Hello. After doing some research, it appears one of my computers, running Windows XP Service Pack 3, has been infected with Cryptowall 3.0. Doing a little more research...I figured I would try this first:
http://www.geekstogo...ove-cryptowall/
After downloading/installing/running MWB, nothing has changed. If anything, it has become worse. During the scan (I ran a full scan with MWB), the desktop background was changed; what it looks like now: White lines surrounding the edges, with a little red X in the top left corner. Also, during the scan, MWB continuously displayed that it was blocking outbound threats to random IP addresses. This has since stopped.
If I right click and select Properties, the box is only displayed for a few seconds before disappearing on its own, not allowing me to select anything. When I shut down/restart the computer, the box disappears and I see my desktop background image again.
Worst case scenario, I am OK with reformatting the computer as there aren't many files at all on the hard drive. I have back-ups of any important files.
The only thing that has changed since running MWB and removing any threats is that I no longer get the pop-ups at start-up, telling me that my files are encrypted. Here's the log file from the scan:
<date>2015/03/24 20:52:35 -0500</date>
<logfile>mbam-log-2015-03-24 (20-52-32).xml</logfile>
</header>
<version>2.01.4.1018</version>
<malware-database>v2015.03.24.09</malware-database>
<rootkit-database>v2015.02.25.01</rootkit-database>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<osversion>Windows XP Service Pack 3</osversion>
<username>Norton</username>
</system>
<result>completed</result>
<objects>665955</objects>
</summary>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
</options>
<path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>
<vendor>Adware.OneStepSearch</vendor>
<hash>530641080f7b2c0af8b334120df6b54b</hash>
</key>
<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>
<vendor>Adware.OneStepSearch</vendor>
<hash>530641080f7b2c0af8b334120df6b54b</hash>
</key>
<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}</path>
<vendor>Search.Hijacker</vendor>
<hash>0d4cf059e4a6bd79f16c60edf50e6c94</hash>
</key>
<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{9034A523-D068-4BE8-A284-9DF278BE776E}</path>
<vendor>Trojan.Zlob</vendor>
<hash>bb9e72d71773d462c1a69fbd798ac739</hash>
</key>
<path>HKLM\SOFTWARE\MICROSOFT\ESENT\PROCESS\Adparatus</path>
<vendor>Adware.Adparatus</vendor>
<hash>77e2d07999f12d095d0a513148bc8977</hash>
</key>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\RelevantKnowledge</path>
<vendor>PUP.Optional.RelevantKnowledge</vendor>
<hash>5009ae9b612983b37814d4dda1631de3</hash>
</key>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
<valuename>{20d82918-b7f5-9324-df1e-546846476ac2}</valuename>
<vendor>Trojan.Agent.ED</vendor>
<valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>
<hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
<valuename>{20d82918-b7f5-9324-df1e-546846476ac2}</valuename>
<vendor>Trojan.Agent.ED</vendor>
<valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>
<hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
<valuename>1622466268</valuename>
<vendor>Trojan.Agent</vendor>
<valuedata>"C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe"</valuedata>
<hash>1b3e45048cfe89adb0831310e51d46ba</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
<valuename>1070511867</valuename>
<vendor>Trojan.Agent</vendor>
<valuedata>"C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe"</valuedata>
<hash>64f585c48efc8fa742f181a24db54eb2</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</path>
<vendor>Trojan.BHO</vendor>
<hash>570282c7e7a30a2c034f5df7de2549b7</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD</path>
<valuename>SSODL</valuename>
<vendor>Trojan.BHO</vendor>
<valuedata>{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</valuedata>
<hash>570282c7e7a30a2c034f5df7de2549b7</hash>
</value>
<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER</path>
<valuename>{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}</valuename>
<vendor>Trojan.BHO</vendor>
<valuedata>STS</valuedata>
<hash>570282c7e7a30a2c034f5df7de2549b7</hash>
</value>
<path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</path>
<valuename>DisableConfig</valuename>
<vendor>Windows.Tool.Disabled</vendor>
<action>replaced</action>
<hash>411880c946441c1ae816de14d233c53b</hash>
</data>
<path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013</path>
<vendor>Trojan.Agent</vendor>
<hash>9cbd90b96b1f70c609bfe887dc27f709</hash>
</folder>
<path>C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe</path>
<vendor>Trojan.Agent.ED</vendor>
<action>delete-on-reboot</action>
<hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
</file>
<path>C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe</path>
<vendor>Trojan.Agent</vendor>
<action>delete-on-reboot</action>
<hash>1b3e45048cfe89adb0831310e51d46ba</hash>
</file>
<path>C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe</path>
<vendor>Trojan.Agent</vendor>
<action>delete-on-reboot</action>
<hash>64f585c48efc8fa742f181a24db54eb2</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\My Documents\Downloads\WinRAR_3.71_Corporate_Edition.exe</path>
<vendor>Trojan.Dropper</vendor>
<hash>31282f1aacde290d589beab256ac8c74</hash>
</file>
<path>C:\WINDOWS\system32\H@tKeysH@@k.DLL</path>
<vendor>HackTool.HotKeyHook</vendor>
<hash>c39656f3642685b1a20d6864ce324bb5</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\fixutil.exe</path>
<vendor>Trojan.Crypt.NKN</vendor>
<hash>b7a2db6eeb9f9c9a4c6d9201728fa060</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\repfix.exe</path>
<vendor>Trojan.Crypt.NKN</vendor>
<hash>fa5fe6635b2f191d37828e05cf324bb5</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\urepair.exe</path>
<vendor>Trojan.Crypt.NKN</vendor>
<hash>fa5f56f3800ad0669119e3b0ea17827e</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\15A.tmp</path>
<vendor>Trojan.Ransom.ED</vendor>
<hash>e673a0a9d8b2bf77d160945ecf32f20e</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\KB02621203.exe</path>
<vendor>Trojan.Agent.DED</vendor>
<hash>f66344055733181e2e11886f20e127d9</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\errfix.exe</path>
<vendor>Trojan.Crypt.NKN</vendor>
<hash>76e3d178a0ead95d3872583bb74aab55</hash>
</file>
<path>C:\WINDOWS\Installer\2af0c69.msi</path>
<vendor>PUP.Optional.RelevantKnowledge</vendor>
<hash>14457ccdbad02f07c7b3619d5ea73fc1</hash>
</file>
<path>C:\WINDOWS\Installer\{FF0AF4F6-CD67-4109-B800-DCFF216342BA}\msiexec.exe</path>
<vendor>Trojan.Agent.ED</vendor>
<hash>045587c2addd7fb7de3b280f8b77a858</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.HTML</path>
<vendor>CryptoWall.Trace</vendor>
<hash>d782af9ac6c4a096bc3262e6e0254db3</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.PNG</path>
<vendor>CryptoWall.Trace</vendor>
<hash>2a2feb5e1e6c12249d51dd6b759056aa</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.TXT</path>
<vendor>CryptoWall.Trace</vendor>
<hash>e9702623bcce58de2ec03711ac59d42c</hash>
</file>
<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.URL</path>
<vendor>CryptoWall.Trace</vendor>
<hash>b5a4fe4b93f769cd787669df56aff50b</hash>
</file>
<path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini</path>
<vendor>Trojan.Agent</vendor>
<hash>9cbd90b96b1f70c609bfe887dc27f709</hash>
</file>
</items>
</mbam-log>
Edited by BlazeHeatnix, 24 March 2015 - 10:54 PM.