
no hard feelings please, i need guidance and others may have this prob


  • This topic is locked
28 replies to this topic

#1 kistonw

kistonw

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 07:37 AM

I understand why it was hard to believe me, and i hope any1 whos read the past threads understands why i was frustrated. Because ive been dealing with this piece of bleep, i knew to take pictures before the evidence poofed (comp restarted itself and its back to infected). I cant get into internet using windows 10, safe mode or normal, so im on windows xp via dvd. I cant stay on long enuff to get the pictures + keep this tab open, something shuts it off so i will edit this thread in a few.

[image]


Edited by Queen-Evie, 06 May 2016 - 07:56 AM.
edited to correct formatting




#2 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:07:12 AM

Posted 06 May 2016 - 07:48 AM

kistonw had 2 other topics which got closed due to the nature of the replies.

This topic is OFF LIMITS to the same types of replies.

If anyone who replied in the other two topics is tempted to post more of the same in this one, your posts will be deleted.

Can't offer any concrete help? Do not post in this one.

#3 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 07:49 AM

jesus im hopeless. takes me 10 min trying to save the file before the web browser closes. then i realize idk how to even convert into a way that lets me post the pic here. had to upload to facebook heh. sorry they so big

 

[image]



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,977 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:12 PM

Posted 06 May 2016 - 07:51 AM

While I understand you're frustrated about the problems with your computer, no matter the cause, I have to agree with everything already said in the other topics. However to clarify, can you tell me what tool or program created the list above and how you ran this tool/program?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 08:05 AM

Ms, dont bring up the other topics and lets leave it at that please.

 

This is the first time avira was able to run, and idk how tbh. the processes are so long and tedious i cant name it all exactly, but after grinler suggested the iso download on the windows website, i downloaded it in safemode, burned to disc. HEAVY DISK WIPED, cleaned mbr, loaded hirens boot cd to clean anything i could off of the registry, as well as rescanning the harddrive for lost partitions. everything was going well till that last part, the program diskgenius was able to record an attempt at recovering something. that "something" was like a block of space that it seemed like my computer couldnt even look at, much less scan/repair/fix. <-- this part about the partition i ignored, i didnt know what to do, it survived multiple hour-long disk wipes. from this point, i used the iso grinler suggested me to download to install windows 10 home. instantly after installing, i turned my pc off and reloaded hirens boot cd. In hirens, i downloaded rogue killer/jrt and ran it along with malwarebytes and ccleaner, all finding multiple things. Then i reloaded windows 10, and before connecting to the internet i rescanned everything, a supposedly fresh install, and came up with minor infection. However, i went and deleted every single task in the task scheduler library. then i rebooted into safe mode, but before pc actually loaded, i booted off of hirens cd to rerun all those scanners. around 75% of the malware that popped up in the first scans popped up again, i deleted and restarted to continue into safe mode windows 10. From there i ran jrt/roguekiller/rkill ~ then ran avira anti virus (its installed on hirens). i didnt want to plug into the internet, so i ran avira without updating. it may have the name of the viruses different (not sure) but EVERY file listed, ive been watching closely but couldnt figure out. After the scan in the pics ran through, i was reading the log and suddenly pc restarts <-- that was in safe mode windows 10.
i barely had time to take the pics cuz i couldnt find my damn phone.

 

Sorry for wall of text. Just trying to make it clear where i stand.

 

> kistonw had 2 other topics which got closed due to the nature of the replies.
>
> This topic is OFF LIMITS to the same types of replies.
>
> If anyone who replied in the other two topics is tempted to post more of the same in this one, your posts will be deleted.
>
> Can't offer any concrete help? Do not post in this one.

ty sir. i def wasnt the victim either, i know i was frustrated. i cant seem to click after the picture to type to add another i apologize. this last 1

 

I am not sure what the removable drive is about either, but i know for a fact now its related. i 4got to mention, while deleting my task scheduler library, i read each one of them to determine whether or not it warranted deletion. Among many suspicious tasks, i remember seeing /autoclean -d (d is the removable drive). Its not much info, but the reason i have this removable "empty" drive is because the task scheduler library would empty and clean it whenever i came back from idle. I believe a lot of what was done involved custom events and triggers in task scheduler library

[image]


Edited by kistonw, 06 May 2016 - 08:16 AM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,977 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:12 PM

Posted 06 May 2016 - 08:23 AM

> In hirens, i downloaded rogue killer/jrt and ran it along with malwarebytes and ccleaner, all finding multiple thin

Doing this is a waste of time. These tools will scan the MiniXP installation, which contains a few tools that are considered risky by certain products. However those are not malicious. The problem with scanning this way is that no tool will "see" what is actually running or loaded in your Windows 10 installation.

> However, i went and deleted every single task in the task scheduler library

Not a good idea, usually those tasks aren't malware.

> i booted off of hirens cd to rerun all those scanners. around 75% of the malware that popped up in the first scans popped up again,

Of course it is, it's stuff loaded from the iso, you can't delete that; a PE disk like Hiren's loads the entire OS in RAM from the iso. A tool that detects something will not affect the iso, and next time you boot things will be loaded again. However this is nothing to worry about (and if you can't believe that, then I suggest not to use Hiren's).

You did not answer my question though: what tool did you run and how did you run it that caused the report in the screenshot?


regards, Elise




#7 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 08:36 AM

 

> > In hirens, i downloaded rogue killer/jrt and ran it along with malwarebytes and ccleaner, all finding multiple thin
>
> Doing this is a waste of time. These tools will scan the MiniXP installation, which contains a few tools that are considered risky by certain products. However those are not malicious. The problem with scanning this way is that no tool will "see" what is actually running or loaded in your Windows 10 installation.
>
> > However, i went and deleted every single task in the task scheduler library
>
> Not a good idea, usually those tasks aren't malware.
>
> > i booted off of hirens cd to rerun all those scanners. around 75% of the malware that popped up in the first scans popped up again,
>
> Of course it is, it's stuff loaded from the iso, you can't delete that; a PE disk like Hiren's loads the entire OS in RAM from the iso. A tool that detects something will not affect the iso, and next time you boot things will be loaded again. However this is nothing to worry about (and if you can't believe that, then I suggest not to use Hiren's).
>
> You did not answer my question though: what tool did you run and how did you run it that caused the report in the screenshot?

 

Ill say one thing and wont answer you again. After freshly installing the iso from windows site, malwarebytes found maybe 40 infections while in hirens. after that, every scan after found i believe 3? or 4. regardless, that alone contradicts whatever ur saying, and the fact you didnt realize i said 75% (meaning 25% DID get removed, and stayed removed, indicating the first 25% came from the iso install) makes me wonder why ur here...

first scanner i mentioned was avira, as well as the last. If you cant put that together, why would i bother to answer your redundant question?

 

Btw, if you would humor me and assume im infected, why do you think what u do to ur task scheduler library is relevant to what i do to my infected library? jesus

 

Im here for serious help, ive humored your questions about bleep already mentioned. If you would do me the favor of private messaging me, so i can keep this thread as helpful-info-dense as possible, id appreciate it.



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,977 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:12 PM

Posted 06 May 2016 - 08:58 AM

If you truly want help, you can do me the courtesy of answering a question that I think is relevant for very obvious reasons. 

If you don't believe me regarding Hirens, fine, frankly that is not my problem, it's yours. 

 

Nobody here has any interest in claiming you're not infected when in fact you are and I think there are a large number of people who we've helped over the years that can attest to this. However, you seem to forget something. Nobody forces you to use BC for malware removal or to trust us. You're free to take your computer to a repair shop and have them fix whatever they find wrong.

 

I'd also thank you if you could use appropriate language as you agreed to when you joined this forum.

 

You can either answer my question or have this topic closed (with the mention that, if you create a new one, it may considerably shorten your membership of this forum). It's your choice, you had enough chances, this is your last one.


regards, Elise




#9 Havachat

Havachat

  • Members
  • 1,044 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.
  • Local time:10:12 PM

Posted 06 May 2016 - 09:49 AM

If i was there you would be up and running in 1Hr. { But Im Not }.

Dont know if this is a Joke ....We'll See ?

 

We can only provide Advice and Guide you.....with your input being Positive !

 

Basic Installation of Windows :

 

1/ Download ISO { Clean }, burn to Disc and Use Your Product Key { Or use Purchased Windows Disc }.

2/ Format the drive you wish to use and Connect this Drive Only.

3/ Disconnect all USBs / Other Hard Drives.

4/ Disconnect from Internet.

5/ Boot from Created Dvd / or Windows Disk.

6/ Wait for Installation to complete.

7/ Test if all is running OK...Ensure This...eg: No Issues.

8/ Reboot.

9/ Connect to Internet.

10/ Install Drivers / Windows Updates.

11/ Reconnect other Drives if needed. 

 

Any issues that arise after may be USBs / Other Drives are Infected and not the Installation Media Used Previously.

Or Operator Error.

 

I wont be Responding at this Time.



#10 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 11:25 AM

Jesus this thing is tricky, malwarebytes doesn't even load a version anymore and Avira now says no license found.

#11 RolandJS

RolandJS

  • Members
  • 4,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:07:12 AM

Posted 06 May 2016 - 12:11 PM

  From my experience from Windows 3.1/DOS 3.3 to Windows 95/98/98SE, now on Windows 7 Pro -- I believe your computer indeed was hit by something bad -- and the attempted fixes led to the deletion of not only infected files, but very likely files that were not infected, just simply "looked" suspicious by some of the anti-virus/anti-malware fighters.

  My new found friend, I believe not only was your computer "helped" by the infection[s], it was "helped" by the cleanings.

This happened to me awhile back.  A local computer tech ran some stuff on it, several of my normal programs were not normal anymore, so, the only solution for me was to restore a week-old OS image via Acronis True Image.

  My question to you -- there are no recent, current, restorable backups, correct?  If no backups, then we're back to somehow creating a new Windows 10 installation after obliterating the old.

  I'm at school, I have bad eyesight, I hope I have read your informative thread correctly.


Edited by RolandJS, 06 May 2016 - 12:12 PM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,977 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:12 PM

Posted 06 May 2016 - 12:32 PM

So, the screenshot you posted was the result of an Avira scan? From Hiren's MiniXP? 

 

If you're not interested in feedback and just randomly post things you think are of interest, and as a result get upset because nobody helps you, then let's all save our time and just lock this topic.


regards, Elise




#13 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 06 May 2016 - 12:41 PM

> From my experience from Windows 3.1/DOS 3.3 to Windows 95/98/98SE, now on Windows 7 Pro -- I believe your computer indeed was hit by something bad -- and the attempted fixes led to the deletion of not only infected files, but very likely files that were not infected, just simply "looked" suspicious by some of the anti-virus/anti-malware fighters.
>
> My new found friend, I believe not only was your computer "helped" by the infection[s], it was "helped" by the cleanings.
>
> This happened to me awhile back.  A local computer tech ran some stuff on it, several of my normal programs were not normal anymore, so, the only solution for me was to restore a week-old OS image via Acronis True Image.
>
> My question to you -- there are no recent, current, restorable backups, correct?  If no backups, then we're back to somehow creating a new Windows 10 installation after obliterating the old.
>
> I'm at school, I have bad eyesight, I hope I have read your informative thread correctly.

Heya bud. Your eyes seem to be working fine to me. I believe you're partially right about the deletions of good files, but when I do actually delete good files, I usually delete wayy too many and end up having to restore. This means I don't delete many legit things. I forgot to mention earlier and I'm glad you reminded me, right after installing the Windows 10 earlier, the reason I went into all this was because the first thing i tried to do was update. The update service wasn't found, from that instant i just went into hirens. From hirens, I immediately scanned the fresh install and found all these viruses.

I see where you're going, but I downloaded and burned that Windows 10 using Windows xp, yesterday. Do you think it became infected in that time? I mean it must have... Unless

I did multiple heavy duty disk wipes, and after i install Windows 10 in instantly infected. How would you download a new Windows disk? Also, it sounds crazy but I wouldn't ask you to consider it unless I strongly felt it was possible - what if indeed the windows 10 cd is infected, but is the rootkit or whatever this is immune to even disk wipes? I mean this is complex stuff it seems, I'm not sure what you've read so far. many sector scans and partition tables tell me there's something weird about my hard drive. I believe it has to do with this removable disc E, it consistently shows up, even in scans before saying its nothing, but anything that attempts to even look at it just gets a error. Is it possible these encrypted files lost inside free space, is connected to how this infection won't go away? Inside of my task scheduler library I would find tasks referencing the drive, and from then I knew for sure the drive was malicious (one task told my pc to sync files when I go ask. Then it said to end when I'm back)


Sorry bud, I guess what I'm asking is, is it possible for the rootkit to hide on my drive somewhere? i managed to get a log file instead of those pictures, hope it helps

 

~ to answer you, no backups. I have a windows 10 dvd, and a windows 10 usb, both install a windows that doesn't even have windows update.

