Page 1 of 4 1234 LastLast
Results 1 to 10 of 35

Thread: Ransomeware help

  1. #1
    Junior Member
    Join Date
    Jul 2017
    Posts
    19

    Default Ransomeware help

    A chatbox like IM box appeared on my screen and started chatting with me. Said they have been watching me for awhile and basically they want me to use Paypal to pay them money, they said they have seen me use it before. I did not reply when they asked for money and I shut everything down. I went back online last night for awhile and nothing came up. Everything seems to work fine on my laptop and I have not heard from them again. I have run spybot and malwarebytes and tried to clean with those two programs, but I don't know what to do now. How can I get rid of it and how can I ever be sure that they are gone and can't get back in so that I can use my laptop again and feel secure.

    Thanks

    MickD.

  2. #2
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Hi MickD
    If this is really ransomeware then there wont be much I can do to help other then supply you with links to read over with information regarding Ransomeware.
    https://www.bleepingcomputer.com/new...enis-and-more/
    https://www.bleepingcomputer.com/new...ana-decrypt0r/


    But, they asked you to use PayPal?....interesting.

    On the other hand it kinds resembles scam-ware.....just an idea because it could indeed be Ransomeware.

    ~~~~~
    Before continuing please create a restore point.

    ~~~~~~~~~~~~~~~`

    RogueKiller
    • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
    • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
    • Wait for the scan to complete
    • On completion, the results will be displayed
    • Check every single entry (threat found), and click on the Remove Selected button
    • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
    • This will open the report in Notepad. Copy/paste its content in your next reply


    AdwCleaner - Fix Mode
    • Download AdwCleaner and move it to your Desktop
    • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Accept the EULA (I accept), then click on Scan
    • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
    • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Heres another link
    https://www.bleepingcomputer.com/vir...at/ransomware/

    What is the computer doing out of the ordinary?
    Is it showing symptoms of infection?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #4
    Junior Member
    Join Date
    Jul 2017
    Posts
    19

    Default

    Thank you for the reply and I will go through the steps of things to do that you listed. I'm only calling it ransomware because I don't know what else to call it. It doesn't seem like ransomware that I have heard of. It was a chatbox or like an IM box that appeared onscreen while I was online doing nothing really, email, news. It started talking to me and at first I tried to shut it down anyway I could think of and then it said, "you can't close it". He said he wanted money and that I could use paypal to send it and that he knows I know how because he has watched me do it. I asked why me and all those questions and didn't get a straight answer and I cannot tell if it is someone local or foreign or anything. Please ask any other questions you have.

    Quote Originally Posted by Juliet View Post
    Heres another link
    https://www.bleepingcomputer.com/vir...at/ransomware/

    What is the computer doing out of the ordinary?
    Is it showing symptoms of infection?

  5. #5
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Yes, I'd like to see those logs.

    I'm not that good with remembering all the types and functions of ransomewares out there and new ones are created often, but I will ask around.
    But I was thinking it kinda locked down your computer and files?, you seen any signs of that?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #6
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Also, I'm going to need to see the logs created by the following tool


    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) andsave the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  7. #7
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    curious

    did you have your web browser open when that chatbox popped up?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  8. #8
    Junior Member
    Join Date
    Jul 2017
    Posts
    19

    Default

    Quote Originally Posted by Juliet View Post
    curious

    did you have your web browser open when that chatbox popped up?

    Yes I had a FireFox broser open doing nothing really, checking email or reading news when it apeared. If you need the scan result sent another way let me know. Thank you!!





    Here is text of AdwCleaner report

    # AdwCleaner 7.0.8.0 - Logfile created on Sun Mar 25 22:57:19 2018
    # Updated on 2018/08/02 by Malwarebytes
    # Running on Windows 10 Home (X64)
    # Mode: clean
    # Support: https://www.malwarebytes.com/support

    ***** [ Services ] *****

    No malicious services deleted.

    ***** [ Folders ] *****

    Deleted: C:\Users\mikef\AppData\Local\WinSweeper


    ***** [ Files ] *****

    No malicious files deleted.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****




    Here is RogueKiller scan



    RogueKiller V12.12.9.0 (x64) [Mar 19 2018] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : https://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 10 (10.0.16299) 64 bits version
    Started in : Normal mode
    User : mikef [Administrator]
    Started from : F:\Programs\RogueKiller_portable64.exe
    Mode : Scan -- Date : 03/25/2018 14:49:32 (Duration : 00:29:14)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 17 ¤¤¤
    [PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\OCS -> Found
    [PUP.Gen0|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Solvusoft -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\OCS -> Found
    [PUP.Gen0|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Solvusoft -> Found
    [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCO...G=ICO-cb508e63 -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BA44931F-63B5-490F-AA79-2C7E83E3A1CF} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=c:\users\mikef\appdata\local\temp\ffa.tmp.exe|Name=MAD| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DA58F8EB-A770-4F38-BD85-C5E4C7AF42CB} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS48E5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06A8A719-BA82-43A2-9B28-D924584F2566} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS48E5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5E7DD3BF-690F-455C-B608-863EA52D1163} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\mikef\AppData\Local\Temp\UninstallTemp.exe|Name=AndyRemoveInTemp| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F53BEA4C-F9E5-4F6C-A560-7F003DABDA16} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\mikef\AppData\Local\Temp\UninstallTemp.exe|Name=AndyRemoveOutTemp| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {800EF007-BF0B-4005-B58B-418F1C8F2D07} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\mikef\AppData\Local\Temp\Andy_46.2_x64\Setup.exe|Name=AndySetupIn| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {18B8E56F-D848-41FA-B1E4-04F6671B0ECF} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\mikef\AppData\Local\Temp\Andy_46.2_x64\Setup.exe|Name=AndySetupOut| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D5CE597A-7BED-4144-ADD7-AC81F91F7114} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS5B0E\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E8EA8238-6868-49DA-90DE-BC339106D8F5} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS5B0E\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 4 ¤¤¤
    [PUM.HomePage][Firefox:Config] inyi5s32.default-1521871370978 : user_pref("browser.startup.homepage", "https://mail.yahoo.com/|https://www.facebook.com/|https://www.youtube.com/|https://mail.google.com/mail/u/0/#inbox"); -> Found
    [PUM.HomePage][Chrome:Config] Profile 3 [SecurePrefs] : session.startup_urls [https://mg.mail.yahoo.com/neo/launch.../youtube.com/] -> Found
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [DuckDuckGo] -> Found
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.suggestions_url [https://ac.duckduckgo.com/ac/?q={searchTerms}&type=list] -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: HFS256G39MND-2300A +++++
    --- User ---
    [MBR] df1863962a03673101c75437f6cfffc3
    [BSP] 7309b564c7154fdcd7ea26378ec14b1f : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
    1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
    2 - Basic data partition | Offset (sectors): 567296 | Size: 243422 MB
    3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 499095552 | Size: 499 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: WD My Passport 0827 USB Device +++++
    --- User ---
    [MBR] a6ef9e9e43ec973a4f6a66e765f7ccf7
    [BSP] 885814df319cc6e825466bdc3e388595 : Windows XP|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953836 MB [Windows XP Bootstrap | Windows XP Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )



    Here is a second scan from RogueKiller after the first.



    RogueKiller V12.12.9.0 (x64) [Mar 19 2018] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : https://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 10 (10.0.16299) 64 bits version
    Started in : Normal mode
    User : mikef [Administrator]
    Started from : F:\Programs\RogueKiller_portable64.exe
    Mode : Scan -- Date : 03/25/2018 14:49:32 (Duration : 00:29:14)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 17 ¤¤¤
    [PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found
    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\OCS -> Found
    [PUP.Gen0|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Solvusoft -> Found
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\OCS -> Found
    [PUP.Gen0|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Solvusoft -> Found
    [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCO...G=ICO-cb508e63 -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BA44931F-63B5-490F-AA79-2C7E83E3A1CF} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=c:\users\mikef\appdata\local\temp\ffa.tmp.exe|Name=MAD| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DA58F8EB-A770-4F38-BD85-C5E4C7AF42CB} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS48E5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06A8A719-BA82-43A2-9B28-D924584F2566} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS48E5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5E7DD3BF-690F-455C-B608-863EA52D1163} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\mikef\AppData\Local\Temp\UninstallTemp.exe|Name=AndyRemoveInTemp| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F53BEA4C-F9E5-4F6C-A560-7F003DABDA16} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\mikef\AppData\Local\Temp\UninstallTemp.exe|Name=AndyRemoveOutTemp| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {800EF007-BF0B-4005-B58B-418F1C8F2D07} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\mikef\AppData\Local\Temp\Andy_46.2_x64\Setup.exe|Name=AndySetupIn| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {18B8E56F-D848-41FA-B1E4-04F6671B0ECF} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\mikef\AppData\Local\Temp\Andy_46.2_x64\Setup.exe|Name=AndySetupOut| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D5CE597A-7BED-4144-ADD7-AC81F91F7114} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS5B0E\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E8EA8238-6868-49DA-90DE-BC339106D8F5} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\mikef\AppData\Local\Temp\7zS5B0E\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2844788878-880486787-4179794426-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 4 ¤¤¤
    [PUM.HomePage][Firefox:Config] inyi5s32.default-1521871370978 : user_pref("browser.startup.homepage", "https://mail.yahoo.com/|https://www.facebook.com/|https://www.youtube.com/|https://mail.google.com/mail/u/0/#inbox"); -> Found
    [PUM.HomePage][Chrome:Config] Profile 3 [SecurePrefs] : session.startup_urls [https://mg.mail.yahoo.com/neo/launch.../youtube.com/] -> Found
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [DuckDuckGo] -> Found
    [PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.suggestions_url [https://ac.duckduckgo.com/ac/?q={searchTerms}&type=list] -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: HFS256G39MND-2300A +++++
    --- User ---
    [MBR] df1863962a03673101c75437f6cfffc3
    [BSP] 7309b564c7154fdcd7ea26378ec14b1f : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
    1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
    2 - Basic data partition | Offset (sectors): 567296 | Size: 243422 MB
    3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 499095552 | Size: 499 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: WD My Passport 0827 USB Device +++++
    --- User ---
    [MBR] a6ef9e9e43ec973a4f6a66e765f7ccf7
    [BSP] 885814df319cc6e825466bdc3e388595 : Windows XP|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953836 MB [Windows XP Bootstrap | Windows XP Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

  9. #9
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I think you posted the first RogueKiller log twice?

    I'd like to see the log from RogueKiller showing it had deleted those items found.
    Last edited by Juliet; 2018-03-26 at 03:37.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  10. #10
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I need to throw this out there before I probably have to leave for the night

    Malwarebytes - Clean Mode
    • Download and install the free version of Malwarebytes
      Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
    • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so

      Enable Rootkit Scan
    • Go in the Settings tab, and then under Protection. From there, scroll down a bit and make sure that the Scan for rootkits option is turned to On under Scan Options.
      SETTINGS.....PROTECTION make sure AUTOMATIC QUARANTINE is on.
    • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
    • Let the scan run, the time required to complete the scan depends of your system and computer specs
    • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
      • If it asks you to restart your computer to complete the removal, do so
    • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard.
    • Paste the content in your next reply


    Use the computer as little as possible till I can see the logs requested.
    Last edited by Juliet; 2018-03-26 at 03:47. Reason: typo
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •