ESET scanner found and deleted threats - computer still infected?


  • This topic is locked
13 replies to this topic

#1 girl.anachronism


Posted 13 September 2014 - 02:28 PM

Hello!

 

I noticed after a couple of USB transfers that my computer was suddenly incredibly slow. Sometimes it would take a full minute to register a simple click (whether it be offline or online). Immediately, I jumped to the conclusion that I had been infected by my friends' USB sticks.

 

I ran ESET scanner on it, and it found a whopping 10 threats (worms of various sorts, and things in the win32 files, sorry, I don't know much about computers and don't remember the specifics.)

 

I also ran Malwarebytes, SUPERAntispyware, and AdwCleaner, and quarantined/deleted a bunch of malware.

 

My computer is still a lot slower than it was before the USB transfers though, and I can't figure out if I'm still infected.

Could anyone help me figure this out?

 

Thank you!

 

Amy




 


#2 LiquidTension

  • Malware Response Team

Posted 13 September 2014 - 02:46 PM

Hello, 

 

Can you post the various logs from the programmes you've run please? 

ESET Online Scan logs can be found at the following locations (depending on your system's bit-type):

  • 32-bit machines: C:\Program Files\ESET\EsetOnlineScanner 
  • 64-bit machines: C:\Program Files (x86)\ESET\EsetOnlineScanner
     

MBAM (2.x) logs can be obtained by: 

  • Open Malwarebytes Anti-Malware and click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 

Edited by LiquidTension, 13 September 2014 - 02:51 PM.


#3 girl.anachronism

  • Topic Starter

Posted 13 September 2014 - 03:41 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=15141
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-09-16 03:47:54
# local_time=2013-09-15 11:47:54 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5893 16776637 100 94 0 130846725 0 0
# scanned=636593
# found=1
# cleaned=0
# scan_time=34926
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=15261
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-09-26 06:44:26
# local_time=2013-09-26 02:44:26 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5893 16776637 100 94 0 131721317 0 0
# scanned=635212
# found=1
# cleaned=0
# scan_time=21992
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=15284
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-09-27 08:53:38
# local_time=2013-09-27 04:53:38 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5893 16776637 100 94 0 131858669 0 0
# scanned=663498
# found=1
# cleaned=0
# scan_time=22199
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
esets_scanner_update returned -1 esets_gle=45314
esets_scanner_update returned -1 esets_gle=45314
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internet# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=15290
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-09-28 09:00:06
# local_time=2013-09-28 05:00:06 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776637 100 94 0 131945456 0 0
# scanned=690072
# found=1
# cleaned=0
# scan_time=31408
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=15455
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-10-12 04:05:25
# local_time=2013-10-12 12:05:25 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776637 100 94 0 133094175 0 0
# scanned=218448
# found=1
# cleaned=0
# scan_time=9171
sh=848C686280EAA04B172FCCFFBD312132A0C46172 ft=1 fh=7764b0effb0b9556 vn="a variant of Win32/DownloadSponsor.A application" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Amy\AppData\Local\Temp\OCS\ocs_v7f.exe.vir"
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=16126
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-12-04 08:07:06
# local_time=2013-12-04 03:07:06 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5893 16776637 100 94 0 137687876 0 0
# scanned=593441
# found=3
# cleaned=0
# scan_time=24545
sh=4E53E0FFACBBA628245D73BFF47EF4606132A65B ft=1 fh=fe7af0d76bf8d36a vn="a variant of Win32/4Shared.K application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-511477340-227303313-2571166547-1001\$RFNXU7Q.exe"
sh=848C686280EAA04B172FCCFFBD312132A0C46172 ft=1 fh=7764b0effb0b9556 vn="a variant of Win32/DownloadSponsor.A application" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Amy\AppData\Local\Temp\OCS\ocs_v7f.exe.vir"
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=5e9e07cae6256f448766ce76af39ca53
# engine=20130
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-09-13 01:33:11
# local_time=2014-09-12 09:33:11 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776637 100 94 0 162115441 0 0
# scanned=745851
# found=10
# cleaned=10
# scan_time=20356
sh=848C686280EAA04B172FCCFFBD312132A0C46172 ft=1 fh=7764b0effb0b9556 vn="a variant of Win32/DownloadSponsor.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Users\Amy\AppData\Local\Temp\OCS\ocs_v7f.exe.vir"
sh=62C030C39DD11803BD13F7041A86830599752A02 ft=1 fh=f2cd12b7b4d217c3 vn="Win32/InstalleRex.M potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000"
sh=4E53E0FFACBBA628245D73BFF47EF4606132A65B ft=1 fh=fe7af0d76bf8d36a vn="a variant of Win32/4Shared.K potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\File System\003\t\00\00000000"
sh=4DEED1C009B5E144F7F9AD86F2799CDDAAAEF966 ft=1 fh=ee2dd07e2672fb41 vn="Win32/AdWare.1ClickDownload.AT application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\File System\004\t\00\00000000"
sh=5F6C504A21F99FCCFC4C8031D52336916FC74C3C ft=0 fh=0000000000000000 vn="Win32/Bundpil.S worm (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"
sh=8A6709AECCC17192725A8AF35421911DB26CEDB0 ft=1 fh=a909aa4eeedd8c6b vn="Win32/OpenCandy potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Amy\Downloads\avc-free.exe"
sh=180C8ED7C81E3AE7B0507B26C927EA93584B017C ft=1 fh=b0b83453fcc7b480 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Amy\Downloads\ccsetup327.exe"
sh=86C42259F892D107BA300D5A561217AC1BD8F20A ft=1 fh=67acaae3c1fe9e74 vn="a variant of Win32/DownloadSponsor.A potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\Amy\Downloads\uTorrent3.3b29126.exe"
sh=A27BFBB4988E87828C8448A2EE5A6D1CC925BA2E ft=1 fh=ec9b5e18e14751a4 vn="a variant of Win32/Toolbar.Conduit.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Users\Amy\Videos\Paranormal Activity {2009} DVDRIP. Jaybob\Jaybob's_Movies_Toolbar.exe"
sh=5D22D0736EEE8B165A5E48B340E087A6DC733DA2 ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Windows\Installer\6645ec.msi"
 
