Leef_me

Honorary Members
Posts: 25
Joined
Last visited
Reputation: 0 Neutral
Recent Profile Visitors: 1,142 profile views
  1. The original link I tried was hxxps://www.sunfounder.com/learn/lesson-12-dot-matrix-led-display-super-kit.html
  2. Hi MrCharlie, I believe MWB has cleared the virus after all. Please close this topic.
  3. I am requesting help for the following. I've started getting this pop-up from MWB: "malicious website blocked c:\windows\syswow64\svchost.exe". I scanned with MWB and it did not find any problems, but the pop-up persists. Btw, it seems strange that MWB can intercept the outgoing connection but not use that information to kill the rogue application. Thanks in advance.
  4. Thanks for your help and guidance.

  5. You registered less than 10 minutes before posting. I cannot rely on your suggestion.
  6. I just noticed the note about "service pack out of date". Btw, I have chosen to update my computer with Windows updates because on 2 occasions the update caused a loss of work ability. The reasons related to 1. disabling older software that I have used, 2. disabling multiple-monitor drivers for USB->VGA adapters. FYI, I have 16 important updates and 3 optional updates pending.
     ******************************************************************************
     I have a shared Dropbox that I disabled just after learning I had this virus. I use a LogMeIn account for a shared computer; I have not since learning I had this virus. Can you confirm that our method will not allow the virus to propagate after we are done?
  7. Results of screen317's Security Check version 0.99.87
     Windows 7 x64 (UAC is enabled)
     Out of date service pack!!
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     McAfee Anti-Virus and Anti-Spyware
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     IE HTML Element Spy 1.10
     Java 7 Update 7
     Java version out of Date!
     Adobe Flash Player 14.0.0.145
     Adobe Reader 9
     Adobe Reader XI
     Mozilla Firefox (27.0)
     ````````Process Check: objlist.exe by Laurent````````
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 10%
     ````````````````````End of Log``````````````````````
  8. >>All of these are your encrypted files:
     >>DECRYPT_INSTRUCTION.HTML
     >>DECRYPT_INSTRUCTION.URL
     >>DECRYPT_INSTRUCTION.TXT
     Those are files added by the virus, placed in directories where it encrypted files, approx. 1600 locations. I choose not to pay a ransom or run them. I can manually delete the other files you listed. I will recover the encrypted data I need by other means.
     ***********************
     What other instructions do you have for me?
  9. FRST done. ESET done. Fixlog.txt, eset scan.txt
  10. Here are the (3) TDSS logs. Had a little trouble getting it to take the "loaded modules" setting; had to start TDSSKiller 2X and set the flag for it to 'take'. Had trouble disabling McAfee; the link @ 'bleeping' is outdated (inaccurate) for "McAfee security". I told ComboFix to "go ahead" when it found McAfee. Took >5 min to write the ComboFix log & 2 more to show it. Here is the ComboFix log. What's next? Btw, thanks much. TDSSKiller.3.0.0.40_29.09.2014_10.10.20_log.txt TDSSKiller.3.0.0.40_29.09.2014_10.17.35_log.txt TDSSKiller.3.0.0.40_29.09.2014_10.21.03_log.txt ComboFix.txt
  11. The virus corrupts files, so I am running "safe mode with networking"; is that ok??? PUM does not have quarantine; I used "treat as malware". Is that ok??? Before posting I already installed 'CryptoPrevent' to limit write permissions. https://www.foolishit.com/vb6-projects/cryptoprevent/ It does not seem to help. How do I set a system restore when in 'safe mode'? Otherwise the virus continues to corrupt files.
      Malwarebytes Anti-Malware
      www.malwarebytes.org
      Scan Date: 9/29/2014
      Scan Time: 5:54:01 AM
      Logfile: first_mbam log.txt
      Administrator: Yes
      Version: 2.00.2.1012
      Malware Database: v2014.03.04.09
      Rootkit Database: v2014.02.20.01
      License: Free
      Malware Protection: Disabled
      Malicious Website Protection: Disabled
      Self-protection: Disabled
      OS: Windows 7
      CPU: x64
      File System: NTFS
      User: Lee
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 261515
      Time Elapsed: 10 min, 52 sec
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Disabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled
      Processes: 0 (No malicious items detected)
      Modules: 0 (No malicious items detected)
      Registry Keys: 0 (No malicious items detected)
      Registry Values: 0 (No malicious items detected)
      Registry Data: 0 (No malicious items detected)
      Folders: 0 (No malicious items detected)
      Files: 0 (No malicious items detected)
      Physical Sectors: 0 (No malicious items detected)
      (end)

      RogueKiller V9.2.13.0 (x64) [Sep 25 2014] by Adlice Software
      mail : http://www.adlice.com/contact/
      Feedback : http://forum.adlice.com
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://www.adlice.com
      Operating System : Windows 7 (6.1.7600 ) 64 bits version
      Started in : Safe mode with network support
      User : Lee [Admin rights]
      Mode : Scan -- Date : 09/29/2014 06:30:25
      ¤¤¤ Bad processes : 0 ¤¤¤
      ¤¤¤ Registry Entries : 35 ¤¤¤
      [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe" -> FOUND
      [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe" -> FOUND
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 191.168.1.1 -> FOUND
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 191.168.1.1 -> FOUND
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1 -> FOUND
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1 -> FOUND
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1 -> FOUND
      [PUM.Policies] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | disableregistrytools : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | disableregistrytools : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
      [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> FOUND
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2 -> FOUND
      [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
      [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
      [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
      [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
      [PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      [PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> FOUND
      ¤¤¤ Scheduled tasks : 0 ¤¤¤
      ¤¤¤ Files : 0 ¤¤¤
      ¤¤¤ HOSTS File : 3 ¤¤¤
      [C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
      [C:\windows\System32\drivers\etc\hosts] 0.0.0.0 vube.com
      [C:\windows\System32\drivers\etc\hosts] 0.0.0.0 doubleclick.net
      ¤¤¤ Antirootkit : 4 (Driver: NOT LOADED [0xc000035f]) ¤¤¤
      [EAT:Addr] (explorer.exe) hcproviders.dll - DllCanUnloadNow : C:\Windows\system32\imapi2.dll @ 0x7fef9616edc
      [EAT:Addr] (explorer.exe) hcproviders.dll - DllGetClassObject : C:\Windows\system32\imapi2.dll @ 0x7fef9612164
      [EAT:Addr] (explorer.exe) hcproviders.dll - DllRegisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef96512e0
      [EAT:Addr] (explorer.exe) hcproviders.dll - DllUnregisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef965146c
      ¤¤¤ Web browsers : 0 ¤¤¤
      ¤¤¤ MBR Check : ¤¤¤
      +++++ PhysicalDrive0: WDC WD5000BEVT-16A0RT0 +++++
      --- User ---
      [MBR] 33e713f218b215df8858c35b4b893cd9
      [BSP] b1a2fdd7f89727dad4bccfe7d2564807 : Windows Vista/7/8 MBR Code
      Partition table:
      0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 MB
      1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 33556480 | Size: 200 MB
      2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 33966080 | Size: 230178 MB
      3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 505370624 | Size: 230176 MB
      User = LL1 ... OK
      User = LL2 ... OK
      FRST.txt Addition.txt
  12. Btw, I have already tried to run MBAM. Tried various methods and finally had to run MBAM CLEAN and then reinstall. It just finished a "threat" scan, saying that no malicious items were detected.
  13. I got the CryptoWall virus. Can someone help me remove it? Thanks in advance.
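Post 8 above says the ransom notes were dropped in roughly 1600 directories and that the poster intends to remove them by hand and restore the encrypted data from other sources. The following Python script is an added example, not part of the original thread and not code from Malwarebytes, RogueKiller or any other tool mentioned in it. It inventories every directory holding a DECRYPT_INSTRUCTION.* note (the note names are the ones the post lists, matched case-insensitively), lists the sibling files that were presumably encrypted so they can be restored from backup, and moves the notes to a quarantine folder instead of deleting them, so they stay available as evidence without ever being opened. It runs against a constructed sample tree of its own; the directory layout, file contents and quarantine location are assumptions for the demonstration.

```python
"""Inventory CryptoWall-style ransom notes and quarantine them (added example)."""
import os
import shutil
import tempfile

# Note filenames as reported in the thread; compared case-insensitively.
NOTE_NAMES = {
    "DECRYPT_INSTRUCTION.HTML",
    "DECRYPT_INSTRUCTION.URL",
    "DECRYPT_INSTRUCTION.TXT",
}


def find_ransom_notes(root):
    """Return {directory: sorted note filenames} for every directory under root holding a note."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = sorted(name for name in filenames if name.upper() in NOTE_NAMES)
        if notes:
            hits[dirpath] = notes
    return hits


def suspect_files(hits):
    """Non-note files that share a directory with a note: candidates for restore from backup."""
    suspects = []
    for dirpath, notes in hits.items():
        for name in sorted(os.listdir(dirpath)):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and name not in notes:
                suspects.append(full)
    return suspects


def quarantine_notes(hits, root, quarantine):
    """Move each note to quarantine/<relative dir>/<name>, keeping where it was found."""
    moved = []
    for dirpath, notes in hits.items():
        target_dir = os.path.join(quarantine, os.path.relpath(dirpath, root))
        os.makedirs(target_dir, exist_ok=True)
        for name in notes:
            dst = os.path.join(target_dir, name)
            shutil.move(os.path.join(dirpath, name), dst)  # move, never open or execute
            moved.append(dst)
    return moved


def summarize(root):
    """Report marked directories, notes per directory and suspect files as '/'-joined relative paths."""
    hits = find_ransom_notes(root)

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    return {
        "marked_dirs": sorted(rel(d) for d in hits),
        "notes_per_dir": {rel(d): notes for d, notes in hits.items()},
        "suspects": sorted(rel(f) for f in suspect_files(hits)),
    }


def make_quarantine_dir():
    """Assumed quarantine location: a fresh temp directory outside the scanned tree."""
    return tempfile.mkdtemp(prefix="cw_quarantine_")


def build_sample_tree():
    """Constructed sample data: two directories marked with notes, one clean directory."""
    root = tempfile.mkdtemp(prefix="cw_sample_")
    layout = {
        "Documents": ["report.docx", "DECRYPT_INSTRUCTION.TXT",
                      "DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.URL"],
        "Documents/Photos": ["trip.jpg", "decrypt_instruction.txt"],
        "Downloads": ["setup.exe"],
    }
    for sub, names in layout.items():
        directory = os.path.join(root, *sub.split("/"))
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(sample_root))
    moved_notes = quarantine_notes(find_ransom_notes(sample_root), sample_root, make_quarantine_dir())
    print(len(moved_notes), "notes quarantined;", summarize(sample_root)["marked_dirs"], "still marked")
```

On a real machine you would point `find_ransom_notes` at the drive root rather than a sample tree and keep the quarantine folder off the scanned volume; the suspect-file list is only a heuristic (the note marks the directory, not each file), so confirm encryption before restoring over anything.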