LiquidTension

Honorary Members
Posts posted by LiquidTension

  1. Hello pcemkr, welcome to Malwarebytes' Malware Removal forum!
     
    My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
    If you would allow me to call you by your first name I would prefer that. :)
     
    General P2P/Piracy Notice: 
     

    If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
    Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
    If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

     
    ======================================================
     
    Please read through the points below to ensure this process moves as quickly and efficiently as possible.

    • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
    • If you are unable to copy/paste your logs directly into your post, please attach the file. 
    • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
    • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
    • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
    • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
    • Ensure you are following this topic. Click the follow button at the top of the page. 
       

    ======================================================
     
    STEP 1

    Revo Uninstaller

    • Please download and install Revo Uninstaller Free.
    • Double-click Revo Uninstaller to run the programme. 
    • From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
      • Ask Toolbar
      • att.net Toolbar
      • GamingWonderland Toolbar
      • Social Privacy DNS
      • Yahoo! Software Update
    • Double-click the programme. 
    • When prompted if you want to uninstall click Yes.
    • Ensure the Moderate option is selected and click Next.
    • The programme uninstaller will run. If prompted again click Yes.
    • Work your way through the uninstaller, ensuring you read each page thoroughly.
    • Note: Ensure you decline offers of additional software if applicable. 
    • Once the built-in uninstaller is finished click Next.
    • Once the programme has searched for leftovers click Next.
    • Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
    • When prompted click Yes, followed by Next.
    • Click Select all, followed by Delete.
    • When prompted click Yes, followed by Next.
    • Once done click Finish.
       

    STEP 2
    Farbar Recovery Scan Tool (FRST) Script

    • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
    • Copy the entire contents of the codebox below and paste into the Notepad document.
      start
      (APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
      (sendori) C:\Program Files (x86)\Sendori\Sendori.Service.exe
      (APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
      (Sendori, Inc.) C:\Program Files (x86)\Sendori\SendoriTray.exe
      HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1541584 2013-06-06] (APN)
      HKLM-x32\...\Run: [] => [X]
      HKLM-x32\...\Run: [Sendori Tray] => C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2014-06-26] (Sendori, Inc.)
      HKLM-x32\...\Run: [dnsshield] => C:\Program Files (x86)\Social Privacy  DNS\dnswatch.exe
      C:\Program Files (x86)\Social Privacy  DNS
      HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      URLSearchHook: HKCU - SearchHook Class - {D8278076-BC68-4484-9233-6E7F1628B56C} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\searchhook.dll (APN LLC.)
      URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
      SearchScopes: HKLM - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = 
      SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.live.c...ferrer:source?}
      SearchScopes: HKCU - DefaultScope {B4D27414-50CC-44FA-926C-2808E380E19B} URL = http://search.yahoo....p={searchTerms}
      SearchScopes: HKCU - {23E8B459-E5B7-4B98-AAD8-C19423899B97} URL = http://www.mysearchr...q={searchTerms}
      SearchScopes: HKCU - {540F27A1-D734-448E-84ED-791B6A68D982} URL = http://delicious.com...p={searchTerms}
      SearchScopes: HKCU - {92250D91-B6A4-4018-B595-83C9E7648517} URL = http://www.search.as...archTerms}&psv=
      SearchScopes: HKCU - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.tb.ask...r={searchTerms}
      SearchScopes: HKCU - {B3B83059-AFF8-4C05-9D6F-AA29688C0C2C} URL = http://www.flickr.co...q={searchTerms}
      SearchScopes: HKCU - {B4D27414-50CC-44FA-926C-2808E380E19B} URL = http://search.yahoo....p={searchTerms}
      BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
      BHO-x32: Ask Toolbar -> {4F524A2D-5637-006A-76A7-7A786E7484D7} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7\Passport.dll (APN LLC.)
      BHO-x32: Toolbar BHO -> {7c8f8fe5-9785-4f74-bcf8-895ef9752d97} -> C:\PROGRA~2\GAMING~2\bar\1.bin\gtbar.dll No File
      Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
      Toolbar: HKLM-x32 - Ask Toolbar - {4F524A2D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7\Passport.dll (APN LLC.)
      Winsock: Catalog9-x64 01 C:\Windows\system32\Sendori64.dll File Not found ()
      Winsock: Catalog9-x64 02 C:\Windows\system32\Sendori64.dll File Not found ()
      Winsock: Catalog9-x64 03 C:\Windows\system32\Sendori64.dll File Not found ()
      Winsock: Catalog9-x64 04 C:\Windows\system32\Sendori64.dll File Not found ()
      Winsock: Catalog9-x64 15 C:\Windows\system32\Sendori64.dll File Not found ()
      CHR HomePage: Default -> hxxp://www.yahoo.com/
      CHR StartupUrls: Default -> "hxxp://www.yahoo.com/"
      CHR HKLM-x32\...\Chrome\Extension: [mmddbcpechilpapallpbdpcekmgibofi] - C:\Users\Celeste\AppData\Local\Installation Assistant\Chrome\Installation Assistant.crx [2014-01-30]
      R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [169632 2013-06-06] (APN LLC.)
      C:\Program Files (x86)\AskPartnerNetwork
      R2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22816 2014-06-26] (sendori)
      C:\Program Files (x86)\Sendori
      S2 MapsGalaxy_39Service; C:\PROGRA~2\MAPSGA~2\bar\1.bin\39barsvc.exe [X]
      C:\PROGRA~2\MAPSGA~2
      S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [X] <==== ATTENTION
      U0 SR; No ImagePath
      U2 srservice; No ImagePath
      2014-10-25 11:37 - 2014-10-25 11:37 - 00638888 _____ (Oracle Corporation) C:\Users\Celeste\Downloads\chromeinstall-8u25.exe
      2014-10-29 08:51 - 2013-06-03 12:54 - 00000000 ____D () C:\ProgramData\ATTYToolbar
      C:\Users\Celeste\AppData\Local\Temp\CmdLineExt02.dll
      C:\Users\Celeste\AppData\Local\Temp\contentDATs.exe
      C:\Users\Celeste\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
      C:\Users\Celeste\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
      C:\Users\Celeste\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
      C:\Users\Celeste\AppData\Local\Temp\mssinstaller.exe
      C:\Users\Celeste\AppData\Local\Temp\OptimizerPro.exe
      C:\Users\Celeste\AppData\Local\Temp\SecurityScan_Release.exe
      C:\Users\Celeste\AppData\Local\Temp\SIntf16.dll
      C:\Users\Celeste\AppData\Local\Temp\SIntf32.dll
      C:\Users\Celeste\AppData\Local\Temp\SIntfNT.dll
      C:\Users\Celeste\AppData\Local\Temp\SocPriv_adk9.exe
      C:\Users\Celeste\AppData\Local\Temp\System.Data.SQLite.dll
      C:\Users\Celeste\AppData\Local\Temp\vcredist_x64.exe
      C:\Users\Celeste\AppData\Local\Temp\WRupdate326151.exe
      Task: {5B25D6E8-152E-4C5D-899F-589A520C0329} - \ArcadeFrontier No Task File <==== ATTENTION
      Task: {C212FEDA-5AB3-4A18-B715-0B94CB0D2751} - System32\Tasks\4890 => Wscript.exe C:\Users\Celeste\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
      Task: {FDF7AA18-51C2-43A6-9D03-20A73CBC0138} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
      AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
      CMD: ipconfig /flushdns
      CMD: netsh winsock reset all
      CMD: netsh int ipv4 reset
      CMD: netsh int ipv6 reset
      EmptyTemp:
      end
    • Click File > Save As and type fixlist.txt as the File Name
    • Important: The file must be saved in the same location as FRST64.exe. 

    NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Fix.
    • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
       

    STEP 3
    Malwarebytes Anti-Malware (MBAM)

    • Open Malwarebytes Anti-Malware and click Update Now.
    • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
    • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
    • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs and double-click the Scan Log.
    • Click Copy to Clipboard and paste the log in your next reply. 
       

    STEP 4
    AdwCleaner

    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts. 
    • Click Scan
    • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
    • Follow the prompts and allow your computer to reboot
    • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
     
     
    STEP 5
    Junkware Removal Tool (JRT)

    • Please download Junkware Removal Tool and save the file to your Desktop.
    • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click JRT.exe and select Run as administrator to run the programme.
    • Follow the prompts and allow the scan to run uninterrupted. 
    • Upon completion, a log (JRT.txt) will open on your desktop.
    • Re-enable your anti-virus software.
    • Copy the contents of JRT.txt and paste in your next reply.

     
    ======================================================
     
    STEP 6
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • Did the programmes uninstall OK?
    • Fixlog.txt
    • MBAM log
    • AdwCleaner[s0].txt
    • JRT.txt
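    As an added example (not part of the original post, and not FRST's own code), a small Python classifier for the directive lines of a fixlist such as the STEP 2 script above: it sorts each line into the kind of change it makes (process, registry Run value, Winsock entry, service, scheduled task, file, command), reports which entries FRST itself tagged with "<==== ATTENTION", and pulls out payload paths under the user's Temp folder, so a reviewer can see what a script would do before it is run. The sample lines are a constructed subset drawn from the script above; the category names and regular expressions are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the directive lines from the STEP 2 fixlist above,
# kept in the same line formats so the classifier can be exercised offline.
SAMPLE_FIXLIST = r"""start
(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1541584 2013-06-06] (APN)
HKLM-x32\...\Run: [] => [X]
Winsock: Catalog9-x64 01 C:\Windows\system32\Sendori64.dll File Not found ()
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [169632 2013-06-06] (APN LLC.)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [X] <==== ATTENTION
Task: {C212FEDA-5AB3-4A18-B715-0B94CB0D2751} - System32\Tasks\4890 => Wscript.exe C:\Users\Celeste\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
C:\Users\Celeste\AppData\Local\Temp\OptimizerPro.exe
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
CMD: netsh winsock reset all
EmptyTemp:
end
"""

# Patterns keyed to the line-type prefixes visible in the script above (my own naming).
# Order matters: the specific prefixes are tested before the generic path forms.
RULES = [
    ("command",        re.compile(r"^(CMD:|EmptyTemp:)")),
    ("scheduled_task", re.compile(r"^Task:")),
    ("winsock_lsp",    re.compile(r"^Winsock:")),
    ("ads",            re.compile(r"^AlternateDataStreams:")),
    ("service",        re.compile(r"^[RSU]\d\s+.+?;")),          # e.g. "R2 APNMCP; ..."
    ("registry",       re.compile(r"^HK(LM|CU|U)\b")),           # Run values, SafeBoot key, IE start page
    ("browser",        re.compile(r"^(URLSearchHook|SearchScopes|BHO|Toolbar|CHR)\b")),
    ("file",           re.compile(r"^\d{4}-\d{2}-\d{2} ")),      # dated file/folder entry
    ("process",        re.compile(r"^\([^)]*\)\s+[A-Za-z]:\\")), # "(Publisher) C:\path\to.exe"
    ("file",           re.compile(r"^[A-Za-z]:\\")),             # bare path to delete
]
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|vbs|crx)\b")


def classify(line):
    """Return the category of one fixlist line, or None for a blank line."""
    s = line.strip()
    if not s:
        return None
    if s in ("start", "end"):
        return "marker"
    for kind, pattern in RULES:
        if pattern.match(s):
            return kind
    return "unknown"


def parse_fixlist(text):
    """Turn fixlist text into one record per directive line."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        kind = classify(raw)
        if kind is None:
            continue
        entries.append({
            "line": number,
            "kind": kind,
            "text": raw.strip(),
            "attention": "<==== ATTENTION" in raw,   # tag FRST placed in its scan output
            "paths": PATH_RE.findall(raw),
        })
    return entries


def summarize(entries):
    """Start/end check, counts by category, flagged lines and payloads under Temp."""
    wellformed = bool(entries) and entries[0]["text"] == "start" and entries[-1]["text"] == "end"
    counts = Counter(e["kind"] for e in entries if e["kind"] != "marker")
    flagged = [e["text"] for e in entries if e["attention"]]
    temp_payloads = sorted({p for e in entries for p in e["paths"]
                            if "\\AppData\\Local\\Temp\\" in p})
    return {"wellformed": wellformed, "counts": dict(counts),
            "flagged": flagged, "temp_payloads": temp_payloads}


if __name__ == "__main__":
    report = summarize(parse_fixlist(SAMPLE_FIXLIST))
    for key, value in report.items():
        print(f"{key}: {value}")
```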
  2. Hello, 
     
    Thank you for the logs. 
     

    Additionally, after following the link to deactivate the antivirus scanning, Kaspersky said that Norton's anti-spyware was still running but only gave me the option to continue to run with an OK button.

    I assume you mean ComboFix? And that's OK, it doesn't matter. 
     

    Since running the fixlist.txt, I stopped getting the blocked IPs and my internet has not crashed.

    Very good. 
     
    Please provide an update on your computer after completing the steps below. 
     
    STEP 1
    AdwCleaner

    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts. 
    • Click Scan
    • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
    • Follow the prompts and allow your computer to reboot
    • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
     

    STEP 2
    Junkware Removal Tool (JRT)

    • Please download Junkware Removal Tool and save the file to your Desktop.
    • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click JRT.exe and select Run as administrator to run the programme.
    • Follow the prompts and allow the scan to run uninterrupted. 
    • Upon completion, a log (JRT.txt) will open on your desktop.
    • Re-enable your anti-virus software.
    • Copy the contents of JRT.txt and paste in your next reply.
       

    STEP 3
    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme. 
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Hide advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
    • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to Uninstall application on close and click Finish.
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.
       

    STEP 4
    Farbar Recovery Scan Tool (FRST) Scan

    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
       

    ======================================================

    STEP 5
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • AdwCleaner[s0].txt
    • JRT.txt
    • ESET log
    • FRST.txt
    • Addition.txt
    • Update on computer
  3. Hi Todd, 

     

    If the software does not function correctly, uninstalling and reinstalling the programmes should be OK. 

     

    Now for the good news. 

     

    All Clean!
    Congratulations, your computer appears clean! :)
    I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
     
    My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
     
     
    STEP 1
    ComboFix Uninstall

    • Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
      ComboFix /Uninstall
    • Click OK.
    • Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
       

    STEP 2
    DelFix

    • Please download DelFix and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
      • Create registry backup
      • Purge system restore
      • Reset system settings
    • Click the Run button.

    -- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
     
    ======================================================
     
    I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

    The following programmes come highly recommended in the security community.

    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

    -- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
     
    ======================================================
     
    Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
     
    Thank you for using Malwarebytes.
     
    Safe Surfing. :)    
    Adam

  4. Hi Todd, 

     

    That's good. :)

    If no important files have been encrypted, we can move onto the final stages of this process.

     

    We now need to update your vulnerable software to reduce the risk of reinfection.  
     
    STEP 1
    Update Outdated Software

    Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

    STEP 2
    Remove Outdated Software

    • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
    • Search for the following programmes, right-click and click Uninstall one at a time.
    • Note: The programmes below may not be present. If this is the case, please skip to the next step.
      • Adobe Flash Player 11 ActiveX
      • Adobe Flash Player 11 Plugin
      • Adobe Reader 9.5.5 MUI
      • Java 7 Update 60
    • Follow the prompts, and reboot if necessary.
       

    STEP 3
    Security Check

    • Please download SecurityCheck and save the file to your Desktop.
    • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
    • A log (checkup.txt) will automatically open on your Desktop.
    • Copy the contents of the log and paste in your next reply.
       

    ======================================================
     
    STEP 4
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • checkup.txt
    • How is your computer performing? Are there any outstanding issues?
  5. Very good. That log looks fine. 
     
    All Clean!
    Congratulations, your computer appears clean! :)
    I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
     
    My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
     
     
    STEP 1
    ComboFix Uninstall

    • Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
      ComboFix /Uninstall
    • Click OK.
    • Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
       

    STEP 2
    DelFix

    • Please download DelFix and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
      • Create registry backup
      • Purge system restore
      • Reset system settings
    • Click the Run button.

    -- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
     
    ======================================================
     
    I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

    The following programmes come highly recommended in the security community.

    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

    -- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
     
    ======================================================
     
    Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
     
    Thank you for using Malwarebytes.
     
    Safe Surfing. :)    
    Adam

  6. You're more than welcome, Vance. It's been a pleasure, and I'm glad things worked out. :)
     
    My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
     
    I will now mark this topic as solved. 
     
    All the best, 
    Adam

  7. That isn't a symptom common with the infections present. But Internet-related issues on the computer are. 

     

    Once we have removed the malware, we can assess the situation with your router/modem, and act accordingly. 

     

    In your next reply, please include confirmation the programmes uninstalled OK, and Fixlog.txt generated by FRST. Then proceed with STEP 3 and 4.

    Ensure you attach the TDSSKiller log in STEP 4.

  8. Hello Todd, 
     

    First, when I use Internet Explorer, I consistently get two pop up windows. 

    This is normal. ComboFix resets certain IE settings, causing these pop-ups. 
    You can safely check the "In the future, do not show this warning" box. 
     

    Second, I went out to youtube and tried to play a couple of videos.  I don't get any sound.  I have turned up the volume on the computer and in the youtube window.  But still no sound.  I can hear the typical windows sounds such as a "bing" sound when I click on something incorrectly.  So I don't think it is the speakers. 

    Can you try using an alternative browser, and let me know if you experience the same issue.
    Please avoid browsing too much, as you still have vulnerable software installed, which makes your computer susceptible to malware infection.
     
    -----------------------
     
    Please locate an encrypted file, and let me know if the following works. 
    To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
     

    [Image: the Previous Versions tab of a file's Properties dialog]

     
    To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
    This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tab. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.

  9. Hi Vance, 
     
    I'm very glad to hear things went OK (albeit, time-consuming). 
     

    Question:  If I can successfully network to my wife's computer in order to access the printers that are attached to it, should she remove AVG and install what I'm running, or is that unnecessary?

    I am not an advocate of AVG, and regard the company as dubious and untrustworthy.

    • The programme requires numerous running processes and is a resource hog.
    • In 2010, AVG partnered with LimeWire, a P2P filesharing network. P2P filesharing is one of the largest infection vectors. 
    • AVG bundles registry/optimization software such as PCTuneup, which is potentially harmful and dangerous. 
    • AVG bundles AVG Secure Search; software no better than the adware and browser hijackers removed from users' machines on a daily basis.
    • AVG's detection ratio, classification of malware and number of false-positive detections are poor. Results are often confusing, and leave the user in doubt. 
    • The support offered by AVG is considered by many to be unsatisfactory. 
       

    I would suggest replacing AVG on your wife's machine.
     
    ======================================================
     
    I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

    The following programmes come highly recommended in the security community.

    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), preventing your files from being encrypted.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology. 
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you. 
    • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Unchecky automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs. 
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website. 
       

    My Windows 8.1 machine setup:

    • ESET NOD32
    • Malwarebytes Premium 
    • Windows Firewall
    • Sandboxie
    • SpywareBlaster
    • Secunia
    • WOT, NoScript and AdBlock
  10. Hi Shanon, 

     

    That sounds good. 
    Let's update your outdated software. 

     

    STEP 1
    Update Outdated Software

    Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

    STEP 2
    Remove Outdated Software

    • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
    • Search for the following programmes, right-click and click Uninstall one at a time.
    • Note: The programmes below may not be present. If this is the case, please skip to the next step.
      • Java 7 Update 45 
      • Java SE Development Kit 6 Update 26 (64-bit) 
      • JavaFX 2.1.1 
    • Follow the prompts, and reboot if necessary.
    • I do not recommend installing the latest version of Java unless you have a specific purpose for the programme. 
       

    STEP 3
    Security Check

    • Please download SecurityCheck and save the file to your Desktop.
    • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
    • A log (checkup.txt) will automatically open on your Desktop.
    • Copy the contents of the log and paste in your next reply.
       

    ======================================================
     
    STEP 4
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • checkup.txt
  11. Hello Slimpickens, welcome to Malwarebytes' Malware Removal forum!
     
    My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
    If you would allow me to call you by your first name I would prefer that. :)
     
    General P2P/Piracy Notice: 
     

    If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
    Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
    If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

     
    ======================================================
     
    Please read through the points below to ensure this process moves as quickly and efficiently as possible.

    • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
    • If you are unable to copy/paste your logs directly into your post, please attach the file. 
    • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
    • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
    • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
    • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
    • Ensure you are following this topic. Click the Follow button at the top of the page. 
       

    ======================================================

    • Press the Windows Key + r on your keyboard at the same time. Type inetcpl.cpl and click OK.
    • Click Security.
    • Click Custom level...
    • Scroll down to Downloads.
    • Under File download, place a checkmark next to Enable.
    • Click OK.
       

    STEP 1
    Revo Uninstaller

    • Please download and install Revo Uninstaller Free.
    • Double-click Revo Uninstaller to run the programme. 
    • From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
      • Brand Thunder Theme Manager for Internet Explorer
      • Coupon Printer for Windows
      • Download Updater (AOL LLC)
      • New York Mets Browser Theme
      • Office Depot PC Support Agent
      • Yahoo! Software Update
    • Double-click the programme. 
    • When prompted if you want to uninstall click Yes.
    • Ensure the Moderate option is selected and click Next.
    • The programme uninstaller will run. If prompted again click Yes.
    • Work your way through the uninstaller, ensuring you read each page thoroughly.
    • Note: Ensure you decline offers of additional software if applicable. 
    • Once the built-in uninstaller is finished click Next.
    • Once the programme has searched for leftovers click Next.
    • Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
    • When prompted click Yes, followed by Next.
    • Click Select all, followed by Delete.
    • When prompted click Yes, followed by Next.
    • Once done click Finish.
       

    STEP 2
    Farbar Recovery Scan Tool (FRST) Script

    • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
    • Copy the entire contents of the codebox below and paste into the Notepad document.
      startHKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-3638440759-2899467885-459236283-1000\...\MountPoints2: {7afb07d1-37ac-11e1-9121-806e6f6e6963} - F:\VZAccess_Manager.exe /z detectHKU\S-1-5-21-3638440759-2899467885-459236283-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1URLSearchHook: HKCU - (No Name) - {08f9937e-0a4f-48cf-94e7-827223daec1d} - C:\Program Files (x86)\HeadlineAlley_29\bar\1.bin\29SrcAs.dll No FileC:\Program Files (x86)\HeadlineAlley_29SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =SearchScopes: HKLM - {0E7DDDBB-2DB4-4EA9-A623-69FD5E2AD019} URL = http://search.yahoo....psg&type=HPNTDFSearchScopes: HKLM - {48CAA187-36BB-429F-B283-9A3BE1583E3C} URL = http://www.ask.com/w...}&l=dis&o=ushplSearchScopes: HKLM-x32 - DefaultScope {E15E2F0D-9664-4FCE-B823-CBB0E51B441E} URL =SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =SearchScopes: HKLM-x32 - {0E7DDDBB-2DB4-4EA9-A623-69FD5E2AD019} URL = http://search.yahoo....psg&type=HPNTDFSearchScopes: HKLM-x32 - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect...hromesbox-en-usSearchScopes: HKLM-x32 - {48CAA187-36BB-429F-B283-9A3BE1583E3C} URL = http://www.ask.com/w...}&l=dis&o=ushplSearchScopes: HKLM-x32 - {9a2d7aa7-c5a9-4eb1-9e08-c6aaa7538b55} URL = http://search.tb.ask...r={searchTerms}SearchScopes: HKCU - {0E7DDDBB-2DB4-4EA9-A623-69FD5E2AD019} URL =SearchScopes: HKCU - {24E44D12-92CC-43A5-8BFE-6152A920DBE5} URL =SearchScopes: HKCU - {48CAA187-36BB-429F-B283-9A3BE1583E3C} URL =SearchScopes: HKCU - {666DD8F7-14CA-4F4F-A42F-B62A859B80E2} URL = http://search.yahoo....ms}&fr=chr-tyc8SearchScopes: HKCU - {CB4BFE92-0399-4D19-B8CB-FECE80FEF69B} URL =BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No FileBHO-x32: Brand 
Thunder Theme Manager for Internet Explorer -> {0B5DEE95-C164-4E3E-B4C7-15E852BDE5BC} -> C:\Program Files (x86)\Brand Thunder\Cortez\bt-thememanager.dll (Brand Thunder, L.L.C.)BHO-x32: No Name -> {18c5b277-4df2-4fb5-9bf5-ccaa5eabc30b} ->  No FileC:\Program Files (x86)\Brand ThunderC:\Users\Burgess\AppData\Roaming\MaxwebsearchBHO-x32: Max Websearch BHO -> {B3DC64DB-1E83-415F-B449-7C97E32477B5} -> C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)Toolbar: HKLM-x32 - Max Websearch Toolbar - {AC86B16E-C46B-40B0-8328-765521ED682E} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)Toolbar: HKU\S-1-5-21-3638440759-2899467885-459236283-1000 -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} -  No FileFF Homepage: yahoo.comCHR Extension: (Unfriend Checker) - C:\Users\Burgess\AppData\Local\Google\Chrome\User Data\Default\Extensions\biiponhbbifajapmbggbgaepiedinifm [2013-03-13]CHR HKLM-x32\...\Chrome\Extension: [biiponhbbifajapmbggbgaepiedinifm] - C:\Program Files (x86)\Unfriend Checker\Chrome.crx [2014-11-03]C:\Program Files (x86)\Unfriend CheckerCHR HKLM-x32\...\Chrome\Extension: [kkabaopkffpacmehggafknpnenokiofp] - C:\Users\Burgess\AppData\LocalLow\Playbryte\Chrome.crx [2014-11-03]C:\Users\Burgess\AppData\LocalLow\Playbryte2014-11-03 20:35 - 2013-01-01 16:26 - 00000000 ____D () C:\Program Files (x86)\PlaybryteC:\Users\Burgess\AppData\Local\Temp\{59AB6093-252C-461A-B034-EC85A4E6DBB8}-38.0.2125.111_chrome_installer.exeS3 CpqDfw; system32\drivers\CpqDfw.sys [X]2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00032391.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00030537.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00028703.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00028145.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00026994.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () 
C:\Windows\SysWOW64\00026323.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00026299.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00025667.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00024898.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00024152.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00023281.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00021726.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00021170.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00021164.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00019912.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00019895.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00019718.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00019145.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00018716.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00017421.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00017035.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00016827.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00016001.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00015976.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00015832.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00015154.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00014771.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00014621.tmp2014-11-13 09:50 - 2014-11-13 
09:50 - 01176168 ____T () C:\Windows\SysWOW64\00014604.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00014470.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00013916.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00013650.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00013092.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00012382.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00012204.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00011942.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00011538.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00009961.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00009894.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00009145.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00009081.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00008937.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00008634.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00007445.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00006549.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00005447.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00005436.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00005365.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00004827.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00003902.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () 
C:\Windows\SysWOW64\00003779.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00002995.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00002040.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00001869.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00001657.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00001130.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00000491.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00000292.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00000153.tmp2014-11-13 09:50 - 2014-11-13 09:50 - 01176168 ____T () C:\Windows\SysWOW64\00000083.tmp2014-11-13 09:49 - 2014-11-13 09:49 - 01176168 ____T () C:\Windows\SysWOW64\00030406.tmp2014-11-13 09:49 - 2014-11-13 09:49 - 01176168 ____T () C:\Windows\SysWOW64\00005705.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00029132.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00026500.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00019169.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00018528.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00009794.tmp2014-11-13 09:48 - 2014-11-13 09:48 - 40034920 ____T () C:\Windows\SysWOW64\00006334.tmpCustomCLSID: HKU\S-1-5-21-3638440759-2899467885-459236283-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?CMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end
    • Click File > Save As and type fixlist.txt as the File Name.
    • Important: The file must be saved in the same location as FRST64.exe.

    NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Fix.
    • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
       

    STEP 3
    ComboFix

    • Note: Please read through these instructions before running ComboFix. 
    • Please download ComboFix and save the file to your Desktop. << Important!
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click ComboFix.exe and select Run as administrator to run the programme.
    • Follow the prompts. 
       
    • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
    • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
    • Re-enable your anti-virus software.
       

    Important Notes:

    • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
    • Do NOT use your computer whilst ComboFix is running.
    • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
       
    • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
    • ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
       

    STEP 4
    TDSSKiller Scan

    • Please download TDSSKiller and save the file to your Desktop.
    • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
    • Click Change parameters. Place a checkmark next to:
      • Loaded Modules
      • Detect TDLFS file system
      • Verify file digital signatures
    • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
    • Click Start Scan. Do not use the computer during the scan.
    • If objects are found, change the action to skip.
    • Click Continue and close the window.
    • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
       

    ======================================================
     
    STEP 5
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • Did the programmes uninstall OK?
    • Fixlog.txt
    • ComboFix.txt
    • TDSSKiller log (attached!)
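    The FRST scripts in this post and the next flag a per-user CLSID LocalServer32 entry whose command is rundll32.exe javascript: (marked Poweliks). As an added example that is not from the post, the PowerShell below audits every loaded user hive for entries of that shape; it only reports and changes nothing. The HKU drive mapping and the regular expression are my assumptions.

```powershell
# Added example (not from the post): audit per-user COM CLSID LocalServer32
# entries for the rundll32.exe javascript: loader that FRST marks as Poweliks.
# Read-only: it lists matches, it does not delete or modify anything.

# Map HKEY_USERS so every loaded user hive (including the *_Classes hives) is visible.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# A legitimate LocalServer32 default value is a path to an executable; a script
# engine started through rundll32.exe with a javascript: URL is the fileless loader.
# Assumed pattern, kept deliberately narrow to avoid false positives.
$suspicious = 'rundll32(\.exe)?\s+javascript:'

$results = foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    # HKU\<SID>_Classes\CLSID holds per-user COM registrations
    $clsidRoot = Join-Path $hive.PSPath 'CLSID'
    if (-not (Test-Path $clsidRoot)) { continue }

    foreach ($key in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
        $server = Join-Path $key.PSPath 'LocalServer32'
        if (-not (Test-Path $server)) { continue }

        # The hijacked command lives in the key's (default) value.
        $command = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if ($command -and $command -match $suspicious) {
            [pscustomobject]@{
                Hive    = $hive.PSChildName
                CLSID   = $key.PSChildName
                Command = $command
            }
        }
    }
}

if ($results) {
    $results | Format-List
} else {
    'No rundll32/javascript LocalServer32 entries found under HKEY_USERS.'
}
```

Run it from an elevated PowerShell so the other users' hives are readable; a hit is a reason to run the helper's fix, not to edit the key by hand.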
  12. Hello CJN853, welcome to Malwarebytes' Malware Removal forum!
     
    My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
    If you would allow me to call you by your first name I would prefer that. :)
     
    General P2P/Piracy Notice: 
     

    If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
    Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
    If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

     
    ======================================================
     
    Please read through the points below to ensure this process moves as quickly and efficiently as possible.

    • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
    • If you are unable to copy/paste your logs directly into your post, please attach the file. 
    • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
    • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
    • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
    • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
    • Ensure you are following this topic. Click the Follow button at the top of the page. 
       

    ======================================================
     

    Please help if you think this might be salvageable.

    Yes, we can clear up the malware. 
    Depending on the variant of CryptoWall, your encrypted files may be recoverable without the need to restore from a backup. Once the malware has been removed, we can look into this.
     

    • Press the Windows Key + r on your keyboard at the same time. Type inetcpl.cpl and click OK.
    • Click Security.
    • Click Custom level...
    • Scroll down to Downloads.
    • Under File download, place a checkmark next to Enable.
    • Click OK.
       

    STEP 1
    Farbar Recovery Scan Tool (FRST) Script

    • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
    • Copy the entire contents of the codebox below and paste into the Notepad document.
      startHKU\S-1-5-21-2396288121-3525874122-1808719847-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!Startup: C:\Users\Mom and Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONSearchScopes: HKLM - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =U2 TMAgent; No ImagePathFolder: C:\Users\Mom and Dad\AppData\Local\EmieBrowserModeList2014-11-11 18:07 - 2014-11-11 18:07 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{FAC3652E-2396-4926-ADC1-1B92C7079871}2014-11-11 05:40 - 2014-11-11 05:40 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9DE7D7DF-F82C-481A-BC8C-9D706E099B3A}2014-11-10 11:04 - 2014-11-10 20:01 - 00000064 _____ () C:\Users\Mom and Dad\AppData\Roaming\svc-cmkf.exe.bat2014-11-10 09:33 - 2014-11-10 09:33 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{46A51C6F-F5D4-4867-BB24-9DCD160F478D}2014-11-09 16:56 - 2014-11-09 16:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{E79AF4D6-4DD7-4760-B5F2-14D1FE1F6531}2014-11-09 10:56 - 2014-11-10 10:43 - 00000160 ____H () C:\ProgramData\@system3.att2014-11-09 10:55 - 2014-11-10 20:37 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Roaming\FrameworkUpdate72014-11-09 10:55 - 2014-11-10 11:54 - 00000424 _____ () C:\ProgramData\@system.temp2014-11-09 10:54 - 2014-11-10 20:37 - 00000000 ___HD () C:\4ab75cf2014-11-09 10:54 - 2014-11-10 11:04 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage2014-11-08 11:00 - 2014-11-08 11:00 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{204B6AAF-9BB9-400E-A047-5CC726B3B745}2014-11-07 06:56 - 2014-11-07 06:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{7F31197E-F2C9-4AFB-A85E-683455E48736}2014-11-06 11:32 - 2014-11-06 11:32 
- 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{05A0B7F0-4B81-4D51-8CAA-FECFA405F8FC}2014-11-05 22:14 - 2014-11-05 22:14 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{E0A208BD-5D90-4D12-9440-5E7C57B8C45F}2014-11-05 09:56 - 2014-11-05 09:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{4FCAB811-DA8D-4A70-8CDC-84E8BCA3DB58}2014-11-04 21:46 - 2014-11-04 21:46 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B0D244A4-2694-4E25-B05E-A57AD4888EE7}2014-11-04 09:36 - 2014-11-04 09:36 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B333DCAC-C7C7-4ABD-8E21-8948C8CCFFD8}2014-11-03 10:00 - 2014-11-03 10:00 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{DE9365F6-9775-4ACE-8C4C-C77C3317E678}2014-11-02 12:52 - 2014-11-02 12:52 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{1F5E55AD-0F14-40A6-8271-FA7A83B86084}2014-11-07 21:45 - 2014-11-07 21:45 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6E2FED2B-1A67-4686-B599-5C2AE5047D5D}2014-11-01 23:03 - 2014-11-01 23:03 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{55CC58EB-DBE5-4866-B697-4CD70363A04B}2014-11-01 08:44 - 2014-11-01 08:44 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9F0FBC11-96DD-4825-A2E6-D87CD26B2FDE}2014-10-31 07:35 - 2014-10-31 07:35 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{02DDB402-9617-40D7-8BA6-24262E926182}2014-10-30 19:26 - 2014-10-30 19:26 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{40DBE95E-9958-489A-91F7-721859F2CA36}2014-10-30 07:16 - 2014-10-30 07:16 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{F2A78929-CF74-4C2E-A880-866F7168CB69}2014-10-29 11:18 - 2014-10-29 11:18 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{0B8F622B-EE15-42AE-BE6E-74424339C720}2014-10-28 22:51 - 2014-10-28 22:51 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{AD79057D-BCC6-4F41-B9CF-3D78179B71F8}2014-10-28 22:27 - 2014-10-28 22:27 - 00000000 ____D () C:\Users\Mom and 
Dad\AppData\Local\{31C1C2C6-EC68-4D93-B7F4-93AC8D695F9F}2014-10-28 19:48 - 2014-10-28 19:49 - 00001829 _____ () C:\Users\Mom and Dad\AppData\Roaming\c006d3e12014-10-28 19:48 - 2014-10-28 19:49 - 00000048 _____ () C:\Users\Mom and Dad\AppData\Roaming\c006d3e22014-10-28 19:48 - 2014-10-28 19:48 - 00000944 ____H () C:\ProgramData\@system2.att2014-10-28 19:48 - 2014-10-28 19:48 - 00000448 ____H () C:\Users\Mom and Dad\AppData\Roaming\麽鎒駓覜2014-10-28 07:30 - 2014-10-28 07:30 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{434246B6-A7CA-47C9-AB53-05A8B9A01000}2014-10-27 13:56 - 2014-10-27 13:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{25F3A586-4CDE-46CC-B4F4-0E035E5D4606}2014-10-26 20:48 - 2014-10-26 20:48 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5A144CE8-B7D9-46FF-87C6-56729C7D9CD5}2014-10-26 08:41 - 2014-10-26 08:41 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{DE9EB159-FC16-4323-8D63-EB8804318680}2014-10-25 10:48 - 2014-10-25 10:48 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{F31DCCB5-1D89-4306-8683-9C6053F44DD9}2014-10-24 21:54 - 2014-10-24 21:54 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{C0863BE8-CCC1-49DF-9693-8DBA11977919}2014-10-24 09:06 - 2014-10-24 09:06 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6223EC97-8E75-4F83-9970-B346E7855782}2014-10-23 10:23 - 2014-10-23 10:23 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{68CC3DC6-A2BB-468A-AC8E-135385101685}2014-10-22 21:34 - 2014-10-22 21:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{78B561E0-F39E-4773-92D3-CC310559CB28}2014-10-22 06:33 - 2014-10-22 06:33 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{475760E4-BC31-4881-A757-661575830867}2014-10-21 08:21 - 2014-10-21 08:21 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{7AFF3E34-9F81-4CF1-8BA3-6C19CF3E2ADC}2014-10-20 10:24 - 2014-10-20 10:24 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{3B5B6225-B669-436A-A08A-64D94FB71BB6}2014-10-20 
10:05 - 2014-10-20 10:05 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9194EA7B-F3AB-4323-B32C-C910A5B9162C}2014-10-20 08:01 - 2014-10-20 08:01 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{08C5FA6F-07A4-4D19-912B-C3064ABFCCFA}2014-10-19 12:23 - 2014-10-19 12:23 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{426AE19E-5198-4047-A22A-62361F078927}2014-10-19 00:22 - 2014-10-19 00:22 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B763FAE8-02F9-40DD-B726-D3DFD9CA7944}2014-10-18 11:02 - 2014-10-18 11:02 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5EB17C21-1CA5-4C87-A06E-4C80F532D7B6}2014-10-17 19:19 - 2014-10-17 19:19 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{BC428FE6-4D1E-4111-846F-ABE0E2FD06C9}2014-10-17 07:18 - 2014-10-17 07:18 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{256B339C-4233-4C80-A938-23322F3124B4}2014-10-16 09:13 - 2014-10-16 09:13 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{0D7C6D29-8770-48E0-8408-8448943AA2DE}2014-10-15 12:07 - 2014-10-15 12:07 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{C0A2C253-FA5C-437C-9C99-0E7125E265BF}2014-10-15 11:03 - 2014-10-15 11:03 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5B194868-C8DF-43BA-9115-42D5D50D1A0F}2014-10-14 22:34 - 2014-10-14 22:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6CF0831F-6AE3-4908-A440-CFA2B0491500}2014-10-14 10:34 - 2014-10-14 10:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{4D9F816D-245B-4576-A788-AA51A960E6CE}C:\Users\Public\dcmsvcsetup.exeC:\Users\Public\invokesi.exeCustomCLSID: HKU\S-1-5-21-2396288121-3525874122-1808719847-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). 
<==== Poweliks?CMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end
    • Click File > Save As and type fixlist.txt as the File Name.
    • Important: In the Encoding: drop-down box, select Unicode.
    • Important: The file must be saved in the same location as FRST64.exe.

    NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Fix.
    • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
       

    STEP 2
    Malwarebytes Anti-Malware (MBAM)

    • Open Malwarebytes Anti-Malware and click Update Now.
    • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
    • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
    • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs and double-click the Scan Log.
    • Click Copy to Clipboard and paste the log in your next reply. 
       

    STEP 3
    ComboFix

    • Note: Please read through these instructions before running ComboFix. 
    • Please download ComboFix and save the file to your Desktop. << Important!
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click ComboFix.exe and select AVOiBNU.jpg Run as administrator to run the programme.
    • Follow the prompts. 
       
    • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
    • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
    • Re-enable your anti-virus software.
       

    Important Notes:

    • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
    • Do NOT use your computer whilst ComboFix is running.
    • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
       
    • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
    • ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
       

    STEP 4
    TDSSKiller Scan

    • Please download TDSSKiller and save the file to your Desktop.
    • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
    • Click Change parameters. Place a checkmark next to:
      • Loaded Modules
      • Detect TDLFS file system
      • Verify file digital signatures
    • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
    • Click Start Scan. Do not use the computer during the scan.
    • If objects are found, change the action to skip.
    • Click Continue and close the window.
    • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
       

    STEP 5
    Farbar Recovery Scan Tool (FRST) Scan

    • Right-Click FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
       

    ======================================================
     
    STEP 6
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

    • Fixlog.txt
    • MBAM log
    • ComboFix.txt
    • TDSSKiller log (attached!)
    • FRST.txt
    • Addition.txt
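The CustomCLSID entry removed by the fixlist above is a registry-resident loader: the LocalServer32 value runs rundll32.exe with a javascript: URL instead of pointing at an executable, and the script text is obfuscated by shifting every character one code point. The following triage script is an added example (not part of this post or of FRST) that picks such entries out of FRST-style CustomCLSID lines and decodes the shifted eval() string; the SID and CLSID values in the constructed sample are placeholders, while the eval string is the truncated one shown in the log above, and the one-code-point shift is an assumption confirmed by the readable result.

```python
import re

# Constructed sample FRST CustomCLSID lines, modelled on the entry in the fix above.
# SID and CLSID values are placeholders; the eval("...") string is the truncated
# one from the FRST log on this page.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000002}\localserver32 -> C:\Program Files\Vendor\app.exe
"""

LINE_RE = re.compile(r"^CustomCLSID:\s+(?P<key>\S+)\s+->\s+(?P<value>.*)$")
EVAL_RE = re.compile(r'eval\("([^"]*)')
# A LocalServer32 value that launches rundll32 with a javascript: URL is a
# registry-resident script loader rather than an on-disk COM server.
MARKERS = ("rundll32", "javascript:")


def shift_decode(text, shift=1):
    """Undo a per-character code-point shift (assumed +1 for this sample)."""
    return "".join(chr(ord(c) - shift) for c in text)


def triage_customclsid(log_text):
    """Return suspicious CustomCLSID entries with a decoded payload preview."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if not all(marker in value.lower() for marker in MARKERS):
            continue  # ordinary LocalServer32 pointing at an executable
        enc = EVAL_RE.search(value)
        findings.append({
            "key": key,
            "value": value,
            "decoded": shift_decode(enc.group(1)) if enc else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_customclsid(SAMPLE_LOG):
        print(finding["key"])
        print("  decoded payload start:", finding["decoded"])
```

Feeding it a real FRST.txt (read with open()) lists only the CustomCLSID entries that warrant a closer look, with the start of the script text readable for triage.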