I have a Police Malware asking for money Ukask

[Steca]

Hi,

Can someone please help with this problem?

I have tried loads of things to try and remove it system restore does not get rid of it.
I can log in on my computer under my wife's name but not mine keep Getting the same screen.
I can restart with safe mode with command prompt only.
or start normally and log in as another user.
I have run both OTL and aswMBR see results
please help im going out of my mind?
Thanks
[attachment=4591]
[attachment=4592]

 

[Steca]

Hi,

Can someone please help with this problem?

I have tried loads of things to try and remove it system restore does not get rid of it.
I can log in on my computer under my wife's name but not mine keep Getting the same screen.
I can restart with safe mode with command prompt only.
or start normally and log in as another user.
I have run both OTL and aswMBR see results
please help im going out of my mind?
Thanks

hi,

I have managed to do a frst scan here are the results
[attachment=4597]

 

[Fiery]

Hi Steca and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Open notepad and copy & paste the following:

HKCU\...\Winlogon: [Shell] explorer.exe
2013-05-27 07:55 - 2013-05-27 07:58 - 00000000 ____D C:\Windows\E89498D814304A2BA76A4A71326981E9.TMP
2013-05-26 17:03 - 2013-05-26 17:03 - 00116854 ____A C:\ProgramData\2433f433
2013-05-26 17:03 - 2013-05-26 17:03 - 00116784 ____A C:\Users\Steve\AppData\Local\2433f433
2013-05-26 17:03 - 2013-05-26 17:03 - 00040448 ____A (Adobe Systems Incorporated) C:\Users\Steve\Documents\5f0811c.dll
ZeroAccess:
C:\Users\Steve\AppData\Local\{66e67a30-785d-9aec-9e8a-9007b49c85ca}
C:\Users\Steve\AppData\Local\{66e67a30-785d-9aec-9e8a-9007b49c85ca}\@
C:\Users\Steve\AppData\Local\{66e67a30-785d-9aec-9e8a-9007b49c85ca}\L
C:\Users\Steve\AppData\Local\{66e67a30-785d-9aec-9e8a-9007b49c85ca}\U
C:\Users\Steve\AppData\Local\{66e67a30-785d-9aec-9e8a-9007b49c85ca}\L\00000004.@

folder: C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1

and save it as fixlist.txt onto your flash drive.

Then, boot to safe mode, plug in your flash drive, open FRST and click fix. Post the generated log.

Then attempt to boot normally. If successful,

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Download TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

 

[Steca]

[attachment=4599]Hi,

Thanks very much for helping with this.
i have run the fix and have now managed to log in,the report down below.
i have downloaded theMbar.exe but when i run it it keeps saying Error During a scan has occured scan cant continue.report below.
plus windows security wont turn on.
Do i try TDSSkiller?

[attachment=4598]
[attachment=4599]

 

[Fiery]

Ok, give TDSSkiller a try first.

 

[Steca]

HI,

I have run TDSSKiller but have not deleted report below.
[attachment=4602]

 

[Fiery]

All the suspicious items found by TDSSKiller are ok, do not delete them.

Open OTL. Under custom scan/fixes, copy and paste the following:

C:\ProgramData\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06\*.*
C:\Users\Steve\AppData\Local\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06\*.*
C:\Users\Steve\AppData\Local\qxsxf67l435so7e67w35t648\*.*
C:\ProgramData\qxsxf67l435so7e67w35t648\*.*

Click the None button on the top. Then click Run Scan. Please post the generated log.

 

[Steca]

HI,

here you go
[attachment=4604]

 

[Fiery]

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
[2011/05/14 16:03:24 | 000,009,236 | -HS- | C] () -- C:\Users\Steve\AppData\Local\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06
[2011/05/14 16:03:24 | 000,009,236 | -HS- | C] () -- C:\ProgramData\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06
[2011/04/10 16:17:21 | 000,001,538 | -HS- | C] () -- C:\Users\Steve\AppData\Local\qxsxf67l435so7e67w35t648
[2011/04/10 16:17:21 | 000,001,538 | -HS- | C] () -- C:\ProgramData\qxsxf67l435so7e67w35t648

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Please download Malwarebytes' Anti-Malware from here to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

 

[Steca]

Hi,

I have tried 3 times to run OTL with you code and each time it freezes and says not responding.
So no log

What shall I try next?

 

[Steca]

HI,

I have just done a Malwarebytes scan and it found nothing.
report below.
[attachment=4622]

 

[Fiery]

Ok, we will use FRST to do the job.

Open notepad and copy & paste the following:

C:\Users\Steve\AppData\Local\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06
C:\ProgramData\v4pt6gr18h144ig60b2b7o17qt8q6qf8ro2k44i06
C:\Users\Steve\AppData\Local\qxsxf67l435so7e67w35t648
C:\ProgramData\qxsxf67l435so7e67w35t648

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Boot normally and Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
• Click delete
• Please post the content of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

 

[Steca]

HI,

here is the report from FRST
[attachment=4651]

 

[Steca]

HI,

I have done what you have asked and the reports are below.
[attachment=4653]
[attachment=4654]
[attachment=4655]

 

[Fiery]

Please download ComboFix from one of these locations:

<a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a>
<a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a>
<ul>
<li>Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See <a title="External link" href="http://www.bleepingcomputer.com/forums/topic114351.html" rel="external">HERE</a> for help</li>
<li>Double click on Combo-Fix & follow the prompts.</li>
</ul>

When finished, ComboFix will produce a log.

<>Note:</>
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

 

[Steca]

HI,

I have scanned the result below.
I did turn off AVG but i think it might have come on again.
[attachment=4673]

 

[Steca]

Hi,

Thanks I have managed to do a windows update and have now got back the security center I.e windows defender no red shield in the system tray[/i]

 

[Fiery]

Good to hear We are almost done.

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
• The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A notepad document should open automatically called checkup.txt.
• Please post the contents of that document in your next reply. Please do not attach it!

 

[Steca]

HI,
Here are the result for ESET scan

C:\Users\Rachel\Downloads\cbsidlm-tr1_13-HitmanPro_3_32bit-ORG-10895604 (1).exe Win32/DownloadAdmin.G application
C:\Users\Rachel\Downloads\cbsidlm-tr1_13-HitmanPro_3_32bit-ORG-10895604.exe Win32/DownloadAdmin.G application
C:\Users\Rachel\Downloads\cbsidlm-tr1_13-HitmanPro_3_64bit-ORG-75110395.exe Win32/DownloadAdmin.G application
C:\Users\Steve\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\4e2d6d53-25a25cf2 a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Users\Steve\Downloads\Setup-SopCast-3.3.2-2010-12-15.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56V5FNUU\WECPSetup[1].exe a variant of Win32/InstallCore.AZ application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8QV12155\WECPSetup[1].exe a variant of Win32/InstallCore.AZ application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A13RU2ND\WECPSetup[1].exe a variant of Win32/InstallCore.AZ application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJ37FO1H\WECPSetup[1].exe a variant of Win32/InstallCore.AZ application

Cant download Security Check .exe as both links are no good.
could you give me another link?
Thanks

 

[Fiery]

Please try this one: http://www.bleepingcomputer.com/download/securitycheck/dl/123/

How is your PC now?