
cryptowall 2.0, Install_Tor, black screen after window start


beener7

Hi!

 

I am having some major issues with my husband's laptop:

 

1) I get a black screen after the Windows start-up

2) Infected with Cryptowall 2.0

3) Install_Tor has replaced all of my photos, documents, CAD files etc

4) I am unable to download anything

5) There are no back-ups of years of photos, documents etc - need to recover

 

 

FRST.txt

Addition.txt

mbam-log-2014-11-07 (16-21-59).xml

mbam-log-2014-11-12 (01-40-11).xml

mbam-log-2014-11-12 (10-22-10).xml

mbam-log-2014-11-12 (13-38-06).xml

mbam-log-2014-11-12 (19-19-03).xml

mbam-log-2014-11-13 (17-58-59).xml

protection-log-2014-11-07.xml

protection-log-2014-11-08.xml

protection-log-2014-11-09.xml

protection-log-2014-11-10.xml

protection-log-2014-11-12.xml

protection-log-2014-11-13.xml


Thank you for your reply. Are you going to be advising me on the removal of the CryptoWall and fixing the black screen after the Windows log-in (I cannot see my desktop), as well as figuring out why I am unable to download anything to my laptop, or are you a random reader posting a comment?

 

Ideally I would love some help in cleaning up any ransomware and/or viruses that are impacting the security and performance of my computer and then possibly seeing if I am lucky enough to utilize Shadow Volume Copies to restore my data prior to cryptowall.

 

I attached the FRST files, Addition notes and Malwarebytes information in my original request for help.

 

Thank you! - Aileen


  • Staff

Hello, 
 
As you mentioned the need to recover years of photos and documents, I felt it best we discuss this prior to beginning the malware removal process. 
CryptoWall 2.0 deletes all shadow volume copies on the machine. 
 

or are you a random reader posting a comment?

See, "Trusted Advisors" under my username. 

 

This machine is heavily infected. More so than most that post on this forum. Due to the nature of the multiple infections present, I suggest changing passwords and details for accounts recently used.

 
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: In the Encoding: drop-down box, select Unicode.
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Run FRST.exe.
  • Click Fix.
  • A log (Fixlog.txt) will be saved to same location as FRST. Copy the contents of the log and paste in your next reply.

  • Staff

Hello, 
 
Please work your way through the following steps. 
This should take care of any remaining malware. 
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 2
ComboFix

  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
     
  • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.
     

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
     

STEP 3
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     

STEP 4
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM log
  • ComboFix.txt
  • TDSSKiller log (attached!)
  • FRST.txt
  • Addition.txt

  • Staff

Hello Aileen, 
 
Please let me know how the PC is performing after completing the steps below. 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
Folder Options

  • Press the Windows Key + r on your keyboard at the same time. Type Control Folders and click OK.
  • Click View. Under Hidden files and folders
  • Place a checkmark next to Show hidden files, folders and drives.
  • Remove the checkmark next to Hide extensions for known file types.
  • Remove the checkmark next to Hide protected operating system Files (Recommended).
  • Click Apply followed by OK.
     

STEP 4
VirusTotal Upload

  • Please go to VirusTotal.com.
  • Click Choose File and locate the following file:
    • C:\Users\James\AppData\Local\AZworks\CSERHelper.dll
  • Click Scan it!.
  • If you receive the following notification: File already analysed click Reanalyse.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 
     

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[s0].txt
  • JRT.txt
  • VirusTotal Results
  • How is the PC performing? 

Well, I consolidated all of the information into a txt file in Notepad. I was unable to paste anything into this message area. If you need it copied and pasted, please let me know why I am unable to paste here. I could not locate anything in settings.

 

The computer seems to be working fast; some programs needed to go through a reinstall process. The only program that will not open is AOL.

 

As with each previous entry, thank you!

 

Aileen :)

 

 

Adwcleaner jrt virtual link.txt


  • Staff

Hi Aileen, 
 

I was unable to paste anything into this message area.

This is an issue with Internet Explorer. You're more than welcome to continue attaching your logs, but please do so individually. 
 
One thing we need to address is the ransom notes left by CryptoWall 2.0.
So we have a little more work to do, but should be done soon. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKLM - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = 
    Toolbar: HKU\S-1-5-21-1040828958-109840045-445669881-1000 -> No Name - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} -  No File
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\23697215.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\45611058.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\23697215.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\45611058.sys => ""="Driver"
    C:\Users\James\AppData\Local\Temp\{4574F1A1-98AD-408D-84E1-4C650785E1C3}.exe
    2014-11-06 12:46 - 2014-11-06 12:47 - 00000000 ____D () C:\Users\James\AppData\Local\AZworks
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Farbar Recovery Scan Tool (FRST) Search

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Type the following text into the Search: textbox:
    DECRYPT_INSTRUCTION.*;INSTALL_TOR.*
  • Click on the Search File(s) button.
  • Upon completion, a log (Search.txt) will be open, and saved in the same location as FRST.exe.  
  • Attach the file in your next reply. 
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • Search.txt (attached!)

I opted to run it under Unicode as opposed to waiting for a reply that may come later than I will be awake for. Also, I started a second thread for a desktop exposed to the same potential issues, as it was a mapped network drive. However, all of the files, photos etc. appear to be intact on the desktop. That posting was three days ago and has not yet had a reply. The instructions indicate I should notify a moderator if no reply is received within 48 hours. Would you be an appropriate contact?

 

Thank you!

 

Aileen

Fixlog.txt

Search.txt


  • Staff

Hi Aileen, 
 

I opted to run it under Unicode as opposed to waiting for a reply that may come later than I will be awake for.

Either way was fine. 
 

Would you be an appropriate contact?

I've put in a request for someone to take the topic on. I am unfortunately unable to do so myself. 
 
----------------
 
Step 1 will remove the ransom notes (all ~17,500 of them) from your computer. 
Do not be concerned by the number of detections in the ESET scan (Step 3). Most will be for the ransom notes we've already removed. 
 
Please let me know how your PC is performing after completing the steps below. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Please download fixlist.txt
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. This log will be very large. Ensure you attach the file in your next reply.
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • This log will be very large. Ensure you attach the file in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt (attached!)
  • MBAM Scan log
  • ESET Online Scan log (attached!)
  • Update on computer

  • Staff

Hello Aileen, 
 

except quickbooks is not working.

The programme may need to be uninstalled/reinstalled. CryptoWall could have encrypted files necessary for the operation of this software. 
 
Please rerun ESET using the same set of instructions; only this time, ensure Remove found threats is checked. Attach the log in your next reply.
 
------------------------------
 

No Anti-Virus Installed
 
------------------------------
 
Connecting to the Internet without an Anti-Virus is a risk to you and to everyone else as well. Your computer is susceptible to malware infections involving Botnets and Zombie Computers. Using Anti-Virus software will help minimize the risk and help prevent your computer from being used to pass on infections to other machines. When infected and compromised, malware spreads faster and more extensively, distributed denial-of-service (DDoS) attacks are easier to launch, spammers have more platforms from which to send E-mails and more zombies are created to perpetuate the cycle.
 
Nowadays, a multi-layered approach to security that incorporates Anti-Virus software is required to protect your computer from the latest threats. Many attackers today employ advanced techniques which involve sophisticated Backdoor Trojans and Rootkits to hide their presence on a computer. Without an Anti-Virus, your computer is not only more susceptible to infection, but you are also less likely to realise your computer is infected - sometimes the only symptom is an alert from your Anti-Virus. Please refer to the following articles for more information.

Please download and install ONE of the Anti-Virus programmes listed below. For a paid solution, my choice of Anti-Virus is ESET NOD32, and for a free solution, my choice of Anti-Virus is avast!. Please be aware that there is no universal "one size fits all" solution that works for everyone and there is no single best anti-virus. What works for one person may not work for another.

 
STEP 1
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

STEP 2
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ESET log
  • Did you install an Anti-Virus?
  • checkup.txt
  • How is your computer performing?

  • Staff

Hello, 
 
Please run this programme, and then attempt the scan again.

MiniToolBox

  • Please download MiniToolBox and save the file to your Desktop.
  • Close any open windows.
  • Right-Click MiniToolBox.exe and select Run as administrator to run the programme.
  • Check the following items:
    • [seven checkbox options shown as images in the original post]
  • Click Go.
  • A log (Result.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.

Hi!

 

Attached please find the log for the MiniToolBox. I tried the ESET once again and received the same error. I rebooted the machine, tried ESET again and received the same error. What should I do next?

 

As for your subsequent question regarding MBAM and cryptowall, I came into the infection after my husband was stymied. I found the cryptowall when looking to back-up some files before potentially wiping the laptop clean. He only used MBAM in the past and I included some logs in my initial dialog to you. Since I do not know exactly when the computer was infected I am not sure which log to send you. Are you able to narrow down the time frame so I can send you that data?

 

Thank you!

 

Aileen

eset issures 11-26.txt

Result11-26.txt


  • Staff
Hi Aileen, 
 
Don't worry about the MBAM log. :)
 
Please let me know how your PC is performing after running the script below. 
 
Farbar Recovery Scan Tool (FRST) Script
  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    C:\Program Files\WinZip\Utils\WzSysScan
    C:\Users\James\Desktop\cnet2_SetupDWGTrueView_exe.ex
    C:\Users\James\Music\Foster_The_People\Torches\DECRYPT_INSTRUCTION.HTML
    C:\Users\James\Music\Foster_The_People\Torches\DECRYPT_INSTRUCTION.TXT
    C:\Windows\Installer\1d1586.msi
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
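The FRST fixlist above removes two DECRYPT_INSTRUCTION files from a single music folder, but CryptoWall 2.0 writes a copy of that ransom note into every folder it encrypts. The following PowerShell script is an added example, not part of the original thread or of the staff member's instructions: it inventories every folder that holds a note (a map of what was encrypted, useful before deciding whether to wipe or attempt recovery), uses the note timestamps to narrow down when the encryption ran (the question raised earlier about which daily log to send), and lists any Volume Shadow Copies that survived. The scan root C:\Users, the report path on the Desktop and the assumption that the notes are still in place are all assumptions; adjust them for the machine.

```powershell
# Added example, not part of the original thread. Maps which folders CryptoWall 2.0
# touched by locating its ransom notes, brackets when encryption ran, and checks
# whether any Volume Shadow Copies survived. $Root and $Report are assumptions.
# Written to run on Windows PowerShell 2.0 (Windows 7 era), so no PS3+ syntax.
param(
    [string]$Root   = 'C:\Users',
    [string]$Report = "$env:USERPROFILE\Desktop\cryptowall_affected_dirs.csv"
)

# CryptoWall 2.0 drops DECRYPT_INSTRUCTION.TXT / .HTML (and a .URL shortcut) into
# every folder it encrypts, so the folders holding a note are a map of the damage.
$notes = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like 'DECRYPT_INSTRUCTION.*' })

if ($notes.Count -eq 0) {
    "No ransom notes found under $Root"
    return
}

# One row per affected folder: how many notes it holds and when they were written.
$affected = @($notes | Group-Object -Property DirectoryName | ForEach-Object {
    New-Object PSObject -Property @{
        Folder     = $_.Name
        Notes      = $_.Count
        WrittenUTC = ($_.Group | Sort-Object LastWriteTimeUtc | Select-Object -First 1).LastWriteTimeUtc
    }
} | Sort-Object WrittenUTC)

# Select-Object fixes the column order, which a hashtable-built PSObject does not keep.
$affected | Select-Object Folder, Notes, WrittenUTC | Export-Csv -Path $Report -NoTypeInformation
"{0} folders contain ransom notes; report written to {1}" -f $affected.Count, $Report

# The first and last note timestamps bracket the encryption run; that is the window
# to look at in the daily MBAM / protection logs.
$span = @($notes | Sort-Object LastWriteTimeUtc)
"Encryption ran between {0} and {1} (UTC)" -f $span[0].LastWriteTimeUtc, $span[-1].LastWriteTimeUtc

# CryptoWall deletes shadow copies; an empty list here means Previous Versions will not help.
vssadmin list shadows
```

Save it as a .ps1 and run it from an elevated PowerShell prompt (for example `powershell -ExecutionPolicy Bypass -File cryptowall_map.ps1`); vssadmin requires administrator rights, and the -Force switch is needed so hidden folders such as AppData are included in the walk. Run it before the fixlist deletes the notes, since the notes are the evidence it relies on.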

This topic is now closed to further replies.