Got hit with Ransomware Encryption Trojan

Tried rebooting out of safe mode and clicker3.exe and conhost.exe came back, booo.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 64-bit SP1
CPU
Intel Core2 Quad Q6600 2.40 GHz
Motherboard
Intel DP35DP
Memory
Kingston ValueRAM 3x2GB PC2-5300 667 MHz
Graphics Card(s)
Asus ENGTX460
Sound Card
Creative Xtreme Fatality
Monitor(s) Displays
Acer V193w
Screen Resolution
1440x900
Hard Drives
Samsung HD502HJ 500GB
Seagate Barracuda 320GB
PSU
EVGA 100-B1-0500-KR
Case
Tsunami Dream
Cooling
1x90mm fan, 2x120mm fan
Keyboard
Microsoft Digital Media Pro Keyboard
Mouse
Razer Diamondback
Internet Speed
20mbps
Other Info
DVD Drive
DVD-RW Drive
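One quick triage check, added here as an example and not taken from the thread or from any of the tools named in it: list every running process called clicker3.exe or conhost.exe together with its on-disk path, parent process, command line and Authenticode signer. conhost.exe is a legitimate Windows component that lives in C:\Windows\System32 and is Microsoft-signed, so instances running from there are expected; a copy running from anywhere else, or one with no valid signature, is what the logs requested later in the thread would have to account for. The two process names come from the post; everything else is an assumption (run it from an elevated PowerShell prompt; it is written against the PowerShell 2.0 that ships with Windows 7 SP1, so it avoids newer cmdlets and syntax).

```powershell
# Added triage example (not from the thread or from any tool it mentions).
# For each running process whose image name is on the list below, show the
# on-disk path, parent process, command line and Authenticode signer, so a
# genuine Windows binary (conhost.exe belongs in System32 and is signed by
# Microsoft) can be told apart from a look-alike started from a user-writable
# folder. Run from an elevated prompt; PowerShell 2.0 compatible.

$suspectNames = @('clicker3.exe', 'conhost.exe')   # names taken from the post

$system32 = Join-Path $env:SystemRoot 'System32'

Get-WmiObject -Class Win32_Process |
    Where-Object { $suspectNames -contains $_.Name.ToLower() } |
    ForEach-Object {
        $proc   = $_
        $path   = $proc.ExecutablePath      # may be empty when not elevated
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

        $status = 'n/a'
        $signer = 'n/a (path not readable)'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Expected only when the image sits under System32 AND carries a valid
        # signature; anything else is flagged for a closer look in the logs.
        $inSystem32 = $path -and $path.ToLower().StartsWith($system32.ToLower() + '\')
        $verdict = if ($inSystem32 -and $status -eq 'Valid') { 'expected' } else { 'INVESTIGATE' }

        New-Object PSObject -Property @{
            Name        = $proc.Name
            PID         = $proc.ProcessId
            Path        = $path
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited/unknown' }
            CommandLine = $proc.CommandLine
            Signature   = $status
            Signer      = $signer
            Verdict     = $verdict
        }
    } | Format-List
```

Several conhost.exe entries are normal (one per console window), and a process whose parent has already exited shows "exited/unknown". An empty Path usually means the prompt was not elevated rather than that the file is hidden, so re-run as Administrator before reading anything into it.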
thebladeroden,

This malware is a tough one. Your best bet may end up being a clean install, and that is something I recommend only in cases where hope does not appear to be a strategy.

You may want to think about it...


Are you running Malwarebytes Anti-Malware Free, or the Pro version?

In any event, please run the following programs, in the order presented: MBAM > RogueKiller > FRST and provide the four reports produced.

:info: Open MBAM, click the Settings tab at the top, and, in the left column, select:
Detections and Protections
If not already checked, select: Scan for rootkits

Click the Scan tab at the top of the program window, and select: Threat Scan

Next, click: Scan Now

If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.

Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.

:ar: Please post the MBAM report in your reply.

Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2. If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


:info: Next, please download RogueKiller:
RogueKiller Download
Save to the Desktop

After closing all windows and browsers, right-click the downloaded RogueKiller file and select:
Run as Administrator

If your Antivirus program alerts you about the program, please allow it to run, or temporarily disable your AV.

Next, read and Accept the license terms.

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished)
Press: SCAN

When done, a report opens on the drive: RKreport.txt

:ar: Please provide the RKreport.txt (Mode: Scan) in your reply.


:info: Last, please use the Farbar Recovery Scan Tool once again.
At the program console, click on: Addition.txt

:ar: When done, please post both reports (FRST.txt and Addition.txt), and let's see what they show.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!

thebladeroden,

:info: If downloads are not allowed on Internet Explorer, re-enable them by going to: Tools > Internet Options > Security
In the Security tab, click on: Reset all areas to the default level
You should be able to download from IE.

:info: Please do the following, and DO read the instructions carefully!
Trojan.Poweliks Removal Tool | Symantec

Download the Trojan.Poweliks Removal Tool to the Desktop.
FixPoweliks64.exe for 64-bit computers:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixPoweliks64.exe

Close all the running programs/windows.
Double-click the FixPoweliks64.exe to start the tool.
Click to accept the EULA

Click Start for the tool to run.

When done, a message prompting you to check the results (FixPoweliks64.log) appears, click: OK
Restart the computer.
:ar: Please post the FixPoweliks64.log in your reply.


:info: Right after you finish with the Poweliks Removal Tool, please run RogueKiller and perform a Scan as before.
Please run it from the Desktop.
:ar: Post its new RKreport.txt in your reply.


:info: Next, please run FRST64. However, do not run it from H:\; run it from the Desktop as well.
:ar: Also post the new FRST64.txt in your reply.

Thanks!
 

Also...

:info: Let's use the following to make sure malware is not lurking in the Master Boot Record...

Download: TDSSKiller
TDSSKiller Download


Select the .exe version
  • Double-click on TDSSKiller.exe to run the program.
  • At the Kaspersky TDSSKiller interface, click: Change parameters
  • Check: Detect TDLFS file system
  • Click: OK
  • Now, click Start Scan and allow the scan to run
  • If any threats are found, select: Skip (Do not select: Delete!!)
  • Click: Continue
  • Click: Reboot computer
:ar: When done, please provide the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\)
 

Well, I'll be out of town for the next week, so we will have to continue this then. Thanks for the help though.
 

thebladeroden.

If that is the case, please do not use the instructions in Posts #24 and 25.

In addition, you have requested and are accepting help here:
KeyHolder ransomware log - Virus, Trojan, Spyware, and Malware Removal Logs

There is no way I will offer any more help under these circumstances. It is like trying to drive two cars at the same time...a counterproductive endeavor.
 

Good find and decision, cottonball.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.