dragokas / hijackthis

A free utility that finds malware, adware and other security threats
http://hjt.sf.net
GNU General Public License v2.0
700 stars 112 forks

schtasks.exe #122

Closed jffabian2 closed 3 years ago

jffabian2 commented 3 years ago

When I turn off the computer, a message appears that the application did not start correctly, and the error 0xc0000142 appears with the name schtasks.exe; also, sometimes conhost.exe appears with error 0xc000012d.

It also happens that the Task Manager applications are closed while they are in progress. HiJackThis.log

dragokas commented 3 years ago

Hi, if you need our assistance:

Please note that only members of the VIRUSNET-Association are allowed to respond to PC cure topics. Ignore any recommendations given by other users, including PM!!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in Guestbook.

jffabian2 commented 3 years ago

avz_log.txt

dragokas commented 3 years ago

This is the wrong file. See: Collection-[Date].zip

jffabian2 commented 3 years ago

CollectionLog-2020.12.08-13.27.zip

jffabian2 commented 3 years ago

Is this file right?

jffabian2 commented 3 years ago

[Uploading CollectionLog-2020.12.08-13.27.zip…]()

Sandor-Helper commented 3 years ago

Hello,

Please find this file:

C:\ProgramData\RealtekHDUpdater\realtekdrv.exe

Upload it to www.virustotal.com, copy the link to the result and paste it into your next post here.

jffabian2 commented 3 years ago

The link doesn't work for me, and I can't find RealtekHDUpdater in the folder.

jffabian2 commented 3 years ago

My accounts are being stolen. I think you are controlling my computer. I give it to restore?

Sandor-Helper commented 3 years ago

I give it to restore?

Let's try to fix it first.

Close all running programs and temporarily unload your antivirus and other protection software.

Run a script in AVZ (File - Run script):

begin
 QuarantineFile('C:\ProgramData\RealtekHDUpdater\realtekdrv.exe', '');
 CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
end.

Please send the file quarantine.zip from the extracted AVZ folder using this form or (if the archive size exceeds 8 MB) to this mailbox: quarantine at safezone.cc (change "at" to "@"), and specify your forum link in the e-mail subject and the password "virus" in the message body.

jffabian2 commented 3 years ago

[Uploading quarantine.zip…]()

jffabian2 commented 3 years ago

I am afraid I lost two accounts, where I no longer receive password recovery e-mails; it's like they changed my e-mail. The antivirus also told me that there were threats in a win32 folder with a Trojan.

jffabian2 commented 3 years ago

image

jffabian2 commented 3 years ago

They are controlling my computer; they have already extracted some things. What can I do?

Sandor-Helper commented 3 years ago

OK, this file was already deleted by Windows Defender.

Now please run AutoLogger again, get the new CollectionLog.zip and attach it to your next post.

jffabian2 commented 3 years ago

The problem is that this file is deleted by Windows and then the same threat appears again.

jffabian2 commented 3 years ago

It has already notified me several times.

jffabian2 commented 3 years ago

Windows has already removed it about 20 times.

Sandor-Helper commented 3 years ago

Make a new CollectionLog and we'll try to fix it.

jffabian2 commented 3 years ago

[Uploading CollectionLog-2020.12.09-02.29.zip…]()

Sandor-Helper commented 3 years ago

This is just a link to the previous post. Drag and drop the zip file itself like you did before.

jffabian2 commented 3 years ago

CollectionLog-2020.12.09-02.29.zip

Sandor-Helper commented 3 years ago

Close all running programs and temporarily unload your antivirus and other protection software.

Run a script in AVZ (File - Run script):

begin
 ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
 ClearQuarantineEx(true);
 TerminateProcessByName('c:\programdata\realtekhdupdater\realtekdrv.exe');
 QuarantineFile('C:\ProgramData\RealtekHDUpdater\realtekdrv.exe', '');
 QuarantineFile('c:\windows\syswow64\schtasks.exe', '');
 DeleteSchedulerTask('Realtek Updater');
 DeleteFile('C:\ProgramData\RealtekHDUpdater\realtekdrv.exe', '64');
 RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1001', 1);
 RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1004', 3);
 RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1201', 3);
 RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '1804', 1);
 RegKeyIntParamWrite('HKCU', 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\', '2201', 3);
 CreateQurantineArchive(GetAVZDirectory + 'quarantine.zip');
 ExecuteSysClean;
 ExecuteWizard('SCU', 2, 3, true);
 RebootWindows(true);
end.

The computer will reboot.

Please send the file quarantine.zip from the extracted AVZ folder using this form or (if the archive size exceeds 8 MB) to this mailbox: quarantine at safezone.cc (change "at" to "@"), and specify your forum link in the e-mail subject and the password "virus" in the message body.

For the third round of diagnostics, please run AutoLogger again. Attach the new CollectionLog to your post.

jffabian2 commented 3 years ago

quarantine.zip

jffabian2 commented 3 years ago

CollectionLog-2020.12.09-02.55.zip

Sandor-Helper commented 3 years ago

Fix in HijackThis:

O22 - Task: GPU Tweak II - D:\GPUTweakII.exe (file missing)
O22 - Task: Realtek Updater - C:\ProgramData\RealtekHDUpdater\realtekdrv.exe (file missing)

After that, please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
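The two fixes above both target a scheduled task ("Realtek Updater") whose action binary lives under C:\ProgramData in a hidden, system-attributed folder and keeps coming back after Defender deletes it, and the HijackThis O22 section reports tasks whose target file is missing. The following PowerShell is an added example for checking a machine for exactly that pattern; it is not part of HijackThis, AVZ or FRST and not code from the thread. It assumes an elevated PowerShell 5.1+ session on Windows; the list of "user-writable roots" is a heuristic chosen here, not a list the tools use.

```powershell
# Added example (not HijackThis/AVZ/FRST code): audit scheduled tasks the way the O22 section
# does, flagging tasks whose action binary is missing or sits in a user-writable location, and
# list hidden+system folders under ProgramData (the _RSHD attribute seen in the FRST log).
# Assumption: run as Administrator in Windows PowerShell 5.1 or later.

# Heuristic list of roots where legitimate vendor tasks rarely keep their executables.
$SuspiciousRoots = @(
    $env:ProgramData,
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Temp')
)

function Resolve-TaskExecutable {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    # Strip surrounding quotes and expand %SystemRoot%-style variables.
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    # Bare names such as "schtasks.exe" resolve through PATH, like the task scheduler does.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { return $cmd.Source }
    }
    return $path
}

function Get-TaskAudit {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only Exec actions launch a file.
            if (-not $action.Execute) { continue }
            $exe = Resolve-TaskExecutable $action.Execute
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $inSuspiciousRoot = $false
            foreach ($root in $SuspiciousRoots) {
                if ($root -and $exe -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inSuspiciousRoot = $true
                }
            }
            [PSCustomObject]@{
                TaskPath           = $task.TaskPath
                TaskName           = $task.TaskName
                State              = $task.State
                Author             = $task.Author
                Execute            = $exe
                Arguments          = $action.Arguments
                FileMissing        = -not $exists   # the O22 "(file missing)" case
                SuspiciousLocation = $inSuspiciousRoot
            }
        }
    }
}

function Get-HiddenSystemDirs {
    param([string]$Root = $env:ProgramData)
    # Folders carrying both Hidden and System attributes, as FRST showed for RealtekHDUpdater.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
}

# Report: tasks worth a closer look, then suspicious folders under ProgramData.
Get-TaskAudit |
    Where-Object { $_.FileMissing -or $_.SuspiciousLocation } |
    Format-Table TaskPath, TaskName, State, Execute, FileMissing, SuspiciousLocation -AutoSize

Get-HiddenSystemDirs | Select-Object FullName, Attributes, LastWriteTime
```

The report is read-only: it only enumerates tasks and folders. A task flagged here is the starting point for the kind of cleanup the helper performed above (quarantine the binary first, then remove the task, then collect fresh logs), and a "file missing" entry whose binary keeps reappearing is the sign that the task itself, not just the file, is the persistence to remove.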

jffabian2 commented 3 years ago

FRST.txt

jffabian2 commented 3 years ago

Addition.txt

Sandor-Helper commented 3 years ago

Temporarily turn off any antivirus. Highlight the following code:

Start::
CreateRestorePoint:
HKU\S-1-5-21-538785442-3372959813-2752330216-1001\...\Run: [Chromium] => "c:\users\fabián\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
HKU\S-1-5-21-538785442-3372959813-2752330216-1001\...\MountPoints2: {d0a764b6-9f27-11ea-b68c-b42e99d6cfa7} - "E:\HiSuiteDownLoader.exe" 
GroupPolicy: Restricción ? <==== ATENCIÓN
Policies: C:\ProgramData\NTUSER.pol: Restricción <==== ATENCIÓN
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restricción <==== ATENCIÓN
S3 GPUZ-v2; \??\C:\Users\FABIN~1\AppData\Local\Temp\GPUZ-v2.sys [X] <==== ATENCIÓN
Folder: C:\ProgramData\RealtekHDUpdater
2020-12-03 10:50 - 2020-12-09 02:50 - 000000000 _RSHD C:\ProgramData\RealtekHDUpdater
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> Ningún archivo
EmptyTemp:
Reboot:
End::

Copy the highlighted text (right click - Copy). Run FRST (FRST64) as Administrator. Press the Fix button once and wait. The program will create Fixlog.txt. Attach it to the next post.

The PC will reboot.

jffabian2 commented 3 years ago

Now I'm going to rest a moment; I'll answer you soon.

jffabian2 commented 3 years ago

Fixlog.txt

Sandor-Helper commented 3 years ago

What about your problem now?

dragokas commented 3 years ago

Closed. Reason: no answer for 10 days. If you still need our help, please execute the last steps requested by a helper.