
"READ TO DECRYPT!" infection



I don't like that.

It shows them still there.

Let's try the following program which will help us figure out more of what's going on with your computer and go from there.

Combofix will scan the computer for various types of threats.

Vista and Windows 7 / 8 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from this link

Click the link and select Save.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

IMPORTANT !!! Save ComboFix.exe to your Desktop

Note: Be sure to select Save as Type > All Types

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216

Double click on ComboFix.exe & follow the prompts.

Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

Note: If you have XP SP3, use the XP SP2 package.

Vista, Windows 7 or 8, skip the Recovery Console part

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Click on Yes, to continue scanning for malware.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

When the tool is finished, it will produce a report for you.

Please attach the C:\ComboFix.txt log on your next reply so that we can continue checking and cleaning the system.

Please save using the default Notepad format,

DO NOT USE WORD or any other office type of software.

DO NOT COPY & PASTE the log, send it as an attachment.

Reply to THIS ticket, DO NOT create a new one.

**Also please describe how your computer behaves at the moment.**


Before I run the new utility, I wanted to let you know that I have noticed a new startup program that runs all of the time since infection and I can't seem to stop it from running. It includes a blue star icon in the system tray next to my clock and when I run my mouse over it, it displays the message "Unable to complete genuine Windows validation". When I click on it, it offers the choices of "Validation Failure details (online)", "Benefits of Genuine (Online)" and "Change Notification Settings (Online)". Each selection takes you to what looks like an official Microsoft website, but I did not go any further into them than just looking. This seems very suspicious also.

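When a user reports an unfamiliar startup program, the first thing a helper usually wants is a list of what actually launches at logon and where each entry lives. The script below is an added example, not code from the forum thread or from any tool mentioned in it; it enumerates the standard Run/RunOnce registry keys and the per-user and all-users Startup folders, then hashes each launched binary so the entry can be reported precisely. It assumes PowerShell 4.0 or later (for `Get-FileHash`) and, if you want it run as-is, an elevated prompt so HKLM values are readable.

```powershell
# Added example (not from the thread): list Windows autostart entries and hash
# the executables they launch, so a suspicious startup item can be reported.
# Assumes PowerShell 4.0+ for Get-FileHash; run elevated to read HKLM fully.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Pull the program path out of a Run-key command line, quoted or not.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $space = $cmd.IndexOf(' ')
    if ($space -gt 0) { return $cmd.Substring(0, $space) }
    return $cmd
}

function Get-FileSha256 {
    param([string]$Path)
    # Hash only real files; missing targets are themselves worth reporting.
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return $null
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables(
                       (Get-ExecutablePath -CommandLine ([string]$p.Value)))
            $entries += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
                Target   = $exe
                Sha256   = Get-FileSha256 -Path $exe
            }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
            $entries += [pscustomobject]@{
                Location = $folder
                Name     = $f.Name
                Command  = $f.FullName
                Target   = $f.FullName
                Sha256   = Get-FileSha256 -Path $f.FullName
            }
        }
    }
    return $entries
}

# Print the table; a null Sha256 means the launched file could not be found.
Get-AutostartEntries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Entries whose target is missing, lives under a user profile or temp directory, or carries a hash unknown to the helper are the ones to mention in the reply; the script only reads, it does not remove anything, so it is safe to run before a cleanup tool.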

Looks like Combofix found some junk as well.

Check your Firefox extensions and delete sweetpacks if you don't use it.

Add this to your browsers

Firefox:

AdBlock and NoScript

https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

IE:

https://adblockplus.org/releases/adblock-plus-10-for-internet-explorer-released

Chrome:

https://adblockplus.org/category/adblock-plus-chrome/

We need to uninstall ComboFix to totally remove what it found.

This will cause combofix to run again just enough to uninstall itself.

Click START run

Now type **ComboFix /Uninstall** in the run box and click OK. Note the space between the X and the /; it needs to be there.

**Let me know how it's running now**

