malwarebytes.org and others redirecting to hotmail


Hi,

I have a computer that had a virus. The virus changed the winlogon from userinit.exe to something else so that I couldn't log in. I sorted that out by correcting the registry.

The virus also caused the redirect from www.malwarebytes.org to www.hotmail.com, so I had to download and install Malwarebytes via USB key.

Malwarebytes Free is now reporting that the computer is clean, but the redirect is still in place. The free trial of Malwarebytes Pro has stopped reporting suspicious traffic, so I believe it's removed properly.

I've checked the hosts file and it's empty apart from the default settings.

I've also run Kaspersky TDSSKiller and deleted what it found.

attach.txt

dds.txt

Many thanks

Dan

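Dan's post names two places a redirecting infection hides: the Winlogon Userinit value that locked him out, and the hosts file he checked by hand. The following is an added example, not code from the thread or from Malwarebytes: an offline triage helper that audits both from text you pull off the machine. The stock-value sets, the watched-domain list and the sample hosts text are constructed assumptions.

```python
# Added example (not code from the thread or from Malwarebytes): an offline
# triage helper for the two things Dan checked by hand, the Winlogon
# "Userinit" value and the hosts file. Paths, domains and the sample hosts
# text below are constructed for illustration.
from typing import List, Tuple

# Stock Userinit value on Windows XP/2003; the trailing comma is normal.
STOCK_USERINIT = {r"c:\windows\system32\userinit.exe",
                  r"%systemroot%\system32\userinit.exe"}

# Entries a stock hosts file may carry; anything else deserves a look.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Security-vendor names a redirecting infection commonly hijacks
# (constructed list; extend it for your own environment).
WATCHED_DOMAINS = {"malwarebytes.org", "www.malwarebytes.org"}


def userinit_extras(value: str) -> List[str]:
    """Return every program in a Userinit value that is not the stock one.

    Userinit is a comma-separated list; malware persists by appending itself
    or replacing userinit.exe outright, which is what locked Dan out of the
    desktop. An empty list means the value is clean.
    """
    parts = [p.strip().strip('"').lower() for p in value.split(",")]
    return [p for p in parts if p and p not in STOCK_USERINIT]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse hosts-file text into (address, hostname) pairs, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed line, skip it
        for name in fields[1:]:                   # one address, many names
            pairs.append((fields[0], name.lower()))
    return pairs


def hosts_audit(text: str) -> List[Tuple[str, str, bool]]:
    """Return non-default hosts entries as (address, name, is_watched_domain).

    A watched domain pointed anywhere, loopback included, is a redirect or a
    block of that site. A clean result does not prove there is no redirect:
    Dan's hosts file was clean and the redirect persisted, so DNS settings
    and proxy configuration are the next places to look.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_HOSTS:
            continue
        findings.append((addr, name, name in WATCHED_DOMAINS))
    return findings


# Constructed sample: a stock XP hosts file plus one injected redirect entry
# (203.0.113.7 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.malwarebytes.org   # injected entry (constructed)
"""

if __name__ == "__main__":
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    hijacked = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\notreal.exe,"
    print("Userinit extras (clean):   ", userinit_extras(clean))
    print("Userinit extras (hijacked):", userinit_extras(hijacked))
    for addr, name, watched in hosts_audit(SAMPLE_HOSTS):
        flag = "WATCHED DOMAIN" if watched else "non-default"
        print(f"hosts: {addr:<15} {name:<25} {flag}")
```

Paste the Userinit value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the hosts file contents in; anything the functions return is something to explain before calling the box clean.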

Hello journo and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

While you've run TDSSKiller once already, let's run it again to verify that the previous suspicious items have not reappeared ;):

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

  • Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


Hi D-FRED-BROWN,

I believe it completed successfully, but the PC did restart when I wasn't watching, so I don't know if that was a planned restart as part of the ComboFix routine.

However, it seems to have resolved the problem.

Please find the combofix.txt file attached.

ComboFix.txt

Thanks for your help.

Dan


Glad to hear you were successful. We've got a lot more to clean up; however, there are some things I'd like to clear up first:

First, have you intentionally installed any BitCoin-mining software on your computer? While this is indeed legitimate software, it's often installed by cybercriminals alongside their malware... if you aren't familiar with it, we should erase it from your system. ;)

--------

Second, did you knowingly install this application:

Covenant Eyes "internet accountability" software

It is surveillance software that tracks all activities, logs keystrokes, etc.

More information can be found here http://www.covenanteyes.com/about/

If you aren't familiar with it, please let me know immediately.

--------

Next, do you recognize the following folders (in bold)?

  • c:\documents and settings\az.SEEDLONDON\Application Data\Security
  • c:\documents and settings\az.SEEDLONDON\Application Data\System

Please let me know :).

--------

Let's run a scan with Malwarebytes:

If you don't already have it, download and install it from the site

Next, please Launch Malwarebytes' Anti-Malware.

  • Please click Check for Updates to see if any updates are found. If so, please allow MBAM to download and install them.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

Let me know how things go :).


First, have you intentionally installed any BitCoin-mining software on your computer? While this is indeed legitimate software, it's often installed by cybercriminals alongside their malware... if you aren't familiar with it, we should erase it from your system. ;)

Never heard of BitCoin. The user may have installed it, but if it's suspicious, I'd rather remove it. They can always reinstall. Could it be part of Covenant Eyes?

Second, Did you knowingly install this application:

Covenant Eyes "internet accountability" software

Yes, that was knowingly installed.

Next, do you recognize the following folders (in bold)?

  • c:\documents and settings\az.SEEDLONDON\Application Data\Security
  • c:\documents and settings\az.SEEDLONDON\Application Data\System

Please let me know :).

No I don't. And I don't recognise the files within those folders either. Only System\CG has files in it:

Directory of C:\Documents and Settings\az.SEEDLONDON\Application Data\System\CG

17/05/2012 18:32 <DIR> .
17/05/2012 18:32 <DIR> ..
17/05/2012 18:30 249,344 libcurl-4.dll
17/05/2012 18:31 87,054 libpdcurses.dll
17/05/2012 18:31 177,207 libusb-1.0.dll
17/05/2012 18:31 57,960 OpenCL.dll
17/05/2012 18:32 13,648 phatk120223.cl
17/05/2012 18:32 44,730 poclbm120327.cl
17/05/2012 18:32 68,096 pthreadGC2-w32.dll
17/05/2012 18:32 68,096 pthreadGC2.dll
17/05/2012 18:30 124,928 winapi.exe
9 File(s) 891,063 bytes
2 Dir(s) 69,349,888,000 bytes free

Let's run a scan with Malwarebytes:

Running scan. I'll post the results when it completes.


Never heard of BitCoin. The user may have installed it, but if its suspicious, i'd rather remove it. They can always reinstall. Could it be part of Covenant Eyes?

It shouldn't be part of Covenant Eyes. We'll go ahead and remove it ;).

First,

Backup Your Registry with ERUNT

  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

------------

Next, let's create a new system restore point.

See these instructions provided by Microsoft: http://support.microsoft.com/kb/948247

------------

After backing up the registry and making a new restore point, let's take care of all that mess:

Please do the following:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
c:\windows\system32\lNLolnfK.exe
c:\documents and settings\All Users\baapkbve.exe
c:\documents and settings\az.SEEDLONDON\Application Data\Gerichtsdokumente.exe
c:\documents and settings\az.SEEDLONDON\Local Settings\Temp\name.exe
c:\documents and settings\az.SEEDLONDON\Application Data\2 3\l3.lnk
C:\Program Files\Common Files\lsmass.exe
C:\Documents and Settings\All Users\Application Data\wscntfy.exe
c:\documents and settings\az.SEEDLONDON\Local Settings\Temp\javaw.exe
c:\Documents and Settings\az.SEEDLONDON\Local Settings\Temp\svchost.exe
c:\documents and settings\az.SEEDLONDON\Local Settings\Temp\MsMpEng.exe
c:\docume~1\AZ1D36~1.SEE\LOCALS~1\Temp\left.exe
c:\documents and settings\az.seedlondon\local settings\application data\taskhost.exe
c:\documents and settings\az.SEEDLONDON\Application Data\Driver.exe
c:\documents and settings\az.SEEDLONDON\Application Data\Ykkuw\uvdiw.exe
c:\documents and settings\az.SEEDLONDON\Local Settings\Temp\mine.exe
C:\windows\system32\drivers\37570626.sys
c:\windows\pss\Miner.exeStartup
c:\documents and settings\az.SEEDLONDON\Start Menu\Programs\Startup\Miner.exe
c:\windows\pss\cwcwer.lnkStartup
c:\documents and settings\az.SEEDLONDON\Start Menu\Programs\Startup\cwcwer.lnk
c:\documents and settings\az.SEEDLONDON\Start Menu\Programs\Startup\cfe.lnk
c:\windows\pss\cfe.lnkStartup

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lCxZVLYHETLqLDa4IHCcIceV4]

Folder::
c:\documents and settings\az.SEEDLONDON\Application Data\Security
c:\documents and settings\az.SEEDLONDON\Application Data\System
c:\documents and settings\az.SEEDLONDON\Application Data\WinDefender
c:\documents and settings\az.SEEDLONDON\My Documents\MSDCSC
c:\documents and settings\az.SEEDLONDON\Application Data\2 3
c:\documents and settings\az.SEEDLONDON\Application Data\6 5

Driver::
37570626

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)


Your logs are looking much better!

Before moving on to the next step, are you still encountering any issues? How is the computer running? Please let me know :).

Let's run an online scan to verify that there's no traces left that we may have missed:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Please post that log in your next reply, and let me know how things go :).


Hi,

Sorry for the delay.

Here are the results:-

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9008ce58ac188f4d9a6ef5f36fc5dad2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-29 08:58:46
# local_time=2012-05-29 09:58:46 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 117 117 0 0
# scanned=117647
# found=85
# cleaned=85
# scan_time=6582


Thanks

Dan


Looks like that's the last of it. Let's see what programs of yours we need to update to keep you more secure in the future:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Hi,

I just wanted to update you that the user was using it today and installed Google Drive, which asked him to perform a reboot.

Then there were a series of messages that mentioned the words 'deleting files' and indexes.

Then the PC stopped booting and continuously showed the blue screen, even in safe mode and last known good config.

Running Recuva on it to rescue the data, then I'll reinstall Windows.

Not sure what the cause was. Could it have been the viruses?

Thanks

Dan


It's tough to tell; quite possibly it was due to viruses, but it could also be due to anything else, like the Google Drive install. The messages you've described make me think something else may have happened (e.g. a failed hard drive), as things were working smoothly not long before that.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