 
 
 
 
 
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 27/08/2014
Scan Time: 11:47:57 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.08.27.05
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Amy
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402449
Time Elapsed: 1 hr, 22 min, 53 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#4 LiquidTension

  • Malware Response Team

Posted 13 September 2014 - 06:51 PM

Hello, 
 
This is the only concerning detection. 

vn="Win32/Bundpil.S worm" ac=I fn="C:\Users\Amy\Documents\IDS co-op\Work\nuevo video\amy's choice\KINGSTON (4GB).lnk"

 
You can read about the Bundpil Worm (also known as the Gamarue Worm) here.
 
Whether this is an accurate detection or false-positive is difficult to say. Let's run two scans and see what they show. 
 
STEP 1
Batch File

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    rem Delete the current user's temporary files and folders, then this script itself.
    echo Deleting temp files/folders...
    rem The path is quoted so that a profile name containing spaces is handled correctly.
    del "%TEMP%\*.*" /F /S /Q
    rd /S /Q "%TEMP%"
    echo.
    echo Finished.
    del "%~f0"
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File, then Save As, and name the file delfile.bat.
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate delfile.bat (W8/7/Vista) on your Desktop.
  • Right-click the icon and click Run as administrator.
     

STEP 2
Sophos Virus Removal Tool

  • Please download Sophos Virus Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click the icon and select Run as administrator to run the programme.
  • Click Next.
  • Select I accept the terms in this license agreement, then click Next twice.
  • Click Install.
  • Click Finish to launch the programme.
  • Once the virus database has been updated click Start scanning
  • If threats are found click Details, followed by View log file.
  • Copy the contents of the log and paste in your next reply.
  • Close the Notepad document, close the Threat Details screen, and click Start cleanup.
  • Click Exit to close the programme. 
  • Re-enable your anti-virus software. 
     

