Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Feb 25, 2015 14:39:44 GMT -8
I have found the running process; there are others, including the wallpaper set to a .bmp file:

() C:\Users\One\AppData\Local\Temp\oynpyai.exe

The encrypted personal files have ivwmxpf on the end, for example:

C:\Users\One\Desktop\JrZooRegistrationSpring2015.PDF.ivwmxpf
Quads
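The two facts in the post above, an unfamiliar extension (ivwmxpf) appended after the real one and a ransom note whose name carries the same tag (!Decrypt-All-Files-ivwmxpf.txt / .bmp), are what a responder uses to scope how much was hit before any cleanup. The script below is an added example, not code from this thread or from FRST; it builds a constructed directory tree that mirrors the paths named above (the two file names from the thread plus made-up ones), infers the appended suffix from the note name and, failing that, from the most common unknown trailing extension, and lists the affected files grouped by their original type. The NORMAL_EXTS list and the note-name pattern are assumptions for the demonstration.

```python
"""Inventory of files touched by an extension-appending ransomware.

Added example for this thread (not FRST or any tool the helper used). It
creates a small constructed tree, infers the appended suffix and reports the
affected files, so a responder can see the scope before touching anything.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Ransom-note name shape seen in the thread: !Decrypt-All-Files-<tag>.txt / .bmp
NOTE_PATTERN = re.compile(
    r"^!Decrypt-All-Files-(?P<tag>[A-Za-z0-9]+)\.(?:txt|bmp|html?)$", re.IGNORECASE
)

# Extensions a personal file normally ends with (assumed list); anything that
# follows one of these is a candidate for the appended ransomware suffix.
NORMAL_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
               "jpg", "jpeg", "png", "txt", "zip"}


def infer_suffix(root: Path) -> Optional[str]:
    """Prefer the tag in the ransom-note name; otherwise the most common
    unknown extension that sits after a normal one."""
    note_tags: Counter = Counter()
    trailing: Counter = Counter()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        m = NOTE_PATTERN.match(p.name)
        if m:
            note_tags[m["tag"].lower()] += 1
            continue
        parts = p.name.lower().split(".")
        # "archive.tar.gz" is not counted: "tar" is not a normal final extension
        if len(parts) >= 3 and parts[-2] in NORMAL_EXTS:
            trailing[parts[-1]] += 1
    if note_tags:
        return note_tags.most_common(1)[0][0]
    if trailing:
        return trailing.most_common(1)[0][0]
    return None


def inventory(root: Path) -> Dict:
    """Return the inferred suffix, the ransom notes, the encrypted files and
    a count of encrypted files per original extension."""
    suffix = infer_suffix(root)
    notes: List[Path] = []
    encrypted: List[Path] = []
    by_type: Counter = Counter()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if NOTE_PATTERN.match(p.name):
            notes.append(p)
        elif suffix and p.name.lower().endswith("." + suffix):
            encrypted.append(p)
            original = p.name[: -(len(suffix) + 1)]      # strip ".<suffix>"
            ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
            by_type[ext] += 1
    return {"suffix": suffix, "notes": notes, "encrypted": encrypted, "by_type": by_type}


def build_sample_tree(base: Path) -> None:
    """Constructed sample: two names from the thread, the rest made up; dummy contents."""
    files = {
        "Desktop/JrZooRegistrationSpring2015.PDF.ivwmxpf": b"\x00" * 64,
        "Documents/budget.xlsx.ivwmxpf": b"\x00" * 64,
        "Documents/photo.jpg.ivwmxpf": b"\x00" * 64,
        "Documents/!Decrypt-All-Files-ivwmxpf.txt": b"constructed ransom note text",
        "Documents/!Decrypt-All-Files-ivwmxpf.bmp": b"BM",
        "Documents/notes.txt": b"not encrypted",
        "Documents/archive.tar.gz": b"\x1f\x8b",
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> Dict:
    """Build the sample tree in a temp dir, inventory it, return root-relative names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        result = inventory(root)
        result["notes"] = [str(p.relative_to(root)) for p in result["notes"]]
        result["encrypted"] = [str(p.relative_to(root)) for p in result["encrypted"]]
    return result


if __name__ == "__main__":
    r = run_demo()
    print(f"appended suffix: .{r['suffix']}")
    print(f"ransom notes:    {r['notes']}")
    print(f"encrypted files: {len(r['encrypted'])} {dict(r['by_type'])}")
    for name in r["encrypted"]:
        print("  ", name)
```

Run against a real profile, the only change is to call inventory() on the user's home directory instead of the constructed tree; the counts per original type are what tells you whether backups cover the loss, and the note paths are what FRST later moves out of the way.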
Post by Quads on Feb 26, 2015 14:04:30 GMT -8
Hmmm
Are you still able to open the FRST.txt and addition.txt log files? .txt files are, or can be seen as, a personal file type, so the Ransomcrypt may have already encrypted the log files. Seeing as the fixlist is also a .txt file, it could be interesting to be able to get and use the fixlist.txt before it gets encrypted so that FRST cannot use it.
Quads
Post by htgawm on Feb 26, 2015 21:11:10 GMT -8
Once the two files were created they opened for viewing and I haven't closed either one yet, therefore I can still access them. Should I close them and try to open them again?
Post by Quads on Feb 26, 2015 21:23:56 GMT -8
Yes, thanks.
Quads
Post by htgawm on Feb 27, 2015 20:06:00 GMT -8
I closed both and was able to open both again.
Post by Quads on Feb 27, 2015 20:20:58 GMT -8
Press the Windows + R keys on your keyboard at the same time. Type notepad and click OK. Copy the entire content of the codebox below and paste it into the notepad (including start and end):

start
(Lift Seller) C:\Users\One\AppData\Local\YgPack\01423089035499.exe
C:\Users\One\AppData\Local\YgPack\01423089035499.exe
() C:\Users\One\AppData\Local\Temp\oynpyai.exe
C:\Users\One\AppData\Local\Temp\oynpyai.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [YgPack] => C:\Users\One\AppData\Local\YgPack\01423089035499.exe [434176 2015-02-04] (Lift Seller)
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ozzics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\One\AppData\Local\YgPack\Compare.dll
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ilcsoft] => regsvr32.exe C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll <===== ATTENTION
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [FlashPlayerUpdate] => C:\Users\One\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [262144 2015-02-24] ()
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [] => C:\Users\One\AppData\Local\Temp\oynpyai.exe [755131 2015-02-23] () <===== ATTENTION
Toolbar: HKLM-x32 - ShopAtHome.com Toolbar - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\One\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
2015-02-23 21:43 - 2015-02-23 22:24 - 00001266 _____ () C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.txt
2015-02-23 21:43 - 2015-02-23 21:43 - 04320054 _____ () C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.bmp
2015-02-23 17:38 - 2015-02-23 17:38 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
C:\Users\One\AppData\Local\Temp\01423089035499.exe
C:\Users\One\AppData\Local\Temp\oynpyai.exe
Reboot:
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

Right-click on the FRST icon and select Run as Administrator to start FRST. (XP users click Run after receipt of Windows Security Warning - Open File.) Press the button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop, called Fixlog.txt. Paste or attach it back here.

Quads
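The Run entries in the fixlist above are the persistence the fix removes, and FRST already marks two of them with <===== ATTENTION. The script below is an added example, not FRST code and not something posted in this thread: it parses the Run-key lines in FRST's format (the sample is copied from the FRST output quoted above; the Toolbar line is kept to show non-Run lines are ignored) and applies a few assumed triage heuristics (binary in the user's Temp folder, regsvr32 loading a DLL from AppData, an unnamed value, no company name in the version info, a target FRST could not find) to reproduce and extend what FRST flagged. The heuristics and the RunEntry field names are this example's own assumptions.

```python
"""Triage of FRST-style Run-key lines.

Added example for this thread; not FRST code and not posted by its helper.
Sample lines are copied from the FRST output quoted in the thread; the
heuristics are assumptions about what makes an autorun worth a second look.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class RunEntry(NamedTuple):
    hive: str
    name: str                  # Run value name; FRST prints [] when it is empty
    target: str                # command line, or "[X]" when the file is gone
    publisher: Optional[str]   # None if FRST printed no "(...)", "" for "()"
    frst_flagged: bool         # FRST's own "<===== ATTENTION" marker


# Line shape seen in the thread:
#   HKU\<SID>\...\Run: [Name] => <command> [size date] (Publisher) <===== ATTENTION
RUN_LINE = re.compile(
    r"^(?P<hive>HKLM(?:-x32)?|HKU\\S-[\d-]+)\\\.\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] => (?P<target>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^)]*)\))?"
    r"(?P<flag> <===== ATTENTION)?$"
)

USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Return a RunEntry for a Run-key line, or None for any other FRST line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["name"], m["target"], m["publisher"], m["flag"] is not None)


def triage(entry: RunEntry) -> List[str]:
    """Assumed heuristics (not FRST's own rules) for why an entry deserves review."""
    target = entry.target
    if target == "[X]":
        return ["orphaned: value points at a file FRST could not find"]
    reasons: List[str] = []
    if not entry.name:
        reasons.append("unnamed Run value")
    if USER_TEMP.search(target):
        reasons.append("launches from the user's Temp directory")
    elif USER_APPDATA.search(target):
        reasons.append("references a user-writable AppData path")
    low = target.lower()
    if "regsvr32" in low and low.endswith(".dll") and USER_APPDATA.search(target):
        reasons.append("regsvr32 registering a DLL from the user profile")
    if entry.publisher == "":
        reasons.append("no company name in the file's version info")
    if entry.frst_flagged:
        reasons.append("already marked ATTENTION by FRST")
    return reasons


def triage_log(text: str) -> List[Tuple[RunEntry, List[str]]]:
    """Parse every Run line in an FRST excerpt, skip other lines, triage each."""
    results = []
    for line in text.splitlines():
        entry = parse_run_line(line)
        if entry is not None:
            results.append((entry, triage(entry)))
    return results


# Copied from the FRST output quoted in the thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [YgPack] => C:\Users\One\AppData\Local\YgPack\01423089035499.exe [434176 2015-02-04] (Lift Seller)
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ozzics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\One\AppData\Local\YgPack\Compare.dll
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ilcsoft] => regsvr32.exe C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll <===== ATTENTION
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [FlashPlayerUpdate] => C:\Users\One\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [262144 2015-02-24] ()
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [] => C:\Users\One\AppData\Local\Temp\oynpyai.exe [755131 2015-02-23] () <===== ATTENTION
Toolbar: HKLM-x32 - ShopAtHome.com Toolbar - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\One\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
"""

if __name__ == "__main__":
    # most reasons first, so the entries worth acting on come out on top
    for entry, reasons in sorted(triage_log(SAMPLE_LOG), key=lambda r: -len(r[1])):
        print(f"{entry.name or '<unnamed>':18} {entry.target}")
        for reason in reasons:
            print(f"{'':18}   - {reason}")
```

On this sample the unnamed Temp entry and the two regsvr32 entries come out on top, which matches what FRST flagged and what MBAR later reported as infected; the YgPack entry with a publisher string scores lower, a reminder that a company name in the version info is not evidence of anything.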
Post by htgawm on Feb 27, 2015 20:34:31 GMT -8
fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by One at 2015-02-27 20:26:25 Run:1
Running from C:\Users\One\Desktop
Loaded Profiles: One (Available profiles: One)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
(Lift Seller) C:\Users\One\AppData\Local\YgPack\01423089035499.exe
C:\Users\One\AppData\Local\YgPack\01423089035499.exe
() C:\Users\One\AppData\Local\Temp\oynpyai.exe
C:\Users\One\AppData\Local\Temp\oynpyai.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [YgPack] => C:\Users\One\AppData\Local\YgPack\01423089035499.exe [434176 2015-02-04] (Lift Seller)
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ozzics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\One\AppData\Local\YgPack\Compare.dll
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [Ilcsoft] => regsvr32.exe C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll <===== ATTENTION
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [FlashPlayerUpdate] => C:\Users\One\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [262144 2015-02-24] ()
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\...\Run: [] => C:\Users\One\AppData\Local\Temp\oynpyai.exe [755131 2015-02-23] () <===== ATTENTION
Toolbar: HKLM-x32 - ShopAtHome.com Toolbar - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\One\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
2015-02-23 21:43 - 2015-02-23 22:24 - 00001266 _____ () C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.txt
2015-02-23 21:43 - 2015-02-23 21:43 - 04320054 _____ () C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.bmp
2015-02-23 17:38 - 2015-02-23 17:38 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
C:\Users\One\AppData\Local\Temp\01423089035499.exe
C:\Users\One\AppData\Local\Temp\oynpyai.exe
Reboot:
end
*****************

[5912] C:\Users\One\AppData\Local\YgPack\01423089035499.exe => Process closed successfully.
C:\Users\One\AppData\Local\YgPack\01423089035499.exe => Moved successfully.
[5960] C:\Users\One\AppData\Local\Temp\oynpyai.exe => Process closed successfully.
C:\Users\One\AppData\Local\Temp\oynpyai.exe => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\YgPack => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ozzics => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ilcsoft => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\FlashPlayerUpdate => value deleted successfully.
HKU\S-1-5-21-2242490449-405659501-1643814704-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{311B58DC-A4DC-4B04-B1B5-60299AD3D803} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{311B58DC-A4DC-4B04-B1B5-60299AD3D803}" => Key deleted successfully.
C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.bmp => Moved successfully.
C:\ProgramData\Windows Genuine Advantage => Moved successfully.
C:\Users\One\AppData\Local\Temp\01423089035499.exe => Moved successfully.
"C:\Users\One\AppData\Local\Temp\oynpyai.exe" => File/Directory not found.

The system needed a reboot.

==== End of Fixlog 20:26:30 ====
Post by Quads on Feb 27, 2015 20:41:35 GMT -8
Download Malwarebytes Anti-Rootkit to your Desktop.
Double-click "mbar.exe" to start the tool.
Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
Click in the introduction screen "next" to continue.
Click in the following screen "Update" to obtain the latest malware definitions.
Once the update is complete select "Next" and click "Scan".
When the scan is finished and no malware has been found select "Exit".
Open the MBAR folder and paste or attach the content of the following files in your next reply:
"mbar-log-{date} (xx-xx-xx).txt"
"system-log.txt"

The below screenshot includes step 4 (cleanup); don't do that one yet.

Quads
Post by htgawm on Feb 27, 2015 22:43:14 GMT -8
Malware was detected so I left the program open. I found this file, system log, but did not find one called "mbar-log 02 27 15.txt". Where do I find this?
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004
(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16663

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.095000 GHz
Memory total: 6287114240, free: 4306829312

Downloaded database version: v2015.02.28.02
Downloaded database version: v2015.02.25.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
02/27/2015 22:19:27
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\mwlPSDFilter.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys
\SystemRoot\system32\DRIVERS\mwlPSDNServ.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\L1C62x64.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\CmBatt.sys
\??\C:\Windows\system32\drivers\UBHelper.sys
\??\C:\Windows\system32\drivers\NTIDrvr.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\psapi.dll
\Windows\System32\lpk.dll
\Windows\System32\shell32.dll
\Windows\System32\iertutil.dll
\Windows\System32\usp10.dll
\Windows\System32\normaliz.dll
\Windows\System32\kernel32.dll
\Windows\System32\sechost.dll
\Windows\System32\gdi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\ole32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\user32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\nsi.dll
\Windows\System32\setupapi.dll
\Windows\System32\ws2_32.dll
\Windows\System32\advapi32.dll
\Windows\System32\imm32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\difxapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\wininet.dll
\Windows\System32\msctf.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!

Scan started
Database versions:
main: v2015.02.28.02
rootkit: v2015.02.25.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800813a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800813ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800813a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80062b7050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
The directory C:\WINDOWS\SYSTEM32\drivers seems inaccessible or encrypted.
Drivers scan is aborted.
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 67F9F31A

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 33554432

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 33556480 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 33761280 Numsec = 1431384064

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 750156374016 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll --> [Trojan.Agent.SPEGen]
Infected: C:\Users\One\AppData\Local\YgPack\Compare.dll --> [Trojan.Agent.SPEGen]
Scan finished
Post by Quads on Feb 27, 2015 23:03:57 GMT -8
Ok, you can just close MBAR. The 2 files are now dead, as I took their registry keys with FRST, so after FRST restarted the system the files are no longer in use; I can get them as part of the Step 4 Cleanup process.

On with step 4: complete system check for any file and cleanup of items and tools used. Special attention to the different settings I have asked for below. You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same. Please read carefully and slowly, and notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

Please download the ESET Online Scanner and save it to your Desktop. Start it with administrator privileges. Select the option Yes, and click on . Choose the following settings: NO!! for Remove found threats (the reason for this is we don't want something deleted and then Windows won't load). Click on Start. The virus signature database will begin to download. This may take some time. When completed the Online Scan will begin automatically. Note: This scan might take a long time! Please be patient. When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first! (List found Threats) Now click on Finish.

Quads