Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Popup Ransomware Disabled all Security On My Computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » July 29th, 2017, 2:55 pm

The previous versions I had of FRST64.exe in my download folder are no longer there.
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm
Advertisement
Register to Remove

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 1st, 2017, 10:00 pm

Hello season :)

Apologies for the delay, I thought I had responded earlier. Please follow steps two and three from my previous post to run FRST from Safe Mode.

Regards,
capnkrunch
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » August 3rd, 2017, 10:35 am

The computer seems to be working OK, I had no problem downloading and running Farbar in safe mode.
You do not have the required permissions to view the files attached to this post.
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 3rd, 2017, 2:37 pm

Hello seasun :)

Step one...

Please answer the following questions:
    ConsentPromptBehaviorUser: 1

  • This is a non-default UAC setting. Have you modified the UAC settings on your computer?
  • Do you recognize the following Firefox extensions? Were they installed by you?
    Ebates: The Free Cash Back Shopping Assistant, CouponNetwork.com/CMDUniversalCouponPrintActivator
  • Do you recognize the following Chrome extensions? Were they installed by you?
    Web Boost - Wait Less, Browse Faster!, Ebates: The Free Cash Back Shopping Assistant, Wikibuy, Adsrental.com
  • Do you recognize the following program? It appears to be a bitcoin miner. Was it installed intentionally by you?
    C:\lc\mining_proxy.exe

Step two...

Show Hidden Files and Folders
  • Click Start and then click File Explorer.
  • Click on the View tab and then click Options.
  • In the Folder Options window click on the View tab.
  • Check Show hidden files and folders and uncheck Hide extensions for known file types.
  • Click OK.

Step three...

Upload Files to VirusTotal
  • Please go to VirusTotal.
  • Click the Choose File button.
  • Navigate to one of the following files:
    C:\lc\mining_proxy.exe
    C:\Program Files (x86)\GUT13E6.tmp
    C:\Program Files (x86)\GUTD4D6.tmp
    C:\Users\Sylvia\AppData\Local\a.zip
    C:\WINDOWS\system32\㩃坜义佄南呜䵅屐浸䉬䕁⸰浴p翹
    C:\WINDOWS\system32\㩃坜义佄南呜䵅屐浸䅬㐶⸳浴p翹
    C:\WINDOWS\system32\㩃坜义佄南呜䵅屐浸䉬䕁⸱浴p翹

    If you sort files by name, the ones with the Chinese characters should either be at the very top or very bottom.
  • Click the Scan it! button.
  • You might see a message saying File already analysed, if you do click Reanalyse.
  • Wait for all the scans to finish then copy and paste the web address from your browser's address bar.
  • Include the link in your next reply.
  • Repeat for the remaining files. You should have one link for each file.

Step three...

FRST Fix
  • You should still have FRST64.exe in your Downloads folder. If not please download it HERE.
  • Download the attached fixlist.txt and save it to your Downloads folder.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  • Right click on FRST64.exe and select Run as administrator.
  • Press the Fix button one time only and wait.
  • When FRST finishes you will be prompted to reboot your computer. Click OK.
  • Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step four...

AdwCleaner - Scan Only
  • Please download AdwCleaner by MalwareBytes save it to your Desktop.
  • Close all open programs and windows so that you are at your Desktop.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
    When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • Do not attempt to clean anything at this point.
  • Click on the Logfile button.
  • This will open a file, AdwCleaner[Sx].txt where x is the number of times it has been run. Copy and paste the contents of that logfile in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Answers to my questions
  • VirusTotal links
  • Fixlog.txt
  • AdwCleaner[Sx].txt
  • Are there any changes in computer behavior?
You do not have the required permissions to view the files attached to this post.
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » August 7th, 2017, 7:10 pm

OK, each of those folders contains a lot of files. Should I upload and scan each file separately?. That's really a lot of files.
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 7th, 2017, 8:57 pm

Hello season :)

Everything I listed were files, not folders. For example, navigate to C:\Program Files (x86) and upload the file named GUT13E6.tmp.
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » August 8th, 2017, 12:23 pm

