Malicious Website blocked messages

Hello, I’m getting the messages pretty regularly. They started about a week ago and the next day docs, pics, etc. were encrypted by someone demanding money. (I didn’t respond to them.) I’ve attached the logs, however, the aswMBR scan is still running and it’s been over 2 hours. Thank you!

Hello,

You may stop the aswMBR scan.

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

• Enter the IDTool directory, right-click on the IDTool icon and select Run as Administrator to start the tool.
• IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree.
• Wait patiently until the tool has collected the necessary data.
• Once the main console is loaded, please press Rescan Computer and Generate a New Report.
• When prompted at the main bar that the Rescan is completed, press Generate Text Friendly Report for Forums.
• Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include those contents in your next reply.

Thanks magna,

The scan still hasn’t shown completed as my computer is running pretty slow. Here’s what the results show so far:

Infection Detection Tool v1.6 - Nathan Scott

Date/Time: 11/15/2014 7:51:44 PM
Operating System: Windows 7
Service Pack: Service Pack 1
Version Number: 6.1
Product Type: Workstation

[Detected Flags]
1.| Possible CryptoWall Flag , HKCU\Software\40FD5585E5931FDC5E10156FDF458FBE\011455568BDEEFFF
2.| Possible CryptoWall Flag , C:\Users\Misty\Documents\DECRYPT_INSTRUCTION.HTML

I went ahead and restarted my computer…would you like me to try running the scan again?

Hi,

I have bad news for you. The tool has confirmed the former existence of CryptoWall 2.0. Its loading points are gone and the malware is no more, but the consequences behind it unfortunately remain.

Please read this info provided here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Take a peek into C:\Users\Misty\Downloads for files and delete all decrypt txt/html documents, and please take a peek into the C:\40fd558 folder. This ‘40fd558’ folder should contain 0 bytes (aka an empty folder) but it has the same timestamps.

As for the files themselves, they are decrypted and I can’t do much unfortunately.
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#decrypt

But I can remove the malware. The following FixList shall tell the FRST tool to target the malware leftovers.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-813805069-2741577078-3852799619-1000\...\MountPoints2: {2ecd4783-a6c3-11e2-93b2-003067e51687} - J:\setup.exe -a
HKU\S-1-5-21-813805069-2741577078-3852799619-1000\...\MountPoints2: {7085c6ad-56f8-11e4-a005-003067e51687} - J:\VZW_Software_upgrade_assistant.exe
CHR HKU\S-1-5-21-813805069-2741577078-3852799619-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Hosts:
CustomCLSID: HKU\S-1-5-21-813805069-2741577078-3852799619-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-813805069-2741577078-3852799619-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
EmptyTemp:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Next I would like you to run RogueKiller, the powerful app that shall re-check everything we have done with FRST and with Malwarebytes as the initial strike tool.

Please download RogueKiller from one of the following links and save it to your desktop:
http://www.bleepingcomputer.com/download/roguekiller/
http://www.geekstogo.com/forum/files/file/413-roguekiller/

• Close all programs and disconnect any USB or external drives before running the tool.
• Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
• Once the Prescan has finished, click Scan.
• Once the Status box shows “Scan Finished”, click the Delete button.
• When the Status box shows “Deleting Finished”, click the “Report” button to show the log.
• Copy and paste the report that opens into your next reply.
  The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_DEL_mmddyyyy_hhmmss.log
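Added example, not from the thread or from FRST: a small Python checker that flags FRST-style CustomCLSID/LocalServer32 entries whose server command is rundll32.exe with a javascript: argument (the Poweliks-style pattern called out in the fixlist above) and undoes the shift-by-one character obfuscation of the eval string. The sample lines are constructed; the first mirrors the thread's entry and the other two are benign entries made up for contrast.

```python
import re

# Constructed sample FRST-style lines. The first mirrors the CustomCLSID entry in the
# fixlist above (truncated as FRST prints it); the other two are benign for contrast.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-813805069-2741577078-3852799619-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'CustomCLSID: HKU\S-1-5-21-...-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\Vendor\app.exe',
    r'HKU\S-1-5-21-...-1000\...\Run: [OneDrive] => C:\Users\Misty\AppData\Local\Microsoft\OneDrive\OneDrive.exe',
]

# FRST prints the server command after "->" (CustomCLSID line) or ":" (plain key line).
LOCALSERVER = re.compile(r'localserver32\s*(?:->|:)\s*(?P<cmd>.*)$', re.IGNORECASE)
# A COM LocalServer32 that starts a script host instead of an executable is the red flag.
LOLBIN = re.compile(r'rundll32(?:\.exe)?\s+javascript:', re.IGNORECASE)
EVAL_ARG = re.compile(r'eval\("(?P<blob>[^"]+)', re.IGNORECASE)


def shift_decode(blob, shift=1):
    """Undo the 'add one to every character code' obfuscation used in the eval string."""
    return ''.join(chr(ord(c) - shift) for c in blob)


def check_line(line):
    """Return a finding dict for a suspicious LocalServer32 entry, else None."""
    m = LOCALSERVER.search(line)
    if not m:
        return None
    cmd = m.group('cmd')
    if not LOLBIN.search(cmd):
        return None
    finding = {'line': line, 'command': cmd, 'decoded': None}
    e = EVAL_ARG.search(cmd)
    if e:
        # Only the visible prefix is decoded; FRST truncates the rest of the value.
        finding['decoded'] = shift_decode(e.group('blob'))
    return finding


def scan(lines):
    return [f for f in (check_line(l) for l in lines) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print('LocalServer32 launches a script host:', f['command'][:60])
        if f['decoded']:
            print('  decoded eval payload prefix:', f['decoded'])
```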

Thank you very much for all of your help and the information on CryptoWall 2. I was able to recover 99% of the pictures as I had a backup from earlier in the day and it looks like from the info you gave me I can recover the dropbox documents. I looked in C:\40fd558 folder and didn’t see anything and attached the fixlog text document.

Here’s what was in the RogueKiller report:

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Misty [Administrator]
Mode : Delete – Date : 11/16/2014 14:12:10

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 26 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID{19D2F415-D58B-46BC-9390-C03DCBC21EB2} → ERROR [2]
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID{6E45F3E8-2683-4824-A6BE-08108022FB36} → ERROR [2]
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID{744E0E81-BC79-4719-A58B-C98F7E78EE5D} → ERROR [2]
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID{9F0F16DD-4E76-4049-A9B1-7A91E48F0323} → ERROR [2]
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID{F4288797-CB12-49CE-9DF8-7CDFA1143BEA} → ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{6E45F3E8-2683-4824-A6BE-08108022FB36} → Deleted
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{02478D38-C3F9-4efb-9B51-7695ECA05670} → Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO → Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO → Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO → Deleted
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 → Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01 → Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{18CF9E34-5B43-429E-9FB9-C6A7384496BC} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces{18CF9E34-5B43-429E-9FB9-C6A7384496BC} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces{18CF9E34-5B43-429E-9FB9-C6A7384496BC} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)] → Replaced ()
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 → Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 → Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 → Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 → Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-813805069-2741577078-3852799619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1001FALS-00Y6A0 ATA Device +++++
— User —
[MBR] 5dfcff06730721d5c766e8abe6879ac3
[BSP] d0498c5d7d0669c7cda187cef46bd809 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 … OK
User = LL2 … OK

+++++ PhysicalDrive1: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_11162014_140822.log

There’s been no blocked website popups since the restart!

Thank you again for you time and expertise and getting my computer clean!

Very good. I’m glad you’ve successfully recovered your photos; many do not fare as well as you. :slight_smile:

Although everything indicates that there is no need for additional strike, still we shall do so with ComboFix.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

    - ComboFix will check if there is a newer version of ComboFix available.
      Click Yes if prompted to download.
    - If Recovery Console is not installed, ComboFix will offer download & installation.
      Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
     => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Hello,

I’ve run Combofix and attached both logs.

Hello,

ComboFix confirms the clean PC. I shall remove used tools now. :slight_smile:

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix :

• Click Start then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

• In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter).

Wait for the uninstall process to complete.

.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

.

How to protect yourself?
I recommend that you use one of the fantastic opportunities provided by avast! 2014.

To help AntiVirus to protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t AntiVirus and it can NOT replace it.

  2. Keep MCShield Anti-Malware; the tool will be updated regularly and performs an automatic malware check of each attached USB memory device.
    MCShield has been designed as a lightweight scanner that’s smart enough to catch even new worms and work in fully automatic removal mode.