
C:/Windows/SysWOW64/runonce.exe is infected


Carelia

Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\MountPoints2: {6db76f29-6ef3-11e7-83ce-2025644b0c4c} - "F:\LG_PC_Programs.exe"
GroupPolicy: Restriction <==== ATTENTION
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [not found]
FF user.js: detected! => C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\fxwrna1v.default\user.js [2017-06-20]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
2017-07-29 21:46 - 2017-07-29 21:46 - 00003030 _____ C:\WINDOWS\System32\Tasks\Driver Booster SkipUAC (Kari)
2017-07-29 20:03 - 2017-07-29 20:03 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignae6475ec811fb772
2017-07-29 20:02 - 2017-07-29 20:02 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign109c1c5e947545cd
2017-07-27 20:22 - 2017-07-27 20:22 - 00000000 ____D C:\Users\Kari\AppData\Local\Windows Performance Analyzer
2017-07-27 19:20 - 2017-07-27 19:20 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2965c2c9cac4df94
2017-07-27 19:13 - 2017-07-27 19:13 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfecff11eee9caafb
2017-07-13 22:27 - 2017-07-13 22:27 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign8a9733ea8f86173b
2017-07-13 22:11 - 2017-07-13 22:11 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign6cf90fddc37175fe
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign9c673a2564bca40e
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign157ac7eafced7962
2017-07-08 00:07 - 2017-07-08 00:07 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2ee86ff31535035f
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignaf25c826175e8a6a
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign081d96629cd1a0f2
2016-09-02 13:30 - 2016-09-02 13:30 - 0000402 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp.bat
2016-09-02 13:30 - 2016-09-02 13:30 - 0000327 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp_r.bat
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10:n versiopäivitysavustaja.lnk [1420]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


6 hours ago, Kevin Zoll said:

HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1712713172-3914250630-889545539-1001\...\MountPoints2: {6db76f29-6ef3-11e7-83ce-2025644b0c4c} - "F:\LG_PC_Programs.exe"
GroupPolicy: Restriction <==== ATTENTION
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [not found]
FF user.js: detected! => C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\fxwrna1v.default\user.js [2017-06-20]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
2017-07-29 21:46 - 2017-07-29 21:46 - 00003030 _____ C:\WINDOWS\System32\Tasks\Driver Booster SkipUAC (Kari)
2017-07-29 20:03 - 2017-07-29 20:03 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignae6475ec811fb772
2017-07-29 20:02 - 2017-07-29 20:02 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign109c1c5e947545cd
2017-07-27 20:22 - 2017-07-27 20:22 - 00000000 ____D C:\Users\Kari\AppData\Local\Windows Performance Analyzer
2017-07-27 19:20 - 2017-07-27 19:20 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2965c2c9cac4df94
2017-07-27 19:13 - 2017-07-27 19:13 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfecff11eee9caafb
2017-07-13 22:27 - 2017-07-13 22:27 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign8a9733ea8f86173b
2017-07-13 22:11 - 2017-07-13 22:11 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign6cf90fddc37175fe
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign9c673a2564bca40e
2017-07-08 00:49 - 2017-07-08 00:49 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign157ac7eafced7962
2017-07-08 00:07 - 2017-07-08 00:07 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign2ee86ff31535035f
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignaf25c826175e8a6a
2017-07-07 23:46 - 2017-07-07 23:46 - 00000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign081d96629cd1a0f2
2016-09-02 13:30 - 2016-09-02 13:30 - 0000402 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp.bat
2016-09-02 13:30 - 2016-09-02 13:30 - 0000327 _____ () C:\Users\Kari\AppData\Local\LMIR0001.tmp_r.bat
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10:n versiopäivitysavustaja.lnk [1420]

This appears when I pressed the black "Quote this" square when selecting the text above.

I also pasted the text into Notepad and saved it on my desktop. Then I copied FRST64.exe back to the desktop from the downloaded files folder, where it was located (I had already removed it from my desktop after the previous scan), and tried to run the fixing process, but it failed. FRST64 reported "No fixlist.txt found". Maybe something has gone wrong during the process. See the attachments. Anyway, the Advanced SystemCare program seems to have dropped out of the machine.

 

I press the quote this.JPG

After launching JRT .JPG

After copy the FRST64 to the desktop and launchin it .JPG


This time, everything seemed to go smoothly. - The first time, at the very beginning, Windows Defender SmartScreen tried to prevent FRST64 from scanning, so I had to temporarily disable it. The second time, when I initiated a fixing scan, EAM warned of suspicious behavior by FRST64. But now everything went without interruptions. Hopefully the logs are also good in their content.

scan_170802-212511.txt

FRST.txt

Addition.txt


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2017-08-02 21:21 - 2017-08-02 21:21 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignf6e9332c0e6cd7b2
2017-08-02 21:21 - 2017-08-02 21:21 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign05cf856ba1050cc4
2017-07-31 11:42 - 2017-07-31 11:42 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign5adb0e3b65655bda
2017-07-31 11:30 - 2017-07-31 11:30 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignb4d93390dc807ad2
2017-07-30 21:43 - 2017-07-30 21:43 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign1ef872acf22acc29
2017-07-30 21:41 - 2017-07-30 21:41 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign81573a236dfa62a3
2017-07-30 10:46 - 2017-07-30 10:46 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign0902e89cd1b509dd
2017-07-30 10:45 - 2017-07-30 10:45 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsign74001bf31bfd4993
2017-07-30 00:22 - 2017-07-30 00:22 - 000000000 ____D C:\Users\Kari\AppData\Local\Tempzxpsignfe85a8000a8c0619
2017-07-21 20:31 - 2017-07-21 20:31 - 000000000 ___HD C:\Users\Kari\Documents\PDRMUSIC.TMP
2017-08-02 00:56 - 2017-06-06 22:50 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-07-27 20:44 - 2016-12-11 01:20 - 000000000 ____D C:\Users\Kari\AppData\LocalLow\ADSRemoval
ContextMenuHandlers1: [Advanced SystemCare] -> {2803063F-4B8D-4dc6-8874-D1802487FE2D} => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCExtMenu_64.dll -> No File

Close Notepad.



NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Something is still creating a bunch of Tempzxpsign folders in your AppData/Local folder.

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


The reason for scanning without an internet connection was that it was the only way to do it at all. This means that WITH the connection the process is always terminated in the middle. And I hope your team could advise me how to prevent such external manipulation of the PC.


Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished".
    • Select the following items:
      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1712713172-3914250630-889545539-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1712713172-3914250630-889545539-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
      [PUP.Gen1][Folder] C:\ProgramData\SecTaskMan -> Found
      [PUP.Gen1][Folder] C:\ProgramData\SecTaskMan -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X], is the most recent Delete log.


Update your nVidia drivers to the latest drivers for your video card.

9 hours ago, Carelia said:

https://www.tenforums.com/general-support/77650-empty-temporary-folders-appearing-outside-system-temp-folder.html

Something about temporary folders appearing outside system temp folder. Maybe not so interesting...

 

That looks like that may actually be the issue here.

Open a Command Prompt and type the following command:

set

What is shown for your TEMP folders?
 


Change the TEMP and TMP environment variables:

  1. From the Start Menu, choose Settings then choose Control Panel.
  2. Click the System icon
  3. Open the Advanced tab in the System Properties window.
  4. Click Environment Variables to view the user variables and system variables for Windows.
  5. Look in the section for System variables and locate the TEMP and TMP settings.
  6. To modify the location of the TEMP and TMP variables, select each setting, click Edit, and change the path to C:\Users\Kari\AppData\Local\Temp\
  7. Restart Windows after modifying these settings. Windows will recreate any necessary files in the new location.

And now the TMP and TEMP paths are like this. I can't even guess what on earth the actual "Path" rows in that window mean. - Can I now remove all those "Tempzxpsignf3868bae9fdfe16d" etc. folders from my computer?

Maybe we're again a bit closer to the solution, thank you for it!

 

All the TMP and TEMP-files at the moment..JPG


All of what was found were unwanted modifications and orphaned registry entries, which we fixed. Photoshop CC is not correctly appending the path variable when creating temp folders. Editing the TEMP folder variables and adding the backslash to the end of the path compensates for this oversight by Adobe's programmers.
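The explanation above (and the earlier "set" check and the TEMP/TMP editing steps) can be verified from the affected machine. The script below is an added example written for this page; it is not part of the thread and not one of the tools the helper used. It reads the TEMP and TMP values for the user and machine scopes, flags any value that lacks the trailing backslash, and lists the stray "Tempzxpsign*" folders (the prefix comes from the logs in this thread) that a missing separator leaves beside the real Temp folder. It assumes Windows PowerShell 5.1 or later and should be run as the affected user.

```powershell
# Added example, not from the thread: audit TEMP/TMP and find stray Tempzxpsign* folders.
# Assumes Windows PowerShell 5.1+ on the affected machine, run as the affected user.

# 1. Report TEMP and TMP in both scopes and flag values without a trailing backslash.
foreach ($scope in @('User', 'Machine')) {
    foreach ($name in @('TEMP', 'TMP')) {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ([string]::IsNullOrEmpty($value)) {
            Write-Output ("{0,-7} {1,-4} (not set)" -f $scope, $name)
            continue
        }
        # A trailing backslash is what the fix in this thread adds; without it a
        # program that concatenates "<TEMP>" + "zxpsign<hex>" lands outside Temp.
        $flag = if ($value.EndsWith('\')) { 'ok' } else { 'NO TRAILING BACKSLASH' }
        Write-Output ("{0,-7} {1,-4} {2}  [{3}]" -f $scope, $name, $value, $flag)
    }
}

# 2. Show the mechanism with the user's current TEMP value (expanded, so %USERPROFILE%
#    style references resolve): naive concatenation vs. a proper path join.
$userTemp = [Environment]::ExpandEnvironmentVariables(
    [Environment]::GetEnvironmentVariable('TEMP', 'User'))
$sampleSuffix = 'zxpsign0000000000000000'   # constructed placeholder, not a real folder
Write-Output ("`nConcatenated : {0}" -f ($userTemp + $sampleSuffix))
Write-Output ("Joined       : {0}" -f (Join-Path -Path $userTemp -ChildPath $sampleSuffix))

# 3. List stray Tempzxpsign* folders that sit beside AppData\Local\Temp.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$stray = Get-ChildItem -Path $localAppData -Directory -Filter 'Tempzxpsign*' -ErrorAction SilentlyContinue
if ($stray) {
    Write-Output ("`nStray temp folders beside {0}\Temp:" -f $localAppData)
    $stray | Sort-Object LastWriteTime | ForEach-Object {
        Write-Output ("  {0:yyyy-MM-dd HH:mm}  {1}" -f $_.LastWriteTime, $_.Name)
    }
} else {
    Write-Output ("`nNo Tempzxpsign* folders found beside {0}\Temp." -f $localAppData)
}
```

Run it once before and once after step 6 of the variable edit: both TEMP and TMP should show [ok], and the "Concatenated" line should end up inside the Temp folder rather than beside it. Any folders the last section still lists were created before the change; the script only reports them and does not delete anything.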

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore

  • Click the Run button.


When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable