RKill twice deleted this in my Temp folder. Should I be worried?

7 replies to this topic

#1 spaceferret


  • Members
  • 7 posts
  • Local time:08:49 PM

Posted 23 December 2015 - 05:22 PM

I just ran Rkill today and this got picked up:


Checking for processes to terminate:

* C:\Users\Owner\AppData\Local\Temp\{EDE1C972-6D26-40A2-B94F-AA8949413685}\{13250C03-6E30-47A0-A1A4-B4B41463A075}.exe (PID: 14712) [T-HEUR]

1 proccess terminated!


This file was not detected when I ran the scan again, nor was it detected previously the rest of the day. However, a few days ago a similar file was terminated in the same folder location with a similar file name (I can't recall if it's the same or not).


I currently have Rkill, Webroot, TDSSKiller, and Malwarebytes.  So far they haven't detected anything.  Am I fretting over nothing or did something sneak onto my computer?



#2 InadequateInfirmity


    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male
  • Local time:08:49 PM

Posted 23 December 2015 - 06:49 PM

Let's have a look at some logs. :)


Adware Cleaner Scan.


Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


JRT Scan.

Please download Junkware Removal Tool and save it on your desktop.


  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Adware Removal Tool Scan.


Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.





Hit Ok.




Hit Next; make sure to leave all items checked for removal.





The program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.


ZHP Scan.

Please download ZHP Cleaner to your desktop. Right-click the icon and select Run as administrator.




2. Once you have started the program, you will need to click the scanner button.


The program will close all open browsers!

3. Once the scan is completed, you will want to click the Repair button.


At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop.

Copy and paste the report here in your next reply.

 Zemana Scan



Run a full scan with Zemana AntiMalware!

Install and select deep scan.


Remove any infections found.

Then click on the icon in the pic below.


Double click on the scan log, copy and paste here in your reply.

#3 spaceferret

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:49 PM

Posted 23 December 2015 - 08:57 PM

These are the logs from AdwCleaner, JRT, and Zemana.  Webroot didn't like me downloading Adware Removal Tool and ZHP Scan so I don't have those.


# AdwCleaner v5.026 - Logfile created 23/12/2015 at 20:41:30
# Updated 21/12/2015 by Xplode
# Database : 2015-12-23.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\AppData\Local\Microsoft\Windows\INetCache\IE\ZWDCQ9SK\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com


:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [921 bytes] ##########


Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 8.1 x64
Ran by Owner (Administrator) on Wed 12/23/2015 at 20:22:24.87


File System: 3

Successfully deleted: C:\Users\Owner\AppData\Roaming\sp_data.sys (File)
Successfully deleted: C:\WINDOWS\wininit.ini (File)
Successfully deleted: C:\WINDOWS\system32\REN1CD4.tmp (File)


Registry: 2

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\65149647 (Registry Key)
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\85053207 (Registry Key)


Scan was completed on Wed 12/23/2015 at 20:27:10.17
End of JRT log


Zemana AntiMalware (Installed)

Scan Result            : Completed
Scan Date              : 2015/12/23
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i5-3230M CPU @ 2.60GHz
BIOS Mode              : UEFI
CUID                   : 0026506D2E54864894B812
Scan Type              : Deep Scan
Duration               : 68m 48s
Scanned Objects        : 300989
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : No
Scan Documents         : No
Domain Info            : WORKGROUP,0,2

Detected Objects

Status             : Scanned
Object             : %userprofile%\desktop\backup\bby446\administrator\videos\future stuff\old comp videos\vlc-1.1.11-win32.exe
MD5                : 0EE4DA8DCB30DA2FDA216A8AEC07178A
Publisher          : -
Size               : 141824
Version            : -
Detection          : Malware:Win32/Kloom.A!Tcei
Cleaning Action    : Delete
Traces             :
                File - %userprofile%\desktop\backup\bby446\administrator\videos\future stuff\old comp videos\vlc-1.1.11-win32.exe

Cleaning Result
Cleaned               : 1
Reported as safe      : 0
Failed                : 0



I was also looking at my Temp folder again and noticed these three folders appearing today, the last two appearing just after my restart with AdwCleaner. I can't access them (they say I don't have permissions) and there's no option to Run as Administrator. Properties for these folders say they contain no files, but I scanned them with Webroot and it says there are about a dozen tmp files in each one. This might be me being paranoid, but I figured I'd get all of this down just in case.



#4 InadequateInfirmity


    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male
  • Local time:08:49 PM

Posted 23 December 2015 - 09:05 PM

  Webroot didn't like me downloading Adware Removal Tool and ZHP Scan so I don't have those.





Disable Webroot and download and run those files.




Malwarebytes Scan.


We need you to run MalwareBytes to get a log, please download the free version of MalwareBytes HERE

http://data-cdn.mbamupdates.com/web/mbam-setup-  Alternate Link.

Save the file to somewhere you can easily find it. Double click the saved file to start the install, accept any security warnings that may appear, and after the install click the new desktop icon to start the program. We need to modify a couple of things with MalwareBytes before we use it so please follow the steps below.

  1. If the dashboard is not already displayed select it.
  2. Then select "Update Now" to get the latest database.


  1. Next we need to change a scanning option, select "Settings" on the main menu, then "Detection and Protection" on the left.
  2. Then select "Scan for rootkits" in the detection options, as well as the other two options already checked.


  • Now return to Dashboard on the main menu and select "Scan Now" at the bottom of the screen.


  • Allow MalwareBytes to scan your system, it may take some time depending on what you have loaded onto your hard drive.


When the scan is finished

  1. Click "Save Results"
  2. Then click on "Text file"


  • A window will then open allowing you to choose a name for the logfile and also allowing you to choose where to save it, save it to the desktop.
  • Please copy and paste the contents of this file in your next post.



Eset Online Scanner.


Eset Scan

Click Me To Download Eset Scan

Disable your antivirus prior to this scan.

  • Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.


Minitoolbox scan.



Please download MINITOOLBOX and run it.

Checkmark following boxes:

Flush DNS
Reset FF proxy Settings
Reset Ie Proxy Settings
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List Devices (problems only)

Click Go and post the result.


Security Check Scan.


Download Security Check to your desktop, right-click it and run as administrator. When the program completes, the tool will automatically open a log file; please post that log here in your next post.

Edited by InadequateInfirmity, 23 December 2015 - 09:06 PM.

#5 spaceferret

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:49 PM

Posted 24 December 2015 - 01:09 AM

Sorry, I'll try to get the rest of the scans done tomorrow when I have some free time. I would like to report that Rkill deleted another process from my Temp folder again, as such:


Checking for processes to terminate:

 * C:\Users\Owner\AppData\Local\Temp\{DA34F588-1644-4B46-95B6-D7B399587D65}\{52C17FEA-3A1E-45C6-9851-3EC1926F5A39}.exe (PID: 7784) [T-HEUR]

1 proccess terminated!


So it's a similar .exe file to what I found in my OP, except a different combination of letters and numbers. I also noticed that at the same time this was detected, two of those folder types mentioned before where I don't have permissions popped up at the exact same time. They subsequently disappeared afterward. (The other three folders I listed disappeared as well.)

#6 InadequateInfirmity


    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male
  • Local time:08:49 PM

Posted 24 December 2015 - 01:10 AM

When you complete the steps, we can move on. :) 

#7 spaceferret

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:49 PM

Posted 24 December 2015 - 02:21 PM

I actually resolved the issue.  Sort of.  Turns out when you run TDSSkiller at the same time you run Rkill, Rkill reads it as a malware process.  The folders that I couldn't access before?  They're created when you run TDSSKiller and subsequently disappear when you close it.  I've tested it a few times, and that's definitely what the "issue" is.


I think I'm good for now.  Thanks for the assistance, however, InadequateInfirmity :grinner:
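The pattern spaceferret worked out by hand (a GUID-named .exe under %TEMP%\{GUID}\ that RKill flags with [T-HEUR], and that turned out to be TDSSKiller's own unpacked binary) is worth having as a repeatable check, because the same path shape is used both by self-extracting tools and by droppers. The script below is an added example for this thread, not something posted in it and not part of RKill or TDSSKiller: it parses RKill's "Checking for processes to terminate" section, marks entries that match the Temp\{GUID}\{GUID}.exe shape, and suggests the confirmation step the thread ended on (close the cleaner you were running, re-run RKill, see whether the folder and the detection go away). The third sample line, the `tools_running` parameter and the verdict names are assumptions made for the example; the first two lines are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample input: the two RKill excerpts quoted in this thread plus a
# third, made-up line from an ordinary program path for contrast. The trailer
# is copied from the thread as-is; the parser does not validate its count.
SAMPLE_RKILL_LOG = r"""
Checking for processes to terminate:

 * C:\Users\Owner\AppData\Local\Temp\{EDE1C972-6D26-40A2-B94F-AA8949413685}\{13250C03-6E30-47A0-A1A4-B4B41463A075}.exe (PID: 14712) [T-HEUR]
 * C:\Users\Owner\AppData\Local\Temp\{DA34F588-1644-4B46-95B6-D7B399587D65}\{52C17FEA-3A1E-45C6-9851-3EC1926F5A39}.exe (PID: 7784) [T-HEUR]
 * C:\Program Files\ExampleVendor\updater.exe (PID: 4242) [T-HEUR]

1 proccess terminated!
"""

# One registry-style GUID in braces: 8-4-4-4-12 hex digits.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# An RKill termination line: " * <path> (PID: n) [TAG]".
TERMINATED_LINE = re.compile(
    r"^\s*\*\s+(?P<path>.+?)\s+\(PID:\s*(?P<pid>\d+)\)\s*\[(?P<tag>[^\]]+)\]\s*$"
)

# The shape seen in this thread: ...\AppData\Local\Temp\{GUID}\{GUID}.exe
TEMP_GUID_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\" + GUID + r"\\" + GUID + r"\.exe$", re.IGNORECASE
)


@dataclass
class Termination:
    path: str
    pid: int
    tag: str
    temp_guid_exe: bool  # True when the path matches the Temp\{GUID}\{GUID}.exe shape


def parse_rkill_log(text: str) -> List[Termination]:
    """Extract every terminated process listed under 'Checking for processes to terminate:'."""
    results: List[Termination] = []
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Checking for processes to terminate:":
            in_section = True
            continue
        if not in_section:
            continue
        m = TERMINATED_LINE.match(line)
        if m:
            path = m.group("path")
            results.append(
                Termination(path, int(m.group("pid")), m.group("tag"), bool(TEMP_GUID_EXE.search(path)))
            )
        elif line.strip().endswith("terminated!"):
            in_section = False  # "N proccess terminated!" closes the section
    return results


def triage(t: Termination, tools_running: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (verdict, next_step).

    tools_running is a hypothetical list of cleaner/scanner executables the
    operator had open when RKill ran (e.g. ["tdsskiller.exe"]); the example
    uses it only to decide which confirmation step to suggest.
    """
    if not t.temp_guid_exe:
        return ("review", "Ordinary install path; check the file's publisher and hash as usual.")
    tools = [name for name in tools_running if name]
    if tools:
        return (
            "likely-tool-payload",
            f"Close {', '.join(tools)}, re-run RKill and confirm both the {{GUID}} folder "
            "and the detection disappear; self-extracting tools unpack to exactly this path shape.",
        )
    return (
        "investigate",
        "Nothing you launched explains a GUID-named .exe in Temp: record its parent process and "
        "signer, and check whether the folder persists after a reboot.",
    )


if __name__ == "__main__":
    for term in parse_rkill_log(SAMPLE_RKILL_LOG):
        verdict, step = triage(term, tools_running=["tdsskiller.exe"])
        print(f"PID {term.pid:>5} [{term.tag}] {verdict}: {step}")
```

Run it with the list of tools you actually had open at the time of the RKill run; with an empty list the Temp entries come back as "investigate", which is the right default when a log arrives without that context.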

#8 InadequateInfirmity


    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male
  • Local time:08:49 PM

Posted 24 December 2015 - 02:32 PM

I would suggest putting yourself in full control of what is running on your machine with VooDoo Shield.


Qualys BrowserCheck To update plugins.


Web Of Trust  To Avoid  Shady Websites.


Unchecky To Avoid Bundled Software.





Now let's clean up the tools we used and remove old restore points.


Download DelFix by "Xplode" to your Desktop.
Right-click the tool and Run as Admin (XP users: double-click).
Put a check mark next to the items below:

Remove disinfection tools
Create registry backup
Purge System Restore

Now click on the "Run" button.
Allow the program to complete its work.
All the tools we used will be removed.
The tool will create and open a log report (DelFix.txt).
Note: The report can be located at the following location: C:\DelFix.txt



Have a great day. :guitar:
