Eleven 6.2gb files in c:\windows on Windows 7 Home Premium


  • This topic is locked
15 replies to this topic

#1 jockovonred

jockovonred

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 18 April 2018 - 11:19 AM

Continuation from https://www.bleepingcomputer.com/forums/t/673087/11-62gb-files-in-cwindows-on-windows-7-home-premium/
 
Within C:\Windows on Windows 7 Home Premium edition, there are eleven (11) 6.2 gb files which don't have recognizable or readable names.
Please see the image linked below which shows the files and the location.
 

https://pasteboard.co/HgBlQfJ.png

 

The files in question are highlighted in the image.

 
These files don't appear like they should be there or exist.
 
I am posting the FRST.txt and Addition.txt log files as requested. Additionally, I have attached the log files and the image too.
 
FRST.txt
 


 
ADDITION.txt
 


Edited by jockovonred, 18 April 2018 - 11:28 AM.



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 AM

Posted 18 April 2018 - 01:05 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
CouponPrinterPlugin (HKLM-x32\...\{8AC6566B-131F-4987-82DF-932CED9FCA23}) (Version: 2.0.2.0 - Hopster) <==== ATTENTION
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2565791158-2251188054-424474701-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKLM-x32 -> {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=outbrowseaol-ie&s_qt=sb&tb_uuid=20130303134201404&tb_oid=03-03-2013 &tb_mrud=03-03-2013
SearchScopes: HKU\.DEFAULT -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-19 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-20 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-21-2565791158-2251188054-424474701-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-2565791158-2251188054-424474701-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000590&geo=US&ver=22&locale=en_US&gct=kwd&qsrc=2869
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-2565791158-2251188054-424474701-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-2565791158-2251188054-424474701-1000: hopster.com/CouponPrinterPlugin -> C:\Users\jim.carol\AppData\Roaming\Hopster\CouponPrinterPlugin\2.0.2.0\npCouponPrinterPlugin.dll [2013-02-21] (Hopster)
CHR HomePage: Default -> hxxp://www.search.ask.com/?gct=hp
CHR DefaultSearchURL: Default -> hxxp://www.search.ask.com/web?q={searchTerms}
CHR DefaultSearchKeyword: Default -> search.ask.com
CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
CHR Extension: (MapsGalaxy) - C:\Users\jim.carol\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcpehlgijbdajfafffojllcaecaecngb [2015-06-19]
S1 CompuCleverBootor; \??\C:\Program Files (x86)\CompuClever\PC TuneUp Maestro\Bootor64.sys [X]

CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-2565791158-2251188054-424474701-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\jim.carol\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
Task: {F5A8E5FE-0B2C-4039-93FF-997496A0309E} - System32\Tasks\PC TuneUp Maestro Startup => C:\Program Files (x86)\CompuClever\PC TuneUp Maestro\pctum.exe
AlternateDataStreams: C:\ProgramData\TEMP:829C9EE6 [288]
MSCONFIG\startupreg: ApnTBMon => "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
C:\Windows\System32\Tasks\PC TuneUp Maestro Startup
C:\Program Files (x86)\CompuClever

2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\㐘ؤ
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\չ
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\ӹ
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\È忨ؤ
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\È忠ؤ㐘$
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\È뎕知㿨ؤ
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\È
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\ÄÈ⿐È
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\1
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\⟈
2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\Windows\؝
2018-04-11 19:35 - 2018-04-11 19:35 - 558353401 _____ C:\Windows\MEMORY.DMP
2018-04-11 19:35 - 2018-04-11 19:35 - 000274936 _____ C:\Windows\Minidump\041118-37331-01.dmp
2018-04-11 19:35 - 2018-04-11 19:35 - 000000000 ____D C:\Windows\Minidump

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
===

Please post the logs and let me know what problem persists with this computer.

#3 jockovonred

Posted 20 April 2018 - 01:10 PM


 

I have uninstalled the two programs mentioned:

CouponPrinterPlugin

Java 8 Update 31

 

Below are the log files.

 

Fixlog.txt

AdwCleaner[S00].txt

AdwCleaner[C00].txt

 

Please let me know the next steps, thanks!



#4 nasdaq

Posted 21 April 2018 - 06:35 AM



Hi,

Please let me know the next steps, thanks!


Any remaining issues with this computer?

#5 jockovonred

Posted 23 April 2018 - 10:09 AM

Hi,
 

Please let me know the next steps, thanks!


Any remaining issues with this computer?

 

 

Yes, the problem still remains. 

 

As indicated in the FixLog file, the files requested to be 'moved' (deleted) failed.  

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-04-2018 09:56:10)


C:\Windows\㐘ؤ => Could not move
C:\Windows\չ => Could not move
C:\Windows\ӹ => Could not move
C:\Windows\È忨ؤ => Could not move
C:\Windows\È忠ؤ㐘$ => Could not move
C:\Windows\È뎕知㿨ؤ => Could not move
C:\Windows\È => Could not move
C:\Windows\ÄÈ⿐È => Could not move
C:\Windows\1 => Could not move
C:\Windows\⟈ => Could not move
C:\Windows\؝ => Could not move

 

Those files are the main issue.  They are still present and appear to have the timestamp updated when the computer restarts.  This indicates they are being updated/created somehow.  

 

I've reviewed other Windows 8.1 and Windows 7 computers and those files don't exist.  This means something else is creating them.

I don't know how these files are made but it appears highly suspicious and that they shouldn't be there.  

 

Any ideas?
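
Added example (not part of the original posts and not FRST's own code): a Python triage pass over FRST-style file-listing lines like those in the fixlist earlier in this thread, grouping hidden+system files that share creation time, modification time and size, which is the pattern the eleven files show. The field order (created, modified, size, attributes, path) is an assumption read off that listing, and the sample lines and file names are constructed.

```python
import re
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumed field order, read off the listing in this thread:
# created - modified - size(bytes) attribute-flags path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) (?P<path>.+)$"
)

# Constructed sample lines (file names are made up, not copied from the log).
SAMPLE = "\n".join([
    "Start",
    "2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\\Windows\\\u0579",
    "2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\\Windows\\\u04f9",
    "2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\\Windows\\1",
    "2018-04-13 15:19 - 2018-04-17 21:46 - 1878122496 ___SH C:\\Windows\\\u27c8",
    "2018-04-11 19:35 - 2018-04-11 19:35 - 558353401 _____ C:\\Windows\\MEMORY.DMP",
    "2018-04-11 19:35 - 2018-04-11 19:35 - 000000000 ____D C:\\Windows\\Minidump",
    "2018-04-10 08:00 - 2018-04-10 08:00 - 000000174 ___SH C:\\Users\\example\\desktop.ini",
    "End",
])


def parse_listing(text):
    """Return one dict per line that matches the listing format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # directives such as Start/End, registry lines, blanks
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["name"] = basename(entry["path"])
        entries.append(entry)
    return entries


def odd_name(name):
    """Heuristic: very short or non-ASCII base names deserve a second look."""
    return len(name) <= 2 or not name.isascii()


def find_clusters(entries, min_count=3):
    """Group hidden+system files with identical created/modified/size values."""
    groups = defaultdict(list)
    for e in entries:
        a = e["attrs"]
        if "S" in a and "H" in a and "D" not in a and e["size"] > 0:
            groups[(e["created"], e["modified"], e["size"])].append(e)
    return [
        {
            "key": key,
            "count": len(members),
            "odd_names": sum(odd_name(e["name"]) for e in members),
            "paths": [e["path"] for e in members],
        }
        for key, members in groups.items()
        if len(members) >= min_count
    ]


if __name__ == "__main__":
    for c in find_clusters(parse_listing(SAMPLE)):
        print(c["count"], "files,", c["odd_names"], "odd names,", c["key"])
```

A cluster like this only says the files were written together by one process; it does not say whether that process is malicious.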



#6 nasdaq

Posted 24 April 2018 - 06:39 AM

Hi,

Boot to safe mode and delete them if you can.

Keep me posted.

#7 jockovonred

Posted 24 April 2018 - 11:07 AM

Hi,

Boot to safe mode and delete them if you can.

Keep me posted.

I booted into a Linux Live CD (Debian version, Sparky Linux) to remove the files (to avoid Safe Mode for now). 

The files are deleted after rebooting back into the Linux Live CD and confirming they are gone.

When I boot back into Windows and check the directory, the eleven (11) 6.2 GB files are there again, albeit with different looking 'names' (symbols actually in place of a decipherable name).

 

I can only suspect another process is creating these files but am at a loss on which or what process is doing it.

Is this a virus, root kit, trojan or something else entirely?

 

I can try other steps if you have some I can follow.  



#8 nasdaq

Posted 24 April 2018 - 01:27 PM

Hi,

These files/folders are marked as System and Hidden.

I do not think it's malware driven. Let's check further.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

BIOS CHECK.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===


#9 nasdaq

Posted 30 April 2018 - 10:00 AM

Hi,

Are you still with me?

#10 jockovonred

Posted 30 April 2018 - 07:00 PM

Hi,

Are you still with me?

Yes, still here.  Got busy working on it this weekend and was tied up with work.

 

Here's the findings:

 

ReportRogue.txt

TDSSKiller.2.8.16.0_27.04.2018_14.07.52_log.txt

 

At this point the eleven 6.2 GB files still existed.

 

I ran the fix for the registry entries from ReportRogue and it said it deleted them.


Upon reviewing the registry, they were still there so I manually deleted them.

 

I booted to safe mode to try and delete the eleven files.  A message indicated they were in use and couldn't be deleted.

I uninstalled Norton, McAfee and Malwarebytes programs at this point to see if they would help with this issue (in case one of them was creating the files).

 

I booted the Sparky Linux live CD and removed the eleven files.  Rebooted back into the Linux Live environment and confirmed they were no longer existent in C:\Windows.

 

I booted back into Safe Mode and the files were there again, with the creation time set at the time of boot. 

 

I can only think this is virus based at this point as the problem is occurring even in Safe Mode.

I could ignore this but the files are taking up over 66 GB of space but I don't think it's a good idea.  The only option I can come up with is to refresh the system by reinstalling windows.

 

Do you have any other ideas at this time?  If you do I'm game to try!




#11 nasdaq

Posted 01 May 2018 - 08:33 AM


Hi,

As reported by the TDSS rootkit removing tool you have a MBR and a VBR

14:08:11.0589 2076 ================ Scan MBR ==================================
14:08:11.0604 2076 [ CDB4DE4BBD714F152979DA2DCBEF57EB ] \Device\Harddisk0\DR0
14:08:11.0807 2076 \Device\Harddisk0\DR0 - ok
14:08:11.0807 2076 ================ Scan VBR ==================================
14:08:11.0807 2076 [ 5B1AB06B38526946362E0A0EB86C1429 ] \Device\Harddisk0\DR0\Partition1
14:08:11.0807 2076 \Device\Harddisk0\DR0\Partition1 - ok
14:08:11.0823 2076 [ AFED99D5ADD281372475ABD74C7B2289 ] \Device\Harddisk0\DR0\Partition2
14:08:11.0838 2076 \Device\Harddisk0\DR0\Partition2 - ok


If I read this article correctly
https://en.wikipedia.org/wiki/Volume_boot_record

The 6 files you are seeing may well be required by the VBR.

A volume boot record (VBR) (also known as a volume boot sector, a partition boot record or a partition boot sector) is a type of boot sector introduced by the IBM Personal Computer. It may be found on a partitioned data storage device, such as a hard disk, or an unpartitioned device, such as a floppy disk, and contains machine code for bootstrapping programs ....


This is not my forte and I suggest that you start a new topic in the Linux forum.
An expert should be able to help you better than I can.

https://www.bleepingcomputer.com/forums/f/11/linux-unix/

I will leave this topic open until you return.

#12 jockovonred

Posted 01 May 2018 - 01:48 PM

Hi,


This is not my forte and I suggest that you start a new topic in the Linux forum.
An expert should be able to help you better than I can.

https://www.bleepingcomputer.com/forums/f/11/linux-unix/

I will leave this topic open until you return.

 

 

I am unclear why I should start a new topic in the Linux forum for the Windows OS issue.  This computer doesn't use Linux.  I was only using a Linux Live CD since Windows wasn't deleting the files.

 

Do you have a colleague that deals with Windows that's seen this before on a Dell computer?  Are you able to ask any of your resources if they've experienced this with a Dell Windows 7 Home version computer?

 

Thanks for all your help so far.



#13 nasdaq

Posted 02 May 2018 - 07:16 AM

Hi,

The VBR seen by the RogueKiller is not reported on any of the Windows 7 or 10 Forums.

I do not think it's malware, otherwise you would have other issues with this computer. These files are recreated with new names after a restart of the computer, after the previous files were deleted.

The Dell computer BIOS has its own properties. These files may be part of the Computer Restore.
Or the Section of the boot partition can be deleted.
Dell can answer these questions. I would check with them.

In the meantime, please run this scan and see what is found.

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

#14 jockovonred

Posted 02 May 2018 - 09:27 PM

 
Trying to use the link provided fails.  Here's the output:
I went to https://secure2.sophos.com/en-us/products/free-tools/virus-removal-tool/free-download.aspx, entered some details and downloaded what I believe is the correct file.
I can't upload it here due to the file size, 187 MB.  It is labeled as Sophos Virus Removal Tool.exe
 
I will run this tool from the alternate location I found and report back.


#15 nasdaq

Posted 03 May 2018 - 08:03 AM

Hi,

Thank you for the information on the new link.

I have corrected my canned speech.