Where do I find fixlist.txt?
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 8th, 2017, 12:27 pm

Hello seasun :)

You will find fixlist.txt at the bottom of my post with the instructions. There is a section called Attachments. If you click fixlist.text it will probably ask if you want to open or save the file. Choose save and save it to your Downloads folder.
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » August 8th, 2017, 2:50 pm

I apologize, I go through your instructions step by step so, I have not gotten to the bottom of it.
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 8th, 2017, 4:50 pm

Hello seasun :)

No worries. It is a good idea to read through all the instructions once before beginning them. In the future I will also try to have fewer steps.
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby seasun » August 8th, 2017, 5:12 pm

OK, I have finished all the steps,; however, I can't copy AdwCleaner[Sx].txt because right clk and save options are not available.
I've attached a screenshot of the file that pops up when I click on Adwcleaner's "logfiles"

This is a non-default UAC setting. Have you modified the UAC settings on your computer?
No, I don't know what UAC setting is.

Do you recognize the following Firefox extensions? Were they installed by you? Yes
Ebates: The Free Cash Back Shopping Assistant, CouponNetwork.com/CMDUniversalCouponPrintActivator Yes, I use it frequently
Do you recognize the following Chrome extensions? Were they installed by you?
Web Boost - Wait Less, Browse Faster!, Ebates: The Free Cash Back Shopping Assistant, Wikibuy, Adsrental.com Yes, extensions were added by me

Do you recognize the following program? It appears to be a bitcoin miner. Was it installed intentionally by you?
C:\lc\mining_proxy.exe
No, I saw in the Task Manager start up menu a few months ago but I was unable to locate it on my computer
You do not have the required permissions to view the files attached to this post.
seasun
Active Member
 
Posts: 13
Joined: July 18th, 2017, 9:49 pm

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 9th, 2017, 12:10 am

Hello seasun :)

Thanks for getting all those scans for me. There's something I'd like to discuss with my colleagues before I give you the next set of instructions. I will reply as soon as possible; it should be sometime tomorrow.

Regards,
capnkrunch
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby capnkrunch » August 9th, 2017, 6:33 pm

Hello seasun :)

As I suspected, you have been infected with a Bitcoin miner. This is a kind of malware that uses your computer's processing power to generate Bitcoins for the attacker. Because this is a very resource intensive process, it can cause severe lag and unresponsiveness.

Source: Cybercriminals Unleash Bitcoin-Mining Malware

This software could have gotten onto your computer in a couple different ways: a drive-by download or as a result of an attacker having remote access to your computer. If it is the later then there is a very high likelihood that your computer's security has been tampered with to allow the attacker remote access in the future which can be done in ways that are undetectable to us. This would allow them to reinfect your computer easily. Unfortunately, there is no way for us to know which one it was.

We have a couple options for how to proceed:
  • Remove the Bitcoin miner and be done with it. This has the highest risk of reinfection and if you do any kind of online banking or shopping the risk that your banking or credit card information gets stolen is too high for me to be comfortable suggesting this. I strongly recommend against this option.
  • Perform a Reset with the Keep my files option (also called a System Refresh). This will reset Windows and remove any installed programs but will keep any personal files, documents, PDFs, etc. This will likely remove any hidden malware or backdoors. Because some files are not deleted this is still some risk that malware could slip by but I think in this case the risk is small enough to be acceptable. This is the option that I would recommend.
  • Backup your files and perform a Reset with the Remove everything option (also called System Reset). Because you would need to back up files manually this option practically guarantees a clean computer. It is the most time consuming option but also the most secure. In this case, I believe that it is probably overkill.

Please let me know how you would like to proceed. There is 3 days before this topic gets closed so you have some time to think it through. If you need additional time just reply within that time period and let me know.

Regards,
capnkrunch
User avatar
capnkrunch
MRU Master
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Popup Ransomware Disabled all Security On My Computer

Unread postby Gary R » August 13th, 2017, 1:05 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 107 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware