
Ransomeware blocks safe mode blocks Hitman kick start


66 replies to this topic

#1 Wachman48

  • Members
  • 33 posts

Posted 08 May 2014 - 09:37 AM

Ransomware has everything blocked from the "normal" removal process. This one happens to be Department Of Justice MoneyPak, on XP Pro 32-bit.

I have attempted so far:

HitmanPro KickStart from USB, but it is blocked as well; attempted from CD, no go.

Kaspersky Rescue Disk 10.0 boots up, can update and scan; found Java exploit virus x4, however DOJ returns on reboot.

Ran through the terminal in Kaspersky Rescue the WindowsUnlocker step. DOJ returns on reboot.

Maybe good news is that Kaspersky can browse files and registry, but I have not made any changes as of yet.

Attempted to run Norton Bootable Recovery; after "press any key to boot from CD" is hit, black screen and no activity at all.

Not sure of next step....

Any help is greatly appreciated




#2 Aaflac

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 12 May 2014 - 09:10 PM

Wachman48, welcome to the BC Forums!!

Please run the Kaspersky WindowsUnlocker tool and then follow up by running the Kaspersky Rescue Disk scan.

Using the following link:
http://support.kaspersky.com/us/viruses/disinfection/8005#block4

Follow Step #2 to boot the computer from the Kaspersky Rescue Disk with Kaspersky WindowsUnlocker.

Next, use...
Step #3 with the following command: Unblock Windows
Step #4 to scan computer using Kaspersky Rescue Disk
Step #6 to obtain a report of Kaspersky WindowsUnlocker

Note that the Kaspersky WindowsUnlocker utility is designed to disinfect Registry entries of the operating systems, and disinfect user Registry trees.
Kaspersky WindowsUnlocker does not perform any actions with files!

In order to disinfect the files, use the Kaspersky Rescue Disk Graphic Mode, and load the graphic subsystem.

If there is an option to obtain a report, please do so. If not, please take note of the Detected Malicious Software, and provide it in your reply.

If you have any questions, do not hesitate to ask.

When done, please provide feedback as to whether the computer boots normally.


Edited by Aaflac, 13 May 2014 - 05:14 PM.
Typo

Old duck...


#3 Wachman48


Posted 13 May 2014 - 08:25 AM

Thank You for the reply!

Here are the files after running as described.

PC currently still boots to DOJ in full control.

Attached File  WUnlocker.1.2.2_06.01.2002_20.54.16_log.txt   1.42KB   5 downloads

Attached File  ScanObject.txt   8.21KB   8 downloads



#4 Aaflac


Posted 13 May 2014 - 02:16 PM

Thanks for the info.

The scan appears to be 5 days old, and WindowsUnlocker did not specify any file to unlock.

Let's try the following...

Please use Kaspersky again, and look for its File Manager. It will allow you to browse partitions. Find the partition with the Windows folder and see if you can find the following files:

Department of Justice ransomware files:
C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
C:\Documents and Settings\<Current User>\Templates\syssecurity.exe

Also, see if you can find the following Registry entries using Kaspersky Registry Editor:
Info > http://support.kaspersky.com/8110

Department of Justice ransomware Registry information:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MigAutoPlay" = C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DisplaySwitch" = C:\Documents and Settings\<Current User>\Templates\syssecurity.exe

If you find the Registry entries or files, please remove.

If no luck, see if you can create a DrWeb Live CD:
http://download.geo.drweb.com/pub/drweb/livecd/drweb-livecd-602.iso

Instructions on How it works:
http://www.freedrweb.com/livecd/how_it_works/

It's an image file (.iso), so you need to use software such as ImgBurn in order to create the CD.
Additional info: How to write an image file to a disc using ImgBurn

Edited by Aaflac, 13 May 2014 - 03:22 PM.

Old duck...


#5 Wachman48


Posted 13 May 2014 - 07:00 PM

Done,

Using File Manager I found no files as listed, in registry or user accounts.

Have made a Dr.Web Live CD, booted it up and am in a current scan. Will post the log.

Should I fix anything if it finds something, or wait?



#6 Aaflac


Posted 13 May 2014 - 07:55 PM

Would probably be best to see what is sent to the DrWeb Quarantine, and then decide on what action to apply to the items identified.

We just want to break the ransomware and get the computer to boot to XP, and from there we can remove whatever we need to.


Old duck...


#7 Wachman48


Posted 14 May 2014 - 01:07 AM

Finished scan.

Attached is the log of what was moved to quarantine.

These were noted by the scanner as a threat, but in order to get them to quarantine, this was done by me, not by the program.

Attempted normal XP boot, resulting in same DOJ in control.

Dr.Web did find 712 files that it was unable to scan, mostly residing in archive files. Could not find where the log is to attach the file.

I did not touch those, although they did have some odd entries like doubleclick and clicker????

Attached Files



#8 Aaflac


Posted 14 May 2014 - 10:27 AM

Since you have worked with the Kaspersky RescueCD scan, WindowsUnlocker, and DrWeb, let's give HitmanPro KickStart another try.

[You may want to print these instructions, so they are available to follow.]

I am assuming it was correctly installed to USB...

With the ransomed computer shut down, plug the USB flash drive into a USB port, and turn on the power.

When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2.)

From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: How to Remove Ransomware - Select Real Security

Once you select the USB flash drive to boot from, press: Enter

A Kickstart prompt with USB boot options appears.
Select: 2 (Regular Boot Record)

The system continues to boot from the hard drive and starts Windows.

If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

When Windows boots, you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.

In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.

To start scanning for malware press: Next

If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:

hitmanpro-scan-results.jpg

Select Next to quarantine the malware into a secure storage where it can no longer start.

At the next screen, activate the 30-day free license:

hitmanpro-activation.jpg

After successful activation (30 days), press: Next

A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next

To obtain a report of the scan results, press: Save log
>>Save the Notepad log to the Desktop<<
It has a name such as: HitmanPro_xxxxxxxx_xxxx

Remove the USB drive, and press: Reboot
If no malware is found, press: Close

After HitmanPro.Kickstart is done, you should be back into normal Windows.

Please post the HitmanPro log in your reply. <<Important!

If no luck, do you have a Windows XP installation CD for your computer?
We will need it to proceed to another option.


Old duck...


#9 Wachman48


Posted 14 May 2014 - 01:47 PM

Thanks for your help so far!

Reformatted USB drive and reinstalled HitmanPro KickStart.

This Hitman boots to (see attached file):

System Boot Block

Same issue that I had before.

Have XP disk ready.

Attached Files



#10 Aaflac


Posted 14 May 2014 - 05:13 PM

Since you have the XP installation CD, let's build a bootable CD using the Ultimate Boot CD for Windows (UBCD4WIN), and run a tool to hopefully fix some things, and get us into Windows.

(You may want to print this for easier reference, and also read it, so you have an idea of the process.)

Need the following:
1. clean computer with a CD Burner
2. Windows XP CD
3. blank CD
4. USB pen drive

Please follow the steps below. If you are unable to create the UBCD4WIN, please provide any error messages, and/or what step you cannot follow.

Phase I - Creating the ISO file

1. Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop

  • Double-click on the UBCD4Win.exe file downloaded to the Desktop.
  • Follow all of its instructions/prompts

Note: Do not install to a folder with spaces in its name. It is best to use the default name C:\UBCD4Win

Note: Your Anti-Virus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.

Read here for information regarding the files that normally trigger AV software.

  • At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete
  • Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

  • Open My Computer, and navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Select No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: Leave the default file name and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it, make sure it is a folder without spaces in the name.

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.

Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the Build button.

  • When you see the Windows EULA message, click on I Agree
  • At the Build Screen, let it run its course.
  • When the Build is finished, click close, then exit.

4. Burn your ISO file to CD

Phase II - Downloading Farbar's Recovery Scan Tool (FRST)

From the clean computer, download Farbar Recovery Scan Tool and save it to the USB pen drive.

Note: You need the 32-bit version to run with UBCD4Win

Now, plug the USB pen drive back into the ransomed computer and move on to the next step.

Phase III - Booting to the UBCD4Win CD

Restart the ransomed computer using the UBCD4Win disc created.

  • Insert the UBCD4Win disc into a CD/DVD drive
  • Restart the computer. It should boot from the UBCD4Win CD automatically
  • If it doesn't, and you are asked if you want to boot from CD, then select that option

Note: Information on booting from CD > here

  • In the window that appears select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take longer for the Desktop to appear than it does when you start the computer normally, but just let the process run itself until the Desktop appears
  • Once the Desktop appears, a message appears asking: Do you want to start Network support?, click Yes
  • You should now have a Desktop that looks like this:

Main.jpg

Phase IV - Running the FRST scan

  • Single-click My Computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer

Note: If prompted to download the latest version, please do so from the link in Phase II

  • Click on the Scan button
  • When done scanning, the tool makes a log, FRST.txt on the pen drive. You can now close the pen drive, and safely remove it.
  • Insert the USB pen drive into your clean computer, and post the FRST.txt in your reply

Edited by Aaflac, 14 May 2014 - 05:27 PM.

Old duck...


#11 Wachman48


Posted 14 May 2014 - 05:51 PM

Here is the Log

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:14-05-2014
Ran by SYSTEM on BARTPE-27251 on 14-05-2014 18:38:38
Running from D:\
Platform: Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Smapp] => C:\Program Files\Analog Devices\SoundMAX\Smtray.exe [90112 2002-06-26] (Analog Devices, Inc.)
HKLM\...\Run: [IMONTRAY] => C:\Program Files\Intel\Intel® Active Monitor\imontray.exe [32768 2002-09-19] ()
HKLM\...\Run: [NeroCheck] => C:\WINDOWS\System32\\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [HP Component Manager] => C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [241664 2004-05-12] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [vProt] => C:\Program Files\AVG SafeGuard toolbar\vprot.exe [2557976 2014-04-27] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [InboxToolbar] => "C:\Program Files\Inbox Toolbar\Inbox.exe" /STARTUP
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxsrvc.dll (Intel Corporation)
HKU\Administrator\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-10-01] (Google Inc.)
HKU\Administrator\...\Run: [DriverUpdate] => "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot
Lsa: [Authentication Packages] msv1_0 nwprovau

========================== Services (Whitelisted) =================
S2 imonNT; C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe [102400 2002-09-19] (Intel Corp.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 NWCWorkstation; C:\Windows\System32\nwwks.dll [65536 2008-04-14] (Microsoft Corporation)
S2 SoundMAX Agent Service (default); C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [45056 2002-07-15] (Analog Devices, Inc.)
S2 vToolbarUpdater18.1.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe [1801240 2014-04-27] (AVG Secure Search)
S2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [X]

==================== Drivers (Whitelisted) ====================
S1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [42272 2014-04-27] (AVG Technologies)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)
S3 HSFHWBS2; C:\Windows\System32\DRIVERS\USR_BSC2.sys [231168 2005-08-08] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\USR_MDMV.sys [1035008 2005-08-08] (Conexant Systems, Inc.)
S0 IdeBusDr; C:\Windows\System32\DRIVERS\IdeBusDr.sys [13782 2002-08-14] (Intel Corporation)
S0 IdeChnDr; C:\Windows\System32\DRIVERS\IdeChnDr.sys [93594 2002-08-14] (Intel Corporation)
S2 iSMBIOS; C:\WINDOWS\System32\drivers\iSMBIOS.SYS [16480 2002-09-19] (Intel Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S2 NwlnkIpx; C:\Windows\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-13] (Microsoft Corporation)
S2 NwlnkNb; C:\Windows\System32\DRIVERS\nwlnknb.sys [63232 2003-03-31] (Microsoft Corporation)
S2 NwlnkSpx; C:\Windows\System32\DRIVERS\nwlnkspx.sys [55936 2003-03-31] (Microsoft Corporation)
S3 NWRDR; C:\Windows\System32\DRIVERS\nwrdr.sys [163584 2008-04-13] (Microsoft Corporation)
S2 SIODRV; C:\WINDOWS\System32\drivers\SIODRV.SYS [7424 2002-09-19] (Intel Corporation)
S3 smbusp; C:\Windows\System32\DRIVERS\smb.sys [21963 2002-02-28] (Intel Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2002-01-01] ()
S3 winachsf; C:\Windows\System32\DRIVERS\HSF_USR.sys [729728 2005-08-08] (Conexant Systems, Inc.)
S1 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\Windows\System32\drivers\ialmsbw.sys [91678 2002-09-16] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\Windows\System32\drivers\ialmkchw.sys [71514 2002-09-16] (Intel Corporation)
S1 MpKsle97f4565; \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4E82B72-4F44-4273-AAC0-9C75C815BB67}\MpKsle97f4565.sys [X]
S1 NDISRD; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================
NETSVC: Ip6FwHlp -> No Registry Path.

==================== One Month Created Files and Folders ========
2014-05-14 18:38 - 2014-05-14 18:38 - 00000000 ____D () C:\FRST
2014-05-14 00:10 - 2014-05-14 00:10 - 00001649 _____ () C:\Dr Web 1
2014-05-14 00:08 - 2014-05-14 00:08 - 17305616 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Administrator\Desktop\mbam-setup-2.0.1.1004.exe
2014-05-13 23:52 - 2014-05-13 23:52 - 00000321 _____ () C:\dr web
2014-05-07 00:51 - 2014-05-07 00:51 - 03077584 ____N (Symantec Corporation) C:\Documents and Settings\Administrator\Desktop\NPE.exe
2014-05-06 22:21 - 2008-04-13 23:11 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-05-06 22:21 - 2008-04-13 23:11 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-05-06 22:21 - 2008-04-13 23:11 - 00021504 _____ (Microsoft Corporation) C:\Windows\System32\hidserv.dll
2014-05-06 16:41 - 2008-04-13 17:39 - 00014592 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\kbdhid.sys
2014-05-06 16:41 - 2008-04-13 17:39 - 00014592 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\kbdhid.sys
2014-05-06 16:41 - 2008-04-13 17:39 - 00014592 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\kbdhid.sys
2014-05-04 15:30 - 2002-01-01 16:42 - 00013464 _____ () C:\Windows\System32\Drivers\SWDUMon.sys

==================== One Month Modified Files and Folders =======
2014-05-14 18:38 - 2014-05-14 18:38 - 00000000 ____D () C:\FRST
2014-05-14 14:20 - 2001-12-31 23:41 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-14 12:58 - 2005-04-01 21:14 - 01228027 _____ () C:\Windows\WindowsUpdate.log
2014-05-14 12:58 - 2003-09-19 11:22 - 00032602 _____ () C:\Windows\SchedLgU.Txt
2014-05-14 12:58 - 2003-09-19 11:22 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-05-14 12:58 - 2003-09-19 05:55 - 00000216 _____ () C:\Windows\wiadebug.log
2014-05-14 12:58 - 2003-09-19 05:55 - 00000049 _____ () C:\Windows\wiaservc.log
2014-05-14 12:57 - 2003-03-31 12:00 - 00013646 _____ () C:\Windows\System32\wpa.dbl
2014-05-14 00:10 - 2014-05-14 00:10 - 00001649 _____ () C:\Dr Web 1
2014-05-14 00:08 - 2014-05-14 00:08 - 17305616 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Administrator\Desktop\mbam-setup-2.0.1.1004.exe
2014-05-13 23:52 - 2014-05-13 23:52 - 00000321 _____ () C:\dr web
2014-05-13 23:33 - 2014-03-21 19:43 - 00000000 ____D () C:\Program Files\DriverUpdate
2014-05-13 04:02 - 2013-11-07 02:02 - 00000000 ____D () C:\Program Files\Inbox Toolbar
2014-05-07 00:51 - 2014-05-07 00:51 - 03077584 ____N (Symantec Corporation) C:\Documents and Settings\Administrator\Desktop\NPE.exe
2014-05-01 21:06 - 2003-09-19 11:11 - 00000000 ____D () C:\Windows\System32\Restore
2014-04-29 04:23 - 2012-04-08 14:46 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-04-29 04:23 - 2011-08-09 20:31 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-04-27 22:33 - 2014-03-21 21:59 - 00000000 ____D () C:\Program Files\AVG SafeGuard toolbar
2014-04-27 22:33 - 2011-11-09 19:47 - 00000000 ____D () C:\Windows\System32\cache
2014-04-27 22:32 - 2013-02-23 20:03 - 00042272 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2014-04-25 23:20 - 2013-11-14 16:13 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

Files to move or delete:
====================
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2003-03-31 12:00] - [2012-10-03 04:58] - 0617984 ____A (Microsoft Corporation) ab683c1285e5a4aa66a4fc510c211d0e

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================
RP: -> 2014-05-02 23:01 - 028672 _restore{7CDBFFD4-56A1-403D-97D1-77AA5B261692}\RP2
RP: -> 2014-05-01 21:06 - 028672 _restore{7CDBFFD4-56A1-403D-97D1-77AA5B261692}\RP1

==================== Memory info ===========================
Percentage of memory in use: 42%
Total physical RAM: 1277.8 MB
Available physical RAM: 733.94 MB
Total Pagefile: 1112.93 MB
Available Pagefile: 751.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.9 MB

==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.31 GB) (Free:0.31 GB) FAT
Drive c: () (Fixed) (Total:37.26 GB) (Free:7.04 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (AMANDAS) (Removable) (Total:7.46 GB) (Free:7.46 GB) FAT32
Drive x: (UBCD4Windows) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: 4C6E4C6E)
Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 6690A4B4)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================


Something I found odd...

With the USB drive in the PC that was intended to run the frst.exe file on boot, the system came up with the same error that I got with the HitmanPro KickStart above.

Blocking all USB exes?

Attached Files

  • Attached File  FRST.txt   10.88KB   3 downloads

Edited by Wachman48, 14 May 2014 - 06:31 PM.


#12 Aaflac


Posted 14 May 2014 - 09:04 PM

Did you try the Safe Mode with Command Prompt option at some point?

Even if you did, since we have run a few programs, and there may be some changes, will you try Safe Mode with Command Prompt once again? Maybe we'll get lucky.

If it does work, please run FRST in Safe Mode with Command Prompt from the USB pen drive, as well as RogueKiller.

To do so, once you get to the Command Prompt in Safe Mode, type in the following commands (bold), and press Enter after each:

diskpart
(Now at DISKPART)
list volume
(Gives you the drives, including the USB pen drive)

cd \
(Now, at C:\>)

x:
(Substitute x: with the letter of the pen drive)
(Now at x:)

FRST.exe

When FRST comes on the screen, press: Scan
The FRST.txt is placed on the USB pen drive. Please post it in your reply.

Do the same for RogueKiller, and also provide its RKresults.txt

:( If no luck, while I look at the FRST results and figure out a few things, please use RogueKiller, which works in PE:
  • Plug the USB pen drive back into the ransomed computer.
  • Restart the ransomed computer using the UBCD4Win disc
  • Select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take longer for the Desktop to appear than it does when you start the computer normally, but just let the process run itself until the Desktop appears
  • At the UBCD4Win Desktop...
    • Single-click My Computer from the UBCD4Win Desktop, and navigate to the RogueKiller.exe saved to the pen drive.
    • Double-click on RogueKiller.exe to begin running the tool
    • Wait for the PreScan to finish. (Under Status, it says: Prescan finished.)
  • Click on: Scan
  • When done scanning, the tool makes a report, RKreport.txt on the pen drive.
  • Remove the pen drive from the ransomed computer, and insert the USB pen drive into the clean computer to post the RKreport.txt in your reply

Edited by Aaflac, 14 May 2014 - 09:04 PM.
Typo

Old duck...


#13 Aaflac


Posted 14 May 2014 - 09:40 PM

Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the pen drive where FRST is located, and name it: fixlist.txt

start
HKLM\...\Run: [] => [X]
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
C:/program files/driverupdate/duold.exe
C:/Documents and Settings/All Users/Documents/Downloaded Installers/{2B353DA2-A8FD-4238-B207-62A1921158D7}/setup.msi
C:/WINDOWS/TEMP/avg_a01356/Installer.7z
C:/WINDOWS/TEMP/{EB50092D-AC9C-47D5-B7C6-5014B336C96B}.exe
C:/WINDOWS/TEMP/avg_a01356/ProgFiles/AVG SafeGuard toolbar/BundleInstall/passwordbox_1.14.0.1911.exe
end

Now, if you cannot go into Safe Mode with Command Prompt, please enter the PE as done before.
Run FRST, and this time press the Fix button, just once, and wait.

When done, the tool creates a report on the pen drive called: Fixlog.txt

>>  Please post the Fixlog.txt in your reply.

Restart the computer.

Does it return to the DOJ block, or to Windows?


Old duck...
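Added example, not part of this thread and not FRST's own code: a small Python triage helper that reads the "Registry (Whitelisted)" and "Files to move or delete" sections of an FRST log like the one in post #11, flags Run entries with an empty value name, a missing target ([X]), a user-writable data folder as location, or no recorded publisher, and renders the findings in the start/end fixlist layout used in post #13. The sample log lines, the heuristics and the function names are my own constructions; the produced fixlist is a review aid for the responder, not a finished fix.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout FRST prints for its Registry (Whitelisted) and
# 'Files to move or delete' sections; entries are modelled on the ones in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [vProt] => C:\Program Files\AVG SafeGuard toolbar\vprot.exe [2557976 2014-04-27] ()
HKLM\...\Run: [InboxToolbar] => "C:\Program Files\Inbox Toolbar\Inbox.exe" /STARTUP
HKLM\...\Run: [] => [X]
HKU\Administrator\...\Run: [DriverUpdate] => "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot
HKLM\...\Run: [MigAutoPlay] => C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe [X]
Files to move or delete:
====================
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
==================== Known DLLs (Whitelisted) ============
"""

RUN_RE = re.compile(r"^(?P<hive>HK[^ ]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
SIGNER_RE = re.compile(r"\(([^()]*)\)\s*$")          # trailing "(Publisher)" or "()"
SECTION_RE = re.compile(r"^=+ (.+?) =+$")            # "==== Title ====" banner
USER_WRITABLE_RE = re.compile(r"\\(application data|templates|temp|local settings)\\", re.I)


@dataclass
class Finding:
    line: str                      # the FRST line verbatim, so it can go straight into a fixlist
    reasons: list = field(default_factory=list)


def image_path(rest: str):
    """Executable path from the text after '=>'; None when FRST printed only [X]."""
    if rest.strip() == "[X]":
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    return rest.split(" [", 1)[0].strip()


def assess_run_entry(match) -> list:
    """Heuristics (assumed, not FRST's) for one Run entry; empty list means 'looks ordinary'."""
    reasons, rest = [], match["rest"]
    missing = rest.rstrip().endswith("[X]")
    path = image_path(rest)
    if not match["name"]:
        reasons.append("empty value name")
    if missing:
        reasons.append("target file not found ([X])")
    if path and USER_WRITABLE_RE.search(path):
        reasons.append("runs from a user-writable data folder")
    signer = SIGNER_RE.search(rest)
    if not missing and (signer is None or not signer.group(1).strip()):
        reasons.append("no publisher recorded")
    return reasons


def triage(log_text: str) -> list:
    """Walk an FRST log: collect suspicious Run entries plus FRST's own removal list."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if line.endswith(":"):          # bare header such as 'Files to move or delete:'
            section = line[:-1]
            continue
        if line.startswith("="):        # separator rule under a bare header
            continue
        match = RUN_RE.match(line)
        if match:
            reasons = assess_run_entry(match)
            if reasons:
                findings.append(Finding(line, reasons))
        elif section == "Files to move or delete":
            findings.append(Finding(line, ["FRST itself lists it for removal"]))
    return findings


def build_fixlist(findings) -> str:
    """Render findings in the start/end layout FRST reads from fixlist.txt."""
    return "\n".join(["start", *(f.line for f in findings), "end"])
```

Calling triage(SAMPLE_LOG) yields seven findings (the MSC entry, signed by Microsoft, is left alone), and build_fixlist renders them as a candidate fixlist.txt for the responder to review.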


#14 Wachman48


Posted 14 May 2014 - 10:12 PM

No go on Safe Mode with Command Prompt.

Went to UBCD to run as requested.

Looks like no luck at all; RogueKiller is not working: double-click and nothing. frst.exe runs, but it looks like this has blocked RogueKiller.

Just saw your post, will run fix ASAP.


Edited by Wachman48, 14 May 2014 - 10:14 PM.


#15 Aaflac


Posted 14 May 2014 - 10:21 PM

When you get done with Post #13, please give this new fixlist.txt a whirl:

start
cmd: reg query HKLM\SYSTEM\ControlSet001\Control\SafeBoot
cmd: reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
cmd: reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
end

Old duck...

