
RANSOMWARE HELP



Hello. A few days ago I had a run-in with the infamous DOJ Ransomware virus that has rendered my PC virtually useless to this point. I run Windows XP Service Pack 3. I can log into Windows normally, but within 5 seconds the DOJ lock screen appears and I can only Ctrl-Alt-Del to restart from that point. I cannot access safe mode at all. I have even tried safe mode with command prompt. When I try any type of safe mode boot it goes to a blue screen that tells me Windows has stopped due to a serious error to protect my computer, or something along those lines. I have tried the Hitman Pro USB and bootable disk approach and it will not boot in that mode. The only thing that I have been able to get to work is the Kaspersky Rescue Disk 10 approach. I installed the updates before running that and did the scan. It found numerous items which I deleted and/or quarantined, but it did not find the actual ransom virus. In the detailed scan logs it shows that there was a read error trying to access c:/windows/pss/HpM3util.exeStartup. I assume that means the startup menu. I have tried to run it at least 5 more times and it now finds no new viruses but still gives me the read error accessing the above location. When I try to reboot into regular mode, it will, and I can see everything load on my desktop, but again after about 5-10 seconds the DOJ lock screen appears. I am at a loss here. I even read other threads and checked the registry keys for current programs and the run environment (HKEYs) and they all appear to be listed as what I have read they should be. Any help or suggestions? The only thing I can do to see anything on my PC at this point is via the Kaspersky Rescue Disk. Thank you in advance for any help.


Welcome to the forum.

With Kaspersky Rescue Disk, have you tried Windows Unlocker?

http://support.kaspersky.com/us/viruses/disinfection/8005

========================

If you did then see if you can create a Hiren’s BootCD:

http://www.tech-recipes.com/rx/41669/remove-nearly-any-virus-using-hirens-bootcd/

MrC


Mr C, good morning. I was able to boot using the Hiren's CD. Should I go ahead and run the virus scans of that program as per the instructions in the link you sent? You mentioned something about using FRST if I got it booted, so I wasn't sure if you meant using that before a Hiren's scan or after. Didn't want to do things out of order. I will keep the PC booted and await further instructions. Thanks again my friend.


You need to have a usb flash drive.

On a clean computer, download FRST

Copy it to the flash drive

Insert the flash drive in the sick computer

Boot up with Hiren's CD

Navigate to the USB flash drive

Double click on FRST.exe

Click Scan

It will create a log called FRST.txt on the USB flash drive

Take the drive out

Place it in the good computer

Navigate to it

Copy and paste the FRST.txt back here.

MrC


FRST SCAN RESULTS

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-09-2014
Ran by SYSTEM on MiniXP on 11-09-2014 12:09:48
Running from D:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet004
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16132608 2007-04-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG9_TRAY] => C:\Program Files\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\real\realplayer\update\realsched.exe [296056 2011-12-07] (RealNetworks, Inc.)
Winlogon\Notify\avgrsstarter: C:\Windows\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\PCANotify: C:\Windows\system32\PCANotify.dll (Symantec Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
HKLM\...\Policies\Explorer: [NoCDBurning] 0
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-09-17] (AVG Technologies CZ, s.r.o.)
S4 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2004-11-01] (Symantec Corporation)
S4 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2006-03-30] (Canon Inc.)
S2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [161768 2012-09-26] (Oracle Corporation)
S4 VideoAcceleratorService; C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe [313624 2011-12-07] (Speedbit Ltd.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-17] (Advanced Micro Devices)
S1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
S1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
S1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [243152 2011-05-05] (AVG Technologies CZ, s.r.o.)
S1 awecho; C:\Windows\System32\drivers\awechomd.sys [8368 2004-03-05] (Symantec Corporation)
S1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [11165 2003-11-18] (Symantec Corporation)
S1 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [16984 2003-10-23] (Symantec Corporation)
S3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc.              )
S3 FETNDISB; C:\Windows\System32\DRIVERS\fetnd5b.sys [42496 2007-08-02] (VIA Technologies, Inc.              )
S0 Gernuwa; C:\Windows\System32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation)
S2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-01-09] (RealNetworks, Inc.)
S3 S3GIGP; C:\Windows\System32\DRIVERS\S3gIGPm.sys [659456 2007-08-02] (S3 Graphics Co., Ltd.)
S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [104144 2008-01-07] (Symantec Corporation)
S0 videX32; C:\Windows\System32\DRIVERS\videX32.sys [9216 2006-10-18] (VIA Technologies, Inc.)
S3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2004-04-14] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [21280 2004-04-14] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2004-04-14] (Logitech Inc.)
S3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [44064 2004-04-14] (Logitech Inc.)
S0 xfilt; C:\Windows\System32\DRIVERS\xfilt.sys [17920 2006-10-18] (VIA Technologies,Inc)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S4 IntelIde; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-11 12:09 - 2014-09-11 12:09 - 00000000 ____D () C:\FRST
2014-09-08 14:09 - 2008-04-14 00:11 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-09-08 14:09 - 2008-04-14 00:11 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-09-08 14:09 - 2008-04-14 00:11 - 00021504 _____ (Microsoft Corporation) C:\Windows\System32\hidserv.dll
2014-09-04 21:20 - 2014-09-04 21:20 - 00033512 _____ () C:\Windows\System32\Drivers\TrueSight.sys
2014-09-04 19:51 - 2014-09-10 12:00 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-11 14:00 - 2008-01-08 19:02 - 00000216 _____ () C:\Windows\wiadebug.log
2014-09-11 14:00 - 2008-01-08 19:02 - 00000049 _____ () C:\Windows\wiaservc.log
2014-09-11 14:00 - 2007-08-02 01:13 - 00032338 _____ () C:\Windows\SchedLgU.Txt
2014-09-11 14:00 - 2007-08-02 01:09 - 01259934 _____ () C:\Windows\WindowsUpdate.log
2014-09-11 13:58 - 2006-02-28 12:00 - 00012598 _____ () C:\Windows\System32\wpa.dbl
2014-09-11 12:09 - 2014-09-11 12:09 - 00000000 ____D () C:\FRST
2014-09-10 12:00 - 2014-09-04 19:51 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-09-10 11:51 - 2007-08-02 01:35 - 00000000 ____D () C:\Windows\pss
2014-09-08 14:09 - 2013-10-10 08:03 - 00031345 _____ () C:\Windows\setupapi.log
2014-09-08 14:09 - 2013-09-12 10:50 - 00000176 _____ () C:\Windows\setupact.log
2014-09-05 15:05 - 2010-09-17 14:37 - 00000000 ____D () C:\Windows\System32\Drivers\Avg
2014-09-04 21:25 - 2008-01-07 17:42 - 00000000 __SHD () C:\Windows\CSC
2014-09-04 21:25 - 2007-08-02 01:09 - 00000000 ____D () C:\Windows\System32\Restore
2014-09-04 21:20 - 2014-09-04 21:20 - 00033512 _____ () C:\Windows\System32\Drivers\TrueSight.sys
2014-09-04 21:02 - 2014-04-08 20:07 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-09-04 20:44 - 2008-01-08 17:27 - 07970816 _____ () C:\Delivery Log 10.mdb
2014-08-16 08:00 - 2007-08-02 02:11 - 96303304 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2006-02-28 12:00] - [2014-03-12 10:48] - 0617984 ____A (Microsoft Corporation) 3e0262ac566abeb1eade6cfafc834dac     
 
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points (XP) =====================
 
RP: -> 2014-09-04 21:25 - 028672 _restore{884DBFDA-225A-42FB-8BB0-CFB0C8274DE8}\RP1 
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 17%
Total physical RAM: 1918.49 MB
Available physical RAM: 1592.1 MB
Total Pagefile: 1691.8 MB
Available Pagefile: 1101.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.46 MB
 
==================== Drives ================================
 
Drive b: (RamDrive) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive c: () (Fixed) (Total:232.88 GB) (Free:136.28 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Removable) (Total:3.72 GB) (Free:3.72 GB) FAT32
Drive e: (HBCD 15.2) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: AFB3AFB3)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: C30314AA)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0B)
 
==================== End Of Log ============================
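The scan log above is raw FRST output. What follows is an added example, not part of this thread and not FRST's own code, showing how a responder could triage such a log automatically instead of reading it line by line: it splits the log on its `==== Name ====` headings, flags lines that FRST itself marked `<==== ATTENTION!`, service and driver entries whose file is missing (`[X]`) or that have no ImagePath, and any file in the Bamital & volsnap check that is not followed by `=> MD5 is legit`. The embedded log is an excerpt of the thread's own log; the finding labels (`attention`, `missing-file`, `no-imagepath`, `md5-mismatch`) are the example's own.

```python
import re
from collections import defaultdict

# Excerpt of the FRST scan log posted in this thread, trimmed to the lines
# that matter for triage (the original log is much longer).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16132608 2007-04-12] (Realtek Semiconductor Corp.)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!

========================== Services (Whitelisted) =================

S2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-09-17] (AVG Technologies CZ, s.r.o.)

==================== Drivers (Whitelisted) ====================

S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S4 IntelIde; No ImagePath

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2006-02-28 12:00] - [2014-03-12 10:48] - 0617984 ____A (Microsoft Corporation) 3e0262ac566abeb1eade6cfafc834dac
C:\Windows\System32\userinit.exe => MD5 is legit

==================== End Of Log ============================
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+\s*$")   # "==== Name ===="
PATH_RE = re.compile(r"^[A-Za-z]:\\")                   # line starts with a drive path
MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")
BAMITAL_SECTION = "Bamital & volsnap Check"


def split_sections(text):
    """Map each '==== Name ====' heading to the non-empty lines beneath it."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, section, detail) findings a responder should look at first."""
    findings = []
    sections = split_sections(text)
    for name, lines in sections.items():
        for line in lines:
            if "<==== ATTENTION" in line:            # FRST's own flag
                findings.append(("attention", name, line))
            elif line.endswith("[X]"):              # service/driver whose file is gone
                findings.append(("missing-file", name, line))
            elif line.endswith("No ImagePath"):     # service with no binary path
                findings.append(("no-imagepath", name, line))
    # In the Bamital/volsnap check every path must be followed by "=> MD5 is legit";
    # a bare path means the hash did not match, and the next line carries the MD5.
    bam = sections.get(BAMITAL_SECTION, [])
    for i, line in enumerate(bam):
        if PATH_RE.match(line) and "=> MD5 is legit" not in line:
            detail = bam[i + 1] if i + 1 < len(bam) else ""
            md5 = MD5_RE.search(detail)
            findings.append(("md5-mismatch", BAMITAL_SECTION,
                             f"{line} md5={md5.group(1) if md5 else 'unknown'}"))
    return findings


if __name__ == "__main__":
    for kind, section, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] ({section}) {detail}")
```

Run against the excerpt it reports the CLSID LocalServer32 entry, the leftover ComboFix driver, the IntelIde service with no ImagePath, and User32.dll as the one system file that failed the hash check, which is exactly the entry the next reply in the thread singles out.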

From the log, this is the problem (a patched file):

 


C:\Windows\System32\User32.dll
[2006-02-28 12:00] - [2014-03-12 10:48] - 0617984 ____A (Microsoft Corporation) 3e0262ac566abeb1eade6cfafc834dac

 

===========================

Boot back up with the disk and flash drive
Run FRST
In the Search box type: User32.dll

It then should look like:

Search: User32.dll

Click Search button and post the log (Search.txt) it makes to your reply.

MrC


Search log as follows:

 

Farbar Recovery Scan Tool (x86) Version: 11-09-2014
Ran by SYSTEM at 2014-09-11 13:52:28
Running from D:\
Boot Mode: Recovery
 
================== Search: "User32.dll" ===================
 
C:\WINDOWS\system32\user32.dll
[2006-02-28 12:00][2014-03-12 10:48] 0617984 ____A (Microsoft Corporation) 3e0262ac566abeb1eade6cfafc834dac     
 
C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008-09-04 04:29][2014-03-12 10:48] 0617984 ____A (Microsoft Corporation) 6a496a532f35f108a20e9f7e53f9e82f     
 
C:\WINDOWS\ERDNT\cache\user32.dll
[2010-08-02 17:16][2008-04-14 00:12] 0578560 ___AC (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b     
 
C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2008-09-04 10:48][2007-03-08 15:36] 0577536 ____C (Microsoft Corporation) b409909f6e2e8a7067076ed748abf1e7     
 
X:\I386\System32\user32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0457728 ____A (Microsoft Corporation) 196ccb3fd6885eea9bfbe5badc62074c     
 
=== End Of Search ===
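The search output above lists every copy of user32.dll with its size, timestamps and MD5, and the reply that follows restores the live copy from one of the backups. As an added example that is not part of this thread or of FRST, the script below turns that comparison into code: it parses Search.txt, treats the copy under `\system32\` on the system drive as the live one, reports whether any backup copy agrees with its hash, and proposes a restore source in the same `Replace: <source> <destination>` form the thread's fixlist uses. Two things in it are the example's own assumptions rather than FRST rules: the trust order of backup locations (dllcache, ServicePackFiles, ERDNT cache, then $NtServicePackUninstall$), and the heuristic that a backup rewritten in the same minute as the live copy is suspect and is skipped as a source. The embedded input is the thread's own Search.txt.

```python
import re
from dataclasses import dataclass

# The Search.txt output posted in this thread, embedded as sample input.
SAMPLE_SEARCH = r"""
================== Search: "User32.dll" ===================

C:\WINDOWS\system32\user32.dll
[2006-02-28 12:00][2014-03-12 10:48] 0617984 ____A (Microsoft Corporation) 3e0262ac566abeb1eade6cfafc834dac

C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008-09-04 04:29][2014-03-12 10:48] 0617984 ____A (Microsoft Corporation) 6a496a532f35f108a20e9f7e53f9e82f

C:\WINDOWS\ERDNT\cache\user32.dll
[2010-08-02 17:16][2008-04-14 00:12] 0578560 ___AC (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b

C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2008-09-04 10:48][2007-03-08 15:36] 0577536 ____C (Microsoft Corporation) b409909f6e2e8a7067076ed748abf1e7

X:\I386\System32\user32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0457728 ____A (Microsoft Corporation) 196ccb3fd6885eea9bfbe5badc62074c

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Accepts both "[c][m] size" (Search.txt) and "[c] - [m] - size" (scan log) layouts.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-?\s*\[(?P<modified>[^\]]+)\]\s*-?\s*(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<md5>[0-9a-fA-F]{32})"
)
# Backup locations under an XP system root, in the order this example trusts them
# (an assumption of the example, not an FRST rule).
BACKUP_PRIORITY = ("\\dllcache\\", "\\servicepackfiles\\", "\\erdnt\\", "\\$ntservicepackuninstall$\\")


@dataclass
class Copy:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    vendor: str
    md5: str

    def is_backup(self):
        return any(mark in self.path.lower() for mark in BACKUP_PRIORITY)

    def priority(self):
        low = self.path.lower()
        return next((i for i, mark in enumerate(BACKUP_PRIORITY) if mark in low), len(BACKUP_PRIORITY))


def parse_search(text):
    """Pair each path line with the '[created][modified] size attrs (vendor) md5' line under it."""
    copies, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            copies.append(Copy(pending, m["created"], m["modified"], int(m["size"]),
                               m["attrs"], m["vendor"], m["md5"].lower()))
            pending = None
    return copies


def assess(copies, system_drive="C:"):
    """Decide whether the live copy is patched and which backup to restore it from."""
    on_drive = [c for c in copies if c.path.upper().startswith(system_drive.upper())]
    live = [c for c in on_drive if "\\system32\\" in c.path.lower() and not c.is_backup()]
    if len(live) != 1:
        raise ValueError(f"expected one live copy on {system_drive}, found {len(live)}")
    live = live[0]
    backups = [c for c in on_drive if c is not live]
    agreeing = [b.path for b in backups if b.md5 == live.md5]
    # Heuristic: a backup rewritten in the same minute as the live copy is assumed
    # to have been touched by the same infection and is not used as a restore source.
    suspect = [b for b in backups if b.modified == live.modified]
    trusted = sorted((b for b in backups if b not in suspect), key=Copy.priority)
    patched = not agreeing
    source = trusted[0].path if patched and trusted else None
    return {
        "live": live.path,
        "live_md5": live.md5,
        "patched": patched,
        "agreeing_backups": agreeing,
        "suspect_backups": [b.path for b in suspect],
        "restore_from": source,
        "fixlist_line": f"Replace: {source} {live.path}" if source else None,
    }


if __name__ == "__main__":
    for key, value in assess(parse_search(SAMPLE_SEARCH)).items():
        print(f"{key}: {value}")
```

On the thread's data no backup shares the live copy's hash, the ServicePackFiles copy carries the same 2014-03-12 10:48 modification time as the live file and is set aside, and the ERDNT cache copy becomes the proposed source, which is the same `Replace:` line the fixlist in the next reply contains. The X: drive copy belongs to the boot CD's MiniXP and is ignored because it is not on the system drive.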

OK, clear all the logs off of the flash drive except FRST

Download the attached fixlist.txt to the good computer and then copy it to the flash drive.

Boot up as before

Run FRST

Press FIX once and wait

When done it will place Fixlog.txt on the flash drive

Copy and paste it back here

See if the computer boots now

If not, re-scan with FRST as I initially had you do and post the new log

MrC


Fix log attached

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-09-2014
Ran by SYSTEM at 2014-09-11 14:28:03 Run:1
Running from D:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
Replace: C:\WINDOWS\ERDNT\cache\user32.dll C:\WINDOWS\system32\user32.dll
 
 
*****************
 
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
C:\WINDOWS\system32\user32.dll => Moved successfully.
C:\WINDOWS\ERDNT\cache\user32.dll copied successfully to C:\WINDOWS\system32\user32.dll
 
==== End of Fixlog ====

Good, I would run TDSSKiller and a Threat scan with Malwarebytes:

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

  • Put a checkmark beside loaded modules.

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

  • Click the Start Scan button.

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

Then...........

Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

MrC


In the threat listing for TDS it shows three possible threats. All three might be what I believe to be part of our network; they are as follows:

 

Unsigned File

SERVICE: awecho

suspicious object: medium risk

 

Unsigned File

SERVICE: awhost32

suspicious object: medium risk

 

Unsigned File

SERVICE: AW_HOST

suspicious object: medium risk

 

What should I do about these?


MBAM Scan log below: All seems well and in working order. If you agree with the scans looking clean or if there might be anything else you would suggest I run, let me know. Otherwise I think we are good. Thank you so much for all your help, Mr C

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/11/2014
Scan Time: 4:43:10 PM
Logfile: mbytes091114.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.09.11.07
Rootkit Database: v2014.09.10.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User:
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 543233
Time Elapsed: 1 hr, 15 min, 49 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
