
Hit by Ransomware - Trojan.FakeMS & Trojan.Clicker.FMS


DrGold


I tried to run RogueKiller, but when I right-click to run as admin - I get a pop-up from MWB?

 

Non-Malware Detected : PUP.Optional.InstallCore

 

And it doesn't look like the software installs?

 

Temporarily disabled MWB and RogueKiller was able to install.

During the long scan, Malicious Website Blocked notifications were popping up every minute.

 

Report is now attached.

RKreport_SCN_09092015.txt


Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Unable to read the FRST logs you've posted; the RogueKiller log indicates a bad infection. Run the following:

 

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe


4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:


5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.


7. The following image opens, select Update


8. When the update completes select Next.


9. In the following window ensure "Targets" are ticked. Then select "Scan"


10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.


11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:


13. Verify that your system is now running normally, making sure that the following items are functional:


  • Internet access
  • Windows Update
  • Windows Firewall



14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log   Date and time of scan will also be shown

Thanks,

Kevin...
 


Thank you so much for your help Kevin, 

 

Here are the 2 scan results.

 

Internet Access, Windows Firewall & Update are all in working order.

 

I still see pieces of the trojan, those "restore_".html & "restore_".txt files in most folders.

Are these harmful?

Can I delete them all?

 

What does MWB Anti-Rootkit 'fixdamage' do?

Should I run it?

 

Do I re-run Malwarebytes? RogueKiller?

 

Did this virus come with a file I recently downloaded?

If so, if I open it will I be infected all over again?

 

How can I prevent this from happening again?

 

So... when is a good time to mention the damage and start crying  :(  .......

How bad is it, is all my personal data hacked?

Do you know if any of my files were stolen/copied during this breach? 

I will preciously change the passwords to all my websites, but what about my identity, SSN...etc?

 

So basically everything else is Data Encrypted with ".abc" extension.

Some video and music files survived, but all pictures and documents are locked.

 

All applications work, but all saved settings/add-ons are missing. Examples: Google Chrome extensions are corrupted, Outlook profile is corrupted. iTunes library is missing...etc.

Will I have to uninstall/re-install these apps like Google Chrome?

 

Should I re-install windows?

 

Thanks again Kevin for the quick reply, sorry for all the questions.

 

DrG

mbar-log-2015-09-09 (17-59-35).txt

mbar-log-2015-09-09 (18-57-07).txt

system-log.txt

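As an added illustration for the questions above (this is not code from the thread, from Kevin or from Malwarebytes): a read-only triage script that walks a folder tree, counts the ".abc" files and the "restore_*.html" / "restore_*.txt" notes described here, and breaks the encrypted files down by their original type, so the scope of the damage is known before anything is deleted. The sample folder layout it builds is constructed for illustration, and the naming rules are assumptions drawn from the description above.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Artifacts as described in the thread (assumed naming; adjust for other families)
ENCRYPTED_EXT = ".abc"        # extension added to the locked data files
NOTE_PREFIX = "restore_"      # ransom notes: restore_*.html / restore_*.txt
NOTE_EXTS = {".html", ".txt"}


def classify(path: Path) -> str:
    """Label a file as a ransom note, an encrypted data file, or untouched."""
    suffix = path.suffix.lower()
    if path.name.lower().startswith(NOTE_PREFIX) and suffix in NOTE_EXTS:
        return "note"
    if suffix == ENCRYPTED_EXT:
        return "encrypted"
    return "other"


def inventory(root) -> Dict[str, object]:
    """Walk root read-only and measure the damage; nothing is deleted or moved."""
    counts: Counter = Counter()
    by_original_type: Counter = Counter()   # ".jpg" for "holiday.jpg.abc"
    folders_with_notes = set()
    sample_note = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = classify(p)
            counts[kind] += 1
            if kind == "note":
                folders_with_notes.add(dirpath)
                # remember one note: its text is what identifies the family
                sample_note = sample_note or str(p)
            elif kind == "encrypted":
                # p.stem is the original file name with ".abc" stripped off
                by_original_type[Path(p.stem).suffix.lower() or "(none)"] += 1
    return {
        "encrypted": counts["encrypted"],
        "notes": counts["note"],
        "untouched": counts["other"],
        "folders_with_notes": len(folders_with_notes),
        "by_original_type": dict(by_original_type),
        "sample_note": sample_note,
    }


# Constructed folder layout matching the thread's description: documents and
# pictures locked and noted, music and video untouched.
SAMPLE_TREE = [
    "Documents/report.docx.abc",
    "Documents/budget.xlsx.abc",
    "Documents/restore_files.html",
    "Documents/restore_files.txt",
    "Pictures/holiday.jpg.abc",
    "Pictures/restore_files.html",
    "Pictures/restore_files.txt",
    "Music/song.mp3",
    "Videos/clip.mp4",
]


def build_sample_tree(base) -> None:
    """Create the constructed sample files under base."""
    for rel in SAMPLE_TREE:
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The notes themselves are inert text and HTML; keeping one copy is useful because its contents identify the ransomware family when checking whether a decryptor exists.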

Fix damage from MBAR will reset/fix system settings that may have been damaged or corrupted by infections; as your internet connection, firewall and Windows updates are working, that action is not required...

 

Before we make any decisions on the way forward I'd like two fresh logs from FRST; before that, run the following:

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
      XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....

 
Next,
 
Download TFC to your desktop, from either of the following links:
http://oldtimer.geekstogo.com/TFC.exe
http://itxassociates.com/OT-Tools/TFC.exe

  • Save any open work. TFC may close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7/8/10 users accept the UAC alert if offered.
  • If prompted, click "Yes" to reboot.


TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds.  TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important
Windows 10 may post an error for the start menu, sign out and back in then re-boot...

Keep TFC; it is an excellent run-weekly utility to keep your system optimized: it empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

Finally,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs....

 

Also read the following:

 

Have a read of the tutorial regarding Cryptowall infections...
 

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
 

Your files will more than likely not be recoverable, but there may be a slim chance. Have a read at the following link:
 

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore


Thank you,

 

Kevin....
 

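An added helper for the mrt.log step above (not from the thread, from Kevin or from Microsoft): it splits the log into one record per monthly run and flags any run whose Results Summary is not "No infection found." or whose return code is non-zero, which is quicker than reading years of entries in Notepad. The embedded sample is constructed: the first run has the layout of a genuine clean run, while the second run's version, engine, signature numbers and detection line are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log location from the step above: C:\Windows\debug\mrt.log
# Constructed sample in the layout of a real mrt.log.  The first run has the
# shape of a genuine clean run; the second run (its version, engine, signature
# numbers and detection line) is made up here to exercise the non-clean path.
SAMPLE_MRT_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.8, January 2014 (build 5.8.9803.0)
Started On Tue Jan 14 23:24:42 2014

Engine: 1.1.10201.0
Signatures: 1.165.1273.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 14 23:26:30 2014

Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v9.99, Placeholder 2015 (build 9.99.0.0)
Started On Mon Jan 01 00:00:00 2015

Engine: 9.9.9.9
Signatures: 9.9.9.9

Results Summary:
----------------
Threat detected: Placeholder:Win32/Constructed (constructed line)
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jan 01 00:05:00 2015

Return code: 6 (0x6)
"""


@dataclass
class MrtRun:
    version: str                  # e.g. "v5.8, January 2014 (build 5.8.9803.0)"
    started: str = ""
    finished: str = ""
    engine: str = ""
    signatures: str = ""
    summary: List[str] = field(default_factory=list)   # lines under Results Summary
    return_code: Optional[int] = None

    @property
    def clean(self) -> bool:
        return self.summary == ["No infection found."] and self.return_code == 0


RUN_SEPARATOR = re.compile(r"^-{40,}$")   # long dashed line between runs
HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v.+)$")
STARTED = re.compile(r"^Started On (.+)$")
FINISHED = re.compile(r"Finished On (.+)$")
KEYVAL = re.compile(r"^(Engine|Signatures): (.+)$")
RETURN_CODE = re.compile(r"^Return code: (\d+)")


def parse_mrt_log(text: str) -> List[MrtRun]:
    """Split mrt.log into one MrtRun per monthly execution."""
    runs: List[MrtRun] = []
    current: Optional[MrtRun] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if RUN_SEPARATOR.match(line):
            if current is not None:
                runs.append(current)
            current, in_summary = None, False
            continue
        if not line:
            continue
        if current is None:                 # expect a run header next
            m = HEADER.match(line)
            if m:
                current = MrtRun(version=m.group(1))
            continue
        m = FINISHED.search(line)
        if m:                               # the Finished line closes the summary
            current.finished = m.group(1)
            in_summary = False
            continue
        if in_summary:
            if set(line) != {"-"}:          # skip the short underline
                current.summary.append(line)
            continue
        if line == "Results Summary:":
            in_summary = True
        elif (m := STARTED.match(line)):
            current.started = m.group(1)
        elif (m := KEYVAL.match(line)):
            setattr(current, m.group(1).lower(), m.group(2))
        elif (m := RETURN_CODE.match(line)):
            current.return_code = int(m.group(1))
    if current is not None:
        runs.append(current)
    return runs


def suspicious_runs(runs: List[MrtRun]) -> List[MrtRun]:
    """Runs worth reading in full: anything but a clean, zero-exit run."""
    return [r for r in runs if not r.clean]
```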

Kevin, 

 

I continued on... here is the Scan Log from Malwarebytes Anti-Malware

 
Scan Date: 9/10/2015
Scan Time: 11:13 AM
Logfile: 
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.09.10.06
Rootkit Database: v2015.08.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jonathan
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 412304
Time Elapsed: 40 min, 21 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 6
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{78EA5335-BBD5-4757-A2DD-0B9B022F89AD}, Quarantined, [340ab37b72191f179b10d7e8778d8080], 
PUP.Optional.MicrofastPC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microfast_Daily, Delete-on-Reboot, [eb53ca64107b93a328659609aa5a60a0], 
PUP.Optional.MicrofastPC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microfast_LogOn, Delete-on-Reboot, [c27cda543c4f37ff3756d9c61aea49b7], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-1216855344-765800351-2056725506-1001\SOFTWARE\wincy, Quarantined, [88b65dd11b70a690f898ea3d2fd4bd43], 
PUP.Optional.WinYahoo, HKU\S-1-5-21-1216855344-765800351-2056725506-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{78EA5335-BBD5-4757-A2DD-0B9B022F89AD}, Quarantined, [1b2380ae1477251137716d5233d134cc], 
PUP.Optional.ProductSetup, HKU\S-1-5-21-1216855344-765800351-2056725506-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [320c2a046a21ca6c4f863872fa0a8779], 
 
Registry Values: 6
PUP.Optional.NotChromeRun, HKU\S-1-5-21-1216855344-765800351-2056725506-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|GoogleChromeAutoLaunch_451972798DB8F38AD0FEFD87D1F47CA6, "C:\Users\Jonathan\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session, Quarantined, [bd818ea0acdfd165bfdfbde8cc3822de]
PUP.Optional.ProductSetup, HKU\S-1-5-21-1216855344-765800351-2056725506-1001\SOFTWARE\PRODUCTSETUP|tb, 0N1H1R2W1I0B1T2X2W, Quarantined, [320c2a046a21ca6c4f863872fa0a8779]
 
Registry Data: 1
 
Folders: 3
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\Backup, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\BackupStartup, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
 
Files: 12
PUP.Optional.InstallCore, C:\Users\Jonathan\AppData\Local\Temp\Setup_18362DCF.exe, Quarantined, [c37b58d6632867cf580c6f2eb94cd030], 
PUP.Optional.MicrofastPC, C:\Windows\System32\Tasks\Microfast_Daily, Quarantined, [9ca266c80a8141f54b3ffda22dd7d828], 
PUP.Optional.MicrofastPC, C:\Windows\System32\Tasks\Microfast_LogOn, Quarantined, [2f0f79b5d8b3290d6d1da0ffb94b09f7], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\ApplicationPaths.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\COMAndActiveXControls.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\FileExtensions.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\Fonts.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\HelpFiles.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\MRUList.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\SharedDLLs.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
PUP.Optional.MicrofastPC, C:\Users\Jonathan\AppData\Roaming\MicrofastPC\UninstallEntries.dat, Quarantined, [7ac454da543777bfdf17bc57d62d3cc4], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Running TFC now.

OK Kevin,

 

AdwCleaner Logs:

 

# AdwCleaner v5.007 - Logfile created 10/09/2015 at 14:52:04
# Updated 08/09/2015 by Xplode
# Database : 2015-09-08.2 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Jonathan - JONATHAN-DELL
# Running from : C:\Users\Jonathan\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\apn
[-] Folder Deleted : C:\ProgramData\{8AF32939-989B-460A-8726-CA2C776032A1}
[-] Folder Deleted : C:\Users\Jonathan\AppData\Roaming\Solvusoft
 
***** [ Files ] *****
 
[-] File Deleted : C:\Windows\Sysnative\roboot64.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
[-] Task Deleted : updateTask
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
 
***** [ Web browsers ] *****
 
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1188 bytes] ##########
 
 
 
 
JRT LOG:::
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.1 (09.08.2015:1)
OS: Windows 7 Home Premium x64
Ran by Jonathan on Thu 09/10/2015 at 18:10:25.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\Windows\system32\tasks\PCDEventLauncherTask
Successfully deleted: [Task] C:\Windows\system32\tasks\PCDoctorBackgroundMonitorTask
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
 
[C:\Users\Jonathan\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Jonathan\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Jonathan\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Jonathan\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 09/10/2015 at 18:15:47.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
Malicious Software Removal Tool Running Now...

Kev, MSRT Log plus FRST Logs.

 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.8, January 2014 (build 5.8.9803.0)
Started On Tue Jan 14 23:24:42 2014
 
Engine: 1.1.10201.0
Signatures: 1.165.1273.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 14 23:26:30 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.10, March 2014 (build 5.10.10001.0)
Started On Wed Apr 30 20:22:11 2014
 
Engine: 1.1.10302.0
Signatures: 1.167.1001.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 30 20:24:13 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.11, April 2014 (build 5.11.10100.0)
Started On Wed Apr 30 22:17:52 2014
 
Engine: 1.1.10401.0
Signatures: 1.169.1258.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 30 22:19:23 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.12, May 2014 (build 5.12.10200.0)
Started On Mon Jun 09 23:14:36 2014
 
Engine: 1.1.10502.0
Signatures: 1.173.1305.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jun 09 23:16:07 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.14, July 2014 (build 5.14.10402.0)
Started On Tue Jul 15 23:45:21 2014
 
Engine: 1.1.10701.0
Signatures: 1.177.949.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul 15 23:47:16 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.15, August 2014 (build 5.15.10500.0)
Started On Sat Aug 16 03:09:29 2014
 
Engine: 1.1.10802.0
Signatures: 1.179.1796.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Aug 16 03:13:22 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.18, November 2014 (build 5.18.10802.0)
Started On Tue Nov 25 18:58:40 2014
 
Engine: 1.1.11104.0
Signatures: 1.187.1116.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Nov 25 19:03:53 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.19, December 2014 (build 5.19.10902.0)
Started On Mon Dec 22 16:00:47 2014
 
Engine: 1.1.11202.0
Signatures: 1.189.872.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Mon Dec 22 16:05:11 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.20, January 2015 (build 5.20.11000.0)
Started On Sun Jan 25 13:42:30 2015
 
Engine: 1.1.11302.0
Signatures: 1.191.1276.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sun Jan 25 13:55:44 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.21, February 2015 (build 5.21.11102.0)
Started On Thu Feb 12 03:02:42 2015
 
Engine: 1.1.11302.0
Signatures: 1.191.3593.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 12 03:08:48 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.22, March 2015 (build 5.22.11202.0)
Started On Wed Mar 11 03:03:54 2015
 
Engine: 1.1.11400.0
Signatures: 1.193.1181.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 11 03:10:45 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.23, April 2015 (build 5.23.11300.0)
Started On Wed Apr 15 03:04:40 2015
 
Engine: 1.1.11502.0
Signatures: 1.195.1215.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 03:10:17 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.24, May 2015 (build 5.24.11401.0)
Started On Wed May 13 03:10:17 2015
 
Engine: 1.1.11602.0
Signatures: 1.197.1100.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 13 03:16:45 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.25, June 2015 (build 5.25.11502.0)
Started On Thu Jun 11 03:03:24 2015
 
Engine: 1.1.11701.0
Signatures: 1.199.892.0
 
Results Summary:
----------------
No infection found.
Failed to submit clean hearbeat MAPS report: 0x80004005
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 11 03:11:55 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.26, July 2015 (build 5.26.11604.0)
Started On Thu Jul 16 03:01:24 2015
 
Engine: 1.1.11804.0
Signatures: 1.201.883.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 16 03:09:56 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Wed Aug 12 03:01:58 2015
 
Engine: 1.1.11903.0
Signatures: 1.203.693.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 12 03:09:26 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.28, September 2015 (build 5.28.11802.0)
Started On Wed Sep 09 03:25:37 2015
 
Engine: 1.1.12002.0
Signatures: 1.205.646.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 09 03:56:54 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.28, September 2015 (build 5.28.11802.0)
Started On Wed Sep 09 12:09:42 2015
 
Engine: 1.1.12002.0
Signatures: 1.205.646.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 09 13:29:25 2015
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.28, September 2015 (build 5.28.11802.0)
Started On Thu Sep 10 18:31:18 2015
 
Engine: 1.1.12002.0
Signatures: 1.205.646.0
 
Results Summary:
----------------
No infection found.
 

 

Addition.txt

FRST.txt


Run the following:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

We need to run an online AV scan as follows..

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website.

Click Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under "Enable Anti-Stealth technology" select "Change" and select any extra drives in that window.
  • Click Start.
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable security software!

 

Post those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin..


 

Fixlist.txt


I think everything is in working order. THANK YOU SO MUCH!

 

I'll continue to run any other recommended programs you got... 

 

So what should I do with the encrypted files?

- search for files with *.abc extension and delete?

 

Which software can I uninstall?

What do you recommend I keep and use?


The encrypted files will not be recoverable, yep agree what you say find and delete them all..

 

Next,

 

Do the following to clean up remove tools etc...

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to system status at present will be created.
  • Reset system settings



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC Security and Best Practices; you may find it useful....

Answers to Common Security Questions and Best Practices

 

Let me know if we can close out...

 

Thank you,

 

Kevin..
 

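For the "find and delete them all" step above, the following Python script is an added example, not code from the thread or from any of the tools it mentions. It inventories every file carrying the appended extension into a CSV manifest before anything is removed, so the list of what was lost survives the cleanup. It assumes (as the thread suggests) that the extension is `.abc` and that the original file name was kept in front of it, e.g. `report.docx.abc`; both are assumptions. Deletion is opt-in: the default run only writes the manifest.

```python
"""Inventory, and optionally delete, ransomware-encrypted files by extension.

Added example for this thread; not part of FRST, DelFix, ESET or MSRT.
Assumptions: encrypted files carry one appended extension (".abc" here)
and the original name is kept in front of it ("report.docx.abc").
"""
from __future__ import annotations

import csv
import os
from pathlib import Path
from typing import Iterator


def find_encrypted(root: Path, ext: str = ".abc") -> Iterator[Path]:
    """Yield every regular file under root whose name ends with ext.

    os.walk with an onerror handler is used instead of Path.rglob so that
    unreadable directories (e.g. System Volume Information) are skipped
    rather than aborting the whole walk. The match is case-insensitive.
    """
    ext = ext.lower()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            if name.lower().endswith(ext):
                p = Path(dirpath) / name
                if p.is_file() and not p.is_symlink():
                    yield p


def original_name(p: Path, ext: str = ".abc") -> str:
    """Strip the appended extension to recover the pre-encryption file name."""
    if p.name.lower().endswith(ext.lower()):
        return p.name[: -len(ext)]
    return p.name


def write_manifest(paths: list[Path], manifest: Path, ext: str = ".abc") -> int:
    """Record path, original name and size of each encrypted file; return the count."""
    with manifest.open("w", newline="", encoding="utf-8") as fh:
        w = csv.writer(fh)
        w.writerow(["encrypted_path", "original_name", "size_bytes"])
        for p in paths:
            w.writerow([str(p), original_name(p, ext), p.stat().st_size])
    return len(paths)


def purge_encrypted(root: Path, ext: str = ".abc", manifest: Path | None = None,
                    delete: bool = False) -> tuple[int, int]:
    """Inventory encrypted files and, only when delete=True, remove them.

    Returns (found, deleted). The manifest is written before any deletion
    so the record of what was lost exists even if the purge is interrupted.
    """
    found = list(find_encrypted(root, ext))
    if manifest is not None:
        write_manifest(found, manifest, ext)
    deleted = 0
    if delete:
        for p in found:
            try:
                p.unlink()
                deleted += 1
            except OSError:
                pass  # locked or protected file: leave it for manual review
    return len(found), deleted


if __name__ == "__main__":
    import sys

    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    n, d = purge_encrypted(root, manifest=Path("encrypted_manifest.csv"),
                           delete="--delete" in sys.argv)
    print(f"found {n} encrypted files, deleted {d}")
```

Run it once without `--delete` (for example `python purge_encrypted.py C:\`) and read `encrypted_manifest.csv` first; the `original_name` column tells you which documents are gone and what needs restoring from backup. Only then run it again with `--delete`.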

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
