joses1977

  1. Hi Aura. My system is working now in good conditions. I have not received any popping windows at all after your indications. Once more again, thanks for your help. Jose.
  2. Hi Aura. Here you are the last files FRST.txt and Addition.txt. Thanks for all. Jose. Addition.txt FRST.txt
  3. Hi Aura. This is the contents of the new fixlog.txt Jose.
  4. Hi Aura. Here you are. If you need something else, let me know. Once again thanks. Jose. Addition.txt FRST.txt
  5. Hello Aura. I have done all you mentioned in your post and after that, the popping screen apparently has disappeared. I enclose what you asked me for your exam. Thank you very much for your much appreciated help.
  6. Hi. I think I have been infected by a virus or some type of malware, because I received continuously a popping screen asking me how I want to open a .tmp archive. If I answer for example with notepad, it tries to open a krk.tmp file. I could delete it, I have not any threat now, as you can see in the Malwarebytes inform attached, but it remains popping this mentioned screen. Can you help me, please? Thanks in advance. Addition.txt FRST.txt malwarebytes inform.txt