Hello all, I’m having the same problem as a lot of others seem to be having on here. Multiple URLs showing as blocked by Avast every time I get on. I’ve tried all the fixes I could find on my own but need help now. I’ve included all the logs I’ve seen you ask for in other posts except for Aswmbr. When I run that scan it closes Windows and produces a blue screen that says something about a program or file that is essential to Windows has been stopped or terminated and Windows has shut down to prevent damage to my computer. Thanks in advance for any help.
I let this get to page 7 after 4 days and I’m worried it may have slipped through the cracks. Thanks
If 1 week old you may need to attach a fresh FRST log
Malware removers are now notified
You may have some encrypted files on your system
Display hidden files and folders:
Right-click the Windows Logo button and choose Open Windows Explorer.
Click Organize and choose Folder and Search Options.
Click the View tab, select Show hidden files and folders and then clear the checkbox for Hide protected system operating files.
Then delete the following file/folder :
C:\Users\Sharon\AppData\Roaming\麽鎒駓覜
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
HKU\S-1-5-21-3204268726-1404570672-3809501329-1006\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
2014-10-28 21:30 - 2014-10-28 21:30 - 00008562 _____ () C:\Users\Sharon\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:30 - 2014-10-28 21:30 - 00008562 _____ () C:\Users\Sharon\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:30 - 2014-10-28 21:30 - 00004224 _____ () C:\Users\Sharon\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:30 - 2014-10-28 21:30 - 00004224 _____ () C:\Users\Sharon\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:30 - 2014-10-28 21:30 - 00000276 _____ () C:\Users\Sharon\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 21:30 - 2014-10-28 21:30 - 00000276 _____ () C:\Users\Sharon\AppData\INSTALL_TOR.URL
2014-10-28 21:29 - 2014-10-28 21:29 - 00008562 _____ () C:\Users\Sharon\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:29 - 2014-10-28 21:29 - 00004224 _____ () C:\Users\Sharon\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:29 - 2014-10-28 21:29 - 00000276 _____ () C:\Users\Sharon\AppData\Local\INSTALL_TOR.URL
2014-10-28 21:28 - 2014-10-28 21:28 - 00008562 _____ () C:\Users\Nathan\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:28 - 2014-10-28 21:28 - 00008562 _____ () C:\Users\Nathan\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:28 - 2014-10-28 21:28 - 00008562 _____ () C:\Users\Nathan\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:28 - 2014-10-28 21:28 - 00004224 _____ () C:\Users\Nathan\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:28 - 2014-10-28 21:28 - 00004224 _____ () C:\Users\Nathan\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:28 - 2014-10-28 21:28 - 00004224 _____ () C:\Users\Nathan\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:28 - 2014-10-28 21:28 - 00000276 _____ () C:\Users\Nathan\INSTALL_TOR.URL
2014-10-28 21:28 - 2014-10-28 21:28 - 00000276 _____ () C:\Users\Nathan\AppData\Local\INSTALL_TOR.URL
2014-10-28 21:28 - 2014-10-28 21:28 - 00000276 _____ () C:\Users\Nathan\AppData\INSTALL_TOR.URL
2014-10-28 21:27 - 2014-10-28 21:27 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:27 - 2014-10-28 21:27 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:27 - 2014-10-28 21:27 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:03 - 2014-10-28 20:03 - 00000000 _____ () C:\Windows\system32\bvbsibr.dll
2014-10-28 20:01 - 2014-10-28 23:14 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 20:01 - 2014-10-28 23:04 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-28 20:00 - 2014-10-29 00:44 - 00000000 ___HD () C:\20b8ee4
2014-10-28 20:00 - 2014-10-28 23:05 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-28 19:59 - 2014-10-28 19:59 - 00000000 _____ () C:\Windows\system32\lhpwgot.dll
2014-10-31 17:27 - 2012-06-17 22:56 - 00000408 _____ () C:\Windows\Tasks\PC Optimizer Pro startups.job
CustomCLSID: HKU\S-1-5-21-3204268726-1404570672-3809501329-1006_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {6F5BA568-961B-4792-8B29-3946FA0EB6C3} - System32\Tasks\PC Optimizer Pro startups => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: {E11EA4CF-0646-4C63-BDC2-53521814B7BF} - System32\Tasks\PC Optimizer Pro Scan => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro Scan.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro Updates.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
C:\Program Files\PC Optimizer Pro
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on “Clean”
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
FINALLY
Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run
https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG
Select the file type you wish to decrypt and then follow the instructions
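Added example, not part of the original thread and not FRST's own code: a small triage script that reads FRST-style lines like those in the fixlist above, groups the ransom-note files by directory, reports the earliest note timestamp, and flags `localserver32` values that launch `rundll32.exe javascript:`. The sample lines are copied from the post; the function names and the one-character shift used to read the visible `eval(` prefix are this example's own choices, based only on the string shown on this page.

```python
import re
from collections import defaultdict

# Sample lines copied from the fixlist in the post above (no new data).
SAMPLE = r'''
2014-10-28 21:30 - 2014-10-28 21:30 - 00008562 _____ () C:\Users\Sharon\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 21:28 - 2014-10-28 21:28 - 00004224 _____ () C:\Users\Nathan\DECRYPT_INSTRUCTION.TXT
2014-10-28 21:27 - 2014-10-28 21:27 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:01 - 2014-10-28 23:14 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
CustomCLSID: HKU\S-1-5-21-3204268726-1404570672-3809501329-1006_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
'''

# "created - modified - size attributes (company) path", as in the lines above
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d)'
                     r' - (\d+) (\S+) \(.*?\) (.+)$')
# Ransom-note file names that appear in this thread
NOTE_RE = re.compile(r'\\(DECRYPT_INSTRUCTION\.(?:HTML|TXT)|INSTALL_TOR\.URL)$', re.I)
# A COM localserver32 value that starts rundll32 with a javascript: argument
SCRIPT_RE = re.compile(r'localserver32\s*(?:->|:)\s*rundll32\.exe\s+javascript:', re.I)

def unshift(text):
    """Shift every character down by one code point (assumption of this example)."""
    return ''.join(chr(ord(c) - 1) for c in text)

def triage(log_text):
    """Return (notes grouped by directory, earliest note time, decoded script prefixes)."""
    notes, first_seen, scripts = defaultdict(list), None, []
    for line in (l.strip() for l in log_text.splitlines()):
        m = FILE_RE.match(line)
        if m:
            created, path = m.group(1), m.group(5)
            n = NOTE_RE.search(path)
            if n:  # directory = path up to the backslash before the note name
                notes[path[:n.start()]].append(n.group(1))
                first_seen = min(first_seen or created, created)
        elif SCRIPT_RE.search(line):
            payload = re.search(r'eval\("(\S+)', line)
            scripts.append(unshift(payload.group(1)) if payload else '')
    return dict(notes), first_seen, scripts

if __name__ == '__main__':
    by_dir, first, scripts = triage(SAMPLE)
    print('earliest ransom note:', first)
    for folder, names in by_dir.items():
        print(folder, names)
    print('script prefixes:', scripts)
```

The earliest note timestamp gives a lower bound for when encryption started, which helps when choosing which backup to restore from.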
Did all but the Anti-Cryptorbit. I downloaded it and started it up but I’m unsure what to do with it.
In your documents folder, try and open any pictures, videos, documents. If they fail or look like gibberish (Like staring at Chinese), upload them to the app essexboy gave you. Then redownload it, and try opening it again.
All popups have stopped. I still have encrypted files and the links/instructions on how I can pay for them to be decrypted in my folders. I’ve tried running anticryptorbit on some of the encrypted files but I haven’t had any results. Also still not sure if I’m using it correctly. When using it I click on Office Files Fix/corrupt file/one of my encrypted docx files/start. After that runs it doesn’t show any options to proceed and my files are the same. I’m not completely computer illiterate but I’m not too far from it so thanks for your patience :).
Unfortunately it depends on whether or not the decryptor programme can determine the key
Do you have backups of the affected files ? If not this page may help http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
Could I have a fresh FRST scan please to see if anything remains
I do have a backup of most of the corrupted files so I don’t think it will be a problem. Fresh FRST scan log attached. I also just tried to open a word document and got a popup saying “Word cannot open the existing (Normal)”. When I click OK it goes on into the document and seems ok except it has some extra bullets that weren’t in these docs before. When I close the page it says “The file Normal already exists. Do you want to replace the existing file?” with the options of yes, no or cancel. I said no and it pulls up the save as screen with the Word documents ~$Normal and Normal as options. Closing that brings the popup “Global changes have been made to document Normal. Do you want to save these changes?” Selecting no lets me close out of word finally.
Not sure about word as I do not use that, how is the computer otherwise ?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
ShortcutTarget: $McRebootA5E6DEAA56$.lnk -> (No File)
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that
Most everything else seems to be working fine. Only other thing I see is a couple icons on the desktop labeled desktop. They open in notepad and this is the contents:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
and
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
File type: Configuration settings (.ini) under properties
That is a system file and will be rehidden on completion
In that case methinks I will send you on your merry way
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide: Best security practices. Keep safe