Remove ransomware?

For the past month or so, I’ve noticed an htm file called Install_Tor that is in every folder with files in it on my HD. The file links to: https://paytordmbdekmizq.torsona.com/1feQ52z
Also, when I attempt to go to a website, the site is often redirected to a random spam site. I have run MBAM and FRST to no avail. Attached are the logs from my most recent FRST scan. Any help would be appreciated.

Please make the link not clickable!

This is a business computer, is it not?
Loaded Profiles: Joey & MsDtsServer110 & MSSQLFDLauncher$ROOT & ReportServer$ROOT & MSOLAP$ROOT
(Available profiles: UpdatusUser & Joey & MsDtsServer110 & MSSQLFDLauncher$ROOT & MSSQL$ROOT & ReportServer$ROOT & MSOLAP$ROOT)

You also have MySQL,

You ALSO have 3 different anti-viruses. Anyone running mysqld should know that having 3 separate AVs is very bad.

McAfee, Avast! (presumably) and Microsoft Security Essentials. You also have Blackboard, which is a standard program for schools. Can you confirm this?

Await my reply.

Hi,

My name is Valinorum and I will be the acolyte today. Before we proceed, please acquaint yourself with the following:

  • Please do not create any new threads on this while we are working on your system, as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system, as it may hinder our process.
  • Malware removal is a complicated process, so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a copy/paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe Mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems, as it may do serious damage.

Are you using avast! or McAfee?

  • Step #1 Uninstall Programs
    I want you to uninstall the program(s) listed below because of the poor reputation we receive about them. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up, then double-click on each of the items listed below and follow the on-screen instructions to remove/uninstall them.

    - Ask Toolbar
    - Catalina Savings Printer
    - Internet Explorer Toolbar 4.8 by SweetPacks


  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and paste the contents inside the code-box below into your Notepad:
Start
Closeprocesses:
Emptytemp:
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
2014-01-10 15:48 - 2014-01-10 15:47 - 00159768 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\
2014-01-10 15:48 - 2014-01-10 15:47 - 00519704 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\log4cplusU.dll
AlternateDataStreams: C:\Users\Joey\AppData\Local\8Zcly4cg:lp3nJazFDtMFsyRwk
AlternateDataStreams: C:\Users\Joey\AppData\Local\Temp:XjYmwX1fSt9LV5Npt
HKU\.DEFAULT\Software\Classes\.exe: exefile =>  <===== ATTENTION!
HKU\.DEFAULT\Software\Classes\exefile:  <===== ATTENTION!
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2552856 2014-02-04] ()
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4029046612-302350299-3837694173-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-4029046612-302350299-3837694173-1002 - (No Name) - {f15ff29f-85a1-43cd-9674-e5ba40016c97} - C:\Program Files (x86)\DailyBibleGuide\bar\1.bin\2vSrcAs.dll No File
C:\Program Files (x86)\DailyBibleGuide\
SearchScopes: HKU\S-1-5-21-4029046612-302350299-3837694173-1002 -> {34e26447-bf30-4c78-a5b9-61dfa8a55e67} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^XM^xdm002^YYA^us&si=CN_Lk5f19rsCFe3m7AodcGAAVQ&ptb=72CAA255-2864-4036-B9AF-CCC3B5E94ABB&psa=&ind=2014011115&st=sb&n=780b5eeb&searchfor={searchTerms}
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\17.3.2.101\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.3.2.101\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll (AVG Secure Search)
FF DefaultSearchEngine: Secure Search
FF DefaultSearchUrl: 
FF SearchEngineOrder.1: Secure Search
FF SelectedSearchEngine: Secure Search
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll (AVG Technologies)
FF Plugin-x32: @DailyBibleGuide.com/Plugin -> C:\Program Files (x86)\DailyBibleGuide\bar\1.bin\NP2vStub.dll No File
C:\Program Files (x86)\Common Files\AVG Secure Search\
FF Plugin HKU\S-1-5-21-4029046612-302350299-3837694173-1002: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Joey\AppData\Roaming\CATALI~2\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF SearchPlugin: C:\Users\Joey\AppData\Roaming\Mozilla\Firefox\Profiles\5kbxo11c.default\searchplugins\ask-search.xml
FF SearchPlugin: C:\Users\Joey\AppData\Roaming\Mozilla\Firefox\Profiles\5kbxo11c.default\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: Ask Toolbar - C:\Users\Joey\AppData\Roaming\Mozilla\Firefox\Profiles\5kbxo11c.default\Extensions\toolbar_ORJ-V7C@apn.ask.com.xpi [2013-11-08]
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.101 [2014-01-10]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG SafeGuard toolbar\ChromeExt\17.3.2.101\avg.crx [2014-01-10]
2014-11-01 17:19 - 2014-11-01 20:05 - 00000278 _____ () C:\Users\Joey\AppData\Roaming\INSTALL_TOR.URL
2014-11-01 17:19 - 2014-11-01 20:05 - 00000278 _____ () C:\Users\Joey\AppData\INSTALL_TOR.URL
2014-11-01 17:15 - 2014-11-01 23:24 - 00000278 _____ () C:\Users\Joey\AppData\Local\INSTALL_TOR.URL
2014-11-01 17:13 - 2014-11-01 23:23 - 00000278 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-01 07:18 - 2014-11-02 01:55 - 00000000 ____D () C:\Users\Joey\AppData\Roaming\Fiotteg
2014-11-01 07:18 - 2014-11-02 01:51 - 00000000 ____D () C:\Users\Joey\AppData\Roaming\Ufubek
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
End
    - Click on File > Save as...
    - Inside the File Name box type fixlist.txt
    - From the Save as type drop-down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Step #3 Fix with AdwCleaner
    Download AdwCleaner by Xplode to your Desktop from one of the following links.
    - Download Link #1
    - Download Link #2

    - Right-click on AdwCleaner.exe and choose Run as administrator;
    - Click on Scan and let the program run unhindered;
    - When done, click on Clean and allow the system to reboot after it is done;
    - A log will be opened automatically after the restart;
    - Attach the log in your reply.


  • Step #4 Fix with Junkware Removal Tool
    Download Junkware Removal Tool by thisisu to your Desktop from one of the links below.
    - Download Link 1
    - Download Link 2

    - Disable your anti-virus to avoid potential conflicts. For more information please read this article: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
    - Run the program either by double-clicking (Windows XP) or right-clicking and choosing Run as administrator (Windows Vista and above);
    - Please be patient as the tool cleans your system;
    - After completion of the process a log named JRT.txt will automatically open and is saved to your Desktop;
    - Attach the log in your next reply.


  • Required Log(s):
    - FRST Fix Log
    - AdwCleaner Log
    - Junkware Removal Tool Log

    Regards,
    Valinorum
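As an added example (not part of this thread, and not code from the FRST tool or its author), the following Python script sorts lines of an FRST-style log into the indicator classes the fix above targets: registry entries FRST flagged with ATTENTION, alternate data streams, and the dropped ransom-note files, reporting the notes' common size and earliest creation time as a timeline anchor. The log excerpt is constructed for illustration from entries of the kind quoted in the thread, and `triage_frst_log` is a hypothetical helper, not an FRST feature.

```python
import re

# Name fragment of the dropped ransom-note files quoted in the thread.
RANSOM_NOTE_FRAGMENTS = ("INSTALL_TOR",)

# One FRST file entry: created - modified - size attrs (vendor) path
FILE_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<vendor>[^)]*)\) (?P<path>.+)$"
)
ATTENTION = re.compile(r"<=+ ATTENTION")

# Constructed FRST-style excerpt modelled on the entries in the thread (sample data, not a real log).
SAMPLE_FRST_LOG = r"""
HKU\.DEFAULT\Software\Classes\.exe: exefile =>  <===== ATTENTION!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2552856 2014-02-04] ()
AlternateDataStreams: C:\Users\Joey\AppData\Local\Temp:XjYmwX1fSt9LV5Npt
2014-11-01 17:19 - 2014-11-01 20:05 - 00000278 _____ () C:\Users\Joey\AppData\Roaming\INSTALL_TOR.URL
2014-11-01 17:13 - 2014-11-01 23:23 - 00000278 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-11-01 07:18 - 2014-11-02 01:55 - 00000000 ____D () C:\Users\Joey\AppData\Roaming\Fiotteg
CMD: ipconfig /flushdns
"""

def triage_frst_log(text):
    """Bucket FRST log lines into the indicator classes a fixlist would target (hypothetical helper)."""
    report = {"attention": [], "ads": [], "ransom_notes": [],
              "note_sizes": set(), "first_note_created": None}
    for line in text.splitlines():
        line = line.strip()
        if ATTENTION.search(line):                      # registry keys FRST itself flagged
            report["attention"].append(line.split("<")[0].strip())
        elif line.startswith("AlternateDataStreams:"):  # payloads hidden in NTFS streams
            report["ads"].append(line.split(":", 1)[1].strip())
        elif (m := FILE_ENTRY.match(line)):
            name = m.group("path").rsplit("\\", 1)[-1].upper()
            if any(frag in name for frag in RANSOM_NOTE_FRAGMENTS):
                report["ransom_notes"].append(m.group("path"))
                report["note_sizes"].add(int(m.group("size")))  # one size => one dropped note copied around
                created = m.group("created")
                if report["first_note_created"] is None or created < report["first_note_created"]:
                    report["first_note_created"] = created     # earliest drop anchors the timeline
    return report

if __name__ == "__main__":
    for key, value in triage_frst_log(SAMPLE_FRST_LOG).items():
        print(key, value)
```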