Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Encrypted Files, blackmail letter [Solved]


  • This topic is locked This topic is locked

#16
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

How are things working now? Are you still getting that persistant pop-up?


  • 0

Advertisements


#17
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
The pop-up is gone.

Explorer still does not work correctly. Explorer does open but it is totally blank. No preference opening page is set. I can navigate to some sites by typing the address directly in the bar but not all pages or sites load and the links on some pages won't work. After typing in a password the page doesn't change. Geekstogo is working fine though.

I have gotten a pop-up notification messages from Dell saying that I haven't set up Automatic backup and recovery schedules and haven't signed up for automatic updates. I am wondering if I should do so? Please advise.

Thanks Holly
  • 0

#18
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

The pop-up is gone.

Good news!

Explorer still does not work correctly. Explorer does open but it is totally blank. No preference opening page is set. I can navigate to some sites by typing the address directly in the bar but not all pages or sites load and the links on some pages won't work. After typing in a password the page doesn't change. Geekstogo is working fine though.

 

Let's try resetting IE. The instructions below show work for your version of IE. If they are not exact, then they should be fairly close.


To reset Internet Explorer settings
  1. Close all Internet Explorer and Windows Explorer windows that are currently open.

  2. Open Internet Explorer by clicking the Start button 4f6cbd09-148c-4dd8-b1f2-48f232a2fd33_818. In the search box, type Internet Explorer, and then, in the list of results, click Internet Explorer.

  3. Click the Tools button 448ef968-d58a-43a2-b0cc-f396f4024f2c_14., and then click Internet options.
  4. Click the Advanced tab, and then click Reset.

    Select the Delete personal settings check box if you would also like to remove browsing history, search providers, Accelerators, home pages, Tracking Protection, and ActiveX Filtering data.

  5. In the Reset Internet Explorer Settings dialog box, click Reset.

  6. When Internet Explorer finishes applying default settings, click Close, and then click OK.

  7. Close Internet Explorer.

    Your changes will take effect the next time you open Internet Explorer.

I have gotten a pop-up notification messages from Dell saying that I haven't set up Automatic backup and recovery schedules and haven't signed up for automatic updates. I am wondering if I should do so? Please advise.

You should have a backup and restore plan. I can't speak to Dell's plan as I've not used it. For Windows systems I usually just buy an external disk (USB connect disk) and use that for backup. That doesn't mean Dell is bad, I just don't know about it.

 

Yes, you should signup for Automatic Updates.

 

Navigate this way and select Start (Button in Lower Left), Control Panel, All Control Panel Items, Windows Update, Change Settings. Then you'll find a pull down to set up Automatic Updates.

 

Once you have reset IE, give it a try and let me know how it works.


  • 0

#19
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Everything seems to be working fine thanks to you. No glitches yet. Next steps?
Holly
  • 0

#20
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Most excellent news!!

 

Ok, although I don't expect there to be too much, let's clean out the junk and low level stuff.

 

adwcleaner_new.png Scan with AdwCleaner
 
Please download AdwCleaner by Xplode and save the file to your desktop.
 
  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R*].txt) will open.
 
Please include the contents of that file in your reply.
 

JRTbythisisu.png Fix with Junkware Removal Tool
 
Please download JRT by Thisisu and save the file to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
 
  • Right-click on JRTbythisisu.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.
 
Please include the contents of that file in your reply.
 
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.
 

We'll search for some remnants that might be hiding.
 
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the progam and select update
 
  • Once it has updated select Settings > Detection and Protection >Tick Scan for rootkits

MBAMsettings.JPG

 
  • Go back to the Dashboard and select Scan Now

MBAMScan.JPG

 
  • If threats are detected, click the Apply Actions button, MBAM will ask for a reboot

MBAMReboot.JPG

  
  • On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop.

MBAMLog.JPG

 
 
Please post that log for my review.

 


  • 0

#21
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Ok here are the logs:

Adwcleaner:
# AdwCleaner v3.311 - Report created 31/10/2014 at 10:28:51
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Holly - HOLLY-PC
# Running from : C:\Users\Holly\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\eBay.lnk

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Google Chrome v38.0.2125.111

[ File : C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [987 octets] - [31/10/2014 09:51:16]
AdwCleaner[R1].txt - [908 octets] - [31/10/2014 10:28:51]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [967 octets] ##########


Jrt log:
unkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Professional x64
Ran by Holly on Fri 10/31/2014 at 9:57:06.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-534934637-3198636804-1178557441-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/31/2014 at 9:59:19.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Malware log:
unkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Professional x64
Ran by Holly on Fri 10/31/2014 at 9:57:06.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-534934637-3198636804-1178557441-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/31/2014 at 9:59:19.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Regarding AdwCleaner, I only scanned per your instructions. Should I have also cleaned? Thanks Holly
  • 0

#22
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts

The Malware log was left off so here it is.

 

Malware:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/31/2014
Scan Time: 10:14:35 AM
Logfile: scan log malware.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.31.09
Rootkit Database: v2014.10.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Holly

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317401
Time Elapsed: 6 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Thanks Holly


  • 0

#23
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

You did everything perfectly! :)

 

One last scan and one preventative program. Although you had a particularly nasty ransomeware program on your machine, there are others that are even worse (if you can imagine). CryptoPrevent will protect your computer from many flavors of Ransomeware. 

 

I am also going to have you scan you computer with ESET. Sometimes ESET takes a long time to run, so maybe set it up to run overnight while you're sleeping. Last, I want to recheck all your products for versioning.

