Thanks Cottonball and everyone else for the help. I'm going to do as suggested. As for counting the days, in a way I am; she's my youngest (18) and is ready to leave the nest, whereas my son at 25 still lives at home.
I noticed the thread was solved, but another way to remove this is using Windows Defender Offline, scanning and removing from a USB stick. I removed this ransomware off my aunt's PC using this method. HitmanPro didn't help in this situation for me.
This page has a download link for 32- and 64-bit and tells you about the program and how to use it:
http://blogs.technet.com/b/security/...r-offline.aspx
Last edited by M1GU31; 25 Feb 2013 at 16:12.
Cottonball,
For some reason the computer would not boot from the flash drive, so I just installed HitmanPro and ran the scan. It found and removed the ransomware. I then used RogueKiller and it produced the following report.
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : sydni [Admin rights]
Mode : Scan -- Date : 02/25/2013 10:43:37
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : AOL (rundll32.exe "C:\Users\sydni\AppData\Local\assembly\AOL\nyshiwys.dll",winampGetInModule2W) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : WeatherBug (rundll32.exe "C:\Users\sydni\AppData\Local\Yahoo\WeatherBug\jloebxo.dll",svn_lock_createW) [x] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x824E1591 -> HOOKED (Unknown @ 0x89475068)
SSDT[14] : NtAlertThread @ 0x8245A1F5 -> HOOKED (Unknown @ 0x895D9118)
SSDT[18] : NtAllocateVirtualMemory @ 0x8249647D -> HOOKED (Unknown @ 0x897117D8)
SSDT[21] : NtAlpcConnectPort @ 0x82438824 -> HOOKED (Unknown @ 0x88B1F7B0)
SSDT[42] : NtAssignProcessToJobObject @ 0x8240BB08 -> HOOKED (Unknown @ 0x8956F110)
SSDT[67] : NtCreateMutant @ 0x8246E7A2 -> HOOKED (Unknown @ 0x897125B8)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8240E31F -> HOOKED (Unknown @ 0x89714998)
SSDT[78] : NtCreateThread @ 0x824DFBA4 -> HOOKED (Unknown @ 0x89711C68)
SSDT[116] : NtDebugActiveProcess @ 0x824B2CA0 -> HOOKED (Unknown @ 0x89656120)
SSDT[129] : NtDuplicateObject @ 0x824464E1 -> HOOKED (Unknown @ 0x89711970)
SSDT[147] : NtFreeVirtualMemory @ 0x822D2F1D -> HOOKED (Unknown @ 0x89712F00)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82408F15 -> HOOKED (Unknown @ 0x895C1388)
SSDT[158] : NtImpersonateThread @ 0x8241E50F -> HOOKED (Unknown @ 0x8947C2F0)
SSDT[165] : NtLoadDriver @ 0x823B9DEE -> HOOKED (Unknown @ 0x88B1F738)
SSDT[177] : NtMapViewOfSection @ 0x8245E83A -> HOOKED (Unknown @ 0x89712DE0)
SSDT[184] : NtOpenEvent @ 0x82447D5F -> HOOKED (Unknown @ 0x89366108)
SSDT[194] : NtOpenProcess @ 0x8246EF3E -> HOOKED (Unknown @ 0x89711B10)
SSDT[195] : NtOpenProcessToken @ 0x8244F9C0 -> HOOKED (Unknown @ 0x89562DA8)
SSDT[197] : NtOpenSection @ 0x8245F60D -> HOOKED (Unknown @ 0x895A4120)
SSDT[201] : NtOpenThread @ 0x8246A48F -> HOOKED (Unknown @ 0x89711A40)
SSDT[210] : NtProtectVirtualMemory @ 0x82468272 -> HOOKED (Unknown @ 0x89714B88)
SSDT[282] : NtResumeThread @ 0x82469ADA -> HOOKED (Unknown @ 0x8947E068)
SSDT[289] : NtSetContextThread @ 0x824E103F -> HOOKED (Unknown @ 0x89355118)
SSDT[305] : NtSetInformationProcess @ 0x82462868 -> HOOKED (Unknown @ 0x89712C08)
SSDT[317] : NtSetSystemInformation @ 0x82434E9B -> HOOKED (Unknown @ 0x895B6120)
SSDT[330] : NtSuspendProcess @ 0x824E14CB -> HOOKED (Unknown @ 0x895A2118)
SSDT[331] : NtSuspendThread @ 0x823E8921 -> HOOKED (Unknown @ 0x8947B110)
SSDT[334] : NtTerminateProcess @ 0x8243F0D3 -> HOOKED (Unknown @ 0x88D56DA8)
SSDT[335] : NtTerminateThread @ 0x8246A4C4 -> HOOKED (Unknown @ 0x8936A110)
SSDT[348] : NtUnmapViewOfSection @ 0x8245EAFD -> HOOKED (Unknown @ 0x89561DA8)
SSDT[358] : NtWriteVirtualMemory @ 0x8245B8CD -> HOOKED (Unknown @ 0x89711680)
SSDT[382] : NtCreateThreadEx @ 0x82469F79 -> HOOKED (Unknown @ 0x89714A68)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8999EE78)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8999EC28)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8999EB68)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8999ECE8)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8999EDA8)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x8999E8F8)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x8999EA98)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8999E9C8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8999EF38)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87C483E0)
_INLINE_ : NtAllocateVirtualMemory -> HOOKED (\??\C:\Windows\system32\drivers\hitmanpro37.sys @ 0xB0542566)
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST9250827AS +++++
--- User ---
[MBR] b53a47771bf5e1c78ce5a2a891eab856
[BSP] 7aa6a89907a87e66c4d8b33fd195b1e7 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 228263 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 467484672 | Size: 10208 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] 6f24357292dfcf2f4126c3dad1ca9445
[BSP] b0aa0a426751b111cace3c8865469653 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7436 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_02252013_02d1043.txt >>
Thanks again everyone
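A small triage parser for RogueKiller report lines like the ones in the post above, added here as an example and not part of the thread or of RogueKiller itself: it picks out the Run-key entries that make rundll32 load a DLL from a user profile folder, and separates SSDT hooks whose owning module was resolved (here HitmanPro's own driver) from those reported as Unknown, which a responder would attribute to a module before drawing any conclusion. The "user-writable folder" rule and the sample lines are this example's own constructions, not RogueKiller's logic.

```python
import re

# Constructed sample in the shape of the RogueKiller report above (a few lines, not the full report).
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Microsoft Games (rundll32.exe "C:\Users\sydni\AppData\Local\Microsoft Help\Microsoft Games\afqxk.dll",DllRegisterServer) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3479480845-2421475870-3400767138-1000_Classes[...]\Run : Adobe (rundll32.exe "C:\Users\sydni\AppData\Local\AOL\Adobe\ymkqqtz.dll",CreateInstance) [x] -> FOUND
SSDT[194] : NtOpenProcess @ 0x8246EF3E -> HOOKED (Unknown @ 0x89711B10)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8999EC28)
_INLINE_ : NtAllocateVirtualMemory -> HOOKED (\??\C:\Windows\system32\drivers\hitmanpro37.sys @ 0xB0542566)
"""

# [RUN][SUSP PATH] <key> : <name> (<host> "<dll>",<export>) [x] -> FOUND
RUN_RE = re.compile(
    r'^\[RUN\]\[SUSP PATH\] (?P<key>\S+) : (?P<name>.+?) '
    r'\((?P<host>\S+) "(?P<dll>[^"]+)",(?P<export>[^)]+)\) \[x\] -> FOUND$')
# SSDT[n] / S_SSDT[n] / _INLINE_ : <func> [@ addr] -> HOOKED (<owner> @ addr)
HOOK_RE = re.compile(
    r'^(?P<table>S?_?SSDT\[\d+\]|_INLINE_) : (?P<func>\w+)(?: @ 0x[0-9A-Fa-f]+)?'
    r' -> HOOKED \((?P<owner>.+?) @ 0x[0-9A-Fa-f]+\)$')

# Heuristic (an assumption of this example, not RogueKiller's rule): an autostart that
# makes rundll32 load a DLL from a user-writable profile folder deserves a close look,
# because legitimately installed software rarely registers its Run entry that way.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

def parse_run_entries(report):
    entries = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["user_writable"] = any(p in e["dll"].lower() for p in USER_WRITABLE)
            entries.append(e)
    return entries

def parse_hooks(report):
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["attributed"] = h["owner"] != "Unknown"  # owner resolved to a module path
            hooks.append(h)
    return hooks

def triage(report):
    runs, hooks = parse_run_entries(report), parse_hooks(report)
    return {
        "rundll32_from_profile": [e["dll"] for e in runs
                                  if e["host"].lower() == "rundll32.exe" and e["user_writable"]],
        "unattributed_hooks": [h["func"] for h in hooks if not h["attributed"]],
        "attributed_hooks": {h["func"]: h["owner"] for h in hooks if h["attributed"]},
    }
```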
As long as the ransomware is gone, we're good.
Please run RogueKiller again.
Click the Registry tab.
Make sure the entries there are checked.
Then, press the [Delete] button.
Please post the new RKreport (Mode: Delete) in your reply.
(The RKreport also opens using the Report button on the console.)