STEP 3
Emsisoft Emergency Kit (Portable)

  • Using a clean PC, please download Emsisoft Emergency Kit and save the file to a clean USB drive.
  • Press the Windows Key + R on your keyboard at the same time. Type explorer and click OK. Double-click your USB drive. 
  • Double-click EmsisoftEmergencyKit.exe.
  • Click Browse and select the drive letter for your USB drive. 
  • Click Accept and Extract.
  • Once extracted, locate and double-click EmergencyKitScanner.bat on your USB drive.
  • Click Yes to update the programme definitions.
  • Click Yes to detect Potentially Unwanted Programs (PUP's).
  • Close all windows. 
  • Remove the USB drive and insert it into the infected PC.
  • Press the Windows Key + R on your keyboard at the same time. Type explorer and click OK. Double-click your USB drive. 
  • Double-click EmergencyKitScanner.bat in your USB drive.
  • Click Scan now.
  • Select Deep Scan (default setting) followed by Scan.
  • Close any High Risk notification screen that may appear.
  • Upon completion, click the Quarantine tab.
  • Click View Report.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Sophos log
  • Emsisoft log


#5 girl.anachronism

  • Topic Starter

Posted 17 September 2014 - 12:13 PM

Hi,

 

 

This is the log for my Sophos scan
 

2014-09-16 04:13:02.459 Sophos Virus Removal Tool version 2.5.3
2014-09-16 04:13:02.512 Copyright © 2009-2014 Sophos Limited. All rights reserved.
 
2014-09-16 04:13:02.512 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
 
2014-09-16 04:13:02.512 Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x300 PT=0x1 WOW64
2014-09-16 04:13:02.515 Checking for updates...
2014-09-16 04:13:05.158 Update progress: proxy server not available
2014-09-16 04:13:42.342 Downloading updates...
2014-09-16 04:13:42.350 Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2014-09-16 04:13:42.350 Update progress: [I49502] Found supplement SAVIW32 LATEST 
2014-09-16 04:13:42.350 Update progress: [I49502] Found supplement IDE505 LATEST 
2014-09-16 04:13:42.350 Update progress: [I49502] Found supplement IDE506 LATEST 
2014-09-16 04:13:42.350 Update progress: [I49502] Found supplement IDE507 LATEST 
2014-09-16 04:13:42.350 Update progress: [I49502] Found supplement IDE508 LATEST 
2014-09-16 04:13:42.350 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2014-09-16 04:13:42.350 Update progress: [I19463] Syncing product SAVIW32 43
2014-09-16 04:13:54.362 Update progress: [I19463] Syncing product IDE505 175
2014-09-16 04:14:06.801 Option all = no
2014-09-16 04:14:06.801 Option recurse = yes
2014-09-16 04:14:06.801 Option archive = no
2014-09-16 04:14:06.801 Option service = yes
2014-09-16 04:14:06.801 Option confirm = yes
2014-09-16 04:14:06.801 Option sxl = yes
2014-09-16 04:14:06.806 Option max-data-age = 35
2014-09-16 04:14:06.806 Option EnableSafeClean = yes
2014-09-16 04:14:06.846 Installing updates...
2014-09-16 04:14:09.052 Option vdl-logging = yes
2014-09-16 04:14:11.612 Component SVRTcli.exe version 2.5
2014-09-16 04:14:11.613 Component control.dll version 2.5
2014-09-16 04:14:11.613 Component SVRTservice.exe version 2.5
2014-09-16 04:14:11.613 Component engine\osdp.dll version 1.44.1.2171
2014-09-16 04:14:11.613 Component engine\veex.dll version 3.56.0.2171
2014-09-16 04:14:11.613 Component engine\savi.dll version 8.1.4.2171
2014-09-16 04:14:11.613 Component rkdisk.dll version 1.5.30.0
2014-09-16 04:14:11.613 Version info: Product version 2.5
2014-09-16 04:14:11.614 Version info: Detection engine 3.56.0
2014-09-16 04:14:11.614 Version info: Detection data 5.04
2014-09-16 04:14:11.614 Version info: Build date 29/07/2014
2014-09-16 04:14:11.614 Version info: Data files added 542
2014-09-16 04:14:11.614 Version info: Last successful update (not yet updated)
2014-09-16 04:14:12.186 Update progress: [I19463] Syncing product IDE506 201
2014-09-16 04:14:12.186 Update progress: [I19463] Syncing product IDE507 161
2014-09-16 04:14:12.186 Update progress: [I19463] Syncing product IDE508 1
2014-09-16 04:14:37.540 Update successful
2014-09-16 04:15:04.130 Option all = no
2014-09-16 04:15:04.130 Option recurse = yes
2014-09-16 04:15:04.130 Option archive = no
2014-09-16 04:15:04.130 Option service = yes
2014-09-16 04:15:04.130 Option confirm = yes
2014-09-16 04:15:04.130 Option sxl = yes
2014-09-16 04:15:04.133 Option max-data-age = 35
2014-09-16 04:15:04.133 Option EnableSafeClean = yes
2014-09-16 04:15:04.303 Option vdl-logging = yes
2014-09-16 04:15:04.313 Component SVRTcli.exe version 2.5
2014-09-16 04:15:04.313 Component control.dll version 2.5
2014-09-16 04:15:04.314 Component SVRTservice.exe version 2.5
2014-09-16 04:15:04.314 Component engine\osdp.dll version 1.44.1.2171
2014-09-16 04:15:04.314 Component engine\veex.dll version 3.56.0.2171
2014-09-16 04:15:04.314 Component engine\savi.dll version 8.1.4.2171
2014-09-16 04:15:04.315 Component rkdisk.dll version 1.5.30.0
2014-09-16 04:15:04.315 Version info: Product version 2.5
2014-09-16 04:15:04.317 Version info: Detection engine 3.56.0
2014-09-16 04:15:04.317 Version info: Detection data 5.04G
2014-09-16 04:15:04.317 Version info: Build date 29/07/2014
2014-09-16 04:15:04.317 Version info: Data files added 542
2014-09-16 04:15:04.317 Version info: Last successful update 16/09/2014 12:14:37 AM
 
