Is my infection of Mandiant Ransomware REALLY dead?


14 replies to this topic

#1 Old Guy in Stanton

  • Members
  • 8 posts

Posted 08 October 2013 - 04:14 PM

Sunday morning I got infected with the Mandiant Ransomware virus. Got it by stupidly clicking a comments link on YouTube of all places! But my computer was NOT totally locked up.

 

My computer: a Dell Latitude laptop, running XP Home Version, with Office 2003. I surf using Firefox, exclusively.

 

I surf the net with a limited authority User account, and have separate Administrator (unlimited) and Guest (also limited) accounts. The virus did NOT activate on boot; it only activated and froze the screen when I accessed my User account. So I was able to go into my Guest account and research the problem.

 

I found many solutions, both written out step-by-step and on YouTube.

 

Most of them involved booting in Safe Mode with Command Prompt and deleting two files under the "Users" directory. I could not find a Users directory. My system has "All Users" instead. I think these fixes were designed for Windows 7 systems.

 

Also, I could NOT find the two suspicious files anywhere (using Administrator with the setting for showing ALL files). They were probably named something else. (???)

 

I also found a piece of software called Hitman.  I downloaded Hitman on my wife's laptop, created a boot thumbdrive, and booted my system from it. The computer started normally. Then I activated my User account, and the virus activated, freezing the screen. The Hitman screen did NOT come up.

 

I got the impression that Hitman is designed to work with systems that do NOT have various accounts.

 

So I said what the hell, copied the few data files I had in my User directories, and deleted the whole freaking User account. I then created a new User account.

 

Voila! No screen freeze.

 

I then updated and ran Security Essentials, Malwarebytes, and Hitman. All came up clean.

 

So, did I get rid of the damned virus, or not?

 

Curious (and fearful) minds want to know.

 

BTW, all of my Office software now has to be reconfigured to the way I like them, and I lost all of my Firefox bookmarks. I did NOT lose my current emails, since I use Webmail to filter all email prior to downloading into Outlook. I did, unfortunately, lose several years of archived Outlook email (AFAIAC not too much of a problem, actually).

 

Best,

 

Old Guy in Stanton (Steve)

 

Here's what happened


Edited by Old Guy in Stanton, 08 October 2013 - 04:15 PM.



#2 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 08 October 2013 - 05:44 PM

Can you post the logs of Malwarebytes and the other tools you used?

#3 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 09 October 2013 - 01:01 PM

> Can you post the logs of Malwarebytes and the other tools you used?

 

I don't find any logs for Security Essentials.

 

Here are the ones for Malwarebytes and Hitman:

 

MALWAREBYTES:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.07.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jjh :: USER2-AFD3EAE2E [administrator]

10/6/2013 8:12:10 PM
mbam-log-2013-10-06 (20-12-10).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 359166
Time elapsed: 55 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)
 

 

AND  

 

2013/10/06 20:11:33 -0700    USER2-AFD3EAE2E    jjh    MESSAGE    Starting database refresh
2013/10/06 20:11:42 -0700    USER2-AFD3EAE2E    jjh    MESSAGE    Database refreshed successfully

 

HITMAN:

 

HitmanPro 3.7.7.205
www.hitmanpro.com

   Computer name . . . . : USER2-AFD3EAE2E
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : USER2-AFD3EAE2E\Guest
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-10-06 12:31:34
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 48s
   Disk access mode  . . : Direct disk access (API)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 160

   Objects scanned . . . : 305,029
   Files scanned . . . . : 4,661
   Remnants scanned  . . : 0 files / 300,368 keys

Miniport ____________________________________________________________________

Failed

Cookies _____________________________________________________________________

   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:ad.auditude.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:ad.yieldmanager.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:ads.nj.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:ads.pubmatic.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:advertising.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:apmebf.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:at.atwola.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:atdmt.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:casalemedia.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:chitika.net
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:collective-media.net
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:doubleclick.net
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:invitemedia.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:kontera.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:media6degrees.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:mediaplex.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:mm.chitika.net
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:revsci.net
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:ru4.com
   C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\k578rwus.default\cookies.sqlite:zedo.com

 AND

 

HitmanPro 3.7.7.205
www.hitmanpro.com

   Computer name . . . . : USER2-AFD3EAE2E
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : USER2-AFD3EAE2E\jjh
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-10-06 21:16:07
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 33s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 840

   Objects scanned . . . : 442,250
   Files scanned . . . . : 21,493
   Remnants scanned  . . : 73,651 files / 347,106 keys

Cookies _____________________________________________________________________

   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:247realmedia.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:a1.interclick.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ad.360yield.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ad.yieldmanager.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:adbrite.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:adinterax.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.jiwire.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.mlive.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.pointroll.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.pubmatic.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.theawl.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ads.undertone.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:adserver.adtechus.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:adtech.de
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:advertising.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:aei.122.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:allbritton.122.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:apmebf.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ar.atwola.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:at.atwola.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:atdmt.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:atwola.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:burstnet.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:c.atdmt.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:c1.atdmt.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:casalemedia.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:collective-media.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:dmtracker.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:doubleclick.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:earthlink.122.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:fastclick.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:fim.122.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:idgenterprise.112.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:interclick.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:invitemedia.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:media6degrees.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:mediaplex.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:msnbc.112.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:mtvn.112.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:network.realmedia.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:overture.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:pointroll.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:premiumtv.122.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:questionmarket.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:realmedia.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:revsci.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:ru4.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:serving-sys.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:specificclick.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:stats.talkingpointsmemo.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:statse.webtrendslive.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:survey.g.doubleclick.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:t.pointroll.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:tacoda.at.atwola.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:trafficmp.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:tribalfusion.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:trinitymirror.112.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:usatoday1.112.2o7.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:www.burstnet.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:www.etracker.de
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:www.googleadservices.com
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:yieldmanager.net
   C:\Documents and Settings\jjh\Application Data\Mozilla\Firefox\Profiles\9j83261x.default\cookies.sqlite:zedo.com
   C:\Documents and Settings\jjh\Cookies\698KQFLG.txt
   C:\Documents and Settings\jjh\Cookies\86E3MBBH.txt
   C:\Documents and Settings\jjh\Cookies\DM42VVR1.txt
   C:\Documents and Settings\jjh\Cookies\J9X8Q58R.txt
   C:\Documents and Settings\jjh\Cookies\KWCHHWW2.txt
   C:\Documents and Settings\jjh\Cookies\NKSD7GPD.txt
   C:\Documents and Settings\jjh\Cookies\V0TEQUIB.txt
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:2o7.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:a1.interclick.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ad.mlnadvertising.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ad.yieldmanager.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ads.p161.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ads.pointroll.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ads.stickyadstv.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:adtechus.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:advertising.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:apmebf.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:at.atwola.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:atdmt.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:burstnet.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:casalemedia.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:collective-media.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:doubleclick.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:earthlink.122.2o7.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:fastclick.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:interclick.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:invitemedia.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:media6degrees.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:mediaplex.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:pointroll.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:pool-eu-ie.creative-serving.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:revsci.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:ru4.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:serving-sys.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:specificclick.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:stats.adotube.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:tacoda.at.atwola.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:track.adform.net
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:tribalfusion.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:www.burstnet.com
   C:\Documents and Settings\NEW STEVE USER ACCT\Application Data\Mozilla\Firefox\Profiles\opa4vobc.default\cookies.sqlite:zedo.com
 

 

Best,

 

OGIS



#4 Ogeron

  • Members
  • 1 posts
  • Gender:Male
  • Location:The RWC

Posted 10 October 2013 - 12:12 PM

If you have doubts, download one of these (I regularly use Kaspersky's, which is a bit slow, F-Secure, and a few others in killing off infected user PCs), boot your PC from it and do a scan.

 

http://www.raymond.cc/blog/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/

 

You can make a bootable USB or CD/DVD, whichever you prefer.

 

Here is a solid freeware ISO file burner that you would use since you have XP.

 

http://www.freeisoburner.com/

 

 

 

 



#5 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 10 October 2013 - 02:52 PM

Your guest account should be off and disabled as that exposes a huge security risk, and what happens when you try logging into your regular account?

Also your administrator level account should only be used within Safe Mode for troubleshooting issues.

Do any of your accounts work in Safe Mode?

#6 dsxtech

  • Members
  • 5 posts
  • Gender:Male

Posted 10 October 2013 - 03:40 PM

If the Mandiant ransomware is anything like most of the FBI ransomware, once you remove the user account that was infected, that should have cleaned off the actual "malware" files.

A clean HitmanPro scan (cookies notwithstanding) would lead me to believe you're OK. If you still have any doubt, an AV boot CD should really be run on the computer in question. (I prefer Kaspersky's version.)
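The claim above rests on the malware having lived only inside the deleted profile. Deleting an account removes its HKCU hive and its profile folder, so anything started from the user's own Run key or Startup folder went with it; the machine-wide autostart locations (HKLM Run and RunOnce, the Winlogon Shell and Userinit values) are not touched by a profile deletion, so that is where a leftover would still be. The script below is an added example, not code posted in the thread: it reads those locations on Windows (via winreg) and flags entries that point into a profile folder that no longer exists, that start from a user-writable location, or that change the stock Winlogon values. It assumes the Windows XP profile layout under C:\Documents and Settings; off Windows it runs over a constructed sample in which the names OldUser, updater.exe and cleanup.exe are invented. The All Users Startup folder is the other machine-wide spot and is left to a manual look.

```python
"""Review machine-wide autostart entries after deleting an infected profile.

Added example (not from the thread). Reads HKLM Run/RunOnce/Winlogon on
Windows; elsewhere uses the constructed sample entries at the bottom.
"""
import os
import re
import sys

PROFILES_ROOT = r"C:\Documents and Settings"  # Windows XP profile layout (assumed)
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock XP values; a lock screen that hijacks the shell shows up as a change here.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}


def exe_path(command):
    """Program part of an autorun command line: a quoted path, or everything
    up to the first '.exe' (unquoted paths with spaces are common here)."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    upto_exe = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    if upto_exe:
        return upto_exe.group(1)
    return command.split()[0] if command else ""


def classify(key, name, command, existing_profiles):
    """Reason to look at this entry, or None. existing_profiles holds the
    lower-cased folder names still present under PROFILES_ROOT."""
    if key == WINLOGON_KEY:
        expected = WINLOGON_DEFAULTS.get(name.lower())
        if expected and command.strip().lower() != expected:
            return f"Winlogon {name} is not the stock value: {command!r}"
        return None
    path = exe_path(command).lower()
    prefix = PROFILES_ROOT.lower() + "\\"
    if not path.startswith(prefix):
        return None
    profile = path[len(prefix):].split("\\", 1)[0]
    if profile not in existing_profiles:
        return f"{name}: points into a profile that no longer exists ({profile!r})"
    if "\\temp\\" in path or "\\application data\\" in path:
        return f"{name}: starts from a user-writable location ({path})"
    return None


def review(entries, existing_profiles):
    """entries: iterable of (key, value name, command). Returns flagged reasons."""
    return [r for r in (classify(k, n, c, existing_profiles) for k, n, c in entries) if r]


def read_machine_autoruns():
    """Windows only: every value under the Run, RunOnce and Winlogon keys of HKLM."""
    import winreg
    entries = []
    for key_path in RUN_KEYS + [WINLOGON_KEY]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:       # no more values
                        break
                    entries.append((key_path, name, str(data)))
                    index += 1
        except OSError:                   # key absent on this system
            pass
    return entries


# Constructed sample (invented names); stands in for the registry off Windows.
SAMPLE_PROFILES = {"administrator", "all users", "default user", "guest", "jjh"}
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[0], "updater",
     r'"C:\Documents and Settings\OldUser\Local Settings\Application Data\updater.exe" /s'),
    (RUN_KEYS[1], "cleanup",
     r"C:\Documents and Settings\All Users\Application Data\tmp\cleanup.exe"),
    (WINLOGON_KEY, "Shell", "Explorer.exe"),
    (WINLOGON_KEY, "Userinit", r"C:\WINDOWS\system32\userinit.exe,"),
]


def main():
    if sys.platform == "win32":
        entries = read_machine_autoruns()
        profiles = {d.lower() for d in os.listdir(PROFILES_ROOT)}
    else:
        entries, profiles = SAMPLE_ENTRIES, SAMPLE_PROFILES
    for reason in review(entries, profiles) or ["nothing flagged"]:
        print(reason)


if __name__ == "__main__":
    main()
```

On the sample, the `updater` entry is flagged because its program lives under a profile folder that is gone (exactly the orphan a profile deletion leaves behind), and `cleanup` because it runs from an Application Data path; the Winlogon values pass. The "user-writable location" rule is a heuristic, so treat its hits as things to inspect rather than delete.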

#7 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 10 October 2013 - 05:48 PM

> If you have doubts, download one of these (I regularly use Kaspersky's, which is a bit slow, F-Secure, and a few others in killing off infected user PCs), boot your PC from it and do a scan.
>
> http://www.raymond.cc/blog/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
>
> You can make a bootable USB or CD/DVD, whichever you prefer.
>
> Here is a solid freeware ISO file burner that you would use since you have XP.
>
> http://www.freeisoburner.com/

 

 

Thanks. I'll look into those.

 



#8 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 10 October 2013 - 05:52 PM

> Your guest account should be off and disabled as that exposes a huge security risk, and what happens when you try logging into your regular account?
>
> Also your administrator level account should only be used within Safe Mode for troubleshooting issues.
>
> Do any of your accounts work in Safe Mode?

 

Yeah, I think I've been thinking about that. I never use it, so I should just delete it.

 

I use Administrator (1) when I am NOT on the Internet, to run anti-virus programs, and (2) to download and install previously checked-out programs (User acct won't let me save).

 

Yes, everything works in Safe Mode.



#9 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 10 October 2013 - 05:53 PM

> If the Mandiant ransomware is anything like most of the FBI ransomware, once you remove the user account that was infected, that should have cleaned off the actual "malware" files.
>
> A clean HitmanPro scan (cookies notwithstanding) would lead me to believe you're OK. If you still have any doubt, an AV boot CD should really be run on the computer in question. (I prefer Kaspersky's version.)

Thanks.



#10 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 10 October 2013 - 10:25 PM

Log in to the user account that you use for everyday things, go to Start, then Run, type in cmd and hit Enter.

 

In the black box type in

 

net user

 

and post the results back.

 

The first user created on all windows XP Machines during install is automatically part of the administrator group and made a power or super user allowing that user to perform most administrative tasks to include installation and removal of software and drivers.



#11 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 11 October 2013 - 10:14 AM

> Log in to the user account that you use for everyday things, go to Start, then Run, type in cmd and hit Enter.
>
> In the black box type in
>
> net user
>
> and post the results back.
>
> The first user created on all windows XP Machines during install is automatically part of the administrator group and made a power or super user allowing that user to perform most administrative tasks to include installation and removal of software and drivers.

 

Correction of previous info: I'm using XP Professional, not Home edition.

 

Here it is. Hmmmm.... who are those other users?

 

"jjh" I know about; it is the guy who helped install my software. Likewise, "Guest" and "Lea's User Account" are OK.

 

"HelpAssistant"? I have no idea.

 

Ditto "SUPPORT_388945a0"

 

[attached screenshot: cmdnetuser_zpsad9da01e.png]


Edited by Old Guy in Stanton, 11 October 2013 - 10:36 AM.


#12 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 11 October 2013 - 07:24 PM

Now for each of those user accounts can you do a net user jjh

 

You will get a listing of what groups they are part of on the very bottom, just post that information with each associated user name.

 

Support and Help Assistant are both system generated, Administrator is the main admin account with full rights to the system, Guest should be disabled, and the others should be power users or regular users depending on their groups. If they are part of the Administrators group they are admins and have near full admin rights of the Administrator and can save and run files from various directories.
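The account check laid out in this post and in #10 (`net user` for the list, then `net user <name>` for each account, reading the group memberships at the bottom), done as a script that applies the rules stated here: any account besides Administrator that sits in Administrators, a Guest account that is enabled, and a built-in support account that is enabled. This is an added example, not code posted in the thread. On Windows it runs the `net` commands itself; on any other system it parses a constructed sample whose account names are the ones mentioned in the thread but whose active flags and groups are assumptions (jjh in Administrators and Guest enabled, as the thread indicates; HelpAssistant and SUPPORT_388945a0 disabled, as XP ships them).

```python
"""Audit local accounts from `net user` output (Windows XP-era format).

Added example (not from the thread). On Windows it runs `net user` and
`net user <name>`; elsewhere it parses the constructed sample below.
"""
import subprocess
import sys

COL_WIDTH = 25  # `net user` lists names in 25-character columns; names may contain spaces
BUILTIN_SUPPORT = {"HelpAssistant", "SUPPORT_388945a0"}  # created by XP, disabled by default


def parse_user_list(text):
    """Account names from `net user` output, sliced by column so that a name
    such as "Lea's User Account" is not split on its spaces."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif in_table and not line.startswith("The command"):
            cells = (line[i:i + COL_WIDTH].strip() for i in range(0, len(line), COL_WIDTH))
            names.extend(c for c in cells if c)
    return names


def _groups(segment):
    """Group names are written as *Name, several per line; '*None' means none."""
    return [g.strip() for g in segment.split("*") if g.strip() and g.strip() != "None"]


def parse_user_detail(text):
    """Active flag and local group list from `net user <name>` output; a long
    group list wraps onto indented continuation lines."""
    active, groups, collecting = None, [], False
    for line in text.splitlines():
        if line.startswith("Account active"):
            active = line[len("Account active"):].strip().lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            groups += _groups(line[len("Local Group Memberships"):])
            collecting = True
        elif collecting and line.startswith(" "):
            groups += _groups(line)
        else:
            collecting = False
    return {"active": active, "groups": groups}


def audit(accounts):
    """accounts: {name: {"active": bool, "groups": [...]}} -> list of findings."""
    findings = []
    for name, info in accounts.items():
        if name != "Administrator" and "Administrators" in info["groups"]:
            findings.append(f"{name}: member of Administrators, so it has full rights")
        if name == "Guest" and info["active"]:
            findings.append("Guest: enabled; disable with `net user Guest /active:no`")
        if name in BUILTIN_SUPPORT and info["active"]:
            findings.append(f"{name}: built-in support account is enabled (expected disabled)")
    return findings


def collect(list_text, detail_for):
    """detail_for(name) returns the `net user <name>` output for that account."""
    return {n: parse_user_detail(detail_for(n)) for n in parse_user_list(list_text)}


def run_net(*args):
    """Windows only. `net` writes in the console code page, hence errors='replace'."""
    return subprocess.run(["net", *args], capture_output=True, text=True,
                          errors="replace", check=True).stdout


# Constructed sample; stands in for the real command output off Windows.
def _row(*names):
    return "".join(n.ljust(COL_WIDTH) for n in names).rstrip()


def _detail(name, active, *groups):
    listed = "".join(("*" + g).ljust(22) for g in groups).rstrip() or "*None"
    return "\n".join([
        f"User name                    {name}",
        f"Account active               {'Yes' if active else 'No'}",
        "Account expires              Never",
        "",
        f"Local Group Memberships      {listed}",
        "Global Group memberships     *None",
        "The command completed successfully.",
    ])


SAMPLE_LIST = "\n".join([
    "User accounts for \\\\USER2-AFD3EAE2E", "", "-" * 79,
    _row("Administrator", "Guest", "HelpAssistant"),
    _row("jjh", "Lea's User Account", "NEW STEVE USER ACCT"),
    _row("SUPPORT_388945a0"),
    "The command completed successfully.",
])
SAMPLE_DETAILS = {
    "Administrator": _detail("Administrator", True, "Administrators"),
    "Guest": _detail("Guest", True, "Guests"),                # enabled, as in the thread
    "HelpAssistant": _detail("HelpAssistant", False, "Users"),
    "jjh": _detail("jjh", True, "Administrators", "Users"),   # admin, as post #14 found
    "Lea's User Account": _detail("Lea's User Account", True, "Users"),
    "NEW STEVE USER ACCT": _detail("NEW STEVE USER ACCT", True, "Users"),
    "SUPPORT_388945a0": _detail("SUPPORT_388945a0", False, "HelpServicesGroup"),
}


def main():
    if sys.platform == "win32":
        accounts = collect(run_net("user"), lambda n: run_net("user", n))
    else:
        accounts = collect(SAMPLE_LIST, SAMPLE_DETAILS.__getitem__)
    for finding in audit(accounts) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Names with spaces are the reason the list parser slices fixed 25-character columns instead of splitting on whitespace, and the reason each name is passed to `net user` as its own argv element (which is what quoting it on the command line achieves). On the sample, the two findings are the Guest account being enabled and jjh being in Administrators.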



#13 Old Guy in Stanton
  • Topic Starter

  • Members
  • 8 posts

Posted 12 October 2013 - 04:58 PM

> Now for each of those user accounts can you do a net user jjh
>
> You will get a listing of what groups they are part of on the very bottom, just post that information with each associated user name.
>
> Support and Help Assistant are both system generated, Administrator is the main admin account with full rights to the system, Guest should be disabled, and the others should be power users or regular users depending on their groups. If they are part of the Administrators group they are admins and have near full admin rights of the Administrator and can save and run files from various directories.

 

 

[attached screenshot: cmdnetuserjjhforLeaUser_zpsaf84776b.png]

 

[attached screenshot: cmdnetuserjjhforSteveUser_zpsc7016097.pn]



#14 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 12 October 2013 - 06:08 PM

As you can clearly see, the jjh account is part of the administrator group so any folder or file that needs administrator rights to be open or accessed the user JJH can.

#15 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 12 October 2013 - 06:18 PM

Please download TDSSKiller exe version to your desktop.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.

Click on Change Parameters and click Detect TDLFS File System.
    Click the Start Scan button.
    Do not use the computer during the scan
    If the scan completes with nothing found, click Close to exit.
    If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
    A TDSSKiller text file will be saved in Local Disk C.
    Copy and paste the contents of that file in your next reply.


AdwCleaner

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Edited by cryptodan, 12 October 2013 - 06:20 PM.




