
Cant Remove Department of Justice Ransomware


This topic is locked
13 replies to this topic

#1 ChrisHorn (Members, 7 posts)

Posted 31 October 2014 - 02:09 PM

Have a Dell laptop infected with Department of Justice ransomware. Tried to run Hitman Pro, but it will not run.

I have installed Hitman Pro v3.7 to USB, gone into F12 and run from USB. Only option 3 will load the OS, but the ransomware warning comes up and Hitman Pro flashed several times. After several minutes, Hitman displays a message at the top saying it can't connect to the internet, then aborts.

 

I was able to remove the drive from the laptop and connect it to another PC. I can see my files (and made a backup of the important ones). Ran Malwarebytes on the drive, but it comes up clean.

 

Any ideas of what I can do to remove the ransomware?





#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,041 posts)

Posted 31 October 2014 - 02:10 PM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi ChrisHorn,
 
What operating system is the infected computer running?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 ChrisHorn (Topic Starter)

Posted 31 October 2014 - 02:15 PM

XP



#4 xXToffeeXx

Posted 31 October 2014 - 02:18 PM

Hi ChrisHorn,

 

Do you have a Windows CD?

 

xXToffeeXx~




#5 ChrisHorn (Topic Starter)

Posted 31 October 2014 - 02:22 PM

Not the one that came with the laptop, but I do have an XP SP2 CD.



#6 xXToffeeXx

Posted 31 October 2014 - 02:26 PM

Hi ChrisHorn,
 
That should work fine for what we need to do :)
 
You will need the following:
1. A Clean computer with a CD Burner
2. Windows XP CD
3. Blank CD
4. USB pen drive
 
Please follow the steps below. If you are unable to create the UBCD4WIN, please provide any error messages, and/or what step you cannot follow.
 
Phase I - Creating the ISO file
 
1. Please select a mirror and download the Ultimate Boot CD for Windows to the Desktop

  • Double-Click on the UBCD4Win.exe file downloaded to the Desktop.
  • Follow all of its instructions/prompts

Note: Do not install to a folder with spaces in its name. It is best to use the default name C:\UBCD4Win
Note: Your Antivirus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.
Read here for information regarding the files that normally trigger AV software.

  • At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete
  • Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

  • Open My Computer, and navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Select No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: Leave the default filename and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it make sure it is
 a folder without spaces in the name.

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.
 
Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the Build button.

  • When you see the Windows EULA message. Click on I Agree
  • At the Build Screen, let it run its course.
  • When the Build is finished, click close, then exit.

4. Burn your ISO file to CD

Phase II - Download Farbar's Recovery Scan Tool (FRST)
 
From the clean computer, download Farbar Recovery Scan Tool and save it to the USB pen drive.
 
Note: You need the 32-bit version to run with UBCD4Win
 
Now, plug the USB pen drive back into the ransomed computer and move on to the next step.
 
Phase III - Booting to the UBCD4Win CD
 
Restart the ransomed Computer Using the UBCD4Win disc created.

  • Insert the UBCD4Win disc into a CD/DVD drive
  • Restart the computer. It should boot from the UBCD4Win CD automatically
  • If it doesn't, and you are asked if you want to boot from CD, then, select that option

Note: Information on booting from CD > here

  • In the window that appears select Launch The Ultimate Boot CD For Windows, and press: Enter
  • It may take longer for the Desktop to appear than it does when you start the computer normally, but just let the process run until the Desktop appears
  • Once the Desktop appears, a message appears asking: Do you want to start Network support?, click Yes
  • You should now have a Desktop that looks like this:

(screenshot of the UBCD4Win desktop)
 
Phase IV - Running the FRST scan

  • Single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer

Note: If prompted to download the latest version, please do so from the link in Phase II

  • Click on the Scan button
  • When done scanning, the tool makes a log, FRST.txt on the pen drive. You can now close the pen drive, and safely remove it.
  • Insert the USB pen drive into your clean computer, and post the FRST.txt in your reply

xXToffeeXx~




#7 ChrisHorn (Topic Starter)

Posted 03 November 2014 - 07:27 AM

Totally frustrated, unable to create the UBCD4WIN ISO. Four attempts with three different Win XP disks; I get various errors and warnings, unable to create the ISO.

 

Also, I noticed there is a newer Ultimate Boot CD on MajorGeeks.

 

Last attempt:

Builder has stopped because there are 47 build errors
ISO image is not created, you must fix the errors!
Building done...
There where 47 errors and 85 warnings

 

what next?



#8 ChrisHorn (Topic Starter)

Posted 03 November 2014 - 08:08 AM

Was able to use Hiren's Boot CD.

Ran FRST. Here's the log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-11-2014
Ran by SYSTEM on MiniXP on 03-11-2014 08:03:39
Running from D:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM\...\Run: [TkBellExe] => C:\program files\real\realplayer\update\realsched.exe [295512 2013-12-01] (RealNetworks, Inc.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM\...\Run: [nwiz] => nwiz.exe /installquiet
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [MsmqIntCert] => regsvr32 /s mqrt.dll
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [1400832 2010-07-19] (Intel® Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1206544 2010-07-19] (Intel® Corporation)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [488816 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AESTFltr] => C:\Windows\system32\AESTFltr.exe [737280 2009-07-07] (Andrea Electronics Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
HKLM\...\Winlogon: [UIHost] C:\Windows\system32\logonui.exe [514560 2008-04-13] (Microsoft Corporation)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\CHornickle\...\Run: [Google Update] => C:\Documents and Settings\CHornickle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [136176 2011-10-24] (Google Inc.)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
S2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170912 2013-03-23] (Oracle Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S2 MSMQ; C:\WINDOWS\system32\mqsvc.exe [4608 2008-04-13] (Microsoft Corporation)
S2 MSMQTriggers; C:\WINDOWS\system32\mqtgsvc.exe [117248 2008-04-13] (Microsoft Corporation)
S2 MSSQL$GETSMART; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S2 S24EventMonitor; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [966656 2010-07-19] (Intel® Corporation)
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
S2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
S2 STacSV; c:\program files\idt\wdm\stacsv.exe [229458 2010-03-10] (IDT, Inc.)
S2 W3SVC; C:\Windows\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
S2 WLANKEEPER; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [364544 2010-07-19] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-04-22] (Andrea Electronics Corporation)
S1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-11-12] (AVG Technologies)
S3 e1yexpress; C:\Windows\System32\DRIVERS\e1y5132.sys [241880 2011-03-23] (Intel Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 MQAC; C:\WINDOWS\system32\drivers\mqac.sys [92544 2008-04-13] (Microsoft Corporation)
S3 NETwNx32; C:\Windows\System32\DRIVERS\NETwNx32.sys [6650752 2010-07-14] (Intel Corporation)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [16472 2011-09-03] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [11104 2011-09-03] ()
S2 s24trans; C:\Windows\System32\DRIVERS\s24trans.sys [13952 2010-05-20] (Intel Corporation)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1656499 2010-03-10] (IDT, Inc.)
S3 teamviewervpn; C:\Windows\System32\DRIVERS\teamviewervpn.sys [25088 2012-08-07] (TeamViewer GmbH)
S0 cerc6; No ImagePath
S1 ffxqcoyc; \??\C:\WINDOWS\system32\drivers\ffxqcoyc.sys [X]
S4 IntelIde; No ImagePath
S1 mxbrastf; \??\C:\WINDOWS\system32\drivers\mxbrastf.sys [X]
S1 OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [X]
S1 pnnhircr; \??\C:\WINDOWS\system32\drivers\pnnhircr.sys [X]
S1 qbfosomg; \??\C:\WINDOWS\system32\drivers\qbfosomg.sys [X]
S1 sajsfhas; \??\C:\WINDOWS\system32\drivers\sajsfhas.sys [X]
S1 vbnlptfi; \??\C:\WINDOWS\system32\drivers\vbnlptfi.sys [X]
S1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 07:53 - 2014-11-03 07:54 - 00000000 ____D () C:\FRST
2014-10-31 19:17 - 2014-10-31 19:17 - 00000394 _____ () C:\Windows\wmsetup.log
2014-10-31 15:17 - 2014-10-31 15:18 - 00000178 ___SH () C:\Documents and Settings\Chris Hornickle.CHRISH\ntuser.ini
2014-10-31 15:17 - 2014-10-31 15:17 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle.CHRISH\Local Settings\Temp
2014-10-31 15:17 - 2013-02-01 01:55 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle.CHRISH\Application Data\TuneUp Software
2014-10-31 15:17 - 2012-07-11 07:04 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle.CHRISH\My Documents\Visual Studio 2005
2014-10-31 15:17 - 2011-10-24 13:37 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle.CHRISH\Local Settings\Application Data\Microsoft Help
2014-10-31 15:17 - 2011-10-21 00:07 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle.CHRISH\Application Data\Macromedia
2014-10-30 20:24 - 2014-10-31 12:55 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-10-30 19:30 - 2014-10-30 19:28 - 16783752 _____ (Bitdefender LLC) C:\Documents and Settings\Chris Hornickle\Desktop\BDRemoval_Trojan_Ransom_IcePol.exe
2014-10-30 19:30 - 2014-10-30 18:09 - 10284408 _____ (SurfRight B.V.) C:\Documents and Settings\Chris Hornickle\Desktop\HitmanPro.exe
2014-10-26 22:47 - 2014-10-26 22:47 - 00002668 _____ () C:\Documents and Settings\Chris Hornickle\Desktop\Skippack Fantasy Football League.lnk
2014-10-21 10:31 - 2014-10-21 10:31 - 00000138 _____ () C:\Documents and Settings\Chris Hornickle\Desktop\Skippack NFL  Fantasy Football  Yahoo Sports.url
2014-10-14 13:26 - 2014-10-14 13:26 - 00000177 _____ () C:\Documents and Settings\Chris Hornickle\Desktop\GotSoccer Team Detail.url

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 12:45 - 2014-09-30 16:33 - 00044113 _____ () C:\Windows\WindowsUpdate.log
2014-11-03 12:45 - 2014-04-01 13:22 - 00000216 _____ () C:\Windows\wiadebug.log
2014-11-03 12:45 - 2014-04-01 13:22 - 00000050 _____ () C:\Windows\wiaservc.log
2014-11-03 12:45 - 2014-04-01 12:55 - 00032104 _____ () C:\Windows\SchedLgU.Txt
2014-11-03 12:45 - 2013-10-07 19:51 - 00524288 _____ () C:\Windows\System32\config\SpybotSD.evt
2014-11-03 12:45 - 2011-10-21 00:05 - 00180147 _____ () C:\Windows\System32\nvModes.001
2014-11-03 12:45 - 2011-10-20 16:55 - 00000000 ____D () C:\Windows\System32\inetsrv
2014-10-31 20:06 - 2011-10-20 17:05 - 00774194 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-31 20:02 - 2011-10-20 21:15 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-10-31 20:00 - 2011-10-21 12:56 - 00000000 __SHD () C:\Windows\CSC
2014-10-31 13:56 - 2011-10-20 21:26 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle\Local Settings\Temp
2014-10-31 13:06 - 2010-05-12 16:06 - 00247299 _____ () C:\Windows\System32\NvApps.xml
2014-10-20 19:12 - 2014-05-17 15:45 - 00000000 ____D () C:\Documents and Settings\Chris Hornickle\Desktop\Valley Venom 2014-2015
2014-10-16 12:23 - 2011-10-21 00:57 - 00002358 _____ () C:\Documents and Settings\Chris Hornickle\Desktop\Google Chrome.lnk
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-3d0f4b0a.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-440af0c1.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-971a0813.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-c1e1c8cc.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2008-04-13 23:00] - [2012-10-03 04:58] - 0613376 ____A (Microsoft Corporation) 5c7a414f17fb68c7923db374eab3f8ca    

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2008-04-13 23:00] - [2014-04-06 01:28] - 0402944 ____A (Microsoft Corporation) 15e1cf0d6c096667cae89da716966f5f    

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2035.84 MB
Available physical RAM: 1690.91 MB
Total Pagefile: 1808.46 MB
Available Pagefile: 1182.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.45 MB

==================== Drives ================================

Drive b: (RamDrive) (Fixed) (Total:0.53 GB) (Free:0.52 GB) NTFS
Drive c: () (Fixed) (Total:232.7 GB) (Free:54.06 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT32
Drive e: (HBCD 15.2) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=188 MB) - (Type=DE)
Partition 2: (Active) - (Size=232.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 1.9 GB) (Disk ID: 5017AE6A)
Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)

==================== End Of Log ============================
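The Drivers section of the log above lists six start-type S1 entries whose .sys files no longer exist (shown by FRST as [X]), next to keys that have no ImagePath at all. As an added example, not part of the thread and not FRST's own logic, the Python below parses those driver lines, separates missing files from orphaned keys, and flags the entries whose service name looks machine-generated. The "eight lowercase letters with at most two vowels" rule is an assumption chosen to fit the names in this log, not a general signature, and the sample input is copied from the log posted above.

```python
import re

# Constructed sample: the Drivers section lines from the FRST log posted above.
DRIVERS_TXT = r"""
S3 AESTAud; C:\Windows\System32\drivers\AESTAud.sys [113664 2009-04-22] (Andrea Electronics Corporation)
S1 avgtp; C:\WINDOWS\system32\drivers\avgtpx86.sys [37664 2013-11-12] (AVG Technologies)
S3 teamviewervpn; C:\Windows\System32\DRIVERS\teamviewervpn.sys [25088 2012-08-07] (TeamViewer GmbH)
S0 cerc6; No ImagePath
S1 ffxqcoyc; \??\C:\WINDOWS\system32\drivers\ffxqcoyc.sys [X]
S4 IntelIde; No ImagePath
S1 mxbrastf; \??\C:\WINDOWS\system32\drivers\mxbrastf.sys [X]
S1 OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [X]
S1 pnnhircr; \??\C:\WINDOWS\system32\drivers\pnnhircr.sys [X]
S1 qbfosomg; \??\C:\WINDOWS\system32\drivers\qbfosomg.sys [X]
S1 sajsfhas; \??\C:\WINDOWS\system32\drivers\sajsfhas.sys [X]
S1 vbnlptfi; \??\C:\WINDOWS\system32\drivers\vbnlptfi.sys [X]
S1 WS2IFSL; No ImagePath
"""

# FRST driver line: <R|S|U><start type> <service name>; <image path or "No ImagePath">
LINE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")

# Assumption of this example: a name of exactly eight lowercase letters with
# at most two vowels is treated as machine-generated. Tune for other logs.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def looks_random(name):
    """Heuristic only: eight lowercase letters and no more than two vowels."""
    return bool(RANDOM_NAME_RE.match(name)) and sum(c in "aeiou" for c in name) <= 2


def triage(text):
    """Classify every driver line as present, missing_file ([X]) or orphan_key (No ImagePath)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest == "No ImagePath":
            status = "orphan_key"       # registry key survives, binary path never recorded
        elif rest.endswith("[X]"):
            status = "missing_file"     # path recorded, file no longer on disk
        else:
            status = "present"
        rows.append({
            "name": m["name"],
            "start": int(m["start"]),   # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
            "status": status,
            "random_name": looks_random(m["name"]),
        })
    return rows


def suspicious(text):
    """Boot- or system-start entries whose file is gone and whose name looks generated."""
    return [r["name"] for r in triage(text)
            if r["status"] == "missing_file" and r["random_name"] and r["start"] <= 1]


if __name__ == "__main__":
    for row in triage(DRIVERS_TXT):
        print(f'{row["status"]:13} S{row["start"]} {row["name"]}')
    print("suspicious:", ", ".join(suspicious(DRIVERS_TXT)))
```

The orphan keys (cerc6, IntelIde, WS2IFSL) are deliberately left out of the suspicious list: a key with no ImagePath under a vendor-style name is common leftover from uninstalled drivers, whereas a system-start driver registered under a random name whose file has already been removed is the kind of entry that deserves a closer look before the machine is trusted again.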



#9 xXToffeeXx

Posted 03 November 2014 - 12:09 PM

Hi ChrisHorn,
 
Sorry about the trouble you had trying to build the UBCD4WIN iso.
 
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you to disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------

We need to search for a file with FRST:

  • Boot into UBCD4Win like you did before and single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • In the search box, type the following: user32*;rpcss*
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

xXToffeeXx~




#10 ChrisHorn (Topic Starter)

Posted 03 November 2014 - 12:28 PM

I want to see if I can wipe it first. This PC is noncritical, and no financial info is on it or done on it.

Here's the log:

Farbar Recovery Scan Tool (x86) Version: 02-11-2014
Ran by SYSTEM at 2014-11-03 12:22:15
Running from D:\
Boot Mode: Recovery

================== Search: "user32*;rpcss*" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-13 23:00][2014-04-06 01:28] 0402944 ____A (Microsoft Corporation) 15e1cf0d6c096667cae89da716966f5f    

C:\WINDOWS\system32\user32.dll
[2008-04-13 23:00][2012-10-03 04:58] 0613376 ____A (Microsoft Corporation) 5c7a414f17fb68c7923db374eab3f8ca    

C:\WINDOWS\system32\user32.ini
[2008-04-13 23:00][2012-10-03 04:58] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2    

C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-13 23:00][2009-02-09 12:10] 0402944 ___AC (Microsoft Corporation) fe1b46db742475d852fcd685573cdbe1    

C:\WINDOWS\system32\dllcache\user32.dll
[2008-04-13 23:00][2012-10-03 04:58] 0613376 ____A (Microsoft Corporation) 5c7a414f17fb68c7923db374eab3f8ca    

C:\WINDOWS\system32\dllcache\user32.ini
[2008-04-13 23:00][2012-10-03 04:58] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2    

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2011-10-20 22:08][2008-04-13 23:00] 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509    

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2011-10-20 22:03][2009-02-09 10:56] 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2    

X:\I386\System32\rpcss.dll
[2012-11-07 00:00][2012-11-07 00:00] 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509    

X:\I386\System32\user32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0457728 ____A (Microsoft Corporation) 196ccb3fd6885eea9bfbe5badc62074c    

=== End Of Search ===



#11 xXToffeeXx

Posted 04 November 2014 - 11:20 AM

Hi ChrisHorn
 
We need to run a fix with FRST:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the code box below into the open Notepad and save it on the flash drive as fixlist.txt
Replace: X:\I386\System32\rpcss.dll C:\WINDOWS\system32\rpcss.dll
Replace: X:\I386\System32\user32.dll C:\WINDOWS\system32\user32.dll
Replace: X:\I386\System32\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
Replace: X:\I386\System32\user32.dll C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\user32.ini
C:\WINDOWS\system32\dllcache\user32.ini
  • Boot into UBCD4Win like you did before and single-click My computer from the UBCD4Win Desktop, and navigate to the Farbar Recovery Scan Tool (FRST.exe) saved to the pen drive.
  • Double-click on FRST.exe to begin running the tool
  • Press the Fix button just once and wait
  • When finished, FRST will generate a log (Fixlog.txt) on the flashdrive
  • Please copy and paste the log in your next reply.

Please try and boot into normal mode, let me know whether you are successful or not.
 
xXToffeeXx~


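The reasoning behind the Search.txt request and the fixlist that followed is a hash comparison: the rpcss.dll in system32 (MD5 15e1cf0d...) does not match the dllcache backup (fe1b46db...), and user32.ini is a 578 KB file with no company string. The Python below, an added example that is neither the thread's nor FRST's code, parses the Search.txt format shown above, flags system32 copies whose MD5 differs from the dllcache copy or that carry no company string, and turns the findings into fixlist lines in the two forms used on this page (Replace: source target, or a bare path, which FRST moves). The choice of X:\I386\System32 as the trusted source and the two checks are assumptions of the example; the sample input is the Search.txt posted above. Note that the helper's own fixlist also replaced user32.dll, whose system32 and dllcache hashes agree, so a hash comparison alone would not have selected it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the Search.txt posted above (the $NtUninstall and $hf_mig$ copies omitted).
SEARCH_TXT = r"""
================== Search: "user32*;rpcss*" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-13 23:00][2014-04-06 01:28] 0402944 ____A (Microsoft Corporation) 15e1cf0d6c096667cae89da716966f5f

C:\WINDOWS\system32\user32.dll
[2008-04-13 23:00][2012-10-03 04:58] 0613376 ____A (Microsoft Corporation) 5c7a414f17fb68c7923db374eab3f8ca

C:\WINDOWS\system32\user32.ini
[2008-04-13 23:00][2012-10-03 04:58] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2

C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-13 23:00][2009-02-09 12:10] 0402944 ___AC (Microsoft Corporation) fe1b46db742475d852fcd685573cdbe1

C:\WINDOWS\system32\dllcache\user32.dll
[2008-04-13 23:00][2012-10-03 04:58] 0613376 ____A (Microsoft Corporation) 5c7a414f17fb68c7923db374eab3f8ca

C:\WINDOWS\system32\dllcache\user32.ini
[2008-04-13 23:00][2012-10-03 04:58] 0578560 ____A () df74697fb06a25f2d119eca1ac4ae8c2

X:\I386\System32\rpcss.dll
[2012-11-07 00:00][2012-11-07 00:00] 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

X:\I386\System32\user32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0457728 ____A (Microsoft Corporation) 196ccb3fd6885eea9bfbe5badc62074c

=== End Of Search ===
"""

# Detail line: [created][modified] size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


@dataclass
class Entry:
    path: str
    size: int
    company: str
    md5: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[1].lower()

    @property
    def directory(self):
        return self.path.rsplit("\\", 1)[0].lower()


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(Entry(pending, int(m["size"]), m["company"].strip(), m["md5"].lower()))
            pending = None
    return entries


def analyse(entries, system_dir=r"C:\WINDOWS\system32"):
    """Flag live system files whose MD5 differs from the dllcache copy or that have no company string."""
    system_dir = system_dir.lower()
    dllcache = system_dir + r"\dllcache"
    by_name = defaultdict(dict)
    for e in entries:
        by_name[e.name][e.directory] = e
    findings = {}
    for name, copies in by_name.items():
        live = copies.get(system_dir)
        if live is None:
            continue
        reasons = []
        if not live.company:
            reasons.append("no company string in version info")
        backup = copies.get(dllcache)
        if backup is not None and backup.md5 != live.md5:
            reasons.append(f"md5 {live.md5} differs from dllcache copy {backup.md5}")
        if reasons:
            findings[name] = reasons
    return findings


def build_fixlist(entries, findings, trusted_root, system_dir=r"C:\WINDOWS\system32"):
    """Emit 'Replace: <good> <target>' where a trusted copy exists, else the bare path (FRST moves it)."""
    trusted = {e.name: e for e in entries if e.directory == trusted_root.lower()}
    targets_of = (system_dir.lower(), system_dir.lower() + r"\dllcache")
    lines = []
    for name in sorted(findings):
        good = trusted.get(name)
        for e in entries:
            if e.name == name and e.directory in targets_of:
                lines.append(f"Replace: {good.path} {e.path}" if good else e.path)
    return lines


if __name__ == "__main__":
    found = analyse(parse_search(SEARCH_TXT))
    for name, reasons in found.items():
        print(name, "->", "; ".join(reasons))
    print("\n".join(build_fixlist(parse_search(SEARCH_TXT), found, r"X:\I386\System32")))
```

Two things the script does not do, and that a practitioner should do by hand before trusting the output: it does not check that the trusted copy is the same build as the file it replaces (the I386 rpcss.dll above is 399360 bytes against 402944 in system32, i.e. a different build), and a dllcache copy can itself be tampered with, so a matching hash there is not proof of integrity. Check the MD5 of both sides against a known-good reference, which is what the "Google the MD5" note in the FRST log is asking for.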


#12 ChrisHorn (Topic Starter)

Posted 05 November 2014 - 08:32 AM

Thanks for the help, but after waiting, I decided to just reformat the laptop and start fresh.

Please close the post.



#13 xXToffeeXx

Posted 05 November 2014 - 12:05 PM

Hi ChrisHorn,

 

Thank you for letting me know.

 

xXToffeeXx~




#14 xXToffeeXx

Posted 05 November 2014 - 12:05 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





