Internet explorer applications opening without my consent in Task Manager

I received some help on here a few days ago regarding a ZeroAccess trojan that was filling my web history with links to malicious websites - and I’m sorry to say that something is going wrong with my computer again.

My internet connection started acting up, which isn’t unusual considering my awful ISP, but then I noticed something odd - even when I had nothing running, sound was playing out of my speaker (an advertisement is what it sounded like). My speakers do pick up radio transmissions at random times, but this was playing on the sound mixer. I opened up the Task Manager and found eight applications of Internet Explorer running without my knowledge or consent. I immediately disconnected myself from the internet, though the tabs kept opening (though they said that I wasn’t connected to a network). The only way I could close these tabs was through the processes section, though they came up as fast as I could end the process.

I ran a Malwarebytes scan (Which was pretty lucrative finding things) and restarted my computer. The problem doesn’t seem to be continuing, but I just want to be sure that I have removed this threat.

On an unrelated note, I am unable to activate any sort of firewall on my computer, though this has persisted for some time. I’m also unable to install Windows updates properly, though this, again, has persisted longer than my computer ghosting like this.

I’ve attached the Malwarebytes log.

https://forum.avast.com/index.php?topic=53253.0

Here are the requested logs.

Follow these steps to display hidden files and folders.

▪ Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
▪ Click the View tab.
▪ Under Advanced settings, click Show hidden files and folders, and then click OK.

The infection looks to have been downloaded yesterday at 1900

Locate and delete the following file/folder C:\Users\Josh\AppData\Roaming\麽鎒駓覜

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3991511301-474424968-620522679-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-11-08 19:00 - 2014-11-08 19:00 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 18:59 - 2014-11-08 19:38 - 00000000 ____D () C:\Users\Josh\AppData\Roaming\FrameworkUpdate7
2014-11-08 18:59 - 2014-11-08 19:00 - 00000424 _____ () C:\ProgramData\@system.temp
2014-10-28 19:18 - 2014-10-28 19:18 - 00000944 ____H () C:\ProgramData\@system2.att
2014-10-28 18:56 - 2014-10-28 18:56 - 00004034 _____ () C:\Windows\System32\Tasks\{1BAF1FEB-88C0-7799-BDD4-5CE84BAEF211}
2014-10-25 17:49 - 2014-10-25 17:49 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-25 17:48 - 2014-10-25 17:48 - 00000000 _____ () C:\Windows\system32\nahqur.dll
2014-10-25 17:47 - 2014-11-08 18:58 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
Task: {9629557F-098B-45EE-B84C-901E3C056B94} - System32\Tasks\{1BAF1FEB-88C0-7799-BDD4-5CE84BAEF211} => C:\Users\Josh\AppData\Roaming\xhfznct.dll/s "C:\Users\Josh\AppData\Roaming\xhfznct.dll" <==== ATTENTION
C:\Users\Josh\AppData\Roaming\xhfznct.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and run farbar service scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
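The file-listing lines in the fixlist above carry creation and modification times, which is what makes it possible to date when each artifact landed. As an added example (not part of the original thread and not FRST's own code), this Python sketch parses that line layout, as inferred only from the lines quoted here, and groups the listed items by creation day; the sample lines are copied from the fixlist.

```python
import re
from datetime import datetime

# Layout inferred from the listing lines quoted in this thread (an assumption,
# not a published FRST spec): created - modified - size attributes () path
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r" - (\d+) ([A-Z_]{5}) \(.*?\) (.+)$"
)
FMT = "%Y-%m-%d %H:%M"

# Sample input: four listing lines and one directive copied from the fixlist above.
SAMPLE = r"""
2014-11-08 19:00 - 2014-11-08 19:00 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 18:59 - 2014-11-08 19:38 - 00000000 ____D () C:\Users\Josh\AppData\Roaming\FrameworkUpdate7
2014-10-28 18:56 - 2014-10-28 18:56 - 00004034 _____ () C:\Windows\System32\Tasks\{1BAF1FEB-88C0-7799-BDD4-5CE84BAEF211}
2014-10-25 17:48 - 2014-10-25 17:48 - 00000000 _____ () C:\Windows\system32\nahqur.dll
EmptyTemp:
"""

def parse_listing(text):
    """Return listing records sorted by creation time; non-listing lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # directives such as EmptyTemp:, CMD:, registry entries
        created, modified, size, attrs, path = m.groups()
        records.append({
            "created": datetime.strptime(created, FMT),
            "modified": datetime.strptime(modified, FMT),
            "size": int(size),
            "hidden": "H" in attrs,      # attribute column, e.g. ____H
            "directory": "D" in attrs,   # attribute column, e.g. ____D
            "path": path,
        })
    return sorted(records, key=lambda r: r["created"])

def activity_by_day(records):
    """Group paths by creation date to show when each wave of artifacts appeared."""
    days = {}
    for r in records:
        days.setdefault(r["created"].date().isoformat(), []).append(r["path"])
    return days

if __name__ == "__main__":
    for day, paths in activity_by_day(parse_listing(SAMPLE)).items():
        print(day, len(paths), "item(s)")
        for p in paths:
            print("   ", p)
```
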

Here are the requested logs, and the requested file has been deleted.

Download bfe.reg from here https://dl.dropboxusercontent.com/u/73555776/BFE.reg to your desktop
Double click the file and allow it to merge with the registry

Once done could you re-run FSS and attach the log

What problems are you now experiencing ?

When I click on the link you have given me I’m led to a wall of code/text.

Am I supposed to copy this to notepad, or am I simply doing something wrong?

Are you using FF or IE to download it ? When you click the link it should download a reg file. If it does not then right click the link and select save target as

I’m receiving an error message saying that the registry cannot be accessed.

Also, when I tried to download it with IE I was told my security settings would not allow me to download it.

Essex…


http://i.imgur.com/EZJ7Pqv.png

That’s what happens if you Left Click the Dropbox link you put in. (Chrome)

Hmm downloads quite nicely with my IE

OK let’s try ESET service repair

Download this programme to your desktop http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
Run the programme and allow it to do the repairs

Alright, I’ve run the program, and here is the log it produced.

Hmm I guess that tool will save me writing reg fixes now :)

How is the computer behaving now ?

I still can’t turn on firewalls, and I’m in the process of trying to install Windows updates and seeing if they will configure on my computer.
Whenever Windows tries to configure updates at the startup screen, it will always get to about 14 percent and then claim it has failed, afterwards it restarts. (Most all of the updates seem to be security related…)

Upon trying to activate Windows Firewall I am given an error message stating the firewall cannot be turned on automatically, and prompts me to do it manually. If I attempt to do it manually, however, I am given the following error message: Windows Firewall can’t change some of your settings. Error Code 0x80070433
Avast’s firewall will not turn on either.

Outside of this everything is running normally.

Something possessed me to do another Malwarebytes scan as IE was acting up with me still being connected to the internet.

Everything that was detected was labeled as a Ransom Trojan.

I was requested to update Malwarebytes and did so, though I have not been to any suspicious websites between the two scans, nor have done anything out of the ordinary. I have literally no idea where this came from. (Also I was greeted with a Microsoft Visual C++ error on start up - this has never happened before.)

I’ve attached the Malwarebytes scan.

I’m wondering if I should take this computer to a repair place concerning all of the issues it is currently having. All of these issues seem to have come up within the past 2-3 weeks, though I’ve gone without a firewall since July is what it seems like. According to Windows, I last successfully installed updates around that time. I get the feeling something is really messed up due to that. (I apologize if I come off as a bit paranoid - all of this has been a bit jarring.)

Alright, so the ransomware in my computer was CryptoWall, according to the ransom note in my picture’s file that is written in beautifully composed engrish.

On the bright side, it seems I’ve managed to contain it before it encrypted every form of media on my PC. (Half of my videos and downloads still exist)

EDIT: I’ve looked through some information on this, and was able to restore my pictures and music, but the biggest problem I am having is all of my games on my computer are unplayable due to this. (I’ve fixed this without having to restore my program files, so everything’s good from this aspect.)

Could you run a fresh FRST scan please

Here are the logs from the FRST scan.

OK let’s now clear the rest … Once done could you let me know what problems remain

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2014-11-09 21:11 - 2014-11-09 21:11 - 00008516 _____ () C:\Users\Josh\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-09 21:11 - 2014-11-09 21:11 - 00004198 _____ () C:\Users\Josh\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-09 21:09 - 2014-11-09 21:09 - 00008516 _____ () C:\Users\Josh\AppData\Local\Apps\DECRYPT_INSTRUCTION.HTML
2014-11-09 21:09 - 2014-11-09 21:09 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-09 21:09 - 2014-11-09 21:09 - 00004198 _____ () C:\Users\Josh\AppData\Local\Apps\DECRYPT_INSTRUCTION.TXT
2014-11-09 21:09 - 2014-11-09 21:09 - 00004198 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-09 21:07 - 2014-11-09 22:09 - 00000000 ___HD () C:\dd5841f
2014-11-09 21:06 - 2014-11-09 21:06 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-28 21:48 - 2014-10-28 21:48 - 00000000 ____D () C:\ProgramData\IatozIyuqi
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Here are the requested logs.

Just to let you know, I ran a program similar to adwarecleaner when I first found the ransom text file- I’ve attached a log it has produced.
I understand this probably wasn’t advisable, and I apologize if this creates an inconvenience for you.

Avast still cannot activate its firewall.
Windows update is acting odder than usual.

The only sign of the ransomware are the copies of the text file it has left in my folders. I delete them as I come across them. All of my files have been decrypted or deleted (Deleted by me, not by the malware).