dllhost.exe*32 problems Logs posted

**Juliet** · 2014-11-13, 23:35

My version of Spybot should have included antivirus...in fact it says live protection: on, Internet protection: full. So how did this ransomware get through?

How long was the computer without an antivirus and, no antivirus can protect against user's clicking on email attachments or open exploits for out of date applications.

Do you have these logs?
C:\AdwCleaner.txt
JRT.txt

**gurleygirl** · 2014-11-13, 23:52

I thought I was protected, but apparently not. An IT friend suggested Spybot. I purchased and installed on 11/6, but the ransonware didn't "Activate" (maybe that isn't the right word) until 11/11.

Please note I have to change my Internet Security settings back to default everytime I download one of the programs you ask me to run. Also, when I finished with the adware removal just now the computer rebooted. After turning back on, it immediately opened up IE and went to the ransomware payment page. Thought I would mention those. Here's the adware log...working on the last right now.

# AdwCleaner v4.101 - Report created 13/11/2014 at 16:31:58
# Updated 09/11/2014 by Xplode
# Database : 2014-11-12.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Melissa - LAPTOP
# Running from : C:\Users\Melissa\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : CltMngSvc
Service Deleted : SPPD

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\374311380
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Browser Enhancements
Folder Deleted : C:\Program Files (x86)\Browser Enhancements
Folder Deleted : C:\Users\Melissa\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage

***** [ Scheduled Tasks ] *****

Task Deleted : LaunchSignup

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\UpdateFiles
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\deltavacations.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\durable-tech.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\sweetadditions.net
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.sweetadditions.net

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Google Chrome v

[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M3D70D438-989F-4ECB-BA82-CCA300550E22&SearchSource=58&CUI=&UM=6&UP=SPD3324CD6-0783-4263-9C08-267860FCEFE1&q={searchTerms}&SSPV=
[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M3D70D438-989F-4ECB-BA82-CCA300550E22&SearchSource=58&CUI=&UM=6&UP=SPD3324CD6-0783-4263-9C08-267860FCEFE1&q={searchTerms}&SSPV=
[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Startup_URLs] : hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M3D70D438-989F-4ECB-BA82-CCA300550E22&SearchSource=55&CUI=&UM=6&UP=SPD3324CD6-0783-4263-9C08-267860FCEFE1&SSPV=
[C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Startup_URLs] : hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M3D70D438-989F-4ECB-BA82-CCA300550E22&SearchSource=55&CUI=&UM=6&UP=SPD3324CD6-0783-4263-9C08-267860FCEFE1&SSPV=

*************************

AdwCleaner[R0].txt - [5103 octets] - [13/11/2014 16:29:41]
AdwCleaner[S0].txt - [5004 octets] - [13/11/2014 16:31:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5064 octets] ##########

**gurleygirl** · 2014-11-14, 00:04

Youre going to think I'm a moron, but I have no idea how to disable Spybot before I run the last scan! Instruction please!

**Juliet** · 2014-11-14, 00:12

http://www.safer-networking.org/shop/
Can you tell me which version of Spybot you installed?

I thought I was protected, but apparently not. An IT friend suggested Spybot. I purchased and installed on 11/6, but the ransonware didn't "Activate" (maybe that isn't the right word) until 11/11.

You were already infected by that time. Looking back over the logs, seriously.

You could disable or uninstall Live protection.
If you open Spybot start center,checkmark advanced mode,click Settings(saying Yes to UAC,if applicable),click the Live Protection tab,then you click Show Live Protection Advanced Control,you can see two options to deactivate Live Protection,or uninstall Live Protection.
That deactivates or uninstalls(depending on which you pick)real-time protection,

The system scan will still search using antivirus definitions when you scan after disabling Live Protection,but there isn't much chance of conflict that way,so that should be okay.

Also, when I finished with the adware removal just now the computer rebooted. After turning back on, it immediately opened up IE and went to the ransomware payment page. Thought I would mention those.

We can still run other scans and attempt to remove what we can but, early on I mentioned I cannot remove the damage done by the CryptoWall (variant) done to your machine.
cryptowall-ransomware <--can be removed but the encrypted files cannot
CryptoDefense <--can be removed but the encrypted files cannot

http://www.bleepingcomputer.com/viru...re-information

http://www.bleepingcomputer.com/foru...etails-inside/
CryptoDefense - Newest cryptolocker variant - Details inside, extensive reading about this infection.

**gurleygirl** · 2014-11-14, 18:41

I have Spybot + Antivirus Home Edition.

Also, let the JRT.exe run overnight but woke up this morning to it being still open. Restarted computer and am running again. No log was posted so I'm not sure what happened! Will post ASAP!

**gurleygirl** · 2014-11-14, 18:52

So, now what to venture onto? Thanks again for all your help!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Windows 7 Home Premium x64
Ran by Melissa on Fri 11/14/2014 at 11:38:32.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/14/2014 at 11:49:24.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**Juliet** · 2014-11-14, 20:55

Please download Malwarebytes AntiRootkit and save it to your desktop.

Full instructions how to use MBAR
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

• Unzip/unrar MBAR in a folder to your Desktop and MBAM shall run ...

• Click on Next > then on Update button to download fresh definitions.

• When database updates click Next

• In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"

• If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
Or if you are sure any entries should be kept, just untick them. A list of infected files will be listed.

• The Clean up procedure will be Scheduled for process.
• When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

~~~~~~~~~~~~~~~~~~~~`

What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note:
For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
Click [b]Start[/b
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan.

*************************************

Please post
mbar logs
Eset logs

How is your computer now?

**gurleygirl** · 2014-11-14, 23:14

Malwarebytes Anti-Rootkit BETA 1.08.1.1001
www.malwarebytes.org

Database version: v2014.11.14.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16428
Melissa :: LAPTOP [administrator]

11/14/2014 3:22:56 PM
mbar-log-2014-11-14 (15-22-56).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 374966
Time elapsed: 25 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML (CryptoWall.Trace) -> Delete on reboot. [8e22a7946d0fdc5a83cf261b50b3c43c]
C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT (CryptoWall.Trace) -> Delete on reboot. [b4fc89b2e29ac175ce841e238e75cf31]
C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL (CryptoWall.Trace) -> Delete on reboot. [b5fb52e9067686b02032172a9a695ba5]
C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.HTML (CryptoWall.Trace) -> Delete on reboot. [2e8253e8cab2af87e2711829ce35847c]
C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.TXT (CryptoWall.Trace) -> Delete on reboot. [eac6a5961d5fa98d57fcd17041c21ce4]
C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.URL (CryptoWall.Trace) -> Delete on reboot. [c6ea1823f88460d65df6023f4db6e719]
C:\Users\Melissa\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Delete on reboot. [87297fbc136980b65264138e7c871de3]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.1.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16428

Java version: 1.6.0_35

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 4255502336, free: 2301657088

Downloaded database version: v2014.11.14.08
Downloaded database version: v2014.11.12.01
=======================================
Initializing...
------------ Kernel report ------------
11/14/2014 15:22:39
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\L1C62x64.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\CtClsFlt.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\drivers\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800451b400
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa800411b050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800451b400, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800451c040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800451b400, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800411b050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 51ED4EC9

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 206848 Numsec = 30720000
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 30926848 Numsec = 945844272

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.HTML --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.TXT --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\Desktop\DECRYPT_INSTRUCTION.URL --> [CryptoWall.Trace]
Infected: C:\Users\Melissa\AppData\Roaming\Microsoft\stor.cfg --> [Malware.Trace]
Scan finished
Creating System Restore point...
Cleaning up...
Removal successful. No system shutdown is required.
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

**Juliet** · 2014-11-14, 23:51

I see you let it delete what was found.

online scan with Eset?

I expect to see several infected files, lines saying
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.URL

**gurleygirl** · 2014-11-15, 01:52

Eset is still scanning and working properly...going on 2 hr 27 minutes, 831 threats found. Problem is I have to leave to go on a short trip but will be back Sunday. I didn't mean to delete those threats...It didn't give me a pop up to do a scheduled deletion. I will let you know Sunday how it goes! Thanks again for everything, have a great weekend!

Melissa

Thread: dllhost.exe*32 problems Logs posted

Thread Tools

Display

Posting Permissions