 

 

Scan start time: 5/6/2016 11:14:43 AM
Command line: scancl.exe --logformat=singleline --quarantine=c:\Quarantine --logappend --log=scan.log --colors --heurlevel=2 --defaultaction=clean --suspiciousaction=clean c:

configuration file: C:\Users\kiston\AppData\Local\Temp\HBCD\Avira\scancl.conf
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\hiberfil.sys
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\pagefile.sys
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Program Files (x86)\Windows Mail\WinMail.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x86__8wekyb3d8bbwe\SharedLibrary.dll <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen2] c:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe\mrt100_app.dll <<< Is the TR/Crypt.XPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen2] c:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x86__8wekyb3d8bbwe\mrt100_app.dll <<< Is the TR/Crypt.XPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\InfusedApps\Packages\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Money.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Money.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\InfusedApps\Packages\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.News.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.News.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\InfusedApps\Packages\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Sports.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Sports.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Weather.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\InfusedApps\Packages\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\MessagingApplication.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\MessagingApplication.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen2] c:\Windows\InfusedApps\Packages\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\MessagingNativeBase.dll <<< Is the TR/Crypt.XPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeApp.dll <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeApp.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen] c:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\GetSkype.exe <<< Is the TR/Crypt.XPACK.Gen Trojan
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\blackbox.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Dropper.Gen] c:\Windows\System32\compact.exe <<< Is the TR/Dropper.Gen Trojan
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\DEFAULT
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\DEFAULT.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\DEFAULT.LOG2
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SOFTWARE
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SOFTWARE.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SOFTWARE.LOG2
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SYSTEM
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SYSTEM.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\System32\config\SYSTEM.LOG2
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\CPFilters.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\DeviceProperties.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\DisplaySwitch.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\drmmgrtn.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\dxtmsft.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\EncDec.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\fontdrvhost.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\System32\IME\IMEJP\IMJPDCT.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\System32\IME\SHARED\IMESEARCH.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\System32\IME\SHARED\IMEWDBLD.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\iscsicpl.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTPROCEXP TRACE.etl
WARNING: [Error opening file. (No error)] c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\MshtmlDac.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\msnetobj.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\msscp.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\Narrator.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\ntasn1.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\pidgenx.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\qcap.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\qdv.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\System32\ReAgentc.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\wmdrmnet.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.CFI.Gen] c:\Windows\System32\write.exe <<< Is the TR/Crypt.CFI.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\System32\wscript.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\System32\xpsrchvw.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\blackbox.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Dropper.Gen] c:\Windows\SysWOW64\compact.exe <<< Is the TR/Dropper.Gen Trojan
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\DEFAULT
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\DEFAULT.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\DEFAULT.LOG2
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SOFTWARE
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SOFTWARE.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SOFTWARE.LOG2
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SYSTEM
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SYSTEM.LOG1
WARNING: [Error opening file. (The process cannot access the file because it is being used by another process.  )] c:\Windows\SysWOW64\config\SYSTEM.LOG2
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\CPFilters.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\DeviceProperties.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\DisplaySwitch.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\drmmgrtn.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\dxtmsft.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\EncDec.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\fontdrvhost.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\iscsicpl.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\MshtmlDac.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\msnetobj.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\msscp.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\Narrator.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\ntasn1.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\pidgenx.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\qcap.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\qdv.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\SysWOW64\ReAgentc.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\wmdrmnet.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.CFI.Gen] c:\Windows\SysWOW64\write.exe <<< Is the TR/Crypt.CFI.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\SysWOW64\wscript.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\SysWOW64\xpsrchvw.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\wow64_microsoft-windows-d..-externaldictionary_31bf3856ad364e35_10.0.10586.0_none_d375cc5a97572bb9\IMEWDBLD.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\wow64_microsoft-windows-d..d-searchintegration_31bf3856ad364e35_10.0.10586.0_none_1c91f4476e19a332\IMESEARCH.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-directshow-capture_31bf3856ad364e35_10.0.10586.0_none_4fb365ddfe42ab4b\qcap.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-directshow-dv_31bf3856ad364e35_10.0.10586.0_none_93b108edfeda7a0f\qdv.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.10586.0_none_839bf3a4033369a6\DisplaySwitch.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.10586.3_none_40ad60d5393e49ed\fontdrvhost.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_11.0.10586.0_none_62920c92cb35e56a\dxtmsft.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.10586.0_none_6ec56d5c3ac9d450\iscsicpl.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.10586.0_none_b1d4f3491eb2b509\wmlaunch.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_10.0.10586.0_none_05085deda384e375\blackbox.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_10.0.10586.0_none_05085deda384e375\drmmgrtn.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_10.0.10586.0_none_05085deda384e375\msnetobj.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_10.0.10586.0_none_05085deda384e375\msscp.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_10.0.10586.0_none_05085deda384e375\wmdrmnet.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-narrator_31bf3856ad364e35_10.0.10586.0_none_54f81b9b8270ed65\Narrator.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-ntasn1-dll_31bf3856ad364e35_10.0.10586.0_none_510e32b1a38cafee\ntasn1.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.10586.63_none_d6d606fbe568c23e\wscript.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_10.0.10586.0_none_abf5962b2cef76ba\xpsrchvw.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Dropper.Gen] c:\Windows\WinSxS\x86_microsoft-windows-compact_31bf3856ad364e35_10.0.10586.0_none_2a5c379fa78c4b50\compact.exe <<< Is the TR/Dropper.Gen Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-cpfilters_31bf3856ad364e35_10.0.10586.0_none_67d1ee5dd0281185\CPFilters.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_10.0.10586.71_none_15414eb36a5b0c93\IMJPDCT.EXE <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-deviceproperties_31bf3856ad364e35_10.0.10586.0_none_1ab15fd82be2c6b6\DeviceProperties.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-ie-mshtmldac_31bf3856ad364e35_11.0.10586.0_none_3c961a4953f16c3a\MshtmlDac.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-mail-app_31bf3856ad364e35_10.0.10586.0_none_21bf2a5d41aef4f6\WinMail.exe <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-security-spp-pidgenx_31bf3856ad364e35_10.0.10586.0_none_31d9d1abb59f0823\pidgenx.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.XPACK.Gen3] c:\Windows\WinSxS\x86_microsoft-windows-tvencdec_31bf3856ad364e35_10.0.10586.0_none_10df1345806062cd\EncDec.dll <<< Is the TR/Crypt.XPACK.Gen3 Trojan
 ALERT: [TR/Crypt.EPACK.Gen2] c:\Windows\WinSxS\x86_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.10586.0_none_05b4d14963230c63\ReAgentc.exe <<< Is the TR/Crypt.EPACK.Gen2 Trojan
 ALERT: [TR/Crypt.CFI.Gen] c:\Windows\WinSxS\x86_microsoft-windows-write_31bf3856ad364e35_10.0.10586.0_none_8fe9cf04cf119f4a\write.exe <<< Is the TR/Crypt.CFI.Gen Trojan
                                                                                                                            

