
I have the FBI warning ransomware virus. I need help!



Welcome to the forum, here's how we deal with that malware:

  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
    If you are using Vista or Windows 7 enter System Recovery Options.
    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  3. On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt. Once in the Command Prompt:
  4. In the command window type in notepad and press Enter.
  5. The notepad opens. Under File menu select Open.
  6. Select "Computer" and find your flash drive letter and close the notepad.
  7. In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  8. The tool will start to run.
  9. When the tool opens click Yes to disclaimer.
  10. Press Scan button.
  11. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

MrC


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2013 (ATTENTION: FRST version is 8 days old)

Ran by SYSTEM on 10-06-2013 13:14:10

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-06-09] (Synaptics Incorporated)

HKLM\...\Run: [setDefault] C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [42808 2011-06-27] (Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2013-03-12] (IDT, Inc.)

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)

Winlogon\Notify\ScCertProp: wlnotify.dll [X]

HKLM-x32\...\Run: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [168504 2011-06-27] (Hewlett-Packard Company)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2010-11-15] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-09-28] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)

HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\Phillip\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)

HKU\Phillip\...\Run: [Facebook Update] "C:\Users\Phillip\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-29] (Facebook Inc.)

HKU\Phillip\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

HKU\Phillip\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe -update activex [351904 2012-06-10] (Adobe Systems Incorporated)

Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File

==================== Services (Whitelisted) =================

S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2011-09-28] (Advanced Micro Devices, Inc.)

S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\diMaster.dll [309688 2012-04-12] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20110519.002\BHDrvx64.sys [1143416 2011-05-13] (Symantec Corporation)

S3 cxbu0x64; C:\Windows\System32\DRIVERS\cxbu0x64.sys [177920 2011-09-05] (HID Global Corporation)

S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20110519.031\IDSVia64.sys [488056 2011-05-13] (Symantec Corporation)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110519.002\ENG64.SYS [117880 2011-05-18] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110519.002\EX64.SYS [2011768 2011-05-18] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-27] (Symantec Corporation)

S1 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [x]

S3 SRTSP; \SystemRoot\System32\Drivers\NISx64\1309010.00E\SRTSP64.SYS [x]

S1 SRTSPX; \SystemRoot\system32\drivers\NISx64\1309010.00E\SRTSPX64.SYS [x]

S0 SymDS; system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [x]

S0 SymEFA; system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [x]

S1 SymIRON; \SystemRoot\system32\drivers\NISx64\1309010.00E\Ironx64.SYS [x]

S1 SymNetS; \SystemRoot\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-10 13:13 - 2013-06-10 13:13 - 00000000 ____D C:\FRST

2013-06-01 11:43 - 2013-06-01 11:43 - 00000000 ____D C:\Users\Phillip\Desktop\OCONUS2CONUS - Copy

2013-05-20 11:29 - 2013-06-10 10:40 - 00000000 ____D C:\Users\Phillip\AppData\Roaming\wabEventSupport16

==================== One Month Modified Files and Folders =======

2013-06-10 13:13 - 2013-06-10 13:13 - 00000000 ____D C:\FRST

2013-06-10 10:41 - 2012-03-06 05:51 - 00000000 ___RD C:\Users\Phillip\Podcasts

2013-06-10 10:41 - 2012-02-09 11:44 - 00000000 ____D C:\ProgramData\McAfee Security Scan

2013-06-10 10:41 - 2011-12-25 20:46 - 00000000 ____D C:\users\Phillip

2013-06-10 10:41 - 2011-11-25 01:02 - 00000000 ____D C:\ProgramData\Norton

2013-06-10 10:41 - 2011-07-23 12:54 - 00000000 ____D C:\ProgramData\RoxioNow

2013-06-10 10:41 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages

2013-06-10 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-06-10 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-06-10 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas

2013-06-10 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-06-10 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2013-06-10 10:40 - 2013-05-20 11:29 - 00000000 ____D C:\Users\Phillip\AppData\Roaming\wabEventSupport16

2013-06-10 10:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-06-10 10:33 - 2012-03-23 10:00 - 00000000 ___RD C:\Program Files (x86)\Skype

2013-06-10 10:33 - 2012-01-09 18:56 - 00000000 ____D C:\ProgramData\Skype

2013-06-10 10:33 - 2011-07-23 13:02 - 00000000 ____D C:\ProgramData\Adobe

2013-06-10 10:33 - 2011-02-10 11:23 - 00000000 ____D C:\SWSetup

2013-06-10 10:13 - 2011-11-25 01:33 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-06-02 17:30 - 2012-01-12 22:09 - 00000000 ____D C:\Users\Phillip\AppData\Local\CrashDumps

2013-06-01 11:43 - 2013-06-01 11:43 - 00000000 ____D C:\Users\Phillip\Desktop\OCONUS2CONUS - Copy

2013-05-18 08:05 - 2012-12-08 11:31 - 00000000 ____D C:\Users\Phillip\AppData\Local\Western Digital

2013-05-14 00:14 - 2011-11-25 00:43 - 02022156 ____A C:\Windows\WindowsUpdate.log

2013-05-14 00:09 - 2012-07-29 09:34 - 00000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2805231200-1761995493-249262182-1001UA.job

2013-05-13 23:44 - 2012-05-20 03:59 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-13 23:25 - 2012-03-28 10:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-13 19:44 - 2012-05-20 03:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-13 18:09 - 2012-07-29 09:34 - 00000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2805231200-1761995493-249262182-1001Core.job

2013-05-11 18:43 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-11 18:43 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

Files to move or delete:

====================

C:\Users\Phillip\AppData\Roaming\skype.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-04 06:42:17

Restore point made on: 2013-05-07 11:41:44

Restore point made on: 2013-05-07 11:42:27

Restore point made on: 2013-05-10 17:45:32

Restore point made on: 2013-05-14 00:14:19

Restore point made on: 2013-05-14 11:31:09

Restore point made on: 2013-05-14 11:31:32

Restore point made on: 2013-05-14 23:00:27

Restore point made on: 2013-05-18 04:10:02

Restore point made on: 2013-05-21 11:56:00

Restore point made on: 2013-05-22 23:00:29

Restore point made on: 2013-05-23 23:00:24

Restore point made on: 2013-05-28 00:25:58

Restore point made on: 2013-05-31 12:53:43

Restore point made on: 2013-06-02 17:22:59

==================== Memory info ===========================

Percentage of memory in use: 20%

Total physical RAM: 3561.41 MB

Available physical RAM: 2836.38 MB

Total Pagefile: 3559.55 MB

Available Pagefile: 2834.39 MB

Total Virtual: 8192 MB

Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:446.99 GB) (Free:325.61 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

Drive e: (Recovery) (Fixed) (Total:14.61 GB) (Free:1.62 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)]

Drive f: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:0.41 GB) FAT32 (Disk=0 Partition=4)

Drive h: (IJASON) (Removable) (Total:1.87 GB) (Free:1.53 GB) FAT (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS

Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 484BE2D6)

Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=447 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=15 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: C3072E18)

Partition 1: (Active) - (Size=2 GB) - (Type=06)

Last Boot: 2013-06-06 06:40

==================== End Of Log ============================

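The helper reads the Registry and "One Month Created" sections of an FRST.txt log like the one above by eye, looking for a load point. As an added example (not part of this thread and not code from the FRST tool), the Python script below does a first pass of that triage mechanically: it parses the `HKLM\...\Run` / `HKU\...\Run` lines and the created-files lines, and ranks entries whose target file is missing (`[x]`), whose target sits in a user-writable location such as AppData, or for which FRST recorded no publisher. The sample log is a constructed excerpt modelled on the lines posted above; the heuristics are assumptions of this example, and legitimate updaters (like the Facebook updater here) will also match, so the output is a prioritisation list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in FRST.txt format, modelled on the log posted in this thread
# (entries trimmed; the layout mirrors FRST's section headers and line shapes).
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-06-09] (Synaptics Incorporated)
HKLM-x32\...\Run: [] [x]
HKU\Phillip\...\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Phillip\...\Run: [Facebook Update] "C:\Users\Phillip\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-29] (Facebook Inc.)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
==================== One Month Created Files and Folders ========
2013-06-10 13:13 - 2013-06-10 13:13 - 00000000 ____D C:\FRST
2013-05-20 11:29 - 2013-06-10 10:40 - 00000000 ____D C:\Users\Phillip\AppData\Roaming\wabEventSupport16
"""

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ (?P<attrs>\S+) (?P<path>.+)$"
)
QUOTED_RE = re.compile(r'^"([^"]+)"')
BARE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)", re.IGNORECASE)
SIGNER_RE = re.compile(r"\(([^()]*)\)$")

# Locations an ordinary user can write to; an autorun pointing here deserves a second look.
# Heuristic assumption of this example: legitimate updaters live here too, so this ranks, not convicts.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    line: str
    reason: str


def extract_path(rest: str) -> Optional[str]:
    """Pull the target path out of the text after the [name] tag; None if FRST marked it [x] (missing)."""
    if rest.strip().lower() == "[x]":
        return None
    m = QUOTED_RE.match(rest)
    if m:
        return m.group(1)
    m = BARE_RE.match(rest)
    if m:
        return m.group(1)
    # Fallback: everything before FRST's trailing "[size date]" bracket
    return rest.rsplit(" [", 1)[0]


def check_run_entry(line: str) -> List[Finding]:
    """Rank one Run/RunOnce line: missing target, user-writable target, or no publisher recorded."""
    m = RUN_RE.match(line)
    if not m:
        return []
    rest = m.group("rest")
    path = extract_path(rest)
    if path is None:
        return [Finding(line, "autorun entry whose target file is missing")]
    out: List[Finding] = []
    low = path.lower()
    if any(loc in low for loc in USER_WRITABLE):
        out.append(Finding(line, "autorun target lives in a user-writable location"))
    if not SIGNER_RE.search(rest):
        out.append(Finding(line, "no publisher name recorded for the autorun target"))
    return out


def check_created_entry(line: str) -> List[Finding]:
    """Flag recently created files or folders that landed in a user-writable location."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    low = m.group("path").lower()
    if any(loc in low for loc in USER_WRITABLE):
        return [Finding(line, "recently created item in a user-writable location")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk an FRST.txt log section by section and collect entries worth a closer look."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section.startswith("Registry"):
            findings.extend(check_run_entry(line))
        elif section.startswith("One Month Created"):
            findings.extend(check_created_entry(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against the constructed sample it reports the orphaned `[] [x]` entry, the Facebook updater under AppData, and the `wabEventSupport16` folder created in the roaming profile; on the real log that last folder is exactly the kind of recently created, user-writable directory a helper would look at next, while the whitelisted Program Files entries drop out of view.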

OK, I'm not seeing a load point for the malware in the log, but see if this works:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

See if the computer boots normally now.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2013

Ran by SYSTEM at 2013-06-10 14:17:12 Run:1

Running from H:\

Boot Mode: Recovery

==============================================

C:\Users\Phillip\AppData\Roaming\skype.dat => Moved successfully.

==== End of Fixlog ====


OK...Good:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


The infection you have is not known to cause that problem.

Try this instead, same as before.

This will restore the registry back to this date and hopefully will resolve that problem.

Last Boot: 2013-06-06 06:40

--------------------------------------------------

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

See if the computer boots normally now.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2013

Ran by SYSTEM at 2013-06-10 15:38:59 Run:2

Running from H:\

Boot Mode: Recovery

==============================================

C:\Users\Phillip\AppData\Roaming\skype.dat => File/Directory not found.

==== End of Fixlog ====


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2013

Ran by SYSTEM at 2013-06-10 15:52:45 Run:3

Running from H:\

Boot Mode: Recovery

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup

DEFAULT hive was successfully restored from registry back up.

SAM hive was successfully copied to System32\config\HiveBackup

SAM hive was successfully restored from registry back up.

SECURITY hive was successfully copied to System32\config\HiveBackup

SECURITY hive was successfully restored from registry back up.

SOFTWARE hive was successfully copied to System32\config\HiveBackup

SOFTWARE hive was successfully restored from registry back up.

SYSTEM hive was successfully copied to System32\config\HiveBackup

SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

