Hello,
Need help please.
Attached the FRST logs.
Thank you!
Hi, JTug.
Welcome to GTG Forums.
You didn't attach the logs. Why do you think you are infected by a rootkit?
Sorry, can't upload.
Edited by JTug, 02 October 2021 - 04:38 PM.
Thank you for the logs. I will review them and be back to you as soon as I can.
Here are the ground rules during the cleaning procedure:
1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!
2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.
5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
Hello.
It seems that FRST ran in the COMODO virtual environment. As a result, we see a false image generated inside the Comodo sandbox. Reboot the system and then run FRST again, outside the COMODO Sandbox.
Hi,
Thanks for your help and time.
I rebooted and tried to run FRST outside the sandbox, but FRST crashes all the time (Not Responding)!!!
Any idea or alternative tool?
Thank you
Disable COMODO and try to run FRST again.
This is from COMODO: Comodo Internet Security Enable / Disable AV, Firewall Auto-Sandbox and Viruscope
Let me know about the result.
Logs attached.
Kindest Regards
Hi, JTug.
Right now, there is no sign of active infection. However, I see that your files have been encrypted by TISC Ransomware. TISC is a file-encrypting ransomware infection that restricts access to data (documents, images, videos) by encrypting files and appending the “.tisc” extension. It then attempts to extort money from victims by asking for a “ransom”, in the form of Bitcoin cryptocurrency, in exchange for access to the data.
The first thing you can do is to upload samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR). This service is strictly for identifying what ransomware may have encrypted your files. It will attempt to point you in the right direction, and let you know if there is a known way of decrypting your files.
After that, although I see from your logs that you have done a lot of checks with several tools, we can use some other tools to ensure that everything is clean.
Here are my comments/instructions:
1. P2P program
You have uTorrent Web installed on your computer. This is a P2P program. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented, and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private and financial details have been exposed to the file-sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again as soon as you use it again. But it is your computer and of course your decision.
If you decide to keep it, DON'T use it during the cleaning procedure.
If you decide to uninstall it:
uTorrent Web
2. Proxies
Have you intentionally enabled these proxies?
ProxyEnable: [S-1-5-21-223814551-1140071388-4042786358-1001] => Proxy is enabled.
FF NetworkProxy: Mozilla\Firefox\Profiles\l8xjodc1.default-release -> type", 0
FF Extension: (Proxy Failover) - C:\Users\JTug\AppData\Roaming\Mozilla\Firefox\Profiles\l8xjodc1.default-release\features\{82eb8f34-4d71-4c32-887a-de1fe73455db}\[email protected] [2021-09-30]
3. FRST fix
Please do the following to run a FRST fix.
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers1: [CLVDShellExt] -> {3E2A0A32-6E14-4BAD-AA87-BBB6A75EBFF2} => -> No File
ContextMenuHandlers1: [SHAREit.FileContextMenuExt] -> {430BD134-576D-4E75-87CD-0F5C6221A82B} => -> No File
ContextMenuHandlers2: [CLVDShellExt] -> {3E2A0A32-6E14-4BAD-AA87-BBB6A75EBFF2} => -> No File
ContextMenuHandlers4: [SHAREit.FileContextMenuExt] -> {430BD134-576D-4E75-87CD-0F5C6221A82B} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-223814551-1140071388-4042786358-1001 -> DefaultScope {58A62C29-8274-4A96-9D1A-261431BDBAEA} URL =
SearchScopes: HKU\S-1-5-21-223814551-1140071388-4042786358-1001 -> {58A62C29-8274-4A96-9D1A-261431BDBAEA} URL =
FirewallRules: [{B7C9703F-89BB-46A6-B572-1E81741F6338}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe => No File
FirewallRules: [{B70742A6-3CA1-4246-8167-1B7D931296AD}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe => No File
FirewallRules: [{AB73E184-BE4D-4643-8EA2-C91DD11F59FA}] => (Allow) C:\Program Files (x86)\Lenovo\Lenovo Photo Master\PhotoPlus.exe => No File
FirewallRules: [{6095FCF1-45A4-45E2-896E-F78952F7B5EF}] => (Allow) C:\Program Files (x86)\Lenovo\Lenovo Photo Master\subsys\AdvPhotoEditor\PhotoDirector5.exe => No File
FirewallRules: [{FD299C02-28F3-4529-8132-B2FE2F6B3490}] => (Allow) C:\Program Files\Lenovo PhotoMasterImport\PhotoMasterImport.exe => No File
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
S2 0161891631361214mcinstcleanup; C:\WINDOWS\TEMP\016189~1.EXE -cleanup -nolog [X]
S2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [X]
S2 Lenovo System Agent Service; "C:\Program Files\Lenovo\iMController\SystemAgentService.exe" [X]
S2 LUService; C:\Program Files (x86)\Lenovo\Lenovo Updates\LUService.exe [X]
S1 amsdk; \??\C:\WINDOWS\system32\drivers\amsdk.sys [X]
2021-10-02 15:22 - 2021-10-02 15:23 - 000153320 _____ C:\TDSSKiller.2.8.16.0_02.10.2021_15.22.43_log.txt
2021-10-02 15:22 - 2021-10-02 15:22 - 002237968 _____ (Kaspersky Lab ZAO) C:\Users\JTug\Downloads\tdsskiller.exe
2021-10-02 15:20 - 2021-10-02 15:21 - 005198336 _____ (AVAST Software) C:\Users\JTug\Downloads\aswMBR.exe
2021-10-02 10:54 - 2021-10-02 16:37 - 000000000 ____D C:\Users\JTug\AppData\Local\FSDART
2021-10-02 10:54 - 2021-10-02 12:42 - 000000000 ____D C:\ProgramData\F-Secure
2021-10-02 10:54 - 2021-10-02 10:54 - 000000000 ____D C:\Users\JTug\AppData\Local\F-Secure
2021-10-02 10:52 - 2021-10-02 10:52 - 012401864 _____ (F-Secure Corporation) C:\Users\JTug\Downloads\F-SecureOnlineScanner.exe
2021-10-02 10:50 - 2021-10-02 10:55 - 000000000 ____D C:\KVRT2020_Data
2021-10-02 10:49 - 2021-10-02 10:49 - 107072880 _____ (AO Kaspersky Lab) C:\Users\JTug\Downloads\KVRT.exe
2021-10-02 10:48 - 2021-10-02 10:48 - 003333936 _____ (Trend Micro Inc.) C:\Users\JTug\Downloads\HousecallLauncher64.exe
2021-10-02 10:48 - 2021-10-02 10:48 - 000000036 _____ C:\Users\JTug\AppData\Local\housecall.guid.cache
2021-10-02 10:34 - 2021-10-02 12:48 - 000910523 _____ C:\WINDOWS\ZAM.krnl.trace
2021-10-02 10:34 - 2021-10-02 10:34 - 000000000 ____D C:\Users\JTug\AppData\Local\Zemana
2021-10-02 10:33 - 2021-10-02 12:48 - 000000000 ____D C:\Users\JTug\AppData\Local\AMSDK
2021-10-02 10:00 - 2021-10-02 10:00 - 000000000 ____D C:\Program Files\Malwarebytes
2021-10-02 09:55 - 2021-10-02 17:32 - 000000000 ____D C:\Users\JTug\Desktop\comboF
2021-10-01 19:30 - 2021-10-01 19:30 - 000000000 ___HD C:\$AV_ASW
2021-10-01 19:26 - 2021-10-01 19:26 - 000000000 ____D C:\Users\JTug\AppData\Local\CEF
2021-10-01 19:10 - 2021-10-01 19:10 - 000000000 ____D C:\ProgramData\SProvide
2021-10-01 19:09 - 2021-10-02 16:37 - 000000000 ____D C:\ProgramData\Avast Software
2021-10-01 19:03 - 2021-10-01 19:03 - 000000108 _____ C:\Users\João
2021-10-01 19:00 - 2021-10-01 19:30 - 012134044 _____ C:\ProgramData\zohplghndapsm.tmp
2021-10-01 18:58 - 2021-10-01 18:58 - 000000000 ____D C:\ProgramData\Posse
2021-10-01 18:51 - 2021-10-01 18:51 - 000000000 ____D C:\Users\JTug\AppData\Roaming\calaba
2021-10-01 18:30 - 2021-10-01 18:44 - 000000000 ____D C:\ProgramData\Systemd
2021-10-01 18:30 - 2021-10-01 18:31 - 000000000 ____D C:\ProgramData\LKV6C095U2AXBTSQAKA51HXZH
2021-10-01 18:29 - 2021-10-01 18:29 - 000000000 ____D C:\Users\JTug\AppData\Local\Yandex
2021-10-01 18:28 - 2021-10-01 18:28 - 003265024 _____ C:\Users\JTug\AppData\Roaming\2323329.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 002788864 _____ C:\Users\JTug\AppData\Roaming\2280703.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000216064 _____ (jfasdjk) C:\Users\JTug\AppData\Roaming\2366582.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000206848 _____ (jfasdjk) C:\Users\JTug\AppData\Roaming\4514659.scr
2021-10-01 18:28 - 2021-10-01 18:28 - 000068608 _____ (Hoting) C:\Users\JTug\AppData\Roaming\6999437.scr
2021-10-01 18:48 - 2017-05-31 10:48 - 000000000 ____D C:\AdwCleaner
2021-10-01 18:40 - 2018-11-06 16:01 - 000000000 ____D C:\Saft
2021-10-01 18:40 - 2018-06-13 08:09 - 000000000 ____D C:\Astor
2021-10-01 18:40 - 2017-06-19 14:35 - 000000000 ____D C:\SiLabs
2021-09-13 16:48 - 2015-06-18 19:56 - 000000000 ____D C:\Program Files\Common Files\McAfee
2021-09-12 00:19 - 2015-06-18 19:56 - 000000000 ____D C:\ProgramData\McAfee
EmptyTemp:
End::
4. Eset Online Scanner
Download ESET Online Scanner and save it to your desktop.
In your next reply please post:
Hi DR M,
"What did you do with the P2P program" --> I will remove later.
"Your reply about proxies" --> I don't do that with the proxies; it should be the malware.
Attached the logs.
I uploaded the file to ID Ransomware, you can see: https://id-ransomwar...98eb43f2f07dd65
Thanks
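Added example, not part of this thread and not code from Geeks to Go or FRST: the two proxy lines FRST flagged above live in different places, and a quick offline parser shows what each one actually means. "ProxyEnable" is a REG_DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the WinINet settings that Internet Explorer, Edge and Chrome follow on Windows), next to ProxyServer, ProxyOverride and AutoConfigURL; the Firefox line is the pref network.proxy.type in the profile's prefs.js, where 0 is direct/no proxy, 1 is manual, 2 is a PAC URL, 4 is WPAD auto-detect and 5 (the default) means "use the system proxy". The Proxy Failover entry sits under the profile's features\ folder, which is where Firefox keeps its own bundled system add-ons, so on its own it is not a user-installed extension. The .reg export and the two prefs.js fragments below are constructed for the demo; the hostnames are made up.

```python
import re
from typing import Dict, List

# Documented meanings of Firefox's network.proxy.type pref.
FF_PROXY_TYPE = {0: "direct (no proxy)", 1: "manual", 2: "PAC URL",
                 4: "WPAD auto-detect", 5: "use system proxy (default)"}

# Constructed sample of what
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg
# could contain on a machine where FRST says "Proxy is enabled." (hosts are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8866"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://pac.example.invalid/proxy.pac"
'''

# Constructed prefs.js fragments: the first matches the thread's FRST line
# (network.proxy.type = 0), the second is what a browser-side proxy hijack looks like.
SAMPLE_PREFS_DIRECT = 'user_pref("network.proxy.type", 0);\n'
SAMPLE_PREFS_HIJACK = ('user_pref("network.proxy.type", 1);\n'
                       'user_pref("network.proxy.http", "proxy.example.invalid");\n'
                       'user_pref("network.proxy.http_port", 3128);\n'
                       'user_pref("network.proxy.share_proxy_settings", true);\n')

_REG_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")\s*$')

def parse_reg_export(text: str) -> Dict[str, str]:
    """Return name -> value (as str) for the REG_SZ / REG_DWORD entries of a .reg export."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _REG_LINE.match(raw.strip())
        if m:
            name, dword, string = m.groups()
            # .reg exports double the backslashes inside strings; undo that.
            values[name] = str(int(dword, 16)) if dword is not None else string.replace("\\\\", "\\")
    return values

_PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(-?\d+)|(true|false))\);')

def parse_prefs_js(text: str) -> Dict[str, str]:
    """Return pref name -> value (all as str) from Firefox prefs.js / user.js text."""
    prefs: Dict[str, str] = {}
    for m in _PREF_LINE.finditer(text):
        name, s, n, b = m.groups()
        prefs[name] = s if s is not None else (n if n is not None else b)
    return prefs

def assess_wininet(values: Dict[str, str]) -> List[str]:
    """Flag an enabled WinINet proxy or PAC script and say where it points."""
    findings: List[str] = []
    if values.get("ProxyEnable") == "1":
        findings.append("WinINet proxy enabled: ProxyServer=%s (ProxyOverride=%s)"
                        % (values.get("ProxyServer", "<unset>"), values.get("ProxyOverride", "<unset>")))
    if values.get("AutoConfigURL"):
        findings.append("WinINet PAC script set: AutoConfigURL=%s" % values["AutoConfigURL"])
    return findings

def assess_firefox(prefs: Dict[str, str]) -> List[str]:
    """Explain network.proxy.type and, for manual/PAC modes, list the configured targets."""
    ptype = int(prefs.get("network.proxy.type", "5"))  # an absent pref means the default, 5
    findings = ["Firefox network.proxy.type=%d: %s" % (ptype, FF_PROXY_TYPE.get(ptype, "unknown"))]
    if ptype == 1:
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get("network.proxy.%s" % scheme)
            if host:
                findings.append("  manual %s proxy -> %s:%s"
                                % (scheme, host, prefs.get("network.proxy.%s_port" % scheme, "?")))
    elif ptype == 2:
        findings.append("  PAC URL -> %s" % prefs.get("network.proxy.autoconfig_url", "<unset>"))
    elif ptype == 5:
        findings.append("  (inherits the WinINet settings above)")
    return findings

def triage(reg_text: str, prefs_text: str) -> List[str]:
    """Combine both views; anything listed here that the user did not set is worth removing."""
    return assess_wininet(parse_reg_export(reg_text)) + assess_firefox(parse_prefs_js(prefs_text))

if __name__ == "__main__":
    for label, prefs in (("thread-like", SAMPLE_PREFS_DIRECT), ("hijack-like", SAMPLE_PREFS_HIJACK)):
        print("==", label)
        for line in triage(SAMPLE_REG, prefs):
            print(line)
```

Run it against a real export and profile by reading the files instead of the constructed strings. A network.proxy.type of 0, as in this thread, means Firefox bypasses any proxy entirely; the setting that actually routes traffic somewhere is the WinINet ProxyEnable/ProxyServer pair, which is why FRST's RemoveProxy: directive targets those keys.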
Good day to you, JTug.
Unfortunately, in most cases, it’s not possible to recover the files encrypted by the TISC ransomware because the private key which is needed to unlock the encrypted files is only available through the cybercriminals. But you can use Emsisoft decryptor and check if you can do something: Emsisoft releases new decryptor for STOP Djvu ransomware - Emsisoft | Security Blog
Let's see fresh FRST logs now.
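Added example, not part of this thread and not Emsisoft's or FRST's code: before running a decryptor on a STOP/Djvu infection (the family the .tisc extension belongs to, and the family the Emsisoft decryptor linked above targets), it helps to triage the victim tree first. The script walks a folder, counts the encrypted files by their original extension, finds the _readme.txt ransom notes (the note file that also appears in the FRST listing in this thread) and pulls the personal ID out of each one. The ID suffix is the practical test: STOP/Djvu IDs that end in "t1" were generated with the fixed offline key, and only those can the public decryptor ever handle, and only when that offline key is known for the variant; an ID without the suffix means a per-victim online key that nobody but the operators has. Assumptions: the note layout used here (a "Your personal ID:" line followed by the ID) is the layout I know from STOP/Djvu notes, the sample folder is constructed in a temp directory, and the ID values are made up.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

ENCRYPTED_EXT = ".tisc"      # variant seen in this thread
NOTE_NAME = "_readme.txt"    # STOP/Djvu ransom note filename
# Assumed note layout: "Your personal ID:" on one line, the ID on the next.
ID_RE = re.compile(r"Your personal ID:\s*\r?\n\s*([0-9A-Za-z]+)")

def find_personal_id(note_text: str) -> Optional[str]:
    m = ID_RE.search(note_text)
    return m.group(1) if m else None

def key_type(personal_id: str) -> str:
    """STOP/Djvu IDs made with the offline key end in 't1'; anything else is an online key."""
    return "offline" if personal_id.endswith("t1") else "online"

def triage_tree(root: Path) -> Dict[str, object]:
    by_orig_ext: Counter = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                pid = find_personal_id(p.read_text(errors="replace"))
                notes.append({"path": str(p), "id": pid, "key": key_type(pid) if pid else "unknown"})
            elif name.lower().endswith(ENCRYPTED_EXT):
                # thesis.docx.tisc -> .docx ; tells you what kind of data was hit
                orig = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower() or "<none>"
                by_orig_ext[orig] += 1
    ids = {n["id"] for n in notes if n["id"]}
    return {
        "encrypted": sum(by_orig_ext.values()),
        "by_orig_ext": dict(by_orig_ext),
        "notes": notes,
        "ids": sorted(ids),
        # Necessary, not sufficient: the decryptor also needs the offline key for this variant.
        "all_ids_offline": bool(ids) and all(i.endswith("t1") for i in ids),
    }

# Constructed note text; real notes carry more boilerplate, the ID line is what matters.
SAMPLE_NOTE = """ATTENTION!

Don't worry, you can return all your files!
...
Your personal ID:
{pid}
"""

def build_sample_tree(base: Path, personal_id: str) -> Path:
    """Constructed victim folder: a few .tisc files, one untouched file, a note per folder."""
    docs, pics = base / "Documents", base / "Pictures"
    docs.mkdir()
    pics.mkdir()
    for rel in ("Documents/thesis.docx.tisc", "Documents/budget.xlsx.tisc",
                "Pictures/IMG_0001.jpg.tisc", "Pictures/IMG_0002.jpg.tisc"):
        (base / rel).write_bytes(os.urandom(64))  # placeholder for ciphertext
    for d in (docs, pics):
        (d / NOTE_NAME).write_text(SAMPLE_NOTE.format(pid=personal_id))
    (base / "notes.txt").write_text("untouched")
    return base

def demo(personal_id: str = "0356JhyjwEXAMPLE0000000000000000000000t1") -> Dict[str, object]:
    """Build the constructed tree in a temp dir and triage it (made-up ID, offline-style)."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(Path(tmp), personal_id))

if __name__ == "__main__":
    for pid in ("0356JhyjwEXAMPLE0000000000000000000000t1", "0356JhyjwEXAMPLEonline0000000000000000x9"):
        r = demo(pid)
        print(pid, "->", r["encrypted"], "files", r["by_orig_ext"],
              "offline-key only:", r["all_ids_offline"])
```

Point triage_tree at the real drive root instead of the constructed folder. If all_ids_offline comes back False, the Emsisoft decryptor will report the files as online-key encrypted, which matches the outcome in this thread: keep the encrypted files and the notes, since a later key leak is the only realistic path to recovery.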
Hello and good day to you,
No luck with Emsisoft. I did some research and reading (https://geeksadvice....nsomware-virus/); do you trust this info?
Attached the logs.
Regards,
PS: I'm going to uninstall the P2P now.
You forgot the Addition.txt.
Since you are going to uninstall the P2P program, run FRST after the uninstall and attach both logs here.
I would also like to remind you of the second ground rule:
Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
Also, please DO NOT edit your posts after they have been answered.
You make the procedure more difficult and complicated for me.
Thanks.
Done.
Thanks.
Hi, JTug.
Have you moved most of the encrypted files elsewhere?
It seems that, unfortunately, Emsisoft could not decrypt them and there is nothing to do about this other than keep the files, hoping for a method to decrypt them one day.
Let's continue.
1. Move FRST on to the Desktop
Please move the FRST tool onto your Desktop. Just drag it from the ComboF folder onto the Desktop.
2. Uninstall Lenovo App Services
This pre-installed program by SweetLabs is considered a PUP, meaning a potentially unwanted program. Please uninstall it.
Lenovo App Services
3. FRST fix
Please do the following to run a FRST fix.
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\amsdk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\amsdk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKU\S-1-5-21-223814551-1140071388-4042786358-1001\...\StartupApproved\Run: => "utweb"
FirewallRules: [{DD133BAD-4018-4615-B392-6F4564916935}] => (Allow) C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe => No File
FirewallRules: [{3DD26CA3-1F63-40DE-AEC3-7E4528CB2C6F}] => (Allow) C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe => No File
HKU\S-1-5-21-223814551-1140071388-4042786358-1001\...\Run: [utweb] => "C:\Users\JTug\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED
FF NetworkProxy: Mozilla\Firefox\Profiles\l8xjodc1.default-release -> type", 0
Task: {F080E6AE-B1C4-495E-93EE-EBAC5ACE2DA0} - System32\Tasks\Lenovo App Services => C:\ProgramData\Lenovo App Services\Engine\LenovoAppServices.exe [7657160 2020-12-31] (SweetLabs Inc. -> Lenovo)
Task: {044B8B59-15B0-4D90-A17B-BD41584A4048} - System32\Tasks\Lenovo\Experience Improvement Logon => C:\Program Files\Lenovo\ExperienceImprovement\LenovoExperienceImprovement.exe
Task: {3C7D0669-1011-4889-9FFB-51ED57F37630} - System32\Tasks\Lenovo\Dependency Package Auto Update => C:\Program Files\Lenovo\iMController\AutoUpdate.exe
2021-10-03 09:11 - 2021-10-03 09:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2021-10-03 09:11 - 2021-10-03 09:11 - 000000000 ____D C:\ProgramData\GridinSoft
2021-10-03 09:10 - 2021-10-03 09:42 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2021-10-03 09:04 - 2021-10-03 09:04 - 000989584 _____ (GridinSoft LLC) C:\Users\JTug\Downloads\install-antimalware-gsa.exe
2021-10-02 15:27 - 2021-10-02 15:41 - 000000000 ____D C:\Users\JTug\Desktop\mbar
2021-10-02 15:27 - 2021-10-02 15:41 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2021-10-02 15:27 - 2021-10-02 15:27 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\1443A1E9.sys
2021-10-02 15:27 - 2021-10-02 15:27 - 000192952 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2021-10-02 15:27 - 2021-10-02 15:27 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-10-02 10:54 - 2021-10-02 16:37 - 000000000 ____D C:\Users\JTug\AppData\Local\FSDART
2021-10-02 10:54 - 2021-10-02 10:54 - 000000000 ____D C:\Users\JTug\AppData\Local\F-Secure
2021-10-02 10:48 - 2021-10-02 10:48 - 000000036 _____ C:\Users\JTug\AppData\Local\housecall.guid.cache
2021-10-02 10:34 - 2021-10-02 10:34 - 000000000 ____D C:\Users\JTug\AppData\Local\Zemana
2021-10-02 10:33 - 2021-10-02 12:48 - 000000000 ____D C:\Users\JTug\AppData\Local\AMSDK
2021-10-02 09:55 - 2021-10-03 08:39 - 000000000 ____D C:\Users\JTug\Desktop\comboF
2021-10-01 19:26 - 2021-10-01 19:26 - 000000000 ____D C:\Users\JTug\AppData\Local\CEF
2021-10-01 18:55 - 2021-10-01 19:37 - 000000000 ____D C:\Users\JTug\AppData\Roaming\Intel Rapid
2021-10-01 18:51 - 2021-10-01 18:51 - 000000000 ____D C:\Users\JTug\AppData\Roaming\calaba
2021-10-01 18:30 - 2021-10-01 19:37 - 000000000 ____D C:\ProgramData\Microsoft Network
2021-10-01 18:30 - 2021-10-01 18:30 - 000000001 _____ C:\ProgramData\check.txt
2021-10-01 18:30 - 2021-10-01 18:30 - 000000000 ____D C:\ProgramData\Data
2021-10-01 18:29 - 2021-10-02 20:35 - 000000000 ____D C:\Users\JTug\AppData\Local\e9c329ea-2afc-41e9-92cf-f5eb6febe253
2021-10-01 18:29 - 2021-10-01 19:32 - 000000000 ____D C:\Users\JTug\AppData\Local\aab6d2d4-4ebf-4bee-bef7-007a986d6986
2021-10-01 18:29 - 2021-10-01 18:30 - 000000000 ____D C:\SystemID
2021-10-01 18:29 - 2021-10-01 18:29 - 000000559 _____ C:\Users\JTug\AppData\Local\bowsakkdestx.txt
2021-10-01 18:29 - 2021-10-01 18:29 - 000000000 ____D C:\Users\JTug\AppData\Local\Yandex
2021-10-01 18:28 - 2021-10-01 19:37 - 000000000 ___HD C:\Users\JTug\AppData\Roaming\WinHost
2021-10-01 18:28 - 2021-10-01 18:28 - 000068608 _____ (Hoting) C:\Users\JTug\AppData\Roaming\6999437.scr
2021-10-01 18:40 - 2021-10-01 18:40 - 000001110 _____ C:\Users\JTug\_readme.txt
2021-09-12 07:38 - 2021-10-01 18:06 - 000000000 ____D C:\Users\JTug\AppData\Local\BitTorrentHelper
2021-09-11 17:09 - 2021-09-11 17:09 - 000001874 _____ C:\Users\JTug\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\uTorrent Web.lnk
2021-09-11 17:09 - 2021-09-11 17:09 - 000000000 ____D C:\Users\JTug\AppData\Local\UTW008
2021-10-02 09:39 - 2015-06-18 19:52 - 000000000 ____D C:\ProgramData\Lenovo App Services
C:\Users\JTug\AppData\Roaming\uTorrent Web
C:\ProgramData\Lenovo App Services
C:\Program Files\Lenovo\ExperienceImprovement
C:\Program Files\Lenovo\iMController
RestoreQuarantine: C:\FRST\Quarantine\C\Saft
RestoreQuarantine: C:\FRST\Quarantine\C\SiLabs
RestoreQuarantine: C:\FRST\Quarantine\C\Astor
RemoveProxy:
EmptyTemp:
End::