Greetings,
Avast has been reporting a URL:Mal threat every few minutes (though sometimes it’s quiet for an hour or so). The objects reported are websites like 7508.sindelclick.com, go.wvydeo.com, and cdn.movieroomreviews1.com. The Task Manager shows several COM Surrogate processes running; these are unusual for me to see in that list. They seem to be related to the threat messages, and when I end those they return after a short while.
When I first began noticing problems, there was also a file called INSTALL_TOR that had attached itself to almost every directory and folder on my machine. I found and deleted those, as well as some uninstall files that were related to them.
I have run scans with MBAM, FRST64, and aswMBR as suggested in the information guide I found on the forum. The scan logs for those are attached.
My machine is running Windows 7 Home Premium (with Service Pack 1) on a 64-bit OS; computer is an HP s5-1020 model.
I’m very appreciative of any help or further suggestions to deal with this threat.
OK, I followed the steps for running the FRST fix. The log file for that process is attached.
I will also work on using Anti-CryptorBit, which I’m guessing will help me get back some files which have been corrupted or encrypted. If so, thanks very much for the tip, because indeed there are some messed up files to rescue!
Thanks for this support, which I felt was provided in a personable and respectful manner. I’ve seen some forums for other software in which the experts are a bit snarky with us poor users who are just trying to get by.
If there are other steps, I will gladly follow further instructions. If not, thanks again.
Some info for you to read up on… ==>
2014-10-28 22:02 - 2014-10-28 22:02 - 00000448 ____H () C:\Users\Campbells\AppData\Roaming\麽鎒駓覜
The H part means it’s hidden. Since you’re using Windows 7…
Open Folder Options by clicking the Start button , clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders, and then click OK.
You may also need to check the System Files/Folders/Drives… That should allow you to see the randomly named folder.
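As an added illustration (not part of the thread, and not FRST's own code), the snippet below parses lines in the layout of the FRST entry quoted above and flags entries marked H (hidden) or carrying non-ASCII names, which is the same check the Folder Options steps let you make by eye. The column layout and the three sample lines are assumptions constructed from that one quoted line.

```python
import re

# Constructed sample in the layout of the FRST line quoted in the thread
# (created - modified - size flags (company) path). The column layout is an
# assumption inferred from that single line, not FRST's documented format.
SAMPLE_LOG = """\
2014-10-28 22:02 - 2014-10-28 22:02 - 00000448 ____H () C:\\Users\\Campbells\\AppData\\Roaming\\麽鎒駓覜
2014-10-28 21:50 - 2014-10-28 21:50 - 00001024 _____ () C:\\Users\\Campbells\\AppData\\Roaming\\notes.txt
2014-10-28 21:40 - 2014-10-28 21:40 - 00000000 ____D () C:\\Users\\Campbells\\AppData\\Roaming\\Microsoft
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<flags>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    # 'H' in the flag column means hidden, as explained in the thread;
    # other letters are kept raw in entry["flags"] and not interpreted here.
    entry["hidden"] = "H" in entry["flags"]
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def suspicious_entries(log_text):
    """Return entries that are hidden or whose file name contains non-ASCII characters."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["hidden"]:
            reasons.append("hidden")
        if any(ord(ch) > 127 for ch in entry["name"]):
            reasons.append("non-ascii name")
        if reasons:
            entry["reasons"] = reasons
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e["path"], "->", ", ".join(e["reasons"]))
```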
The computer is running very smoothly now, with no threat announcements from Avast and no COM surrogate indications in Task Manager. All seems fine on that score.
On the other hand, I am not having any success with Anti-CryptorBit. The files I have tried it on so far-- text files, Office documents, jpegs, and PDFs-- have all been unrecoverable. Anti-CryptorBit has reported that some cannot be repaired and that others have been recovered; but those that have been recovered cannot be opened by, say, Microsoft Word. When I tried to open a recovered .doc file after applying Anti-CryptorBit, MS-Word said the file was still corrupted. Word suggested using “Open and repair” and also suggested a “Recover text from any type of file” option with its installed File Recover tool. However, those attempts only returned gibberish instead of real information. Fortunately, about 3/4 of my files were not affected by the virus, so I’m not totally wiped out.
If you have any other recovery options to suggest, that would be great. Still, I’m thankful that there is no ongoing threat. If some files are lost forever, I will just have to deal with that. Some are backed up on an external hard drive, but it’s been too long since I did that, so I’m sure not all are there. Lesson learned about back-ups!
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.
Thank you for those notes. The Delfix log is attached, just for info. I will come back if there are issues later on, but otherwise all seems to be the best it can be at the moment.
Well, I wonder if something leftover is going on now. The hard disk started running non-stop, and a check of Task Manager showed about six or eight processes called qmmhklzi.exe *32 running, with Google Chrome as the description-- even though Google Chrome was closed at the time. I ended those processes, but they returned on their own.
The file location for all these processes seemed to be found in
c:\programdata\microsoft\playready\rtxqdjgq\fytivwmy
which had three files all installed on November 1 at 7:11 pm (about 4-1/2 hours after I first noticed the strange behavior). I tried to delete one file named qmmhklzi.exe found there, but I was not able to do that because the process was active. (It sure was!) There was also a subfolder named 36.0.1985.143, if that turns out to be a relevant IP address or something.
I ran a scan with MBAM, and it found several Trojan items. I quarantined all of them, and the strange processes stopped running. The file folder mentioned above still exists, but the program qmmhklzi.exe had its name changed to 000000000000000004.0x0. I have attached the MBAM log here.
After all of that, I also ran another scan with FRST64. I have attached the relevant logs here as well.
I am in the midst of running a scan with aswMBR, too, but that will take a while, so I am going to bed now and will post that log in the morning here.
No, there were no additional downloads, but my wife remembers checking email around that time, and then she said about a half-hour later Avast reported blocking something (though she didn’t remember exactly what was blocked).
Maybe this is just an unrelated occurrence that only coincidentally happened soon after the previous one. In any case, the family had a conversation at breakfast about being careful where you click.
Regardless of the cause, there have been no repeated threats or strange processes after my most recent report and MBAM cleanse.
God’s blessings on this Sunday, and thanks for your help again.