[homer32]

Got home from work this morning to find an odd screen on my computer. Said "your computer has been block" and needed a $300 payment to be made to unlock. Computer is an aged XP SP3 32-bit system pretty much at the end of usability. In fact, replacement components are en route for a new system rebuild.

So far I know that I can't seem to start Normal, Safe Mode, or Last Known Good Configuration. I have done a lot of reading today, and tried a few things, all of which have not worked. Using two seperate USB thumbdrives, I tried to create a bootable USB with HitMan Pro 3.7 tool. While the formatting seems to complete, the drive is never really seen a bootable. When I select the USB drive from Boot Menu, it restarts the computer after that option is chose and begins a normal boot up and Windows XP splash screen soon appears. Attempting a Safe Mode boot the scrolling text gets to something ending in "MUP".sys, then restarts again. Unfortunately, hard drive space has been a rare commodity, and due to that System Restore is not currently enabled.

Any recommendations to get a workable, bootable USB drive so that I can hopefully run a utility, like HitMan Pro, or something else? Also, guess I should note that computer uses Microsoft Security Essentials, updated a couple times per week, and full scans a couple times a week. Also using MalwareBytes software weekly. So whatever this is seems to be a recent exploit.

Any help is greatly appreciated!

Edited by homer32, 09 May 2013 - 06:05 PM.

[Advertisements]

Hello

Lets see if we can get this to run

• Download OTLPE from either location and save it to your desktop:
  
  http://oldtimer.geek...om/OTLPEStd.exe
  http://ottools.noahd...et/OTLPEStd.exe
  
• Double click the OTLPENet icon on your desktop
• "Do you want to burn the CD?" choose Yes
• ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
• Place a blank CD in your CD-Rom
• Click to start the burn process
• You will see a dialog "Operation successfully completed"
• Boot the non-working computer using the boot CD you just created
• In order to do so, the computer must be set to boot from the CD first
  
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
• OTL should now start.
• Push
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your next reply.

Gringo

[gringo_pr]

Hello

Lets see if we can get this to run

• Download OTLPE from either location and save it to your desktop:
  
  http://oldtimer.geek...om/OTLPEStd.exe
  http://ottools.noahd...et/OTLPEStd.exe
  
• Double click the OTLPENet icon on your desktop
• "Do you want to burn the CD?" choose Yes
• ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
• Place a blank CD in your CD-Rom
• Click to start the burn process
• You will see a dialog "Operation successfully completed"
• Boot the non-working computer using the boot CD you just created
• In order to do so, the computer must be set to boot from the CD first
  
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
• OTL should now start.
• Push
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your next reply.

Gringo

[homer32]

OK, I was finally able to download the OTLPE tools and run from the CD. Everything was very slow, with new windows and most actions taking close to 1 minute each, or more. But I was able to run the requested utility, retrieve the .txt file, and copy to USB drive to bring to another PC to post.

__
OTL logfile created on: 5/10/2013 5:05:44 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.23 Gb Total Space | 15.24 Gb Free Space | 22.01% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 874.51 Gb Free Space | 93.88% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - [2013/04/13 01:39:06 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/04/10 22:40:17 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/03/12 15:39:40 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/27 14:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/11/07 00:27:10 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2012/11/07 00:26:13 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2010/12/17 00:28:42 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/03/05 01:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (dsnpfdMP)
DRV - File not found [Kernel | On_Demand] -- -- (dsnpfd)
DRV - File not found [Kernel | On_Demand] -- -- (CTSBLFX.DLL)
DRV - File not found [Kernel | On_Demand] -- -- (CTERFXFX.DLL)
DRV - File not found [Kernel | On_Demand] -- -- (CTAUDFX.DLL)
DRV - File not found [Kernel | On_Demand] -- -- (COMMONFX.DLL)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2012/11/07 00:26:17 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/11/09 23:42:12 | 007,493,120 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2010/07/09 15:18:54 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2010/05/31 13:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 13:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/11/12 16:48:56 | 000,005,504 | ---- | M] () [File_System | Auto] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008/11/25 04:35:54 | 000,211,496 | ---- | M] (Silicon Image, Inc) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Si3114r5.sys -- (Si3114r5)
DRV - [2008/11/25 04:35:54 | 000,017,064 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SiWinAcc.sys -- (SiFilter)
DRV - [2008/11/25 04:35:54 | 000,012,200 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SiRemFil.sys -- (SiRemFil)
DRV - [2008/08/18 21:54:00 | 000,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvgts.sys -- (nvgts)
DRV - [2008/08/01 14:36:00 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/08/01 14:36:00 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/07/07 12:37:04 | 000,189,464 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2008/07/07 12:36:36 | 000,162,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2008/07/07 12:36:10 | 000,797,720 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2008/07/07 12:35:46 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/07/07 12:34:08 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/07/07 12:33:40 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/07/07 12:33:16 | 000,127,512 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/07/07 12:31:44 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008/07/07 12:31:10 | 000,532,376 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/07/07 12:29:58 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/06/27 21:21:44 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2008/06/27 21:21:44 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2008/06/27 21:21:38 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2008/06/27 21:21:38 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2008/06/27 21:21:26 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2008/06/27 21:21:26 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2008/06/27 21:21:18 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2008/06/27 21:21:18 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 13:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/12/06 12:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/07/20 20:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2007/04/17 00:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/12 11:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2007/04/12 11:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2007/04/12 11:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2007/04/12 11:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2007/04/12 11:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2007/04/12 11:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2007/04/12 11:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2006/07/02 00:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2001/08/17 17:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 26 CC E0 56 B6 36 CE 01 [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Jade_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://fileforum.betanews.com/
IE - HKU\Jade_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/13 01:39:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2013/04/13 01:32:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/04/13 01:39:17 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 21:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/03/03 20:12:16 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\Jade_ON_C\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\Jade_ON_C..\Run: [CryptBox] File not found
O4 - Startup: C:\Documents and Settings\Jade\Start Menu\Programs\Startup\Dropbox.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Jade_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1236548869265 (WUWebControl Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creat...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1344210542025 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15106/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1007 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 132.120.60.1 205.171.2.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/08 02:47:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/05/09 09:46:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Report
[2013/04/16 19:12:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jade\Local Settings\Application Data\Sun
[2013/04/13 01:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/04/11 09:13:21 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2013/04/11 09:13:18 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2013/04/10 22:40:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ask
[2013/04/10 22:40:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/04/10 22:40:34 | 000,861,088 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2013/04/10 22:40:34 | 000,262,560 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/04/10 22:40:34 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013/04/10 22:40:29 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/04/10 22:40:29 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/04/10 22:40:29 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2008/06/27 19:26:00 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2008/06/27 18:59:50 | 000,010,240 | ---- | C] ( ) -- C:\WINDOWS\System32\killapps.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/09 23:39:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/05/09 19:56:54 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/05/09 19:53:37 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/05/09 19:46:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/05/09 11:22:15 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000005-00000000-00000007-00001102-00000004-20021102}.rfx
[2013/05/09 11:22:15 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000007-00001102-00000004-20021102}.rfx
[2013/05/09 11:22:14 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000007-00001102-00000004-20021102}.rfx
[2013/05/09 11:22:14 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000007-00001102-00000004-20021102}.rfx
[2013/05/09 11:22:14 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000005-00000000-00000007-00001102-00000004-20021102}.rfx
[2013/05/02 11:28:50 | 000,238,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/04/25 23:05:30 | 000,093,956 | ---- | M] () -- C:\Documents and Settings\Jade\Desktop\Whirlpool WSF26C2EXW01 Dimension Guide_EN.pdf
[2013/04/25 23:05:24 | 002,006,014 | ---- | M] () -- C:\Documents and Settings\Jade\Desktop\Whirlpool WSF26C2EXW01 Use and Care_EN.pdf
[2013/04/22 15:21:50 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Jade\Desktop\CrystalDiskInfo.lnk
[2013/04/22 15:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\CrystalDiskInfo
[2013/04/15 17:36:20 | 000,001,028 | ---- | M] () -- C:\Documents and Settings\Jade\Start Menu\Programs\Startup\Dropbox.lnk
[2013/04/10 22:40:19 | 000,094,112 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/04/10 22:40:16 | 000,262,560 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/04/10 22:40:15 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/04/10 22:40:15 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/04/10 22:40:15 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013/04/10 22:40:14 | 000,861,088 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2013/04/10 22:40:14 | 000,782,240 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013/04/10 05:21:09 | 000,172,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/04/10 05:20:03 | 001,053,464 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/25 23:05:30 | 000,093,956 | ---- | C] () -- C:\Documents and Settings\Jade\Desktop\Whirlpool WSF26C2EXW01 Dimension Guide_EN.pdf
[2013/04/25 23:05:22 | 002,006,014 | ---- | C] () -- C:\Documents and Settings\Jade\Desktop\Whirlpool WSF26C2EXW01 Use and Care_EN.pdf
[2013/01/09 07:02:47 | 001,053,464 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/03/21 03:04:11 | 000,000,373 | ---- | C] () -- C:\Documents and Settings\Jade\cryptboxdrives.xml
[2012/02/14 18:19:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/25 00:40:25 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\rtvcvfw32.dll
[2012/01/13 22:53:44 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/11/10 01:39:44 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OpenVideo.dll
[2011/11/10 01:39:32 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/02/11 15:10:27 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/06 13:04:12 | 000,000,068 | -H-- | C] () -- C:\WINDOWS\popcreg.dat
[2010/07/06 13:04:12 | 000,000,020 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/10/26 19:39:02 | 000,000,202 | ---- | C] () -- C:\Documents and Settings\Jade\Application Data\burnaware.ini
[2009/09/13 23:13:23 | 000,013,132 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/06 22:51:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/09/02 18:29:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/09/02 18:26:07 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/07/14 21:43:46 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/07/14 21:43:46 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/06/10 12:54:20 | 000,243,168 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/06/01 14:26:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/21 15:02:30 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Jade\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/09 18:30:55 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/03/08 18:12:18 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/03/08 17:39:39 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/03/08 17:34:11 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/03/08 02:49:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/08 02:45:26 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/07 11:07:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/07 11:06:32 | 000,172,280 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/06/27 20:05:08 | 000,049,565 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/06/27 20:05:06 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/06/27 19:27:54 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/06/27 19:25:02 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\psconv.exe
[2008/06/27 19:09:36 | 000,386,852 | ---- | C] () -- C:\WINDOWS\System32\ctdnlstr.dat
[2008/06/27 19:09:36 | 000,051,787 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2008/06/27 19:03:54 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\regplib.exe
[2008/06/27 19:02:56 | 000,149,838 | ---- | C] () -- C:\WINDOWS\System32\ctbas2w.dat
[2008/06/27 19:00:36 | 000,274,587 | ---- | C] () -- C:\WINDOWS\System32\ctsbas2w.dat
[2008/06/27 19:00:24 | 000,241,084 | ---- | C] () -- C:\WINDOWS\System32\CTSBASW.DAT
[2008/06/27 19:00:24 | 000,115,166 | ---- | C] () -- C:\WINDOWS\System32\CTBASICW.DAT
[2008/06/27 18:59:56 | 000,313,207 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2008/06/27 18:59:56 | 000,053,932 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2008/06/27 18:59:54 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\enlocstr.exe
[2007/08/13 22:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2007/08/06 13:07:30 | 000,009,584 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/07/23 11:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 11:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/07/23 11:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/07/23 11:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/04/27 12:43:58 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2007/04/12 11:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2006/10/02 19:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,578,560 | ---- | C] () -- C:\WINDOWS\System32\user32.ini
[2001/08/23 08:00:00 | 000,502,718 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,088,242 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2012/03/21 03:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Abelssoft
[2009/03/12 23:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Acreon
[2012/03/26 22:43:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Ashampoo
[2010/06/09 00:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Auslogics
[2011/11/21 22:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Canneverbe Limited
[2013/04/07 16:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Curse Advertising
[2011/08/20 21:24:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\DeskSoft
[2011/05/18 21:04:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\DiskSpaceFan
[2013/05/09 19:54:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Dropbox
[2010/03/30 12:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\e
[2011/10/12 23:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Jobulator
[2012/03/16 02:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\MAGIX
[2012/06/07 01:44:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Mumble
[2009/08/23 16:25:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\RayV
[2011/05/25 14:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\RIFT
[2012/02/20 17:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Rovio
[2013/04/29 01:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\TS3Client
[2009/03/09 17:58:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jade\Application Data\Windows Search
[2012/03/26 22:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2013/04/10 22:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
[2012/03/31 01:04:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Battle.net
[2011/11/21 22:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/09/10 11:20:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Caphyon
[2009/03/12 22:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2011/08/20 21:24:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DeskSoft
[2013/05/09 09:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2012/03/16 02:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MAGIX
[2010/07/06 13:04:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2012/03/16 02:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xara
[2009/09/13 22:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/02 23:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

========== Purity Check ==========


< End of report >
__

[gringo_pr]

Hello


I do not see the ransomware virus in this report .Try this please. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

• Insert your USB drive
• Press Start > My Computer > right click your USB drive > choose Format > Quick format
• Double click the unetbootin-xpud-windows-387.exe that you just downloaded
• Press Run then OK
• Select the DiskImage option then click the browse button located on the right side of the textbox field.
• Browse to and select the xpud-0.9.2.iso file you downloaded
• Verify the correct drive letter is selected for your USB device then click OK
• It will install a little bootable OS on your USB device
• Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
• After it has completed do not choose to reboot the clean computer simply close the installer
• Next download http://noahdfear.net...loads/driver.sh to your USB
• Remove the USB and insert it in the sick computer
• Boot the Sick computer
• Press F12 and choose to boot from the USB
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see driver.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be located on your USB drive named report.txt
• Remove the USB drive and insert back in your working computer and navigate to report.txt
  
  Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

[homer32]

OK, I followed these instructions very carefully, and am pretty certain I did not mess something up. But, when I attempt to boot from any one of three different USB thumb drives, the computer seems to ignore the fact that they are even there. I've changed the BIOS setting to allow boot priority to Removable before Hard Drive, with CD being between Removable and Hard Drive. Each time start up, I soon see the Windows XP splash screen and my regular Windows log in screen soon after.

This is what was occurring when I tried to create a bootable USB drive earlier, to run the HitmanPro utility I saw referenced on another site. Windows XP splash screen, but never anything acknowledging the USB drive as bootable at all. Also, regarding the HitmanPro utility, while booted from the OTLPE CD, I ran the HitmanPro tool from a USB thumb drive and it found no errors. Hopeful, I started up the computer regularly, but immediately upon loading the Windows desktop, the screen was covered with a white overlay and then the same FBI ransom screen as seen yesterday.

Any ideas of what I might need to check to allow a successful USB drive boot? Could I possibly run these last tools you mentioned while booted from the CD? The three USB drives being used are a 512MB and 2GB Sandisk, and some generic 2GB drive I received from CDW. It seems that so far the bootable OTLPE CD is the only other option that is bootable for some reason.

Thanks for your continued assistance. It is greatly appreciated! 8^)

Edited by homer32, 10 May 2013 - 07:59 AM.

[gringo_pr]

Hello


Lets try it with a cd then

Try this please. You will still need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
• Click on Start and follow the prompts to burn the image to a CD.
• Next download driver.sh to your USB drive
• Remove the USB & CD and insert it in the sick computer
• Boot the Sick computer with the CD you just burned
• The computer must be set to boot from the CD
• Gently tap F12 and choose to boot from the CD
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see driver.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be located on your USB drive named report.txt
• Remove the USB drive and insert it back in your working computer and navigate to report.txt
  
  Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

[homer32]

Wow that xPUD CD is awesome. I miss being more in the know about stuff than I am currently.

Here is the contents of the report.txt file. Guessing something didn't work quite right as the report file is only one line containing date and time info. I saw the utility processing info about drivers in various directories, but it didn't seem to have saved any of that information.

--
Fri May 10 12:32:05 UTC 2013
--

[gringo_pr]

Hello

I am more interested in this report and is where we are working towards - the important part now is that you were able to boot into xpud

Download http://noahdfear.net/downloads/rst.sh to the USB drive

• Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
• Press File
• Expand mnt
• Expand your USB (sdb1)
• Confirm that you see rst.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash rst.sh
• Press Enter
• After it has finished a report will be located at sdb1 named enum.log
• Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

[homer32]

Ran the driver.sh from terminal again, hoping for more data in the log file. Nothing else to report. This was before I saw your most current post.

When I run the rst.sh file from the terminal it is searching for Restore Points. After it finishes, I see the enum.log file in the USB drive directory. When I move the drive from the sick computer to my laptop, the enum.txt file is no longer there. When I attempt to open the enum.log file from within xPUD, it doesn't seem to do anything. When I try to Open With, there are no options listed. If I put the USB drive back in sick computer, still the enum.txt file is missing.

EDIT: I reran the rst.sh file, then tried to open Firefox within xPUD to post, but couldn't get Firefox to load any webpage, though active Ethernet connection is on sick computer right now. I ended up just typing the enum.log contents from the sick computer's screen to my laptop.

Contents are...

--
25.8M May 10 2013 /mnt/sda1/WINDOWS/system32/config/software
14.5M May 10 2013 /msn/sda1/WINDOWS/system32/config/system

25.6M may 9 14:01 /sda1/~/RP1/~SOFTWARE
14.3M May 9 14:01 /sda1/~/RP1/~SYSTEM

Edited by homer32, 10 May 2013 - 12:18 PM.

[gringo_pr]

Let's see if there is an available registry backup we can use to help get your computer booting properly

• Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
• Press File
• Expand mnt
• Expand your USB (sdb1)
• Press Tool at the top
• Choose Open Terminal
• Type bash rst.sh -r
• Type 1
• Press Enter
• After it has finished a report will be located at sdb1 named restore.log
• Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review

[homer32]

Text from restore.log file...

--
SOFTWARE hive restored from RP1
SYSTEM hive restored from RP1
SECURITY hive restored from RP1
SAM hive restored from RP1
--

Rebooting into Windows XP normally still results in the ransomware block and inability to do anything.

[homer32]

Hey gringo_pr, I am about to leave home and area for a couple days. I will have internet access, but of course not be home and around the down system to continue troubleshooting til Sunday night probably. Just passing this along, in case there are further posts and ideas and I'm not quite as prompt to respond and/or follow through on things.

Again, thanks for your assistance so far. Hopefully we can continue and still get things working when I return. Thanks!

[gringo_pr]

try running this when you get back - http://forum.avira.c...&threadID=82163


gringo

[homer32]

Received a newly downloaded and burned CD of Bit Defender bootable CD and started a scan just as I got home, as I knew it would probably take some time and I also had to tend to a few other things. I saw that the Bit Defender utility did update first. I'm not sure if it did ever completely finish a scan, but after trying to run it twice from a fresh start, it did find one virus named pdf:exploit.PDF-JS.JV. It looks like the file is located at C:/Documents and Settings/Jade/Local Settings/Temporary Internet Files/Content.IE5/2SY9H48/3493[1].pdf. So far, on each attempt when Bit Defender found the virus, it was unable to remove or fix the file ("Failed to remove and/or fix was the message), and seemed to lock up at this point both times. So it did not scan further or allow any interaction once the lockups occurred.

At this point, I had the Avira CD installed to CD and ready to boot. This CD seems to lock up and become unresponsive immediately upon loading the Avira AntiVir Rescue System interface. Still trying to get it to work, but probably headed to bad fairly soon.

For the night I lastly tried to boot from the OTLPE CD, then navigated to the above path where the identified file was at. I realize now, too late, that maybe I shouldn't have, but I DID delete the entire directory "2SY9H48". Hoping for a good outcome finally, I then rebooted the computer normally and logged in. Same thing, unfortunately. Still get the prompt white screen, then filled in with the FBI and MoneyPak "computer has been blocked" screen, locking out any and everything.

I'll try again and check back in the morning.

Edited by homer32, 13 May 2013 - 01:31 AM.

[homer32]

Started another Bit Defender scan as I went to bed. This morning the scan had completed successfully, and "No threats have been detected". Gonna try to load up from the Avira CD and run another scan there. Maybe it can find something else different.