Multiple DLLhosts and MAL notifications when not even on the internet

I hope someone can help me. Attached are the required logs to assist.

I see no attached logs. ???

3 files

last file

Removal team is notified… it may take some hours before they are online.

Hi, initially we will clean with this:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

ComboFix.txt attached. Thank you.

I still have multiple DLLHosts in my task manager.

Could you provide a screenshot, please?

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\users\bjuckett\AppData\Roaming\Itufahs
c:\programdata\UbaxAffu
c:\users\bjuckett\AppData\Local\Urqgmedia

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix.txt attached. However the file date did not change from when I ran it yesterday. Did I need to delete it first?

You also should note that I think the computer was/is infected by this ransomware:
http://www.pcrisk.com/removal-guides/7844-cryptowall-virus

I wondered why you had all the crypto HTMLs on the system.

Did you drag and drop the CFScript onto ComboFix?

Yes, and it ran. However, the file date/time stamp did not change.

OK, let's use FRST.

Do you have a screenshot of the DLLs?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

c:\users\bjuckett\AppData\Roaming\Itufahs
c:\programdata\UbaxAffu
c:\users\bjuckett\AppData\Local\Urqgmedia
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

Screenshot. Sorry. I forgot that last time.

Working on FRST now.

OK, I think I know what this is. However, it is very new and it will take some work on your part to isolate the miscreant.

But first I need to confirm my analysis.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Reg: reg query "HKEY_USERS\S-1-5-21-1226673482-1910924574-995669957-1149_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
Reg: reg query "HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
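The two `reg query` lines above compare the per-user registration of that CLSID (under the user's `_Classes` hive) with the machine-wide one in HKEY_CLASSES_ROOT. A per-user CLSID entry takes precedence over the machine-wide one for that user's processes, so a DLL or server registered there is what gets loaded when the class is instantiated, and for an out-of-process class that means inside a dllhost.exe (COM surrogate) instance. The following is an added example, not part of this thread and not FRST or ComboFix code: a Python script that parses saved `reg query` output (the embedded sample is constructed; the per-user DLL path in it is a placeholder, and the machine-wide values are illustrative) and flags per-user InprocServer32/LocalServer32 entries that differ from the machine-wide registration or point into a user-writable location.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query` output (not taken from the thread's logs).
# The per-user InprocServer32 path is a placeholder for whatever a hijack
# would have registered; the machine-wide entries are illustrative values.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_USERS\S-1-5-21-1226673482-1910924574-995669957-1149_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server

HKEY_USERS\S-1-5-21-1226673482-1910924574-995669957-1149_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
    (Default)    REG_SZ    C:\Users\bjuckett\AppData\Local\Urqgmedia\placeholder.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\thumbcache.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\dllhost.exe /Processid:{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
"""

# `reg query` prints each key on its own unindented line, followed by its
# values indented and separated by runs of spaces: name, type, data.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
SERVER_SUBKEYS = r"(InprocServer32|LocalServer32)"
USER_SERVER_RE = re.compile(
    r"^HKEY_USERS\\(S-1-[0-9-]+)_Classes\\CLSID\\(\{[0-9A-F-]+\})\\" + SERVER_SUBKEYS + r"$",
    re.IGNORECASE)
MACHINE_SERVER_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\" + SERVER_SUBKEYS + r"$",
    re.IGNORECASE)
# Heuristic hints that a server path lives somewhere a standard user can write.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\programdata\\",
                       "%temp%", "%appdata%", "%localappdata%")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map each key path to {value name: (type, data)}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.upper().startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def looks_user_writable(path: str) -> bool:
    """True if the server path points into a typical user-writable location."""
    p = path.lower()
    return any(hint in p for hint in USER_WRITABLE_HINTS)


def find_com_overrides(keys: Dict[str, Dict[str, Tuple[str, str]]], clsid: str) -> List[dict]:
    """Report per-user InprocServer32/LocalServer32 registrations of `clsid`
    and compare each with the machine-wide (HKEY_CLASSES_ROOT) registration."""
    clsid = clsid.lower()
    machine: Dict[str, str] = {}
    per_user: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        default = values.get("(Default)", ("", ""))[1]
        m = MACHINE_SERVER_RE.match(path)
        if m and m.group(1).lower() == clsid:
            machine[m.group(2).lower()] = default
            continue
        u = USER_SERVER_RE.match(path)
        if u and u.group(2).lower() == clsid:
            per_user.append((u.group(1), u.group(3), default))
    findings = []
    for sid, subkey, server in per_user:
        machine_server = machine.get(subkey.lower())
        findings.append({
            "sid": sid,
            "subkey": subkey,
            "user_server": server,
            "machine_server": machine_server,
            # A per-user entry that differs from the machine-wide one, or that
            # points into a user-writable location, is what a hijack looks like.
            "differs_from_machine": machine_server is None
                                    or server.lower() != machine_server.lower(),
            "user_writable": looks_user_writable(server),
        })
    return findings


if __name__ == "__main__":
    target = "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
    for f in find_com_overrides(parse_reg_query(SAMPLE_REG_QUERY_OUTPUT), target):
        flag = "SUSPICIOUS" if f["differs_from_machine"] or f["user_writable"] else "ok"
        print(f"[{flag}] {f['sid']} {f['subkey']}: {f['user_server']!r} "
              f"(machine-wide: {f['machine_server']!r})")
```

Run it on a saved `reg query` export (for example the two Reg: lines from a Fixlog) by replacing the constructed sample with the file contents; a per-user entry whose server differs from the HKEY_CLASSES_ROOT one, or that sits under a profile or ProgramData folder, is the condition that justifies the DeleteKey step that follows in the thread.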

fixlog.txt

On completion of this, let me know if the host.dll goes back to normal.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

DeleteKey: HKEY_USERS\S-1-5-21-1226673482-1910924574-995669957-1149_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

Log cannot be attached. It is too large (7 MB).
I will let you know if the dllhost issue subsides. Thank you.

You should notice after the reboot.

Looks like it is resolved. Thank you very much.