
ransomware


This topic is locked.
17 replies to this topic

#1 jamie k

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 10 July 2013 - 05:44 PM

I have been infected with ransomware. Your help files say to download Hitman Pro and make a bootable USB flash drive, but every time I try it says "#5,lock". What does this mean and what can I do about it? I'm using Windows 7, x32.




#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 10 July 2013 - 07:36 PM

I'll report this topic to appropriate helpers.

Hold on there....


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button.


#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,401 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 July 2013 - 09:13 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using a Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Select Command Prompt.

Once in the Command Prompt:
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 jamie k
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 12 July 2013 - 10:50 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-07-2013 02
Ran by SYSTEM on 12-07-2013 22:38:13
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [173592 2009-09-23] (Intel Corporation)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM\...\Run: [Adobe ARM] - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [BingDesktop] - C:\Program Files\Microsoft\BingDesktop\BingDesktop.exe /fromkey [2249352 2013-06-27] (Microsoft Corp.)
HKLM\...\Run: [TkBellExe] - "c:\program files\real\realplayer\Update\realsched.exe" -osboot [295512 2013-06-18] (RealNetworks, Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$5535a5b626057fb86ada6e305d5e36ee\n. ATTENTION! ====> ZeroAccess
HKU\Computer User\...\Run: [Facebook Update] - "C:\Users\Computer User\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [ 2013-04-24] (Facebook Inc.)
HKU\Computer User\...\Run: [Internet Security] - C:\ProgramData\mwdefender.exe [ 2013-07-08] (Dexpot GbR)
HKU\Computer User\...\Winlogon: [Shell] explorer.exe,C:\Users\Computer User\AppData\Roaming\skype.dat <==== ATTENTION
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-13] (Microsoft Corporation)
Startup: C:\Users\Computer User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 BingDesktopUpdate; C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe [173192 2013-06-27] (Microsoft Corp.)
S2 Macromed; C:\Windows\Macromed.exe [461824 2013-07-08] ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
S3 SophosVirusRemovalTool; C:\Program Files\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [153080 2013-05-17] (Sophos Limited)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

S3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [41752 2008-07-26] (Logitech Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [13848 2008-07-26] (Logitech Inc.)
S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2570520 2008-07-26] (Logitech Inc.)
S1 SCT_SKMScan; C:\Windows\System32\DRIVERS\sct_skmscan.sys [33096 2012-10-12] (Sophos Limited)
S2 adfs; No ImagePath

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-12 22:37 - 2013-07-12 22:37 - 00000000 ____D C:\FRST
2013-07-09 02:48 - 2013-07-09 02:48 - 00145256 _____ C:\Windows\Minidump\070913-33406-01.dmp
2013-07-08 22:39 - 2013-07-08 22:39 - 00145216 _____ C:\Windows\Minidump\070913-38468-01.dmp
2013-07-08 19:42 - 2013-07-08 19:42 - 00000000 __SHD C:\$$PendingFiles
2013-07-08 17:33 - 2013-07-08 17:33 - 00145200 _____ C:\Windows\Minidump\070813-40640-01.dmp
2013-07-08 14:15 - 2013-07-08 14:16 - 00145248 _____ C:\Windows\Minidump\070813-46656-01.dmp
2013-07-08 12:09 - 2013-07-08 12:09 - 00145248 _____ C:\Windows\Minidump\070813-45109-01.dmp
2013-07-08 12:03 - 2013-07-09 03:00 - 00000004 _____ C:\Users\Computer User\AppData\Roaming\skype.ini
2013-07-08 12:03 - 2013-07-09 02:47 - 283708671 _____ C:\Windows\MEMORY.DMP
2013-07-08 12:03 - 2013-07-08 12:03 - 00145248 _____ C:\Windows\Minidump\070813-59203-01.dmp
2013-07-08 03:43 - 2013-07-08 03:43 - 00461824 _____ () C:\Windows\Macromed.exe
2013-07-08 03:41 - 2013-07-08 03:42 - 00196096 _____ C:\opera.exe
2013-07-08 03:41 - 2013-07-08 03:41 - 00856064 _____ (Dexpot GbR) C:\Users\All Users\mwdefender.exe
2013-07-08 03:41 - 2013-07-08 03:41 - 00136192 _____ (Intro-Software Lab.) C:\conhost.exe
2013-07-06 21:06 - 2013-07-06 21:06 - 00003229 _____ C:\Users\Computer User\Desktop\Sophos Virus Removal Tool.lnk
2013-07-06 21:06 - 2013-07-06 21:06 - 00000000 ____D C:\Users\All Users\Sophos
2013-07-06 21:06 - 2013-07-06 21:06 - 00000000 ____D C:\Program Files\Sophos
2013-07-06 20:01 - 2013-07-06 20:01 - 01097665 _____ C:\Users\All Users\2433f433
2013-07-05 20:57 - 2013-07-05 20:57 - 00000000 ____D C:\Windows\Sun
2013-06-30 08:38 - 2013-06-30 08:38 - 00131072 _____ C:\Windows\Minidump\063013-25218-01.dmp
2013-06-30 08:23 - 2013-06-30 08:23 - 00131072 _____ C:\Windows\Minidump\063013-25453-01.dmp
2013-06-27 13:00 - 2013-06-27 13:01 - 00151440 _____ C:\Windows\Minidump\062713-32656-01.dmp
2013-06-27 06:19 - 2013-06-27 06:19 - 07392264 _____ (Acresso Software Inc.) C:\Users\Computer User\Downloads\InstallPirate101.exe
2013-06-18 16:20 - 2013-06-18 16:20 - 00000000 ____D C:\Users\Computer User\AppData\Roaming\RealNetworks
2013-06-18 16:19 - 2013-06-18 16:19 - 00001016 _____ C:\Users\Public\Desktop\RealPlayer.lnk
2013-06-18 16:19 - 2013-06-18 16:19 - 00000000 ____D C:\Users\All Users\RealNetworks
2013-06-18 16:19 - 2013-06-18 16:19 - 00000000 ____D C:\Program Files\RealNetworks
2013-06-18 16:18 - 2013-06-18 16:18 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-06-14 12:42 - 2013-06-14 12:42 - 00145216 _____ C:\Windows\Minidump\061413-28921-01.dmp
2013-06-12 09:19 - 2013-06-08 03:42 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-12 09:19 - 2013-06-08 03:40 - 14327808 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-12 09:19 - 2013-06-08 03:40 - 13760512 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-12 09:19 - 2013-06-08 03:40 - 02046976 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-12 09:19 - 2013-06-08 03:40 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-12 09:19 - 2013-06-08 03:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-12 09:15 - 2013-05-16 17:26 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 09:15 - 2013-05-16 17:25 - 02877440 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 01767936 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00039424 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 09:15 - 2013-05-16 17:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 09:15 - 2013-05-14 00:40 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

==================== One Month Modified Files and Folders =======

2013-07-12 22:37 - 2013-07-12 22:37 - 00000000 ____D C:\FRST
2013-07-12 19:28 - 2013-03-20 13:41 - 00011025 _____ C:\Windows\setupact.log
2013-07-09 03:00 - 2013-07-08 12:03 - 00000004 _____ C:\Users\Computer User\AppData\Roaming\skype.ini
2013-07-09 02:57 - 2012-06-04 10:03 - 01132174 _____ C:\Windows\WindowsUpdate.log
2013-07-09 02:57 - 2009-07-13 20:34 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-09 02:57 - 2009-07-13 20:34 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-09 02:48 - 2013-07-09 02:48 - 00145256 _____ C:\Windows\Minidump\070913-33406-01.dmp
2013-07-09 02:48 - 2013-03-25 15:27 - 00000000 ____D C:\Windows\Minidump
2013-07-09 02:47 - 2013-07-08 12:03 - 283708671 _____ C:\Windows\MEMORY.DMP
2013-07-08 22:39 - 2013-07-08 22:39 - 00145216 _____ C:\Windows\Minidump\070913-38468-01.dmp
2013-07-08 19:42 - 2013-07-08 19:42 - 00000000 __SHD C:\$$PendingFiles
2013-07-08 19:03 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-07-08 17:33 - 2013-07-08 17:33 - 00145200 _____ C:\Windows\Minidump\070813-40640-01.dmp
2013-07-08 14:16 - 2013-07-08 14:15 - 00145248 _____ C:\Windows\Minidump\070813-46656-01.dmp
2013-07-08 12:09 - 2013-07-08 12:09 - 00145248 _____ C:\Windows\Minidump\070813-45109-01.dmp
2013-07-08 12:03 - 2013-07-08 12:03 - 00145248 _____ C:\Windows\Minidump\070813-59203-01.dmp
2013-07-08 03:43 - 2013-07-08 03:43 - 00461824 _____ () C:\Windows\Macromed.exe
2013-07-08 03:42 - 2013-07-08 03:41 - 00196096 _____ C:\opera.exe
2013-07-08 03:41 - 2013-07-08 03:41 - 00856064 _____ (Dexpot GbR) C:\Users\All Users\mwdefender.exe
2013-07-08 03:41 - 2013-07-08 03:41 - 00136192 _____ (Intro-Software Lab.) C:\conhost.exe
2013-07-06 23:04 - 2013-02-25 09:52 - 00000000 ____D C:\Users\All Users\FEE1B7AB9EBBCBFB0000FEE0B8D2D3E9
2013-07-06 21:06 - 2013-07-06 21:06 - 00003229 _____ C:\Users\Computer User\Desktop\Sophos Virus Removal Tool.lnk
2013-07-06 21:06 - 2013-07-06 21:06 - 00000000 ____D C:\Users\All Users\Sophos
2013-07-06 21:06 - 2013-07-06 21:06 - 00000000 ____D C:\Program Files\Sophos
2013-07-06 21:06 - 2012-05-30 19:02 - 00726316 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-06 21:00 - 2012-05-31 10:02 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-07-06 21:00 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-06 21:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-07-06 21:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-07-06 21:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-07-06 21:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-07-06 20:59 - 2013-03-29 20:06 - 00000000 ____D C:\Users\All Users\Real
2013-07-06 20:01 - 2013-07-06 20:01 - 01097665 _____ C:\Users\All Users\2433f433
2013-07-05 20:57 - 2013-07-05 20:57 - 00000000 ____D C:\Windows\Sun
2013-06-30 08:38 - 2013-06-30 08:38 - 00131072 _____ C:\Windows\Minidump\063013-25218-01.dmp
2013-06-30 08:23 - 2013-06-30 08:23 - 00131072 _____ C:\Windows\Minidump\063013-25453-01.dmp
2013-06-27 13:01 - 2013-06-27 13:00 - 00151440 _____ C:\Windows\Minidump\062713-32656-01.dmp
2013-06-27 06:19 - 2013-06-27 06:19 - 07392264 _____ (Acresso Software Inc.) C:\Users\Computer User\Downloads\InstallPirate101.exe
2013-06-20 10:59 - 2013-03-25 15:37 - 00002136 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-06-18 16:20 - 2013-06-18 16:20 - 00000000 ____D C:\Users\Computer User\AppData\Roaming\RealNetworks
2013-06-18 16:19 - 2013-06-18 16:19 - 00001016 _____ C:\Users\Public\Desktop\RealPlayer.lnk
2013-06-18 16:19 - 2013-06-18 16:19 - 00000000 ____D C:\Users\All Users\RealNetworks
2013-06-18 16:19 - 2013-06-18 16:19 - 00000000 ____D C:\Program Files\RealNetworks
2013-06-18 16:18 - 2013-06-18 16:18 - 00000000 ____D C:\Program Files\Common Files\xing shared
2013-06-18 16:18 - 2013-03-29 20:08 - 00201872 _____ (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
2013-06-18 16:17 - 2013-03-29 20:08 - 00006656 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
2013-06-18 16:17 - 2013-03-29 20:08 - 00005632 _____ (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
2013-06-18 16:17 - 2013-03-29 20:07 - 00272896 _____ (Progressive Networks) C:\Windows\System32\pncrt.dll
2013-06-18 16:16 - 2003-10-17 10:44 - 00499712 _____ (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
2013-06-18 16:16 - 2003-10-17 10:44 - 00348160 _____ (Microsoft Corporation) C:\Windows\System32\msvcr71.dll
2013-06-14 12:42 - 2013-06-14 12:42 - 00145216 _____ C:\Windows\Minidump\061413-28921-01.dmp
2013-06-13 12:59 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-06-12 10:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-06-12 09:16 - 2012-05-30 19:30 - 73381792 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
C:\Users\All Users\mwdefender.exe
C:\Users\Computer User\AppData\Roaming\skype.dat
C:\Users\Computer User\AppData\Roaming\skype.ini
C:\Users\Computer User\Application Data\skype.dat
C:\Users\Computer User\Application Data\skype.ini

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-01 06:55:26
Restore point made on: 2013-07-06 21:05:53
Restore point made on: 2013-07-06 21:22:26
Restore point made on: 2013-07-07 20:28:47
Restore point made on: 2013-07-07 21:24:39

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 2038.05 MB
Available physical RAM: 1637.37 MB
Total Pagefile: 2038.05 MB
Available Pagefile: 1641.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1921.21 MB

==================== Drives ================================

Drive c: (JAMIE K) (Fixed) (Total:37.15 GB) (Free:5.51 GB) NTFS
Drive e: (Repair disc Windows 7 Profession) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
Drive f: (JKM'S (BLUE) (Removable) (Total:7.44 GB) (Free:7.42 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 37 GB) (Disk ID: 680CDB46)
Partition 1: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=37 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-07-04 08:21

==================== End Of Log ============================



#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,401 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 July 2013 - 01:13 PM

Download the attached file, fixlist.txt.

Save it next to FRST.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply, or rename it, as it will be overwritten by the following process.

Attempt to boot in Normal Mode.

If successful, first post the Fixlog.txt above in your reply, or rename it.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file fixlist.txt.
  • Change the Save as Type to All Files,
  • and save it next to FRST, overwriting the existing one.
  • Run FRST in Normal Mode and click once again on the Fix button and wait.
  • The tool will make another log on the flash drive (Fixlog.txt); please post it in your next reply.

Start
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
End

Let me know of any problems arising from these instructions.


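The FRST log in post #4 and the fixlist in post #5 together show what a ZeroAccess cleanup has to find: a Winlogon Shell value that loads a second binary beside explorer.exe, a system CLSID whose InprocServer32 has been pointed into $Recycle.Bin, an autostart dropped loose in ProgramData, a nameless service binary sitting directly in C:\Windows, a service with no ImagePath at all, system-sounding executables (conhost.exe, opera.exe) in the drive root, reparse points planted over the Windows Defender and Microsoft Security Client folders, and an infected MBR. The script below is an added example, not part of FRST or of the thread: it runs those checks as regular-expression heuristics over a handful of lines constructed from the posted log (not read from disk), and emits the Start/End fixlist stanza for the flagged junction directories in the same shape the helper posted. The category names and the regexes are my own; FRST's real log format may vary between versions.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) log for the ZeroAccess persistence
tricks visible in the thread's log, and build the fixlist stanza that removes the
reparse points FRST flagged. Added example; not FRST's own code."""
import re

# Constructed sample: lines copied in shape from the posted FRST.txt, so the
# example runs offline. The hkcmd, NisSrv and InstallPirate101 lines are benign
# controls that the checks must NOT flag.
SAMPLE_LOG = r"""
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [173592 2009-09-23] (Intel Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$5535a5b626057fb86ada6e305d5e36ee\n. ATTENTION! ====> ZeroAccess
HKU\Computer User\...\Run: [Internet Security] - C:\ProgramData\mwdefender.exe [ 2013-07-08] (Dexpot GbR)
HKU\Computer User\...\Winlogon: [Shell] explorer.exe,C:\Users\Computer User\AppData\Roaming\skype.dat <==== ATTENTION
S2 Macromed; C:\Windows\Macromed.exe [461824 2013-07-08] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S2 adfs; No ImagePath
2013-07-08 03:41 - 2013-07-08 03:41 - 00136192 _____ (Intro-Software Lab.) C:\conhost.exe
2013-06-27 06:19 - 2013-06-27 06:19 - 07392264 _____ (Acresso Software Inc.) C:\Users\Computer User\Downloads\InstallPirate101.exe
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 37 GB) (Disk ID: 680CDB46)
"""

RE_SHELL = re.compile(r"Winlogon: \[Shell\] (.+?)(?: <====.*)?$")
RE_INPROC = re.compile(r"InprocServer32: \[[^\]]*\] (\S+)")
RE_RUN = re.compile(r'\\Run: \[[^\]]+\] - "?([A-Za-z]:\\[^"\[]+?\.exe)"?', re.I)
RE_SVC = re.compile(r"^S\d (.+?); (.+?) \[[^\]]*\] \((.*)\)$")
RE_SVC_NOIMG = re.compile(r"^S\d (.+?); No ImagePath$")
RE_ROOTEXE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - .* ([A-Za-z]:\\[^\\]+\.exe)$", re.I)
RE_JUNCTION = re.compile(r"Use DeleteJunctionsIndirectory: (.+)$")
# a file directly inside ProgramData or a user's AppData\Roaming|Local
RE_USERDATA_ROOT = re.compile(r"[A-Za-z]:\\(ProgramData|Users\\[^\\]+\\AppData\\(Roaming|Local))\\[^\\]+", re.I)
RE_WINROOT_EXE = re.compile(r"[A-Za-z]:\\Windows\\[^\\]+\.exe", re.I)


def triage(log_text):
    """Return (category, detail) findings; one category per persistence trick."""
    findings = []
    for line in log_text.splitlines():
        s = line.strip()
        if not s:
            continue
        m = RE_SHELL.search(s)
        if m and m.group(1).strip().lower() != "explorer.exe":
            # Winlogon Shell loads an extra binary next to explorer.exe at logon
            findings.append(("winlogon_shell_hijack", m.group(1).strip()))
        m = RE_INPROC.search(s)
        if m and "$recycle.bin" in m.group(1).lower():
            # COM server for a system CLSID redirected into the Recycle Bin
            findings.append(("com_inproc_hijack", m.group(1)))
        m = RE_RUN.search(s)
        if m and RE_USERDATA_ROOT.fullmatch(m.group(1)):
            # autostart binary dropped loose in ProgramData / AppData
            findings.append(("run_key_userdata_root", m.group(1)))
        m = RE_SVC_NOIMG.match(s)
        if m:
            findings.append(("service_no_imagepath", m.group(1)))
        m = RE_SVC.match(s)
        if m and m.group(3) == "" and RE_WINROOT_EXE.fullmatch(m.group(2)):
            # service binary with no company name directly in C:\Windows
            findings.append(("service_no_publisher_windows_root", m.group(2)))
        m = RE_ROOTEXE.match(s)
        if m:
            # executables (often with system-like names) dropped in the drive root
            findings.append(("exe_in_drive_root", m.group(1)))
        m = RE_JUNCTION.search(s)
        if m:
            # FRST's own reparse-point verdict on an AV directory
            findings.append(("reparse_point_in_av_dir", m.group(1)))
        if "MBR IS INFECTED" in s:
            findings.append(("mbr_infected", s))
    return findings


def build_fixlist(findings):
    """FRST fixlist text (Start/End stanza) removing every flagged AV junction."""
    dirs = []
    for cat, detail in findings:
        if cat == "reparse_point_in_av_dir" and detail not in dirs:
            dirs.append(detail)
    return "\n".join(["Start"] + ["DeleteJunctionsIndirectory: " + d for d in dirs] + ["End"])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for cat, detail in hits:
        print(f"{cat:36} {detail}")
    print(build_fixlist(hits))
```

Run it as-is and it prints the nine findings from the sample and the two-line fixlist stanza. The heuristics deliberately stay narrow (exact `explorer.exe`, `$Recycle.Bin`, drive root, empty publisher in `C:\Windows`) so that the benign control lines stay quiet; widening them to, say, any unsigned service is where false positives start.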


#6 jamie k
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 13 July 2013 - 01:23 PM

Before I go forward, it would seem I now have a Blaster worm virus...



#7 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,401 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 July 2013 - 01:36 PM

We will take care of it. There are a few issues in the computer.




#8 jamie k
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 13 July 2013 - 03:37 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-07-2013 02
Ran by SYSTEM at 2013-07-13 14:54:08 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\Computer User\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
HKU\Computer User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin => Value deleted successfully.
HKU\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin => Value not found.
C:\Users\Computer User\AppData\Roaming\skype.ini => Moved successfully.
C:\Users\All Users\mwdefender.exe => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
"C:\Users\All Users\mwdefender.exe" => File/Directory not found.
C:\Users\Computer User\AppData\Roaming\skype.dat => Moved successfully.
"C:\Users\Computer User\AppData\Roaming\skype.ini" => File/Directory not found.
"C:\Users\Computer User\Application Data\skype.dat" => File/Directory not found.
"C:\Users\Computer User\Application Data\skype.ini" => File/Directory not found.

========= Bootrec /fixmbr =========

The operation completed successfully.

========= End of CMD: =========


=========== Control: ===========

The operation completed successfully.

==== End of Control: ====

==== End of Fixlog ====

#9 jamie k
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 13 July 2013 - 03:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-07-2013 02
Ran by Computer User at 2013-07-13 15:27:24 Run:2
Running from E:\
Boot Mode: Normal

==============================================

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MSESysprep.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseoobe.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseooberes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SqmApi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.


The system needs a manual reboot.

==== End of Fixlog ====
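The Fixlog above shows the mechanism behind FRST's "DeleteJunctionsIndirectory" fix: every file and folder under the Windows Defender and Microsoft Security Client directories had been turned into a reparse point, so the real AV binaries could not be opened or started. The script below is an added example, not FRST's code: it walks a directory without following links and lists every entry that carries a reparse point, which is the check you would run before and after such a fix. On Windows it reads the FILE_ATTRIBUTE_REPARSE_POINT bit that Python exposes through os.lstat (junctions and symlinks alike); on other systems it falls back to plain symlinks, an assumption made only so the example runs anywhere. The sample tree it builds is a constructed stand-in for the real folder, not the actual Defender files.

```python
"""List reparse points (junctions / symlinks) under a directory. ZeroAccess turned
every file in the Windows Defender and Microsoft Security Client folders into one,
which is what the Fixlog undoes. Added example; not FRST's own code."""
import os
import stat
import tempfile

# Windows reparse-point attribute bit; the stat module exposes it on Windows only
FILE_ATTRIBUTE_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path):
    """True if the entry itself (not its target) carries a reparse point."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
    # Assumption: off Windows there are no junctions, so fall back to symlinks,
    # the closest equivalent, so that the example still runs.
    return stat.S_ISLNK(st.st_mode)


def find_reparse_points(root):
    """Walk root without following links and return every reparse point found."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                hits.append(full)
        # never descend into a junction: its target could be anywhere on disk
        dirnames[:] = [d for d in dirnames if not is_reparse_point(os.path.join(dirpath, d))]
    return sorted(hits)


def reparse_point_names(root):
    """Basenames of the reparse points under root, for quick comparison."""
    return [os.path.basename(h) for h in find_reparse_points(root)]


def build_sample_tree():
    """Constructed stand-in for C:\\Program Files\\Windows Defender: one real file,
    one real folder, plus a file and a folder that are links (reparse points)."""
    root = tempfile.mkdtemp(prefix="defender_")
    real_exe = os.path.join(root, "MpCmdRun.exe")
    with open(real_exe, "wb") as fh:
        fh.write(b"MZ")  # constructed placeholder, not a real binary
    os.mkdir(os.path.join(root, "en-US"))
    os.symlink(real_exe, os.path.join(root, "MpSvc.dll"))                  # file link
    os.symlink(os.path.join(root, "en-US"), os.path.join(root, "Backup"))  # dir link
    return root


if __name__ == "__main__":
    for hit in find_reparse_points(build_sample_tree()):
        print("reparse point:", hit)
```

On a real machine point find_reparse_points at the AV directory; a clean install should return an empty list, and a result that lists every file in the folder is the pattern seen in this thread. The script only reports; the built-in `fsutil reparsepoint query <file>` confirms an individual entry, and removal is what FRST's fix (or `fsutil reparsepoint delete`) does.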

#10 jamie k
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:nebraska

Posted 13 July 2013 - 03:52 PM

I've never posted anything before, so I hope this is all correct. Everything seems to be working. All I can say is thank you a million times over. I could never afford to have it fixed at a shop; you were my only hope. You also gave great instructions. I have never even pasted before. Once again, thank you. Maybe later I can do more to help. Forever grateful.

#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,401 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 July 2013 - 07:16 PM

Lets make sure all is gone.

 

thisisujrt.gif  Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

AdwCleaner.GIF

Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please post it in your next reply.

 

bf_new.gif Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 jamie k

jamie k
  • Topic Starter

  • Members

Posted 19 July 2013 - 12:14 AM

Sorry the reply took so long; I was on vacation. Here are the logs you asked for.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.1.6 (07.17.2013:4)
OS: Windows 7 Professional x86
Ran by Computer User on Thu 07/18/2013 at 23:05:34.69
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\interface\{79fb5fc8-44b9-4af5-badd-cce547f953e5}
Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"
Successfully deleted: [Registry Key] "hkey_local_machine\software\pip"



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\big fish games"
Successfully deleted: [Folder] "C:\Users\Computer User\AppData\Roaming\iwin"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/18/2013 at 23:07:07.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#13 jamie k

jamie k
  • Topic Starter

  • Members

Posted 19 July 2013 - 12:15 AM

# AdwCleaner v2.305 - Logfile created 07/18/2013 at 23:14:38
# Updated 11/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Computer User - M255SSD1
# Boot Mode : Normal
# Running from : E:\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [504 octets] - [18/07/2013 23:14:38]

########## EOF - C:\AdwCleaner[S1].txt - [563 octets] ##########



#14 jamie k

jamie k
  • Topic Starter

  • Members

Posted 19 July 2013 - 12:17 AM

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.19.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16635
Computer User :: M255SSD1 [administrator]

Protection: Enabled

7/18/2013 11:31:24 PM
mbam-log-2013-07-18 (23-31-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198861
Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\conhost.exe (Trojan.Ransom.LS) -> Quarantined and deleted successfully.
C:\Windows\Temp\~mkf3197294695774654337.tmp (Trojan.Ransom.LS) -> Quarantined and deleted successfully.
C:\Windows\Temp\oxmekubcccbutbrsq.dll (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\ProgramData\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)



2013/07/18 23:29:51 -0500 M255SSD1 Computer User MESSAGE Executing scheduled update:  Daily
2013/07/18 23:29:56 -0500 M255SSD1 Computer User MESSAGE Starting protection
2013/07/18 23:29:56 -0500 M255SSD1 Computer User MESSAGE Protection started successfully
2013/07/18 23:29:56 -0500 M255SSD1 Computer User MESSAGE Starting IP protection
2013/07/18 23:30:17 -0500 M255SSD1 Computer User MESSAGE IP Protection started successfully
2013/07/18 23:30:23 -0500 M255SSD1 Computer User MESSAGE Starting database refresh
2013/07/18 23:30:23 -0500 M255SSD1 Computer User MESSAGE Stopping IP protection
2013/07/18 23:30:28 -0500 M255SSD1 Computer User MESSAGE IP Protection stopped successfully
2013/07/18 23:30:29 -0500 M255SSD1 Computer User MESSAGE Scheduled update executed successfully:  database updated from version v2013.04.04.07 to version v2013.07.19.02
2013/07/18 23:30:32 -0500 M255SSD1 Computer User MESSAGE Database refreshed successfully
2013/07/18 23:30:32 -0500 M255SSD1 Computer User MESSAGE Starting IP protection
2013/07/18 23:30:34 -0500 M255SSD1 Computer User MESSAGE IP Protection started successfully
2013/07/18 23:44:40 -0500 M255SSD1 Computer User MESSAGE Starting protection
2013/07/18 23:44:40 -0500 M255SSD1 Computer User MESSAGE Protection started successfully
2013/07/18 23:44:40 -0500 M255SSD1 Computer User MESSAGE Starting IP protection
2013/07/18 23:44:43 -0500 M255SSD1 Computer User MESSAGE IP Protection started successfully
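As an added triage example (not from this thread, and not Malwarebytes' own code), here is a small Python parser for the detection section of the Malwarebytes log above. It pulls out each detected path with its classification and the action taken, cross-checks each "... Detected: N" count against the items actually listed under it, and flags any detection whose file name is a Windows system binary sitting outside its normal directory, which is exactly what C:\conhost.exe is here (the genuine conhost.exe lives in C:\Windows\System32). The `SYSTEM_BINARIES` list, the function names and the embedded log excerpt are constructed for the example; the five detections in the excerpt are the ones posted above.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: an excerpt in the layout of the Malwarebytes log posted
# in this thread (the five "Files Detected" entries are the ones from the post).
SAMPLE_LOG = r"""Scan type: Quick scan
Objects scanned: 198861

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 5
C:\conhost.exe (Trojan.Ransom.LS) -> Quarantined and deleted successfully.
C:\Windows\Temp\~mkf3197294695774654337.tmp (Trojan.Ransom.LS) -> Quarantined and deleted successfully.
C:\Windows\Temp\oxmekubcccbutbrsq.dll (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\ProgramData\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.

(end)
"""


class Detection(NamedTuple):
    section: str   # e.g. "Files Detected"
    path: str      # object the scanner reported
    family: str    # e.g. "Trojan.Ransom.LS"
    action: str    # e.g. "Quarantined and deleted successfully."


# "Files Detected: 5" style section headers and the items beneath them
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Detected): (?P<count>\d+)\s*$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Assumption for the example: binaries that, on Windows 7, normally reside in
# System32 (or SysWOW64 on 64-bit). A copy with one of these names elsewhere,
# such as C:\conhost.exe in the log above, deserves a closer look.
SYSTEM_BINARIES = {"conhost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "winlogon.exe"}
EXPECTED_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (declared counts per section, parsed detection items)."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            counts[section] = int(m.group("count"))
            continue
        # Skip preamble, blank lines and "(No malicious items detected)" / "(end)"
        if section is None or not line or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("path"),
                                        m.group("family"), m.group("action")))
    return counts, detections


def count_mismatches(counts: Dict[str, int],
                     detections: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the items listed: {section: (declared, listed)}."""
    listed: Dict[str, int] = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if listed.get(s, 0) != n}


def flag_misplaced_system_names(detections: List[Detection]) -> List[str]:
    """Paths whose file name is a system binary name but whose directory is not System32/SysWOW64."""
    flagged = []
    for d in detections:
        parent, _, name = d.path.rpartition("\\")
        if name.lower() in SYSTEM_BINARIES and not parent.lower().endswith(EXPECTED_DIRS):
            flagged.append(d.path)
    return flagged


def paths_by_family_prefix(detections: List[Detection], prefix: str) -> List[str]:
    """Paths whose classification starts with the given prefix, e.g. 'Trojan.Ransom'."""
    return [d.path for d in detections if d.family.startswith(prefix)]


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("declared counts:", counts)
    print("count mismatches:", count_mismatches(counts, dets))
    print("ransomware-family items:", paths_by_family_prefix(dets, "Trojan.Ransom"))
    print("system-binary names outside System32:", flag_misplaced_system_names(dets))
```

The count cross-check matters when a log is pasted by hand, as in this thread: a truncated paste drops items, and the declared count is the only evidence that something is missing. The misplaced-name check is deliberately narrow (name plus parent directory only), so it is a prompt to look, not a verdict.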
 



#15 jamie k

jamie k
  • Topic Starter

  • Members

Posted 19 July 2013 - 12:20 AM

I believe I covered everything; let me know, and thank you again.





