#51
What does your PATH variable look like?
C:\WINDOWS\System32\WindowsPowerShell\v1.0\; should be part of it.
Thanks a lot guys! I solved my problem! I used the code (between posts #13 and #20 of this topic) and all is good.
(sorry for my poor English, I'm French)
: )
Dear gurus: please give your comments.
I had the same problem as the thread creator. I think I resolved it by executing the following procedure.
On Windows 10. Not familiar with PowerShell. I'm not experienced, not a professional.
Trivia: Check Windows Defender. Check Microsoft msert.exe. Check antivirus. Check commercial antivirus. Check for programmed tasks.
A) STEP 1. Find out what the screenshots show. Capture a screenshot. For that, use a screen recorder, commercial or shareware. If you don't have one, use an Internet search engine. My screenshot says:
“BITSADMIN version 3.0
[… bla bla bla …]
Found 2 jobs named 'task3' - Use the job identifier instead of the job name."
So, we know which program and task were running: a BitsAdmin.exe job.
B) STEP 2. From CMD, execute: "BITSADMIN /list /verbose". This is the report:
GUID: {3F1C911A-2899-4980-8E48-9D2B87D68A81}
DISPLAY: 'task3'
TYPE: DOWNLOAD
STATE: TRANSFERRED
OWNER: XXXXXX\xxxxxx
PRIORITY: FOREGROUND
FILES: 1 / 1
BYTES: 283136 / 283136
CREATION TIME: 19.01.17 22:52:14
MODIFICATION TIME: 20.01.17 08:35:33
COMPLETION TIME: 20.01.17 08:35:33
ACL FLAGS:
NOTIFY INTERFACE: UNREGISTERED
NOTIFICATION FLAGS: 1
RETRY DELAY: 3600
NO PROGRESS TIMEOUT: 1209600
ERROR COUNT: 8
PROXY USAGE: PRECONFIG
PROXY LIST: NULL
PROXY BYPASS LIST: NULL
DESCRIPTION:
JOB FILES: 283136 / 283136
WORKING https://### dk5gckyelnxjl.cloudfront...3-d775c525aa16, -> C:\WINDOWS\system32\bi3.exe
NOTIFICATION COMMAND LINE: 'C:\WINDOWS\system32\cmd.exe' ' /C C:\WINDOWS\system32\bitsadmin.exe /COMPLETE task3 && C:\WINDOWS\system32\bi3.exe /sparam=H1Jzftptn095001AU,5f0ceeb2-237c-4f18-a9c3-d775c525aa16, /rnd=0 2>nul'
owner MIC integrity level: HIGH
owner elevated? true
Peercaching flags
Enable download from peers: false
Enable serving to peers: false
CUSTOM HEADERS: NULL
GUID: {8B1E9F81-E8B7-4E6D-A983-D8EABEE2CD7B}
DISPLAY: 'task3'
[…… etc. Like above]
GUID: {08C992C2-0523-4751-AFC2-D911EE6B1F94}
DISPLAY: 'UpdateDescriptionXml'
[…… etc. Similar above]
WORKING http://###g.live.com/1rewlive5skydrive/ODSUProduction -> C:\Users\XXXXXXXX\AppData\Local\Temp\wct81B6.tmp
[…… etc. Similar above]
GUID: {3621A429-705F-4DAB-A153-D5224B706C75}
DISPLAY: 'UpdateDescriptionXml'
[…… etc. Like above]
Listed 4 job(s)."
C) STEP 3. C.1) List jobs. C.2) Delete jobs. C.3) Check job deletion.
COMMAND C.1) “C:\windows\system32>bitsadmin /list /allusers”
REPORT C.1):
{3F1C911A-2899-4980-8E48-9D2B87D68A81} 'task3'
TRANSFERRED 1 / 1 283136 / 283136
{8B1E9F81-E8B7-4E6D-A983-D8EABEE2CD7B} 'task3'
TRANSFERRED 1 / 1 283136 / 283136
{08C992C2-0523-4751-AFC2-D911EE6B1F94} 'UpdateDescriptionXml' TRANSFERRED 1 / 1 387 / 387
{3621A429-705F-4DAB-A153-D5224B706C75} 'UpdateDescriptionXml' TRANSFERRED 1 / 1 387 / 387
Listed 4 job(s).”
COMMAND C.2) “C:\windows\system32>bitsadmin /reset /allusers”
REPORT C.2):
{3F1C911A-2899-4980-8E48-9D2B87D68A81} canceled.
{8B1E9F81-E8B7-4E6D-A983-D8EABEE2CD7B} canceled.
{08C992C2-0523-4751-AFC2-D911EE6B1F94} canceled.
{3621A429-705F-4DAB-A153-D5224B706C75} canceled.
4 out of 4 jobs canceled.
COMMAND C.3) “C:\windows\system32>bitsadmin /list /allusers”
REPORT C.3):
Listed 0 job(s)."
D) RESULT: On my computer, no more screenshots appear.
E.1) COMMENT 1. Who is behind the servers transferring information to/from my computer? Unknown.
E.2) COMMENT 2. I suppose Windows Defender and Malwarebytes are doing their job. The files bi3.exe and C:\Users\xxxxxx\AppData\Local\Temp\*.tmp do not exist on my computer.
In my case, the problem started when I ran the program "Phoenix_Service_Software_2012.04.003.47798.exe". This is a program used to flash a 2012-model Nokia phone. This program is not flagged as an unsafe application by either MS Defender or Malwarebytes. But it is marked as a potentially unsafe application by ESET Online Scanner: "a variant of Win32/HackTool.Patcher.A".
Last edited by Hozeluii; 17 Feb 2017 at 04:34. Reason: To add information about how the problem started. To delete potentially unsafe included links.
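The procedure above cancels every BITS job on the machine with `bitsadmin /reset /allusers`, which also throws away legitimate transfers such as OneDrive's 'UpdateDescriptionXml'. The listing itself already contains enough to tell the two apart: the 'task3' jobs carry a NOTIFICATION COMMAND LINE that runs `/COMPLETE` and then the dropped `bi3.exe`, their destination is under System32, and their source host is not a Microsoft one. The following is an added triage script, not code from the thread or from Microsoft: it parses the text of `bitsadmin /list /allusers /verbose` (redirect that command's output to a file from an elevated prompt and feed it in), scores each job on those indicators, and prints a per-GUID `bitsadmin /cancel` line, which also sidesteps the "Found 2 jobs named 'task3'" ambiguity the poster hit. The sample listing and the known-good host list are constructed for this example; the real cloudfront host is truncated in the post and is replaced by a placeholder.

```python
"""Triage `bitsadmin /list /allusers /verbose` output for persistence-style BITS jobs.

Added example (not from the original thread). Indicators scored per job:
  * a NOTIFICATION COMMAND LINE is set (runs when the transfer finishes),
  * a downloaded file is an executable or lands under \Windows\System32,
  * the source host is not on a small known-good list (an assumption here).
Flagged jobs are cancelled by GUID rather than by display name.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the post's verbose listing. The malicious
# host is a placeholder ("example-cdn.invalid"); the /sparam value is redacted.
SAMPLE_LISTING = r"""
GUID: {3F1C911A-2899-4980-8E48-9D2B87D68A81}
DISPLAY: 'task3'
TYPE: DOWNLOAD
STATE: TRANSFERRED
OWNER: XXXXXX\xxxxxx
PRIORITY: FOREGROUND
FILES: 1 / 1
BYTES: 283136 / 283136
ERROR COUNT: 8
DESCRIPTION:
JOB FILES: 283136 / 283136
WORKING https://example-cdn.invalid/payload -> C:\WINDOWS\system32\bi3.exe
NOTIFICATION COMMAND LINE: 'C:\WINDOWS\system32\cmd.exe' ' /C C:\WINDOWS\system32\bitsadmin.exe /COMPLETE task3 && C:\WINDOWS\system32\bi3.exe /sparam=<redacted> /rnd=0 2>nul'
owner MIC integrity level: HIGH
owner elevated? true

GUID: {08C992C2-0523-4751-AFC2-D911EE6B1F94}
DISPLAY: 'UpdateDescriptionXml'
TYPE: DOWNLOAD
STATE: TRANSFERRED
OWNER: XXXXXX\xxxxxx
FILES: 1 / 1
BYTES: 387 / 387
ERROR COUNT: 0
DESCRIPTION:
JOB FILES: 387 / 387
TRANSFERRED http://g.live.com/1rewlive5skydrive/ODSUProduction -> C:\Users\XXXXXXXX\AppData\Local\Temp\wct81B6.tmp
NOTIFICATION COMMAND LINE: NULL
owner MIC integrity level: MEDIUM
owner elevated? false

Listed 2 job(s).
"""

# Assumption for illustration: hosts a normal Windows 10 box talks to via BITS.
KNOWN_GOOD_HOSTS = {"g.live.com", "download.windowsupdate.com"}
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js")

GUID_RE = re.compile(r"^GUID:\s*(\{[0-9A-F-]{36}\})", re.I)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]+?):\s*(.*)$")
FILE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(.+)$")   # "<state> <url> -> <local path>"


@dataclass
class BitsJob:
    guid: str
    props: dict = field(default_factory=dict)   # upper-cased "KEY" -> value
    files: list = field(default_factory=list)   # (state, url, local path)

    @property
    def display(self) -> str:
        return self.props.get("DISPLAY", "").strip("'")

    @property
    def notify_cmd(self) -> str:
        # bitsadmin prints NULL/none when no command is registered; treat as unset.
        v = self.props.get("NOTIFICATION COMMAND LINE", "")
        return "" if v.upper() in ("", "NULL", "NONE") else v


def parse_listing(text: str) -> list:
    """Split the verbose listing into jobs; a 'GUID:' line starts a new job."""
    jobs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = GUID_RE.match(line)
        if m:
            cur = BitsJob(m.group(1).upper())
            jobs.append(cur)
            continue
        if cur is None:
            continue
        m = FILE_RE.match(line)
        if m and "://" in m.group(2):
            cur.files.append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.props[m.group(1).strip().upper()] = m.group(2).strip()
    return jobs


def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def indicators(job: BitsJob) -> list:
    """Return human-readable reasons this job looks like a malware dropper."""
    reasons = []
    if job.notify_cmd:
        reasons.append("notification command line runs: " + job.notify_cmd)
    for _state, url, path in job.files:
        p = path.lower()
        if p.endswith(PAYLOAD_EXT):
            reasons.append("downloads executable payload: " + path)
        if "\\windows\\system32\\" in p:
            reasons.append("writes into System32: " + path)
        host = host_of(url)
        if host and host not in KNOWN_GOOD_HOSTS:
            reasons.append("source host not on known-good list: " + host)
    return reasons


def triage(text: str) -> list:
    return [(job, indicators(job)) for job in parse_listing(text)]


def cancel_commands(text: str) -> list:
    """One `bitsadmin /cancel <GUID>` per flagged job; unflagged jobs are left alone."""
    return [f"bitsadmin /cancel {job.guid}" for job, why in triage(text) if why]


if __name__ == "__main__":
    for job, why in triage(SAMPLE_LISTING):
        print(f"{job.guid} {job.display!r}: {'FLAGGED' if why else 'ok'}")
        for r in why:
            print("    -", r)
    print("\n".join(cancel_commands(SAMPLE_LISTING)))
```

Run from an elevated prompt, the emitted `/cancel` lines remove only the flagged jobs. A job still in state TRANSFERRED has not yet had the `/COMPLETE` that moves the temporary file to its destination, so cancelling it means the payload never lands on disk, which matches the poster's observation that bi3.exe did not exist afterwards; if a flagged job has already completed, look for the destination file and for whatever the notification command started, and note from the listing that the job owner was elevated when the job was created.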