Author Topic: http://cdn1.movieroomreviews.com  (Read 4868 times)


REDACTED

  • Guest
http://cdn1.movieroomreviews.com
« on: November 18, 2014, 05:18:41 AM »
Helping a friend who had a badly infected machine.  Have run a number of cleaning tools - revouninstaller, avast, ccleaner, adwcleaner, malwarebytes.......  I have been able to clean out the majority of the mess.  Am left with one, possibly two, little devils.

The website URL in the subject of this post tells much of the story, but the URL might change.  In the meantime, when I get Task Manager up, normal Windows processes that reside in the WOW64 folder load up and hog memory, to the tune of half a gig of memory.  And there is always a wextract.exe *32 (self-extracting cab file) involved, eventually, in Task Manager.

I am including my required scan logs.  I saved the logs to a new folder and at the end of aswMBR, there was also a MBR.dat file in that folder.  Let me know if you want that too.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: http://cdn1.movieroomreviews.com
« Reply #1 on: November 18, 2014, 11:33:39 AM »
MBR.Dat is just a backup of the MBR, very rarely needed.

Remover notified.

Question: is IE working? Or Google?

Both have restrictions. You also have Poweliks, which all the tools mentioned above won't find.


VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: http://cdn1.movieroomreviews.com
« Reply #2 on: November 18, 2014, 02:52:05 PM »
Hello lanesharon and welcome to avast! I will be working on your malware issues.  :)

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt any fixes on your own or run scanners unless requested by a helper.


---     ---     ---     ---     ---


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, read this guide.

--------------------------------------------------------------------
2. Temporarily disable your antivirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note:  Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


--------------------------------------------------------------------
3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
- If malware is detected, ComboFix will begin its removal, and may need to restart Windows.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
=> Attach the log report (ComboFix.txt) back to the topic.

ComboFix will also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

REDACTED

  • Guest
Re: http://cdn1.movieroomreviews.com
« Reply #3 on: November 18, 2014, 05:20:22 PM »
Had to hunt around for the text file.  It was inside a ComboFix folder.  In the Qoobox folder, I just have a 'catchme' log and that just has today's date in it.

Thank You.

REDACTED

  • Guest
Re: http://cdn1.movieroomreviews.com
« Reply #4 on: November 18, 2014, 09:44:00 PM »
Hoping Magna or someone else will tell me if I have to go any further with this.  Thanks.

Offline Michael (alan1998)

Re: http://cdn1.movieroomreviews.com
« Reply #5 on: November 18, 2014, 10:49:19 PM »
At least one more step to remove tools. However, wait. He probably had a busy day; where he lives, it's almost 10:45 PM.

Offline magna86

Re: http://cdn1.movieroomreviews.com
« Reply #6 on: November 19, 2014, 03:12:20 AM »
Hi lanesharon,

Malware is disinfected. Please run the FRST tool again, make sure the box for Addition is ticked, and press the [ Scan ] button.

Fresh FRST and Addition log reports will be created. Please post both logs back to the topic for reanalysis.

REDACTED

  • Guest
Re: http://cdn1.movieroomreviews.com
« Reply #7 on: November 19, 2014, 04:16:53 PM »
Magna,  Thank you so much for replying.  I am leaving town and want to get this computer back to my friend before I go.  Otherwise, she will have to wait for 2 weeks.

I have included the FRST scan results.

Offline magna86

Re: http://cdn1.movieroomreviews.com
« Reply #8 on: November 19, 2014, 04:49:55 PM »
Hello lanesharon,

Please go to your Control Panel via the Start menu and open Programs and Features. From there, try to find the ShopAtHome.com Helper program and uninstall/remove it.

In any case, feel free to continue with the following steps.


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
CloseProcesses:
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHome.com Helper" /f
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,SearchAssistant = http://inboxtoolbar.com/search/ie.aspx?tbid=80105
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,CustomizeSearch = http://inboxtoolbar.com/help/sa_customize.aspx?tbid=80105
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0BC6E3FA-78EF-4886-842C-5A1258C4455A} URL = http://search.imgag.com/?appid=wsdt&component=&c=GNWSO38311&sbs=2&sc=2&f=web&vernum=3.1.5.7619&uid=0&did=%7bbab1f605-608d-45a2-be09-696fbb4bad69%7d&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0BC6E3FA-78EF-4886-842C-5A1258C4455A} URL = http://search.imgag.com/?appid=wsdt&component=&c=GNWSO38311&sbs=2&sc=2&f=web&vernum=3.1.5.7619&uid=0&did=%7bbab1f605-608d-45a2-be09-696fbb4bad69%7d&q={searchTerms}
Hosts:
AlternateDataStreams: C:\Users\linedanceraz\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_0news-1751121550
AlternateDataStreams: C:\Users\linedanceraz\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_1messages-431041656
AlternateDataStreams: C:\Users\linedanceraz\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_2events-250898981
AlternateDataStreams: C:\Users\linedanceraz\AppData\Roaming\Microsoft\Windows\Start Menu\Facebook.website:TASKICON_3friends-215113587
EmptyTemp:

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
« Last Edit: November 19, 2014, 04:52:04 PM by magna86 »
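As an added example (not part of the thread, and not FRST's own code), the PowerShell script below performs a read-only audit of the same registry locations and file streams that the fixlist above rewrites: the leftover ShopAtHome uninstall entry, the IE SearchScopes and Main search values in both the native and Wow6432Node views, the Chrome and IE policy keys that FRST flags as "Policy restriction", and alternate data streams on Start Menu items. Running it before and after the fix lets the helper verify the result instead of taking the Fixlog on faith. It assumes Windows PowerShell 3.0 or later launched as a 64-bit process (so both registry views are visible); the Start Menu paths it scans, and the choice to treat Zone.Identifier as benign, are assumptions of this example and not from the thread.

```powershell
# Added example, not part of the forum thread and not FRST's own code: a
# read-only audit of the locations the fixlist above rewrites, so the same
# machine can be checked before the fix and re-checked afterwards.
# Assumptions: Windows PowerShell 3.0 or later, run from a 64-bit PowerShell
# so both the native and the Wow6432Node registry views are visible.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Value = $Value })
}

# 0. Leftover uninstall entries (the fixlist deleted "ShopAtHome.com Helper").
foreach ($u in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
    if (-not (Test-Path $u)) { continue }
    foreach ($key in Get-ChildItem -Path $u) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.DisplayName -like '*ShopAtHome*') { Add-Finding 'Uninstall' $key.PSPath $p.DisplayName }
    }
}

# 1. IE search scopes, native and 32-bit views. The fixlist cleared an HKLM
#    DefaultScope pointing at search.imgag.com; the current default is marked.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes') {
    if (-not (Test-Path $root)) { continue }
    $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
    foreach ($scope in Get-ChildItem -Path $root) {
        $url  = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
        $kind = if ($scope.PSChildName -eq $default) { 'SearchScope(Default)' } else { 'SearchScope' }
        Add-Finding $kind $scope.PSPath $url
    }
}

# 2. The IE "Main" values the fixlist removed (they pointed at inboxtoolbar.com).
foreach ($main in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main') {
    if (-not (Test-Path $main)) { continue }
    $p = Get-ItemProperty -Path $main -ErrorAction SilentlyContinue
    foreach ($name in 'SearchAssistant', 'CustomizeSearch') {
        if ($p -and $p.PSObject.Properties[$name]) { Add-Finding 'IEMain' "$main\$name" $p.$name }
    }
}

# 3. Browser policy keys ("Policy restriction" in the FRST log). Normal on a
#    domain-joined or managed PC; on a home PC every value here needs a reason.
foreach ($pol in 'HKLM:\SOFTWARE\Policies\Google',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
    if (-not (Test-Path $pol)) { continue }
    foreach ($key in @(Get-Item -Path $pol) + @(Get-ChildItem -Path $pol -Recurse)) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in $p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            Add-Finding 'Policy' "$($key.PSPath)\$($prop.Name)" $prop.Value
        }
    }
}

# 4. Alternate data streams on Start Menu items. ':$DATA' is the file's own
#    content and Zone.Identifier is the usual "downloaded from the internet"
#    mark; anything else (such as the TASKICON_* streams in the fixlist) is
#    listed for review. Assumption: only the current user's and the all-users
#    Start Menu are scanned; add other profile paths to $menus if needed.
$menus = "$env:APPDATA\Microsoft\Windows\Start Menu",
         "$env:ProgramData\Microsoft\Windows\Start Menu"
foreach ($menu in $menus) {
    if (-not (Test-Path -LiteralPath $menu)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $menu -File -Recurse -ErrorAction SilentlyContinue) {
        foreach ($s in Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue) {
            if ($s.Stream -in ':$DATA', 'Zone.Identifier') { continue }
            Add-Finding 'ADS' "$($file.FullName):$($s.Stream)" "$($s.Length) bytes"
        }
    }
}

$findings | Sort-Object Kind, Location | Format-Table -AutoSize -Wrap
```

Run it once before applying the fixlist and once after the reboot; a clean "after" run should show no Uninstall or IEMain rows, no SearchScope rows pointing at third-party search hosts, and policy rows only for settings the owner can account for. The script changes nothing, so it is safe to run on a machine that is still under a helper's supervision.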

REDACTED

  • Guest
Re: http://cdn1.movieroomreviews.com
« Reply #9 on: November 19, 2014, 05:43:38 PM »
Thank you for responding.  Attached is the fixlog.  Forgot to tell you that I could not find ShopAtHome in Programs uninstall, CCleaner, or Revo Uninstaller.  I could back up the registry and remove the entries manually, if necessary.
« Last Edit: November 19, 2014, 06:01:10 PM by lanesharon »

Offline magna86

Re: http://cdn1.movieroomreviews.com
« Reply #10 on: November 19, 2014, 07:14:20 PM »
Hi lanesharon,

Don't worry. I have removed the leftovers via the fixlist.  ;)

All looks good. Tell me, how is the computer behavior now?  :)

REDACTED

  • Guest
Re: http://cdn1.movieroomreviews.com
« Reply #11 on: November 19, 2014, 07:24:04 PM »
The computer's behavior has been fine since we ran ComboFix.  Glad you stuck with me through this entire process.  This computer was so infected when I first got it.  Most of it I was able to clean out in safe mode and Task Manager (stopping processes), but that last bit of mess I could not do alone.

Magna - Thank you so much for all of your help.

Offline magna86

Re: http://cdn1.movieroomreviews.com
« Reply #12 on: November 20, 2014, 02:15:44 PM »

Glad I could help. The posted logs appear clean and show no signs of active infection. You should be good to go ...

We're going to remove the tools I used now, as well as carry out some further cleaning and apply some security settings. To learn more about how to protect yourself, I'll give you a few tips for reading.

The following will implement some post-cleanup procedures:

---     ---     ---     ---     ---



It is necessary to uninstall ComboFix:

  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text, type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

    • then click OK (or press Enter).
    Wait until the uninstall process is complete. This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.


    ---     ---     ---     ---     ---
    In any case ...

    Please download DelFix by Xplode to your Desktop.

    Run the tool and check the following boxes:
    Remove disinfection tools
    Create registry backup
    Purge System Restore

    Click the Run button and wait a few seconds for the program to complete its work.
    At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

    The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
    The tool deletes old system restore points and creates a fresh system restore point after cleaning.


    Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced tools and should not be used without supervision.



    ---     ---     ---     ---     ---



    Learn how to protect yourself:



    =>  In order to stay protected it is very important that you regularly update all of your software and the Windows operating system.

    It is important that you visit Windows Update regularly.
    How to configure and use Automatic Updates in Windows

    It's vital that you keep all your software up to date, as older versions may have security vulnerabilities. Keeping Java and Adobe products updated is a priority.
    Download and install the latest version of Java
    Download and install the latest version of Adobe Reader




    =>  I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

    For security protection, an active antivirus is required. If you want to reinforce your security setup, I recommend additional security software and utilities:
    Download and install Malwarebytes' Anti-Malware and perform a 'Threat Scan' from time to time. Malwarebytes will detect and remove all traces of known malware.
    Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
    Download and install Unchecky to keep your checkboxes clear by preventing the installation of additional adware and other PUP software.
    Download and install AdBlock for safe web surfing without annoying and malicious ads.




    Extra text for reading:

    Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

    Please visit FAQ - Answers to common security questions - Best Practices to read tips how to protect yourself against malware infection.

    You may also visit and read What to do if your Computer is running slowly? if you like to read some basic geek stuff.




    The specific type of infection:

    Meet CryptoPrevent, a security app that attempts to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

    More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ
    Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

    Stay safe. 


    Best Regards,
    magna86