Virus and Malware.. after clean up of Ransomware... what next?

I have been using Avast free anti-virus and Malwarebytes paid version (as I found that Avast did not pick up some things that MWB did.)
Prior to using Avast free I had used AVG paid but found that AVG was getting very bloated with add-ons and becoming a nuisance.

For 4 years this new PC and security seemed to keep me free of problems. I also had Windows Firewall and Defender running.

2 days ago I was suddenly blocked by ‘UK Police/Interpol’ with the usual demand pay £100 to unlock the PC.
The PC would not even run in Safe Mode with Networking… as soon as Windows desktop opened the Bad Page filled the screen.

Once or twice previously a similar threat had shown but I was able to Ctrl Alt Del, use Task Manager to end the offending IE pages.
This time it was a full hijack.

With my laptop I was able to download AVG Rescue Disk and Kaspersky Rescue Disk. AVG said it found some bits but nothing that looked related to ransomware. Kaspersky allowed me to start the PC and look at files but not start Windows or use the internet. Kaspersky did not indicate that it had found anything.

After contacting Avast Tech Support http://www.avast.com/en-gb/total-support and paying $179.99 for 1 year support, I was given a number to call Avast Tech Support. The guys I spoke with all said AVAST many times so I assume were indeed employed by Avast, or on behalf of Avast.

After many attempts I was able to get Safe Mode with Networking running and the Techie could get into the PC… he seemed to do a good job as the PC is running well now and, according to Avast and Malwarebytes, is free of problems. Having said that neither software had detected any problems in the last few weeks… Avast and MWB run scans every second day as does Windows Defender and none of them alerted a problem.

So what are my problems/questions now?

  1. Should I have Windows Defender running or should I disable it (as I was told by Avast Techie that it might conflict with Avast)?

  2. Should Windows Security Centre service be running? it is alerted as ‘turned off’ and when I try to ‘Turn on now’ it shows ‘Windows Security Centre service can’t be started’. I have tried some Microsoft advice to restart Windows Security Centre service but without success.

  3. Should I trust that the Avast Techie has done/cleaned all possible or should I run any other test?

Thanks for looking.

  1. disable it as it is useless and a waste of resources.

  2. yes the security centre should be running so the malware guys here should be able to help sort that out for you when some logs are supplied.

  3. obviously not since your security centre is not working

I have been using Avast free anti-virus and Malwarebytes paid version (as I found that Avast did not pick up some things that MWB did.)
There is no product in the world that can detect everything. Unfortunately(?) you will have to use multiple applications. MBAM + avast is a good combination.

For the ransomware, I have to make a guess here, but you are using your system as a user with admin rights or even as a real admin, which is always a really bad idea. Always use a system with a limited user account; that (almost) always prevents this type of malware from infecting the (user-) admin account. Meaning you can still boot the system and remove the crap.

After contacting Avast Tech Support...
It is a third party that handles it, not avast itself. There are many complaints about it.

1]
http://usa.kaspersky.com/internet-security-center/internet-safety/multiple-antivirus-products

2]
Yes, it should be running. Since it doesn’t your system still has one (or more) problem(s).
Please provide the logs as stated in the sticky of this webboard.

3]
It was not a tech from avast.
See 2]

Thanks CraigB and EDDY.

EDDY…

  1. The Kaspersky link was useful reading. I will kill Defender.

  2. What/which/how logs to post (see I really am a Newbie in distress when it comes to hands on management of PC bugs).

  3. ‘Not a Tech from Avast’ but it must be with the knowledge of Avast? and therefore a responsibility of Avast? I realise that Digital River, who use email address avast@digitalriver.com, are involved with many companies (including MS, Logitech, Kaspersky and it seems Avast). As the ransomware was apparently cleared but I now have a problem with Security Centre should I not either go back to ‘Avast Technical Support’ or just cry and ask for a refund?

Waiting with hated breath… well a bit miffed.

Digital River only handles the payment, the support you received was via a 3rd party company “not avast”.

imo you can get better support here, supplying logs are explained in the stickies at the top of this board https://forum.avast.com/index.php?topic=53253.0

Am working on logs… well, Farbar is… will post soon.

But… ‘not Avast’ Yet it is sold as Avast on Avast website … http://www.avast.com/en-gb/total-support. Do you still feel that Avast have no responsibility for it… note it is en-gb. Maybe not global? not US?

Farbar logs… FRST and Addition

fingers crossed that I’ve done this correctly…

aswMBR result attached

Thanks for providing the logs.
One of the experts will have a look at them soon and guide you.
Most are in Europe and it is around dinner time, so have patience please and do not change anything on that system.

Thanks EDDY.

OK// I’ll wait but I was about to run this set of cmd entries in Windows\system32…

You may follow these steps and check if the issue persists.

a. Click Start → Type CMD → Right click on CMD from the result → Click Run as Administrator

b. Run the following command one at a time and press enter to execute

• cd /d %windir%\system32\wbem

• for %i in (*.dll) do regsvr32 -s %i

• for %i in (*.exe) do %i /regserver

c. Close all windows and reboot the computer and now try opening the system information

Why? because in the Addition log System error reported " The Windows Management Instrumentation service terminated with the following error:
%%126" a Google search revealed this fix that has worked for others …

http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_programs/windows-management-instrumentation-error-code-126/1202e348-5964-e011-8dfc-68b599b31bf5

the result was offered by …

Debleena S replied on April 12, 2011 Microsoft

Anyway, I’ll do as you say and hold off meddling.

Thanks again.

Only a few minor elements left

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on “Clean”
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks essexboy for your help.

I have done as you said and have a fixlog.txt with a message to RESTART, close all windows.
Should I do that before going on adwcleaner ? or what?

oops here is fixlog.txt attached…

Continue to AdwCleaner please :slight_smile:

Thanks but do I follow the fixlog instruction to RESTART?

My earlier question>>>>>>>>>>

I have done as you said and have a fixlog.txt with a message to RESTART, close all windows.
Should I do that before going on adwcleaner ? or what?

Yes allow a reboot as it will need to finish prior to windows loading

OK – did Restart then ran AdwCleaner and all seems to be back to normal… THANKS!

Is there any final scan/check that will confirm all is now OK?

Are you able to explain briefly what was wrong and what has been corrected?

The remnant was a change to Chrome that would allow unsigned files to run otherwise it was just a matter of clearing the junk files :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

DOUBLE BRILLIANT THANKS essexboy… I will run all that and post confirmation.

Over and OUT for today :slight_smile:

OK, finally I think it’s all done.

The repair of Action Centre Security worked until a reboot then the problem returned. I then used this fix from MS Community (because the error code I saw was 126):

http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_programs/windows-management-instrumentation-error-code-126/1202e348-5964-e011-8dfc-68b599b31bf5

Method 1

You may follow these steps and check if the issue persists.

a. Click Start → Type CMD → Right click on CMD from the result → Click Run as Administrator

b. Run the following command one at a time and press enter to execute (without the dot before the code and take care of spaces)

• cd /d %windir%\system32\wbem

• for %i in (*.dll) do regsvr32 -s %i

• for %i in (*.exe) do %i /regserver

c. Close all windows and reboot the computer and now try opening the system information

The above fix, Method 1, worked and has stayed fixed.

I ran DELFIX exactly as you advised.

I completely uninstalled Java

I have also set my account as Standard User and set a new Administrator account.

CryptoPrevent is downloaded and installed but it seemed to need installing in both my User account and in the Admin account… is that right? Also I cannot find it anywhere in Programmes or Task manager under Processes or Services unless CryptSvc - Cryptographic Services - Network Service is CryptoPrevent? Also, I suppose it makes sense to purchase the Premium to get updates?

Windows Defender and Windows Firewall are no longer running … Does MalwareBytes and/or Avast provide a Firewall?

I look forward to receiving clarification of the above points please.

After so many years using PCs this episode has once again shown me how little expertise I really have… THANKS AGAIN!!!
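The WMI re-registration steps quoted twice in this thread (the cmd lines in the wbem folder, used because the Addition log showed the WMI service terminating with error 126), as an added PowerShell example that is not from the thread or from Microsoft: it checks the state of the WMI and Security Center services, looks for the error the log reported, then performs the same re-registration. It assumes an elevated session; the event ID 7023 filter and the wscsvc/winmgmt service names are standard Windows values, not taken from the thread.

```powershell
# Added example, not from the thread. Run in an elevated (Run as Administrator) PowerShell.
# Error %%126 in the log is ERROR_MOD_NOT_FOUND: a DLL the WMI service needs could not be loaded,
# which is why re-registering the DLLs and COM server EXEs under system32\wbem can repair it.

function Get-WmiHealth {
    # Status of the two services this thread is about: WMI (winmgmt) and Security Center (wscsvc).
    # Security Center depends on WMI, so a broken winmgmt shows up as "Security Center can't be started".
    $winmgmt = Get-Service -Name winmgmt -ErrorAction SilentlyContinue
    $wscsvc  = Get-Service -Name wscsvc  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinmgmtStatus = if ($winmgmt) { $winmgmt.Status } else { 'Missing' }
        WscsvcStatus  = if ($wscsvc)  { $wscsvc.Status }  else { 'Missing' }
    }
}

function Get-RecentWmiServiceErrors {
    # Event 7023 in the System log is the Service Control Manager's
    # "<service> terminated with the following error" entry, the one the FRST Addition log quoted.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Management Instrumentation' } |
        Select-Object TimeCreated, Message
}

function Repair-WmiRegistration {
    # Same actions as the cmd steps: regsvr32 every DLL and /regserver every EXE in the wbem folder.
    $wbem = Join-Path $env:windir 'system32\wbem'
    Get-ChildItem -Path $wbem -Filter '*.dll' | ForEach-Object {
        & regsvr32.exe /s $_.FullName          # /s = silent; non-COM DLLs simply fail to register
    }
    Get-ChildItem -Path $wbem -Filter '*.exe' | ForEach-Object {
        & $_.FullName /regserver               # COM EXE servers re-register themselves with /regserver
    }
}

Write-Output 'Service state before repair:'
Get-WmiHealth
Write-Output 'Recent WMI service termination events (empty if none):'
Get-RecentWmiServiceErrors
Repair-WmiRegistration
Write-Output 'Re-registration done. Reboot, then re-run Get-WmiHealth; both services should be Running.'
```

If wscsvc still fails to start after the reboot, the 7023 events recorded after the repair are the first thing to read, since they name the failing service and the error code.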