Carelia

C:/Windows/SysWOW64/runonce.exe is infected

Kevin Zoll    272

Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\MountPoints2: {6db76f29-6ef3-11e7-83ce-2025644b0c4c} - "F:\LG_PC_Programs.exe"
GroupPolicy: Restriction <==== ATTENTION
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [not found]
FF user.js: detected! => C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\fxwrna1v.default\user.js [2017-06-20]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
2017-07-29 21:46 - 2017-07-29 21:46 - 00003030 _____ C:\WINDOWS\System32\Tasks\Driver Booster SkipUAC (Kari)
2017-07-29 20:03 - 2017-07-29 20:03 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignae6475ec811fb772
2017-07-29 20:02 - 2017-07-29 20:02 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign109c1c5e947545cd
2017-07-27 20:22 - 2017-07-27 20:22 - 00000000 ____D C:\Users\Kari\AppData\Local\Windows Performance Analyzer
2017-07-27 19:20 - 2017-07-27 19:20 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2965c2c9cac4df94
2017-07-27 19:13 - 2017-07-27 19:13 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfecff11eee9caafb
2017-07-13 22:27 - 2017-07-13 22:27 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign8a9733ea8f86173b
2017-07-13 22:11 - 2017-07-13 22:11 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign6cf90fddc37175fe
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign9c673a2564bca40e
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign157ac7eafced7962
2017-07-08 00:07 - 2017-07-08 00:07 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2ee86ff31535035f
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignaf25c826175e8a6a
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign081d96629cd1a0f2
2016-09-02 13:30 - 2016-09-02 13:30 - 0000402 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp.bat
2016-09-02 13:30 - 2016-09-02 13:30 - 0000327 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp_r.bat
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10:n versiopäivitysavustaja.lnk [1420]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Carelia    0
6 hours ago, Kevin Zoll said:

HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\MountPoints2: {6db76f29-6ef3-11e7-83ce-2025644b0c4c} - "F:\LG_PC_Programs.exe"
GroupPolicy: Restriction <==== ATTENTION
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [not found]
FF user.js: detected! => C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\fxwrna1v.default\user.js [2017-06-20]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
2017-07-29 21:46 - 2017-07-29 21:46 - 00003030 _____ C:\WINDOWS\System32\Tasks\Driver Booster SkipUAC (Kari)
2017-07-29 20:03 - 2017-07-29 20:03 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignae6475ec811fb772
2017-07-29 20:02 - 2017-07-29 20:02 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign109c1c5e947545cd
2017-07-27 20:22 - 2017-07-27 20:22 - 00000000 ____D C:\Users\Kari\AppData\Local\Windows Performance Analyzer
2017-07-27 19:20 - 2017-07-27 19:20 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2965c2c9cac4df94
2017-07-27 19:13 - 2017-07-27 19:13 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfecff11eee9caafb
2017-07-13 22:27 - 2017-07-13 22:27 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign8a9733ea8f86173b
2017-07-13 22:11 - 2017-07-13 22:11 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign6cf90fddc37175fe
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign9c673a2564bca40e
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign157ac7eafced7962
2017-07-08 00:07 - 2017-07-08 00:07 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2ee86ff31535035f
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignaf25c826175e8a6a
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign081d96629cd1a0f2
2016-09-02 13:30 - 2016-09-02 13:30 - 0000402 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp.bat
2016-09-02 13:30 - 2016-09-02 13:30 - 0000327 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp_r.bat
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10:n versiopäivitysavustaja.lnk [1420]

This appears when I press the black "Quote this" square after selecting the text above.

I also pasted the text into Notepad and saved it on my desktop. Then I copied FRST64.exe back to the desktop from the downloaded files folder, where it was located (I had already removed it from my desktop after the previous scan), and tried to run the fixing process, but it failed. FRST64 reported "No fixlist.txt found". Maybe something has gone wrong during the process. See the attachments. Anyway, the Advanced SystemCare program seems to have dropped out of the machine.

I press the quote this.JPG

After launching JRT .JPG

After copy the FRST64 to the desktop and launchin it .JPG

Kevin Zoll    272

Do not click on "quote this". Right-click on the selected text and copy it, then paste it into Notepad.

Kevin Zoll    272

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

Carelia    0

This time, everything seemed to go smoothly. The first time, at the very beginning, Windows Defender SmartScreen tried to prevent FRST64 from scanning, so I had to temporarily disable it. The second time, when I initiated a fixing scan, EAM warned of suspicious behaviour by FRST64. But now everything went without distractions. Hopefully the logs are also good in their content.

scan_170802-212511.txt

FRST.txt

Addition.txt

Kevin Zoll    272

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2017-08-02 21:21 - 2017-08-02 21:21 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignf6e9332c0e6cd7b2
2017-08-02 21:21 - 2017-08-02 21:21 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign05cf856ba1050cc4
2017-07-31 11:42 - 2017-07-31 11:42 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign5adb0e3b65655bda
2017-07-31 11:30 - 2017-07-31 11:30 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignb4d93390dc807ad2
2017-07-30 21:43 - 2017-07-30 21:43 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign1ef872acf22acc29
2017-07-30 21:41 - 2017-07-30 21:41 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign81573a236dfa62a3
2017-07-30 10:46 - 2017-07-30 10:46 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign0902e89cd1b509dd
2017-07-30 10:45 - 2017-07-30 10:45 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign74001bf31bfd4993
2017-07-30 00:22 - 2017-07-30 00:22 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfe85a8000a8c0619
2017-07-21 20:31 - 2017-07-21 20:31 - 000000000 ___HD C:\Users\Kari\Documents\PDRMUSIC.TMP
2017-08-02 00:56 - 2017-06-06 22:50 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-07-27 20:44 - 2016-12-11 01:20 - 000000000 ____D C:\Users\Kari\AppData\LocalLow\ADSRemoval
ContextMenuHandlers1: [Advanced SystemCare] -> {2803063F-4B8D-4dc6-8874-D1802487FE2D} => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCExtMenu_64.dll -> No File

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Kevin Zoll    272

They apparently did not delete, as your last set of FRST logs showed them as still being present.

Run a fresh scan with FRST, attach the FRST scan logs to your reply.

Kevin Zoll    272

Something is still creating a bunch of Tempzxpsign folders in your AppData/Local folder.

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

Carelia    0

The reason for scanning without an internet connection was that it was the only way to do it at all. This means that WITH the connection the process always ends in the middle. And I hope your team could advise me on how to prevent such external manipulation of the PC.

Kevin Zoll    272

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished".
    • Select the following items:
      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1712713172-3914250630-889545539-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1712713172-3914250630-889545539-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
      [PUP.Gen1][Folder] C:\ProgramData\SecTaskMan -> Found
      [PUP.Gen1][Folder] C:\ProgramData\SecTaskMan -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X], is the most recent Delete log.


Update your nVidia drivers to the latest drivers for your video card.

Kevin Zoll    272

Yes, RogueKiller opens a browser window to its purchase page for unlicensed versions.

Run a fresh scan with FRST, attach the new FRST scan logs to your reply.

Kevin Zoll    272
9 hours ago, Carelia said:

https://www.tenforums.com/general-support/77650-empty-temporary-folders-appearing-outside-system-temp-folder.html

Something about temporary folders appearing outside system temp folder. Maybe not so interesting...

It looks like that may actually be the issue here.

Open a Command Prompt and type the following command:

set

What is shown for your TEMP folders?
Kevin Zoll    272

Change the TEMP and TMP environment variables:

  1. From the Start Menu, choose Settings, then choose Control Panel.
  2. Click the System icon.
  3. Open the Advanced tab in the System Properties window.
  4. Click Environment Variables to view the user variables and system variables for Windows.
  5. Look in the section for System variables and locate the TEMP and TMP settings.
  6. To modify the location of the TEMP and TMP variables, select each setting, click Edit and change the path to C:\Users\Kari\AppData\Local\Temp\
  7. Restart Windows after modifying these settings. Windows will recreate any necessary files in the new location.
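A PowerShell check for the TEMP/TMP values the steps above adjust, added here as an example; it is not part of this thread or of any tool mentioned in it. It reports the variables at each scope, flags values that do not point to an existing Temp folder, and counts the stray Tempzxpsign* folders seen in the FRST entries; the Tempzxpsign* prefix comes from this thread, and treating "ends in \Temp" as the expected shape is an assumption.

```powershell
# Added example, not from the thread: audit TEMP/TMP and look for stray temp folders.
# Assumption: a healthy TEMP/TMP value resolves to an existing directory named Temp.

function Test-TempVariable {
    param([string]$Scope, [string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name, $Scope)
    if ([string]::IsNullOrEmpty($value)) {
        return [pscustomobject]@{ Scope = $Scope; Name = $Name; Value = '<not set>'; Note = 'not set' }
    }
    # User/Machine values are stored unexpanded (e.g. %USERPROFILE%\...), so expand before testing.
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    $exists   = Test-Path -LiteralPath $expanded -PathType Container
    # -like is case-insensitive, so C:\WINDOWS\TEMP and ...\AppData\Local\Temp both pass.
    $note = if (-not $exists) { 'MISSING DIRECTORY' }
            elseif ($expanded.TrimEnd('\') -notlike '*\Temp') { 'does not end in a Temp folder' }
            else { 'ok' }
    return [pscustomobject]@{ Scope = $Scope; Name = $Name; Value = $value; Note = $note }
}

function Get-StrayTempFolder {
    # Folders created next to, rather than inside, %LOCALAPPDATA%\Temp, as in the FRST log lines.
    param([string]$Root = $env:LOCALAPPDATA, [string]$Pattern = 'Tempzxpsign*')
    return @(Get-ChildItem -LiteralPath $Root -Directory -Filter $Pattern -ErrorAction SilentlyContinue)
}

$report = foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in 'TEMP', 'TMP') { Test-TempVariable -Scope $scope -Name $name }
}
$report | Format-Table -AutoSize

$stray = Get-StrayTempFolder
Write-Output ("{0} Tempzxpsign* folder(s) directly under {1}" -f $stray.Count, $env:LOCALAPPDATA)
$stray | Sort-Object CreationTime |
    ForEach-Object { Write-Output ("  {0:yyyy-MM-dd HH:mm}  {1}" -f $_.CreationTime, $_.Name) }
```

Run it from a normal (non-elevated) prompt first, since the Process scope shows the values the user's programs actually receive; re-run after the restart in step 7 to confirm no new Tempzxpsign* folders appear.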

Carelia    0

And now the TMP and TEMP paths are like this. I can't, for the life of me, even guess what the actual "Path" rows in that window mean. Can I now remove all those "Tempzxpsignf3868bae9fdfe16d" etc. files from my computer?

Maybe we're again a bit closer to the solution, thank you for it!

All the TMP and TEMP-files at the moment..JPG

Kevin Zoll    272

The PATH tells the system where to look for files automatically.

That should resolve the weird-looking folder names in the AppData folder.
