[Resolved] Ransomware style infection

  • 43 Replies
  • 6930 Views

sean

  • Bronze Member
  • 133
Re: [In Progress] Ransomware style infection
« Reply #30 on: January 04, 2014, 10:12:07 PM »
Here is the file:
« Last Edit: March 13, 2014, 06:50:18 PM by Hoov »


Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • 27191
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Ransomware style infection
« Reply #31 on: January 04, 2014, 10:33:45 PM »
This computer is getting to the end of its working life. The processor is old and slow and you have next to no memory. You might be able to put in more memory and a faster hard drive, but you would be time and money ahead to buy a base model desktop or laptop for around $300. Comparing a new base model computer to this one would be like comparing a Porsche to a Model T.

If you want, we can try tweaking a few things to see if we can get more speed out of it.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

sean
Re: [In Progress] Ransomware style infection
« Reply #32 on: January 04, 2014, 10:51:01 PM »
Thanks, that would be appreciated.

Hoov
Re: [In Progress] Ransomware style infection
« Reply #33 on: January 05, 2014, 09:21:30 AM »
First we need to do some basic maintenance.

1. Download and scan with CCleaner
When you get to the website, there is a dark grey box on the left side with two tabs along the top. Inside this dark grey box is a light grey box. Below that light grey box is where the download links are. The pay amount is for paid support.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

    • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.

In the Applications Tab:

    • Clean all except cookies in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet section.
    • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising that this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

1. Double-click My Computer, and then right-click the hard disk that you want to check.
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check Disk options is displayed.
4. Check both of the following:
    * select the Automatically fix file system errors check box
    * select the Scan for and attempt recovery of bad sectors check box
5. Click Start

Note: If one or more of the files on the hard disk are open, you will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and then restart your computer to start the disk check.

And lastly I need you to defrag your hard drive.
    Open My Computer.
    Right-click on the C: drive, and then click Properties.
    On the Tools tab, click Defragment Now.
    Click Defragment.

Once all of this is done, reboot your computer and let me know if there is any difference in how your computer is running.


sean
      Re: [In Progress] Ransomware style infection
      « Reply #34 on: January 05, 2014, 07:25:22 PM »
      seems a little better.

Hoov
      Re: [In Progress] Ransomware style infection
      « Reply #35 on: January 05, 2014, 07:28:48 PM »
      OK, now we check and see what is running.

Download http://spywarehammer.com/Tools/HijackThis.exe and install it. Once it is running, click the Open the Misc Tools Section button. Then click the Generate StartupList log button. DO NOT check the two boxes next to the button. When you get a log, post the results here.


sean
      Re: [In Progress] Ransomware style infection
      « Reply #36 on: January 06, 2014, 12:49:13 PM »
      Here is the log:

      StartupList report, 1/6/2014, 12:26:21 PM
      StartupList version: 1.52.2
      Started from : C:\Documents and Settings\steve brophy\Desktop\HijackThis.EXE
      Detected: Windows XP SP3 (WinNT 5.01.2600)
      Detected: Internet Explorer v8.00 (8.00.6001.18702)
      * Using default options
      ==================================================

      Running processes:

      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
      C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
      C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
      C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\brsvc01a.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\brss01a.exe
      C:\WINDOWS\system32\Brmfrmps.exe
      C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
      C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
      C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
      C:\WINDOWS\system32\mfevtps.exe
      C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
      C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
      C:\Program Files\Dell Support Center\bin\sprtsvc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
      C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\WINDOWS\stsystra.exe
      C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      C:\Program Files\McAfee.com\Agent\mcagent.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\WINDOWS\system32\dla\tfswctrl.exe
      C:\Program Files\Dell Support Center\bin\sprtcmd.exe
      C:\Program Files\Brother\ControlCenter2\brctrcen.exe
      C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\NetWaiting\netWaiting.exe
      C:\Program Files\DellSupport\DSAgnt.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\igfxsrvc.exe
      C:\Documents and Settings\steve brophy\Desktop\HijackThis.exe

      --------------------------------------------------

      Listing of startup folders:

      Shell folders Common Startup:
      [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
      Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

      --------------------------------------------------

      Checking Windows NT UserInit:

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
      UserInit = C:\WINDOWS\system32\userinit.exe,

      --------------------------------------------------

      Autorun entries from Registry:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run

      UserFaultCheck = %systemroot%\system32\dumprep 0 -u
      SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      SigmatelSysTrayApp = stsystra.exe
      SetDefPrt = C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
      QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
      PaperPort PTD = C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      mcui_exe = "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
      KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
      ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
      IndexSearch = C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
      igfxtray = C:\WINDOWS\system32\igfxtray.exe
      igfxpers = C:\WINDOWS\system32\igfxpers.exe
      igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
      DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      dscactivate = "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
      dla = C:\WINDOWS\system32\dla\tfswctrl.exe
      DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
      ControlCenter2.0 = C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
      Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

      --------------------------------------------------

      Autorun entries from Registry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run

      MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
      ModemOnHold = C:\Program Files\NetWaiting\netWaiting.exe
      DellSupport = "C:\Program Files\DellSupport\DSAgnt.exe" /startup
      ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

      --------------------------------------------------

      Autorun entries in Registry subkeys of:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run

      [OptionalComponents]
       =

      --------------------------------------------------

      Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

      Shell=*INI section not found*
      SCRNSAVE.EXE=*INI section not found*
      drivers=*INI section not found*

      Shell & screensaver key from Registry:

      Shell=Explorer.exe
      SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
      drivers=*Registry value not found*

      Policies Shell key:

      HKCU\..\Policies: Shell=*Registry value not found*
      HKLM\..\Policies: Shell=*Registry value not found*

      --------------------------------------------------


      Enumerating Browser Helper Objects:

      AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
      (no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
      scriptproxy - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120627213603.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
      (no name) - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - {B164E929-A1B6-4A06-B104-2CD0E90A88FF}
      (no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing) - {DBC80044-A445-435b-BC74-9C25C1C588A9}

      --------------------------------------------------

      Enumerating Task Scheduler jobs:

      Adobe Flash Player Updater.job
      User_Feed_Synchronization-{375BC084-580F-4C01-BEA2-5588A6054F26}.job

      --------------------------------------------------

      Enumerating Download Program Files:

      [Shockwave Flash Object]
      InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash32_11_9_900_170.ocx
      CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

      --------------------------------------------------

      Enumerating ShellServiceObjectDelayLoad items:

      PostBootReminder: C:\WINDOWS\system32\shell32.dll
      CDBurn: C:\WINDOWS\system32\SHELL32.dll
      WebCheck: C:\WINDOWS\system32\webcheck.dll
      SysTray: C:\WINDOWS\system32\stobject.dll
      WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

      --------------------------------------------------
      End of report, 7,843 bytes
      Report generated in 0.703 seconds

      Command line options:
         /verbose  - to add additional info on each section
         /complete - to include empty sections and unsuspicious data
         /full     - to include several rarely-important sections
         /force9x  - to include Win9x-only startups even if running on WinNT
         /forcent  - to include WinNT-only startups even if running on Win9x
         /forceall - to include all Win9x and WinNT startups, regardless of platform
         /history  - to list version history only

Hoov
      Re: [In Progress] Ransomware style infection
      « Reply #37 on: January 06, 2014, 08:55:08 PM »
The programs listed below can be stopped from starting with Windows (if you do not use them, or can wait a few more seconds for them to start).

      DVDLauncher.exe - Allows you to play DVD movies when you insert a DVD.
      msmsgs.exe - Windows Messenger
      netWaiting.exe - this is a net waiting for dialup modems when you receive a call while online.
      DSAgnt.exe - Dell Support
      Various Brother printer and scanner monitors. Can be started manually.
      SSBkgdupdate.exe - Scansoft OmniPage Autoupdater
      QuickTime Task - Quicktime
      PaperPort PTD - PaperPort
      DellSupportCenter
      Adobe Reader Speed Launcher - Launches Adobe Reader automatically in seconds rather than a minute


      If you don't need them, go ahead and go into their settings and turn the setting off that lets them start with windows. If you cannot figure out how to stop them, there is a tool below that lets you do that. The more you can stop from starting with windows, the more memory and CPU Cycles you will have. The computer will seem faster and run better.


Get Mike Lin's Startup Control Panel and install it. Don't get the standalone version. Install it, and then go to the Windows Control Panel and start the Startup Control Panel.


      Let me know if you have any questions.

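The posted StartupList report and the reply above that reads it are the sort of thing that gets triaged by eye. As an added example (not code from this thread and not part of HijackThis), here is a short Python script that does the first pass mechanically: it parses the Run-key and Browser Helper Object sections of a StartupList report and flags entries a helper would open first. The sample report embedded in it is a constructed excerpt modelled on the log above, with one made-up entry (`Updater`, running out of Application Data) added purely to exercise the out-of-place check; that entry did not appear on the poster's machine. The `%systemroot%` expansion and the trusted-directory prefixes assume a default Windows XP layout.

```python
"""Offline triage of a HijackThis StartupList report. Added example: not code
from the thread or from HijackThis. Reasons reported from the Run-key and BHO
sections (a flag is a reason to look at the file, not proof of infection):
  bare_filename              no directory: the loader's search path picks the file
  unquoted_path_with_spaces  CreateProcess may try C:\\Program.exe etc. first
                             (common on legitimate installers, low severity)
  outside_program_dirs       executable outside Program Files / WINDOWS
  bho_file_missing           BHO registration whose DLL is gone
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the posted log. The 'Updater' line is made up
# to exercise the out-of-place check; it did NOT appear on the poster's machine.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UserFaultCheck = %systemroot%\system32\dumprep 0 -u
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SigmatelSysTrayApp = stsystra.exe
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
Updater = C:\Documents and Settings\user\Application Data\svchost.exe -silent

--------------------------------------------------

Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing) - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------
"""

# Assumed default Windows XP layout; adjust for the machine under review.
ENV = {"%systemroot%": "C:\\WINDOWS", "%windir%": "C:\\WINDOWS"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif|dll|ocx))(?=\s|$)", re.I)


def split_command(value: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a Run-key value."""
    value = value.strip()
    if value.startswith('"') and value.find('"', 1) != -1:
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip(), True
    m = EXE_RE.match(value)              # unquoted path up to the first .exe/.dll/...
    if m:
        return m.group(1), value[m.end():].strip(), False
    exe, _, rest = value.partition(" ")  # no recognised extension: first token
    return exe, rest.strip(), False


def parse_report(text: str) -> List[Dict[str, str]]:
    """Collect Run-key values and BHO registrations from StartupList output."""
    entries, section, key = [], None, ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("-----"):                     # section separator
            section, key = None, ""
        elif line == "Autorun entries from Registry:":
            section = "autorun"
        elif line == "Enumerating Browser Helper Objects:":
            section = "bho"
        elif section == "autorun" and line.upper().startswith(("HKLM\\", "HKCU\\")):
            key = line
        elif section == "autorun" and " = " in line:
            name, _, value = line.partition(" = ")
            entries.append({"kind": "autorun", "key": key, "name": name.strip(), "value": value.strip()})
        elif section == "bho" and line.count(" - ") == 2:  # name - dll path - {CLSID}
            name, path, clsid = (p.strip() for p in line.split(" - "))
            entries.append({"kind": "bho", "key": clsid, "name": name, "value": path})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (entry name, reason, detail) for everything worth a second look."""
    findings = []
    for e in entries:
        if e["kind"] == "bho":
            if "(file missing)" in e["value"].lower():
                findings.append((e["name"], "bho_file_missing", e["value"]))
            continue
        exe, _args, quoted = split_command(e["value"])
        if "\\" not in exe:                  # e.g. 'stsystra.exe': resolved via search path
            findings.append((e["name"], "bare_filename", exe))
            continue
        full = exe
        for var, real in ENV.items():        # expand a leading %systemroot% / %windir%
            if exe.lower().startswith(var):
                full = real + exe[len(var):]
        if " " in full and not quoted:
            findings.append((e["name"], "unquoted_path_with_spaces", exe))
        if not full.lower().startswith(TRUSTED_PREFIXES):
            findings.append((e["name"], "outside_program_dirs", full))
    return findings


if __name__ == "__main__":
    for name, reason, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{reason:26} {name:20} {detail}")
```

Two things to keep in mind when reading the output. A `bare_filename` hit is a pointer, not a verdict: cross-check it against the "Running processes" section, which in the log above shows `stsystra.exe` loaded from `C:\WINDOWS`, the expected home of the SigmaTel tray applet. And `unquoted_path_with_spaces` hits are common on perfectly legitimate installers (several of the entries in the posted log would trigger it); they only matter where a non-administrator can write to the drive root or to a prefix directory such as `C:\Program Files`, so treat them as low-priority noise unless the rest of the entry already looks odd.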

sean
      Re: [In Progress] Ransomware style infection
      « Reply #38 on: January 06, 2014, 09:48:26 PM »
      Done.  It's a noticeable improvement.

Hoov
      Re: [In Progress] Ransomware style infection
      « Reply #39 on: January 06, 2014, 09:57:25 PM »
If you run Startup Control Panel and go through the various tabs, you may be able to find other programs that you do not need.

      Do you have any other problems, questions or concerns?


sean
      Re: [In Progress] Ransomware style infection
      « Reply #40 on: January 06, 2014, 10:05:18 PM »
      Thanks!

      I remember there was an easy utility for removing the various spyware removal tools from the desktop?
      Or should I just remove them manually?

Hoov
      Re: [In Progress] Ransomware style infection
      « Reply #41 on: January 06, 2014, 10:10:40 PM »
      Nope, that is part of the cleanup. If you are all ready,

Now there are a few things you need to do to fully clean your system and keep it secure.

      Run OTC
      Download OTC to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
      You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go through the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion. There are System Security Suite, EasyCleaner and CCleaner. Sometimes other programs do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

      Disable and Enable System Restore.
      I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.
      For Vista use these instructions, Windows Vista Restore Guide
      For XP use these instructions, Windows XP System Restore Guide
      Reboot
      Re-enable system restore with instructions from tutorial above
      Create a System Restore Point
      Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser through the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
      It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware and Malwarebytes' Anti-Malware.

      Always use a firewall.
      Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
       
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software you have that connects to the net, need to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. Download version 2. It is not the download button, but just underneath it. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

      We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
      PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

      Let us know if you have any more problems, either new or old.
      Have a good time surfing the net, but stay safe.
      If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.


sean
      Re: [In Progress] Ransomware style infection
      « Reply #42 on: January 08, 2014, 02:56:05 PM »
      Thank you very much, Hoov.

      Your assistance was greatly appreciated!

Hoov
      Re: [In Progress] Ransomware style infection
      « Reply #43 on: January 08, 2014, 04:37:55 PM »
      You are welcome!
