

Ransomware surviving mbam, spybot, and avg several times


  • This topic is locked
5 replies to this topic

#1 planesdean

planesdean

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 03 July 2013 - 03:58 PM

The computer in question was originally infected with a Department of Justice ransomware. The computer was locked subject to a payment of $300 via MoneyPak.

I was unable to enter through Safe Mode, but was able to get in with Safe Mode with Networking, when I downloaded mbam and ran it.

I was able to get in normally at that point, so I ran mbam again and downloaded AVG Free.

Since then every scan with mbam still comes up with infections and AVG pops up repeatedly with trojan horse threats.

I then ran Malwarebytes again, removed threats, downloaded Spybot, ran it, removed threats, ran AVG, which still found threats, removed them, then on the next restart encountered a windows\system32\command.com parameter incorrect error.

Ctrl+Alt+Del, ended the explore.exe process, opened Spybot and unchecked the Spybot deleting from startup log, and the parameters were fixed.

I am still infected and continue to scan with mbam.

Just now I ran DDS; here are the reports from that. Those are all the logs I have at the moment.

Please help!

Attached Files





#2 planesdean

planesdean
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 03 July 2013 - 04:06 PM

Also on startup I am getting a rundll error.



#3 planesdean

planesdean
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 03 July 2013 - 04:48 PM

I have tried to search for the file C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Program\Startup\ctfmon.lnk

in Safe Mode but cannot find it. The Windows folder inside Microsoft in AppData only contains Themes, with one theme in it.

Manual guides say this is the file I need to delete but I can not find it anywhere!



#4 planesdean

planesdean
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:11 AM

Posted 03 July 2013 - 07:54 PM

I ran Autoruns and tried to delete files I thought were malicious by checking them in the startup database here, but I think I might have deleted a couple of wrong files and now I can't even log in at all; it immediately logs back out no matter what, Safe Mode or not.



:(
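An added read-only check, written here as an example and not taken from the thread or from any of the tools it names (mbam, Spybot, AVG, Autoruns, DDS): it assumes a live Windows session with PowerShell and lists every shortcut in the two Startup folders (the per-user one under AppData\Roaming, where the thread's ctfmon.lnk path sits, and the all-users one), resolving each .lnk to its target, then compares the Winlogon Shell and Userinit registry values with the Windows defaults. A missing or broken Userinit or Shell value is a common cause of a session that logs straight back out for every user, Safe Mode included, so it is worth checking alongside the Startup entries when autostart items have been deleted by hand. The script deletes nothing; the variable names and the `$expected` table are my own, and the default values are the standard Windows ones.

```powershell
# Added example, not part of the thread. Read-only: enumerates Startup
# shortcuts and the Winlogon logon chain, changes nothing.

$shell = New-Object -ComObject WScript.Shell

# Both Startup folders Windows processes at logon. GetFolderPath resolves
# the real per-user path (Programs, not Program, as the thread's path has it).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force so hidden or system-flagged shortcuts are not skipped
    Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
        $item    = $_
        $target  = $null
        $lnkArgs = $null
        if ($item.Extension -ieq '.lnk') {
            try {
                # Resolve the shortcut to the program it actually launches
                $lnk     = $shell.CreateShortcut($item.FullName)
                $target  = $lnk.TargetPath
                $lnkArgs = $lnk.Arguments
            } catch {
                $target = "<unreadable: $($_.Exception.Message)>"
            }
        }
        [pscustomobject]@{
            Folder       = $dir
            Name         = $item.Name
            Hidden       = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Target       = $target
            Arguments    = $lnkArgs
            # A shortcut whose target no longer exists is the usual source of
            # "file not found" style errors at logon after a cleanup
            TargetExists = if ($target -and -not $target.StartsWith('<')) {
                               Test-Path -LiteralPath $target
                           } else { $null }
        }
    }
}

"=== Startup folder entries ==="
$findings | Format-Table -AutoSize

# Logon chain: Winlogon runs Userinit, which runs the Shell. If either value
# is missing or points at a deleted file the session ends right after logon.
"=== Winlogon values (HKLM) ==="
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl    = Get-ItemProperty -Path $wlKey
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is the default
}
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'CHECK' }
    '{0,-8} {1,-5} actual=''{2}'' expected=''{3}''' -f $name, $status, $actual, $expected[$name]
}

# A per-user Shell override (HKCU) takes precedence over the HKLM value
$userShell = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
              -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { "HKCU Shell override present: '$userShell' (CHECK)" }
```

When the machine no longer allows a logon, as in the post above, run the folder part from another system against the mounted disk by substituting the copied Startup paths, and read the Winlogon values after loading the offline SYSTEM and SOFTWARE hives with `reg load`; the comparison against `$expected` is the same either way.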



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 PM

Posted 04 July 2013 - 08:29 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Please download Malwarebytes Anti-Rootkit from here (Malwarebytes: Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 PM

Posted 08 July 2013 - 03:52 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB


