Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 2, 2014 21:43:31 GMT -8
We can leave them for now as it does not appear to affect your system.
Now the error messages you were getting with regserv should not be appearing either.
Quads
Post by katrina on Nov 3, 2014 12:42:09 GMT -8
I am sorry, I thought I was supposed to get rid of them, so I let RogueKiller delete them when the "Fix Proxy" button did not appear.
As of the turn on this morning I got no RegSvr or DLL errors. Norton still thinks it is dealing with Cidox. Pretty smooth here so far with Norton quiet other than the one already mentioned and no performance issues.
Let me know what you would like me to do next. Am I supposed to send another log?
Post by Quads on Nov 3, 2014 13:48:40 GMT -8
I am going to switch a couple of steps around. On with step 4: complete system check for any file and cleanup of items and tools used. Special attention to the different settings I have asked for below. You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same. Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.
Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
For alternate browsers only (Microsoft Internet Explorer users can skip these steps): click on the button shown in the image to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check the box and click the button. Accept any security warnings from your browser. Under scan settings, DON'T (NO) check Remove found threats (the reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following: Scan potentially unwanted applications; Scan for potentially unsafe applications; Enable Anti-Stealth technology.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. Attach the resulting log in your next reply. The scanner screen gives me the option of saving the results to a .txt file as part of the options after the scan has finished. Screenshot of part of the finished scan dialog box by ESET showing the options: List found threats, and at the bottom of the listing are the options to save the list. Quads
Post by katrina on Nov 4, 2014 6:01:49 GMT -8
Oh, this is a big one; it came back with over 6600 files. The forum said it was too many characters for a post, so it is attached.
Just so you know, I am turning off the computer here in between tasks. It seems to replicate as we work. If I should ever not do that, please let me know. Malwarebytes also chose to run and is finding new stuff too. I do not know why it ran since it is the free version and I did not tell it to. I did not let it act on anything.
Attachment Deleted
Post by Quads on Nov 4, 2014 9:26:22 GMT -8
What replicates? dllhost is a legit file used for legit purposes by programs and files.
All three DECRYPT_ files in each detected location mark where the ransomware encrypted personal files like .jpg, .doc, .avi, .html etc. It then creates the instruction files in each of those locations where it encrypted files.
Quads
Post by katrina on Nov 4, 2014 14:15:36 GMT -8
I just was surprised by the number, and with Norton still pinging me occasionally it seemed busy.
Did one of these viruses create that C:\Archive folder, or is it just that the damage is centered there? Are the encrypted things toast?
Post by Quads on Nov 4, 2014 14:30:23 GMT -8
The encrypted files are toast unless you want to pay the bad guys, who should have the decrypt key: $500 - $1,000 USD typically.
For example, photos inside the folder
C:\Archive\Katrina\Music\My Pictures\Family Photos\1999_09_11\
get encrypted, and ransomware like Cryptowall creates 2 or 3 files named DECRYPT_INSTRUCTION.HTML and DECRYPT_INSTRUCTION.TXT.
So we get
C:\Archive\Katrina\Music\My Pictures\Family Photos\1999_09_11\DECRYPT_INSTRUCTION.HTML
C:\Archive\Katrina\Music\My Pictures\Family Photos\1999_09_11\DECRYPT_INSTRUCTION.TXT
The C:\Archive folder looks like a backup set of personal data to some degree, but because the data was on the same system, or connected to the system at the time (while infected), the ransomware searched and encrypted the personal files it found.
That is why users who also have a backup set, for instance on a portable hard drive, should not have the drive connected to the system all the time: if it was connected by USB, the ransomware would encrypt the data on the portable drive also.
Disconnect backup drives and place them in a safe place.
Quads
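As an added defender-side illustration (my own script, not code from this thread or from any tool the participants used), the following Python walks a directory tree and reports every folder that contains a DECRYPT_INSTRUCTION ransom note, listing the sibling files that were presumably encrypted there. This is the triage step that turns the "note in every hit folder" behaviour described above into a count of affected folders and files. The NOTE_NAMES set, the .URL variant (an assumption standing in for the third file the post mentions) and the sample tree are constructed for the demo and are not the user's actual data.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note names from the thread (HTML and TXT); the .URL variant is an
# assumption standing in for the "2 or 3 files" the post mentions.
NOTE_NAMES = {
    "DECRYPT_INSTRUCTION.HTML",
    "DECRYPT_INSTRUCTION.TXT",
    "DECRYPT_INSTRUCTION.URL",
}


def find_affected_dirs(root):
    """Walk `root` and map every directory holding a ransom note to the sorted
    list of its other files, i.e. the files presumably encrypted there."""
    affected = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = [f for f in filenames if f.upper() in NOTE_NAMES]
        if notes:
            affected[dirpath] = sorted(
                f for f in filenames if f.upper() not in NOTE_NAMES
            )
    return affected


def summarize(affected):
    """Return (affected directory count, total presumed-encrypted file count)."""
    return len(affected), sum(len(files) for files in affected.values())


def build_sample_tree(base):
    """Constructed sample layout mirroring the thread's example path: one folder
    that was hit (notes dropped next to two photos) and one that was not."""
    base = Path(base)
    hit = base / "Archive/Katrina/Music/My Pictures/Family Photos/1999_09_11"
    clean = base / "Archive/Katrina/Documents"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    for name in ("img001.jpg", "img002.jpg",
                 "DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT"):
        (hit / name).write_bytes(b"placeholder")
    (clean / "notes.doc").write_bytes(b"placeholder")


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the findings
    keyed by path relative to the temp root (forward slashes), plus totals."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        affected = find_affected_dirs(tmp)
        relative = {
            Path(d).relative_to(tmp).as_posix(): files
            for d, files in affected.items()
        }
        return relative, summarize(affected)


if __name__ == "__main__":
    found, (dirs, files) = run_demo()
    for folder, names in found.items():
        print(f"{folder}: {len(names)} file(s) next to a ransom note")
    print(f"{dirs} folder(s) affected, {files} presumed-encrypted file(s)")
```

Pointing find_affected_dirs at a real root such as C:\Archive (or at a backup drive that was plugged in while the machine was infected) gives a quick inventory of what the ransomware reached; the script only reads directory listings and never modifies or deletes anything, so it is safe to run before deciding what to restore from an offline backup.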
Post by Quads on Nov 4, 2014 21:48:49 GMT -8
Ok
Disable Norton for a while so we can do this.
Can you find the folder C:\FRST, right click it and choose from the menu Send To ==>> Compressed (Zipped) Folder.
Then how big is the FRST.zip archive?
Quads
Post by katrina on Nov 4, 2014 22:14:23 GMT -8
When I try to send to compressed folder I get an error message saying a directory cannot be compressed because it contains characters that cannot be used in compressed folders. The characters look to be Chinese characters in the name, and it suggests I rename the file or directory.
When I turn off Norton, do I disable the firewall too? I noticed it was a separate option.
Post by Quads on Nov 4, 2014 22:28:28 GMT -8
Don't worry about it.
I am going to remove files except the decryption instruction files from your computer for good, so basically splitting the file deletions.
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached; it needs to be the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads