Threat has been detected every minute

Hi,

I have a Dell laptop with Windows 8. I have run an Avast! scan and found no threats, but after booting, popups stating a threat was detected happen about every minute. Task Manager shows that just a minute or two after a fresh reboot, CPU, memory and hard drive are near 100% used. MANY COM Surrogate processes are open. Also, an error pops up saying IE Explorer has stopped working even though the program is not open. I have run MBAM and am attaching the log file. Please help! Thanks,

We also need a Farbar Recovery Scan Tool log: https://forum.avast.com/index.php?topic=53253.0

Guys from the removal team will be online and assist you tomorrow…

Thanks. Here are the two additional files from FRST.

second file

This is a Poweliks infection and, as such, there is no file associated with it. Avast is blocking it from downloading an encryptor programme.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-4078936671-275576934-2248569212-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-08-25 09:35 - 2014-08-25 09:35 - 00008172 _____ () C:\Users\Ed\Downloads\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:35 - 2014-08-25 09:35 - 00004130 _____ () C:\Users\Ed\Downloads\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:35 - 2014-08-25 09:35 - 00000252 _____ () C:\Users\Ed\Downloads\DECRYPT_INSTRUCTION.URL
2014-08-25 09:34 - 2014-08-25 09:34 - 00008172 _____ () C:\Users\Ed\Documents\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:34 - 2014-08-25 09:34 - 00004130 _____ () C:\Users\Ed\Documents\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:34 - 2014-08-25 09:34 - 00000252 _____ () C:\Users\Ed\Documents\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-08-25 09:11 - 2014-08-25 13:03 - 00000000 ___HD () C:\3d8e3e7
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.URL
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
CustomCLSID: HKU\S-1-5-21-4078936671-275576934-2248569212-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
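The two indicator classes the helper picked out of the FRST log above are worth being able to spot without an expert reading the log by hand: a CLSID LocalServer32 value that starts rundll32.exe with a javascript: URL (no file on disk, which is why a file scan found nothing), and the same DECRYPT_INSTRUCTION.* note dropped into folder after folder (the footprint of an encryptor that has already run). The script below is an added example written for this thread; it is not FRST, Avast or the helper's code. It triages constructed log lines in the FRST format shown above; the SID and the second CLSID in the sample are placeholders, the path under C:\Users\Ed and the hijacked CLSID are taken from the log above, and the decoder assumes the eval("...") fragment was obfuscated by adding 1 to every character code, which the fragment's own prefix (epdvnfou/xsjuf reading as document.write) supports.

```python
"""Triage helper for FRST-style scan logs (example code for this thread, not
part of FRST or Avast). It flags two indicator classes seen in the log above:
  * a CLSID LocalServer32 value that launches rundll32.exe with a javascript:
    URL (fileless, registry-resident Poweliks-style persistence), and
  * ransom-note files named DECRYPT_INSTRUCTION.* dropped across many folders.
"""
import re
from collections import defaultdict

# Constructed sample in the FRST line format used in the thread. The SID and the
# second CLSID are placeholders, not values from the original log.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-0000000000-0000000000-0000000000-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds
CustomCLSID: HKU\S-1-5-21-0000000000-0000000000-0000000000-1001_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\ExampleVendor\app.exe
2014-08-25 09:12 - 2014-08-25 09:12 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:12 - 2014-08-25 09:12 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-08-25 09:12 - 2014-08-25 09:12 - 00000252 _____ () C:\Users\Ed\AppData\DECRYPT_INSTRUCTION.URL
2014-08-25 09:34 - 2014-08-25 09:34 - 00008172 _____ () C:\Users\Ed\Documents\DECRYPT_INSTRUCTION.HTML
2014-08-25 09:11 - 2014-08-25 13:03 - 00000000 ___HD () C:\3d8e3e7
2014-08-25 08:00 - 2014-08-25 08:00 - 00001024 _____ () C:\Users\Ed\Documents\notes.txt
"""

# "CustomCLSID: <registry key> -> <server command>"
CLSID_RE = re.compile(r"^CustomCLSID:\s+(?P<key>\S+)\s+->\s+(?P<cmd>.+)$")
# "<created> - <modified> - <size> <attributes> (<company>) <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"(?P<size>\d+) (?P<attr>\S+) \([^)]*\) (?P<path>.+)$"
)
# A COM server "executable" that is really rundll32 fed a javascript: URL, or
# mshtml's RunHTMLApplication: the code lives only in the registry value.
SCRIPT_LAUNCH_RE = re.compile(r"rundll32(?:\.exe)?\s+javascript:|RunHTMLApplication", re.I)
RANSOM_NOTE_RE = re.compile(r"\\DECRYPT_INSTRUCTION\.(HTML|TXT|URL)$", re.I)


def decode_shift(text, shift=1):
    """Undo a per-character code shift. Assumption: the loader's eval() string
    was built by adding 1 to every char code, so subtracting 1 recovers it."""
    return "".join(chr(ord(ch) - shift) for ch in text)


def find_clsid_hijacks(lines):
    """Return CustomCLSID entries whose server command launches script, with the
    eval("...") fragment decoded where one is present."""
    hits = []
    for line in lines:
        m = CLSID_RE.match(line.strip())
        if not m or not SCRIPT_LAUNCH_RE.search(m["cmd"]):
            continue
        frag = re.search(r'eval\("([^"]*)', m["cmd"])
        hits.append({
            "key": m["key"],
            "command": m["cmd"],
            "decoded_prefix": decode_shift(frag.group(1)) if frag else None,
        })
    return hits


def find_ransom_notes(lines):
    """Group DECRYPT_INSTRUCTION.* paths by folder. The same note in many folders
    means an encryptor already ran; that is separate from the Poweliks loader."""
    by_dir = defaultdict(list)
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m or not RANSOM_NOTE_RE.search(m["path"]):
            continue
        folder, _, name = m["path"].rpartition("\\")
        by_dir[folder].append(name)
    return dict(by_dir)


def triage(log_text):
    """Summarise both indicator classes for a whole log."""
    lines = log_text.splitlines()
    hijacks = find_clsid_hijacks(lines)
    notes = find_ransom_notes(lines)
    return {
        "poweliks_style_clsid": hijacks,
        "ransom_note_folders": sorted(notes),
        "ransom_note_count": sum(len(v) for v in notes.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the hijacked CLSID is reported with its decoded prefix document.write('<script language=jscr, the legitimate CLSID pointing at an .exe is ignored, and the four ransom notes are grouped into three folders while the unrelated notes.txt and the C:\3d8e3e7 directory are left alone. Removing the registry value, as the fixlist does, is what stops the loader; the note files are evidence that the encryptor got as far as writing to the user's folders, which is why the helper asks about backups next.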

Thanks for the next steps. I copied all the info in the box as you suggested. When I hit the fix button an error box opened.
Script error
Line 1
Char 1
Error: invalid root in registry key "HKCU\software\classes\clsid{ab8902b4-09ca-4bb6-b78d-a8f590079a8d5}\localserver32\a
Do you want to continue running scripts on this page?

As I was typing this error, the fix concluded without me saying yes or no to the error box.

I have attached the fixlog here. Please let me know next steps.

That was the infection trying to run again; could you confirm the alerts have ceased?

Could I now have a fresh FRST scan, please?

The warning of a threat every minute has stopped. Even with IE open, I do not get the messages right away like I used to. Also, Task Manager does not show all resources used up.

It does seem like all of the files on my hard drive have been corrupted in some way. I can’t open word documents, excel sheets, even pictures no longer open. Does this infection typically cause these kinds of issues? Is there an easy way to get them to work again, or is restore from backup the best option?

Attached are the new log files.

If you have a backup then restore them. It looks as though PowerShell ran for a period before it was blocked.

Without the encryptor name it could be hard to determine the decryption.

You could upload one of the files here: https://www.decryptcryptolocker.com/ and, if they can decrypt it, they will e-mail you a key and a small programme to run the decryption.

Thanks so much for the help. Is there something I should do to prevent this from happening again? I will restore my files from my backup.

Yes, this small programme will lock down the areas that it runs from. It is fire and forget (well, update manually weekly).

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Hi,

I have the same problem. I read the instructions and scanned my computer. Can somebody help me with this, please, as it is so annoying to listen to it all the time.

Thanks.

I read the instructions and scanned my computer.
Not all of it, as it says start your own topic.