2014-09-16 05:23:34.111 Could not open C:\hiberfil.sys
2014-09-16 05:24:59.956 Could not open C:\pagefile.sys
2014-09-16 15:43:18.112 Could not check C:\ProgramData\Rosetta Stone\Content\data\e3\2\e3224dad0350485767de9d3f098631549f9dcf64 (out of memory)
2014-09-16 16:09:57.476 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-09-16 16:09:57.523 Could not open C:\System Volume Information\{7a88c555-3afa-11e4-a42a-002622a38f56}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-09-16 16:13:10.054 Could not open C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Current Session
2014-09-16 16:13:10.055 Could not open C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
2014-09-16 16:13:10.832 Could not check C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK (virus scan failed)
2014-09-16 16:13:10.962 Could not check C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK (virus scan failed)
2014-09-16 16:13:46.692 Could not check C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\LOCK (virus scan failed)
2014-09-16 16:13:57.578 Could not check C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOCK (virus scan failed)
2014-09-16 16:16:49.634 Could not check C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK (virus scan failed)
2014-09-16 16:39:45.800 Password protected file C:\Users\Amy\Documents\rrmp.docx
2014-09-16 16:40:00.161 Password protected file C:\Users\Amy\Documents\bleep i write\catharsis.docx
2014-09-16 16:40:02.923 Password protected file C:\Users\Amy\Documents\bleep i write\tp.docx
2014-09-16 16:46:08.006 >>> Virus 'Mal/ObfsVP-A' found in file C:\Users\Amy\Downloads\PhotoshopPortable\App\CommonFiles\APE\3.4\adbeapeengine.dll
2014-09-16 16:46:08.006 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell
2014-09-16 16:46:08.007 >>> Virus 'Mal/ObfsVP-A' found in file HKU\S-1-5-21-511477340-227303313-2571166547-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2014-09-16 16:46:08.007 >>> Virus 'Mal/ObfsVP-A' found in file HKU\S-1-5-21-511477340-227303313-2571166547-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2014-09-16 16:46:08.007 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2014-09-16 16:46:08.007 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
2014-09-16 16:46:08.008 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
2014-09-16 16:46:08.037 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2014-09-16 16:46:08.037 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208
2014-09-16 16:46:08.038 >>> Virus 'Mal/ObfsVP-A' found in file HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell
2014-09-17 13:24:47.175 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2014-09-17 13:24:47.289 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2014-09-17 18:16:55.572 The following items will be cleaned up:
2014-09-17 18:16:55.813 Mal/ObfsVP-A
2014-09-17 19:10:05.978 Threat 'Mal/ObfsVP-A' has been cleaned up.
2014-09-17 19:10:06.020 Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.045 Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell" has been cleaned up.
2014-09-17 19:10:06.045 File "C:\Users\Amy\Downloads\PhotoshopPortable\App\CommonFiles\APE\3.4\adbeapeengine.dll" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.045 File "C:\Users\Amy\Downloads\PhotoshopPortable\App\CommonFiles\APE\3.4\adbeapeengine.dll" has been cleaned up.
2014-09-17 19:10:06.046 Registry value "HKU\S-1-5-21-511477340-227303313-2571166547-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.046 Registry value "HKU\S-1-5-21-511477340-227303313-2571166547-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" has been cleaned up.
2014-09-17 19:10:06.046 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.046 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect" has been cleaned up.
2014-09-17 19:10:06.046 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.047 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500" has been cleaned up.
2014-09-17 19:10:06.047 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.047 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500" has been cleaned up.
2014-09-17 19:10:06.047 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.047 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208" has been cleaned up.
2014-09-17 19:10:06.048 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208" belongs to malware 'Mal/ObfsVP-A'.
2014-09-17 19:10:06.048 Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208" has been cleaned up.
2014-09-17 19:10:06.075 Removal successful
2014-09-17 19:10:06.249 Contents of SafeClean bin directory:
2014-09-17 19:10:06.309 {
2014-09-17 19:10:06.309    RecordID   : "0000000000000001",
2014-09-17 19:10:06.309    ItemType   : "1",
2014-09-17 19:10:06.309    Location   : "C:\Users\Amy\Downloads\PhotoshopPortable\App\CommonFiles\APE\3.4\",
2014-09-17 19:10:06.310    FileName   : "adbeapeengine.dll",
2014-09-17 19:10:06.310    ThreatName : "Mal/ObfsVP-A",
2014-09-17 19:10:06.310    Checksum   : "c8d2b21ba8c95c1d6b5b597b3728e3cb9ae5fa686a979472550ccb18c47ad50a",
2014-09-17 19:10:06.336    TimeStamp  : "Wed Sep 17 15:09:14 2014"
2014-09-17 19:10:06.336 }


