ] ---------------------------
Zoom v.5.6.5 (823) Warning! Download Update
Skype version 8.79 v.8.79 Warning! Download Update
-------------------------------- [ Media ] --------------------------------
Spotify v.1.0.69.336.g7edcc575 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.32.0.0.89 Warning! Download Update
opensource v.1.0.14960.3876 << Hidden Warning! This software is no longer supported. Please uninstall it.
Adobe Reader X (10.1.16) MUI v.10.1.16 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat Reader DC.
------------------------------- [ Browser ] -------------------------------
Blackhawk Striker 2 v.2.2.0.95 Warning! This software is no longer supported.
----------------------------- [ EmailClient ] -----------------------------
Windows Live Essentials v.16.4.3508.0205 Warning! This software is no longer supported.
---------------------------- [ UnwantedApps ] -----------------------------
System Diagnostics Tool v.1.1.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it
ksalno Posted April 29, 2022
OK, I either uninstalled or updated everything on the list except for the following:
.Net framework is already at rel v4.8.04084, I checked the registry. So I couldn't install from the download link because 4.8 was already installed.
I couldn't update to the latest GeForce Experience because my hardware doesn't support it but I checked and the GeForce driver is up to date.
I couldn't find the opensource file to uninstall. I did some searches and it may be part of some HP code.
I also couldn't find Blackhawk Striker to uninstall.
The System Diagnostics Tool is from Lutron and I use it for troubleshooting my Lutron Radio RA lighting.
Maurice Naggar Posted April 29, 2022 (edited)
Alright. Thanks. On the .Net Framework we count on Microsoft and its Windows Update function. On non-Microsoft & all other add-on apps, you gotta rely on the software or hardware publisher.
Now then, recircling back to the original issue: are there any new notifications by Malwarebytes for Windows about "Malware.Exploit.Agent.Generic"?
Edited April 29, 2022 by Maurice Naggar
ksalno Posted April 29, 2022
Scan report from this morning's MalwareBytes run is clean, nothing detected. The last finding in the History report is from the morning of April 24, which was when I reported it. It goes back with detections every few hours for the prior week, but nothing since then.
Maurice Naggar Posted April 29, 2022
Let's pause and make time and just get a set of fresh reports for review.
Your machine has the FRST64 report tool on the Downloads folder. We will use that.
Go to Downloads folder. RIGHT-click on FRST64 and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.
When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt
Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run.
Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed).
Close Notepad IF those show up on Notepad.
Just please Attach the 2 files FRST.txt + Addition.txt with your next reply. Thank you
ksalno Posted April 30, 2022
FRST64 scan complete and files attached.
FRST.txt
Addition.txt
Maurice Naggar Posted April 30, 2022
This is intended as a visual means to check on security.
From the Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu & select Windows Security.
Next, in Windows Security section: Click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
By the way, when you see a green check-mark on your display, it means a good status and that protection is on.
On the next display, look it over.
ksalno Posted April 30, 2022
Everything looks good, no threats discovered and I have the green checkmark on all icons.
Maurice Naggar Posted April 30, 2022
Thank you. The following is like a mini-cleanup. There are a few scheduled tasks that are leftovers & no longer of any use + some housekeeping.
This custom script is for Ksalno only / for this machine only.
Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.
Next, a custom script to do checks & some cleanups. This is really just housekeeping. We will use FRST64 on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time.
NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. It will remove quite a number of scheduled Tasks that are "of no use" (ie, junk or stuff to drag the system).
NOTE-2: This should run a quick scan with MS Defender antivirus.
NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed.
The following directories are emptied:
Windows Temp
Users Temp folders
Edge, IE, FF, Chrome, and Opera & BRAVE caches, HTML5 storages, Cookies and History
Recently opened files cache
Flash Player cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Fixlist.txt
Then, Start the Windows Explorer and then, go to the Downloads folder.
RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.
On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
ksalno Posted May 1, 2022
Fix script was run, restarted without issue and fixlog attached.
Fixlog.txt