Windows 8.1 trojan.ransomlock.g FBI Moneypak [Solved]


  • This topic is locked

#16
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

Perfect. Are you able to give me the exact FBI message that comes up on your screen?


  • 0


#17
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

I reviewed your logs and don't see any signs of infection. Are you still having the issue? If so, please do the following while booted normally. All can be done within 10 minutes.
 
Step#1 - AdwCleaner
1. Please download AdwCleaner by Xplode onto your desktop.
2. Close all open programs and internet browsers.
3. Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
4. Click on Scan.
5. After the scan is complete click on "Clean".
6. Confirm each time with Ok.
7. Your computer will be rebooted automatically. A text file will open after the restart.
8. Please post the content of that logfile with your next answer.
9. If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt as well.
 
 
Step#2 - Run RogueKiller

  • Click here to go to the RogueKiller download page.
  • Scroll down on the page and click on the Download button for the 64-bit version.

  • Quit all programs and close all browsers.
  • Double click the RogueKiller icon to run the program.
    NOTE: If this is the first time you have used the program you will need to accept the User Agreement and the browser will open with some information related to the program.
  • Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
  • Click on Scan
  • Wait for the end of the scan.
  • DO NOT delete anything at this time.
  • Please post the results of the scan.
  • NOTE: If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

 

 

Items for your next post

1. AdwCleaner log

2. RogueKiller log


  • 0

#18
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

ADW CLEANER LOG

# AdwCleaner v4.111 - Logfile created 01/03/2015 at 15:22:08
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Patrick - THESHELTONS
# Running from : C:\Users\Patrick\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta.com

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]

-\\ Google Chrome v40.0.2214.93

[C:\Users\Patrick\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Patrick\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1813 bytes] - [01/03/2015 15:20:50]
AdwCleaner[S0].txt - [1610 bytes] - [01/03/2015 15:22:08]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1669  bytes] ##########


  • 0

#19
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

Rogue Killer Report

RogueKiller V10.4.3.0 (x64) [Feb 23 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Patrick [Administrator]
Mode : Scan -- Date : 03/01/2015  15:36:41

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A}  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524}  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A}  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 | (default) : {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 | (default) : {BBACC218-34EA-4666-9D7A-C78F2274A524}  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iscFlash (\??\C:\Windows\Temp\ArchesP10SP10SG_BIOS_V150_WIN\x64\iscflashx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iscFlash (\??\C:\Windows\Temp\ArchesP10SP10SG_BIOS_V150_WIN\x64\iscflashx64.sys) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E4BEBCEB-C6CC-48CC-A038-B0D84757B7CD} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E4BEBCEB-C6CC-48CC-A038-B0D84757B7CD} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1024 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2099200 | Size: 100 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2304000 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2566144 | Size: 705313 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1447047168 | Size: 8838 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk Cruzer Glide USB Device +++++
--- User ---
[MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


  • 0
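The RogueKiller report above lists 16 registry hits, but most are one item seen twice (the X64 and X86 views, or CurrentControlSet and ControlSet001), and the PUM.* classes are settings the tool asks you to confirm rather than detections. The Python below is an added example, not part of this thread or of RogueKiller: it parses finding lines in the V10 layout shown above, counts distinct findings per category, and pulls out any service or driver image loading from a temp directory for manual review. The sample lines are copied from the report; the regexes assume that layout.

```python
import re
from collections import Counter

# Constructed sample in the shape of the RogueKiller V10 report above
# (values copied from that report, reduced to six representative lines).
SAMPLE_REPORT = r"""
¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A}  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 | (default) : {F241C880-6982-4CE5-8CF7-7085BA96DA5A}  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iscFlash (\??\C:\Windows\Temp\ArchesP10SP10SG_BIOS_V150_WIN\x64\iscflashx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iscFlash (\??\C:\Windows\Temp\ArchesP10SP10SG_BIOS_V150_WIN\x64\iscflashx64.sys) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E4BEBCEB-C6CC-48CC-A038-B0D84757B7CD} | DhcpNameServer : 65.32.5.111 65.32.5.112 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
¤¤¤ Tasks : 0 ¤¤¤
"""

# One finding line: [Category] (Arch) <key [| value-name : data]> -> Status
LINE_RE = re.compile(
    r"^\[(?P<category>[A-Za-z.]+)\] \((?P<arch>X64|X86)\) (?P<body>.+?)\s+->\s+(?P<status>\w+)\s*$")
# Service entries carry the image path in parentheses after the service name.
IMAGE_RE = re.compile(r"\\Services\\[^\\\s]+ \((?P<image>[^)]+)\)")
# A driver image under a temp directory is unusual enough to check by hand
# (in the thread above it turned out to be a vendor BIOS flash utility).
TEMP_RE = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)


def parse_findings(report):
    """Parse every finding line into a dict; non-finding lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, _, value = (p.strip() for p in m.group("body").partition(" | "))
        # The same entry appears once per control set; merge them for counting.
        norm_key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key)
        img = IMAGE_RE.search(key)
        findings.append({
            "category": m.group("category"), "arch": m.group("arch"),
            "key": key, "value": value, "status": m.group("status"),
            "image": img.group("image") if img else None,
            # X64 and X86 views of one key collapse onto the same id.
            "dedupe_id": (m.group("category"), norm_key, value),
        })
    return findings


def triage(report):
    """Count distinct findings per category and list temp-loaded images."""
    findings = parse_findings(report)
    distinct = {f["dedupe_id"]: f for f in findings}
    per_category = Counter(f["category"] for f in distinct.values())
    review = sorted({f["image"] for f in distinct.values()
                     if f["image"] and TEMP_RE.search(f["image"])})
    return {
        "raw_lines": len(findings),
        "distinct": len(distinct),
        "per_category": dict(per_category),
        # PUM.* are settings RogueKiller asks you to confirm, not detections.
        "pum": sorted(c for c in per_category if c.startswith("PUM.")),
        "review_temp_images": review,
    }
```

Running `triage(SAMPLE_REPORT)` reduces the six sample lines to four distinct findings and singles out the iscflashx64.sys image for review.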

#20
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

Thanks. Can you explain to me again exactly what is happening? The way I understand it now is that if you boot your computer and leave it sit for 10 minutes an FBI screen comes up which prevents you from doing anything else. Is this correct?


  • 0

#21
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

That was before some of the scans we've run. As of today it's been up and running for the last few hours and no warning or any type of interruption.


  • 0

#22
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

Excellent. I thought I was going crazy as it appears the main infection is gone. Let's do a final two scans to ensure no remnants are left behind.

 

Step#1 - Malwarebytes Scan


  • Download Malwarebytes to your desktop from here.
  • Right-click on the file that is downloaded to your desktop and select Run as administrator.
  • Select the appropriate language and click OK.
  • Click Next.
  • Select "I accept the agreement" and click Next.
  • Click Next
  • Change the install path if desired. Normally you will keep this as is. Click Next.
  • Click Next again.
  • Click Next again.
  • Click Install.
  • Uncheck "Enable free trial of Malwarebytes Anti-Malware Premium".
  • Click Finish
  • If an update is found you will be prompted to download and install. Go ahead.
  • Click the Settings button and then the Detection and Protection tab. Then check the box to Scan for rootkits.
  • Click the Scan button at the top of the form and then click Scan Now.
  • If anything is detected, there will be an Apply Actions button. Please click this.
  • Once the scan completes click the View detailed log link.
  • Then click the Copy to clipboard button and paste into your next post.

 

 

 

Step#2 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here. This scan can take hours to run but is necessary to ensure we don't miss anything. Plan accordingly.

 

  • Please go here and click on 1.JPG
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked.
  • Click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

 
Items for your next post

1. Malwarebytes log
2. Contents of the ESET log file

  • 0

#23
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

What is the proper way to temporarily disable Norton Internet Security?


  • 0

#24
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

The best way is to right-click the Norton icon down in your system tray by your time on the computer. There should be an option to disable antivirus and I believe you get to pick a timeframe of how long to do this.


  • 0

#25
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

Thanks! Malwarebytes scan in progress.


  • 0


#26
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

Nice! :thumbsup:


  • 0

#27
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/1/2015
Scan Time: 6:27:21 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.01.04
Rootkit Database: v2015.02.25.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Patrick

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352273
Time Elapsed: 24 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


  • 0

#28
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

The ESET scan states no threats found.


  • 0

#29
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,591 posts

Perfect. If you have no further questions and are satisfied please see below.

 

OK! Well done, your computer is clean again! :thumbsup: Part of our job here at G2G is to help you clean your computer. But beyond that, and just as important, is to provide you with some information to keep you safe and secure on the net as well as to share knowledge. Following is that information.
 
 
1. Clean Up!
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
1. Download Delfix from here.
2. Ensure everything is checked.
3. Click Run.
Note: The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
Note: Delete any other .bat, .log, .reg, .txt, and any other files created during this process and left on the desktop, and empty the Recycle Bin.
 
2. Keeping Programs Updated
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is Secunia Personal Software Inspector (PSI). You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.
 
3. Antimalware- Preventative

Note: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is an anti-malware software and not an antivirus software so it won't conflict with the Antivirus that you are running. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.
 
4. Crypto Warning!!!! - Complete Data Loss can occur!
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.
 

  • Download CryptoPrevent free for home use here following the instructions below.
  • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
  • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
  • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
  • You will be prompted to click OK to continue and select your protection level. Go ahead and click OK.
  • Click the Apply button to set Default protection.
  • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
  • That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now), select the Updates! menu and select Check for Updates to see if there are any, as this infection has serious consequences.
 
 
For more information about computer security and how to protect yourself when on the internet, please read this guide: Best Practices for Safe Computing.
 
OK, all the best, and stay safe!
 

Items for your next post
1. Contents of the delfix log


  • 0

#30
Ziggybeez

    Member

  • Topic Starter
  • Member
  • 20 posts

# DelFix v10.9 - Logfile created 01/03/2015 at 20:27:24
# Updated 27/02/2015 by Xplode
# Username : Patrick - THESHELTONS
# Operating System : Windows 8.1  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Patrick\Desktop\Addition.txt
Deleted : C:\Users\Patrick\Desktop\AdwCleaner.exe
Deleted : C:\Users\Patrick\Desktop\FRST.txt
Deleted : C:\Users\Patrick\Desktop\FRST64.exe
Deleted : C:\Users\Patrick\Desktop\RogueKillerX64 - Shortcut.lnk
Deleted : C:\Users\Patrick\Desktop\RogueKillerX64.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #43 [Windows Update | 01/14/2015 10:55:20]
Deleted : RP #44 [Scheduled Checkpoint | 01/22/2015 07:45:46]
Deleted : RP #45 [Windows Update | 01/31/2015 17:10:12]
Deleted : RP #46 [Windows Update | 03/01/2015 20:45:44]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


  • 0





