LiquidTension

Everything posted by LiquidTension

  1. Hello,

     Open Task Manager and look for the following ComboFix-related processes (some have a .3XE extension):
     - PEV.exe
     - NirCmd.3XE
     - PEV.3XE
     - SEDGREP
     - any file that has the extension *.3XE except CF*****.3XE <- do not end this process

     One at a time, right-click and select End Process. If doing that did not free ComboFix and allow it to continue, then you will need to reboot the computer manually.

     Let me know how you get on.
  2. Hi Gloria,

     If you plan on resetting your router, I would do so first.

     As for backing up data, there's no reason why you can't safely back up your personal files. Instructions on how to do so can be found below. You require a USB drive or External Hard Drive with enough storage capacity to hold all your files. STEP 1 requires the use of a clean PC.

     STEP 1 Panda USB Vaccine
     - Please download Panda USB Vaccine and save the file to the Desktop of a clean PC.
     - Double-click USBVaccineSetup.exe to install the programme.
     - Read and accept the license agreement, then click Next.
     - Upon completion of the setup, ensure Launch Panda USB Vaccine is checked and click Finish.
     - Click the Vaccinate Computer button. It should now show a green checkmark and confirm Computer vaccinated.
     - Hold down the Shift key on your keyboard and insert your USB drive into the clean PC.
     - Follow these instructions on how to reformat your USB drive (this will remove all files on the device). This is to ensure the drive is clean.
     - Return to Panda USB Vaccine. When the name of the drive appears in the Panda USB Vaccine dialog box, click the Vaccinate USB drive(s) button.
     - Exit the programme when done.

     -- Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

     STEP 2 Folder Options
     - Press the Windows Key + r on your keyboard at the same time. Type Control Folders and click OK.
     - Click View. Under Hidden files and folders:
       - Place a checkmark next to Show hidden files, folders and drives.
       - Remove the checkmark next to Hide extensions for known file types.
     - Click Apply followed by OK.

     STEP 3 Backup Data
     The safest practice is not to back up any executable files (.exe), screensavers (.scr), dynamic link library (.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. You should also avoid backing up compressed files (.zip, .cab, .rar) that have executables inside, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may disguise themselves by hiding a file extension or by adding double file extensions (hence why STEP 2 is important) and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name. Backing up documents, images, music and video is fine.

     Specially crafted Word/Excel/PDF files can be used for malicious intent, so please ensure you do not back up any documents you do not recognise.

     To repeat, do not back up files with the following extensions:
     .exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab

     Once you have decided which files you wish to back up, copy the files over to the USB drive.
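The STEP 3 filter from the post above, as an added Python example that is not part of the original post: it applies the post's do-not-back-up extension list and flags the double-extension and space-padding disguises the post warns about. The review set of document types and the sample file names are constructed for illustration.

```python
import os
import re

# Extensions the post says never to back up: its "to repeat" list, plus .dll,
# which it names earlier as a file type malware may have infected.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".com", ".cmd", ".msi", ".pif", ".ini", ".htm",
    ".html", ".hta", ".php", ".asp", ".xml", ".zip", ".rar", ".cab", ".dll",
}

# Document types the post says to back up only when you recognise the file
# (constructed set; the post names Word, Excel and PDF).
REVIEW_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Two or more spaces right before the real extension is the padding trick the
# post describes: "photo.jpg          .scr" shows as "photo.jpg" in a narrow column.
PADDED_NAME = re.compile(r"\s{2,}\.[^.\s]+$")


def classify(filename):
    """Return (verdict, reason) for one file name.

    verdict is "skip", "review" or "ok". Only the full name is examined, so
    this must be run with extensions visible (STEP 2 of the post); Explorer
    hides the final extension by default.
    """
    # Accept either Windows or POSIX separators without relying on the host OS.
    name = re.split(r"[\\/]", filename)[-1]
    # Trailing whitespace carries no extension information; strip it first.
    stripped = name.rstrip()
    root, ext = os.path.splitext(stripped)
    ext = ext.lower()

    if ext in BLOCKED_EXTENSIONS:
        reasons = ["blocked extension %s" % ext]
        # Double extension: a harmless-looking "inner" extension acts as decoy.
        inner = os.path.splitext(root.rstrip())[1].lower()
        if inner and inner not in BLOCKED_EXTENSIONS:
            reasons.append("decoy inner extension %s" % inner)
        if PADDED_NAME.search(stripped):
            reasons.append("space-padded name")
        return "skip", "; ".join(reasons)

    if ext in REVIEW_EXTENSIONS:
        return "review", "document; back up only if you recognise it"

    if not ext:
        return "review", "no extension; confirm what the file is"

    return "ok", None


def plan_backup(filenames):
    """Group file names by verdict so the user can act on each group."""
    plan = {"ok": [], "review": [], "skip": []}
    for f in filenames:
        verdict, reason = classify(f)
        plan[verdict].append((f, reason))
    return plan


if __name__ == "__main__":
    # Constructed sample names, not taken from any user's machine.
    sample = [
        "holiday.jpg",
        "invoice.pdf",
        "report.docx.exe",
        "song.mp3",
        "photo.jpg                  .scr",
        "archive.zip",
        "desktop.ini",
        "README",
    ]
    for verdict, items in plan_backup(sample).items():
        for f, reason in items:
            print("%-7s %-40r %s" % (verdict, f, reason or ""))
```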
  3. Hi Eric, Thanks for the update. Let me know how you get on in the next couple of days. If all appears well, we can run a couple of scans to confirm there are no malware remnants, and finish up. Adam.
  4. Hi Aaron,

     For passwords to be at risk, they do not need to be explicitly saved to the machine; only typed. I would suggest changing passwords using a clean machine as soon as possible. Whilst your accounts may not be compromised, I don't think it's worth taking the risk.

     Are you experiencing issues with other devices connected to the same router? If not, you should be OK. But I can provide instructions on resetting your router if you so wish.

     Please start with the following.

     STEP 1 ComboFix
     Note: Please read through these instructions before running ComboFix.
     - Please download ComboFix and save the file to your Desktop. << Important!
     - Temporarily disable your anti-virus software. For instructions, please refer to the following link.
     - Right-click ComboFix.exe and select Run as administrator to run the programme.
     - Follow the prompts. Allow ComboFix to complete its removal routine (please refer to Important Notes:).
     - Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
     - Re-enable your anti-virus software.

     Important Notes:
     - Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
     - Do NOT use your computer whilst ComboFix is running.
     - Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     - If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
     - ComboFix will disconnect your machine from the Internet as soon as it starts.
     - Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
     - If you are unable to access the Internet after running ComboFix, please reboot your computer.

     STEP 2 TDSSKiller Scan
     - Please download TDSSKiller and save the file to your Desktop.
     - Right-click TDSSKiller.exe and select Run as administrator to run the programme.
     - Click Change parameters. Place a checkmark next to:
       - Loaded Modules
       - Detect TDLFS file system
       - Verify file digital signatures
       Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
     - Click Start Scan. Do not use the computer during the scan.
     - If objects are found, change the action to skip.
     - Click Continue and close the window.
     - A log will be created and saved to the root directory (usually C:\). Copy the contents of the log and paste in your next reply.

     ======================================================

     STEP 3 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
     - ComboFix.txt
     - TDSSKiller log
  5. Hello Penguin19, welcome to Malwarebytes' Malware Removal forum!

     My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

     General P2P/Piracy Notice:

     ======================================================

     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
     - Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
     - Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
     - Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
     - Please back up important documents before proceeding with my instructions.
     - If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
     - Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.

     ======================================================

     Unfortunately, I must issue the following warning. Please let me know what you think, and how you wish to proceed.
  6. Hello Tom, Did you run recimg.exe to generate a new refresh image at the date and time listed? http://blogs.msdn.com/b/matt-harrington/archive/2012/04/01/create-a-windows-8-refresh-image-with-recimg-exe.aspx If not, is System Restore monitoring the Recovery Partition, and did you perform a System Restore on that date? Did you reinstall on 8/13/2013 2:24:00?
  7. Hello Ibflunkie, welcome to Malwarebytes' Malware Removal forum!

     My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

     General P2P/Piracy Notice:

     ======================================================

     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
     - Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
     - Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
     - Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
     - Please back up important documents before proceeding with my instructions.
     - If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
     - Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.

     ======================================================

     Unfortunately, I must issue the following warning. Please let me know what you think, and how you wish to proceed.
  8. No problem. And you're welcome. This computer is heavily infected. ZeroAccess, Poweliks, Zbot, Kovter and Sathurbot/Boaxxe (all of which open a backdoor) are/were all present, with the possibility of others yet to reveal themselves - making this process require numerous steps.
  9. Hi Tom, Thanks for the information, and your continued patience. I will get back to you as soon as possible.
  10. Sounds good. Let me know how you get on. FYI, Windows Defender does not require installation. You need only enable the programme.
  11. Hello,

      OK. Let's move on. Regarding the Windows Updates, please hold back until the end.

      STEP 1 Farbar Recovery Scan Tool (FRST) Script
      - Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
      - Copy the entire contents of the codebox below and paste into the Notepad document.

        start
        HKU\S-1-5-21-639415932-1215857684-1316868989-1003\...\Run: [CryptoUpdate] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Sacred Heart\AppData\Roaming\Microsoft\Crypto\RSA\cert_v65_0.tpl"
        C:\Users\Sacred Heart\AppData\Roaming\Microsoft\Crypto\RSA\cert_v65_0.tpl
        HKU\S-1-5-21-639415932-1215857684-1316868989-1003\...\Policies\Explorer: [Run] "C:\Users\Sacred Heart\AppData\Roaming\Microsoft\Windows\IEUpdate\xwizard.exe"
        C:\Users\Sacred Heart\AppData\Roaming\Microsoft\Windows\IEUpdate\xwizard.exe
        HKU\S-1-5-21-639415932-1215857684-1316868989-1003\...A8F59079A8D5}\localserver32: <==== ATTENTION!
        HKU\S-1-5-18\...\MountPoints2: D - D:\Programs\nu2menu\nu2menu.exe
        HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?...kusaolp00000051
        BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
        BHO-x32: No Name -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> No File
        2014-09-05 12:03 - 2012-07-31 15:00 - 00000000 ____D () C:\Windows\AutoKMS
        C:\Users\Sacred Heart\acrobat.exe
        C:\Users\Sacred Heart\chrome935539.exe
        C:\Users\Sacred Heart\ctfmon132343.exe
        C:\Users\Sacred Heart\flashplayer560745.exe
        C:\Users\Sacred Heart\googleupdate.exe
        C:\Users\Sacred Heart\googleupdate27226.exe
        C:\Users\Sacred Heart\msconfig464447.exe
        C:\Users\Sacred Heart\mstsc524057.exe
        C:\Users\Sacred Heart\rundll3238542.exe
        C:\Users\Sacred Heart\rundll32826958.exe
        C:\Users\Sacred Heart\spoolsv35736.exe
        C:\Users\Sacred Heart\vlcplayer.exe
        C:\Users\Sacred Heart\vlcplayer566390.exe
        C:\Users\Sacred Heart\AppData\Roaming\麽鎒駓覜
        Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
        Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
        Folder: C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
        Folder: C:\ProgramData\EvitpUseyw
        Folder: C:\Users\Sacred Heart\AppData\Roaming\dteivvbh
        CMD: ipconfig /flushdns
        CMD: netsh winsock reset all
        CMD: netsh int ipv4 reset
        CMD: netsh int ipv6 reset
        CMD: bitsadmin /reset /allusers
        EmptyTemp:
        end

      - Click File, Save As and type fixlist.txt as the File Name.
        Important: The file must be saved in the same location as FRST64.exe.
        NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
      - Right-click FRST64.exe and select Run as administrator to run the programme.
      - Click Fix.
      - A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

      STEP 2 ComboFix Script
      Note: Please read through these instructions before running ComboFix.
      - Close any open programmes and windows.
      - Temporarily disable your anti-virus software. For instructions, please refer to the following link.
      - Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
      - Copy the entire contents of the codebox below and paste into the Notepad document.

        RegNull:
        [HKEY_USERS\S-1-5-21-639415932-1215857684-1316868989-1003_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]

      - Click File, Save As and type CFScript.txt as the File Name.
        Important: The file must be saved to your Desktop.
        NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
      - Referring to the animation below, drag CFScript.txt into ComboFix.exe.
      - Allow ComboFix to complete its removal routine (please refer to Important Notes:).
      - Once finished, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
      - Re-enable your anti-virus software.

      Important Notes:
      - Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
      - Do NOT use your computer whilst ComboFix is running.
      - Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
      - If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
      - ComboFix will disconnect your machine from the Internet as soon as it starts.
      - Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
      - If you are unable to access the Internet after running ComboFix, please reboot your computer.

      STEP 3 VirusTotal Upload
      - Please go to VirusTotal.com.
      - Click Choose File and locate the following file:
        C:\Windows\system32\PuzzlePort64.dll
      - Click Scan it!.
      - If you receive the following notification: File already analysed, click Reanalyse.
      - Once the file has been analysed, copy the page URL at the top of the window and paste in your next reply.

      STEP 4 SystemLook
      - Please download SystemLook (x64) and save the file to your Desktop.
      - Right-click SystemLook_x64.exe and select Run as administrator to run the programme.
      - Copy the entire contents of the codebox below and paste into the textfield.

        :filefind
        *xwizard*
        *39srchmn*
        *39brmon*
        *f55de818-9e4d-43d0-0b46-54c71f088e85*
        :folderfind
        *xwizard*
        *39srchmn*
        *39brmon*
        *f55de818-9e4d-43d0-0b46-54c71f088e85*
        :regfind
        xwizard
        39srchmn
        39brmon
        f55de818-9e4d-43d0-0b46-54c71f088e85

      - Click the button to start the scan.
      - Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
      - Click the button.

      ======================================================

      STEP 5 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
      - Fixlog.txt
      - ComboFix.txt
      - VirusTotal Results
      - SystemLook.txt
  12. Hello,

      What are these?

      Task: {70B14C0D-C1D5-4F0C-A0AA-4312FA676299} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2012-07-31] ()
      2014-09-28 08:31 - 2012-07-31 15:00 - 00003510 _____ () C:\Windows\System32\Tasks\AutoKMS
  13. OK. Please do the following.

      STEP 1 ComboFix
      Note: Please read through these instructions before running ComboFix.
      - Please download ComboFix and save the file to your Desktop. << Important!
      - Temporarily disable your anti-virus software. For instructions, please refer to the following link.
      - Right-click ComboFix.exe and select Run as administrator to run the programme.
      - Follow the prompts. Allow ComboFix to complete its removal routine (please refer to Important Notes:).
      - Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
      - Re-enable your anti-virus software.

      Important Notes:
      - Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
      - Do NOT use your computer whilst ComboFix is running.
      - Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
      - If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
      - ComboFix will disconnect your machine from the Internet as soon as it starts.
      - Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
      - If you are unable to access the Internet after running ComboFix, please reboot your computer.

      STEP 2 Farbar Recovery Scan Tool (FRST) Scan
      - Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
      - Right-click FRST64.exe and select Run as administrator to run the programme.
      - Click Yes to the disclaimer.
      - Ensure the Addition.txt box is checked.
      - Click the Scan button and let the programme run.
      - Upon completion, click OK, then OK on the Addition.txt pop-up screen.
      - Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

      ======================================================

      STEP 3 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
      - ComboFix.txt
      - FRST.txt
      - Addition.txt
  14. Hello, Your computer is heavily infected. Unfortunately, I must issue the following warning. Please have a read, and let me know how you wish to proceed.
  15. Hello a97virago, welcome to Malwarebytes' Malware Removal forum!

      My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:

      ======================================================

      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      - Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      - Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      - Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      - Please back up important documents before proceeding with my instructions.
      - If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      - Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
      - Ensure you are following this topic. Click at the top of the page.

      ======================================================

      STEP 1 Malwarebytes Anti-Malware (MBAM)
      - If you have not downloaded and installed the updated Malwarebytes Anti-Malware 2.0 please do so now.
      - Open Malwarebytes Anti-Malware and click Update Now.
      - Once updated, click the Settings tab and tick Scan for rootkits.
      - Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
        Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
      - If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
      - Upon completion of the scan (or after the reboot), click the History tab.
      - Click Application Logs and double-click the Scan Log.
      - Click Copy to Clipboard and paste the log in your next reply.

      STEP 2 TDSSKiller Scan
      - Please download TDSSKiller and save the file to your Desktop.
      - Right-click TDSSKiller.exe and select Run as administrator to run the programme.
      - Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
      - Click Start Scan. Do not use the computer during the scan.
      - If objects are found, change the action to skip.
      - Click Continue and close the window.
      - A log will be created and saved to the root directory (usually C:\). Copy the contents of the log and paste in your next reply.

      ======================================================

      STEP 3 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
      - MBAM log
      - TDSSKiller log
  16. Hello aagah, welcome to Malwarebytes' Malware Removal forum!

      My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:

      ======================================================

      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      - Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      - Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      - Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      - Please back up important documents before proceeding with my instructions.
      - If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      - Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.

      ======================================================

      Your machine is heavily infected. As such, I must unfortunately issue you the following warning. Please let me know how you wish to proceed.
  17. Holding shift prevents execution of files when the device is attached. It's not particularly relevant for Windows 8, but good practice nevertheless. No, I don't think so. But it isn't uncommon for this process to take a long time.
  18. BleepingComputer is probably the best place to share experiences with ransomware. The site was one of the first to report Cryptolocker, and has detailed articles and discussion topics on all types of file-encrypting ransomware.

      I don't know. This is the sort of question best asked in the BC discussion topic I linked earlier.

      To take additional precautions have a look at installing Sandboxie. You'll be able to open your USB drive in an isolated environment. No data can be written to your HDD unless you specifically allow it.

      There's no special procedure as such, but you may wish to do the following.
      - Install and run Panda USB Vaccine after reformatting. This will vaccinate your machine against autorun infections.
      - Install MCShield and Sandboxie.
      - Hold shift and insert your USB drive.
      - Run a scan with MCShield, avast! and MBAM, ensuring you select the option to scan external drives.
      - Open the USB drive in Sandboxie, and hand-pick each file to move onto your HDD.
  19. Hello,

      Have you added a new Network card, or updated Network drivers recently?

      Please do the following.

      STEP 1 CHKDSK (Alternative Method)
      - Press the Windows Key + s on your keyboard at the same time. Type CMD. Right-click CMD.exe and select Run as administrator.
      - In the command window type the following and press Enter on your keyboard.
        chkdsk c: /r
      - If you are prompted to schedule CHKDSK to run the next time the computer restarts, type y and press Enter on your keyboard.
      - Type Exit and press Enter on your keyboard.
      - Restart your computer. CHKDSK will automatically run.
        Note: This process can take up to an hour.
      - Press the Windows Key + r on your keyboard at the same time. Type eventvwr.msc and click OK.
      - Click Windows Logs.
      - Right-click Application and click Find.
      - If CHKDSK ran within Windows (you didn't have to restart the computer), type Chkdsk into the text field and click Find Next. The log should appear. Highlight the text, copy and paste in your next reply.
      - If CHKDSK ran after a restart, type Winlogon (XP) / Wininit (Vista/7) / Chkdsk (8) into the text field and click Find Next. The log should appear. Highlight the text, copy and paste in your next reply.
      For instructions accompanied by screenshots, please refer to the following article.

      STEP 2 Uninstall McAfee Anti-Virus
      - Download the McAfee Removal Tool, but do not run the programme.
      - Disconnect from the Internet.
      - Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
      - Search for any McAfee programmes, right-click and click Uninstall.
      - Follow the prompts, and reboot.
      - Run the McAfee Removal Tool.
      - Press the Windows Key + s on your keyboard at the same time. Type Windows Defender and click the programme.
      - Enable Windows Defender.
      - Reconnect to the Internet.
  20. OK, thank you aharonov. I didn't realise the user requested assistance at a different forum. The post was a little unclear, and sounded as if the user had copied a script written for another user. Thanks again for bringing this to my attention.
  21. Microsoft only provides Updates for MS software. Windows Operating System, IE, IE Flash Player (Adobe Flash Player incorporated into IE for Windows 8), MS Office, etc. Third-party software is not affiliated with MS or Windows Updates. If you are referring to MS software, the updates you receive will be relevant for your OS and the software you have installed. For example, a Windows 8 user without MS Office installed will not receive Windows Vista updates or MS Office updates.
  22. Hello, I answered your first Windows Updates question in my previous post. I have Updates to download only. I like to review the list of Updates before installing. There have been cases where an Update has rendered a machine unbootable, so I would rather check first. If you set Updates to download and install, you will be prompted to reboot within 24 hours, otherwise your machine will reboot itself.
  23. Sorry, there appears to be a slight misunderstanding on my part. We have another option you may be interested in. Download and install MCShield onto the infected machine. Backup your data, and run a scan to confirm the external drive is clean. Reformat/restore. Install MCShield again, insert your external drive and run a scan. MCShield is specifically designed to catch infections known to propagate via USB drives. http://www.mcshield.net/ Let me know how you get on. ------------------------- Regarding Windows Updates, you may find it more beneficial to break the Updates into segments, and install one segment at a time. You can start with the security updates, but the majority of Windows Updates are security patches in any case.