
Infected with newly generated *.temp.exe files.


  • This topic is locked
5 replies to this topic

#1 fam007E

  • Members
  • 5 posts

Posted 19 May 2017 - 02:29 PM

These newly generated *.tmp.exe files (for example ge320.tmp.exe) cause many rundll32.exe processes to appear in Task Manager, each showing 0% CPU usage but 0.2 MB of memory.

Even if I end its process manually, it generates again and again after a few minutes.


Edited by fam007E, 19 May 2017 - 03:09 PM.




#2 fam007E

  • Topic Starter
  • Members
  • 5 posts

Posted 19 May 2017 - 03:11 PM

My FRST scan log (Addition.txt)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by faisa (20-05-2017 02:04:58)
Running from D:\DOWNLOADS\Programs\FRST
Windows 10 Pro Version 1511 (X64) (2017-03-04 14:03:19)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4133247746-467490894-4013083430-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4133247746-467490894-4013083430-503 - Limited - Disabled)
faisa (S-1-5-21-4133247746-467490894-4013083430-1002 - Administrator - Enabled) => C:\Users\faisa
Guest (S-1-5-21-4133247746-467490894-4013083430-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\uTorrent) (Version: 3.4.7.42330 - BitTorrent Inc.)
7-Zip 17.00 beta (x64) (HKLM\...\7-Zip) (Version: 17.00 beta - Igor Pavlov)
Adobe Flash Player 25 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{E92BB800-BCC5-4C25-8102-AC2C3B7C7C1E}) (Version: 5.5 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9C912B1E-06DD-43EF-BB2B-45CB2C88BAAE}) (Version: 5.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
BijoyBayanno (HKLM-x32\...\{3E381EAF-2E76-4189-B98B-C315B397734F}) (Version: 1.0.0 - Ananda Computers)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Facebook Gameroom 1.3.1.3 (HKLM-x32\...\{7E155A45-DE1A-46E0-A6B2-10FE1D8501FC}) (Version: 1.3.1.3 - Facebook)
FIFA 10 (HKLM-x32\...\{11202615-E557-4ECF-9B86-F59C81E52909}) (Version: 1.0.0.0 - Electronic Arts)
GitHub Desktop (HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\GitHubDesktop) (Version: 0.5.5 - GitHub, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.110 - Google Inc.)
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
Herramientas de corrección de Microsoft Office 2016: español (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
ISO to USB (HKLM-x32\...\{D08A30AC-A663-4EA8-8D81-B98E17F19F1C}_is1) (Version:  - isotousb.com)
iTunes (HKLM\...\{F0C7385A-9D20-45F3-8101-05D383885180}) (Version: 12.6.1.25 - Apple Inc.)
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
KMPlayer (remove only) (HKLM-x32\...\The KMPlayer) (Version: 4.1.5.8 - PandoraTV)
Manager (x32 Version: 5.0.15.31893 - 2017 pdfforge GmbH. All rights reserved) Hidden
Maple 2016 (HKLM\...\Maple 2016) (Version: 2016 - Maplesoft)
MATLAB Production Server R2015a (HKLM\...\MATLAB Production Server R2015a) (Version: 2.1 - MathWorks)
Microsoft ASP.NET MVC 2 (HKLM-x32\...\{DD8FF2F3-0D97-4CF3-AF78-FA0E1B242244}) (Version: 2.0.60926.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 (HKLM\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.10.25008 (HKLM-x32\...\{f1e7e313-06df-4c56-96a9-99fdfd149c51}) (Version: 14.10.25008.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008 (HKLM-x32\...\{c239cea1-d49e-4e16-8e87-8c055765f7ec}) (Version: 14.10.25008.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Origin 2016 (HKLM-x32\...\{DC460501-EEFA-4701-8AD8-5F7DE1B70436}) (Version: 9.30.00 - OriginLab Corporation)
Outils de vérification linguistique 2016 de Microsoft Office - Français (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Oxford Advanced Learner's Dictionary - 8th Edition (HKLM-x32\...\NSIS_oald8) (Version:  - )
Oxygen XML Editor 18.0 (64-bit) (HKLM\...\8531-1278-6363-8538) (Version: 18.0 - SyncRO Soft)
Passware Kit Professional 12.3 (HKLM-x32\...\{FFFF4FFA-3CC9-4EC1-845A-8B24027820E3}) (Version: 12.3.6332 - Passware)
PdaNet+ for Android 4.19 (HKLM-x32\...\PdaNet_is1) (Version:  - June Fabrics Technology Inc)
PDF Architect 5 (HKLM-x32\...\PDF Architect 5) (Version: 5.0.21.32007 - pdfforge GmbH)
PDF Architect 5 Asian Fonts Pack (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Convert Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Create Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Edit Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Forms Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Insert Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Review Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 Secure Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
PDF Architect 5 View Module (Version: 5.0.22.32126 - pdfforge GmbH) Hidden
QUICKfind server v1.1 (HKLM-x32\...\QUICKfind) (Version:  - IDM)
SHAREit (HKLM-x32\...\www.ushareit.com_is1) (Version: 4.0.5.171 - SHAREit Technologies Co.Ltd)
WhatsApp (HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\WhatsApp) (Version: 0.2.4240 - WhatsApp)
WinDjView 2.1 (HKLM\...\WinDjView) (Version: 2.1 - Andrew Zhezherun)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (08/28/2014 11.0.0000.00000) (HKLM\...\092555911492C6959D2596D612F52DCA71881CA2) (Version: 08/28/2014 11.0.0000.00000 - Google, Inc.)
WinRAR 5.40 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
WinRAR 5.50 beta 1 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.1 - win.rar GmbH)
WinZip 21.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C2410B}) (Version: 21.0.12288 - WinZip Computing, S.L. )
Wise Care 365 4.64 (HKLM-x32\...\Wise Care 365_is1) (Version: 4.64 - WiseCleaner.com, Inc.)
Wise Program Uninstaller 2.01 (HKLM-x32\...\Wise Program Uninstaller_is1) (Version: 2.01 - WiseCleaner.com, Inc.)
Wolfram Mathematica 10.3 (M-WIN-L 10.3.1 5448563) (HKLM\...\M-WIN-L 10.3.1 5448563_is1) (Version: 10.3.1 - Wolfram Research, Inc.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-4133247746-467490894-4013083430-1002_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0380BBBB-FB09-4776-A17B-2E925FFD037F} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2015-07-31] (Microsoft Corporation)
Task: {0B5AA62D-4614-4886-9B21-D61B48490AD8} - System32\Tasks\WinZipBackGroundToolsTask => C:\Program Files\WinZip\WzBGTools.exe [2016-10-22] (WinZip Computing, S.L.)
Task: {1DDE7251-0D37-4B62-965E-35973F96242F} - System32\Tasks\59u340N9859f781 => Rundll32.exe "C:\ProgramData\59u340N9859f781\59u340N9859f781.dll",uNfBtObo <==== ATTENTION
Task: {2489CA81-FF54-4F17-97C9-52CDB01924A8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2017-05-01] ()
Task: {27E1FB2D-BEDF-45E8-984D-31FBEFD7FE40} - System32\Tasks\Wise Turbo Checker.job => C:\Program Files (x86)\Wise\Wise Care 365\WiseTurbo.exe [2017-05-03] (WiseCleaner.COM)
Task: {3858B9B9-F362-4A07-9CF4-273EF0319B6F} - System32\Tasks\microsoft toolkit 2-6 beta 5 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {4F23D5F2-7CB8-422C-995A-2C2BF64881A5} - System32\Tasks\75u8295N822f171 => Rundll32.exe "C:\ProgramData\75u8295N822f171\75u8295N822f171.dll",uNfBtObo <==== ATTENTION
Task: {608EF927-9353-482E-A14E-C2C351BD3FDF} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_pepper.exe [2017-05-09] (Adobe Systems Incorporated)
Task: {6738DC84-2C4A-4E67-ADE1-5D37CC529D02} - System32\Tasks\804a425a203K393 => Rundll32.exe "C:\ProgramData\804a425a203K393\804a425a203K393.dll",aKecRQRn <==== ATTENTION
Task: {74C212DB-4A01-4893-9061-6128BD8487FC} - System32\Tasks\51u117N7372f506 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo <==== ATTENTION
Task: {74F22C71-1DC6-4248-AD27-F7B0880852EC} - System32\Tasks\86u514N4652f187 => Rundll32.exe "C:\ProgramData\86u514N4652f187\86u514N4652f187.dll",uNfBtObo <==== ATTENTION
Task: {8AE2ED3B-C3E5-45E0-AE9F-E1401378708D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-05-09] (Adobe Systems Incorporated)
Task: {8CD64955-E0FA-43EF-B93E-C53E1A53234E} - System32\Tasks\utorrent\updates\3-4 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {9014FA51-0291-45B2-BBEF-23E5E27D5387} - System32\Tasks\Wise Care 365.job => C:\Program Files (x86)\Wise\Wise Care 365\WiseTray.exe [2017-05-10] (WiseCleaner.com)
Task: {98915FE6-6584-48BC-A5A9-ED506E42B0D8} - System32\Tasks\OInstall => C:\Windows\OInstall.exe [2017-05-11] ()
Task: {A18EF8CE-ED4F-4A53-830A-9EE71F43ADE3} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [2015-07-31] (Microsoft Corporation)
Task: {A8A69B60-0503-413E-8BB2-8D04AB461542} - System32\Tasks\utorrent\utorrent => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {A8BD1632-3F51-4024-9AF8-ADE86E067933} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [2015-07-31] (Microsoft Corporation)
Task: {A94DDDC5-6BE6-4D4E-9C80-B9A17454ACC3} - System32\Tasks\utorrent\virusguard\bittorrentantivirus => Rundll32.exe "C:\ProgramData\9D7037M9524q859\9D7037M9524q859.dll",DMqvGuFu
Task: {AAC7BFA6-078D-4C52-B6FE-A4971F55454A} - System32\Tasks\deepburner pro\deepburner => Rundll32.exe "C:\ProgramData\17u6709N6984f630\17u6709N6984f630.dll",uNfBtObo
Task: {AE4A0CC9-F8D3-4C77-9794-A9978FFD5903} - System32\Tasks\systemsettings => Rundll32.exe "C:\ProgramData\17u6709N6984f630\17u6709N6984f630.dll",uNfBtObo
Task: {AF239DFC-AB12-41FD-9DCE-1221E59618F3} - System32\Tasks\utorrent\updates\3-4-7_42330\utorrentie => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {B9E54881-25E7-405C-A9E2-59960431B397} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {CB9E2D0E-D134-4BA0-A238-184255B9DC3D} - System32\Tasks\microsoft toolkit 2 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {CF3CACCF-21D5-488E-95DF-44F47B1B6BCE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-04] (Google Inc.)
Task: {D5F80589-3C1C-4C2B-B523-B84F021FE561} - System32\Tasks\ezCheckProfile => Rundll32.exe "C:\Program Files\ezCheckProfile\ezCheckProfile.dll",KONmSyIZwdm
Task: {D7330F61-EAEA-4344-8DBE-84DC4B9C15D5} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2016-01-12] (@ByELDI)
Task: {DF48498A-9259-4504-92E7-AA8E6A1E311F} - System32\Tasks\WiseUninsDetecter.job => C:\Program Files (x86)\Wise\Wise Program Uninstaller\UnMonitor.exe [2017-03-21] (WiseCleaner.com)
Task: {E975B1C6-F79F-43B9-8FEE-99B566FE0DAF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-04] (Google Inc.)
Task: {EF1DC753-A69B-4FC7-8030-53C73B3C2A12} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-04-29 23:34 - 2017-03-04 11:31 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-05-09 00:44 - 2017-05-09 00:44 - 01354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-05-10 15:02 - 2017-04-28 10:30 - 02656960 _____ () C:\Windows\system32\CoreUIComponents.dll
2017-05-10 15:02 - 2017-04-28 10:30 - 02656960 _____ () C:\Windows\System32\CoreUIComponents.dll
2017-02-22 23:56 - 2017-02-22 23:56 - 08911560 _____ () C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-02-24 08:57 - 2015-12-07 10:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2017-03-06 14:03 - 2016-07-01 09:48 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2017-04-29 23:34 - 2017-03-04 09:19 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-04-29 23:33 - 2017-03-04 09:14 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-05-10 15:02 - 2017-04-28 05:46 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-05-10 15:02 - 2017-04-28 05:49 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-04-25 10:37 - 2015-06-01 11:03 - 02471424 _____ () C:\Program Files\ezCheckProfile\ezCheckProfile.dll
2017-05-20 02:00 - 2017-05-20 02:00 - 00335360 _____ () C:\Windows\TEMP\gDBDE.tmp.exe
2017-05-20 02:00 - 2017-05-20 02:00 - 00476160 _____ () C:\Windows\TEMP\gF497.tmp.exe
2015-10-30 13:18 - 2015-10-30 13:18 - 00218456 _____ () c:\windows\system32\WerEtw.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 13:24 - 2017-04-20 22:21 - 00000977 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1                   keystone.mwbsys.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\faisa\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 103.62.143.30 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\StartupFolder: => "BijoyBayanno.lnk"
HKLM\...\StartupApproved\StartupFolder: => "WinZip Preloader.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Update Notifier.lnk"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\StartupApproved\StartupFolder: => "Facebook Gameroom.lnk"
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\StartupApproved\StartupFolder: => "PdaNet Desktop.lnk"
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\StartupApproved\Run: => "uTorrent"
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\StartupApproved\Run: => "IDMan"
HKU\S-1-5-21-4133247746-467490894-4013083430-1002\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{B5B09233-BA2A-4EBF-B595-C63EF5450774}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{6B6E97AA-9545-47D6-9EF4-86F1C7BC888D}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C931FADF-B419-487D-9F3A-4CC4A931AD7B}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{26886E13-3914-4E7E-B15D-FD88BABA9626}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{24B00F70-8A8E-464B-B1E4-703C565B44D8}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{986BFBB1-4C00-420F-910D-3965B7D78C3B}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8D434DE1-21BF-45D6-9B4F-9FD6B025629D}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{AEB05103-21E7-45E5-AB1E-5BF5ACA2455F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{1E2C35F3-27FF-4D62-9150-057083AADD20}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F433CE50-1222-4DC3-9209-6A7BE52BF61C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FF3E41E9-5CA1-4958-B73E-E2D654786431}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{42FC09DD-2C6D-4D45-B550-45551CF410D4}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{93F69D88-4EC7-4E50-8C47-953DB71E4ABC}] => (Allow) C:\Users\faisa\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DB68B28B-134F-417A-9142-5F38E3C31AEA}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\Mathematica.exe
FirewallRules: [{372DD782-E7D1-409F-A3F7-F9A3F625AA78}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\Mathematica.exe
FirewallRules: [{2661F36E-CBDC-4915-83FA-9D305411BD7C}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\MathKernel.exe
FirewallRules: [{387FE5F3-7EF0-4F54-8BB0-B0D06EA6C1EF}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\MathKernel.exe
FirewallRules: [{9E8331C6-3115-4D65-AA07-8A58A2C62183}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\math.exe
FirewallRules: [{3C92B5B0-B182-49A3-84D0-D60D02300C4A}] => (Allow) C:\Program Files\Wolfram Research\Mathematica\10.3\math.exe
FirewallRules: [{8817784C-7689-447B-803D-906DFFC54473}] => (Allow) C:\Program Files (x86)\SHAREit Technologies\SHAREit\SHAREit.exe
FirewallRules: [{FCE8D9ED-C252-44A2-9571-4E29223F63CF}] => (Allow) C:\Program Files (x86)\SHAREit Technologies\SHAREit\SHAREit.exe
FirewallRules: [TCP Query User{93FAB19F-2867-4A6E-A62E-A212F9E9F06D}C:\program files\maple 2016\jre\bin\javaw.exe] => (Allow) C:\program files\maple 2016\jre\bin\javaw.exe
FirewallRules: [UDP Query User{9F0983E4-8D0C-4BB9-899C-92327F810445}C:\program files\maple 2016\jre\bin\javaw.exe] => (Allow) C:\program files\maple 2016\jre\bin\javaw.exe
FirewallRules: [TCP Query User{0DB5C87B-FCFD-42A6-A765-69C1FE9D0571}C:\program files\maple 2016\jre\bin\java.exe] => (Allow) C:\program files\maple 2016\jre\bin\java.exe
FirewallRules: [UDP Query User{596DE232-9978-4D41-AA58-9A287A7EE7B9}C:\program files\maple 2016\jre\bin\java.exe] => (Allow) C:\program files\maple 2016\jre\bin\java.exe
FirewallRules: [{C4049B13-E67F-463E-AF4D-878BEF6B2FAC}] => (Allow) C:\Program Files (x86)\SHAREit Technologies\SHAREit\SHAREit.exe
FirewallRules: [{07AE09CB-0F73-4F7F-83E3-3B4548BA15F3}] => (Allow) C:\Program Files (x86)\SHAREit Technologies\SHAREit\SHAREit.exe
FirewallRules: [{C23441B3-F522-4251-9BBB-965B643E0969}] => (Allow) D:\DOWNLOADS\microsoft-toolkit-2.6.5\Microsoft Toolkit.exe
FirewallRules: [{2F9490C0-E646-4500-B9D8-1D67572A4A1C}] => (Allow) D:\DOWNLOADS\microsoft-toolkit-2.6.5\Microsoft Toolkit.exe
FirewallRules: [TCP Query User{173720B3-27F6-4310-B4E3-AFE55B9BB4CE}C:\program files\matlab\matlab production server\r2015a\bin\win64\matlab.exe] => (Allow) C:\program files\matlab\matlab production server\r2015a\bin\win64\matlab.exe
FirewallRules: [UDP Query User{9702CB7C-D887-44B4-846C-51307CDC515E}C:\program files\matlab\matlab production server\r2015a\bin\win64\matlab.exe] => (Allow) C:\program files\matlab\matlab production server\r2015a\bin\win64\matlab.exe
FirewallRules: [{D03DE60A-D514-4CBD-A397-D2FC22F6BA1F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{CCC5556F-F0AA-4D09-8341-B9BAE74822B1}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{3C4F7553-EF53-4FB3-A200-7EC1E22936B7}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{C9684FBB-E396-47A4-860C-DA0E97417477}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{BFB49C70-5A73-4AB1-A313-5081F1963E76}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{347EE9E4-A64A-4625-8A96-E0F994F14D46}] => (Allow) C:\Windows\System32\rundll32.exe
 
==================== Restore Points =========================
 
12-05-2017 19:47:12 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
12-05-2017 19:47:39 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
12-05-2017 19:55:48 Installed Microsoft Office Professional Plus 2016
12-05-2017 19:56:09 PROPLUS
16-05-2017 15:05:20 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/20/2017 02:00:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FIFA10.exe, version: 0.0.0.0, time stamp: 0x4aa71721
Faulting module name: FIFA10.exe, version: 0.0.0.0, time stamp: 0x4aa71721
Exception code: 0xc0000005
Fault offset: 0x003f9306
Faulting process id: 0x1694
Faulting application start time: 0x01d2d0d9dde4dae7
Faulting application path: C:\Program Files (x86)\EA Sports\FIFA 10\FIFA10.exe
Faulting module path: C:\Program Files (x86)\EA Sports\FIFA 10\FIFA10.exe
Report Id: 88081ebb-e626-4833-8e81-cfd83cfb3ea0
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (05/20/2017 01:55:53 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (05/20/2017 01:46:07 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/20/2017 01:45:42 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 07:31:22 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 07:08:13 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 06:38:13 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 06:08:13 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 05:30:46 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/19/2017 05:16:52 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-D685DPJ)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (05/19/2017 03:16:34 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:34 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:34 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:34 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
Error: (05/19/2017 03:16:33 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_dc53ac service to connect.
 
 
CodeIntegrity:
===================================
  Date: 2017-05-19 14:15:09.576
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-05-14 21:02:58.288
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-05-13 01:44:15.730
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-13 00:58:50.917
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2017-05-12 20:11:03.372
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-12 20:01:10.108
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-12 19:53:36.000
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-12 18:21:15.426
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-10 16:02:48.194
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-05-09 16:41:36.500
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Pentium® Dual-Core CPU E5300 @ 2.60GHz
Percentage of memory in use: 40%
Total physical RAM: 4086.24 MB
Available physical RAM: 2424.39 MB
Total Virtual: 5492.24 MB
Available Virtual: 3919.23 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:136.64 GB) (Free:51.81 GB) NTFS
Drive d: () (Fixed) (Total:92.77 GB) (Free:58.65 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 7B7E8EB4)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=136.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=92.8 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=68.2 GB) - (Type=05)
 
==================== End of Addition.txt ============================


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 May 2017 - 09:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {2489CA81-FF54-4F17-97C9-52CDB01924A8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2017-05-01] ()
Task: {3858B9B9-F362-4A07-9CF4-273EF0319B6F} - System32\Tasks\microsoft toolkit 2-6 beta 5 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {4F23D5F2-7CB8-422C-995A-2C2BF64881A5} - System32\Tasks\75u8295N822f171 => Rundll32.exe "C:\ProgramData\75u8295N822f171\75u8295N822f171.dll",uNfBtObo <==== ATTENTION
Task: {6738DC84-2C4A-4E67-ADE1-5D37CC529D02} - System32\Tasks\804a425a203K393 => Rundll32.exe "C:\ProgramData\804a425a203K393\804a425a203K393.dll",aKecRQRn <==== ATTENTION
Task: {74C212DB-4A01-4893-9061-6128BD8487FC} - System32\Tasks\51u117N7372f506 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo <==== ATTENTION
Task: {74F22C71-1DC6-4248-AD27-F7B0880852EC} - System32\Tasks\86u514N4652f187 => Rundll32.exe "C:\ProgramData\86u514N4652f187\86u514N4652f187.dll",uNfBtObo <==== ATTENTION
Task: {8CD64955-E0FA-43EF-B93E-C53E1A53234E} - System32\Tasks\utorrent\updates\3-4 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {98915FE6-6584-48BC-A5A9-ED506E42B0D8} - System32\Tasks\OInstall => C:\Windows\OInstall.exe [2017-05-11] ()
Task: {A8A69B60-0503-413E-8BB2-8D04AB461542} - System32\Tasks\utorrent\utorrent => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {A94DDDC5-6BE6-4D4E-9C80-B9A17454ACC3} - System32\Tasks\utorrent\virusguard\bittorrentantivirus => Rundll32.exe "C:\ProgramData\9D7037M9524q859\9D7037M9524q859.dll",DMqvGuFu
Task: {AAC7BFA6-078D-4C52-B6FE-A4971F55454A} - System32\Tasks\deepburner pro\deepburner => Rundll32.exe "C:\ProgramData\17u6709N6984f630\17u6709N6984f630.dll",uNfBtObo
Task: {AE4A0CC9-F8D3-4C77-9794-A9978FFD5903} - System32\Tasks\systemsettings => Rundll32.exe "C:\ProgramData\17u6709N6984f630\17u6709N6984f630.dll",uNfBtObo
Task: {AF239DFC-AB12-41FD-9DCE-1221E59618F3} - System32\Tasks\utorrent\updates\3-4-7_42330\utorrentie => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {CB9E2D0E-D134-4BA0-A238-184255B9DC3D} - System32\Tasks\microsoft toolkit 2 => Rundll32.exe "C:\ProgramData\51u117N7372f506\51u117N7372f506.dll",uNfBtObo
Task: {D5F80589-3C1C-4C2B-B523-B84F021FE561} - System32\Tasks\ezCheckProfile => Rundll32.exe "C:\Program Files\ezCheckProfile\ezCheckProfile.dll",KONmSyIZwdm
Task: {D7330F61-EAEA-4344-8DBE-84DC4B9C15D5} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2016-01-12] (@ByELDI)
2017-05-20 02:00 - 2017-05-20 02:00 - 00335360 _____ () C:\Windows\TEMP\gDBDE.tmp.exe
2017-05-20 02:00 - 2017-05-20 02:00 - 00476160 _____ () C:\Windows\TEMP\gF497.tmp.exe
C:\Windows\AutoKMS
C:\Windows\OInstall.exe
C:\Program Files\KMSpico
C:\windows\System32\Tasks\microsoft toolkit 2-6 beta 5
C:\windows\System32\Tasks\75u8295N822f171
C:\windows\System32\Tasks\804a425a203K393
C:\windows\System32\Tasks\51u117N7372f506
C:\windows\System32\Tasks\86u514N4652f187
C:\windows\System32\Tasks\utorrent\updates\3-4
C:\windows\System32\Tasks\OInstall
C:\windows\System32\Tasks\utorrent\utorrent
C:\windows\System32\Tasks\utorrent\virusguard\bittorrentantivirus
C:\windows\System32\Tasks\deepburner pro\deepburner
C:\windows\System32\Tasks\systemsettings
C:\windows\System32\Tasks\utorrent\updates\3-4-7_42330\utorrentie
C:\windows\System32\Tasks\microsoft toolkit 2
C:\windows\System32\Tasks\ezCheckProfile
C:\windows\System32\Tasks\AutoPico Daily Restart

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download the Junkware Removal Tool to your Desktop from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Please post the Fixlog.txt and the JRT.txt logs.

Include for my review the FRST.txt log that was created by Farbar.

Let me know what problem persists.
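A triage helper to go with the scheduled-task entries in the fix above, written for this edit rather than taken from nasdaq's post or from FRST; it assumes Windows 8 or later (ScheduledTasks module, elevated prompt) and that the dropped DLLs live under %ProgramData%, as they do in this log:

```powershell
# Added example (not from the thread or from FRST): list scheduled tasks whose action
# runs Rundll32.exe against a DLL under %ProgramData%, the persistence pattern marked
# "ATTENTION" in the FRST log above. Run from an elevated PowerShell on Windows 8 /
# Server 2012 or later (Get-ScheduledTask comes from the ScheduledTasks module).
function Find-RundllProgramDataTasks {
    [CmdletBinding()]
    param(
        # Assumption: the DLLs were dropped under %ProgramData%, as in this case.
        [string]$DropRoot = $env:ProgramData
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # MSFT_TaskExecAction exposes Execute (the program) and Arguments separately.
            if (-not $action.Execute) { continue }
            $cmdline = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()

            # Match:  rundll32.exe "C:\ProgramData\<dir>\<name>.dll",<ExportName>
            if ($cmdline -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)') {
                $dll    = $Matches[2]
                $export = $Matches[3]
                if (-not $dll.StartsWith($DropRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                    continue
                }

                # A missing file or an unsigned DLL both deserve a closer look. A task whose
                # name suggests one product (utorrent, deepburner) but loads an unrelated
                # DLL with a random-looking export name is the tell-tale seen in this thread.
                $exists = Test-Path -LiteralPath $dll
                $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'FileMissing' }

                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Dll       = $dll
                    Export    = $export
                    Signature = $sig
                }
            }
        }
    }
}

# Report only. Removing an entry is a deliberate second step after review, e.g.
# Unregister-ScheduledTask -TaskPath <path> -TaskName <name> -Confirm:$false
Find-RundllProgramDataTasks | Format-Table -AutoSize
```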

#4 fam007E

fam007E
  • Topic Starter

  • Members
  • 5 posts

Posted 21 May 2017 - 10:41 AM

I've provided you with the "Fixlog.txt", and the following error message appears whenever I try to run the JRT.exe file as an administrator. I don't use any external antivirus software package. I use only Windows Defender of Windows 10, for which I disabled its real-time protection while running the aforementioned .exe file.


#5 fam007E

fam007E
  • Topic Starter

  • Members
  • 5 posts

Posted 21 May 2017 - 11:15 AM

I've run it (JRT.exe) as an administrator by following the procedure mentioned in this link:

http://www.ibtimes.co.uk/windows-10-how-fix-this-app-has-been-blocked-your-protection-error-1516240

Attached Files

  • Attached File: JRT.txt (1.2KB)


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 May 2017 - 07:33 AM

JRT was blocked by your User Account Control.

You can disable the UAC when you get the Not trusted message.
You must however make sure you wish to run the program.
https://www.howtogeek.com/howto/windows-vista/disable-user-account-control-uac-the-easy-way-on-windows-vista/

P.S.
If you have downloaded the program and know its origin, trust it. Otherwise do not run it.

===

How is the computer running now?
