
Ransom Virus?


  • This topic is locked
12 replies to this topic

#1 bigboy32692 (Members, 6 posts)

Posted 05 August 2015 - 05:39 AM

I have some kind of virus that comes on as soon as the desktop loads and takes over the whole screen. You can't Ctrl-Alt-Delete, Alt-F4, nothing. It's a white screen with what looks like a search box at the bottom. The button says <? echo $submit,?>

Below that, in red letters, it says press Esc and try to connect to the internet. You have 30 seconds to do this.

I was able to get enough time to get into msconfig and disable everything, but upon restart it was still there.

Please help.





#2 Firehouse (Members, 637 posts)

Posted 05 August 2015 - 05:42 AM

Try to remove it with NPE, which is great against ransomware and rogueware.

http://www.norton.com/npe



#3 bigboy32692 (Topic Starter, 6 posts)

Posted 05 August 2015 - 05:51 AM

I need something that I can boot to.



#4 Firehouse (Members, 637 posts)

Posted 05 August 2015 - 06:09 AM

Boot NPE in safe mode (not networking).



#5 bigboy32692 (Topic Starter, 6 posts)

Posted 05 August 2015 - 06:18 AM

Can't use safe mode. It does the same thing.



#6 Firehouse (Members, 637 posts)

Posted 05 August 2015 - 06:50 AM

Ok, try Dr.Web Live CD or ESET.



#7 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,085 posts)

Posted 05 August 2015 - 07:30 AM

Hi bigboy32692,
 
FRST Scan from RECOVERY Environment on Vista, 7, and 8:
 
On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc, or a repair disc made on another computer, can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 bigboy32692 (Topic Starter, 6 posts)

Posted 05 August 2015 - 02:28 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:02-08-2015 01
Ran by SYSTEM on MINWINPC (05-08-2015 14:24:18)
Running from g:\
Platform: Windows Vista ™ Home Premium Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\Default\...\Run: [HPADVISOR] => C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] => C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
HKU\fbwuser\...\Run: [HPADVISOR] => C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
HKU\Test\...\Run: [HPADVISOR] => C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S4 dlcc_device; C:\Windows\system32\dlcccoms.exe [538096 2007-02-14] ( )
S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-10-09] (Hewlett-Packard)
S4 hshld; C:\Program Files\Hotspot Shield\bin\cmw_srv.exe [919040 2014-05-16] (AnchorFree Inc.)
S4 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-05-16] ()
S4 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [430344 2014-05-16] ()
S4 InboxAce_1gService; C:\Program Files\InboxAce_1g\bar\1.bin\1gbarsvc.exe [88648 2014-07-02] (COMPANYVERS_NAME)
S4 Norton Internet Security; C:\Program Files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [117648 2011-09-21] (Symantec Corporation)
S4 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()
S4 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-09-15] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S1 BHDrvx86; C:\Windows\System32\Drivers\NIS\1008030.006\BHDrvx86.sys [259632 2009-08-21] (Symantec Corporation)
S1 ccHP; C:\Windows\System32\Drivers\NIS\1008030.006\ccHPx86.sys [467592 2011-10-12] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389456 2015-07-27] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [122192 2015-07-27] (Symantec Corporation)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2009-11-10] (LeapFrog)
S1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [39624 2014-05-16] (AnchorFree Inc.)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20150803.001\IDSvix86.sys [523512 2015-06-19] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20150803.005\NAVENG.SYS [104440 2015-05-20] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20150803.005\NAVEX15.SYS [1645432 2015-05-20] (Symantec Corporation)
S3 PRISM_A02; C:\Windows\System32\DRIVERS\WUSB20XP.sys [339488 2004-01-06] (Cisco-Linksys, LLC.)
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1008030.006\SRTSP.SYS [308272 2009-08-21] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1008030.006\SRTSPX.SYS [43696 2009-08-21] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NIS\1008030.006\SYMEFA.SYS [310320 2009-08-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2009-10-30] (Symantec Corporation)
S3 SYMFW; C:\Windows\System32\Drivers\NIS\1008030.006\SYMFW.SYS [89976 2011-09-21] (Symantec Corporation)
S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [25648 2009-08-21] (Symantec Corporation)
S3 SYMNDISV; C:\Windows\System32\Drivers\NIS\1008030.006\SYMNDISV.SYS [48760 2011-09-21] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\NIS\1008030.006\SYMTDI.SYS [217464 2011-09-21] (Symantec Corporation)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [37064 2014-03-19] (Anchorfree Inc.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-05 14:23 - 2015-08-05 14:23 - 00000000 ____D C:\FRST
2015-08-05 06:52 - 2015-08-05 06:52 - 00000000 ____D C:\NBRT
2015-08-02 06:57 - 2015-08-05 02:36 - 00004392 _____ C:\Windows\System32\spsys.log
2015-08-01 06:28 - 2015-08-02 06:21 - 00000000 ___HD C:\Users\Public\Documents\Report
2015-08-01 06:28 - 2015-08-02 06:21 - 00000000 ___HD C:\ProgramData\Documents\Report
2015-07-22 00:02 - 2015-07-14 08:02 - 00034304 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2015-07-22 00:02 - 2015-07-14 06:23 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2015-07-18 00:24 - 2015-07-03 08:04 - 01316864 _____ (Microsoft Corporation) C:\Windows\System32\ole32.dll
2015-07-18 00:24 - 2015-06-24 18:57 - 02066432 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2015-07-18 00:22 - 2015-06-17 08:50 - 02264576 _____ (Microsoft Corporation) C:\Windows\System32\msi.dll
2015-07-18 00:22 - 2015-06-17 07:09 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\msiexec.exe
2015-07-18 00:21 - 2015-06-12 08:01 - 00298496 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2015-07-16 00:37 - 2015-05-31 00:11 - 00225792 _____ (Microsoft Corporation) C:\Windows\System32\cewmdm.dll
2015-07-16 00:35 - 2015-06-27 08:02 - 00501248 _____ (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2015-07-16 00:35 - 2015-06-27 08:02 - 00218112 _____ (Microsoft Corporation) C:\Windows\System32\msv1_0.dll
2015-07-16 00:35 - 2015-06-27 08:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\System32\advapi32.dll
2015-07-16 00:35 - 2015-06-27 06:21 - 00217088 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb10.sys
2015-07-16 00:35 - 2015-06-27 06:21 - 00081408 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb20.sys
2015-07-16 00:35 - 2015-06-12 05:13 - 00440768 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2015-07-16 00:35 - 2015-05-08 15:08 - 00821760 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2015-07-16 00:35 - 2015-01-08 16:17 - 00107008 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxsmb.sys
2015-07-16 00:34 - 2015-07-02 07:37 - 06009856 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2015-07-16 00:34 - 2015-07-02 05:14 - 01638912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2015-07-16 00:34 - 2015-06-16 21:26 - 00421376 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2015-07-16 00:34 - 2015-06-16 21:20 - 11085312 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2015-07-16 00:33 - 2015-06-16 21:26 - 01214976 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2015-07-16 00:33 - 2015-06-16 21:26 - 00916992 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2015-07-16 00:33 - 2015-06-16 21:26 - 00236544 _____ (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2015-07-16 00:33 - 2015-06-16 21:26 - 00105984 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2015-07-16 00:33 - 2015-06-16 21:24 - 00206848 _____ (Microsoft Corporation) C:\Windows\System32\occache.dll
2015-07-16 00:33 - 2015-06-16 21:22 - 00630784 _____ (Microsoft Corporation) C:\Windows\System32\mstime.dll
2015-07-16 00:33 - 2015-06-16 21:22 - 00630272 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2015-07-16 00:33 - 2015-06-16 21:22 - 00193536 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2015-07-16 00:33 - 2015-06-16 21:22 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2015-07-16 00:33 - 2015-06-16 21:22 - 00055296 _____ (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2015-07-16 00:33 - 2015-06-16 21:21 - 01469440 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2015-07-16 00:33 - 2015-06-16 21:21 - 00727552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2015-07-16 00:33 - 2015-06-16 21:21 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2015-07-16 00:33 - 2015-06-16 21:21 - 00025600 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 02006016 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00387584 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00164352 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2015-07-16 00:33 - 2015-06-16 21:20 - 00055808 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2015-07-16 00:33 - 2015-06-16 21:19 - 00348160 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2015-07-16 00:33 - 2015-06-16 21:19 - 00216576 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2015-07-16 00:33 - 2015-06-16 21:19 - 00019456 _____ (Microsoft Corporation) C:\Windows\System32\corpol.dll
2015-07-16 00:33 - 2015-06-16 20:14 - 00385024 _____ (Microsoft Corporation) C:\Windows\System32\html.iec
2015-07-16 00:33 - 2015-06-16 18:58 - 00174080 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2015-07-16 00:33 - 2015-06-16 18:58 - 00133632 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2015-07-16 00:33 - 2015-06-16 18:57 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2015-07-08 15:07 - 2015-07-08 15:42 - 00001064 _____ C:\Users\Johnny Shula\Documents\K Bumper.m3u
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-05 02:37 - 2009-04-21 22:52 - 00000000 ____D C:\Users\Johnny Shula\Local Settings\Application Data\Temp
2015-08-05 02:36 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-05 02:36 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-05 01:58 - 2009-03-23 08:48 - 01455285 _____ C:\Windows\WindowsUpdate.log
2015-08-05 01:50 - 2009-10-13 22:04 - 00502878 _____ C:\ProgramData\nvModes.dat
2015-08-05 01:50 - 2009-10-13 22:04 - 00502878 _____ C:\ProgramData\nvModes.001
2015-08-02 07:19 - 2012-04-10 12:05 - 00000000 ____D C:\Users\Test\Local Settings\Application Data\Temp
2015-08-01 16:45 - 2009-04-22 18:09 - 00000021 _____ C:\ProgramData\hpqp.txt
2015-08-01 06:05 - 2015-02-09 05:18 - 00001931 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-01 06:05 - 2015-02-09 05:18 - 00001931 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2015-07-26 13:38 - 2009-11-08 13:16 - 00000052 _____ C:\Windows\System32\DOErrors.log
2015-07-22 00:24 - 2006-11-02 04:47 - 00398232 _____ C:\Windows\System32\FNTCACHE.DAT
2015-07-20 18:06 - 2010-07-17 14:36 - 00000680 _____ C:\Users\Johnny Shula\Local Settings\Application Data\d3d9caps.dat
2015-07-20 18:06 - 2010-07-17 14:36 - 00000680 _____ C:\Users\Johnny Shula\AppData\Local\d3d9caps.dat
2015-07-20 16:31 - 2008-01-20 18:47 - 00421816 _____ C:\Windows\PFRO.log
2015-07-18 00:21 - 2013-08-14 00:52 - 00000000 ____D C:\Windows\System32\MRT
2015-07-18 00:09 - 2008-10-25 15:52 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-07-17 09:02 - 2006-11-02 02:33 - 00759582 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-16 20:19 - 2013-07-25 15:29 - 00019490 _____ C:\Users\Johnny Shula\Documents\Bumper.m3u
 
Some files in TEMP:
====================
C:\Users\Johnny Shula\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Johnny Shula\AppData\Local\Temp\HPQSi.exe
C:\Users\Johnny Shula\AppData\Local\Temp\hssinst.dll
C:\Users\Johnny Shula\AppData\Local\Temp\HssInstaller.exe
C:\Users\Johnny Shula\AppData\Local\Temp\mediaimpression.exe
C:\Users\Johnny Shula\AppData\Local\Temp\SP43672.exe
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2015-05-14 00:08] - [2015-04-10 15:22] - 0279552 ____A (Microsoft Corporation) 4F0A7910FC7D8A66433FA9961EEF8BB5
 
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll
[2011-04-15 13:44] - [2011-03-02 07:44] - 0168448 ____A (Microsoft Corporation) 85E861D0B88DB2B54ACB0839654C09F7
 
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2015-06-11 00:02:08
Restore point made on: 2015-06-12 10:49:40
Restore point made on: 2015-06-14 06:25:48
Restore point made on: 2015-06-16 14:51:02
Restore point made on: 2015-06-20 11:21:02
Restore point made on: 2015-07-01 16:32:07
Restore point made on: 2015-07-02 06:50:06
Restore point made on: 2015-07-03 07:41:55
Restore point made on: 2015-07-05 06:18:14
Restore point made on: 2015-07-10 14:20:19
Restore point made on: 2015-07-11 06:27:10
Restore point made on: 2015-07-13 15:57:31
Restore point made on: 2015-07-14 10:04:29
Restore point made on: 2015-07-16 00:06:50
Restore point made on: 2015-07-18 00:02:57
Restore point made on: 2015-07-22 00:01:42
Restore point made on: 2015-07-23 21:48:55
Restore point made on: 2015-08-03 12:48:13
 
==================== Memory info =========================== 
 
Percentage of memory in use: 26%
Total physical RAM: 1789.69 MB
Available physical RAM: 1310.23 MB
Total Virtual: 1554.56 MB
Available Virtual: 1386.91 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:222 GB) (Free:111.86 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10.88 GB) (Free:1.77 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive g: (NBRT) (Removable) (Total:28.86 GB) (Free:28.86 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 2D900954)
Partition 1: (Active) - (Size=222 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 28.9 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2015-08-05 02:05
 
==================== End of log ============================

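The log above is what the helper reads by hand: the Services/Drivers lines carry a start type, a path, a size/date pair and the publisher, with "[X]" for a file that no longer exists, and the Run lines carry the autostart value and its target. As an added example (not FRST's code and not from anyone in this thread), here is a small parser for those two line formats plus a defender's triage pass; the triage rules are my own assumptions, and the "EXAMPLE_svc" line in the sample is constructed, not from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: lines copied from the FRST log in this thread, plus one
# constructed line ("EXAMPLE_svc", a hypothetical entry) so the
# user-writable-location rule has something to hit.
SAMPLE_LOG = r"""
S4 hshld; C:\Program Files\Hotspot Shield\bin\cmw_srv.exe [919040 2014-05-16] (AnchorFree Inc.)
S4 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-05-16] ()
S4 dlcc_device; C:\Windows\system32\dlcccoms.exe [538096 2007-02-14] ( )
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389456 2015-07-27] (Symantec Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S2 EXAMPLE_svc; C:\Users\Johnny Shula\AppData\Local\Temp\EXAMPLE_svc.exe [12345 2015-08-01] ()
HKU\Test\...\Run: [HPADVISOR] => C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
"""

# Services/Drivers line: "<start type> <name>; <path> [<size> <date>] (<company>)".
# A file FRST could not find is printed as "<path> [X]" with no size/date/company.
SVC_RE = re.compile(
    r"^(?P<start>[A-Z]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<company>[^)]*)\)|\[X\])$"
)
# Registry Run line: "<hive>\...\Run: [<value name>] => <path> [<size> <date>] (<company>)".
RUN_RE = re.compile(
    r"^(?P<key>HK\w+\\.+?\\Run):\s+\[(?P<name>[^\]]+)\]\s+=>\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<company>[^)]*)\)$"
)

# Path fragments a normal service or driver should not live under (assumed rule).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class Entry:
    kind: str        # "service/driver" or "run"
    name: str
    path: str
    company: str     # "" when FRST printed "()" or "( )"
    missing: bool    # True when FRST printed "[X]" (file not found)


def parse_frst(text: str) -> List[Entry]:
    """Parse the Services/Drivers and Run lines; every other line is ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry(kind="service/driver", name=m.group("name").strip(),
                                 path=m.group("path"),
                                 company=(m.group("company") or "").strip(),
                                 missing=m.group("size") is None))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(kind="run", name=m.group("name"), path=m.group("path"),
                                 company=m.group("company").strip(), missing=False))
    return entries


def review(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Assumed triage rules (mine, not FRST's): an empty publisher field, a
    file that is gone, or a binary under a user-writable path each earn a note.
    Returns (name, reasons) for every entry that picked up at least one note."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.missing:
            reasons.append("file not found on disk (stale entry)")
        else:
            if not e.company:
                reasons.append("no publisher recorded")
            if any(tok in e.path.lower() for tok in USER_WRITABLE):
                reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in review(parse_frst(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

A note is a prompt to look closer, not a verdict: in the real log the two "()" Hotspot Shield entries and the "[X]" network drivers are ordinary leftovers, which is exactly why a human still reads the output.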

#9 bigboy32692 (Topic Starter, 6 posts)

Posted 05 August 2015 - 05:20 PM

I was able to boot to recovery and use System Restore. Went back a week and now it's working back to normal. Should I still be concerned that the virus is still there, or would going back a week completely resolve it?



#10 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,085 posts)

Posted 06 August 2015 - 04:09 AM

Hi bigboy32692,
 
You should hopefully be okay, but please run this for me so I can be sure :)
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
xXToffeeXx~

~ moved to MRT due to presence of FRST logs, myrti ~



#11 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,085 posts)

Posted 08 August 2015 - 04:21 AM

Hi bigboy32692,
 
This is a 3 day bump:
 
It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

xXToffeeXx~




#12 bigboy32692 (Topic Starter, 6 posts)

Posted 08 August 2015 - 10:14 AM

Sorry, it seems to be fine since the restore back to last week. Thanks for all the help.



#13 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,085 posts)

Posted 08 August 2015 - 10:17 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
