
Advertisement Powered by Provider removal required


  • This topic is locked
7 replies to this topic

#1 Gozoman

Gozoman

  • Members
  • 26 posts

Posted 03 August 2016 - 12:34 PM

Over a week ago I got infected by something that was opening windows on my computer mostly to dating sites and porn sites. My first thought was to use System Restore to revert back to a time before the infection but whatever it was had got to my system restore and wiped all my restore points! I ran programs such as Malwarebytes and Superantispyware but they didn't have any effect. I ran these in safe mode by the way. Then I got what I assume was ransomware. Basically a window opened on my screen with a red border and a voice said something along the lines of, Warning, your files have been locked. You must ring the number below for instructions on how to unlock your computer. Something like that anyway. Well obviously I didn't ring any number. I cut my internet connection immediately and then started my computer at a command prompt and ran sfc /scannow. After that I restarted in safe mode and ran Malwarebytes and then restarted in safe mode and ran Superantispyware. When I finally rebooted into Windows 7 everything appeared to be back to normal but the next day I got a little window appearing in the bottom left of my screen with a countdown from 5 seconds after which a large window opened with the words, Advertisement. Powered by Provider, at the top. These are popping up all the time now, even when I tried to register on this site all sorts of windows popped up. I was advised to run TDSS killer which I did followed by ADWcleaner but they have had no effect as the ads and windows porn sites etc. keep opening. I have now run Farbar Recovery Scan Tool and I have attached the files below in the hope that someone can find a fix for this. Many thanks for any help.

Attached Files





#2 polskamachina

polskamachina

  • Malware Response Team
  • 3,939 posts

Posted 03 August 2016 - 09:18 PM

Hi Gozoman :)

 

My name is polskamachina and I would like to welcome you back to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.

 

polskamachina



#3 polskamachina

polskamachina

  • Malware Response Team
  • 3,939 posts

Posted 06 August 2016 - 12:24 AM

Hi Gozoman,

 

I am busy working on a fix for you and should be able to post it here tomorrow. :busy:

 

polskamachina



#4 Gozoman

Gozoman
  • Topic Starter

  • Members
  • 26 posts

Posted 06 August 2016 - 06:16 AM

Thanks for that. The problem however seems to have cleared. I ran Hitman Pro and it found and removed a Trojan and a pile of other miner things. Ever since that I've had no pop-ups. Having said that whatever you have in mind would be great to keep in reserve in case it happens again.



#5 polskamachina

polskamachina

  • Malware Response Team
  • 3,939 posts

Posted 07 August 2016 - 12:17 AM

Hi Gozoman,
 
That's good news that the problems have cleared up. :thumbup2:

Having said that whatever you have in mind would be great to keep in reserve in case it happens again.

Before you leave, there are a couple of points I'd like to make:

  • It would be very beneficial for me to review the current state of your computer because automated programs do not always catch everything.
  • I would like to help you complete your system inspection however there is evidence of illegal software on your computer. Before I can proceed, I am going to request that you completely uninstall Adobe Photoshop CS5 and all other products for which you do not have a valid Product Key. If you are willing to do that, please rerun FRST and scan with the Addition.txt box checked. Please copy and paste both logs into your next reply to me. If you prefer to leave the program(s) on your computer, let me know and the topic will be closed.

If you decide to remove the program(s) we will continue with the following:

  • Download CKScanner and save it to your Desktop
  • Double click CKScanner
  • Select Search For Files
  • Once completed, select Save List to File
  • A ckfiles.txt document will be placed on your Desktop
  • Copy and paste the results of that report in your next reply to me

In summary, I will need the following logs:

  • CKScanner log
  • FRST log
  • Addition log

Let me know if you have any questions.
 
polskamachina



#6 polskamachina

polskamachina

  • Malware Response Team
  • 3,939 posts

Posted 10 August 2016 - 04:23 PM

Hi Gozoman :)

 

It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#7 Gozoman

Gozoman
  • Topic Starter

  • Members
  • 26 posts

Posted 10 August 2016 - 04:27 PM

Hi,

 

Sorry I've been tied up with other stuff and forgot to get back to you. Everything seems to be fine now so I'm going to leave well enough alone and not play with it any more. Thanks a lot for all the help guys.



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,617 posts

Posted 10 August 2016 - 07:28 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



