system
November 7, 2014, 5:12pm
1
Hello,
I read the other threads on this topic with replies by essexboy. I have attached my logs from Farbar. Would someone please help me with a fixlist.txt file. I see the entries I need to resolve the group policy problem, but I wonder if there are other entries in the logs that should be included in the fixlist that I’m unaware of.
Thank you so much.
You have encryptor malware as well; do you have a backup of your data?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [11c08d] => C:\11c08dd\11c08dd.exe [258432 2014-11-06] (Company name goes here)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evdtion] => C:\Users\Barbie\AppData\Local\Evdtion\msiexec.exe [163232 2014-11-06] ()
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\RunOnce: [*1c08dd] => C:\Users\Barbie\AppData\Roaming\11c08dd.exe
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - No File
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00008536 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00004208 _____ () C:\Users\Barbie\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Downloads\INSTALL_TOR.URL
2014-11-06 18:52 - 2014-11-06 18:52 - 00000272 _____ () C:\Users\Barbie\Documents\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00008536 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00004208 _____ () C:\Users\Barbie\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\Roaming\INSTALL_TOR.URL
2014-11-06 18:48 - 2014-11-06 18:48 - 00000272 _____ () C:\Users\Barbie\AppData\INSTALL_TOR.URL
2014-11-06 18:47 - 2014-11-06 18:47 - 00008536 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:47 - 2014-11-06 18:47 - 00004208 _____ () C:\Users\Barbie\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:47 - 2014-11-06 18:47 - 00000272 _____ () C:\Users\Barbie\AppData\Local\INSTALL_TOR.URL
2014-11-06 18:10 - 2014-11-06 18:10 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-06 18:10 - 2014-11-06 18:10 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-06 18:10 - 2014-11-06 18:10 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\PakuPutpi
2014-11-06 17:58 - 2014-11-06 17:58 - 00000000 ____D () C:\ProgramData\BayoRyomi
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Evdtion
2014-11-06 17:45 - 2014-11-06 17:45 - 00000000 ____D () C:\Users\Barbie\AppData\Local\Esxgtion
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\JozcUqawo
2014-11-06 17:44 - 2014-11-06 17:44 - 00000000 ____D () C:\ProgramData\ForpEzuze
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ___HD () C:\11c08dd
2014-11-06 17:41 - 2014-11-06 17:41 - 00000000 ____D () C:\Users\Barbie\AppData\Roaming\FrameworkUpdate7
CustomCLSID: HKU\S-1-5-21-124788536-2644335351-2029234871-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run
https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG
Select the file type you wish to decrypt and then follow the instructions
FINALLY
Download and run farbar service scanner
https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run from.
Please copy and paste the log to your reply.
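As an added example (my own code, not part of the thread and not anything FRST ships), a small Python triage pass over FRST-style lines like the ones quoted above: it flags the patterns the fix targets, i.e. software restriction policies aimed at security products, regsvr32 autostarts registering non-DLL files, and the rundll32 javascript: CLSID hijack, plus autostarts with no publisher or a system binary name living outside C:\Windows. The sample lines are copied from this thread's log excerpts; the heuristics and the names classify/triage are assumptions of the example, not FRST functionality.

```python
import re

# Constructed sample: FRST lines copied from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [11c08d] => C:\11c08dd\11c08dd.exe [258432 2014-11-06] (Company name goes here)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evdtion] => C:\Users\Barbie\AppData\Local\Evdtion\msiexec.exe [163232 2014-11-06] ()
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)
CustomCLSID: HKU\S-1-5-21-124788536-2644335351-2029234871-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)
"""

RUN_RE = re.compile(r"^HK(?:U|LM|CU)\\.*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
GPO_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?)(?: <=+ ATTENTION)?$")
META_RE = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\]\s*\((?P<pub>[^)]*)\)\s*$")  # FRST's "[size date] (publisher)"
SECURITY_TOOLS = ("malwarebytes", "avast")
SYSTEM_NAMES = {"msiexec.exe", "svchost.exe", "explorer.exe"}  # names that belong under C:\Windows

def classify(line):
    """Return the reasons a single FRST line deserves a second look ([] if it looks routine)."""
    line, reasons = line.strip(), []
    gpo = GPO_RE.match(line)
    if gpo:  # software restriction policy entries that block security products, as in this thread
        if any(t in gpo.group("path").lower() for t in SECURITY_TOOLS):
            reasons.append("software restriction policy blocks a security tool")
        return reasons
    if "rundll32.exe javascript:" in line.lower():
        reasons.append("rundll32 javascript: autostart (fileless, Poweliks-style)")
    run = RUN_RE.match(line)
    if not run:
        return reasons
    cmd, publisher = run.group("cmd"), None
    meta = META_RE.search(cmd)
    if meta:  # split off FRST's trailing size/date/publisher metadata
        cmd, publisher = cmd[:meta.start()], meta.group("pub").strip()
    low = cmd.lower()
    end = low.find(".exe")  # the launched executable ends at the first ".exe"
    exe = low[:end + 4].strip('"') if end >= 0 else low
    args = cmd[end + 4:].strip().strip('"') if end >= 0 else ""
    exe_name = exe.rsplit("\\", 1)[-1]
    if exe_name == "regsvr32.exe" and not args.lower().endswith((".dll", ".ocx")):
        reasons.append("regsvr32 registering a non-DLL file: " + args)
    if exe_name in SYSTEM_NAMES and "\\" in exe and not exe.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows: " + exe)
    if publisher is not None and publisher in ("", "Company name goes here"):
        reasons.append("autostart with no real publisher")
    return reasons

def triage(text):
    """Run classify() over a whole log; return [(line, reasons)] for flagged lines only."""
    return [(l.strip(), r) for l in text.splitlines() if (r := classify(l))]
```

Running triage(SAMPLE_LOG) flags five of the six sample lines and leaves the Garmin tray entry alone, which is the distinction the thread later has to draw by hand.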
system
November 7, 2014, 7:20pm
3
The computer in question is my mother’s and I’m helping her via phone get it un-malware’d. She does have a backup of all of her data that is offline on an external hard drive from before this problem showed up (yesterday).
I’ll relay your instructions to her and get the new logs and an update back to you.
Thank you so much for the prompt reply.
I am glad she has a backup, as the encrypted files cannot always be decrypted; it affects pictures and documents.
system
November 7, 2014, 8:37pm
5
I had her look around in Windows Explorer for any HOWDECRYPT.* files in her documents folder and in her Windows folder (and on her external hard drive) and didn’t see any such files. I did not have her try to open any of her documents yet. Does the lack of HOWDECRYPT.* files suggest that it didn’t get far enough to “encrypt” or muck with her files?
I had her run the FRST fixfile (log attached)
I didn’t have her run Anti-CryptorBitV2 because I wasn’t sure she had any encrypted files (but she has it downloaded if you tell me to have her run it anyhow).
I had her run FSS (log attached)
Of note, when she ran FRST with the fixfile, the computer rebooted and when it finished there was at least one Windows dialog saying it couldn’t find some file. I had her close it and didn’t think to write down what the actual message was. Sorry.
I have not had her reboot since running FSS, so I don’t know if the problem will still be there. I didn’t want to take any steps that might hamper the recovery you are directing.
Go for a reboot now and then let me know how the computer is behaving.
Once rebooted, download this small programme from tweaking.com http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html to the desktop.
Run the programme and on completion reboot, then run one further FSS scan please.
system
November 7, 2014, 9:54pm
8
The error dialog boxes in Windows continue to show up after the first boot and after running the tweaking.com program and rebooting. Same errors before and currently. The error dialogs are:
RegSvr32
The module
C:\Users\Barbie\AppData\Local\...\DRMGLWeb16.dll
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.
The specified module could not be found.
RegSvr32
The module
C:\ProgramData\JozcUqaweo.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.
The specified module could not be found.
RegSvr32
The module
C:\ProgramData\BayoRyomi\BayoRyomi.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.
The specified module could not be found.
RegSvr32
The module
C:\ProgramData\PakuPutpi\PakuPutpi.dat
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.
The specified module could not be found.
RegSvr32
The module
C:\Users\Barbie\AppData\Local\Es...\wsMaindll32.dll
failed to load.
Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.
The specified module could not be found.
Also, I have attached the latest FSS.txt file
OK, could I have a fresh FRST log and I will kill those.
EDIT: Just realised what is causing that: Spybot is replacing the run keys. Could you temporarily uninstall it before we run the next fix?
system
November 7, 2014, 10:09pm
10
Here are the latest FRST logs.
Whoops, you forgot the main FRST.txt. Did you see my note about Spybot in my last post?
system
November 7, 2014, 10:19pm
12
Sorry, grabbed the wrong file to attach.
Will do with SpyBot.
TeaTimer also replaced the restrictions on Avast and MBAM.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Malwarebytes' Anti-Malware <====== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [JozcUqawo] => regsvr32.exe "C:\ProgramData\JozcUqawo\JozcUqawo.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [ForpEzuze] => regsvr32.exe "C:\ProgramData\ForpEzuze\ForpEzuze.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Esxgtion] => regsvr32.exe C:\Users\Barbie\AppData\Local\Esxgtion\wxMaindll32.dll <===== ATTENTION
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [Evzftion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Barbie\AppData\Local\Evdtion\DRMGLWeb16.dll
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [BayoRyomi] => regsvr32.exe "C:\ProgramData\BayoRyomi\BayoRyomi.dat"
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [PakuPutpi] => regsvr32.exe "C:\ProgramData\PakuPutpi\PakuPutpi.dat"
2014-11-07 11:43 - 2014-11-07 11:43 - 00000000 ____D () C:\ProgramData\ForpEzuze
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
system
November 7, 2014, 10:25pm
14
Before I run this fix, can I ask why you are killing off:
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
and
HKU\S-1-5-21-124788536-2644335351-2029234871-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1095000 2013-12-13] (Garmin Ltd or its subsidiaries)
I can understand TeaTimer, although it should go away with uninstalling Spybot, but why the Garmin tray app? That is for my mom’s GPS synch features.
My apologies, delete the Garmin line only; the TeaTimer one is just to be doubly sure.
system
November 7, 2014, 10:33pm
16
No apology necessary. I am VERY grateful for your help in getting this resolved. New logs to follow…
Ta, the removal of that line would not have affected the programme in any way; just that the taskbar icon would not appear and would need to be reset.
system
November 7, 2014, 11:15pm
18
We uninstalled Spybot, rebooted, ran the fixlist, and it rebooted again. The dialogs are still popping up on boot and here is the latest fixlog.txt.
That is intriguing, as FRST is reporting the keys not found.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
system
November 9, 2014, 5:05am
20
I may not be able to get the latest instructions carried out for another 1-2 days. I have not given up on your help and I will report back when I get a chance to run ComboFix.