Hi gcdi
Yes the fies that indicate CryptoWall are present. It's very possible that your security programs crippled the infection enough so it did not execute completely.
I see what happened to the OTL fix. The forum software scrambled it a bit.
Let's go about it this then. First run the corrected OTL fix then procede to the next part which will involve using Combofix.
Next, Double click on
OTL.exe
:Services
:OTL
MOD - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()
DRV - (gfmnidzs) -- C:\WINDOWS\system32\drivers\gfmnidzs.sys File not found
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\..\SearchScopes\{67D06BCF-9EF0-4D55-A736-5DBD0B58BABB}: "URL" = http://search.condui...8601233467&UM=2
IE - HKLM\..\SearchScopes,DefaultScope = {1D0C0448-EB8B-4bc6-943B-AAC32A1C7BFC}
IE - HKCU\..\SearchScopes,DefaultScope = {3906D159-82FC-450d-A57A-92D10437A2F5}
[2013/06/26 12:40:28 | 000,228,503 | ---- | M] () (No name found) -- C:\Documents and Settings\MIKE\Application Data\Mozilla\Firefox\Profiles\sywhhfyw.default-1368204256093\extensions\ftd@ftd.com.xpi
O20 - Winlogon\Notify\rckonne: DllName - (C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll) - C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\rckonne.dll ()
[2014/08/04 00:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EderMevif
[2014/08/04 00:08:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EnaqVawci
[2014/08/02 15:04:39 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 15:04:39 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 23:54:43 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\1233740586
[2014/08/02 23:54:07 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\MIKE\Application Data\2302247755
[2014/07/31 09:49:07 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:07 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.URL
[2014/07/31 09:49:06 | 000,008,198 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML
[2014 /07/31 09:49:06 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 15:04:39 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 15:04:39 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/02 14:50:27 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/08/02 14:50:27 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\DECRYPT_INSTRUCTION.URL
[2014/08/01 00:33:50 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\MIKE\Application Data\2302247755
[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:12 | 000,008,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.HTML
[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL
[2014/07/31 09:49:12 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\DECRYPT_INSTRUCTION.URL
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UhocMimp"=-
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[createrestorepoint]
- Then click the Run Fix button at the top
- Let the program run unhindered
- Please save the resulting log to be posted in your next reply.
- Reboot your computer
Please post the OTL log.
NEXT
Please read through these instructions to familarize yourself with what to expect when this tool runs
Download ComboFix from one of this locations:
Link 1
* IMPORTANT !!! Save ComboFix.exe to your Desktop- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3.CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with - OTL fix log
- Cmbofix log
Any better?