
winmgr105.exe keeps minimizing programs/pressing random buttons


10 replies to this topic

#1 someguy77


Posted 16 February 2016 - 07:41 AM

Hello,

I found that a process called winmgr105.exe runs when the system starts, and I'm unable to shut it down.

Malwarebytes Anti-Malware and ESET NOD32 don't see anything.

What should I do?

 

 

 

 

 





#2 buddy215

  • Moderator

Posted 17 February 2016 - 10:49 AM

Welcome to BC...

 

That file name is used by a worm according to SAS. If possible, double check that the file is actually malicious by submitting it to VirusTotal - Free Online Virus and Malware Scan

 

Scan and clean up your computer using the programs below. Post the results of AdwCleaner and JRT scans.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • When the scan has finished, click on the Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 someguy77

  • Topic Starter

Posted 18 February 2016 - 09:23 AM

Here it is, unfortunately winmgr105.exe is still running

 

# AdwCleaner v5.034 - Utworzono raport 18/02/2016 o 13:27:44
# Ostatnia aktualizacja 16/02/2016 przez Xplode
# Baza danych : 2016-02-16.2 [Serwer]
# System operacyjny : Windows 7 Home Premium Service Pack 1 (x64)
# Nazwa użytkownika : Misiek - PCQUAD
# Lokalizacja programu : C:\Users\Misiek\Desktop\AdwCleaner.exe
# Działanie : Skanuj
# Wsparcie : http://toolslib.net/forum

***** [ Usługi ] *****


***** [ Foldery ] *****

Folder znaleziono : C:\ProgramData\Ask
Folder znaleziono : C:\Users\Misiek\AppData\Local\28050

***** [ Pliki ] *****

Plik znaleziono : C:\Windows\SysNative\roboot64.exe

***** [ DLL ] *****


***** [ Skróty ] *****


***** [ Zaplanowane zadania ] *****


***** [ Rejestr ] *****

Klucz znaleziono : HKCU\Software\e936a10f968ac948cd351c9629dbd36d
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
Klucz znaleziono : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
Klucz znaleziono : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Klucz znaleziono : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Klucz znaleziono : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Klucz znaleziono : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Klucz znaleziono : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Klucz znaleziono : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Klucz znaleziono : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Klucz znaleziono : HKCU\Software\APN PIP
Klucz znaleziono : HKCU\Software\Conduit
Klucz znaleziono : HKCU\Software\dobreprogramy
Klucz znaleziono : HKCU\Software\PrivitizeVPNInstallDates
Klucz znaleziono : HKCU\Software\Red Sky
Klucz znaleziono : HKCU\Software\Softonic
Klucz znaleziono : HKCU\Software\StartSearch
Klucz znaleziono : HKLM\SOFTWARE\Classes\and

***** [ Przeglądarki internetowe ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2478 bajty] ##########

 

And JRT

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 7 Home Premium x64
Ran by Misiek (Administrator) on 2016-02-18 at 15:15:53,38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 36

Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\139TD19L (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1JXHKRME (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I339OQ2I (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OA67493K (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OWRHS6S2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCT3H3GA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQRQBSTN (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4JSUMP2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UJ56GA8B (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRB1HJS6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y5XRZLPG (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Misiek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTIZET4Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\139TD19L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1JXHKRME (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I339OQ2I (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OA67493K (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OWRHS6S2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCT3H3GA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQRQBSTN (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4JSUMP2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UJ56GA8B (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRB1HJS6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y5XRZLPG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTIZET4Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\SysWOW64\REN80F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\REN810.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\RENFE1E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\RENFE1F.tmp (File)



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\ Maintance (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-02-18 at 15:17:51,81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


Edited by someguy77, 18 February 2016 - 09:24 AM.


#4 buddy215

  • Moderator

Posted 18 February 2016 - 09:50 AM

Rerun AdwCleaner and be sure to click on Clean, which will allow AdwCleaner to delete what is found.

 

Did you submit the file winmgr105.exe to VirusTotal - Free Online Virus and Malware Scan?

 

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the malware scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.


#5 someguy77

  • Topic Starter

Posted 18 February 2016 - 02:39 PM

I scanned it again with AdwCleaner and clicked clean just to make sure but it doesn't seem to help much, winmgr105.exe is still there.

I can't really scan this file because it looks like it's hiding (I do have 'show hidden folders and files' enabled).

Anyway, here's the EEK report

 

Emsisoft Emergency Kit - Version 11.0
Last update: 2016-02-18 18:50:59
User account: PCQUAD\Misiek

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    2016-02-18 19:52:12
C:\ProgramData\winmgr105.exe     detected: Gen:Trojan.Heur.AutoIT.13 (B)

Scanned    75422
Found    1

Scan end:    2016-02-18 20:01:09
Scan time:    0:08:57
 



#6 buddy215

  • Moderator

Posted 18 February 2016 - 03:21 PM

You didn't allow Emsisoft to delete the trojan it found... winmgr105.exe.

Rerun it and allow Emsisoft to delete/quarantine the file.

 

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to copy and paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to copy and paste that list into your next post. Please do that.



#7 someguy77

  • Topic Starter

Posted 21 February 2016 - 04:54 AM

Sorry it took me so long, I really couldn't do it any faster.
I used Emsisoft to scan everything two more times, but it just keeps finding this file again and again, no matter whether I quarantine or delete it.

 

Start up

 

Yes    HKCU:Run    2    Neil Hodgson neilh@scintilla.org    C:\ProgramData\winmgr105.exe
No    HKCU:Run    2    Neil Hodgson neilh@scintilla.org    C:\ProgramData\winmgr105.exe
No    HKCU:Run    ALLUpdate        "C:\Program Files (x86)\ALLPlayer\ALLUpdate.exe" "sleep"
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
No    HKCU:Run    DAEMON Tools Lite    Disc Soft Ltd    "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
No    HKCU:Run    DAEMON Tools Ultra Agent        "E:\Gry\DAEMON Tools Ultra\DTAgent.exe" -autorun
No    HKCU:Run    Prevent Restore Maintance    www.privacyroot.com    "C:\Program Files\Prevent Restore\net1.exe" windowsStartup
No    HKCU:Run    RGSC        C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
Yes    HKCU:Run    Steam    Valve Corporation    "E:\Steam\steam.exe" -silent
Yes    HKLM:Run    egui    ESET    "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
No    HKLM:Run    NvBackend        "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
No    HKLM:Run    PocketCloud Location        "C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe"
No    HKLM:Run    ProductUpdater        C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
Yes    HKLM:Run    RtHDVCpl    Realtek Semiconductor    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
No    HKLM:Run    ShadowPlay    Microsoft Corporation    C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
No    Startup User    OpenOffice.org 3.3.lnk        C:\PROGRA~2\OPENOF~1.ORG\program\QUICKS~1.EXE
 

Scheduled tasks

 

Yes    Task    Adobe Acrobat Update Task    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Yes    Task    CCleanerSkipUAC    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    ESET Windows 10 upgrade – Refresh settings    ESET    C:\Program Files\Common Files\AV\ESET NOD32 Antivirus 6.0\upgrade.exe
Yes    Task    SilverlightUpdater20110920        c:/silverlight.exe
Yes    Task    winmgr105.exe    Neil Hodgson neilh@scintilla.org    C:\ProgramData\winmgr105.exe
Yes    Task    {075982C4-400E-4DC8-99BA-65B62F4772E9}        E:\Gry\LaunchBFII.exe
Yes    Task    {11CA30B2-EFE2-4525-8395-7B457A271B66}        E:\Gry\Rock of Ages\Binaries\Win32\RoA.exe
Yes    Task    {18BD1D8D-5547-4690-8E45-231B5DA0C853}        E:\Gry\nosTEAM\Call of Duty Modern Warfare 3 PC multiplayer 4D1 ^^nosTEAM^^\Call of Duty Modern Warfare 3 multiplayer 4D1\LaunchIW5M.exe
Yes    Task    {21FE11B2-1494-4436-B547-A24E4D951839}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a D:\start.exe -d D:\ -c /s
Yes    Task    {2720409A-620E-4E56-91E7-989CFE00B081}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a D:\start.exe -d D:\ -c /s
Yes    Task    {29E16B2A-0ACB-4396-8BD9-01F0A4F10A05}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "E:\The Elder Scrolls V - Skyrim\VCRedist\vcredist_x86.exe" -d "E:\The Elder Scrolls V - Skyrim\VCRedist"
Yes    Task    {3805F68C-37B7-42E3-BEF3-D13BD33E2014}        D:\autorun.exe
Yes    Task    {3E67338E-AF43-427F-914C-0D8F67C7136B}        E:\Gry\Adobe AIR\Versions\1.0\Resources\WebKit\Nowy folder\Nowy folder\Private\games\Princess Trainer 1.02-win\Princess Trainer 1.02-win\Princess Trainer.exe
Yes    Task    {469E7795-8A87-45C1-9E0D-0222089D53C8}        D:\autorun.exe
Yes    Task    {4EA993D5-EE91-4D24-AD87-4509A439542B}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\Uninstall.exe"
Yes    Task    {518056BC-849B-4A2F-AACB-26493ABFCAA5}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a E:\SpybotSD_Portable_1.6.2.46_MultiLang.paf.exe -d E:\
Yes    Task    {6A54812F-6032-4C95-85A0-ABF6E3DF85D7}        E:\Gry\nosTEAM\Call of Duty Modern Warfare 3 PC multiplayer 4D1 ^^nosTEAM^^\Call of Duty Modern Warfare 3 multiplayer 4D1\LaunchIW5M.exe
Yes    Task    {7F5159DA-795F-4505-AE9C-F3469294A434}        E:\Steam\SteamApps\common\The Bureau\thebureauv12+7tr.exe
Yes    Task    {8173844D-E29F-4FA4-9E28-F38C9916A8C6}        E:\Worms 3D\Launcher.exe
Yes    Task    {849BF1B6-F06C-452E-9C73-0326D667AFDA}    Mozilla Corporation    "c:\program files (x86)\mozilla firefox\firefox.exe" http://ui.skype.com/ui/0/7.15.0.103/pl/abandoninstall?page=tsProgressBar
Yes    Task    {872C881C-70FB-4E2E-A8CE-E7E76ABA082F}        E:\Gry\LaunchBFII.exe
Yes    Task    {876B830F-74AA-4D51-B7EE-CC8C2F1827E9}        E:\Worms 3D\Launcher.exe
Yes    Task    {8D1B1343-F9BD-40D0-89AD-A97012CBC742}        E:\Gry\nosTEAM\Call of Duty Modern Warfare 3 PC multiplayer 4D1 ^^nosTEAM^^\Call of Duty Modern Warfare 3 multiplayer 4D1\LaunchIW5M.exe
Yes    Task    {945298D4-8446-49F2-BF22-5F79FD736A02}        E:\Gry\Rock of Ages\Binaries\Win32\RoA.exe
Yes    Task    {96ABFD08-8F99-4873-9D63-DF2A7297F2ED}        E:\Gry\LaunchBFII.exe
Yes    Task    {A7074E7F-B1C7-43CB-9772-268F58C49FC2}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "E:\X-Ray Mod Installer\X-Ray Mod Installer.exe" -d "E:\X-Ray Mod Installer"
Yes    Task    {BA0119C5-AE16-4687-9FE0-9FBC1BA58B06}        D:\autorun.exe
Yes    Task    {C0651220-088E-44D5-8A0F-2DA748F83028}        E:\Gry\LaunchBFII.exe
Yes    Task    {C221B6C4-0563-4B23-917C-B05FAD44A3D6}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Windows\IsUn0415.exe -c -fe:\Uninst.isu -ce:\UninstallProject.dll
Yes    Task    {D010C607-AD35-4D60-A4F1-42BE0A0E10E7}    Mozilla Corporation    "c:\program files (x86)\mozilla firefox\firefox.exe" http://ui.skype.com/ui/0/6.16.0.105/pl/abandoninstall?page=tsProgressBar
Yes    Task    {D2DF73B6-C051-4B0B-8135-DDEDBFBBCB7E}        E:\Gry\nosTEAM\Call of Duty Modern Warfare 3 PC multiplayer 4D1 ^^nosTEAM^^\Call of Duty Modern Warfare 3 multiplayer 4D1\LaunchIW5M.exe
Yes    Task    {DFDFF3C8-6EA7-4454-A39A-33DC0A19C343}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{1C08A24C-B168-407E-A826-68FAF5F20710}\setup.exe" -c -runfromtemp -l0x0415
Yes    Task    {E1577FC1-4AFF-4D85-BB74-8D97C38FC059}    Mozilla Corporation    "c:\program files (x86)\mozilla firefox\firefox.exe" http://ui.skype.com/ui/0/6.16.0.105/id/abandoninstall?page=tsMain
Yes    Task    {EA622DE2-5505-4A46-B7D2-0FA2B407E11B}        E:\Gry\LaunchBFII.exe
Yes    Task    {EC237256-71F8-4715-B474-A7B2E26940B6}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a D:\Launcher.exe -d D:\
Yes    Task    {FC9CE784-E0F8-4324-A0F8-3C03D6997A2A}        E:\Gry\LaunchBFII.exe
 

Uninstall

 

Adobe Acrobat Reader DC - Polish    Adobe Systems Incorporated    2016-02-18    202 MB    15.010.20059
Adobe AIR    Adobe Systems Incorporated    2012-07-20        3.2.0.2070
Adobe Flash Player 17 ActiveX    Adobe Systems Incorporated    2015-06-10    6,00 MB    17.0.0.188
Adobe Flash Player 18 NPAPI    Adobe Systems Incorporated    2015-08-07    17,6 MB    18.0.0.209
Adobe Shockwave Player 12.1    Adobe Systems, Inc.    2015-07-05        12.1.8.158
Age of Empires III - The WarChiefs    Microsoft Game Studios    2012-10-21    817 MB    1.00.0000
Audacity 2.0.5    Audacity Team    2015-02-18    45,5 MB    2.0.5
Call of Juarez: The Cartel    Techland    2013-11-14        
CCleaner    Piriform    2016-02-19        5.14
CDisplayEx 1.10.29    Progdigy Software S.A.R.L.    2015-10-30    15,3 MB    
Counter-Strike: Global Offensive    Valve    2013-10-30        
DAEMON Tools Lite    Disc Soft Ltd    2015-04-21        5.0.1.0407
Deus Ex: Human Revolution    Eidos Montreal    2016-02-13        
ESET NOD32 Antivirus    ESET, spol s r. o.    2013-08-07    33,1 MB    6.0.316.1
Garry's Mod    Facepunch Studios    2015-01-03        
Ghost Master    Sick Puppies    2014-12-27        
GIMP 2.8.14    The GIMP Team    2015-06-28    268 MB    2.8.14
Google Chrome    Google Inc.    2015-10-07        47.0.2526.111
GTA III    Rockstar Games    2015-12-21        1.00.0000
Hotline Miami    Dennaton Games    2016-02-01        
Intel® Management Engine Components    Intel Corporation    2012-04-14        7.0.0.1144
Java 8 Update 45    Oracle Corporation    2015-06-16    77,1 MB    8.0.450
Java 8 Update 51    Oracle Corporation    2015-08-07    9,36 MB    8.0.510
Java™ 6 Update 31        2012-04-14        
LEGO® Star Wars™: The Complete Saga    LucasArts    2016-02-10    5,26 GB    1.00.0000
LibreOffice 5.0.4.2    The Document Foundation    2016-01-27    536 MB    5.0.4.2
Malwarebytes Anti-Malware wersja 2.2.0.1024    Malwarebytes    2016-02-13    66,0 MB    2.2.0.1024
Microsoft .NET Framework 4.6.1    Microsoft Corporation    2016-01-15    38,8 MB    4.6.01055
Microsoft .NET Framework 4.6.1 (Polski)    Microsoft Corporation    2016-01-15    2,93 MB    4.6.01055
Microsoft ASP.NET MVC 4 Runtime    Microsoft Corporation    2015-06-16    1,59 MB    4.0.40804.0
Microsoft Games for Windows - LIVE    Microsoft Corporation    2015-11-10    7,86 MB    3.3.24.0
Microsoft Games for Windows - LIVE Redistributable    Microsoft Corporation    2015-11-12    31,3 MB    3.5.95.0
Microsoft SQL Server 2005 Compact Edition [ENU]    Microsoft Corporation    2013-08-19    1,69 MB    3.1.0000
Microsoft Visual C++ 2005 Redistributable    Microsoft Corporation    2016-01-10    2,38 MB    8.0.59193
Microsoft Visual C++ 2005 Redistributable (x64)    Microsoft Corporation    2012-06-22    708 KB    8.0.61000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022    Microsoft Corporation    2015-06-13    1,70 MB    9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148    Microsoft Corporation    2012-04-14    788 KB    9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161    Microsoft Corporation    2012-05-14    788 KB    9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022    Microsoft Corporation    2012-08-11    8,66 MB    9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17    Microsoft Corporation    2012-09-10    236 KB    9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    Microsoft Corporation    2012-04-14    596 KB    9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161    Microsoft Corporation    2012-05-14    600 KB    9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219    Microsoft Corporation    2013-09-20    13,8 MB    10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219    Microsoft Corporation    2015-11-24    11,1 MB    10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030    Microsoft Corporation    2015-11-29    20,5 MB    11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030    Microsoft Corporation    2015-11-29    17,3 MB    11.0.61030.0
Microsoft XNA Framework Redistributable 4.0    Microsoft Corporation    2014-09-16    8,03 MB    4.0.20823.0
Mozilla Firefox 43.0.1 (x86 pl)    Mozilla    2016-01-26    97,1 MB    43.0.1
MSXML 4.0 SP3 Parser    Microsoft Corporation    2012-07-20    1,47 MB    4.30.2100.0
MSXML 4.0 SP3 Parser (KB2721691)    Microsoft Corporation    2012-07-29    1,53 MB    4.30.2114.0
MSXML 4.0 SP3 Parser (KB2758694)    Microsoft Corporation    2013-01-10    1,54 MB    4.30.2117.0
NapiProjekt (2.2.0.2399)        2015-06-23    20,4 MB    
NVIDIA PhysX (Legacy)    NVIDIA Corporation    2015-06-13    42,1 MB    9.12.1031
NVIDIA Sterownik dźwięku HD 1.3.30.1    NVIDIA Corporation    2014-06-23        1.3.30.1
NVIDIA Sterownik graficzny 337.88    NVIDIA Corporation    2014-06-23        337.88
OpenAL        2016-02-01        
OpenOffice.org 3.3    OpenOffice.org    2012-04-14    386 MB    3.3.9567
Painkiller Black    GOG.com    2016-01-09        
paint.net    dotPDN LLC    2016-01-15    27,8 MB    4.0.9
PAYDAY 2    OVERKILL - a Starbreeze Studio.    2014-04-23        
PlanetSide 2    Daybreak Games    2016-01-27        
PocketCloud Windows Companion    Wyse Technology    2013-01-25    18,2 MB    2.5.13
Podstawowe programy Windows Live    Microsoft Corporation    2013-08-19        16.4.3508.0205
Portal 2    Valve    2015-10-04        
Prevent Restore    PrivacyRoot.com    2016-02-05    1,42 MB    4.14
Quake Live    id Software    2014-09-21        
Realtek Ethernet Controller Driver    Realtek    2012-04-14        7.44.421.2011
Realtek High Definition Audio Driver    Realtek Semiconductor Corp.    2012-04-14        6.0.1.6251
Recuva    Piriform    2015-07-02        1.52
Skype™ 7.14    Skype Technologies S.A.    2015-12-06    81,7 MB    7.14.106
Steam        2012-04-14        
Steam    Valve Corporation    2015-04-26        2.10.91.91
Team Fortress 2    Valve    2013-12-27        
TeamViewer 11    TeamViewer    2016-02-18        11.0.55321
The Sims Pełna kolekcja        2012-08-15    3,51 GB    
Total Commander 64-bit (Remove or Repair)    Ghisler Software GmbH    2015-11-04        8.52a
Ubisoft Game Launcher    UBISOFT    2016-02-06        1.0.0.0
Unity Web Player    Unity Technologies ApS    2016-01-28    12,0 MB    5.3.2f1
VLC media player 2.0.3    VideoLAN    2012-08-06        2.0.3
Warface    Crytek    2015-11-03        
Warface Launcher (Beta)    Crytek GmbH    2014-12-20    61,0 MB    1.0.0
WinRAR 4.11 (32-bitowy)    win.rar GmbH    2012-04-29        4.11.0
World of Guns: Gun Disassembly    Noble Empire Corp.    2015-10-19        
 



#8 buddy215

  • Moderator

Posted 21 February 2016 - 06:53 AM

Delete these Windows Startups: Use CCleaner by clicking on each item and choosing Delete on the right.

Yes    HKCU:Run    2    Neil Hodgson neilh@scintilla.org    C:\ProgramData\winmgr105.exe
No    HKCU:Run    2    Neil Hodgson neilh@scintilla.org    C:\ProgramData\winmgr105.exe
No    HKCU:Run    ALLUpdate        "C:\Program Files (x86)\ALLPlayer\ALLUpdate.exe" "sleep"
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
No    HKCU:Run    DAEMON Tools Lite    Disc Soft Ltd    "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

No    HKCU:Run    Prevent Restore Maintance    www.privacyroot.com    "C:\Program Files\Prevent Restore\net1.exe" windowsStartup

 

Disable these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    HKCU:Run    Steam    Valve Corporation    "E:\Steam\steam.exe" -silent

 

Disable ALL Scheduled Tasks. Use CCleaner by clicking on each item and choosing Disable on the right.

 

Uninstall these programs:

Adobe AIR    Adobe Systems Incorporated    2012-07-20        3.2.0.2070
Adobe Flash Player 17 ActiveX    Adobe Systems Incorporated    2015-06-10    6,00 MB    17.0.0.188 (Use Uninstall Flash Player for Windows)
Adobe Flash Player 18 NPAPI    Adobe Systems Incorporated    2015-08-07    17,6 MB    18.0.0.209 (Use Uninstall Flash Player for Windows)

DAEMON Tools Lite    Disc Soft Ltd    2015-04-21        5.0.1.0407

Java 8 Update 45    Oracle Corporation    2015-06-16    77,1 MB    8.0.450
Java 8 Update 51    Oracle Corporation    2015-08-07    9,36 MB    8.0.510
Java™ 6 Update 31        2012-04-14      

PocketCloud Windows Companion    Wyse Technology    2013-01-25    18,2 MB    2.5.13

Prevent Restore    PrivacyRoot.com    2016-02-05    1,42 MB    4.14

Ubisoft Game Launcher    UBISOFT    2016-02-06        1.0.0.0 (Unless you absolutely need it)
Unity Web Player    Unity Technologies ApS    2016-01-28    12,0 MB    5.3.2f1 (Unless you absolutely need it)

 

Update Mozilla Firefox 43.0.1 (x86 pl)    Mozilla    2016-01-26    97,1 MB    43.0.1



#9 someguy77

  • Topic Starter

Posted 21 February 2016 - 09:27 AM

The only thing I couldn't do was delete the winmgr105.exe scheduled task.

It just shows up again a few seconds after being deleted.
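The persistence seen in this thread is an HKCU Run value plus a scheduled task that re-creates itself, both pointing at C:\ProgramData\winmgr105.exe, and the topic starter could not locate the hidden file to upload it. The following PowerShell audit is an added example, not code posted in the thread or part of any tool mentioned in it: it enumerates Run/RunOnce values and every scheduled task action (hidden tasks included), flags entries whose executable lives in a user-writable location such as ProgramData or AppData, and prints the file's attributes and SHA-256 so the hash can be looked up on VirusTotal without first finding the file by hand. Function names are mine; it assumes Windows PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example (not from the thread). Audit autorun locations for executables that
# live in user-writable directories, then show attributes and SHA-256 for each one.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

$suspectRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)

function Get-ImagePath {
    # Extract the executable path from a command line, quoted or not.
    param([string]$CommandLine)
    if ($CommandLine -match '"([^"]+\.exe)"') { return $matches[1] }
    if ($CommandLine -match '([A-Za-z]:\\[^\s"]+\.exe)') { return $matches[1] }
    return $null
}

function Test-SuspectPath {
    # True when the path sits under one of the user-writable roots above.
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $suspectRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-Sha256 {
    # Get-FileHash only exists from PowerShell 4.0, so hash with .NET directly.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$findings = @()

# 1. Run / RunOnce values in both hives (the thread's "2" value lived under HKCU:Run).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... added by the provider
        $findings += New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# 2. Scheduled task actions via the Task Scheduler 2.0 COM API (available on Windows 7,
#    independent of the system language, and able to list hidden tasks).
function Get-AllTasks($folder) {
    foreach ($t in $folder.GetTasks(1)) { $t }          # 1 = TASK_ENUM_HIDDEN
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
foreach ($task in Get-AllTasks $svc.GetFolder('\')) {
    foreach ($action in $task.Definition.Actions) {
        if ($action.Type -ne 0) { continue }            # 0 = TASK_ACTION_EXEC
        $findings += New-Object PSObject -Property @{
            Source  = "Task $($task.Path)"
            Name    = $task.Definition.RegistrationInfo.Author
            Command = ("{0} {1}" -f $action.Path, $action.Arguments).Trim()
        }
    }
}

# 3. Report entries whose image lives in a user-writable location, with attributes and hash.
foreach ($f in $findings) {
    $image = Get-ImagePath $f.Command
    if (-not (Test-SuspectPath $image)) { continue }
    # -Force makes Get-Item return hidden and system files that Explorer may not show.
    $item = Get-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue
    "{0}`n  name:    {1}`n  command: {2}" -f $f.Source, $f.Name, $f.Command
    if ($item) {
        "  attrs:   {0}`n  sha256:  {1}" -f $item.Attributes, (Get-Sha256 $item.FullName)
    } else {
        "  file not found on disk (already removed, or the path needs expanding)"
    }
}
```

Run it before and after each cleanup pass: an entry that disappears and then returns, as the scheduled task did in this thread, points to another running process re-creating it, which is exactly the case the moderator hands over to the Malware Removal forum.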



#10 buddy215

  • Moderator

Posted 21 February 2016 - 09:47 AM

Need to start a new topic in the Malware Removal Forum.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#11 someguy77

  • Topic Starter

Posted 21 February 2016 - 11:17 AM

http://www.bleepingcomputer.com/forums/t/606045/winmgr105exe/

Here it is.

Thank you for your help.





