
Opened downloads folder, lots of folders opened


  • This topic is locked
5 replies to this topic

#1 Cire86


Posted 16 April 2017 - 11:00 AM

I was just checking my files, opened the Downloads folder and right after that a few other folder windows popped up without me doing it. They looked like either the same Downloads folder or other Windows folders; I am not sure, I didn't check them that thoroughly because I closed them pretty fast (yeah, I know I should have made sure what each of them was), partly because I assumed it's probably a bug. Then when I was trying to replicate this to see if it was a bug, I noticed the OneDrive login window opening; I don't think I clicked OneDrive.

 

Here are farbar logs

 

Scanned with Sophos, while turning off Avast and Malwarebytes; it said the computer is clean.

 

Added roguekiller logs, it found something!

 

RogueKiller V12.10.4.0 (x64) [Apr 10 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : CAFD [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/16/2017 17:24:35 (Duration : 00:11:19)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3d0118e1-8c73-4471-8af0-61bc018a1f97} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4134899153-3425773317-4195322805-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4134899153-3425773317-4195322805-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Adw.WinSec|PUP.Gen1][Folder] C:\Program Files\Windows Security -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 99 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1126400 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1159168 | Size: 476374 MB
User = LL1 ... OK
User = LL2 ... OK

Edited by Cire86, 16 April 2017 - 12:37 PM.

 


#2 Cire86


Posted 17 April 2017 - 10:23 PM

Forget the logs in the original post; download and analyze these ones instead. Sorry for the inconvenience.




#3 TsVk!


Posted 18 April 2017 - 08:16 PM

Hi Cire86

 

My name is TsVk!. I'll be helping you with your issue.

I've looked at your post and will respond as soon as possible with instructions.

Please be aware that I am still in training and everything that I say needs to be covered in detail with my instructor. This is a bonus for you because you have two sets of eyes on your thread, but you need to be aware this can take some time so my responses may take a day or so.

 

John


Edited by TsVk!, 18 April 2017 - 08:19 PM.


#4 TsVk!


Posted 18 April 2017 - 10:40 PM

Hi Cire86

 

I see no malicious entries in any of your logs. Let's run a couple of scans to double check the adware detected by RogueKiller was removed.

 

Please download AdwCleaner and save to your Desktop.

  • Right click and "Run as Administrator"
  • Click on the Scan button.
  • After the scan has finished, click Clean and ok the reboot
  • When complete, your machine will restart and a log file will appear to copy into your reply
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Right click and "Run as Administrator".
  • The tool will open and start scanning your system.
  • On completion a log will open; note the saved JRT.txt on your desktop to copy into your reply.

 

 

Please copy and paste into your reply

  • ADWCleaner log
  • JRT log

TsVk!
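
An added example, not part of the thread and not RogueKiller's own logic: a small triage of the "-> Found" lines from the log in post #1, separating DNS findings that name only local or unspecified addresses from ones that name an outside resolver. The line with 203.0.113.53 is constructed for contrast, and the verdict rules are assumptions made for illustration.

```python
import ipaddress
import re

# Findings copied from the RogueKiller log in post #1, plus one constructed
# line (203.0.113.53, a documentation address) to show the contrasting case.
SAMPLE = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4134899153-3425773317-4195322805-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[Adw.WinSec|PUP.Gen1][Folder] C:\Program Files\Windows Security -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 203.0.113.53 ([-][])  -> Found
"""

FINDING = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*(?:\(X\d+\)|\[\w+\])\s*(?P<body>.+?)\s*->\s*Found$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(text):
    """True for RFC 1918 addresses and the unspecified address 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # malformed value: leave it for a human to look at
    return addr.is_unspecified or any(addr in net for net in RFC1918)

def triage(line):
    """Return (tag, verdict, reason) for one finding line, or None if it is not one."""
    m = FINDING.match(line.strip())
    if not m:
        return None
    tag, body = m["tag"], m["body"]
    if tag == "PUM.Dns":
        value = body.partition(" | ")[2]  # "DhcpNameServer : <servers> (...)"
        outside = [ip for ip in IPV4.findall(value) if not is_local(ip)]
        if outside:
            return tag, "review", "resolver outside the local network: " + ", ".join(outside)
        return tag, "expected", "resolvers are local/unspecified (typical router-assigned DNS)"
    if tag.startswith("PUM."):
        return tag, "setting", "modified Windows setting; confirm the user changed it"
    return tag, "review", "file or folder detection; follow up with a second scanner"

def triage_log(text):
    """Triage every finding line in a pasted log, skipping headers and blanks."""
    return [r for r in map(triage, text.splitlines()) if r]

if __name__ == "__main__":
    for tag, verdict, reason in triage_log(SAMPLE):
        print(f"{verdict:8} {tag:22} {reason}")
```
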



#5 Oh My!


Posted 19 April 2017 - 07:49 PM

User claims unable to post under this user name and sent PM to indicate she reformatted the drive.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Oh My!


Posted 19 April 2017 - 07:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



