Jump to content

RTP detection Outbound (SysWOW64\PING.EXE)

Go to solution Solved by AdvancedSetup,

Recommended Posts

Good evening, everytime I boot up I get this blocked website report from (C:\Windows\SysWOW64\PING.EXE) Categorized as a Trojan with an outbound Connection and IP with port 0.


Attached are all Logs from MalwareBytes Scans, Adwcleaner.exe, and FRST64.exe (with addition.txt)

20230427Scan.txt Addition.txt AdwCleaner[C01].txt FRST.txt

Link to post
Share on other sites

  • Root Admin

Hello @Dillsion1 and :welcome:

We'll take a look and see what we can find.

I do see you have an unbelievable amount of CustomCLSID: from Java

Example of hundreds

CustomCLSID: HKU\S-1-5-21-3388967864-4246774857-54345224-1001_Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBC}\InprocServer32 -> C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll (Oracle America, Inc. -> )

I assume or hope you're doing some type of Java programming


Please note the following error

Error: (04/27/2023 09:50:28 PM) (Source: MsiInstaller) (EventID: 11714) (User: NT AUTHORITY)
Description: Product: Chrome Remote Desktop Host -- Error 1714. The older version of Chrome Remote Desktop Host cannot be removed. Contact your technical support group. System Error 1612.

Error: (04/25/2023 11:02:24 PM) (Source: Application Error) (EventID: 1000) (User: NT AUTHORITY)
Description: Faulting application name: remoting_host.exe, version: 103.0.5060.46, time stamp: 0x62a290ac
Faulting module name: remoting_core.dll, version: 103.0.5060.46, time stamp: 0x62a290ac
Exception code: 0x80000003
Fault offset: 0x0032a8ad
Faulting process id: 0x0x1a9c
Faulting application start time: 0x0x1d977fc49fdde57
Faulting application path: C:\Program Files (x86)\Google\Chrome Remote Desktop\103.0.5060.46\remoting_host.exe
Faulting module path: C:\Program Files (x86)\Google\Chrome Remote Desktop\103.0.5060.46\remoting_core.dll
Report Id: a4f03eac-ff70-4997-84e8-e9f57ec892b1
Faulting package full name:
Faulting package-relative application ID:



System errors:
Error: (04/27/2023 10:24:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the chromoting service to connect.

Error: (04/27/2023 10:24:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The IntelHaxm service failed to start due to the following error:
A device attached to the system is not functioning.

Error: (04/27/2023 10:24:01 PM) (Source: IntelHaxm) (EventID: 3) (User: )
Description: HAXM Failed to init VMX

Error: (04/27/2023 10:24:01 PM) (Source: IntelHaxm) (EventID: 6) (User: )
Description: HAXM can't work on system without VT support



Windows Defender:

Date: 2023-04-27 22:24:50
C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access.
Detection time: 2023-04-28T04:24:50.312Z
Path: %userprofile%\Documents\Medal\
Process Name: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe
Security intelligence Version: 1.387.2251.0
Engine Version: 1.1.20200.4
Product Version: 4.18.2303.8

Date: 2023-04-25 23:02:59
C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access.
Detection time: 2023-04-26T05:02:59.479Z
Path: %userprofile%\Documents\Medal\
Process Name: C:\Users\Dills\AppData\Local\Medal\app-4.1916.0\Medal.exe
Security intelligence Version: 1.387.2251.0
Engine Version: 1.1.20200.4
Product Version: 4.18.2303.8

Date: 2023-04-25 22:29:16
C:\Users\Dills\AppData\Local\Medal\recorder-3.648.0\MedalEncoder.exe has been blocked from modifying %userprofile%\Documents\Medal\ by Controlled Folder Access.
Detection time: 2023-04-26T04:29:16.442Z
Path: %userprofile%\Documents\Medal\
Process Name: C:\Users\Dills\AppData\Local\Medal\recorder-3.648.0\MedalEncoder.exe
Security intelligence Version: 1.387.2251.0
Engine Version: 1.1.20200.4
Product Version: 4.18.2303.8




Can we get the following report which will also give us the logs from Malwarebytes to see what it's finding.


To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you


Link to post
Share on other sites

  • Root Admin

So the block is an old block and the site is now down, so we'll remove the block. However, that does not answer why your computer is calling out to it in the first place.

Here it is in our log

            "websiteData": {
               "blockType": 15,
               "ip": "",
               "isInbound": false,
               "port": 0,
               "processPath": "C:\\Windows\\SysWOW64\\PING.EXE",
               "url": ""



Please run the following


Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.





Thank you



Link to post
Share on other sites

  • Root Admin
  • Solution

Please run the following fix @Dillsion1




NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRST64.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Dills\Downloads\

NOTE. It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.



Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.


  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.




Link to post
Share on other sites

  • Root Admin

Great, glad to hear all is better. Please run the following @Dillsion1 We're not quite done yet.


SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt






Thank you



Link to post
Share on other sites

  • Root Admin

Thank you. Please uninstall, update, or otherwise address the following as appropriate for your system.


Notepad++ (64-bit x64) v.8.4.8 Warning! Download Update
Node.js v.18.3.0 Warning! Download Update
Python 3.9.13 (64-bit) v.3.9.13150.0 Warning! Download Update
Discord v.1.0.9004 Warning! Download Update
Telegram Desktop version 4.0.2 v.4.0.2 Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
Driver Easy 5.7.2 v.5.7.2 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
----------------------------- [ End of Log ] ------------------------------



Then restart the computer and check for Windows Updates and install any found


Link to post
Share on other sites

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.