Author Topic: Infection by ransomware Zepto extension on Windows 10  (Read 8618 times)


Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Infection by ransomware Zepto extension on Windows 10
« Reply #15 on: August 18, 2016, 08:52:40 PM »
Glad to hear that you have control of your system once more; the malware had looped some of the controls back into themselves so that was the first order of business.  It also looks like Malwarebytes cleaned a lot of the remainders out; let's see what AdwCleaner finds and we will then check for any left overs before letting you restore anything.



AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.

  • On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

    Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Re: Infection by ransomware Zepto extension on Windows 10
« Reply #16 on: August 18, 2016, 11:03:01 PM »
Ok, here is the log attached.

Offline dbrisendine

Re: Infection by ransomware Zepto extension on Windows 10
« Reply #17 on: August 19, 2016, 12:09:19 AM »
Mostly remnants in that log so let us see what FRST shows as active (if anything).

If you still have an Addition.txt log file on your desktop, please delete it now.

Start FRST64 that is on your Desktop by right clicking and selecting "Run as Administrator".

The tool will start to run.  When the tool opens click Yes to the UAC prompt.

Select Addition.txt in the Optional Scans section of FRST64.

Press the Scan button.

It will make two logs (FRST.txt and Addition.txt) on your Desktop. Please attach the logs in your next reply.

REDACTED

  • Guest
Re: Infection by ransomware Zepto extension on Windows 10
« Reply #18 on: August 19, 2016, 10:03:36 AM »
Here attached the requested files; I did not receive a UAC prompt though.

Offline dbrisendine

Re: Infection by ransomware Zepto extension on Windows 10
« Reply #19 on: August 19, 2016, 09:35:13 PM »
Yes; your UAC has been turned off.  I was going to fix this in the final cleanup of removing our tools but it looks as though something tried to sneak in recently, so let's see if we can turn the UAC back on.  You can read about the UAC and how to change the levels here.  Basically, you go to the Control Panel, User Accounts, Change User Account Control settings.  There you can move a slider to select the level of notification you would like; the default level is the second one (the level marker is enhanced to show default).  Once this is done and active, please continue with the script below.



Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy.  Paste this into the open notepad. Save it to your desktop as fixlist.txt
 
Code: [Select]
Start
CreateRestorePoint:
CloseProcesses:
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
C:\Users\pduval\AppData\Local\Temp\libeay32.dll
C:\Users\pduval\AppData\Local\Temp\msvcr120.dll
C:\Users\pduval\AppData\Local\Temp\sqlite3.dll
Task: {60CA1986-25F3-44EF-9CFB-6B3769605CE0} - \eycurkh -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by double clicking on the FRST64.exe file.  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load. 

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.



If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.
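The fixlist above re-enables UAC, resets and re-enables the firewall, removes a scheduled task whose target file no longer exists, clears any proxy hijack and deletes loose DLLs from the user's Temp folder. The following PowerShell script is an added example, not part of the thread and not FRST's own code: it checks each of those conditions so the reader can confirm the fix took effect (or spot the same symptoms on another machine) before moving on. Registry value names and meanings are standard Windows settings; the Temp-folder check and the "missing target" task heuristic are the author's own assumptions about what to look for. Run it from an elevated PowerShell prompt.

```powershell
# Post-cleanup verification (added example; not from the forum thread or FRST).
# Run elevated. Every item mirrors a line in the fixlist; it only reports, it changes nothing.

$findings = @()

# 1. UAC. The thread found UAC switched off. EnableLUA=0 disables it entirely;
#    the "default" slider position is ConsentPromptBehaviorAdmin=5 plus PromptOnSecureDesktop=1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    $findings += "UAC disabled (EnableLUA=$($uac.EnableLUA))"
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += "UAC elevates without prompting (ConsentPromptBehaviorAdmin=0)"
} elseif ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += "UAC prompts are not on the secure desktop (PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop))"
}

# 2. Windows Firewall. The fixlist runs 'netsh advfirewall reset' and turns all profiles on.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') { $findings += "Firewall profile '$($_.Name)' is disabled" }
}

# 3. Scheduled tasks whose action points at a file that no longer exists
#    (the '\eycurkh -> No File' pattern FRST flagged). Heuristic: assumption, not an FRST rule.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute            # $null for COM-handler actions, which are skipped
        if (-not $exe) { continue }
        # Expand %SystemRoot%-style variables and strip surrounding quotes
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        # Bare names such as 'cmd.exe' resolve through PATH, so check both ways
        if (-not (Test-Path -LiteralPath $exe) -and
            -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs missing file: $exe"
        }
    }
}

# 4. Proxy. RemoveProxy: in the fixlist clears a hijacked WinINET proxy for the current user.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    $findings += "Proxy configured: server='$($inet.ProxyServer)' pac='$($inet.AutoConfigURL)'"
}

# 5. Loose DLLs in the user's Temp folder (libeay32 / msvcr120 / sqlite3 were dropped there).
#    Legitimate installers also leave DLLs here, so the signature status is reported, not judged.
Get-ChildItem -Path $env:TEMP -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $findings += "DLL in Temp: $($_.Name) (Authenticode: $($sig.Status))"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean run after the fixlist should print "No findings." apart from, possibly, signed DLLs left behind by ordinary installers; a UAC or firewall finding that reappears after a reboot means something is still re-applying the change and the machine is not clean yet.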

REDACTED

  • Guest
Re: Infection by ransomware Zepto extension on Windows 10
« Reply #20 on: August 21, 2016, 12:57:37 AM »
Ok, followed your instruction, but got a crash with FRST64 when it tried to update; I suspect this is because the network dropped.
So I deleted the partially upgraded application and restored the original from its initial folder: FRST-OlderVersion.

Got the UAC to work now.

Ran it again and this time it was successful.

Find the requested file attached.

Btw, the Laptop seems to run slower now, other than that all fine.

Thanks,

Offline dbrisendine

Re: Infection by ransomware Zepto extension on Windows 10
« Reply #21 on: August 21, 2016, 05:32:17 AM »
Your logs look clean.  If everything else is fine for you (Avast is running / scanning with no warnings, etc.) then I will remove our tools and get you on your way ...


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings

  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system.  Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.

==Some Tools to consider to help keep your system safe ==

Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing.  By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system.  You can read the details about this program here.

Also, consider keeping MalwareBytes Antimalware in your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
 How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online


I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!