Naathim

Everything posted by Naathim

  1. Hi. Do you still have the samples of the infector and/or the encrypted files? I'm currently discussing this case with a developer. Any samples could help us a lot.
  2. Hi. Looks like we have some new variant of ransomware here... Can you please zip some of your files and attach them to your next post? Or upload it to Dropbox and provide me a link? I'm currently discussing it with a developer to find a possible solution.
  3. Hi and welcome. This looks like some kind of ransomware. I suspect that your files have been encrypted; the question is how. Can you please zip three or four files and either attach them to your next post or upload them to Dropbox or something and provide me a link? I'll try to discuss it with a colleague who works with encryptors/decryptors.
  4. Hi and sorry for the delay. This forum is quite a busy one and sometimes we may unintentionally overlook a thread. If you still need help, please post back here and I will be very glad to help you. Naat
  5. Hi and sorry for the delay. This forum is very busy and sometimes we just overlook a thread. If you still need help, post back here and I will be happy to help you. Naat
  6. My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine of any junkware, feel free to call me Naat. Before we start, please note the following:
     • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
     • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
     • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
     • Paste the logs in your posts; attachments make my work harder and more complicated.
     • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
     • Note that we may live in totally different time zones, which may cause some delays between answers.
     • I can't foresee everything, so if anything unexpected happens, please stop and inform me!
     There are no silly questions. Never be afraid to ask if in doubt! Let's start and enjoy the fight!
     Rules and policies: We won't support any piracy. That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding! The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding! Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.
     Hello. I will be glad to help you. One thing: while I go through your previous thread, please re-post the FRST & Addition logfiles here for the record. Sometimes I need to compare logs and it would make my work easier if I don't have to jump between threads. Thank you! Naat
  7. I need to see an ARK report. Two failed, so let's try another.
     Scan with Malwarebytes' Anti-Rootkit
     Please download Malwarebytes' Anti-Rootkit and save the file to your desktop. Note that the tool is still in its BETA stage, therefore not all functionalities may be added.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • It will ask you for an extraction place - make sure you unpack it to your desktop.
     • After the extraction, the tool should start itself (no action required).
     • On the Introduction screen click Next.
     • On the Update screen click Update.
     • When prompted about the successful update, click Next.
     • On the Scan System screen, make sure that all three options (Drivers, Sectors, System) are checked for scanning and press Scan.
     • Wait patiently and don't do anything on your machine while MBAR goes through your system!
     • If no infection is found, just close the tool.
     • If an infection is found, make sure that Create Restore Point is checked, then select the Cleanup button to remove threats. The process will start and your machine will prompt you to reboot upon completion.
     • When finished (either with or without cleanup), please navigate to the MBAR directory. Search there for these two files:
       > mbar-log-date(time).txt
       > system-log.txt
     Please include the content of both files in your reply.
  8. OK, let's run this tool instead.
     Scan with TDSSKiller
     Please download TDSSKiller by Kaspersky and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes; allow it to do so.
     • Your machine may appear very slow and unusable after that - it's normal. TDSSKiller will run automatically.
     • Click on Change parameters and click OK.
     • Make sure that Verify driver digital signatures & Detect TDLFS File System are marked and click OK.
     • Click the Start Scan button and wait patiently.
     • If anything is found, follow these guidelines:
       > If a suspicious object is detected, the default action will be Skip; click on Continue.
       > If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. If Cure is not available, please choose Skip instead.
       > Do not choose Delete unless instructed!
     • A report will be created in your root directory (usually the C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt.
     Please include the contents of that file in your next post.
  9. Well, this is it. We're really done now. See below. They are enough for an average user.
     Below you will find my thoughts about securing your machine. Go ahead through it; you will benefit from some useful advice about safe computing.
     Recommended reading:
     • MUST READ - security tips: Computer Security - a short guide to staying safer online.
     • MUST READ - general maintenance: What to do if your Computer is running slowly?
     Recommended additional software:
     • TFC - to clean unneeded temporary files.
     • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
     • Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
     • McShield - to prevent infections spread by removable media.
     • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
     • Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.
     Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed. Stay safe, Naat
  10. Hi. Yes, it's OK to delete them; however, we should check your machine for any other malicious things.
     My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine of any junkware, feel free to call me Naat. Before we start, please note the following:
     • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
     • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
     • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
     • Paste the logs in your posts; attachments make my work harder and more complicated.
     • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
     • Note that we may live in totally different time zones, which may cause some delays between answers.
     • I can't foresee everything, so if anything unexpected happens, please stop and inform me!
     There are no silly questions. Never be afraid to ask if in doubt! Let's start and enjoy the fight!
     Rules and policies: We won't support any piracy. That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding! The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding! Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.
     Scan with Malwarebytes' Anti-Malware
     Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.
     • First of all, select Update.
     • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
     • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
     • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
     • Upon completion of the scan (or after the reboot), click the History tab.
     • Click Application Logs and double-click the Scan Log.
     • At the bottom click Export and choose Text file.
     • Save the file to your desktop and include its content in your next reply.
     Scan with ZOEK
     Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
     Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Wait patiently until the main console appears; it may take a minute or two.
     • In the main box please paste in the following script:
       createsrpoint;process;services-list;systemspecs;startupall;skipfix-iedefaults;firefoxlook;chromelook;filesrcm;installedprogs;
     • Make sure that the Scan All Users option is checked.
     • Push Run Script and wait patiently. The scan may take a couple of minutes.
     • When the scan completes, a zoek-results logfile should open in Notepad. If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).
     Please include its content in your next reply. Don't forget to re-enable your switched-off protection software!
  11. Very good. Update me about any remaining issues.
     Scan with Security Check
     Please download Security Check by Screen317 and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Follow the onscreen instructions inside the black box. This scan won't take long.
     • Soon a Notepad document called checkup.txt will open automatically.
     Please include the content of that document.
  12. No no no, some cleaning still remains.
     Clean with DelFix
     Please download DelFix by Xplode and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
     • Push Run.
     • When finished, it will display a Notepad report. Include it for my review.
     Please also manually reboot your machine after posting your logfile.
  13. Looks good to me. Please update me about any other issues that persist.
  14. Fix with Farbar Recovery Scan Tool
     This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
     • Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
     • Copy the entire content of the codebox below and paste it into the Notepad document:

       start
       HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/w...C05RDIwQy0zN1RT"&"inst=NzctMTIyNzA3NzAwOS1GSSsxLUZMMTArMS1ERFQrMC1UVUcrMy1MU0QrM (the data entry has 100 more characters).
       Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Metacafe.lnk
       ShortcutTarget: Metacafe.lnk -> C:\$RECYCLE.BIN\S-1-5-21-3726736968-409882640-1958551794-1000\MetacafeAgent.exe (No File)
       Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
       Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
       Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
       S3 catchme; \??\C:\ComboFix\catchme.sys [X]
       2014-08-22 14:00 - 2014-08-23 16:48 - 00000000 ____D () C:\ProgramData\HitmanPro
       2014-08-20 18:46 - 2014-08-20 18:46 - 00000666 _____ () C:\Toolbars.dat
       2014-08-19 23:07 - 2014-08-27 09:44 - 00000000 ____D () C:\ProgramData\GlarySoft
       2014-08-17 16:29 - 2014-08-17 16:29 - 04763288 _____ (AVG Technologies) C:\Users\savas.kyriakidis\Downloads\avg_avct_stb_all_2014_4745.exe
       2014-08-17 15:54 - 2014-08-17 15:54 - 04462440 _____ (AVG Technologies) C:\Users\savas.kyriakidis\Downloads\avg_avct_stb_all_2014_4335_welcomecmp.exe
       2014-08-16 17:04 - 2014-08-16 17:05 - 04755832 _____ (AVG Technologies) C:\Users\savas.kyriakidis\Downloads\avg_free_stb_all_2014_4744_cnet.exe
       2014-08-15 13:32 - 2014-08-15 13:32 - 06534584 _____ (Systweak Software ) C:\Users\savas.kyriakidis\Downloads\PCDiagnosisProTPSSetup.exe
       2014-08-14 18:19 - 2014-08-27 09:44 - 00000000 ____D () C:\Users\savas.kyriakidis\AppData\Roaming\GlarySoft
       2014-08-14 18:19 - 2014-08-23 11:16 - 00000000 ____D () C:\Users\savas.kyriakidis\AppData\Roaming\DiskDefrag
       2014-08-14 18:18 - 2014-08-14 18:18 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup (5).exe
       2014-08-14 18:18 - 2014-08-14 18:18 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup (4).exe
       2014-08-14 18:15 - 2014-08-14 18:16 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup (3).exe
       2014-08-14 18:15 - 2014-08-14 18:15 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup (2).exe
       2014-08-14 18:14 - 2014-08-14 18:14 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup (1).exe
       2014-08-14 18:13 - 2014-08-14 18:13 - 14416448 _____ () C:\Users\savas.kyriakidis\Downloads\gu5setup.exe
       2014-08-15 11:17 - 2014-08-15 11:17 - 03552760 _____ (tuneuppro.com ) C:\Users\savas.kyriakidis\Downloads\tall_150803173445318587.exe
       2014-08-15 11:17 - 2014-08-15 11:17 - 03552760 _____ (tuneuppro.com ) C:\Users\savas.kyriakidis\Downloads\tall_150803172000784607.exe
       2014-08-14 17:37 - 2014-08-14 17:40 - 03552760 _____ (tuneuppro.com ) C:\Users\savas.kyriakidis\Downloads\tall_140809374825884190.exe
       2014-08-14 17:37 - 2014-08-14 17:37 - 03552760 _____ (tuneuppro.com ) C:\Users\savas.kyriakidis\Downloads\tall_140809372042763201.exe
       2014-08-14 17:37 - 2014-08-14 17:37 - 03552760 _____ (tuneuppro.com ) C:\Users\savas.kyriakidis\Downloads\tall_140809371092783465.exe
       2014-08-27 10:44 - 2011-07-10 19:25 - 00000000 ____D () C:\Program Files\AVG
       2014-08-27 10:41 - 2014-08-27 10:41 - 03386520 _____ (AVG Technologies CZ, s.r.o.) C:\Users\savas.kyriakidis\Downloads\avg_remover_stf_x86_2014_4116.exe
       2014-08-27 09:44 - 2014-08-19 23:07 - 00000000 ____D () C:\ProgramData\GlarySoft
       2014-08-27 09:44 - 2014-08-14 18:19 - 00000000 ____D () C:\Users\savas.kyriakidis\AppData\Roaming\GlarySoft
       2014-08-22 14:32 - 2014-08-22 14:32 - 00000000 ____D () C:\Users\savas.kyriakidis\Documents\ProcAlyzer Dumps
       2014-08-16 12:05 - 2014-08-16 12:05 - 00000000 ____D () C:\ProgramData\SlimWare Utilities Inc
       2014-08-16 12:05 - 2014-08-15 20:57 - 00000000 ____D () C:\Users\savas.kyriakidis\AppData\Local\SlimWare Utilities Inc
       2014-08-16 12:04 - 2014-08-16 12:04 - 00000000 ____D () C:\Users\savas.kyriakidis\AppData\Local\Downloaded Installers
       2014-08-16 09:22 - 2014-08-15 20:56 - 00000000 ____D () C:\Program Files\DriverUpdate
       AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4
       AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2
       Task: {FCAFF07B-D3AC-4A0C-A6E2-6C23DFC270C9} - \{B7983C11-5FD9-12B1-4EAA-DE223F2AD5D5} No Task File <==== ATTENTION
       Task: {C22BB22A-70B9-4AEA-B6E6-2234A457F078} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - savas.kyriakidis) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
       C:\Program Files\SlimCleaner Plus
       Task: {C22BB22A-70B9-4AEA-B6E6-2234A457F078} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - savas.kyriakidis) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe
       Task: {788B04FA-AA4F-4BCC-9AAE-A2881E7E64E6} - \Scheduled Update for Ask Toolbar No Task File <==== ATTENTION
       Task: {510F6543-BD19-48A5-9E5E-D5E371879760} - System32\Tasks\AVG\PC Tuneup 2011\Integrator\Start On Rita Logon => C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
       C:\Program Files\AVG
       Task: {510F6543-BD19-48A5-9E5E-D5E371879760} - System32\Tasks\AVG\PC Tuneup 2011\Integrator\Start On Rita Logon => C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
       Task: {30B9F70E-3CAE-49C3-9D96-BE89B7AA59AB} - \Time Trigger Test Task No Task File <==== ATTENTION
       Task: {2343967C-C69F-44DE-8AA3-E9113A3466E5} - \Security Center Update - 754758581 No Task File <==== ATTENTION
       Task: {1D455FF0-01E6-438C-A9D6-27C72AC03552} - \PC Performer No Task File <==== ATTENTION
       CMD: netsh winsock reset
       EmptyTemp:
       end

     • Click File, Save As and type fixlist.txt as the File Name.
     Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
     • Right-click on the icon and select Run as Administrator to start the tool.
       > XP users: click Run after receipt of the Windows Security Warning - Open File.
       > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
     • Press the Fix button just once and wait.
     • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
     • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
     Please include it in your reply.
