FBI/Moneypak Scam

Was hit, and locked up, by this twice:
09/07…Just rebooted, and it went away.
09/09…Persistent, had to reboot in safe mode. Avast ‘Behavior’ pop-up: Randll wgsdgsdgdsgsd.exe. Sent to Virus Chest, where it still is. Then ran full scans (with PUPS) via Avast free 7.0.1466, and Piriform SAS free 3.06.1433. No virus or threat found. Reran both 09/10 with same results.
But now, whenever I reboot I get pop-up saying, roughly: RANDLL…X Error loading wgsdgsdgdsgsd.exe…module not found (probably because it’s in the Virus Chest). I just X it out and all’s well. Ran Search for RANDLL; is pervasive, found 272 entries including 60 with RANDLL32 title, all the latter v short and dated 09/07-09/09…which seems suspicious to me. PC seems to run sl slower than usual, but not bad, may be my imagination.

I’m not concerned about that silly threat, but is that damn thing still on my PC? Would appreciate help (reassurance) on this. And what shd I do about those RANDLL32 entries?

PC is old (2004) Dell ON6381; OS XP Pro 32-bit SP3; Intel Pentium 4; RAM 512MB single DDR @ 166MHz per Speccy, but 2.80GHz (sic) per CCleaner; HD 78GB MaxtorGYO8OLO; I’m on BB. Speccy offers all (?) data if you need more.

Please help, Larry

> I'm not concerned about that silly threat, but is that damn thing still on my PC? Would appreciate help (reassurance) on this. And what shd I do about those RANDLL32 entries?

start a new topic in the virus and worms section ......and in that topic you do this

follow this guide and attach (not copy and paste) the requested logs http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR

then help will arrive there later today :wink:

So at least Avast Behaviour Shield is doing something :stuck_out_tongue: …glad to see it was able to get the ransomware :slight_smile:

:)PONDUS, don’t have these on my PC, so no logs to send.
And where do I find ‘virus and worms’? :slight_smile:

that is why my post had a link to all the info …click it …read it …download

someone here will help you…got to go to work :wink:

:)Hi again PONDUS…ty for your interest.

  1. I am usually v loath to dl all that stuff onto my PC, but will take and follow ur advice. This will take a while, but will get it done.
  2. I am like the avg guy behind the wheel: can drive well, but wd not contemplate taking the transmission apart. Also not used to navigating THIS site…eg, how do I ‘attach’ what to where, and how?
  3. Further, I am a v poor/slow typer. Don’t want to appear lazy, but is there some way I can move my post from Free/Pro/Suite to Virus/Worms? :-[

ok to make it easier we drop making a new post in the virus and worms section…
just attach the logs here to this…and i will notify the malware remover of your post here

  1. when the malware remover is done he will remove all tools used

below the box where you write in here you find an “attachments and others options”
click that when attaching

Just in case a screenshot can help you understand what Pondus meant… ;D

true indian: TY but I cannot read that even blown up 4X :slight_smile:

Pondus:

  1. ADWCLEANER…GOT ‘WARNING, unsafe site’ so did NOT dl.
  2. Malwarebytes…successful. Acted much like CCleaner, but found a TROJAN.RANSOM, which CC did NOT. Also found, as CC always does, that my MS updates is turned off (I want it off). Nothing else. Now in quarantine. Unfortunately, this log did not show up in ‘my documents’, but in Notepad, and I do not know how to ‘attach’ from Notepad… log still available if I find out how :-[

Very encouraging…will continue with the other dls ;D

Hi again Pondus,
This is continuation from previous…
(2a: incorrectly referred to CCleaner…was actually SuperAntiSpyware that is my usual malware hunter, and which did NOT find that TROJAN!)
3. Got lost in navigating, but finally got OTL. Followed instructions carefully and got scan. Can see nothing bad in that. Should I look for anything specific? Unfortunately, I cannot send that log to you; contains some v confidential items. Please do not consider me uncooperative.

Will continue with last scan: aswMBR.exe after an interruption for some work…I DID tell you I am SLOW :frowning:

Don't blow it up, just click on the picture

You can attach the OTL log and as soon as I have analysed it you can remove it from the thread

> 1. ADWCLEANER...GOT 'WARNING, unsafe site' so did NOT dl.

what gave that warning?

you can copy and paste malwarebytes and aswMBR log

OTL is the most important log here, but this you must attach as it is so big that it may take 10 posts with copy and paste to do and will also complicate Essexboy's work

OK, I’m about ready to quit this >:( These dls and scans are scattered all over my PC, and when I go to move one I lose something. Too complicated for me. This is like the farmer giving road instructions, but forgetting that the Big Oak was cut down :slight_smile:

craigb…TY I knew there must be a simple way to view that, so call me simple :slight_smile:

Pondus
(1a the ADWCLEANER gave the red WARNING when I pressed ‘run’.)
4. I managed to dl aswMBR.exe, and it scanned. Finally found log file in Doc&Set. Have attached it here, I think…will see when it is sent.

Can we make a guess with what you now have?

the AdwCleaner is not that important…Essexboy will see the same stuff in the OTL log …but depending on what it removed would make the OTL fix script smaller

so now we have aswMBR log

if you manage also attach or copy and paste Malwarebytes log …if the program does not find and remove anything then you can drop that log

and the most important OTL.txt

Hi again Pondus
(3a found the OTL scan logs)
Am gaining some confidence in this; maybe I’m not so stupid :slight_smile:
If the files come through, please be sure to DELETE them when you finish with them…they will still be here on my PC…somewhere :slight_smile:

Now another problem: ‘file is too large’…now what?

will try sending only the txt file

Tried sending ‘X-file’ :slight_smile: too large…limited to 190KB ???

OK let's now start to remove it… I will clear all tools once we are done

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
[2012/06/20 23:31:40 | 000,000,000 | ---D | M] (Web Assistant) -- C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
[2002/09/03 15:50:45 | 000,004,819 | ---- | M] () (No name found) -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\q2x3nuf8.default\extensions\pxrruksrrw@pxrruksrrw.org.xpi
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O3 - HKU\S-1-5-21-1085031214-1844237615-725345543-1003\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe

:Files
C:\Program Files\Web Assistant

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

- Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished …
- Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

- The report has been created on the desktop.

- Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

- The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Hi essexboy, welcome to my problems.

I gather that I (surprisingly) sent you enough info to analyze my problem, and hope you will not be underwhelmed by my lack of expertise here. I’m over 80 but feel under 8 in this mix-up. But I’m learning. If you are careful to dot the t’s and cross the i’s in your instructions I wd be most appreciative. I’ll do my best.

  1. Are we just chasing down this virus or making more fixes to my PC? Shd I anticipate any major changes in my programs? And according to CCleaner my Registry is a mess, but I’m afraid to ‘fix’ it.
  2. OTL seems clear, but to be certain: a) does ‘shut down all processes’ include Avast, etc? b) I gather I’m not to change anything in the initial set-up, but I shd copy/paste the entire (bluish) box at bottom from :OTL through [reboot]; c) after quick scan, where will this log show up?
  3. RogueKiller: a) To get it on my DT, is that an option while dling?; b) I am on IE8…where is this Smartscreen Filter, and how do I disable it?; c) two reports after Scan, one before and one after ‘delete’?; d) and a third after ShortcutsFix, correct?

I realize these questions are basic (infantile) but I’d rather not be as embarrassed as I was after the first go-around :slight_smile: :-[ Will start, and await your answers anxiously.