Tech Support Guy

Discussion Starter · #1 ·
Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Home, 64 bit, Build 19044, Installed 20220406190226.000000-300
Processor: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz, Intel64 Family 6 Model 158 Stepping 10, CPU Count: 6
Total Physical RAM: 12 GB
Graphics Card: Intel(R) UHD Graphics 630, 1024 MB
Hard Drives: C: 476 GB (349 GB Free); D: 2794 GB (1245 GB Free);
Motherboard: HP 8653, ver A (SMVB), s/n PHZGP0CCYD2BEA
System: AMI, ver HPQOEM - 1072009, s/n 2MO0032TNJ
Antivirus: Windows Defender, Disabled

On July 20, 2022, I received a message from who I thought was Geek Squad. I currently have a contract for them to help me when needed. It turns out it wasn't Geek Squad but some bad people who loaded a program, 9190.org, on my computer. This gave them access to my computer. They got information from my Google password file and have tried to spend some of my money. I think I have blocked all of it.
I contacted Geek Squad on six occasions via remote and once in-store to look at my computer. They found nothing. I continue to have issues where the blue screen that they put up is there and I have to turn off my computer. I am enclosing an image of the blue screen. I have also contacted AVG who is my antivirus protector. They also found nothing. The second Geek Squad guy uninstalled the 9190.org program.
However, the blue screen keeps coming up on the screen. I'm never sure if someone is there or not so I have to turn the computer off and wait for a while. I work on this computer so I need it. I can't afford to buy another one.
I know this is my fault as I was mistaken about who it was. However, it is now getting ridiculous. I'm hoping that it is just an image that can be deleted, but I have no idea where it might be stored.
I just noticed that my AVG is not showing as my antivirus and I just had the blue screen pop up. Wondering if someone turned it off. I am paranoid now.
I'm asking for help!!!
 

Malware Specialist
Hi there,

I am axe0 and I will be helping you with your computer problems.

Please follow these rules
  • Refrain from making changes to your system, unless instructed to, so I know the exact state of your system. This includes installing or uninstalling programs, deleting files, modifying the registry, running scanners or tools of any kind.
  • Follow the provided instructions in the order they are posted.
  • If you have any problem with a tool or instructions, or have questions, please stop and ask me before moving on.
  • Do not run any tool more than once, unless instructed to.
  • Copy and paste log files inside your reply, unless otherwise instructed.
  • Make sure to use Notepad for all logs and ensure Word wrap is unchecked. In Notepad, click Format and uncheck Word wrap if it is checked.
  • Share as many details about your problem as possible, the more you share the easier it will be to solve your problem.
  • I may not reply immediately because these logs can take some time to analyze. If it takes more than 48 hours you'll be notified. Feel free to PM me with a link to your thread if you haven't received a reply after 48 hours.
  • Please try to reply within 24 to 48 hours to ensure quick and efficient removal of malware. If there's no response from you within 3 days, I will bump your thread. If there hasn't been a response from you after 5 days, your thread will be closed.
  • Stick with me until the end to ensure there are no remnants of malware left. When there is no malware present you will get a confirmation from me.
===============================================

FRST logs
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator".
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please attach both logs in your next reply.
===============================================

In your next post
In your next post, please include the following. Make sure to copy and paste any requested logs unless asked to attach it.
  • Attached FRST.txt
  • Attached Addition.txt
 

Discussion Starter · #3 ·
Hi axe0

I'm so glad you agreed to help. I have run the scans tonight and am attaching the files. I have read your instructions and agree to abide by them. I work each day online with a website answering emails. There should be no changes to the files in this process. Let me know if that is a problem and I will let my boss know I need some time. Thanks again!
 

Malware Specialist
Hi prpliris,

Thanks for your patience.

I would like to point out that Java is outdated. Because of the history the Java software has with many security vulnerabilities, I strongly recommend updating it as soon as possible if you really need it.

I see that you have AVG and Webroot antivirus, I recommend removing Webroot or AVG as having multiple antivirus programs on a computer causes problems.

----------------------------------------------

Run FRST Fix
Warning: This script was created for this specific system. Attempting to use the fix on another system may cause damage to the system.
  • Right-click FRST64.exe then click "Run as administrator".
  • Select the entire content of the code below including "Start::" and "End::", right click and select "Copy"
  • Click Fix button once and wait
  • When finished, it will produce a log called Fixlog.txt in the same directory the tool was run from.
  • Please attach the log in your next reply.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Winlogon: [Userinit] 
cmd: dism /online /cleanup-image /restorehealth
cmd: sfc /scannow
2022-07-20 15:36 - 2022-07-20 15:36 - 000000426 _____ () C:\Program Files (x86)\LMIR0CC2B001.tmp.bat
2022-07-20 15:36 - 2022-07-20 15:36 - 000000351 _____ () C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat
2022-07-20 15:53 - 2022-07-20 15:53 - 000000426 _____ () C:\Program Files (x86)\LMIR0DB54001.tmp.bat
2022-07-20 15:53 - 2022-07-20 15:53 - 000000351 _____ () C:\Program Files (x86)\LMIR0DB54001.tmp_r.bat
HKU\S-1-5-21-2871750407-119960628-754190386-1001\...\ChromeHTML: ->  <==== ATTENTION
MSCONFIG\startupreg: 0720_151332831671 => "C:\Program Files (x86)\LMIR0DB54001.tmp_r.bat"
MSCONFIG\startupreg: 0720_153443831671 => "C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat"
ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
Folder: C:\Windows\System32\Tasks\Microsoft\Windows 
End::
 

Discussion Starter · #5 ·
Hi Axe0
I have uninstalled the old Java files. This message came up when I clicked on the Get Java button to install the latest software.

C:\ProgramData\Oracle\tmpinstall\javatmp.lnk
The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.

I checked the uninstall apps and did not find Webroot listed to uninstall. I just received a message that it will renew in a few days. I sure don't want to pay for it again. I just purchased the AVG, I didn't know I had both???

I haven't worked on the second part of your message. I am awaiting your instructions.
 

Malware Specialist
Remove Java and download the latest version here, if you have problems removing Java, please let me know.

If you paid for Webroot, you should be able to cancel any subscription on their website. Then, because Webroot is not listed, follow the instructions on their website for Windows 10 to remove it if possible.

Please perform the instructions of the second part in my previous post.
 

Discussion Starter · #7 ·
I have installed Java without any problems. I also was able to cancel the renewal of Webroot. It doesn't expire until 10/16/2022 just FYI.

I followed the instructions in the second part of your previous post. The file ran and produced results. I can read the file but when I attached it to this message, it has the strike-through below that I'm guessing does not sound good. I have searched my computer for fixitlog.txt trying to get a better copy. Do you want me to copy and paste what I found? This is weird. When Microsoft did the update that enabled Edge, a lot of changes were made to my computer, i.e., the most important was that Microsoft cloud was attached to everything as the default place to save. My Notepad saves to OneDrive.
Discussion Starter · #11 ·
Received a message, Oops something went wrong. Try again later.

I'm going to try to send it in different files as it is quite long.
Fix result of Farbar Recovery Scan Tool (x64) Version: 30-08-2022
Ran by Owner (10-09-2022 11:54:17) Run:1
Running from C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Loaded Profiles: Owner
Boot Mode: Normal
==============================================

fixlist content:
*
Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Winlogon: [Userinit]
cmd: dism /online /cleanup-image /restorehealth
cmd: sfc /scannow
2022-07-20 15:36 - 2022-07-20 15:36 - 000000426 _____ () C:\Program Files (x86)\LMIR0CC2B001.tmp.bat
2022-07-20 15:36 - 2022-07-20 15:36 - 000000351 _____ () C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat
2022-07-20 15:53 - 2022-07-20 15:53 - 000000426 _____ () C:\Program Files (x86)\LMIR0DB54001.tmp.bat
2022-07-20 15:53 - 2022-07-20 15:53 - 000000351 _____ () C:\Program Files (x86)\LMIR0DB54001.tmp_r.bat
HKU\S-1-5-21-2871750407-119960628-754190386-1001\...\ChromeHTML: -> <==== ATTENTION
MSCONFIG\startupreg: 0720_151332831671 => "C:\Program Files (x86)\LMIR0DB54001.tmp_r.bat"
MSCONFIG\startupreg: 0720_153443831671 => "C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat"
ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
Folder: C:\Windows\System32\Tasks\Microsoft\Windows
End::
*

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit" => not found

========= dism /online /cleanup-image /restorehealth =========

Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19044.1889

[== 3.8% ]
[==========================100.0%==========================]
The restore operation completed successfully.
The operation completed successfully.

========= End of CMD: =========
 

Discussion Starter · #12 ·
========= sfc /scannow =========

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 0% complete.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

========= End of CMD: =========

C:\Program Files (x86)\LMIR0CC2B001.tmp.bat => moved successfully
C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat => moved successfully
C:\Program Files (x86)\LMIR0DB54001.tmp.bat => moved successfully
C:\Program Files (x86)\LMIR0DB54001.tmp_r.bat => moved successfully
HKU\S-1-5-21-2871750407-119960628-754190386-1001_Classes\ChromeHTML => removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0720_151332831671 => removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0720_153443831671 => removed successfully

================== ExportKey: ===================



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\]

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{0016B09F-CFDA-4F5B-A70B-84A75599B89B}]

"Path"="\Microsoft\Windows\DeviceDirectoryClient\HandleWnsCommand"

"Hash"="402264f5067bfd0e548620d11ee2d46e66ccd5d044bcd0cb69aafe8935795d4e"

"Schema"="65540"

"SecurityDescriptor"="D:p(A;;FA;;;SY)(A;;FRFX;;;BA)"

"URI"="\Microsoft\Windows\DeviceDirectoryClient\HandleWnsCommand"

"Triggers"="170000000000000000e3611ad8e3611a000000000000000000e3611ad8e3611affffffffffffffff4805c2024848484817005225484848480e00000048484848530079007300740065006d00000048480000000048484848004848484848484800484848 (the data entry has 408 more characters)."

"Actions"="03000c000000530079007300740065006d0077770000000029b731aefdd51e40af42784074835afe160000002d0057006e00730043006f006d006d0061006e006400"

"DynamicInfo"="030000004e4e4c92124ad801000000000000000000000000000000000000000000000000"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{00446CF1-8668-472D-BEDD-D0BB88DBA009}]

"Path"="\Microsoft\Windows\Registry\RegIdleBackup"

"Hash"="a1515e0efc3a0215e2b6151589c1354c1210fb594e1e744d24c690a40bf21562"

"Version"="1.0"

"SecurityDescriptor"="O:BAG:BAD:p(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;IU)(A;;FRFX;;;S-1-5-80-2970612574-78537857-698502321-558674196-1451644582)(A;;FRFX;;;LS)"

"Source"="$(@%systemroot%\system32\regidle.dll,-601)"

"Author"="$(@%systemroot%\system32\regidle.dll,-600)"

"Description"="$(@%systemroot%\system32\regidle.dll,-602)"

"URI"="Microsoft\Windows\Registry\RegIdleBackup"

"Triggers"="170000000000000000c7e90b94c3d904ffffffffffffffff00c7e90b94c3d90400000000000000005821c2424848484849dd43a44848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 296 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d00777700000000a87a76ca57910446b64b40747123d5f200000000"

"DynamicInfo"="0300000072f03dbe2446d801fdfe4e19e0c3d8010000000000000000afc35319e0c3d801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{008539BF-83F9-4483-9E0A-EEEE6EAC0A08}]

"Path"="\Microsoft\Windows\Shell\UpdateUserPictureTask"

"Hash"="466f5e4113e481c6c87387d5253aa763f980c3a1e25fef18597a9c52c2ed60ee"

"SecurityDescriptor"="D:p(A;;FRFX;;;BA)(A;;FA;;;SY)"

"URI"="\Microsoft\Windows\Shell\UpdateUserPictureTask"

"Triggers"="170000000000000000e3611ad8e3611a000000000000000000e3611ad8e3611affffffffffffffff48a1404248484848d7e2ddc6484848480c00000048484848550073006500720073000000484848480000000048484848004848484848484800484848 (the data entry has 312 more characters)."

"Actions"="03000a0000005500730065007200730077770000000034ddc5099d00fa40bcb90165ad0c15d400000000"

"DynamicInfo"="0300000072b04e92124ad801765c1c458d4bd8010000000000000000b2f43a458d4bd801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{024C9422-59E1-4E59-AABC-9E338E1ABBD6}]

"Path"="\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures"

"Hash"="78b6d37e1b8b59780adc1ac2b3b3c1b0ccc65cdb6eb9887b5ee60e10f3cc974d"

"Schema"="65542"

"SecurityDescriptor"="D:p(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)"

"Source"="$(@%systemroot%\system32\fcon.dll,-602)"

"Author"="$(@%systemroot%\system32\fcon.dll,-601)"

"Description"="$(@%systemroot%\system32\fcon.dll,-603)"

"URI"="\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures"

"Triggers"="1700000000000000006c03dea70100000000000000000000006c03dea7010000ffffffffffffffff0021424248484848355c80ff4848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 1258 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d00777700000000fecbee59f5c219449b9913fe05ff267500000000"

"DynamicInfo"="03000000aa125192124ad8019b72b1c722c5d8010000000000000000bda4b4c722c5d801"
 

Discussion Starter · #13 ·
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{051DF697-AF10-4DB6-9B93-E1A4E35F00F7}]

"Path"="\Microsoft\Windows\Sysmain\ResPriStaticDbSync"

"Hash"="c93de7be932866f3b31e0d2322ca57f873b1160add43ed8d216e133e4ff2c105"

"SecurityDescriptor"="D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)"

"Author"="$(@%systemRoot%\System32\sysmain.dll,-3000)"

"Description"="$(@%systemRoot%\System32\sysmain.dll,-3004)"

"URI"="\Microsoft\Windows\Sysmain\ResPriStaticDbSync"

"Triggers"="170000000000000000f1c21e94c3d904ffffffffffffffff00f1c21e94c3d904000000000000000008214203484848482338a72b4848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 296 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d007777000000008ce77e2995ba944e81d3d6e7f089c7b500000000"

"DynamicInfo"="03000000aa52e7674949d801148702f2edc2d8010000000000000000845009f2edc2d801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{07271423-32CC-48B9-83DE-89F59DC767AB}]

"Path"="\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"

"Hash"="b6f639eba7d6ef3371d657c4f5ef7b6dd726d9cd3b3ed4becaf916e1b7f9f10b"

"Schema"="65539"

"SecurityDescriptor"="D:p(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)"

"URI"="\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"

"Triggers"="1700000000000000010701000000010000207385c9a1d4010007010000000100ffffffffffffffffc021424248484848636a5b35484848480e0000004848484841007500740068006f007200000048480000000048484848004848484848484800484848 (the data entry has 408 more characters)."

"Actions"="03000c00000041007500740068006f007200666600000000460000002500730079007300740065006d0072006f006f00740025005c00730079007300740065006d00330032005c00750073006f0063006c00690065006e0074002e006500780065001200 (the data entry has 52 more characters)."

"DynamicInfo"="03000000961a5502134ad801cfca67c722c5d8010000000000000000abc58cc722c5d801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{0749EACE-77B2-49FB-A4E4-7DF6B34FE472}]

"Path"="\Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing"

"Hash"="e29b6f1e2bfe8fe8dcc2c9f65a6377c6caebd65756ada1c7e234e57318fd64ed"

"Schema"="65542"

"SecurityDescriptor"="D:p(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)"

"Source"="$(@%systemroot%\system32\fcon.dll,-601)"

"Author"="$(@%systemroot%\system32\fcon.dll,-602)"

"Description"="$(@%systemroot%\system32\fcon.dll,-605)"

"URI"="\Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing"

"Triggers"="170000000000000000ab03dea7010000000000000000000000ab03dea7010000ffffffffffffffff4021424248484848a2cf53f84848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 840 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d00777700000000d1daef99110f6b4aa7024e1c37d1a3ef00000000"

"DynamicInfo"="03000000aa125192124ad801000000000000000000000000000000000000000000000000"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{077333D6-06BA-4EA4-BDF4-1CD1439558F2}]

"Path"="\Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask"

"Hash"="dddfb2c4d00923c96c243bdfb93a3aac4d91ed008c3c6a9cc27c14c8ca39aefb"

"SecurityDescriptor"="D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)"

"Author"="$(@%systemRoot%\System32\bisrv.dll,-102)"

"Description"="$(@%systemRoot%\System32\bisrv.dll,-103)"

"URI"="\Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask"

"Triggers"="170000000000000000543c1b94c3d904ffffffffffffffff00543c1b94c3d90400000000000000003a21420348484848f434483c4848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 296 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d0077770000000039d984e9000ed94dac3a7aca0474552100000000"

"DynamicInfo"="03000000c573ace8ed46d80167bb306576c0d8010000000000000010e2f1316576c0d801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{082F4875-D88C-40EA-8706-87480962C446}]

"Path"="\Microsoft\Windows\Device Setup\Metadata Refresh"

"Hash"="763eb598be1caca85da18479ac072bd465ea84daa27f2d83b927e2c6af753079"

"SecurityDescriptor"="D:p(A;;FRFX;;;BA)(A;;FA;;;SY)"

"Source"="$(@%SystemRoot%\System32\DeviceSetupManager.dll,-601)"

"Author"="$(@%SystemRoot%\System32\DeviceSetupManager.dll,-600)"

"Description"="$(@%SystemRoot%\System32\DeviceSetupManager.dll,-602)"

"URI"="\Microsoft\Windows\Device Setup\Metadata Refresh"

"Triggers"="170000000000000000f1c21e94c3d904ffffffffffffffff00f1c21e94c3d9040000000000000000f885c042484848485e61eca9484848480c00000048484848550073006500720073000000484848480000000048484848004848484848484800484848 (the data entry has 280 more characters)."

"Actions"="03000a00000055007300650072007300777700000000cff3c12310c11245aca97b6174ece88800000000"

"DynamicInfo"="03000000fdd5073fc943d80121bb78467dbcd80100000000000000000a5b9d467dbcd801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{0CBABB27-6DFC-4155-BAE7-AE919B92FEF2}]

"Path"="\Microsoft\Windows\DirectX\DXGIAdapterCache"

"Hash"="33804f7055b35608c69898aa68d460da2fc055a36999a01362625bb82101ea29"

"SecurityDescriptor"="D:(A;;FA;;;BA)(A;;FA;;;SY)"

"URI"="\Microsoft\Windows\DirectX\DXGIAdapterCache"

"Triggers"="170000000000000000a4611a90a4611a000000000000000000a4611a90a4611affffffffffffffff4808c24348484848c7699e2d4848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 536 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d006666000000004c0000002500770069006e0064006900720025005c00730079007300740065006d00330032005c006400780067006900610064006100700074006500720063006100 (the data entry has 48 more characters)."

"DynamicInfo"="0300000032385892124ad801e86f505c22c5d8010000000000000000afe38b5d22c5d801"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\\{0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C}]

"Path"="\Microsoft\Windows\WaaSMedic\PerformRemediation"

"Hash"="177782632ec26eb5f444d66df5f7dbb283115035263733c63e22ff3dae1da028"

"Schema"="65540"

"SecurityDescriptor"="D:p(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)"

"Source"="$(@%systemroot%\system32\WaasMedicSvc.dll,-103)"

"Author"="$(@%systemroot%\system32\WaasMedicSvc.dll,-102)"

"Description"="$(@%systemroot%\system32\WaasMedicSvc.dll,-104)"

"URI"="\Microsoft\Windows\WaaSMedic\PerformRemediation"

"Triggers"="170000000000000001070a0000000f000078b2015436c0010099327200001005ffffffffffffffff48214242484848480a5baef64848484818000000484848484c006f00630061006c00530079007300740065006d000000000000004848484800484848 (the data entry has 424 more characters)."

"Actions"="0300160000004c006f00630061006c00530079007300740065006d00777700000000276e5672bb1ab34eb4f0eb431cb1cb32080000004e006f006e006500"

"DynamicInfo"="0300000032385892124ad8013b3e1d6b6fc0d80100000000000000008438266b6fc0d801"
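The ExportKey section of this Fixlog (here and continuing in the next post) stores each cached task's Actions and DynamicInfo as raw hex, so the dump by itself does not show what a task runs or when it last ran. The Python below is an added example, not part of this thread and not produced by FRST: it decodes the blob layout as it appears in these exported values (a version word, a length-prefixed UTF-16 context string, then an Exec action carrying path and arguments or a COM-handler action carrying its CLSID) and converts the FILETIME fields of DynamicInfo to dates. The three task blobs it runs on are quoted from the dump above; the Exec sample pointing at an LMIR .tmp_r.bat is constructed for illustration and does not appear in the dump, and the email and message-box action types are left undecoded.

```python
"""Decode "Actions" and "DynamicInfo" values from the Task Scheduler registry cache
(HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{GUID}).

Actions, as observed in the values exported in this thread:
  u16 version (3); BSTR context (u32 byte length + UTF-16LE, e.g. "System", "Author");
  then actions, each introduced by a u16 magic:
    0x6666 Exec        : BSTR id, BSTR path, BSTR arguments, BSTR working dir, u16 flags
    0x7777 COM handler : BSTR id, 16-byte CLSID (little-endian GUID), BSTR data
DynamicInfo (36 bytes): u32 version, FILETIME created, FILETIME last run,
  u32 state, u32 last result (HRESULT), FILETIME last successful run
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

EXEC_MAGIC = 0x6666
COM_HANDLER_MAGIC = 0x7777
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Complete "Actions" values quoted from the ExportKey dump in this thread.
PAGE_ACTIONS = {
    r"\Microsoft\Windows\DeviceDirectoryClient\HandleWnsCommand":
        "03000c000000530079007300740065006d0077770000000029b731aefdd51e40af42784074835afe"
        "160000002d0057006e00730043006f006d006d0061006e006400",
    r"\Microsoft\Windows\Registry\RegIdleBackup":
        "0300160000004c006f00630061006c00530079007300740065006d00777700000000"
        "a87a76ca57910446b64b40747123d5f200000000",
    r"\Microsoft\Windows\WaaSMedic\PerformRemediation":
        "0300160000004c006f00630061006c00530079007300740065006d00777700000000"
        "276e5672bb1ab34eb4f0eb431cb1cb32080000004e006f006e006500",
}
# "DynamicInfo" of RegIdleBackup, quoted from the same dump.
PAGE_DYNAMIC_INFO = "0300000072f03dbe2446d801fdfe4e19e0c3d8010000000000000000afc35319e0c3d801"


def _read_bstr(blob, pos):
    """Read a u32-length-prefixed UTF-16LE string at pos; return (text, next_pos)."""
    (nbytes,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    return blob[pos:pos + nbytes].decode("utf-16-le"), pos + nbytes


def _write_bstr(text):
    data = text.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data


def decode_actions(hex_blob):
    """Return {'version', 'context', 'actions': [...]} for an Actions value given as hex."""
    blob = bytes.fromhex(hex_blob)
    (version,) = struct.unpack_from("<H", blob, 0)
    context, pos = _read_bstr(blob, 2)
    actions = []
    while pos + 2 <= len(blob):
        (magic,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if magic == EXEC_MAGIC:
            ident, pos = _read_bstr(blob, pos)
            path, pos = _read_bstr(blob, pos)
            args, pos = _read_bstr(blob, pos)
            workdir, pos = _read_bstr(blob, pos)
            (flags,) = struct.unpack_from("<H", blob, pos)
            pos += 2
            actions.append({"type": "exec", "id": ident, "path": path,
                            "arguments": args, "working_dir": workdir, "flags": flags})
        elif magic == COM_HANDLER_MAGIC:
            ident, pos = _read_bstr(blob, pos)
            clsid = uuid.UUID(bytes_le=blob[pos:pos + 16])
            pos += 16
            data, pos = _read_bstr(blob, pos)
            actions.append({"type": "com_handler", "id": ident,
                            "clsid": "{%s}" % str(clsid).upper(), "data": data})
        else:
            # Email (0x8888) and message-box (0x9999) actions are not decoded here.
            actions.append({"type": "unknown", "magic": "0x%04x" % magic})
            break
    return {"version": version, "context": context, "actions": actions}


def build_exec_actions(context, path, arguments="", working_dir="", flags=0):
    """Inverse of decode_actions for one Exec action; used only to build a test sample."""
    return (struct.pack("<H", 3) + _write_bstr(context) + struct.pack("<H", EXEC_MAGIC)
            + _write_bstr("") + _write_bstr(path) + _write_bstr(arguments)
            + _write_bstr(working_dir) + struct.pack("<H", flags)).hex()


# Constructed sample (not from the dump): an Exec action pointing at one of the
# LogMeIn Rescue leftover batch files the FRST fix removed from MSConfig startup.
CONSTRUCTED_EXEC = build_exec_actions("Author", r"C:\Program Files (x86)\LMIR0CC2B001.tmp_r.bat")


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means never."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_dynamic_info(hex_blob):
    version, created, last_run, state, last_result, last_ok = struct.unpack_from(
        "<IQQIIQ", bytes.fromhex(hex_blob), 0)
    return {"version": version, "created": filetime_to_datetime(created),
            "last_run": filetime_to_datetime(last_run), "state": state,
            "last_result": last_result, "last_successful_run": filetime_to_datetime(last_ok)}


def describe(task_path, hex_blob):
    """One line per action: task, run-as context, and the exec command or COM CLSID/data."""
    decoded = decode_actions(hex_blob)
    lines = []
    for a in decoded["actions"]:
        if a["type"] == "exec":
            detail = "exec %s %s" % (a["path"], a["arguments"])
        elif a["type"] == "com_handler":
            detail = "com %s %s" % (a["clsid"], a["data"])
        else:
            detail = "unknown action %s" % a["magic"]
        lines.append("%s [%s] %s" % (task_path, decoded["context"], detail.rstrip()))
    return lines


if __name__ == "__main__":
    for task, blob in PAGE_ACTIONS.items():
        print("\n".join(describe(task, blob)))
    print("\n".join(describe(r"\constructed\LMIRSample", CONSTRUCTED_EXEC)))
    print(decode_dynamic_info(PAGE_DYNAMIC_INFO))
```

With the rest of the ExportKey section pasted into PAGE_ACTIONS, describe() gives one line per task showing the account context and what it actually executes, which is the list to scan for anything outside the Windows directories, such as the batch files this fix moved out of Program Files (x86). Decoding the CLSIDs matters because a COM-handler task shows no path at all in the raw dump.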
 

Discussion Starter · #14 ·
Discussion Starter · #15 ·
Discussion Starter · #16 ·
Discussion Starter · #17 ·
Discussion Starter · #18 ·
Malware Specialist
Alternatively, you can either PM me the file, or upload it to onedrive, google drive, dropbox or a similar service and post a share link. I think the latter has the most chance of success.