 

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

CryptoPrevent.JPG

 

51c9d14017fa0-SecurityCheck.PNG Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

  • Right-click on 51c9d14017fa0-SecurityCheck.PNG icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Follow onscreen instructions inside the black box. This scan won't take long.
  • Soon a notepad document called checkup.txt will open automaticaly.

Please include the content of that document.

 

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:
  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!

 

Last, let me know if everything is still working properly.


  • 0

#24
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

We're you able to complete the last updates and scans?


  • 0

#25
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts

Been busy with work. Am working on last instructions now. Will send logs when finished. Thanks. Holly


  • 0

Advertisements


#26
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts

Here is the security check log:

 

 Results of screen317's Security Check version 0.99.89  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
McAfee Anti-Virus and Anti-Spyware   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Reader XI  
 Google Chrome 38.0.2125.104  
 Google Chrome 38.0.2125.111  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 6% 
````````````````````End of Log`````````````````````` 
 
 
Here is the eset log;
 

[email protected] as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=6c5cdf2a660f9c4ca372501295dab7de
# engine=20948
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-11-05 08:21:13
# local_time=2014-11-05 12:21:13 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='McAfee Anti-Virus and Anti-Spyware'
# compatibility_mode=5129 16777214 100 97 821433 100741089 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 13119301 166762323 0 0
# scanned=18928
# found=2
# cleaned=0
# scan_time=252
sh=C6A6622783DFBCD4F8CD89BA36576B56004FEEE8 ft=1 fh=b477ca9ccb0cf89a vn="a variant of Win32/ExpressDownloader.K potentially unwanted application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-534934637-3198636804-1178557441-1001\$RZOU0ZK.exe"
sh=25B9F4013FB34153FFA27E460D4B8594C79FE337 ft=1 fh=15384691e6094ee0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe"
[email protected] as downloader log:
all ok
[email protected] as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=6c5cdf2a660f9c4ca372501295dab7de
# engine=20948
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-11-05 09:17:29
# local_time=2014-11-05 01:17:29 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='McAfee Anti-Virus and Anti-Spyware'
# compatibility_mode=5129 16777214 100 97 824809 100744465 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 13122677 166765699 0 0
# scanned=194126
# found=6
# cleaned=0
# scan_time=3207
sh=C6A6622783DFBCD4F8CD89BA36576B56004FEEE8 ft=1 fh=b477ca9ccb0cf89a vn="a variant of Win32/ExpressDownloader.K potentially unwanted application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-534934637-3198636804-1178557441-1001\$RZOU0ZK.exe"
sh=25B9F4013FB34153FFA27E460D4B8594C79FE337 ft=1 fh=15384691e6094ee0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe"
sh=34FD53AE4E9C519AE2F7BB0DBE612FFD92C3EB33 ft=0 fh=0000000000000000 vn="Win32/Poweliks.C trojan" ac=I fn="C:\ProgramData\RogueKiller\Quarantine\CB01AAC080A7AB24.reg"
sh=5C89FA148B67F67756CDEC111C53CBC42E36B8EB ft=1 fh=461b819c6c3a0012 vn="Win64/Bedep.C trojan" ac=I fn="C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\neth.dll"
sh=34FD53AE4E9C519AE2F7BB0DBE612FFD92C3EB33 ft=0 fh=0000000000000000 vn="Win32/Poweliks.C trojan" ac=I fn="C:\Users\All Users\RogueKiller\Quarantine\CB01AAC080A7AB24.reg"
sh=5C89FA148B67F67756CDEC111C53CBC42E36B8EB ft=1 fh=461b819c6c3a0012 vn="Win64/Bedep.C trojan" ac=I fn="C:\Users\All Users\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\neth.dll"
 
 
 
Antimalwarebytes is popping up quite frequently with messages: blocked outbound malicious, the majority are from internet explorer. Would those be from one of the trojans eset found?  Thanks, Holly

  • 0

#27
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Hi Holly,
 

Antimalwarebytes is popping up quite frequently with messages: blocked outbound malicious, the majority are from internet explorer. Would those be from one of the trojans eset found? Thanks, Holly

First, I need to change my script for ESET (which I did do below), so please re-run.
 
So, two comments on MBAM (Anitmalwarebytes). I'm not a fan (although many others are) of having it installed and running as it frequently alarms on simple things (tracking cookies, etc.) that are not worth chasing. I am a fan of using MBAM as on "on demand" scanner.

 

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:
 

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:
  • Make sure that Remove found threats is checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!


  • 0

#28
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
When I ran eset this time it cleaned or quarantined 3 of 4 files. It did not save a log file though. I did notice that it found the same Trojans and files as the first scan. It only cleaned or quarantined 3 because poweliks was listed twice. Do you want me to run it again to get a log? Thanks, Holly
  • 0

#29
Biscuithd

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

When I ran eset this time it cleaned or quarantined 3 of 4 files. It did not save a log file though. I did notice that it found the same Trojans and files as the first scan. It only cleaned or quarantined 3 because poweliks was listed twice. Do you want me to run it again to get a log?

ESET is sneaky that way as far as the log is concerned. However, no need to re-run as it did the clean up on the remaining Poweliks exploit.

 

How the machine running now? Any issues at all?


  • 0

#30
AuntieHolly

AuntieHolly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts

Had some time to run the computer. Seems to work fine except explorer (again). The free trial of McAfee is up and I don't want to purchase it. I've had the free Avast on prior computers. Thoughts on this?


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP