[Solved] Malware removal help (possibly TeslaCrypt)

FairyL

New Member
Thread author
Verified
May 22, 2016
16
When I ran Malwarebytes, it identified the virus and quarantined it, eventually removing it. Hitman Pro is showing "no threats" now. The threats diagnosed by SpyHunter 4 are "Bravenet, mediaples, xiti.com and gator", all either tracking cookies or spyware cookies. I thought I had gotten rid of the virus, but now every time I restart my computer the pop-up above keeps showing up. I don't know how to get rid of that. Please help.
As for my encrypted files, I actually had a backup on Dropbox and even though it did get infected as well, I asked Dropbox to do a rollback to before the date my files were deleted, and I'm fairly certain I can retrieve most of my files. I'm just concerned about the pop-ups. Does it mean that my computer still has the virus? If not, how do I get rid of the pop-ups?
Also, I looked it up online, and I'm not sure whether the virus is TeslaCrypt or CryptoWall.
 

FairyL

New Member
Thread author
Verified
May 22, 2016
16
Sorry, I just scanned with Farbar and I'm attaching the FRST report
 

Attachments

  • Addition.txt
    29.2 KB · Views: 8
  • FRST.txt
    39.9 KB · Views: 14

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Looks like TeslaCrypt, but let's go through a procedure to be completely sure about it. If this is indeed TeslaCrypt, we can restore your files.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after the Windows Security Warning - Open File prompt appears.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.



You will also find an Upload.zip archive on your Desktop. Please upload it to the file host linked here (Free large file hosting. Send big files the easy way!) and give me the download link.
 

Attachments

  • fixlist.txt
    875 bytes · Views: 8

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please run one more fix with this fixlist.txt attached and upload again Upload.zip archive.
 

Attachments

  • fixlist.txt
    32 bytes · Views: 7

FairyL

New Member
Thread author
Verified
May 22, 2016
16
I'm attaching the fixlog.txt but this time there was no Upload.zip archive generated.
 

Attachments

  • Fixlog.txt
    458 bytes · Views: 5

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Sorry, it was my mistake. Go to C:\FRST, right-click on Quarantine, select Send to >> Compressed (zipped) folder and upload this archive.
 

FairyL

New Member
Thread author
Verified
May 22, 2016
16
That's alright. I tried that and it's saying: "Compressed (zipped) folders error: file not found or no read permission".
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
It seems you can use Kaspersky RannohDecryptor to save your files.

Let's first clean your PC from the remnants of infection.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after the Windows Security Warning - Open File prompt appears.)
  • Make sure that the Addition.txt option is checked.
  • Press the Scan button and wait.
  • The tool will produce two log files on your desktop: FRST.txt and Addition.txt.
Please attach both reports to your next reply.
 

FairyL

New Member
Thread author
Verified
May 22, 2016
16
Is the Kaspersky RannohDecryptor found online to download free?
 

Attachments

  • FRST.txt
    41.1 KB · Views: 2
  • Addition.txt
    28.3 KB · Views: 3

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, but there is a trick to using it.

In your case, you must find the largest file that has been encrypted, because of the way this infection works. Only files of the same size and smaller will be disinfected. Meaning, if you find the largest infected file, all files will be disinfected.

Let's perform FRST fix first:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after the Windows Security Warning - Open File prompt appears.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.



To disinfect the system:

  1. Download RannohDecryptor.zip. The following pages contain information on how to download the file.
  2. Run RannohDecryptor.exe on the infected computer.
  3. In the main window, click Start scan.
  4. Indicate the path to one encrypted file and one unencrypted file.
    If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, indicate the largest files. Only files of this size or smaller will be decrypted.
  5. Wait until the files are found and decrypted.
  6. Reboot the computer, if needed.
 

Attachments

  • fixlist.txt
    899 bytes · Views: 2

FairyL

New Member
Thread author
Verified
May 22, 2016
16
I'm attaching the fixlog.txt
As for the RannohDecryptor, I'm downloading it now but how do I identify which of the infected files is the largest? Sorry, I'm not really techy at all.
 

Attachments

  • Fixlog.txt
    2.2 KB · Views: 1

FairyL

New Member
Thread author
Verified
May 22, 2016
16
So I think I found out how to identify the largest file. But it's showing a 'system file' that reads 'pagefile.sys C:/', and a message pops up saying modifying the file can damage the system. Its size is 8.0 GB. Should I proceed or choose another file?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
  • Please download and unpack Search Everything.
  • Start Everything.exe.
  • In the search field, please type exactly this:
    Code:
    *.crypt
  • It will list all the files with the .crypt extension.
  • Click on the Size column so it sorts them for you, putting the biggest one on top.
  • Take a screenshot of this window and attach it to your next reply.
 
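The size-ranking step from the last two posts (find the largest file the ransomware produced so the decryptor's size ceiling covers everything, and avoid the trap of a raw size sort that surfaces pagefile.sys), as an added example that is not from the thread, from Search Everything or from Kaspersky's RannohDecryptor. It assumes the ransomware appended ".crypt" to each victim file (the extension searched for above), that an unencrypted "twin" of a file is the same name without that suffix and exists only where a backup or rollback restored it, and that 7.0 bits/byte of Shannon entropy is a reasonable cut-off for "this really is ciphertext, not a renamed document". The sample profile it scans is constructed in a temp directory with sizes scaled down from the 8 GB pagefile mentioned in the thread.

```python
"""Rank ransomware output by size to choose the decryptor's reference file.

Added example, not code from the MalwareTips thread or from any decryptor.
Assumptions (not stated on the page): victim files end in ".crypt"; the
unencrypted twin is the same path minus that suffix; ciphertext scores
>= ENTROPY_MIN bits/byte. Sample data below is constructed, not real.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".crypt"   # the extension the thread searches for (*.crypt)
ENTROPY_MIN = 7.0          # assumption: ciphertext sits near 8 bits/byte, documents well below


def rank_by_size(root, ext=None):
    """Walk root and return [(path, size)] largest first.

    ext=None ranks every file and reproduces what a raw size sort shows
    (pagefile.sys on top); ext=".crypt" keeps only the ransomware's output.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if ext is not None and p.suffix.lower() != ext:
                continue
            hits.append((str(p), p.stat().st_size))
    hits.sort(key=lambda t: (-t[1], t[0]))
    return hits


def entropy_bits_per_byte(path, sample=4096):
    """Shannon entropy of the file's first `sample` bytes (0.0 for an empty file)."""
    data = Path(path).read_bytes()[:sample]
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """Cheap sanity check: a plaintext file someone merely renamed fails this."""
    return entropy_bits_per_byte(path) >= ENTROPY_MIN


def original_for(encrypted_path):
    """Expected path of the unencrypted twin: strip the appended extension."""
    return Path(encrypted_path).with_suffix("")   # report.docx.crypt -> report.docx


def pick_reference_files(root, ext=ENCRYPTED_EXT):
    """Largest real ciphertext (the decryptor's size ceiling) plus a twin pair if one survives."""
    ranked = [(p, s) for p, s in rank_by_size(root, ext) if looks_encrypted(p)]
    if not ranked:
        return None
    largest, ceiling = ranked[0]
    pair = None
    for enc, _size in ranked:          # ranked largest first, so the first twin found is the best one
        twin = original_for(enc)
        if twin.is_file():
            pair = (enc, str(twin))
            break
    return {"largest_encrypted": largest, "size_ceiling": ceiling, "pair": pair, "count": len(ranked)}


def build_sample_tree():
    """Constructed victim profile (not real data); sizes scaled down for the demo."""
    root = Path(tempfile.mkdtemp(prefix="crypt-demo-"))
    ciphertext = {                     # random bytes stand in for encrypted content
        "Documents/thesis.docx.crypt": 40_000,
        "Pictures/holiday.jpg.crypt": 25_000,
        "Downloads/notes.txt.crypt": 1_200,
    }
    plaintext = {                      # low-entropy filler
        "Documents/thesis.docx": 39_900,          # twin restored from backup
        "Pictures/holiday.jpg.crypt.bak": 100,    # suffix is .bak, must be ignored
        "Documents/renamed.txt.crypt": 50_000,    # plaintext with the wrong name, not ciphertext
        "pagefile.sys": 80_000,                   # biggest file on disk, not a victim
    }
    for rel, size in ciphertext.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(os.urandom(size))
    for rel, size in plaintext.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes((b"lorem ipsum " * (size // 12 + 1))[:size])
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("raw size sort puts on top:", Path(rank_by_size(root)[0][0]).name)
    print(pick_reference_files(root))
```

Run it as a script to see the two rankings side by side: the unfiltered one lands on pagefile.sys, exactly what the thread author hit, while the filtered one yields thesis.docx.crypt as the size ceiling and its restored thesis.docx as the unencrypted counterpart. The entropy check is what keeps renamed.txt.crypt, which is larger but not ciphertext, from being offered as the reference file.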
