FBI Ransomware


  1. Posts : 2,470
    Windows 7 Home Premium
       #21

    trampy,

    Will be back shortly.

    Checking the info on your reports...


  2. Posts : 2,470
    Windows 7 Home Premium
       #22

    trampy,

    Please do the following...

    Open Notepad (Start > All Programs > Accessories > Notepad)
    Copy/paste all the contents of the quote box below to Notepad (do not copy the word 'Quote').
    Save it on the Desktop as: fixlist.txt

    start
    SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
    SSODL-x32: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
    URLSearchHook: (No Name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Toolbar: HKCU - No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
    Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
    2013-05-07 00:59 - 2013-05-07 00:59 - 00000000 ____A C:\flashplayer.exe
    2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Macromedia
    2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Adobe
    2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\7db5f4df-9768-49f3-a2a5-3b007bd42c2bad
    2013-05-06 18:35 - 2013-05-06 18:35 - 00000000 ____A C:\mstsc.exe
    2013-05-04 06:58 - 2013-05-04 03:09 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\7db5f4df-9768-49f3-a2a5-3b007bd42c2bad
    2013-05-04 06:58 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Saxo
    2013-05-04 03:08 - 2013-05-04 03:08 - 00000000 ____A C:\Users\Floyd\windowsupdate.exe
    2013-05-04 03:08 - 2013-05-04 03:08 - 00000000 ____A C:\Users\Floyd\flashplayer.exe
    2013-05-04 02:48 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Onpyr
    2013-05-04 01:02 - 2013-05-04 01:02 - 00000001 ____A C:\ProgramData\dqn77kUm.exe_.b
    2013-05-04 01:02 - 2013-05-04 01:02 - 00000001 ____A C:\ProgramData\dqn77kUm.exe.b
    2013-05-04 01:01 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Sikab
    C:\vlcplayer.exe
    C:\ProgramData\2219692.bat
    C:\ProgramData\2219692.pad
    C:\ProgramData\2219692.reg
    C:\ProgramData\IBuMO8uoK.dat
    C:\ProgramData\nud0repor.pad
    TDL4: custom:26000022 <===== ATTENTION!
    end
    WARNING: This script is written specifically for trampy, for use on this particular computer.
    Running the script on another computer may cause damage to the Operating System!!

    Run FRST again, but this time press the Fix button just once, and wait.

    When done, the tool makes a log on the Desktop.
    This time it is called: Fixlog.txt

    Please post Fixlog.txt in your reply.


    ~~~~
    Next, please go to the TDSSKiller Download
    Select the .exe version
    Double-click on TDSSKiller.exe to run the program.

    When the TDSSKiller console opens, click on: Change Parameters
    Under Additional Options, place a check in the box next to: Detect TDLFS File System
    Click: OK

    Press: Start Scan

    • If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
    • If malicious objects are found, they show in the Scan results.
    Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
    (Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

    When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

    Logs have a name like:
    C:\TDSSKiller.X.X.X_06.02.2013_15.31.43_log.txt

    Please attach the TDSSKiller log in your reply.

    There is still more work to be done. Need to go out for a while. Will be back o/a 5:00PM CST (Illinois)
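
Added example, not part of the original post and not FRST's own logic: a small Python triage over file-listing lines in the format used in the fixlist above. The column meaning (created, modified, size in bytes, attributes, path), the three rule names and the last sample line are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, splitext

# Assumed columns: created - modified - size(bytes) attributes path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S+) ([A-Za-z]:\\.+)$")
GUID_PREFIX = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Drive root, a profile root, or ProgramData (illustrative rule)
DROP_DIR = re.compile(r"^[a-z]:(\\users\\[^\\]+|\\programdata)?$", re.I)

# First four lines are copied from the fixlist; the last one is constructed.
SAMPLE = r"""
2013-05-07 00:59 - 2013-05-07 00:59 - 00000000 ____A C:\flashplayer.exe
2013-05-04 06:58 - 2013-05-04 03:09 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\7db5f4df-9768-49f3-a2a5-3b007bd42c2bad
2013-05-04 06:58 - 2013-05-04 01:01 - 00000000 ____D C:\Users\Floyd\AppData\Roaming\Saxo
2013-05-04 03:08 - 2013-05-04 03:08 - 00000000 ____A C:\Users\Floyd\windowsupdate.exe
2013-05-01 09:12 - 2013-05-01 09:12 - 00184320 ____A C:\Program Files\Example\example.exe
"""

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified, "size": int(size),
            "is_dir": "D" in attrs, "path": path}

def reasons(rec):
    parent = dirname(rec["path"]).rstrip("\\")
    name = basename(rec["path"])
    out = []
    if not rec["is_dir"] and splitext(name)[1].lower() == ".exe":
        if rec["size"] <= 1:  # too small to be a valid program
            out.append("empty-executable")
        if DROP_DIR.match(parent):
            out.append("executable-in-drop-dir")
    if (rec["is_dir"] and GUID_PREFIX.match(name)
            and parent.lower().endswith("\\appdata\\roaming")):
        out.append("guid-named-roaming-dir")
    return out

def triage(text):
    flagged = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec and reasons(rec):
            flagged[rec["path"]] = reasons(rec)
    return flagged
```

The `Saxo` folder matches none of these rules although the fixlist removes it, so a listing like this still needs review by a person.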


  3. Posts : 30
    windows 7 home premium 64 bit
    Thread Starter
       #23

    Here are the new logs. I found 4 tdsskiller logs so I posted them all, hope that's not a problem.


  4. Posts : 2,470
    Windows 7 Home Premium
       #24

    Please run TDSSKiller once again
    Under Additional Options, place a check in the box next to: Detect TDLFS File System
    Click: OK
    Press: Start Scan

    When presented with the TDSS File System entry in Threats Detected, select: Delete
    Please provide the new TDSSKiller log in your reply.


    ~~~~
    Also, please proceed with Downloading MiniToolBox
    Save to the Desktop
    Double-click the downloaded file to run it.

    Image courtesy of BleepingComputer:



    When the above console opens, please check the following boxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings (Only if you use FireFox)
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List Restore Points

    Click: Go

    Please post the result Result.txt in your reply.
    (A copy of Result.txt is also saved in the same directory the tool is run (Desktop).)


  5. Posts : 30
    windows 7 home premium 64 bit
    Thread Starter
       #25

    Here are the logs


  6. Posts : 2,470
    Windows 7 Home Premium
       #26

    We need to repair the Winsock settings. Do so automatically by clicking the Fix-it button on the Microsoft link: http://go.microsoft.com/?linkid=9662461

    Click Run in the File Download dialog box, and then follow the steps in the Fix-it wizard.

    Reboot once the tool is finished.

    ~~~~
    Please run the MiniToolBox once again, and this time only check:
    List Winsock Entries
    Click: Go
    Please post the new Result.txt in your reply.

    ~~~~
    When done, please download the Farbar Service Scanner

    Save to the Desktop
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press: Scan
    • FSS creates a log, FSS.txt, on the Desktop.
    Please provide the FSS.txt in your reply.

    ~~~~
    Need to be out again. Will be back in a couple of hours.

    Thanks for your patience!!


  7. Posts : 30
    windows 7 home premium 64 bit
    Thread Starter
       #27

    Here ya go, and thank you for all the help.


  8. Posts : 2,470
    Windows 7 Home Premium
       #28

    trampy,

    We still have some damage to repair, as shown below:

    Windows Firewall:
    =============
    MpsSvc Service
    bfe Service

    Action Center
    ============
    wscsvc Service

    Windows Update:
    ============
    wuauserv service
    BITS Service

    Windows Defender:
    ==============
    WinDefend Service

    Other Services:
    ==============
    Internet Connection Sharing (SharedAccess)
    IPHelper service (iphlpsvc)

    This ransomware that got hold of the computer came accompanied with ZeroAccess, and it normally takes its toll.

    Will get the info needed to do the repairs, however, will not be able to do so until tomorrow.

    Also, following my previous post, please provide the latest MiniToolBox Result.txt
    Need to see what happened there.

    Thanks for your patience.


  9. Posts : 30
    windows 7 home premium 64 bit
    Thread Starter
       #29

    kk np


  10. Posts : 2,470
    Windows 7 Home Premium
       #30

    That's the old report...


 