Windows 7 Forums

Windows 7: FBI Ransomware

02 Jun 2013   #21
cottonball

Windows 7 Home Premium

trampy,

Will be back shortly.

Checking the info on your reports...


02 Jun 2013   #22
cottonball

Windows 7 Home Premium

trampy,

Please do the following...

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy/paste all the contents of the quote box below to Notepad (do not copy the word 'Quote').
Save it on the Desktop as: fixlist.txt

Quote:
start
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
SSODL-x32: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
URLSearchHook: (No Name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
2013-05-07 00:59 - 2013-05-07 00:59 - 00000000 ____A C:\flashplayer.exe
2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Macromedia
2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Adobe
2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\7db5f4df-9768-49f3-a2a5-3b007bd42c2bad
2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____A C:\mstsc.exe
2013-05-04 06:58 - 2013-05-04 03:09 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\7db5f4df-9768-49f3-a2a5-3b007bd42c2bad
2013-05-04 06:58 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Saxo
2013-05-04 03:08 - 2013-05-04 03:08 - 00000000 ____A C:\Users\Floyd\windowsupdate.exe
2013-05-04 03:08 - 2013-05-04 03:08 - 00000000 ____A C:\Users\Floyd\flashplayer.exe
2013-05-04 02:48 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Onpyr
2013-05-04 01:02 - 2013-05-04 01:02 - 00000001 ____A C:\ProgramData\dqn77kUm.exe_.b
2013-05-04 01:02 - 2013-05-04 01:02 - 00000001 ____A C:\ProgramData\dqn77kUm.exe.b
2013-05-04 01:01 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Sikab
C:\vlcplayer.exe
C:\ProgramData\2219692.bat
C:\ProgramData\2219692.pad
C:\ProgramData\2219692.reg
C:\ProgramData\IBuMO8uoK.dat
C:\ProgramData\nud0repor.pad
TDL4: custom:26000022 <===== ATTENTION!
end
WARNING: This script is written specifically for trampy, for use on this particular computer.
Running the script on another computer may cause damage to the Operating System!!

Run FRST again, but this time press the Fix button just once, and wait.

When done, the tool makes a log on the Desktop.
This time it is called: Fixlog.txt

Please post Fixlog.txt in your reply.


~~~~
Next, please go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

• If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
• If malicious objects are found, they show in the Scan results.
  Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
  (Note: If Cure is not available, select Skip. >> Do not select: Delete <<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_06.02.2013_15.31.43_log.txt

Please attach the TDSSKiller log in your reply.

There is still more work to be done. Need to go out for a while. Will be back o/a 5:00PM CST (Illinois)
02 Jun 2013   #23
trampy

windows 7 home premium 64 bit

Here are the new logs. I found 4 TDSSKiller logs, so I posted them all; hope that's not a problem.

02 Jun 2013   #24
cottonball

Windows 7 Home Premium

Please run TDSSKiller once again
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK
Press: Start Scan

When presented with the TDSS File System entry in Threats Detected, select: Delete
Please provide the new TDSSKiller log in your reply.


~~~~
Also, please proceed with Downloading MiniToolBox
Save to the Desktop
Double-click the downloaded file to run it.

Image courtesy of BleepingComputer: (screenshot of the MiniToolBox console)

When the above console opens, please check the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings (Only if you use FireFox)
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List Restore Points
Click: Go

Please post the resulting Result.txt in your reply.
(A copy of Result.txt is also saved in the directory the tool is run from, i.e. the Desktop.)
02 Jun 2013   #25
trampy

windows 7 home premium 64 bit

Here are the logs


Attached files: TDSSKiller.2.8.16.0_02.06.2013_14.56.32_log.txt (127.0 KB), Result.txt (9.1 KB)
02 Jun 2013   #26
cottonball

Windows 7 Home Premium

We need to repair the Winsock settings. Do so automatically by clicking the Fix-it button on the Microsoft link: http://go.microsoft.com/?linkid=9662461

Click Run in the File Download dialog box, and then follow the steps in the Fix-it wizard.

Reboot once the tool is finished.

~~~~
Please run the MiniToolBox once again, and this time only check:
List Winsock Entries
Click: Go
Please post the new Result.txt in your reply.

~~~~
When done, please download the Farbar Service Scanner

Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.

~~~~
Need to be out again. Will be back in a couple of hours.

Thanks for your patience!!
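An added example, not part of cottonball's or trampy's posts and not the MiniToolBox tool itself: a read-only PowerShell pass over the same items MiniToolBox is asked to report in the two posts above (hosts file, IE/WinINET proxy values, Winsock catalog, IP and DNS configuration), so the same checks can be repeated after the Winsock repair without the tool. The registry path and value names are the standard WinINET ones; the label strings passed to Select-String are an assumption about the wording of netsh and ipconfig output and may need adjusting on a localized system.

```powershell
# Added example, not from the thread. Read-only triage of the items
# MiniToolBox lists: hosts file, IE proxy, Winsock catalog, IP config.
# Works on the PowerShell 2.0 that ships with Windows 7; run elevated.

# 1. Hosts file: any line that is not a comment or blank is worth a look.
#    Hijacks of this era commonly pointed AV-vendor or update hostnames
#    at 127.0.0.1 or at an attacker-controlled address.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Output '== Hosts file (active entries) =='
Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

# 2. IE / WinINET proxy. ProxyEnable=1 with an unexpected ProxyServer, or an
#    AutoConfigURL the user never set, means browser traffic is being steered.
Write-Output '== WinINET proxy settings (HKCU) =='
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL |
    Format-List

# 3. Winsock catalog. Every provider should map to a DLL under %SystemRoot%.
#    An entry whose DLL lives in ProgramData/AppData, or no longer exists at
#    all after cleanup, is what leaves the machine without working networking.
Write-Output '== Winsock catalog: providers and their DLL paths =='
netsh winsock show catalog |
    Select-String -Pattern 'Description|Provider Path'   # assumed label wording

# 4. IP configuration and DNS servers. ipconfig is used because the
#    Get-NetIPConfiguration cmdlet does not exist on Windows 7.
Write-Output '== IP configuration =='
ipconfig /all | Select-String -Pattern 'IPv4 Address|DNS Servers|Default Gateway'
```

If the catalog shows a provider whose DLL is gone, `netsh winsock reset` followed by a reboot rebuilds the catalog from scratch; that is the manual way of doing the Winsock repair, and re-running the Winsock listing afterwards (as the post asks) confirms that only Microsoft providers remain.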
02 Jun 2013   #27
trampy

windows 7 home premium 64 bit

Here ya go, and thank you for all the help.


Attached file: FSS.txt (5.2 KB)
02 Jun 2013   #28
cottonball

Windows 7 Home Premium

trampy,

We still have some damage to repair, as shown below:

Windows Firewall:
=============
MpsSvc Service
bfe Service

Action Center
============
wscsvc Service

Windows Update:
============
wuauserv service
BITS Service

Windows Defender:
==============
WinDefend Service

Other Services:
==============
Internet Connection Sharing (SharedAccess)
IPHelper service (iphlpsvc)

This ransomware that got hold of the computer came accompanied by ZeroAccess, and it normally takes its toll.

Will get the info needed to do the repairs, however, will not be able to do so until tomorrow.

Also, following my previous post, please provide the latest MiniToolBox Result.txt
Need to see what happened there.

Thanks for your patience.
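An added example, not from cottonball's post and not the Farbar Service Scanner itself: a PowerShell check over the eight services FSS flagged above. For each service it reports whether the Service Control Manager still knows it, its state and start mode (through WMI, which the PowerShell 2.0 on Windows 7 has), and whether its registry key exists, is readable, and carries an explicit Deny ACE, since a service that has vanished from the SCM or whose key cannot be opened is the kind of damage FSS reports. It only reports and changes nothing. The service names are taken from the post; everything else is the example's own.

```powershell
# Added example, not part of the thread. Reports on the services that the
# Farbar Service Scanner flagged; read-only. Run elevated on the affected PC.

$flagged = 'MpsSvc', 'BFE', 'wscsvc', 'wuauserv', 'BITS',
           'WinDefend', 'SharedAccess', 'iphlpsvc'

foreach ($name in $flagged) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    # What the Service Control Manager says ($null if the service is gone).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $scm = '{0}, StartMode={1}' -f $svc.State, $svc.StartMode
    } else {
        $scm = 'NOT REGISTERED with the SCM'
    }

    # What the registry says: key present? readable? any explicit Deny ACE?
    if (-not (Test-Path -Path $key)) {
        $regNote = 'registry key MISSING'
    } else {
        try {
            $props = Get-ItemProperty -Path $key -ErrorAction Stop
            $deny = (Get-Acl -Path $key).Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) {
                $regNote = 'DENY ACE on key for: ' +
                           (($deny | ForEach-Object { $_.IdentityReference }) -join ', ')
            } else {
                $regNote = 'key ok, ImagePath=' + $props.ImagePath
            }
        } catch {
            $regNote = 'key present but NOT READABLE (' + $_.Exception.Message + ')'
        }
    }

    '{0,-13} {1,-32} {2}' -f $name, $scm, $regNote
}
```

Both columns matter: `Get-WmiObject` alone cannot distinguish a stopped service from one whose registry key was deleted, and a key that exists but cannot be read (typically because its ACL was rewritten) will not be started by the SCM either. A missing key has to be recreated, usually by exporting the same key from a healthy Windows 7 machine of the same edition and importing it, which is the information the post says still has to be gathered before the repair.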
02 Jun 2013   #29
trampy

windows 7 home premium 64 bit

kk np


Attached file: Result.txt (9.1 KB)
02 Jun 2013   #30
cottonball

Windows 7 Home Premium

That's the old report...