Met Police ransom. jpeg and pdf files won't open

richy

New Member
Thread author
Verified
Jan 19, 2013
23
Hello, I have been infected with a ransom virus which I think I have removed (Win32Filecoder.AO.Gen.txt). But I need help to restore all my jpeg and pdf files. I have tried with the Kaspersky decrypter with no luck; I have some original files but there is a couple of kbytes size difference so the program won't work. Any help greatly appreciated.
 

Attachments

  • OTL.Txt
    86.5 KB · Views: 75
  • aswMBR.txt
    2.2 KB · Views: 89
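A first triage step for the situation in the opening post, added here as an example and not code from the thread or from MalwareTips: check whether the .jpg and .pdf files still begin with the bytes their format requires. Intact headers point to a broken file association rather than changed contents; a header that no longer matches the extension means the bytes themselves were altered. The sample files are constructed in a temporary directory, and only the two formats named in the post are covered (an assumption of the script).

```python
"""Header triage for JPEG/PDF files.  Added example, not from the thread;
sample files are constructed below, not taken from the poster's machine."""
import os
import tempfile

# Leading bytes each format must start with (assumption: only the formats
# named in the opening post are covered).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def classify(path):
    """'intact' if the header matches the extension, 'modified' if it does
    not, 'unknown' for extensions this script does not know."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(len(MAGIC[ext]))
    return "intact" if head == MAGIC[ext] else "modified"


def triage(directory):
    """Classify every regular file in a directory; returns {basename: verdict}."""
    verdicts = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            verdicts[name] = classify(full)
    return verdicts


def summarize(verdicts):
    """Count how many files fall into each verdict class."""
    counts = {"intact": 0, "modified": 0, "unknown": 0}
    for verdict in verdicts.values():
        counts[verdict] += 1
    return counts


def demo():
    """Constructed sample set: two intact files, one JPEG whose header was
    overwritten, and a text file the script does not judge."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24,
            "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 24,
            "damaged.jpg": b"\x9c\x11\x7a\x00" + b"\x00" * 32,  # header overwritten
            "notes.txt": b"plain text, not judged\n",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return triage(d)


if __name__ == "__main__":
    result = demo()
    for name, verdict in result.items():
        print(f"{name:12s} {verdict}")
    print(summarize(result))
```

Run `triage()` against the real folder instead of `demo()` to get a per-file verdict; if every .jpg and .pdf comes back `intact`, the files are worth keeping as they are while the file-association side is sorted out.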

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Step 1: Start your computer in Safe Mode with Networking.

  • Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  • Tap the "F8 key" continuously until you get the Advanced Boot Options screen.
  • On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.

[Image: Safe Mode with Networking screen]

Step 2: Download and run RKill
Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run. If it does not run, try another download link from above.

[Image: RKill command prompt]

  • When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.

[Image: RKill log]

WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>;*.local
O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - G:\Program Files (x86)\pdfforge Toolbar\IE\6.6\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - G:\Program Files (x86)\pdfforge Toolbar\IE\6.6\pdfforgeToolbarIE.dll (Spigot, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9D7C8411-0A4D-43BF-BA5E-30B37B65B3EB}: DhcpNameServer = 194.168.4.100 194.168.8.100

:Files
G:\Program Files (x86)\pdfforge Toolbar
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Then click Run Fix. Post the log afterwards.



Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start).
  • Click Delete.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start.
  • Wait until Prescan has finished, then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click Delete and wait until it says deleting finished.
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
Hi Fiery, thanks for your reply. Logs attached.
 

Attachments

  • RKreport[2]_D_01192013_02d2226.txt
    2 KB · Views: 153
  • Rkill.txt
    3.9 KB · Views: 127
  • AdwCleaner[S1].txt
    3.3 KB · Views: 120
  • OTL.Txt
    86.5 KB · Views: 127

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Let's make sure all the malware is gone first before we fix the file extension problems.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;;*.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9D7C8411-0A4D-43BF-BA5E-30B37B65B3EB}: DhcpNameServer = 194.168.4.100 194.168.8.100

:Files
G:\Windows\System32\user32.dll|G:\Windows\SysWOW64\user32.dll /replace
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content afterwards.




Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click Decline.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
Hi Fiery

mbam log attached

thanks
 

Attachments

  • mbam-log-2013-01-19 (23-39-31).txt
    1.9 KB · Views: 107

richy

New Member
Thread author
Verified
Jan 19, 2013
23
I can't attach the OTL log, it said type of attachment not allowed. Do you want me to run it again?
 

Fiery

Level 1
Jan 11, 2011
2,007
You can just copy and paste the OTL log directly into your reply. The log shouldn't be too long.
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9D7C8411-0A4D-43BF-BA5E-30B37B65B3EB}\\DhcpNameServer| /E : value set successfully!

OTL by OldTimer - Version 3.2.69.0 log created on 01192013_233556
 

Fiery

Level 1
Jan 11, 2011
2,007
Did you copy and paste the rest of the OTL fix?

:Files
G:\Windows\System32\user32.dll|G:\Windows\SysWOW64\user32.dll /replace
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

If you haven't, do that first then go onto the next step.




Please download ERUNT from here to your USB and transfer it to your infected PC.
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the part that asks you to add ERUNT to the start-up folder).
  • Start ERUNT by double clicking on the desktop icon or choosing to
  • Choose a location for the backup
    (The default location is C:\WINDOWS\ERDNT)
  • Make sure that the boxes beside System Registry and Current User Registry are checked
    [Image: emvFs.png]
  • Press OK
  • Press YES to create the folder.




Next, download the files I have attached below and save them to your Desktop. Make sure you do the following in an administrator account.

Right-click on 1 file, click Merge. If UAC prompts, click Yes.

Do that for all three files then reboot. See if you can open pdf, jpeg and txt files now.
 

Attachments

  • Default_JPEG.reg
    15.4 KB · Views: 83
  • Default_PDF.reg
    414 bytes · Views: 88
  • Default_TXT.reg
    6 KB · Views: 83

richy

New Member
Thread author
Verified
Jan 19, 2013
23
After doing the last patch I get a system error, chrome.exe:

USER32.dll is missing from computer.
 

Fiery

Level 1
Jan 11, 2011
2,007
Open OTL. Under custom scan/fixes, copy and paste the following:

:Files
G:\Windows\System32\user32.dll|G:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll /replace

:commands
[reboot]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
When I try to run OTL: the instruction at 0x0000000 referenced memory at 0x0000000. The memory could not be read.
 

Fiery

Level 1
Jan 11, 2011
2,007
Go to Start > Computer > Organize > Folder and File Option > View > Show hidden folders and files > Ok

Navigate to G:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll, copy user32.dll. Then navigate to G:\Windows\System32\ and paste the file in that folder.
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
The file is already in the sys32 folder; if I paste it to replace it, it said the action can't be taken, file or folder already in use.
 

Fiery

Level 1
Jan 11, 2011
2,007
Yes, that would be the shortest route.

The user32.dll was damaged by the malware, that's why I wanted to replace it.
 

Fiery

Level 1
Jan 11, 2011
2,007
Don't perform the OTL fix, just run AdwCleaner for now, then do an OTL scan but under custom scan/fixes type:

/md5start
user32.dll
/md5stop

Then click Run Scan
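The `/md5start ... /md5stop` scan above lists the MD5 of every user32.dll OTL can find, so the installed copy can be compared with the one in the WinSxS store named earlier in the thread. The script below, added as an example and not OTL output or code from the thread, does the same comparison for any two files and reports SHA-256 alongside MD5. The two paths in `demo()` are constructed temporary files; on the poster's machine they would be the System32 copy and the WinSxS copy quoted above.

```python
"""Digest comparison of an installed DLL against a reference copy.
Added example; the files in demo() are constructed, not the poster's."""
import hashlib
import os
import tempfile


def bytes_digests(data):
    """MD5 and SHA-256 of an in-memory byte string.  MD5 is what OTL lists;
    SHA-256 is kept as well because MD5 collisions are cheap to build."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def file_digests(path, chunk=1 << 16):
    """Same digests for a file on disk, read in chunks so large DLLs are fine."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def compare(installed, reference):
    """Report both digests and whether the installed copy matches the reference."""
    a = file_digests(installed)
    b = file_digests(reference)
    return {"installed": a, "reference": b, "match": a["sha256"] == b["sha256"]}


def demo():
    """Constructed: a reference copy, an identical copy, and a copy with one
    byte flipped, which is what a damaged DLL of the same size looks like."""
    data = b"MZ" + bytes(range(256)) * 8
    tampered = data[:300] + bytes([data[300] ^ 0xFF]) + data[301:]
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content in (("reference", data), ("identical", data),
                              ("tampered", tampered)):
            paths[name] = os.path.join(d, f"user32_{name}.dll")
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return {
            "identical": compare(paths["identical"], paths["reference"])["match"],
            "tampered": compare(paths["tampered"], paths["reference"])["match"],
        }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label:10s} match={matched}")
```

Note that a same-size file can still differ, which is why the comparison is on the digest and not on the size OTL also prints; a mismatch against the WinSxS copy is the signal to replace the file, a match means the DLL itself is not the problem.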
 

richy

New Member
Thread author
Verified
Jan 19, 2013
23
AdwCleaner report attached

thanks
 

Attachments

  • AdwCleaner[S2].txt
    962 bytes · Views: 94
