Requesting help with Virus

Over the weekend I noticed my computer running very slow and it looked like a lot of processes were running in the background. I ran Malwarebytes to remove whatever malware I had, and a day later it seemed like some additional malware had infected my computer. It seems like whatever is infecting my computer is installing different kinds of malware. One of them is the paytordmbdekmizq ransom virus that has encrypted some of my folders on my desktop.

I don't have enough experience to figure out what is causing all of this. Could this be the Poweliks virus? Any help would be appreciated. Attached are my logs.

Edit: I forgot to turn the rootkit option on in MBAM. I ran it again with it on but it did not detect anything. Hopefully this is a non-issue.

Attached is the FRST log.

A lot of junk there.
First, could you manually delete this folder: C:\Users\Mike\AppData\Roaming\麽鎒駓覜

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-4241252734-2862292364-1283218576-1000\...\Run: [ChromeUpdate] => C:\Users\Mike\AppData\Roaming\ChromeUpdate.exe
HKU\S-1-5-21-4241252734-2862292364-1283218576-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk
ShortcutTarget: Check for TWS Updates.lnk -> C:\Jts\WiseUpdt.exe ()
SearchScopes: HKLM - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {CF739809-1C6C-47C0-85B9-569DBB141420} URL = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&toolbar=OT
SearchScopes: HKCU - {D5F550C9-2F02-4F26-BD23-D011ED656B59} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_44_ch&cd=2XzuyEtN2Y1L1Qzu0F0E0DtCtCtCyCtA0DtAyDtAyEzzzyyBtN0D0Tzu0StCtDtAtAtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0AyDtB0CyCtAyDtGtByBtDtAtG0EtD0B0FtG0DyCtDtBtGtAtCyEyD0FyCtBtAyByCyCzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0E0EyByCyE0FtDtGtCyC0B0DtGyEtC0EyBtG0B0B0AtAtG0FtA0DtC0Czy0CtByByCyCzy2Q&cr=1938152772&ir=
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: AskBar BHO -> {201f27d4-3704-41d6-89c1-aa35e39143ed} -> C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
Toolbar: HKLM-x32 - Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
Toolbar: HKCU - No Name - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
FF Extension: vShare Plugin - C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\4hj1f9zy.default\Extensions\vshare@toolbar [2010-10-10]
CHR StartupUrls: Default -> "hxxp://www.google.com/", "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_44_ch&cd=2XzuyEtN2Y1L1Qzu0F0E0DtCtCtCyCtA0DtAyDtAyEzzzyyBtN0D0Tzu0StCtDtAtAtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0AyDtB0CyCtAyDtGtByBtDtAtG0EtD0B0FtG0DyCtDtBtGtAtCyEyD0FyCtBtAyByCyCzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0E0EyByCyE0FtDtGtCyC0B0DtGyEtC0EyBtG0B0B0AtAtG0FtA0DtC0Czy0CtByByCyCzy2Q&cr=1938152772&ir="
2014-10-29 09:59 - 2014-10-29 19:40 - 00008538 _____ () C:\Users\Mike\Downloads\DECRYPT_INSTRUCTION.HTML
2014-10-29 09:59 - 2014-10-29 19:40 - 00004210 _____ () C:\Users\Mike\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-29 09:59 - 2014-10-29 19:40 - 00000274 _____ () C:\Users\Mike\Downloads\INSTALL_TOR.URL
2014-10-29 09:52 - 2014-10-29 09:52 - 00008538 _____ () C:\Users\Mike\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-29 09:52 - 2014-10-29 09:52 - 00004210 _____ () C:\Users\Mike\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-29 09:52 - 2014-10-29 09:52 - 00000274 _____ () C:\Users\Mike\Documents\INSTALL_TOR.URL
2014-10-29 09:50 - 2014-10-29 09:50 - 00003140 _____ () C:\Windows\System32\Tasks\{E100A7EA-0F26-418C-842C-2EF53E449472}
2014-10-29 09:47 - 2014-10-29 09:47 - 50905024 _____ () C:\Users\Mike\Downloads\tws40_install_latest.exe
2014-10-28 22:06 - 2014-10-28 22:06 - 00008536 _____ () C:\Users\Mike\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:06 - 2014-10-28 22:06 - 00008536 _____ () C:\Users\Mike\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:06 - 2014-10-28 22:06 - 00004208 _____ () C:\Users\Mike\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:06 - 2014-10-28 22:06 - 00004208 _____ () C:\Users\Mike\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:06 - 2014-10-28 22:06 - 00000272 _____ () C:\Users\Mike\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 22:06 - 2014-10-28 22:06 - 00000272 _____ () C:\Users\Mike\AppData\INSTALL_TOR.URL
2014-10-28 21:57 - 2014-10-28 21:57 - 00008536 _____ () C:\Users\Mike\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:57 - 2014-10-28 21:57 - 00004208 _____ () C:\Users\Mike\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:57 - 2014-10-28 21:57 - 00000272 _____ () C:\Users\Mike\AppData\Local\INSTALL_TOR.URL
2014-10-28 21:47 - 2014-10-28 21:47 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:47 - 2014-10-28 21:47 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:47 - 2014-10-28 21:47 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:57 - 2014-10-29 20:31 - 00000000 ___HD () C:\5b8859e
2014-10-28 20:57 - 2014-10-28 21:20 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 20:57 - 2014-10-28 20:58 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-28 20:57 - 2014-10-28 20:57 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-25 18:18 - 2014-10-25 21:25 - 00000000 ____D () C:\Users\Mike\AppData\Roaming\Teloak
2014-10-25 18:18 - 2014-10-25 21:22 - 00000000 ____D () C:\Users\Mike\AppData\Roaming\Pekuaxy
2014-10-25 18:12 - 2014-10-25 18:12 - 00070656 _____ () C:\Windows\system32\gqyjr.dll
2014-10-25 18:12 - 2014-10-25 18:12 - 00003856 _____ () C:\Windows\System32\Tasks\{A9870513-3ABA-A725-78EF-9EB4DAFE0DF6}
2014-10-25 18:12 - 2014-10-25 18:12 - 00000000 _____ () C:\Windows\system32\hzxcvep.dll
2014-10-15 17:56 - 2014-10-15 17:57 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-10-25 21:22 - 2013-08-21 20:49 - 00000000 ____D () C:\Users\Mike\AppData\Roaming\DSite
CustomCLSID: HKU\S-1-5-21-4241252734-2862292364-1283218576-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Mike\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4241252734-2862292364-1283218576-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-4241252734-2862292364-1283218576-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Mike\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
Task: {2F618DDA-EEC5-4495-8850-0FABE269B78F} - System32\Tasks\{A9870513-3ABA-A725-78EF-9EB4DAFE0DF6} => C:\Windows\system32\gqyjr.dll [2014-10-25] ()
Task: {863BECDE-91F0-4482-9803-14093330826A} - System32\Tasks\DSite => C:\Users\Mike\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\DSite.job => C:\Users\Mike\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Users\Mike\ts.reg
C:\Users\Mike\tsMS.reg
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Download Anti-CryptorBit.zip to your desktop.
Extract Anti-CryptorBitV2 to the desktop and run it.

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions.
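The fixlist above contains two entries worth understanding rather than just deleting: the CustomCLSID localserver32 value that hands rundll32.exe a javascript: URL (the fileless Poweliks persistence), and the DECRYPT_INSTRUCTION / INSTALL_TOR ransom-note drops. The script below is an added triage example written for this thread; it is not FRST, Malwarebytes, or anything the helper posted. It reads FRST-style lines and flags those patterns. The sample lines are constructed from the entry shapes in the fixlist, with the Poweliks line cut where FRST itself truncates it. The decoder assumes the eval() string is obfuscated by adding one to every character code; the visible fragment confirms that, since shifting it back yields document.write('<script language=jscr. The Run-key check is a heuristic of mine, not an FRST rule.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code).

Flags:
  * COM CLSID LocalServer32/InprocServer32 values that launch rundll32.exe with a
    javascript: argument (the fileless Poweliks persistence trick) and decodes the
    eval() payload fragment (each character code shifted up by one),
  * ransom-note drop files (DECRYPT_INSTRUCTION.*, INSTALL_TOR.URL),
  * Run values that launch an EXE from the user profile (heuristic, see below).
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries in the fixlist above.
SAMPLE_LOG = r"""
HKU\S-1-5-21-4241252734-2862292364-1283218576-1000\...\Run: [ChromeUpdate] => C:\Users\Mike\AppData\Roaming\ChromeUpdate.exe
CustomCLSID: HKU\S-1-5-21-4241252734-2862292364-1283218576-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds
CustomCLSID: HKU\S-1-5-21-4241252734-2862292364-1283218576-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Mike\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
2014-10-29 09:52 - 2014-10-29 09:52 - 00008538 _____ () C:\Users\Mike\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-29 09:52 - 2014-10-29 09:52 - 00000274 _____ () C:\Users\Mike\Documents\INSTALL_TOR.URL
2014-10-29 09:47 - 2014-10-29 09:47 - 50905024 _____ () C:\Users\Mike\Downloads\tws40_install_latest.exe
"""


@dataclass
class Finding:
    kind: str    # "poweliks_clsid", "ransom_note" or "autorun_in_profile"
    detail: str  # CLSID and decoded payload, note file name, or Run value and target
    line: str    # the log line that triggered the finding


# COM server registrations in the user hive, as FRST prints them under CustomCLSID.
CLSID_RE = re.compile(
    r"CLSID\\\{([0-9A-Fa-f-]+)\}\\(localserver32|inprocserver32)\s*->\s*(.*)$", re.I)
# A legitimate COM server is a path to a DLL/EXE; Poweliks passes rundll32 a javascript: URL.
JS_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I)
EVAL_RE = re.compile(r'eval\("([^"]*)')
# Files CryptoWall-family ransomware drops next to the data it encrypted.
RANSOM_NOTE_RE = re.compile(
    r"\\(DECRYPT_INSTRUCTION\.(?:HTML|TXT)|INSTALL_TOR\.URL)\s*$", re.I)
RUN_RE = re.compile(r"\\Run: \[([^\]]+)\] => (.*)$")


def decode_poweliks(blob: str) -> str:
    """Undo the Poweliks string obfuscation: every character code was shifted up by one."""
    return "".join(chr(ord(c) - 1) for c in blob)


def triage(log_text: str) -> list:
    """Return a Finding for every suspicious FRST-style line in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CLSID_RE.search(line)
        if m and JS_RUNDLL_RE.search(m.group(3)):
            payload = EVAL_RE.search(m.group(3))
            decoded = decode_poweliks(payload.group(1)) if payload else ""
            findings.append(Finding("poweliks_clsid", f"{m.group(1)} -> {decoded}", line))
            continue
        m = RANSOM_NOTE_RE.search(line)
        if m:
            findings.append(Finding("ransom_note", m.group(1), line))
            continue
        m = RUN_RE.search(line)
        if m and re.search(r"\\AppData\\", m.group(2), re.I):
            # Heuristic (my assumption, not an FRST rule): an autorun launching an EXE
            # from the user profile deserves a look, though some legitimate updaters do it.
            findings.append(Finding("autorun_in_profile", f"{m.group(1)} -> {m.group(2)}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Point it at a whole FRST.txt instead of SAMPLE_LOG to get the same three classes of hit; the decoded fragment shows why the CLSID entry is a script loader and not a broken Google Update registration like the psuser_64.dll ones next to it.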

Thanks for the help. Attached are the log files.

Could you run a fresh FRST scan now please, and let me know how the computer is behaving?

Everything seems back to normal. Attached is the log from the FRST scan I ran today. Thanks again for the help :slight_smile:

Could you manually delete this file/folder: C:\Users\Mike\AppData\Roaming\麽鎒駓覜

Follow these steps to display hidden files and folders.

:black_medium_small_square:Open Folder Options by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
:black_medium_small_square:Click the View tab.
:black_medium_small_square:Under Advanced settings, click Show hidden files and folders, and then click OK.

THEN

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run it for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes: update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: