
Ransom Locker


Hello Epsilon,

Your GMER log looks good.

Ok, one final push. Please stay with me for the rest of the procedures.

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    7. Now click on Advanced Settings and select the following:

        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology

  4. Push the Start button.
  5. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  6. When the scan completes, push esetListThreats.png
  7. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  8. Push the esetBack.png button.
  9. Push esetFinish.png

Since you have trouble scanning with DDS, please do this instead.

We need to run an OTL Custom Scan

  • Please reopen OTL on your desktop.
  • Click on Scan All Users checkbox given at the top.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,

Georgi


ESET scan

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\53376e12-531f86a2 multiple threats

C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe multiple threats

C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2-1.php JS/Exploit.Pdfka.OVN trojan

C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2.php JS/Exploit.Pdfka.OVN trojan

C:\Downloads\NCH WavePad Sound Editor Master's Edition 4.24 + Keygen [RH]\NCH.WPSEME.4.24_[RH].rar a variant of Win32/Keygen.AT application

C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application

C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application

C:\Program Files\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application

C:\~ErdUserProfile.$$$\$PowerISO$\PROGRAMS\sdfix\SDFix.exe Win32/PrcView application

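The ESET report above is what the helper turned into the file list of the OTL fix that follows. As an added example (not code from the thread, from ESET or from OTL), this script parses such report lines, sorts each hit into the categories a helper reasons about (Java deployment cache, browser Temp drop, keygen bait, toolbar/adware), flags the two Windows Live Messenger hits whose file names are those of Windows system DLLs (a DLL planted under a system DLL's name in a program's own folder is loaded ahead of the real one), and emits an OTL ':files' section that leaves out the keygen archive, which the thread handles by advice rather than by the fix script. The report lines are copied from the post; the category rules and the short system-DLL list are this example's own assumptions.

```python
"""Turn an ESET Online Scanner report into an OTL ':files' fix section.

Added example; not code from the forum post or from the ESET/OTL tools.
The report lines are copied from the scan result posted above; the
category rules and the short system-DLL list are this example's own.
"""
import re
from dataclasses import dataclass

# Copied from the ESET report posted above: "<path> <detection>" per line.
ESET_REPORT = r"""
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\53376e12-531f86a2 multiple threats
C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe multiple threats
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2-1.php JS/Exploit.Pdfka.OVN trojan
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2.php JS/Exploit.Pdfka.OVN trojan
C:\Downloads\NCH WavePad Sound Editor Master's Edition 4.24 + Keygen [RH]\NCH.WPSEME.4.24_[RH].rar a variant of Win32/Keygen.AT application
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application
C:\~ErdUserProfile.$$$\$PowerISO$\PROGRAMS\sdfix\SDFix.exe Win32/PrcView application
"""

# The path may contain spaces, so anchor on ESET's detection-name tail instead.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>multiple threats|"
    r"(?:(?:probably )?a variant of )?\S+ (?:trojan|application|adware|worm|virus))$"
)

# Constructed, partial list of DLL names Windows ships in system32; an adware
# DLL planted under one of these names in a program's own folder is loaded
# ahead of the real one (DLL search-order hijacking).
SYSTEM_DLL_NAMES = {"msimg32.dll", "riched20.dll", "version.dll", "uxtheme.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    path: str
    detection: str
    category: str
    note: str = ""


def categorize(path: str, detection: str) -> str:
    low, det = path.lower(), detection.lower()
    if "keygen" in det:
        return "keygen"       # pirated-software bait; handled by advice, not the fix script
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java-cache"   # drive-by applet; the cache itself must also be cleared
    if "\\temp\\" in low:
        return "temp"         # exploit-kit payload dropped through the browser
    if "toolbar" in det or "adware" in det:
        return "pua"
    return "other"


def dll_planting_note(path: str) -> str:
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in SYSTEM_DLL_NAMES and not low.startswith(SYSTEM_DIRS):
        return "system DLL name outside the system directory: probable search-order hijack"
    return ""


def parse_eset_report(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line}")
        path, det = m.group("path"), m.group("detection")
        findings.append(Finding(path, det, categorize(path, det), dll_planting_note(path)))
    return findings


def build_otl_files_section(findings: list[Finding]) -> str:
    """':files' block for everything except keygen archives, mirroring the thread."""
    lines = [":files"] + [f.path for f in findings if f.category != "keygen"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_eset_report(ESET_REPORT)
    for f in found:
        print(f"{f.category:10} {f.path}" + (f"  <- {f.note}" if f.note else ""))
    print(build_otl_files_section(found))
```

The `java-cache` and `temp` hits are the drive-by chain (a Java applet and PDF exploits fetched through the browser, then a downloaded executable), which is why the helper's next post clears the Java cache and the Temp folders rather than only deleting the named files.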

Hello Epsilon,

I need to see the OTL log as well.

In the meantime please do this:

STEP 1

To Clear the Java Runtime Environment (JRE) cache, do this:

  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets

  • Click "OK" on the Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on the Temporary Files Settings window.
  • Close the Java Control Panel.

You can also view these instructions along with screenshots here.

STEP 2

Please download CCleaner and save it to your desktop.

Run the CCleaner installer.

During installation process, please UNCHECK all except Add Desktop Shortcut.

Please do NOT run a scan yet!

Now, open CCleaner:

Click the "Windows" tab.

Check everything under the "Internet Explorer" section except "Autocomplete Form History" and "Saved Passwords".

Check everything under the "Windows Explorer" section.

Check everything under the "System" section.

Check ONLY "Old Prefetch data" under the "Advanced" section.

Then, click the "Applications" tab:

Check everything under the "Firefox/Mozilla" section except "Saved Form Information" and "Saved Passwords".

CHECK everything else.

Next, click the "Options" button in the left pane, then click the "Advanced" button:

CHECK : "Only delete files in Windows Temp folders older than 24 hours".

Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.

When done, please exit CCleaner.

CAUTION: Please do NOT use the "Registry" button in the left pane. This is a built-in registry cleaner. If you don


Hello Epsilon,

We need to run an OTL Fix

There is no need to use OTLPE anymore !!!

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double click on the otlDesktopIcon.png icon on your desktop.
  4. Copy and Paste the following code into the customFix.png textbox.


:OTL
DRV - [2010/01/06 00:04:02 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/11 17:14:44 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/11 17:14:44 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/11 17:14:44 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/11 17:14:12 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
[2010/12/15 06:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/02/07 02:24:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jennifer\Local Settings\Application Data\prvlcl.dat
[2010/04/20 20:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53980
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-2025429265-1957994488-1417001333-1004\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - File not found
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - File not found
:files
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\53376e12-531f86a2
C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2-1.php
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2.php
C:\Program Files\Windows Live\Messenger\msimg32.dll
C:\Program Files\Windows Live\Messenger\riched20.dll
C:\Program Files\Yontoo Layers\YontooIEClient.dll
C:\~ErdUserProfile.$$$\$PowerISO$\PROGRAMS\sdfix\SDFix.exe
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
:commands
[reboot]

  5. Push runFixbutton.png
  6. OTL may ask to reboot the machine. Please do so if asked.
  7. Click btnOK.png.
  8. A report will open. Copy and Paste that report in your next reply.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitComet, FrostWire and Azureus). These programmes allow users to share files, as the name suggests. In today's world, cybercrime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or computing power for further propagation of malware. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

I would recommend you to uninstall both of them !!!

UPDATING TASKS

Your Adobe Reader is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 9.4.1 via Start => Control Panel > Add/Remove Programs

* Install the new downloaded updated software.

Note: The McAfee Security Scan is prechecked. You may wish to uncheck it before downloading.

mcafee-ssp.jpg

Note: Adobe Reader X is a large program, and if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment 6u24 and save it to your desktop.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Java

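The two Firefox lines in the fix above (network.proxy.http set to 127.0.0.1 on port 53980) are the part of this script worth understanding: a browser pointed at a proxy on its own machine means some local process sits between the browser and the Internet, a classic hijack for ad injection or credential theft. As an added example (not code from the thread, from OTL or from Firefox), this script parses a prefs.js, reports every proxy host it finds, classifies it (loopback, private network, public address, or a hostname) and notes whether network.proxy.type actually makes the entry active. The network.proxy.http values are the ones the fix removed; the network.proxy.type line and the other sample prefs are constructed.

```python
"""Flag proxy hijack settings in a Firefox prefs.js.

Added example; not code from the forum post, OTL or Firefox. The
network.proxy.http values are the ones the OTL fix above removed; the
network.proxy.type line and the remaining prefs are constructed.
"""
import ipaddress
import re

SAMPLE_PREFS_JS = r"""
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 53980);
user_pref("privacy.donottrackheader.enabled", true);
"""

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks", "network.proxy.ftp")
MANUAL, PAC = 1, 2   # values of network.proxy.type


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines into {name: str | int | bool}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("value").strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw)
        prefs[m.group("name")] = value
    return prefs


def describe_host(host: str) -> str:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "named proxy host; confirm it is the expected proxy"
    if ip.is_loopback:
        return "loopback proxy: a process on this machine is intercepting browser traffic"
    if ip.is_private:
        return "private-network proxy; confirm it is the expected gateway"
    return "proxy on the public Internet: traffic is relayed through a third party"


def audit_proxy(prefs: dict) -> list:
    """Return (pref, value, reason, active) tuples for every proxy setting worth review."""
    ptype = prefs.get("network.proxy.type", 5)   # 5 = use system settings (Firefox default)
    findings = []
    if pac := prefs.get("network.proxy.autoconfig_url"):
        findings.append(("network.proxy.autoconfig_url", pac, "PAC script can redirect every request", ptype == PAC))
    for name in PROXY_HOST_PREFS:
        host = prefs.get(name)
        if not host:
            continue
        value = f"{host}:{prefs.get(name + '_port', '')}"
        # Host prefs only take effect while the type is 'manual'; a stale entry is still evidence.
        findings.append((name, value, describe_host(host), ptype == MANUAL))
    return findings


if __name__ == "__main__":
    for pref, value, reason, active in audit_proxy(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{'ACTIVE ' if active else 'stale  '}{pref} = {value}: {reason}")
```

Removing the pref only stops the browser cooperating; the process that was listening on that port is the actual infection, which is why the same fix also removes the dropped files and services rather than just the two prefs.js lines.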

Hi Epsilon,

Did you complete all of the steps provided in my previous post ?

If so please post OTL fix log.

Please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.

Copy/paste the contents of that document back here in your next post.

Then I will give you my final recommendations.

Thanks !

Regards,

Georgi


========== OTL ==========

Error: Unable to stop service mfehidk!

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk deleted successfully.

C:\WINDOWS\system32\drivers\mfehidk.sys moved successfully.

Service mfeavfk stopped successfully!

Service mfeavfk deleted successfully!

C:\WINDOWS\system32\drivers\mfeavfk.sys moved successfully.

Service mfesmfk stopped successfully!

Service mfesmfk deleted successfully!

C:\WINDOWS\system32\drivers\mfesmfk.sys moved successfully.

Service mfebopk stopped successfully!

Service mfebopk deleted successfully!

C:\WINDOWS\system32\drivers\mfebopk.sys moved successfully.

Service mferkdk stopped successfully!

Service mferkdk deleted successfully!

C:\WINDOWS\system32\drivers\mferkdk.sys moved successfully.

C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.

C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.

C:\Documents and Settings\Jennifer\Local Settings\Application Data\prvlcl.dat moved successfully.

C:\Documents and Settings\All Users\Application Data\Kaspersky SDK folder moved successfully.

Prefs.js: "127.0.0.1" removed from network.proxy.http

Prefs.js: 53980 removed from network.proxy.http_port

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

Registry value HKEY_USERS\S-1-5-21-2025429265-1957994488-1417001333-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d9288080-1baa-4bc4-9cf8-a92d743db949}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d9288080-1baa-4bc4-9cf8-a92d743db949}\ not found.

========== FILES ==========

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\53376e12-531f86a2 moved successfully.

File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe not found.

File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2-1.php not found.

File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-4\plugin-pdf2.php not found.

C:\Program Files\Windows Live\Messenger\msimg32.dll moved successfully.

C:\Program Files\Windows Live\Messenger\riched20.dll moved successfully.

C:\Program Files\Yontoo Layers\YontooIEClient.dll moved successfully.

C:\~ErdUserProfile.$$$\$PowerISO$\PROGRAMS\sdfix\SDFix.exe moved successfully.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\AvgUninstallURL deleted successfully.

========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 05012011_153741

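The log above is read line by line against the fix script, and its first line is the one that matters: "Error: Unable to stop service mfehidk!" means the boot-start driver was still loaded when OTL ran, so deleting its service key and moving the .sys file only take effect after the [reboot] the script requested. The "not found" entries for the Temp files are the benign case (the CCleaner step had already emptied Temp). As an added example (not code from the thread or from OTL), this script parses the :OTL and :files sections of a fix, matches each item against the log's success, error and not-found messages, and lists what still needs confirming after the reboot. The script and log fragments are copied from the thread and shortened to a few entries; the verdict rules are this example's own.

```python
"""Cross-check an OTL fix script against the log OTL wrote for it.

Added example; not code from the forum post or from OTL. The script and
log fragments are copied from the thread and shortened to a few entries;
the verdict rules are this example's own.
"""
import re

FIX_SCRIPT = r"""
:OTL
DRV - [2010/01/06 00:04:02 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/11 17:14:44 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
:files
C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe
C:\Program Files\Yontoo Layers\YontooIEClient.dll
:commands
[reboot]
"""

FIX_LOG = r"""
========== OTL ==========
Error: Unable to stop service mfehidk!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfehidk deleted successfully.
C:\WINDOWS\system32\drivers\mfehidk.sys moved successfully.
Service mfeavfk stopped successfully!
Service mfeavfk deleted successfully!
C:\WINDOWS\system32\drivers\mfeavfk.sys moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Download.exe not found.
C:\Program Files\Yontoo Layers\YontooIEClient.dll moved successfully.
========== COMMANDS ==========
OTL by OldTimer - Version 3.2.22.3 log created on 05012011_153741
"""

# "DRV - [...] -- <driver path> -- (<service name>)"
DRV_RE = re.compile(r"^DRV - .* -- (?P<path>[A-Za-z]:\\\S+) -- \((?P<name>[^)]+)\)$")


def parse_fix_script(text):
    """Return ([(service, driver_path)], [file_path]) from the :OTL and :files sections."""
    section, drivers, files = None, [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
        elif section == ":otl" and (m := DRV_RE.match(line)):
            drivers.append((m.group("name"), m.group("path")))
        elif section == ":files":
            files.append(line)
    return drivers, files


def check_fix(script_text, log_text):
    """Map each requested item to a verdict: removed, already-gone,
    stop-failed-reboot-required, or UNCONFIRMED (the log never mentions it)."""
    drivers, files = parse_fix_script(script_text)
    verdicts = {}
    for name, path in drivers:
        key_gone = (f"Service {name} deleted successfully!" in log_text
                    or f"\\Services\\{name} deleted successfully." in log_text)
        file_gone = f"{path} moved successfully." in log_text
        if f"Error: Unable to stop service {name}!" in log_text:
            # The driver was still loaded in the kernel; deleting its key and
            # moving the file only take effect after the [reboot] in the script.
            verdicts[name] = "stop-failed-reboot-required" if key_gone and file_gone else "UNCONFIRMED"
        else:
            verdicts[name] = "removed" if key_gone and file_gone else "UNCONFIRMED"
    for path in files:
        if f"{path} moved successfully." in log_text:
            verdicts[path] = "removed"
        elif f"File\\Folder {path} not found." in log_text:
            verdicts[path] = "already-gone"   # e.g. removed earlier by the Temp cleanup step
        else:
            verdicts[path] = "UNCONFIRMED"
    return verdicts


def needs_followup(verdicts):
    """Items to re-check after the reboot, e.g. with a fresh OTL scan."""
    return sorted(k for k, v in verdicts.items() if v in ("stop-failed-reboot-required", "UNCONFIRMED"))


if __name__ == "__main__":
    result = check_fix(FIX_SCRIPT, FIX_LOG)
    for item, verdict in result.items():
        print(f"{verdict:28} {item}")
    print("follow up:", needs_followup(result))
```

On the real log every item except mfehidk confirms cleanly; the follow-up list is the reason a helper asks for one more scan after the reboot before declaring the machine clean.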

Hi Epsilon,

Nicely done ! :)

I have some final words for you.

All Clean :thumbsup:

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean :)

STEP 1 CLEANUP

To remove all of the tools we used and the files and folders they created, please do the following:

Please reopen otlDesktopIcon.png on your desktop.

In the upper right click CleanUp

otlw.png

This will delete OTL and will clean up after it.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

You can now uninstall ESET Online Scanner v3 and CCleaner.

STEP 2 SECURITY ADVICES

Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • I noticed that you use avast 5 and I would recommend that you update it to its latest version => click here
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit Windows Update regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is infected with malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if it is legitimate, you can use McAfee SiteAdvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Don't use pirated software !!!

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

Create an image of your system

It is always a good idea to back up all important files just in case something happens to it.

Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.

The download link is here => http://www.macrium.com/reflectfree.asp

The tutorials can be found here => http://www.macrium.com/tutorial.asp

Be sure to read the tutorial first. :thumbup2:

Follow this list and your potential for being infected again will reduce dramatically.

STEP 3 IMPROVE YOUR PC PERFORMANCE

Use Disk Cleanup to delete files you no longer need and reclaim storage space on your computer.

Open Disk Cleanup by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.

If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.

Click the Disk Cleanup tab, and then select the check boxes for the files you want to delete.

When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.

You can use Disk Defragmenter to rearrange files and unused space on your hard disk so that programs run faster.

Please open Disk Defragmenter by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Defragmenter.

Select the drive you want to Defragment (the drive where Windows is installed).

Click Defragment Now.

Use MSConfig to disable any processes that you do not want running in the background of the computer.

Please type msconfig in the start menu, then hit enter.

Go to the startup tab and then uncheck any programs that you don't need to load with Windows.

Click the "Apply" button and click "OK" to close the MSCONFIG window.

Restart your computer to save the changes you made to the Startup.

You might get a popup window when you log on. This is typical. Just click OK. You can also stop the popup window from appearing again by checking the box there.

The programs you removed will no longer automatically launch once Windows starts up.

Safe Surfing ! ;)

Regards,

Georgi
