TeslaCrypt Virus will be solved Need help related to virus


  • This topic is locked
38 replies to this topic

#1 danban

danban

  • Members
  • 119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bronx New York
  • Local time:04:51 PM

Posted 02 March 2016 - 06:54 PM

Hello everyone and Administrators, my computer was infected with the TeslaCrypt virus a few days ago and it turned all my PDF docs, video files and pics into MP3s. Believe it or not, I got this virus off a legitimate record label music site, and I let my guard down, thinking it was from the site to make it run better, as I clicked on the pop-up. Usually when I see a pop-up, I close down the computer right away and avoid the problem right in its tracks, but I got tricked on a legitimate site, so please, everyone, start being careful.

What I basically did was leave everything alone on my computer, because I know the problem will be fixed regardless of what people are saying, that you can't get the keys to decrypt the MP3s. I emailed BloodDolly and told him I'll pray for him that the whole situation will be fixed easily and quickly. You'd be surprised at what can happen when you pray; you can eradicate any computer problem regardless of what it is. I've done it before and am doing it again.

Anything can happen: BloodDolly or anybody else can find the answer and quickly implement it, or someone may just show up out of the blue and supply the key to everyone because of a guilty conscience, or got it some other way if they weren't involved.

I still have to run a virus scan of the whole system with Bitdefender to find any of the viruses; it's extremely slow but very good software. I already used a Malwarebytes scan and it didn't show anything.

Some of the music, video, graphics and radio podcast software is not running correctly, but I figure once I run Bitdefender it should have it fixed; if not, then I'll have to download the software again.

I'm not a computer expert at all, but I suspect some important pics and other files I'm not aware of have affected the music and video programs, because they need them for some reason and the files were encrypted into MP3s.

I'll find out after I do the Bitdefender scan and quarantine those viruses, but my gut is telling me my whole computer has to have the encrypted MP3s decrypted back for everything to work.

 

I do have one easy question for anybody here.

There are 3 files made by the virus:

1) _RECOVERY_+pillt.html

2) _RECOVERY_+pillt.png

3) _RECOVERY_+pillt.txt

They are in every folder in my system; it will take forever to find them all and move them to another folder or delete them.

They don't seem to be dangerous unless you click on the first one (_RECOVERY_+pillt.html), which will lead you to the virus website link.

Nevertheless, I want to get rid of all of them in one shot, easily and quickly.

I know there's got to be free software or a method to do this too.

Does anyone know?

That's it for now; I will keep coming to this post every day until the problem is solved.

 

Best

Dan

 




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,456 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:51 PM

Posted 03 March 2016 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

After reading about this infection you will understand that there is nothing we can do to restore your files.
http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information

I can only hope you have good backups.

===

The only thing we can do is help clean the computer of all the files left over by the infection.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post the logs.

Wait for further instructions.

#3 danban


Posted 03 March 2016 - 01:30 PM

Thanks a lot, I just attached the 2 files you requested after making the scan.

Let me know what to do next.

 

Attached Files



#4 nasdaq


Posted 03 March 2016 - 02:43 PM

FrostWire 6.0.8 (HKLM-x32\...\FrostWire 6) (Version: 6.0.8.1 - FrostWire LLC)


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [kacebgllsvaa] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [quoaufflklka] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [dlaowoexhueu] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [tlepowdlnace] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [nmbqwjgcyfqu] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [qwjgcyfquvnp] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [rowciblrecev] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001\...\Run: [mhrhvxqcsmco] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [kacebgllsvaa] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [quoaufflklka] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [dlaowoexhueu] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [tlepowdlnace] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [nmbqwjgcyfqu] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [qwjgcyfquvnp] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [rowciblrecev] => C:\Windows\system32\cmd.exe /c start "" "
HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [mhrhvxqcsmco] => C:\Windows\system32\cmd.exe /c start "" "
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.html [2016-02-28] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.png [2016-02-28] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.txt [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.html [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.png [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.txt [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.html [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.png [2016-02-28] ()
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.txt [2016-02-28] ()
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll [2015-01-19] (Yahoo! Inc.)
BHO-x32: No Name -> {D40C654D-7C51-4EB3-95B2-1E23905C2A2D} -> No File
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll [2015-01-19] (Yahoo! Inc.)
Toolbar: HKU\S-1-5-21-1066246007-1091995785-1061003623-1001 -> No Name - {2E924F4F-67F0-4BD8-9560-49F468E843D2} -  No File
Toolbar: HKU\S-1-5-21-1066246007-1091995785-1061003623-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {2E924F4F-67F0-4BD8-9560-49F468E843D2} -  No File
Handler: WSAllMyTubechrome - {0A0C95CF-A116-4C74 -  No File
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+pillt.html [2016-02-28]
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+pillt.png [2016-02-28]
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+pillt.txt [2016-02-28]
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+vplym.html [2016-02-28]
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+vplym.png [2016-02-28]
FF SearchPlugin: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\searchplugins\_RECOVERY_+vplym.txt [2016-02-28]
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\i1ijieam.default\Extensions\{B64D9B05-48E1-4CEB-BF58-E0643994E900}.xpi [2015-02-19] [not signed]
CHR Extension: (Video download helper) - C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mngdadkapbemiekajhhalpakdpleogfn [2016-03-02]
S2 BrsHelper; C:\PROGRA~2\YTDOWN~1\BROWSE~2.EXE [X]
U0 msahci; system32\drivers\msahci.sys [X]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.html
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.png
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.txt
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.html
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.pn
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+pillt.txt
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.html
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.png
C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.txt
C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mngdadkapbemiekajhhalpakdpleogfn
Task: {1E8DD9B8-9417-4C0B-8503-70F2E72F3CA6} - \BBQLeads -> No File <==== ATTENTION
Task: {2232F14E-014D-46AF-BD27-9264D96A64BE} - \SmartWeb Upgrade Trigger Task -> No File <==== ATTENTION
Task: {312C8324-5F5F-47F9-A405-23C35F3D1B41} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3 <==== ATTENTION
Task: {6405E259-834F-46A0-8F09-CADF12112511} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2 <==== ATTENTION
Task: {6CFB9703-05E4-4034-94ED-B155AEE5D8F8} - System32\Tasks\YTDownloaderUpd => C:\Program Files (x86)\YTDownloader\updater.exe <==== ATTENTION
Task: {7E493590-4522-4294-90EA-7CBF19F216EA} - \SMupdate1 -> No File <==== ATTENTION
Task: {91952E47-EED8-4C6C-8814-9377CCC1B48D} - System32\Tasks\WPLAEHX => C:\Users\Dan\AppData\Roaming\WPLAEHX.exe <==== ATTENTION
Task: {A667DC3B-0D63-4816-A8D7-FFA624CE616D} - System32\Tasks\YTDownloader => C:\Program Files (x86)\YTDownloader\YTDownloader.exe <==== ATTENTION
Task: {CDBB3676-19F5-4A56-BA10-67DB3574564B} - \Tempo Runner coz64host -> No File <==== ATTENTION
Task: {D808198F-C0D2-4364-AE2C-882C6665C443} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: C:\Windows\Tasks\WPLAEHX.job => C:\Users\Dan\AppData\Roaming\WPLAEHX.exe <==== ATTENTION
C:\PROGRA~1\COMMON~1\System\SysMenu.dll
C:\Program Files (x86)\YTDownloader
C:\Users\Dan\AppData\Roaming\WPLAEHX.exe
C:\Program Files (x86)\MyPC Backup

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

====

Please let me know what problem persists with this computer.
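The Run entries in the fixlist above share one shape: a 12-letter lowercase value name that launches its target through `cmd.exe /c start`, repeated under both user hives. The following is an added example, not part of the thread and not FRST's own logic, that triages FRST-style Run lines on that basis; the function names, the two heuristics and the lines marked constructed are assumptions.

```python
import re

# Line shape as it appears in the fixlist above:
#   <hive>\...\Run: [<value name>] => <command>
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] => (?P<cmd>.*)$"
)

# Heuristics (assumptions drawn from the entries listed in this thread).
RANDOM_NAME = re.compile(r"^[a-z]{12}$")
SHELL_START = re.compile(r"\\cmd\.exe\s+/c\s+start\b", re.IGNORECASE)

SID = r"HKU\S-1-5-21-1066246007-1091995785-1061003623-1001"
SAMPLE_LINES = [
    # Copied from the thread (commands are cut off on the page and kept that way).
    SID + r'\...\Run: [kacebgllsvaa] => C:\Windows\system32\cmd.exe /c start "" "',
    SID + r'\...\Run: [quoaufflklka] => C:\Windows\system32\cmd.exe /c start "" "',
    SID + r'-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [kacebgllsvaa] => '
          r'C:\Windows\system32\cmd.exe /c start "" "',
    # Constructed lines that must NOT be flagged (only one heuristic, or none, applies).
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe',
    SID + r'\...\Run: [backupupdate] => C:\Program Files\Example\updater.exe',
    r'HKLM\...\Run: [Launcher] => C:\Windows\system32\cmd.exe /c start "" "C:\Example\app.exe"',
    # Not a Run entry at all: ignored by the parser.
    r'Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+vplym.html [2016-02-28] ()',
]


def parse_run_entries(lines):
    """Return a dict (hive, key, name, cmd) for every Run/RunOnce line."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(lines):
    """Flag entries that match BOTH heuristics; group the hives per value name."""
    flagged = {}
    for e in parse_run_entries(lines):
        reasons = []
        if RANDOM_NAME.match(e["name"]):
            reasons.append("random-looking 12-letter value name")
        if SHELL_START.search(e["cmd"]):
            reasons.append("launches target through cmd.exe /c start")
        if len(reasons) == 2:
            rec = flagged.setdefault(e["name"], {"reasons": reasons, "hives": []})
            rec["hives"].append(e["hive"])
    return flagged


if __name__ == "__main__":
    for name, rec in sorted(triage(SAMPLE_LINES).items()):
        print(name, "in", len(rec["hives"]), "hive(s):", "; ".join(rec["reasons"]))
```

Requiring both heuristics keeps an ordinary launcher or a 12-letter product name from being flagged on its own.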

#5 danban


Posted 03 March 2016 - 04:34 PM

OK, good, I did what you asked: I ran the fix using FRST, then restarted the computer, then reset Google Chrome and cleared everything.

I also uploaded the Fixlog.txt.

I did try running some of my video and graphics programs like CrazyTalk 7, the Winamp music radio, music recording software and other programs, and some still do not work or run properly, so maybe I have to re-download them again to another folder.

I will let you know.

Also, all those 3 files are still in every folder in my computer.

1) _RECOVERY_+pillt.html

2) _RECOVERY_+pillt.png

3) _RECOVERY_+pillt.txt

 

I'm a computer novice, but I did some reading and I found I can recover all docs, pics and videos by using a data recovery program.

Do you have a free and simple one that I can use to get those files back?

Also, I haven't run my Bitdefender yet to get rid of viruses.

Let me know if I should run a free data recovery program that you can recommend and send before I run the virus scan with Bitdefender or one you recommend.

I have a 500 GB hard disk in my computer, and the videos, pics and docs that I want to get back take up around 300 GB of space.

I don't have another disk to store a backup, so I know I have to use data recovery carefully to put it all on the same hard disk, from what I read.

Besides all that, the computer and internet seem to be running fine.

Get back to me for further instructions,

Best

Dan

 

 

 

Attached Files



#6 nasdaq


Posted 04 March 2016 - 07:52 AM


I informed you in my first post of this.

Quote
After reading about this infection you will understand that there is nothing we can do to restore your files.

If some programs were compromised then you can reinstall them, but your files can only be restored from a backup you should have made on CDs, flash drives or an external hard disk.
If you do not have such a backup then you are out of luck.
===

This scan will list all of the files with the following string *_RECOVERY_+pillt.*
Post the log for my review. I will see what I can do to help you remove them.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:
    :filefind
    *_RECOVERY_+pillt.html
    *_RECOVERY_+pillt.png
    *_RECOVERY_+pillt.txt
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
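The question running through this thread is how to find and remove every `_RECOVERY_+pillt.*` note in one pass. The following is an added example, not part of the thread and not how SystemLook or FRST work: it lists matching notes first (dry run), confirms the copies are byte-identical, and deletes only on request. The name pattern is an assumption generalised from the two note names seen here (`pillt`, `vplym`), and the demo tree is constructed.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Assumption: note names follow the two seen in this thread
# (_RECOVERY_+pillt.*, _RECOVERY_+vplym.*): fixed prefix, "+", five
# lowercase letters, and one of three extensions. Anything else is left alone.
NOTE_RE = re.compile(r"^_RECOVERY_\+[a-z]{5}\.(html|png|txt)$")


def find_notes(root):
    """Return sorted paths under root whose file name matches NOTE_RE."""
    hits = []
    # os.walk skips directories it cannot list instead of aborting.
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if NOTE_RE.match(f))
    return sorted(hits)


def group_by_content(paths):
    """Map (file name, size, SHA-256) -> paths, to confirm the copies are identical."""
    groups = defaultdict(list)
    for p in paths:
        with open(p, "rb") as fh:
            data = fh.read()
        key = (os.path.basename(p), len(data), hashlib.sha256(data).hexdigest())
        groups[key].append(p)
    return dict(groups)


def sweep(root, delete=False):
    """List matching notes; remove them only when delete=True.

    Returns (listed_or_removed, failed) so a locked or protected file is
    reported instead of being silently skipped.
    """
    done, failed = [], []
    for p in find_notes(root):
        if delete:
            try:
                os.remove(p)
            except OSError as exc:
                failed.append((p, str(exc)))
                continue
        done.append(p)
    return done, failed


def build_demo_tree(root):
    """Constructed sample tree: notes in every folder plus files that must survive."""
    for sub in ("", "Docs", os.path.join("Docs", "Taxes"), "Music"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for ext, body in (("html", b"<html>note</html>"), ("png", b"\x89PNG"), ("txt", b"note")):
            with open(os.path.join(d, "_RECOVERY_+pillt." + ext), "wb") as fh:
                fh.write(body)
    for keep in ("Docs/report.pdf.mp3", "Docs/_RECOVERY_plan.txt", "Music/song.mp3"):
        with open(os.path.join(root, *keep.split("/")), "wb") as fh:
            fh.write(b"user data")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        listed, _ = sweep(tmp)  # dry run: review this list before deleting anything
        print(len(listed), "notes,", len(group_by_content(listed)), "distinct contents")
        removed, failed = sweep(tmp, delete=True)
        print("removed", len(removed), "failed", len(failed))
```

The encrypted `.mp3` files are deliberately untouched: only the note names match, so the data stays available if a decryption key is ever obtained.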

#7 danban


Posted 04 March 2016 - 01:06 PM

OK, I just used SystemLook and did the scan.

Here is the SystemLook.txt.

As you can see, it put the 3 files in every folder in my computer.

Amazing.

See what you can do to get rid of them all in one shot; I would appreciate it.

Note: the SystemLook.txt file was too big to upload.

The file attachment wouldn't take it.

What should I do?

The file is 15.2 MB.

 

 



#8 nasdaq


Posted 05 March 2016 - 07:58 AM

I understand. You must have a lot of folders.

Break the file into 3 or 4 parts.

Paste each one in a new post.

#9 danban


Posted 05 March 2016 - 01:00 PM

Hi, there's a lot in the file; it's a little confusing to split the text file if I cut and resave it as other text files in parts.

I'll be missing listed files or something, I know it.

Do you have a program where I can split the actual file, or is there an easy way of doing it that I'm not aware of?

Get back to me, thanks,

Dan


Edited by danban, 05 March 2016 - 01:01 PM.


#10 danban


Posted 05 March 2016 - 01:14 PM

Disregard the last post, I found out how to split the txt file.

Here are the 2 files:

 

Attached Files



#11 danban


Posted 05 March 2016 - 01:32 PM

When I split the txt file into two 8 MB files,

I was able to upload the first one, which is posted,

but when I tried to upload the 2nd file, it said the size limit to upload is 1.8 MB.

What happened? The size limit shrunk. I don't want to split the 2nd file again into 1.8 MB parts, which would be around 8 files to upload.

Is there a daily limit on this site? I don't know.

Please get back.



#12 nasdaq


Posted 05 March 2016 - 02:34 PM



Run this fix.
When completed check to see if the files have been deleted.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


C:\AsusVibeData\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\FIX_lnk\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\FRG32\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\Frg32EXE\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\icons\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\lnk\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E
C:\AsusVibeData\skin\_RECOVERY_+pillt.html	--a---- 11680 bytes	[20:51 28/02/2016]	[20:51 28/02/2016] D1D9F01A5F61ECF35DC906E441389A7E

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If this succeeds it will be easy to clean the rest of the files; otherwise I have some work to do.

Will take care of the 2nd half of the search log later.

#13 danban


Posted 05 March 2016 - 03:08 PM

OK, did the fix and here is the Fixlog.txt.

 

Attached Files



#14 nasdaq


Posted 06 March 2016 - 07:41 AM


It did not go so well. Try this new fixlist.txt
p.s. delete the old fixlist.txt before creating this one.

Run this fix.
When completed check to see if the files have been deleted.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


C:\AsusVibeData\_RECOVERY_+pillt.html
C:\AsusVibeData\FIX_lnk\_RECOVERY_+pillt.html
C:\AsusVibeData\FRG32\_RECOVERY_+pillt.html
C:\AsusVibeData\Frg32EXE\_RECOVERY_+pillt.html
C:\AsusVibeData\icons\_RECOVERY_+pillt.html
C:\AsusVibeData\lnk\_RECOVERY_+pillt.htm
C:\AsusVibeData\skin\_RECOVERY_+pillt.htm

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

p.s.
If the files are deleted, please check your Recycle Bin and let me know if the deleted files are now saved in the Recycle Bin.
You should then clean it.

#15 danban


Posted 06 March 2016 - 12:00 PM

I don't think it worked again; folders are still cluttered with those files, and there is nothing in the trash folder.

Here's the Fixlog.txt:

 

Attached Files





