
Need help with FRST.txt fix to remove CTB Locker


  • This topic is locked
4 replies to this topic

#1 RCronier

RCronier

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 15 June 2015 - 10:55 PM

o.k., so I was trying to remove a virus from my dad's computer and didn't realize how embedded it was into the registry until further investigation. I have read a lot of your posts and rest assured that since I am asking for your help, I will do as you ask, but take note that I have already run Malwarebytes anti Malware, anti rootkit and FRST. I just have never messed with the fix on FRST and don't want to mess with his registry. Luckily he didn't have any files that were not replaceable and so I deleted them from his pictures....... But anyway, I am here and ready to do as directed so please let me know what you need. I am attaching what I already did but if you need me to start over then I will greatly comply.

 

Attached File  mbar-log-2015-06-15 (00-39-13).txt   2.94KB   4 downloads

 

Attached File  system-log.txt   19.31KB   2 downloads

 

Attached File  FRST_15-06-2015_23-51-12.txt   44.69KB   6 downloads

 

Attached File  Addition_15-06-2015_23-51-12.txt   30.29KB   2 downloads




#2 RCronier

RCronier
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 16 June 2015 - 12:50 PM

If anyone sees this today and can help, I will be forever grateful.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:36 PM

Posted 17 June 2015 - 08:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found on your logs.

The Best Buy start up items are not required.
If you wish to remove them run this fix.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2387057840-3057239107-685640680-1000\...\Run: [Best Buy pc app] => C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2011-11-21]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2011-11-21]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

What problem persists on this computer?

#4 RCronier

RCronier
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 17 June 2015 - 01:54 PM

ok, well I am sorry to have wasted time. The entries that I saw were on the mbar logs. I think he does complain about the BestBuy stuff but right now as long as I have succeeded in removing the Trojan then I am happy. Thank you so much for taking a look.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:36 PM

Posted 18 June 2015 - 06:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



