just a man asking for some directions toward freedom

Hi and welcome. There's alot more to do than run Hitman, take a look here:

READ & RUN ME FIRST - Malware Removal Guide

 

Well if you want me to check for malware it's going to take more than a HJT log.

I need logs from you running:

• TDSSKiller
• Malware Bytes
• Hitman Pro
• RogueKiller
• MGTools

Fair bit more than you were expecting I guess, but that's what I need.

 

Try this:

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst<-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• GRK64 <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• SN64 <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Attach the MGlogs.zip

 

Forgot to say: I think that's wonderful that you wish to donate.

 

Where did you download this from?

C:\Users\kiddo\Downloads\FRST64.exe

 

Hi there.

There's no way to donate to me directly. The website as a whole would very much appreciate it though.



Do this instead of MGTools then:

Now please download OTL by OldTimer.

• Save it to your desktop.
• Double-click on the OTL icon on your desktopto run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

Also answer me about where you downloaded FRST64.exe from, please.

 

Good morning.

We need to run an OTL Fix

• Right-click OTL.exe to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

:otl
[2014/11/02 02:21:03 | 000,000,000 | ---D | C] -- C:\ProgramData\EeyoKuvlu
[2014/11/01 12:49:01 | 000,000,000 | ---D | C] -- C:\ProgramData\JirxIradp
[2014/10/28 22:23:02 | 000,001,104 | -H-- | M] () -- C:\ProgramData\@system2.att
[2014/10/28 22:22:46 | 000,001,368 | ---- | M] () -- C:\ProgramData\@system.att
[2014/10/26 16:03:06 | 000,000,028 | ---- | M] () -- C:\Windows\SysWow64\u
[2014/10/26 16:01:43 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\yiqvnim.dll
[2013/12/23 22:55:57 | 000,000,308 | ---- | M] () -- C:\Windows\tasks\Digital Sites.job
[2014/10/28 20:40:14 | 000,001,368 | ---- | C] () -- C:\ProgramData\@system.att
[2014/10/28 20:39:19 | 000,001,104 | -H-- | C] () -- C:\ProgramData\@system2.att
[2014/10/26 16:03:06 | 000,000,028 | ---- | C] () -- C:\Windows\SysWow64\u
[2014/10/26 16:01:43 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\yiqvnim.dll
@Alternate Data Stream - 205 bytes -> C:\ProgramData\Temp:E6E3D650
@Alternate Data Stream - 163 bytes -> C:\ProgramData\Temp:FB1B13D8
  
:commands

[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
• Vista/Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Attach the logfile to your next next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

• Now re run OTL like you did the very first time, and attach log.
• Explain how things are running.

 

Good afternoon.

Where? I'm not seeing these at all. Can you give an exact file path or zip a file or two up for me and attach it here for me to look at?



Please let Adwcleaner remove what it finds on a re-run.


Delete this, let me know if it deletes okay.

• C:\Windows\tasks\Security Center Update - 608556496.job

SystemLook

Please download SystemLook from the FIRST link below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :regfind
  SecurityCenterServer

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt




Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

 

I'm afraid it sounds like you have been infected by a ransomeware infection called cryptowall. There is nothing that can currently be done to reverse the effects of this. I am so sorry we spent days on this without me noticing.

Please see this article.

 

@Kestrel13!, The initial logs showed signs of Poweliks. I suggest that you run a scan with FRST in normal boot mode and get the FRST.txt and Addition.txt logs.

 

Thanks Chas, you're right, I some some similar files which seem to be connected to poweliks. I also neglected to get them fixed with RogueKiller.

 

No Kestrel13! That is the wrong way to run FRST for Poweliks. See my threads. Also I sated in my last message " in normal boot mode ".

 

I know how to run it, I don't know why I laid that boiler plate down!

Sorry Loblues... do this instead please and disregard my previous FRST instructions.

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: Make sure you download the correct version for your PC. Only the correct version will work.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.