Author Topic: Hello guys and gals.  (Read 7845 times)


Offline ecash

  • Newbie
  • *
  • Posts: 15
Hello guys and gals.
« on: March 27, 2015, 11:25:16 PM »
Working on a customer's machine, and it now holds my record for viruses/bots and recovery.

I'm getting random Avast warnings of mal:... they get blocked.
I'm setting Chrome as the main browser.
I am using Avast Free and MWB, and Spybot 1.6.

thanks in advance.


REDACTED

  • Guest
Re: Hello guys and gals.
« Reply #1 on: March 28, 2015, 01:36:10 AM »
Hi ecash.

Don't see essexboy connected. It is very late in the UK right now. I am afraid you will have to wait until tomorrow for help.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Hello guys and gals.
« Reply #2 on: March 28, 2015, 09:05:16 AM »
Hey, a small tip: remove Spybot, it's no good anymore; it can't keep up with the malware out there today. Plus it may create some problems for the expert who will help you, so please remove it.

Thanks  ;)
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Hello guys and gals.
« Reply #3 on: March 28, 2015, 12:40:25 PM »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Hello guys and gals.
« Reply #4 on: March 28, 2015, 12:50:46 PM »
Unfortunately this one was hit by ransomware.  Have you been able to recover any documents ?

 CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3018225747-99246241-2890599244-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKLM - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
2015-03-16 02:45 - 2015-03-16 14:53 - 00000000 ____D () C:\ProgramData\10756059261015101918UL
2015-03-18 04:40 - 2010-10-11 19:32 - 00000000 ____D () C:\2eb768383a0da5998fb385d27bdbfa
2015-03-18 04:39 - 2010-09-27 22:12 - 00000000 ____D () C:\fc0639012eda485d7bb6ce300b
2015-03-18 04:38 - 2009-11-09 23:28 - 00000000 ____D () C:\df30ff8bcf3746ab72f05871089a9cb5
2015-03-18 02:58 - 2011-11-01 21:36 - 00000000 ____D () C:\Users\Sally\AppData\Roaming\PC Unleashed Online
Task: {2BCD5C0A-16F1-4A23-951F-B5CD460D6E0C} - System32\Tasks\Bomgar Task 1383494 => Iexplore.exe http://remote.iyogi.net/session_complete.ns?lsid=h%3D30b56f5418ba98ad8bdbe2d9345759b821d0b039%3Bl%3D0d35ca19dd2d4fd5916eae0ec9ffcb99%3Bm%3Dsdcust%3Bt%3Dsd
Task: {6EE3A775-FFE5-4ADA-9FBE-0153D1757356} - \TrustedInstaller Update 2 No Task File <==== ATTENTION
Task: {A13F5D1C-D7A0-4645-87CC-77CA64F15328} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {C893A463-B92A-4303-B3CC-4D180C06AC01} - \AdobeFlashPlayerUpdate 2 No Task File <==== ATTENTION
Task: {CF0A43B2-436A-4EBE-92AA-FC12573ACBAF} - \TrustedInstaller Update No Task File <==== ATTENTION
Task: {CF3953FB-1106-45D1-9791-A6E331AA712C} - \AdobeFlashPlayerUpdate No Task File <==== ATTENTION
Task: {D48CD0F2-54C1-45C2-AF03-47A6C34BEA0D} - \The Bluetooth service discovery No Task File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
R2 mfevtp; C:\Windows\system32\mfevtps.exe [167344 2012-10-29] (McAfee, Inc.)
R0 McPvDrv; C:\Windows\system32\Drivers\McPvDrv.sys [61688 2008-05-28] (McAfee)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [132912 2012-10-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565352 2012-10-29] (McAfee, Inc.)
2015-03-26 19:25 - 2007-10-18 02:21 - 00000000 ____D () C:\ProgramData\Symantec
2015-03-26 19:25 - 2007-10-18 02:21 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2015-03-18 02:45 - 2008-11-19 14:18 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-18 02:26 - 2014-06-15 22:04 - 00000000 ____D () C:\Program Files\pcmax
2015-03-15 04:51 - 2010-01-02 00:39 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2015-03-15 04:51 - 2008-12-27 18:55 - 00000000 ____D () C:\Program Files\McAfee
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Scan with IDTool
 
Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
  • Enter the IDTool directory, right-click on icon and select Run as Administrator to start the tool.
  • IDTool needs Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree
  • Wait patiently until the tool will collect necessary data
  • Once the main console is loaded, please press Rescan Computer and Generate a New Report.
  • When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
  • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience
Please include that contents in your next reply.

Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #5 on: March 28, 2015, 07:02:35 PM »
Quote
Hey, a small tip: remove Spybot, it's no good anymore; it can't keep up with the malware out there today. Plus it may create some problems for the expert who will help you, so please remove it.

Thanks  ;)

I use the old version for the tools. It also finds a few things others have forgotten.
It also looks at startup, and can find invisible inserts (most times).

As for IObit, I agree. It's spamware.

Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #6 on: March 28, 2015, 10:19:48 PM »
Logs..

IDTOOL,

Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 3/28/2015 3:18:06 PM
Operating System: Windows Vista
Service Pack: Service Pack 2
Version Number: 6.0
Product Type: Workstation
--------------------------------------------
[Detected Flags]
1.|  Possible CryptoWall Flag , HKCU\Software\DAE69208913ED8FC59075A05C93A5256\0023555556799AAC


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Hello guys and gals.
« Reply #7 on: March 28, 2015, 10:44:27 PM »
How is the computer behaving at the moment ?

I would like to run a quick check on the services

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Reg: reg delete HKCU\Software\DAE69208913ED8FC59075A05C93A5256 /f

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
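The two fixlists above delete CryptoWall's HELP_DECRYPT.* ransom notes, orphaned scheduled tasks ("No Task File"), browser policy restrictions, and the 32-hex-character HKCU\Software key that IDTool flagged. As an added example (not from this thread, nor from FRST or IDTool), here is a read-only PowerShell triage script that checks a machine for the same indicators before any fix is applied. It assumes an elevated prompt, an English-language Windows (schtasks column names), and scan roots of C:\Users and C:\ProgramData; the 32-hex key pattern is inferred from the single IDTool hit above and is an assumption, not a published CryptoWall signature.

```powershell
# Added triage script (not part of the thread or of FRST/IDTool). Read-only: it reports, it does not fix.
# Assumptions: run elevated; English schtasks headers; $ScanRoots chosen by the author of this example;
# the ^[0-9A-F]{32}$ key pattern is inferred from IDTool's HKCU\Software\DAE69208913ED8FC59075A05C93A5256 hit.
# schtasks.exe is used instead of Get-ScheduledTask so the script also runs on Vista/7.
param(
    [string[]]$ScanRoots = @('C:\Users', 'C:\ProgramData')   # assumed scan roots; widen as needed
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Ransom notes (the fixlist deletes HELP_DECRYPT.HTML/PNG/URL); their parent folders show what was encrypted.
foreach ($root in $ScanRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -Path $root -Filter 'HELP_DECRYPT.*' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("RansomNote: $($_.FullName)") }
    }
}

# 2. A key named with 32 hex characters directly under HKCU\Software (the pattern IDTool flagged).
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{32}$' } |
    ForEach-Object { $findings.Add("HexKey: $($_.Name)") }

# 3. Browser lockdown policies (FRST: 'Policy restriction' and 'Group Policy on Chrome detected').
#    A home machine normally has none of these keys at all, so their mere presence is worth a look.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)
foreach ($k in $policyKeys) {
    if (Test-Path -LiteralPath $k) {
        $subkeys = (Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
        $props   = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        $values  = @($props.PSObject.Properties |
                     Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }).Count
        $findings.Add("PolicyKey: $k (subkeys=$subkeys, values=$values)")
    }
}

# 4. Scheduled tasks whose target binary no longer exists (FRST: 'No Task File'), and tasks that
#    open a browser at a URL, as the leftover Bomgar/iYogi task did.
#    schtasks /V repeats its header line per task folder, so rows whose TaskName is literally 'TaskName' are dropped.
schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object {
        $run = $_.'Task To Run'
        if (-not $run -or $run -eq 'N/A') { return }
        if ($run -match '^"?([A-Za-z]:\\[^"]+?\.(exe|cmd|bat|vbs|js|ps1))"?') {
            if (-not (Test-Path -LiteralPath $Matches[1])) {
                $findings.Add("OrphanTask: $($_.TaskName) -> $run")
            }
        }
        if ($run -match '(?i)iexplore|chrome|firefox' -and $run -match 'https?://') {
            $findings.Add("BrowserTask: $($_.TaskName) -> $run")
        }
    }

if ($findings.Count -eq 0) { 'No CryptoWall-era indicators found.' } else { $findings }
```

Run it as `powershell -ExecutionPolicy Bypass -File .\cw-triage.ps1` from an elevated prompt and compare its output with the FRST log; anything it lists is a candidate for the fixlist, not an automatic deletion. Note that a task whose "Task To Run" is a COM handler or a bare command name without a drive letter is skipped by check 4, and that the hex-key check only looks one level under HKCU\Software, which is all the IDTool hit above justifies.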

Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #8 on: March 29, 2015, 12:13:22 AM »
Running FAIR...
Still getting the popup note from Avast, blocking about 4 locations.
First time after the fix, I loaded Chrome, and 4 tabs came up, to locations no longer available.

Will reset and try again.


Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #9 on: March 29, 2015, 12:57:47 AM »
After reset, still getting the popups.
Could take a few pics.

Would be nice if Avast would let me click and copy it.

Or a program to capture program activation and tell me what brought it up.
It's interesting that it's using the primary browser, but not the secondary.
Will look up Chrome reset.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Hello guys and gals.
« Reply #10 on: March 29, 2015, 11:19:09 AM »
Is this just in Chrome ?  If so then it has been corrupted

Re-install Chrome

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome. Note: When asked about user data or settings you must remove this also so please check the box.
5. Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #11 on: March 29, 2015, 10:37:56 PM »
I will try 2 things.
It has never had a Google account set up.

I will swap the primary to FF.
See what happens.
Then erase Chrome.
Reset and see if FF gets infected.

This was a full cleaning; there isn't much on this machine anymore.
There is a backup DIR, but it looks like it might be corrupted, as there are all those ransomware titles inside it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Hello guys and gals.
« Reply #12 on: March 29, 2015, 11:10:17 PM »
Alas there is no help for the encrypted files

Offline ecash

  • Newbie
  • *
  • Posts: 15
Re: Hello guys and gals.
« Reply #13 on: March 30, 2015, 12:49:59 AM »
OK...
Tried something.

When I added Chrome, there had been an older version on.
I looked at extensions.
There was a strange AdBlock program. PIC ADDED.

I turned it off and one I recently added.
No more notices, so far.
Don't know if it KILLED the main problem, but no more notices from Avast.


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Hello guys and gals.
« Reply #14 on: March 30, 2015, 04:01:14 AM »
Ok, so there is progress in the right direction.
Good to hear of course.
But please run Farbar again and attach the new logs so we can have a look at how things are now.