The Emsisoft scan is underway, update coming soon!

Edited by girl.anachronism, 17 September 2014 - 02:27 PM.


#6 LiquidTension

  • Malware Response Team

Posted 17 September 2014 - 12:15 PM

Hello,

How long has Sophos been scanning for?

#7 girl.anachronism

  • Topic Starter

Posted 19 September 2014 - 01:32 PM

Hi,

 

Sophos was scanning for quite a while before it was complete. The log is posted above. I'm trying to get to someone with a clean computer and clean usb stick to download Emsisoft, but this week has been hectic for myself and those around me. I will be travelling for the weekend and will be back next Monday - please do not close this thread!

 

Thank you,

 

Amy



#8 LiquidTension

  • Malware Response Team

Posted 19 September 2014 - 02:00 PM

Hi Amy, 
 
Those instructions for Emsisoft are outdated. The instructions below do not require the use of a second PC.

There's no rush, so by all means take your time.
 
Emsisoft Emergency Kit (Portable)

  • Please download Emsisoft Emergency Kit and save the file to your Desktop.
  • Double-click EmsisoftEmergencyKit.exe.
  • Click Extract.
  • Upon completion, double-click the Emsisoft Emergency Kit shortcut on your Desktop to start the programme.
  • Click Yes to update the programme definitions.
  • Click Yes to detect Potentially Unwanted Programs (PUP's).
  • Click Scan now.
  • Select Full Scan and click Scan.
  • Close any High Risk notification screen that may appear.
  • When the scan is finished click Quarantine selected objects if malicious objects were found.
  • Click View Report, and open the most recent log. 
  • Copy the contents of the log and paste in your next reply.


#9 girl.anachronism

  • Topic Starter

Posted 13 November 2014 - 01:50 AM

Hi!

Sorry this took so long - I got carried away with my thesis in the past couple of months!

 

Here is the log:

 

