Hello guys and gals.

Working on a customer's machine, and it now has my record for viruses/bots and recovery record.

I'm getting random Avast warnings of mal:… they get blocked.
I'm setting Chrome as the main browser.
I am using Avast free and MWB… and Spybot 1.6…

thanks in advance.

Hi ecash.

Don't see essexboy connected. It is very late in the UK right now. I am afraid you will have to wait until tomorrow for help.

Hey, a small tip: remove Spybot, it's no good anymore; it can't keep up with the malware out there today. Plus it may create some problems for the expert who will help you, so please remove it.

Thanks :wink:

Also remove everything from those thieves of IObit.
https://forums.malwarebytes.org/index.php?/topic/29681-iobit-steals-malwarebytes-intellectual-property/

Unfortunately this one was hit by ransomware. Have you been able to recover any documents ?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3018225747-99246241-2890599244-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
Toolbar: HKLM - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
2015-03-16 02:45 - 2015-03-16 14:53 - 00000000 ____D () C:\ProgramData\10756059261015101918UL
2015-03-18 04:40 - 2010-10-11 19:32 - 00000000 ____D () C:\2eb768383a0da5998fb385d27bdbfa
2015-03-18 04:39 - 2010-09-27 22:12 - 00000000 ____D () C:\fc0639012eda485d7bb6ce300b
2015-03-18 04:38 - 2009-11-09 23:28 - 00000000 ____D () C:\df30ff8bcf3746ab72f05871089a9cb5
2015-03-18 02:58 - 2011-11-01 21:36 - 00000000 ____D () C:\Users\Sally\AppData\Roaming\PC Unleashed Online
Task: {2BCD5C0A-16F1-4A23-951F-B5CD460D6E0C} - System32\Tasks\Bomgar Task 1383494 => Iexplore.exe http://remote.iyogi.net/session_complete.ns?lsid=h%3D30b56f5418ba98ad8bdbe2d9345759b821d0b039%3Bl%3D0d35ca19dd2d4fd5916eae0ec9ffcb99%3Bm%3Dsdcust%3Bt%3Dsd
Task: {6EE3A775-FFE5-4ADA-9FBE-0153D1757356} - \TrustedInstaller Update 2 No Task File <==== ATTENTION
Task: {A13F5D1C-D7A0-4645-87CC-77CA64F15328} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {C893A463-B92A-4303-B3CC-4D180C06AC01} - \AdobeFlashPlayerUpdate 2 No Task File <==== ATTENTION
Task: {CF0A43B2-436A-4EBE-92AA-FC12573ACBAF} - \TrustedInstaller Update No Task File <==== ATTENTION
Task: {CF3953FB-1106-45D1-9791-A6E331AA712C} - \AdobeFlashPlayerUpdate No Task File <==== ATTENTION
Task: {D48CD0F2-54C1-45C2-AF03-47A6C34BEA0D} - \The Bluetooth service discovery No Task File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
R2 mfevtp; C:\Windows\system32\mfevtps.exe [167344 2012-10-29] (McAfee, Inc.)
R0 McPvDrv; C:\Windows\system32\Drivers\McPvDrv.sys [61688 2008-05-28] (McAfee)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [132912 2012-10-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565352 2012-10-29] (McAfee, Inc.)
2015-03-26 19:25 - 2007-10-18 02:21 - 00000000 ____D () C:\ProgramData\Symantec
2015-03-26 19:25 - 2007-10-18 02:21 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2015-03-18 02:45 - 2008-11-19 14:18 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-18 02:26 - 2014-06-15 22:04 - 00000000 ____D () C:\Program Files\pcmax
2015-03-15 04:51 - 2010-01-02 00:39 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2015-03-15 04:51 - 2008-12-27 18:55 - 00000000 ____D () C:\Program Files\McAfee
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png
Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

  1. Enter the IDTool directory, right-click on the IDTool icon (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png) and select Run as Administrator (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) to start the tool.
  2. IDTool needs the Microsoft .NET Framework to work properly, so if prompted to download and install it, please agree.
  3. Wait patiently until the tool has collected the necessary data.
  4. Once the main console is loaded, please press Rescan Computer and Generate a New Report.
  5. When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
  6. Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include those contents in your next reply.

I use the old version of the tools. It also finds a few things others have forgotten.
It also looks at startup, and can find invisible inserts (most times).

As for IObit… I agree. It's spamware…

Logs…

IDTOOL,

Infection Detection Tool v1.6 - Nathan Scott

Date/Time: 3/28/2015 3:18:06 PM
Operating System: Windows Vista
Service Pack: Service Pack 2
Version Number: 6.0
Product Type: Workstation

[Detected Flags]
1.| Possible CryptoWall Flag , HKCU\Software\DAE69208913ED8FC59075A05C93A5256\0023555556799AAC

How is the computer behaving at the moment ?

I would like to run a quick check on the services

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete HKCU\Software\DAE69208913ED8FC59075A05C93A5256 /f

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download and run Farbar Service Scanner.

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Running FAIR…
Still getting popup notes from Avast, blocking about 4 locations…
First time, after the fix, loaded Chrome, and 4 tabs came up to locations no longer available…

will reset…try again…

After reset, still getting the popups…
Could take a few pics…

It would be nice if Avast would let me click and copy it…

Or a program to capture program activation… and tell me what brought it up.
It's interesting that it's using the primary browser, but not the secondary…
Will look up Chrome reset…

Is this just in Chrome? If so, then it has been corrupted.

Re-install Chrome

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall Chrome. Note: When asked about user data or settings you must remove this also, so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

I will try 2 things…
It has never had a google account set up…

I will swap the Primary to FF…
See what happens.
Then erase chrome…
reset and see if FF gets infected.

This was a full cleaning; there isn't much on this machine… anymore.
There is a backup DIR, but it looks like it might be corrupted… as there are all those ransomware titles inside it…

Alas there is no help for the encrypted files

OK…
tried something…

When I added chrome, there had been an older version on…
I looked at ext…
There was a strange adblock program… PIC ADDED…

I turned it off and one I recently added…
No more notices, so far…
Don't know if it KILLED the main problem, but no more notices from Avast…

Ok, so there is progress in the right direction.
Good to hear of course.
But please run Farbar again and attach the new logs so we can have a look at how things are now.

file attached

I and a few others were doing this stuff about 10 years ago…
HJT and a few other programs at the time…
On design technica, when they had forums…

I learned to hate ONLINE tech support.
People thinking we had all the answers…for most windows problems…
Then trying to get a Fair description of what was happening with the computers.

Good luck guys, you will need it.

Ah it was the FRST needed not FSS :slight_smile:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  1. Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  2. Select additions at the bottom.
  3. Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  4. It will produce a log called FRST.txt in the same directory the tool is run from.
  5. Please attach both logs generated.

Attached

This will get the last. Adblock Plus is a legitimate adblocker :slight_smile:

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3018225747-99246241-2890599244-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File []
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File []
CMD: del /F /Q /S "C:\HELP_DECRYPT.TXT"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
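The fixlists in this thread all chase the same four kinds of leftover: CryptoWall's HELP_DECRYPT.* ransom notes, the hex-named key under HKCU\Software that IDTool reported as a "Possible CryptoWall Flag", the Internet Explorer policy restrictions FRST marks with ATTENTION, and scheduled tasks whose task file is missing ("No Task File"). The script below is an added, read-only audit for those indicators so you can confirm a cleaned machine stays clean; it is not part of the thread and is not FRST or IDTool code. It assumes an elevated PowerShell prompt, and the CryptoWall key pattern (a 32-hex-character subkey with 16-hex-character children) is modelled on the one key named in this thread, not on a vendor-published signature.

```powershell
# Added example, not from this thread and not FRST/IDTool code: read-only audit
# of the indicators the fixlists above remove. Run elevated; it changes nothing.
# Assumption: the CryptoWall marker pattern below is taken from the single key
# IDTool reported in this thread, not from a vendor signature.

$findings = New-Object System.Collections.ArrayList

# 1. Ransom notes. CryptoWall drops HELP_DECRYPT.TXT/HTML/PNG/URL into the
#    folders it encrypts; the fixlists remove them with "del /S" from C:\.
Get-ChildItem -Path 'C:\' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '^HELP_DECRYPT\.(TXT|HTML|PNG|URL)$' } |
    ForEach-Object { [void]$findings.Add("RansomNote   : $($_.FullName)") }

# 2. CryptoWall marker key (the "Possible CryptoWall Flag" IDTool reported):
#    a 32-hex-char key directly under HKCU\Software holding 16-hex-char subkeys.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{32}$' } |
    ForEach-Object {
        $children = Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^[0-9A-F]{16}$' }
        if ($children) { [void]$findings.Add("CryptoWallKey: $($_.Name)") }
    }

# 3. Internet Explorer policy restrictions (FRST's "Policy restriction" lines).
#    Domain Group Policy legitimately populates these too, so a hit means
#    "review", not "malicious"; on a home machine they are usually malware-set.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)
foreach ($key in $policyKeys) {
    if (Test-Path -Path $key) {
        $count = @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue).Count
        [void]$findings.Add("IEPolicy     : $key ($count subkeys)")
    }
}

# 4. Orphaned scheduled tasks (FRST's "No Task File"): a Task Scheduler cache
#    entry whose XML definition under %windir%\System32\Tasks no longer exists.
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskRoot  = Join-Path -Path $env:windir -ChildPath 'System32\Tasks'
Get-ChildItem -Path $taskCache -ErrorAction SilentlyContinue | ForEach-Object {
    $taskPath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Path
    if ($taskPath) {
        $taskFile = Join-Path -Path $taskRoot -ChildPath $taskPath.TrimStart('\')
        if (-not (Test-Path -LiteralPath $taskFile)) {
            [void]$findings.Add("OrphanTask   : $($_.PSChildName) -> $taskPath (no task file)")
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Sort-Object }
```

The disk walk in step 1 is the slow part; on a large drive expect several minutes. Only HKLM and HKCU are checked for policy keys, so the HKU\.DEFAULT and other-user hives that the fixlists touch are not covered unless you map HKEY_USERS with New-PSDrive and add them to the list.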