  15. True, you don't have Java, so skip it.
     Scan with Malwarebytes' Anti-Malware
     Please re-run Malwarebytes' Anti-Malware.
     • First of all, select Update.
     • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
     • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
     • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
     • Upon completion of the scan (or after the reboot), click the History tab.
     • Click Application Logs and double-click the newest Scan Log.
     • At the bottom click Export and choose Text file.
     • Save the file to your desktop and include its content in your next reply.
     Scan with ESET Online Scanner
     This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
     Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
     • Please visit the ESET Online Scanner website. Click there Run ESET Online Scanner.
     • If using Internet Explorer: Accept the Terms of Use and click Start. Allow the add-on to run.
     • If using Mozilla Firefox or Google Chrome: Download esetsmartinstaller_enu.exe from the link you'll be given. Double-click esetsmartinstaller_enu.exe. Accept the Terms of Use and click Start.
     • To perform the scan: Make sure that Enable detection of potentially unwanted applications is checked. In the Advanced Settings dropdown menu, make sure that Remove found threats is unchecked, Scan archives is checked, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked, and Use custom proxy settings is unchecked. Click Start.
     • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
     • When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan.
     • When the scan is done, click Finish.
     • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
     Please include this logfile in your next reply. Don't forget to re-enable previously switched-off protection software!
  16. I am very careful about tools that are advertised with "FIX ALL ERRORS" and "SPEED UP YOUR MACHINE". Without some level of registry and system knowledge, users are not able to control what they are actually doing. Below you will find two good readings about this kind of software:
     • Microsoft support policy for the use of registry cleaning utilities
     • Miekiemoes (Microsoft MVP) blog
     Post me fresh FRST & Addition reports. Let's see what has changed and what still has to be done.
  17. Update outdated software
     Staying always updated is crucial, not only for your operating system, but also for any third-party installed software. Your logs clearly indicate that some of your software needs updating.
     Updating Java manually
     • Click the Start button.
     • Click Control Panel.
     • Double-click Java - it looks like a coffee cup. You may have to switch to Classic View to see it.
     • Click the Update tab.
     • Click Update Now.
     • Allow any updates to be downloaded and installed.
     • If prompted (during the installation) to also install the ASK toolbar, leave this unchecked - Ask does not have a good reputation.
     • From Control Panel also please remove any older versions of Java - do not leave them installed!
     Updating Adobe manually
     • Visit the Adobe website.
     • You will see a download option there for the newest Adobe Acrobat version.
     • In the center part you will be prompted to install McAfee Security Scan Plus as a free program. This is foistware. Remember to leave the box for McAfee UNCHECKED.
     • Click on Install, save the file to a convenient location, double-click it and follow the prompts.
     Remember to keep your software always up-to-date. Report when done.
  18. I suspect that the wrong screen calibration may have something to do with this. Unfortunately, it's not my area of expertise. Run this tool instead of GMER:
     Scan with TDSSKiller
     Please download TDSSKiller by Kaspersky and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes; allow it to do so.
     • Your machine may appear very slow and unusable after that - it's normal. TDSSKiller will run automatically.
     • Click on Change parameters and click OK.
     • Make sure that Verify driver digital signatures & Detect TDLFS File System are marked and click OK.
     • Click the Start Scan button and wait patiently.
     • If anything is found, follow these guidelines:
       > If a suspicious object is detected, the default action will be Skip; click on Continue.
       > If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. If Cure is not available, please choose Skip instead.
       > Do not choose Delete unless instructed!
     • A report will be created in your root directory (usually the C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt.
     Please include the contents of that file in your next post.
  19. I have removed what I saw. There was an Astromenda entry, so it should be gone now.
     Scan with Security Check
     Please download Security Check by Screen317 and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Follow the onscreen instructions inside the black box. This scan won't take long.
     • Soon a Notepad document called checkup.txt will open automatically.
     Please include the content of that document.
  20. The scripts are for one-time use only. I told you in my first post: Please re-run FRST, make sure that the Addition box is checked and press Scan. Two logs should appear - post them.
  21. I don't think that there is Tracur here, because I don't see any signs of it in your logs. Please tell me what other issues persist.
     Scan with Security Check
     Please download Security Check by Screen317 and save it to your desktop.
     • Right-click on the icon and select Run as Administrator to start the tool.
     • Follow the onscreen instructions inside the black box. This scan won't take long.
     • Soon a Notepad document called checkup.txt will open automatically.
     Please include the content of that document.