Emsisoft Emergency Kit - Version 9.0
Last update: 11/12/2014 3:52:39 PM
User account: Lunchbox-II\Amy
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 11/12/2014 3:53:44 PM
Key: HKEY_USERS\S-1-5-21-511477340-227303313-2571166547-501\SOFTWARE\APN detected: Application.InstallAd (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Key: HKEY_USERS\S-1-5-21-511477340-227303313-2571166547-501\SOFTWARE\CONDUIT detected: Application.InstallAd (A)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\08FC0000\58FEDE6F.VBN -> (Quarantine-9) detected: Generic.Malware.SDB.3C16ED89 ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\09F80000\4DFCCC0F.VBN -> (Quarantine-9) detected: Gen:Trojan.Heur.RP.hibdaGfIA2ni ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0A300000\4EFD48F7.VBN -> (Quarantine-9) detected: EICAR-Test-File (not a virus) ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00001.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00001.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00002.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00002.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00003.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00003.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00004.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00004.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00005.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00005.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00006.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00006.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00007.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00007.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00008.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00008.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00009.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00009.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D0000A.VBN -> (Quarantine-9) -> vload.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D0000A.VBN -> (Quarantine-9) -> vmain.class detected: Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240001.VBN -> (Quarantine-9) -> Uutecwv.class detected: Java.Exploit.Smid.A ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240002.VBN -> (Quarantine-9) -> sklif/Hieeyfc.class detected: Java.Trojan.Exploit.Bytverify.J ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240002.VBN -> (Quarantine-9) -> sklif/Hirwfee.class detected: Java.Trojan.Exploit.Bytverify.I ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240002.VBN -> (Quarantine-9) -> sklif/Hiydcxed.class detected: Java.Trojan.Exploit.Bytverify.I ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240003.VBN -> (Quarantine-9) -> ________vload.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240003.VBN -> (Quarantine-9) -> vmain.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000001.VBN -> (Quarantine-9) -> vmain.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000002.VBN -> (Quarantine-9) -> vmain.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000003.VBN -> (Quarantine-9) -> vmain.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000004.VBN -> (Quarantine-9) -> vmain.class detected: Java.Trojan.Exploit.Bytverify.O ( B)
C:\Users\Amy\Documents\cr-wr391\CORE10k.EXE detected: Riskware.Win32.Keygen (A)
 
Scanned 573528
Found 37
 
Scan end: 11/12/2014 10:49:00 PM
Scan time: 6:55:16
 
C:\Users\Amy\Documents\cr-wr391\CORE10k.EXE Quarantined Riskware.Win32.Keygen (A)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000004.VBN Quarantined Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000003.VBN Quarantined Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000002.VBN Quarantined Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\31000001.VBN Quarantined Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240003.VBN Quarantined Java.Trojan.Exploit.Bytverify.O ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240002.VBN Quarantined Java.Trojan.Exploit.Bytverify.I ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\1C240001.VBN Quarantined Java.Exploit.Smid.A ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D0000A.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00009.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00008.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00007.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00006.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00005.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00004.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00003.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00002.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\13D00001.VBN Quarantined Exploit.Java.CVE.AU ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\0A300000\4EFD48F7.VBN Quarantined EICAR-Test-File (not a virus) ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\09F80000\4DFCCC0F.VBN Quarantined Gen:Trojan.Heur.RP.hibdaGfIA2ni ( B)
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\08FC0000\58FEDE6F.VBN Quarantined Generic.Malware.SDB.3C16ED89 ( B)
Key: HKEY_USERS\S-1-5-21-511477340-227303313-2571166547-501\SOFTWARE\CONDUIT Quarantined Application.InstallAd (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Key: HKEY_USERS\S-1-5-21-511477340-227303313-2571166547-501\SOFTWARE\APN Quarantined Application.InstallAd (A)
 
Quarantined 24

Thank you for your patience!
 
Amy


#10 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male
  • Local time:10:29 AM

Posted 25 November 2014 - 10:54 PM

Hi Amy, 

 

Please can you describe the issues you're currently experiencing?



#11 girl.anachronism

girl.anachronism
  • Topic Starter

  • Members
  • 39 posts
  • Local time:05:29 AM

Posted 26 November 2014 - 02:37 AM

I realize this may be incredibly vague, but my computer is being incredibly slow... sometimes it will take a full two or three minutes to register a simple mouse click. Other times, it works at a reasonable speed... I've noticed that this happens both online and offline. It also can't really handle more than one application open at a time. Please let me know if you need any other information!

 

Thank you,

 

Amy



#12 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male
  • Local time:10:29 AM

Posted 26 November 2014 - 08:29 PM

Hi Amy, 
 
I'm going to request this topic be moved to the Virus and Malware removal section. 
 
Please run the following programme. 
 
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:06:29 AM

Posted 26 November 2014 - 08:57 PM

Hello, just letting you know I moved this topic to here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

#14 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts
  • Gender:Male
  • Local time:06:29 AM

Posted 01 December 2014 - 09:05 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