Statistics :               
    Directories............... : 21277
    Files..................... : 97715
        Infected.............. : 98
            Ignored........... : 98
        Warnings.............. : 109
        Suspicious............ : 0
    Infections................ : 98
    Time...................... : 00:05:41


Edited by kistonw, 06 May 2016 - 12:50 PM.


#14 Elise


Posted 06 May 2016 - 01:03 PM

<<< Is the TR/Crypt.XPACK.Gen3 Trojan

 

This shows up a lot. It might be an Avira FP, it might be an infected file. If you'd like to know for sure, you can upload a few of those files to http://www.virustotal.com and scan them. 

However, to know what exactly you're looking at, again, did you run this using MiniXP? Because if you did, you scanned the loaded OS from Hiren's, not your Windows 10 installation, which makes the scan useless.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#15 RolandJS


Posted 06 May 2016 - 01:03 PM

"...it sounds crazy but I wouldn't ask you to consider it unless I strongly felt it was possible - what if indeed the windows 10 cd is infected, but is the rootkit or whatever this is immune to even disk wipes? I mean this is complex stuff it seems..."

I forgot where the Windows 10 dvd and Windows 10 usb come from; did you earlier say what source?  If the DVD came from a 3rd party from "The 'Net," it's remotely possible the DVD brought a "nasty" or two with it.  A computer company accidentally sent out a sales CD that had a few Word macros on it, so I can believe some things can happen from "The 'Net."  From my olde days, I remember anything existing on Track Zero can be overlooked by many security utilities.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)




