
Win 8 any worm/remote thing eat my laptop [Solved]


This topic is locked
33 replies to this topic

#16 LiquidTension
SuperMember · Retired Classroom Teacher · 2,566 posts

Posted 12 August 2014 - 06:21 AM

Hi Catherine,

Please provide the full path and name of any folders you think you should have access to, but currently do not. Do the same for anything that has changed unexpectedly.

You can provide as much information as you would like, but please try to be concise, as a lot of unnecessary information may make my job harder. Any screenshots can be uploaded to Imgur.com, and the URL pasted in your reply.

Instead of using the Windows Key + r, please move your cursor to the top right of the screen to open the Charms Menu. Click Search, type Notepad, and proceed with the instructions.

Don't worry about ListParts for now. Please complete STEP1, and describe exactly which folders you do not have access to, and what has changed unexpectedly.


Would you like to help others with malware removal? Join our Classroom and learn how!



#17 Hespetreet
New Member · Authentic Member · 19 posts

Posted 12 August 2014 - 12:41 PM

The folder things may take a little while (not so long) :) I'll start with this fixlist.



#18 Hespetreet
New Member · Authentic Member · 19 posts

Posted 12 August 2014 - 01:08 PM

Fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-08-2014 01
Ran by Hespetreet at 2014-08-12 21:04:06 Run:1
Running from C:\Users\Hespetreet\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
SearchScopes: HKCU - DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL =
SearchScopes: HKCU - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL =
2014-07-20 18:31 - 2014-07-20 18:31 - 00000000 ____D () C:\Users\Hespetreet\AppData\Roaming\Tencent
2014-07-20 18:31 - 2014-07-20 18:31 - 00000000 ____D () C:\ProgramData\Tencent
SearchScopes: HKLM - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://no.yhs4.searc...p={searchTerms}
SearchScopes: HKLM-x32 - {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://no.yhs4.searc...p={searchTerms}
HKU\S-1-5-21-3604915464-1756807762-4202892429-1001\...\MountPoints2: {9e67ff6c-100b-11e4-be74-206a8a970a09} - "E:\LaunchU3.exe" -a
AlternateDataStreams: C:\ProgramData\Temp:792D4CF1
Folder: C:\Users\Hespetreet\AppData\Local\CrashRpt
CMD: ipconfig /release
CMD: ipconfig /flushdns
CMD: ipconfig /renew
CMD: netsh winsock reset all
CMD: netsh int ip reset all
Hosts:
EmptyTemp:
end
*****************

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key deleted successfully.
"HKCR\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key not found.
C:\Users\Hespetreet\AppData\Roaming\Tencent => Moved successfully.
C:\ProgramData\Tencent => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key deleted successfully.
"HKCR\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => Key not found.
"HKU\S-1-5-21-3604915464-1756807762-4202892429-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e67ff6c-100b-11e4-be74-206a8a970a09}" => Key deleted successfully.
"HKCR\CLSID\{9e67ff6c-100b-11e4-be74-206a8a970a09}" => Key not found.
C:\ProgramData\Temp => ":792D4CF1" ADS removed successfully.

========================= Folder: C:\Users\Hespetreet\AppData\Local\CrashRpt ========================

2014-07-20 18:33 - 2014-07-20 18:33 - 0000000 ____D () C:\Users\Hespetreet\AppData\Local\CrashRpt\UnsentCrashReports
2014-07-20 18:33 - 2014-07-20 18:33 - 0000000 ____D () C:\Users\Hespetreet\AppData\Local\CrashRpt\UnsentCrashReports\Softonic for Windows_1.5.11

====== End of Folder: ======


=========  ipconfig /release =========


Windows IP Configuration

No operation can be performed on Lokal tilkobling* 12 while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.

Wireless LAN adapter Lokal tilkobling* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e5f7:cc7c:9562:f40e%12
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{0702906F-0F02-4B1B-AA90-2042C1AFF492}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Lokal tilkobling* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:107a:132b:3f57:fefd
   Link-local IPv6 Address . . . . . : fe80::107a:132b:3f57:fefd%19
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  ipconfig /renew =========


Windows IP Configuration

No operation can be performed on Lokal tilkobling* 12 while it has its media disconnected.
No operation can be performed on Wi-Fi while it has its media disconnected.

Wireless LAN adapter Lokal tilkobling* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e5f7:cc7c:9562:f40e%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter isatap.{0702906F-0F02-4B1B-AA90-2042C1AFF492}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Lokal tilkobling* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:107a:132b:3f57:fefd
   Link-local IPv6 Address . . . . . : fe80::107a:132b:3f57:fefd%19
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ip reset all =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Ingen tilgang.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========

Hosts: => Error: No automatic fix found for this entry.
EmptyTemp: => Removed 34 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====



#19 LiquidTension
SuperMember · Retired Classroom Teacher · 2,566 posts

Posted 12 August 2014 - 01:52 PM

Thank you for the log, Catherine. 

 

I will return with instructions once you have provided information on the Access Denied issue. 




#20 Hespetreet
New Member · Authentic Member · 19 posts

Posted 12 August 2014 - 05:29 PM

It's so weird.. No denied so far, I have tried almost all, but I found something right now. It is important that you see it; I'm so afraid it will be gone next time I check, so I have Notepad open all the time. It is here: c-progfilesx86-cyberlink-powerdvd12-subsys-activator

I copied a part of it so you can see if this will help you or not, so I don't give you bad info. I'm so overhappy because you are helping me out of this..

#21 LiquidTension
SuperMember · Retired Classroom Teacher · 2,566 posts

Posted 12 August 2014 - 06:11 PM

Hi Catherine,
 

it is here : c-progfilesx86-cyberlink-powerdvd12-subsys-activator

That file is OK and not something you should worry about. You can read about it here. The file is created by Cyberlink PowerDVD, which I see you have installed.
 
If you come across any files you're unsure of, I'd like you to visit VirusTotal (as instructed here) and upload the file. If the file is malicious it will be flagged. You can go ahead and upload the file you've just mentioned, and it should return clean. 
 
Let me know if there are any folders you are concerned about. 
 

ListParts was downloaded to the desktop, but it disappeared; it wasn't there so much as a second..

Move your cursor to the top-right corner of the screen. Click Search, and type ListParts in the search bar. If a result is returned, please right-click the file and click Open file location. Cut the file from that location, paste onto your Desktop and run ListParts.
 
If no results are returned, please redownload ListParts, but do not save the file to your Desktop. Instead, let it download to your default location (probably C:\Users\Hespetreet\Downloads). Now navigate to your Downloads folder, cut the file, paste onto your Desktop and run ListParts. 
 
======================================================
 
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Are you concerned about any other files/folders? 
  • ListParts log



#22 Hespetreet
New Member · Authentic Member · 19 posts

Posted 14 August 2014 - 04:38 AM

Hi, I'm sorry I didn't show up yesterday. I had a bit to do and have been working with this for many, many hours. I really, really hope you can use some of this so I don't make a fool of myself again :)

ListParts is a problem for me; I managed to click Run as admin before it disappeared, but then I got this msg <Pic could not be posted>

Another thing is that I have 2 360. I had to disable both when I downloaded ListParts, but even if I disabled them for 5 hours they enabled themselves after about 30 sec... <this pic is also missing; the icons are on the taskbar (have to press the arrow to see them). I will find a way to show you>

Changes in the PC: yesterday when I was checking folders there were so few compared to earlier. Many were empty; all the last folders in a folder were empty, all of them.
My pics were gone but the folder wasn't empty, maybe they were hidden or something. They and my docs are back now. I don't know if the last folders are still empty, because I have been reading very carefully through all I had found, to see if I read the words differently after seeing the file explorer :) Even though they weren't sure the file was 100% safe, I learned much about the docs on my PC. I have been paranoid sometimes when the mouse lived its own life and the colour changed, so I have been looking around, but I'm 45 and no expert, so I have never done anything with these folders/files.
When I double-click a folder I open it as normal, but when I right-click, AMD Vision Control Center showed up..

My pics are back and not all the last folders are empty anymore.
I also found denied folders (below)

Denied:
C:\Windows\LiveKernelReports
C:\Windows\Minidump
C:\Windows\PLA\Reports
C:\Windows\PLA\Rules
C:\Windows\PLA\Templates
C:\Windows\Resources\Themes\aero\VSCache
C:\Windows\ServiceProfiles\LocalService
C:\Windows\ServiceProfiles\NetworkService
C:\Windows\System32\config\RegBack
C:\Windows\System32\config\Systemprofile
C:\Windows\System32\LogFiles\Firewall
C:\Windows\System32\LogFiles\WMI
C:\Windows\System32\MsDtc
C:\Windows\System32\LogFiles\networklist
C:\Windows\System32\spool\Printers
C:\Windows\System32\Tasks
C:\Windows\System32\wbem\MOF\Bad
C:\Windows\System32\wbem\MOF\Good
C:\Windows\System32\wdi
C:\Windows\System32\wfp
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\config
C:\Windows\SysWOW64\MsDtc
C:\Windows\SysWOW64\N360_Backup
C:\Windows\SysWOW64\NNetworklist
C:\Windows\SysWOW64\Tasks
I did not test the folders in WinSxS because it contains 81,120 files and 29,889 folders; most are amd64, then msil, wow64 and x86.
In the middle of msil and wow64 there is a folder that contains lots of amd64 folders.
In the middle of amd64 and msil there is a Backup folder that contains 2343 files from amd64, wow64 and x86.
There is also a folder called FileMaps containing 1508 files, mostly files that start with $$; then there is 1 file called $recycle.bin.cdf-ms, and there are some program_files_common_files_microsoft_shared and a few users default appdata..
I would like to add a few weird folders; under amd64 you find
Acer
Emaschines
Founder
Gateway
Packard
the same for x86, and under Sys32-OEM-factory-sysrepxml..
I have never seen this before:
C:\Windows\assembly
GAC_32 (39 FILES, 50 FOLDERS)
GAC_64 (41 FILES, 54 FOLDERS)
GAC_MSIL (416 FILES, 1218 FOLDERS)


What I worried about, and more:
My old PC was named RomPc and I have never used Cathrine on this PC.. I saw a doc where this PC plus 2 or 3 older ones were talked about. I will find it, but I was so tired and don't remember where.
There is another doc with a lot about me (as Cathrine) and mediaplayer
Why Public??

I just wonder what the text below is?
# Copyright © 2008, Microsoft Corporation. All rights reserved.
# Get parameter from troubleshooting script
Param($originalSize)
trap { break }
# Include common library
. .\CL_Utility.ps1
Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData
# Delete admin troubleshooting history
Write-DiagProgress -Activity $localizationString.DeleteAdminTSHistory
[string]$adminTSHistoryPath = Get-AdminTSHistoryPath
Delete-OldFolders (Get-Item $adminTSHistoryPath)
[double]$adminTSHistorySize = Get-FolderSize $adminTSHistoryPath
[double]$reclaimedSpace = ($originalSize - $adminTSHistorySize)
if($reclaimedSpace -gt 0.0) {
    @{Name=$adminTSHistoryPath;ReclaimedSpace=$reclaimedSpace} |
        Select-Object -Property @{Name=$localizationString.adminTSHistoryPath;Expression={$_.Name}},@{Name=$localizationString.reclaimedAdminTSHistorySize;Expression={(Format-DiskSpaceMB $_.ReclaimedSpace) + "MB"}} |
        ConvertTo-Xml |
        Update-DiagReport -id ReclaimedAdminTSHistoryInfo -Name $localizationString.ReclaimedAdminTSHistroyInfo_name -Description $localizationString.ReclaimedAdminTSHistroyInfo_description
}
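The `O:...G:...D:(...)` fragments in the documents Catherine describes in this post are Windows security descriptors written in SDDL (owner, primary group, then the DACL's access-control entries), and a DACL that lists only SYSTEM and Administrators, as many of the Windows folders in the Denied list above have by default, is exactly what produces an Access Denied for an ordinary user account. The decoder below is an added example, not code from the thread or from any tool used in it; its SIDs and descriptor strings are constructed samples of the same shape, not values from her machine.

```python
"""Decode Windows SDDL security-descriptor strings (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed samples in the same shape as the O:...G:...D:(...) fragments;
# the machine and user SIDs are made up, not the values from the thread.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
USER_FILE_SDDL = (f"O:{USER_SID}G:S-1-5-21-1000-2000-3000-513D:AI(A;ID;FA;;;BA)"
                  f"(A;ID;FA;;;{USER_SID})(A;ID;FA;;;SY)(A;ID;0x1301ff;;;IU)")
# Typical shape of a protected system folder: only SYSTEM and Administrators are
# listed, so an ordinary user account gets Access Denied there.
PROTECTED_DIR_SDDL = "O:SYG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"

# Well-known two-letter SID aliases (subset of the MS-DTYP table).
WELL_KNOWN = {"SY": ("S-1-5-18", "Local SYSTEM"), "BA": ("S-1-5-32-544", "Administrators"),
              "BU": ("S-1-5-32-545", "Users"), "IU": ("S-1-5-4", "Interactive"),
              "SU": ("S-1-5-6", "Service"), "WD": ("S-1-1-0", "Everyone"),
              "AU": ("S-1-5-11", "Authenticated Users")}
FILE_ALL_ACCESS = 0x1F01FF
RIGHTS = {"FA": FILE_ALL_ACCESS, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,  # file rights
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}  # generic
GENERIC_TO_FILE = ((0x10000000, "FA"), (0x80000000, "FR"), (0x40000000, "FW"), (0x20000000, "FX"))
READ_REQUEST = 0x1  # FILE_READ_DATA / FILE_LIST_DIRECTORY bit

def canonical_sid(token: str) -> str:
    """Map an alias such as BA to its SID; pass explicit S-1-... strings through."""
    return WELL_KNOWN[token][0] if token in WELL_KNOWN else token

def split_sections(sddl: str) -> Dict[str, str]:
    """Split the O:/G:/D:/S: sections; a ':' outside parentheses follows a section letter."""
    marks, depth = [], 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0:
            marks.append(i - 1)
    return {sddl[s]: sddl[s + 2:e] for s, e in zip(marks, marks[1:] + [len(sddl)])}

def parse_rights(token: str) -> int:
    """Turn 'FA', 'GRGX' or '0x1301ff' into a mask, expanding generic bits to file rights."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
    else:
        mask = 0
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            if pair not in RIGHTS:
                raise ValueError(f"unknown rights shorthand {pair!r}")
            mask |= RIGHTS[pair]
    for generic, concrete in GENERIC_TO_FILE:
        if mask & generic:
            mask |= RIGHTS[concrete]
    return mask

def parse_dacl(sddl: str) -> Dict:
    """Return the DACL control flags (P, AI, ...) and its decoded ACEs, in order."""
    sections = split_sections(sddl)
    if "D" not in sections:
        raise ValueError("no DACL (D:) section")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sections["D"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, ace_flags, rights, _obj, _inh, sid = fields
        flag_pairs = {ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)}
        aces.append({"type": ace_type,                   # A = allow, D = deny
                     "inherited": "ID" in flag_pairs,    # came from the parent folder
                     "rights": parse_rights(rights), "sid": canonical_sid(sid),
                     "trustee": WELL_KNOWN[sid][1] if sid in WELL_KNOWN else sid})
    return {"flags": sections["D"].split("(", 1)[0], "aces": aces}

def has_access(sddl: str, principal_sids: List[str], requested: int = READ_REQUEST) -> bool:
    """Core DACL rule: walk ACEs in order; a matching deny on any requested bit refuses,
    allows accumulate until every requested bit is granted. (Windows also applies owner
    rights, privileges and canonical ordering; this part alone explains the Access Denied.)"""
    if "D" not in split_sections(sddl):
        return True  # no DACL at all means no protection
    principals = {canonical_sid(s) for s in principal_sids}
    granted = 0
    for ace in parse_dacl(sddl)["aces"]:
        if ace["sid"] not in principals:
            continue
        if ace["type"] == "D" and ace["rights"] & requested:
            return False
        if ace["type"] == "A":
            granted |= ace["rights"] & requested
            if granted == requested:
                return True
    return False

if __name__ == "__main__":
    for ace in parse_dacl(PROTECTED_DIR_SDDL)["aces"]:
        print(ace["type"], hex(ace["rights"]), ace["trustee"], "inherited" if ace["inherited"] else "explicit")
    print("user can read protected folder:", has_access(PROTECTED_DIR_SDDL, [USER_SID, "BU", "IU"]))
```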
 



#23 Hespetreet
New Member · Authentic Member · 19 posts

Posted 14 August 2014 - 05:10 AM

Under Services:
HYPER-V VOLUME SHADOW COPY REQUESTOR
DESCRIPTION:
Coordinates the communications that are required to use Volume Shadow Copy Service
to back up applications and data on THIS VIRTUAL machine from the operating system
on the physical computer.
**************************************************************************************
I have previously seen that this computer is referred to as the virtual machine. I'm afraid that antivirus or other help should believe that this is not the physical computer. I do not know how such signals are sent in the system; possibly it is not dangerous at all, but you never know. All this gives me a Matrix feeling.

 

This ain't all; I was tired and have to check if I put it in the bin... I'm ready for more jobs.



#24 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 14 August 2014 - 05:37 AM

Okay, thank you for the information, Catherine.

Allow me to go through your posts, and I will return with instructions later.



#25 Hespetreet

Hespetreet

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 14 August 2014 - 06:41 AM

That's great :)

 

What do you think, could I have got this via the modem from my ISP? As the two other machines have had problems too. And I have tried to connect directly to the modem without it making any difference. I have thought that it could come from the router, but I've switched router several times and it has not made any difference. A friend thought it might be a virus that had come into the modem and opened a back door... And when I switched PC, the virus has installed something there that makes it infect everything I connect to it. I will go and replace it now. However, with the new modem and an infected computer, can the computer infect the modem? I must have it online until we have got it clean.


Edited by Hespetreet, 14 August 2014 - 11:54 AM.



#26 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 14 August 2014 - 05:51 PM

Hi Catherine,
 
Please read through my post line by line, and answer any questions asked. 
 

I have been paranoid sometimes when the mouse did live its own life

Do you have a spare USB mouse that you can plug into your computer?
 

I also found denied folders (below)

These folders are all created by the Operating System. Files changing on their own within these folders is perfectly normal. 
 
When you attempt to open the folder, is this what you see?
 
Y1p71QM.png
 

I will like to add a few weird folders, under Amd64 you find

All normal. 
 

C:\Windows\assembly

Normal.
 

GAC_32  (39 FILES 50 FOLDERS)
GAC_64 (41 FILES 54 FOLDERS)
GAC_MSIL (416 FILES 1218 FOLDERS)

Normal. 
 

My old pc was named  RomPc and I have never used Cathrine on this pc

Are you sure you didn't create a user account called Catherine?

  • Move your cursor to the top-right corner of the screen. 
  • Click Settings, followed by Control Panel.
  • Click User Accounts and Family Safety
  • Click User Accounts.
  • Click Manage another account
  • Do you see an account called Catherine? Do you recognise it? 

Why Public??

Norton's installer is downloaded to this folder. It's of no concern. See links below. 
http://community.nor...ler/td-p/173333
https://community.no...ton/td-p/862722
 

I just wonder what the text below is ?

The files are all normal. 
 

HYPER-V VOLUME SHADOW COPY REQUESTOR

Where exactly did you read this? 
Which Windows 8 edition do you have (Basic, Pro or Enterprise)?
 

A friend thought it might be a virus that had come in to the modem and opened a back door

I don't think your computer is infected. We'll run a few more scans in due course to confirm this.




#27 Hespetreet

Hespetreet

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 14 August 2014 - 09:20 PM

Yes, I have a spare USB mouse that I tried, but it does not matter what mouse I use; when the cursor is not doing what I want, I have to use the TouchPad, then I have control over the pointer. But other times it may help to use a different USB port.


Yes, there is often such a message that comes up, and when you press Continue then there usually appears the Access Denied.


I have an account called Hespetreet and a guest account that is disabled

~Hyper-V Data Exchange Service
~Hyper-V Guest Shutdown Service
~Hyper-V Heartbeat Service
~Hyper-V Remote Desktop Virtualization Service
~Hyper-V Time Synchronization Service
~Hyper-V Volume Shadow Copy Requestor

They are all services on Win 8 Basic.
Right now the cursor won't go outside the Notepad; it's like there are walls. But the touchpad is doing the same; it lasts for about 5 min.

 

 

UOzFr3X.jpg


Edited by Hespetreet, 14 August 2014 - 09:21 PM.


#28 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 15 August 2014 - 06:00 AM

Hi Catherine,
 

They are all services on Win 8 Basic

These are normal. I have the same services on my Win8 machine. You will find none of the services are running. 

 
-----
 
Rather than continue to troubleshoot issues I do not believe to be caused by malware, I would like to pass you over to the Techs who are far more experienced with non-malware related issues. Before doing so, we'll run a few routine scans. 
 
STEP 1
BY4dvz9.png AdwCleaner

  • Please download AdwCleaner and save the file to your desktop.
  • Right-Click AdwCleaner.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
E3feWj5.png Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
GfiJrQ9.png Malwarebytes Anti-Malware (MBAM)

  • Please download Malwarebytes Anti-Malware Free to your desktop.
  • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
  • Launch the programme and select Update.
  • Once updated, click the Settings tab and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

======================================================

STEP 4
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[S0].txt
  • JRT.txt
  • MBAM log



#29 Hespetreet

Hespetreet

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 16 August 2014 - 12:09 PM

Hi Adam

I wrote this before I saw what you wrote about transferring this to the tech forum, but I post it. I hope they can figure out if something is technically wrong, but since 3 machines have had a similar problem, it is a little difficult for me to believe it. But I have to give it a chance, for I can't have it like this forever.

After living with the net here for a long time I've been tired of it, so I have been looking for an answer to what's going on, and since I don't know what all files do I just had to ask and hope that something could tell.

As I see it, or feel it, I'm not alone in using this PC and broadband.
It has nothing to do with money; no one has asked me for that. Just use all my space and do as "they" like with my stuff.

If I play a game or use more memory and CPU than I would have done if I was reading news on the net,
I would be surprised if I could do that without trouble. It's always the same: it hangs, it freezes, the mouse is going nuts or just doesn't do what I need it to do. Or I get a message about ~the page doesn't answer, ~a script has stopped working, or maybe the little Flash Player box shows up and asks for a site to store something on my PC even though I already have set a limit for both visited and unvisited sites.


If I write about stuff like this and use names like remote, backdoor, bugs etc. there will be a reaction; not when I write in Notepad, but if I do in chat or mail and things like that. Sometimes it acts more aggressively than other times.


It sounds so crazy when you say someone had an opportunity to move into my PC because of a bug. And this someone just uses my IP, RAM, controls my printer, is in need of communication capabilities etc.

 

Here are the logs

 

# AdwCleaner v3.305 - Report created 15/08/2014 at 20:45:24
# Updated 14/08/2014 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : Hespetreet - NOKRNOK
# Running from : C:\Users\Hespetreet\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
Key Deleted : HKCU\Software\torch

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17054


-\\ Mozilla Firefox v31.0 (x86 nb-NO)

[ File : C:\Users\Hespetreet\AppData\Roaming\Mozilla\Firefox\Profiles\79n48bde.default\prefs.js ]


-\\ Google Chrome v36.0.1985.143

[ File : C:\Users\Hespetreet\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1120 octets] - [15/08/2014 20:43:07]
AdwCleaner[S0].txt - [1007 octets] - [15/08/2014 20:45:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1067 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8 x64
Ran by Hespetreet on 15/08/2014 at 20:56:18.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"



~~~ FireFox

Emptied folder: C:\Users\Hespetreet\AppData\Roaming\mozilla\firefox\profiles\79n48bde.default\minidumps [4 files]

 

Here is the mbam log. I'm sorry if this is wrong, I have been all around after vh,m
 

 

Sorry, I saved to clipboard but I don't think this is the mbam log you will have. I have been looking for another log all over and I have also searched for clipboard on the computer with no result. This was on my desktop:

 

<?xml version="1.0" encoding="UTF-16"?>
<mbam-log>
<header><date>2014/08/15 22:30:59 +0200</date><logfile>mbam-log-2014-08-15 (22-30-58).xml</logfile><isadmin>yes</isadmin></header>
<engine><version>2.00.2.1012</version><malware-database>v2014.08.15.10</malware-database><rootkit-database>v2014.08.04.01</rootkit-database><license>free</license><file-protection>disabled</file-protection><web-protection>disabled</web-protection><self-protection>disabled</self-protection></engine>
<system><osversion>Windows 8</osversion><arch>x64</arch><username>Hespetreet</username><filesys>NTFS</filesys></system>
<summary><type>threat</type><result>completed</result><objects>286118</objects><time>1088</time><processes>0</processes><modules>0</modules><keys>0</keys><values>0</values><datas>0</datas><folders>0</folders><files>0</files><sectors>0</sectors></summary>
<options><memory>enabled</memory><startup>enabled</startup><filesystem>enabled</filesystem><archives>enabled</archives><rootkits>enabled</rootkits><deeprootkit>disabled</deeprootkit><heuristics>enabled</heuristics><pup>enabled</pup><pum>enabled</pum></options>
<items> </items>
</mbam-log>
 

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

My Hyper-V post was just an answer to your question <Where exactly did you read this? Which Windows 8 edition do you have (Basic, Pro or Enterprise)?>

 

I hope these 3 are normal too: js, j.micron, jason?
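The MBAM log pasted in this post is Malwarebytes Anti-Malware 2.x's XML scan log, and the summary block inside it is what a helper actually reads: the counters under `<summary>` say how many objects were scanned and how many processes, registry keys, files and so on were flagged, and `<items>` lists the flagged entries. The following parser is an added example written for this thread; it is not Malwarebytes' code and not from this forum. It relies only on the elements visible in the log above. The first sample is a copy of that posted log, the second is a constructed log with one detection, and the layout assumed for the children of `<items>` (one child per detection with sub-elements such as `<path>`) is an assumption, not taken from a real log.

```python
"""Summarise a Malwarebytes Anti-Malware 2.x XML scan log (mbam-log-*.xml).

Added example; not Malwarebytes' code. The <item> layout is assumed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# <summary> counters that count detections. <objects> is the number of objects
# scanned and <time> the scan duration in seconds; they are not detections.
DETECTION_FIELDS = ("processes", "modules", "keys", "values", "datas",
                    "folders", "files", "sectors")

# Constructed sample 1: the log posted in the thread, as it looks after being
# opened in a browser's XML view and copied out (note the '-' tree markers).
SAMPLE_CLEAN = """<?xml version="1.0" encoding="UTF-16"?>
-<mbam-log>-<header><date>2014/08/15 22:30:59 +0200</date><logfile>mbam-log-2014-08-15 (22-30-58).xml</logfile><isadmin>yes</isadmin></header>-<engine><version>2.00.2.1012</version><malware-database>v2014.08.15.10</malware-database><rootkit-database>v2014.08.04.01</rootkit-database><license>free</license></engine>-<system><osversion>Windows 8</osversion><arch>x64</arch><username>Hespetreet</username></system>-<summary><type>threat</type><result>completed</result><objects>286118</objects><time>1088</time><processes>0</processes><modules>0</modules><keys>0</keys><values>0</values><datas>0</datas><folders>0</folders><files>1</files><sectors>0</sectors></summary>-<options><rootkits>enabled</rootkits><pup>enabled</pup></options><items> </items></mbam-log>""".replace("<files>1</files>", "<files>0</files>")

# Constructed sample 2: a hypothetical log with one file detection, stored the
# way MBAM writes the file on disk (UTF-16 with a byte-order mark). The <item>
# layout below is an assumption, not copied from a real log.
SAMPLE_DETECTION = """<?xml version="1.0" encoding="UTF-16"?>
<mbam-log><header><date>2014/08/16 10:00:00 +0200</date><isadmin>yes</isadmin></header><engine><version>2.00.2.1012</version><malware-database>v2014.08.15.10</malware-database></engine><summary><type>threat</type><result>completed</result><objects>1000</objects><time>60</time><processes>0</processes><modules>0</modules><keys>0</keys><values>0</values><datas>0</datas><folders>0</folders><files>1</files><sectors>0</sectors></summary><options><rootkits>disabled</rootkits></options><items><item><type>File</type><name>PUP.Optional.Example</name><path>C:\\Users\\example\\Downloads\\installer.exe</path></item></items></mbam-log>""".encode("utf-16")


@dataclass
class MbamSummary:
    date: str
    engine_version: str
    malware_db: str
    rootkit_scan: bool
    objects_scanned: int
    seconds: int
    detections: dict   # summary field -> count, non-zero entries only
    items: list        # one {tag: text} dict per child of <items>

    @property
    def clean(self) -> bool:
        """True when neither the counters nor the item list report anything."""
        return not self.detections and not self.items


def _normalise(raw) -> str:
    """Return parseable XML text from the log as bytes or as pasted text."""
    if isinstance(raw, bytes):
        # MBAM writes UTF-16 with a BOM; fall back to UTF-8 for re-saved copies.
        enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
        text = raw.decode(enc)
    else:
        text = raw
    # The declaration claims UTF-16, which is no longer true once decoded.
    text = re.sub(r"<\?xml[^>]*\?>", "", text, count=1)
    # Browser XML viewers prefix each collapsible element with '-'; when the log
    # is copied out of such a view those markers come along. Strip a '-' that
    # sits directly before an opening tag and after a tag end or whitespace.
    text = re.sub(r"(?:^|(?<=[>\s]))-(?=<)", "", text, flags=re.M)
    return text.strip()


def parse_mbam_log(raw) -> MbamSummary:
    root = ET.fromstring(_normalise(raw))
    if root.tag != "mbam-log":
        raise ValueError(f"not an MBAM log: root element is <{root.tag}>")

    def text(path, default=""):
        el = root.find(path)
        val = (el.text or "").strip() if el is not None else ""
        return val or default

    detections = {}
    for field in DETECTION_FIELDS:
        count = int(text(f"summary/{field}", "0"))
        if count:
            detections[field] = count

    # Assumed layout: one child element per detection, flattened to {tag: text}.
    items = [{c.tag: (c.text or "").strip() for c in child}
             for child in root.findall("items/*")]

    return MbamSummary(
        date=text("header/date"),
        engine_version=text("engine/version"),
        malware_db=text("engine/malware-database"),
        rootkit_scan=text("options/rootkits") == "enabled",
        objects_scanned=int(text("summary/objects", "0")),
        seconds=int(text("summary/time", "0")),
        detections=detections,
        items=items,
    )


def describe(summary: MbamSummary) -> str:
    """One-line verdict of the kind a helper would read out in a thread."""
    verdict = "clean" if summary.clean else f"detections {summary.detections}"
    return (f"MBAM {summary.engine_version} (db {summary.malware_db}) on {summary.date}: "
            f"{summary.objects_scanned} objects in {summary.seconds}s, "
            f"rootkit scan {'on' if summary.rootkit_scan else 'off'}, {verdict}")


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_DETECTION):
        print(describe(parse_mbam_log(sample)))
```

Run against the posted log this reports 286118 objects scanned in 1088 seconds with the rootkit scan on and nothing detected, which is the "clean" outcome the helper is looking for. The two things worth checking before trusting such a verdict are the `<rootkits>` option (the helper asked for it to be ticked) and the database date, both of which the parser surfaces.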

 



#30 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 16 August 2014 - 01:37 PM

Hi Catherine,
 

My Hyper-V post was just an answer to your question

Yep, I understood that. My response was to reassure you that what you were seeing is perfectly normal.
 
Let's run these last two scans. If they come up clean, I will direct you to the Techs who are better equipped at dealing with non-malware related issues. 
 
STEP 1
MgeHyNE.png Batch File

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    rd /s /q "C:\ProgramData\boost_interprocess"
    del %0
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File > Save As and name the file batch.bat
  • Select All Files as the Save as type.
  • Save the file to your desktop
     
  • Locate batch.bat iKKSwsh.png (W8/7/Vista) on your desktop. Double-click the icon. 
     

STEP 2
GzlsbnV.png ESET Online Scan
Note: This scan will take a significant amount of time to complete. Please do not browse the Internet whilst your resident protection is disabled.

  • Please download ESET Online Scan and save the file to your desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then press Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to Scan archives, Scan for potentially unsafe applications and Enable Anti-Stealth technology.
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click esetListThreats.png. If no threats were found, skip the next two bullet points. 
  • Click esetExport.png and save the file to your desktop, naming it something unique such as MyEsetScan.
  • Push the Back button.
  • Place a checkmark next to KN1w2nv.png and click SzOC1p0.png.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

STEP 3
A50erAh.png Sophos Virus Removal Tool

  • Please download Sophos Virus Removal Tool and save the file to your desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click the icon and select AVOiBNU.jpg Run as administrator to run the programme.
  • Click Next.
  • Select I accept the terms in this license agreement, then click Next twice.
  • Click Install.
  • Click Finish to launch the programme.
  • Once the virus database has been updated click Start scanning
  • If threats are found click Details, followed by View log file.
  • Copy the contents of the log and paste in your next reply.
  • Close the Notepad document, close the Threat Details screen, and click Start cleanup.
  • Click Exit to close the programme. 
  • Re-enable your anti-virus software. 
     

======================================================
 
STEP 4
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ESET Online Scan log
  • Sophos Virus Removal Tool log
