Ransomware - PCEU virus

Fiery

Level 1
Jan 11, 2011
2,007
Please use the New Reply function so I get a notification when you have replied :)

There's malware preventing us from running the tools.

Start your computer in Safe Mode with Networking.

  • Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  • Tap the F8 key continuously until you get the Advanced Boot Options screen.
  • On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.
    [Image: Safe Mode with Networking screen]

Step 2: Download and transfer RKill to your infected PC

Download mirror 1 - Download mirror 2 - Download mirror 3


  • Save it to the Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run. If it does not run, try another download link from above.
    [Image: RKill command prompt]
  • When RKill has completed its task, it will generate a log. You can then proceed with the rest of the guide.
    [Image: RKill log]

WARNING: Do not reboot your computer after running RKill, as the malware process will start again, preventing you from properly performing the next step.

Then attempt to run an OTL scan in safe mode.
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
Good morning, I'll give your last post attention now.

So I have on my Mac Rkill.com, rkill.exe and iexplorer.exe from your links. I do not believe Safe Mode with Networking will give me internet on the PC.

I am about to go on the PC, so if I cannot get an internet connection I will copy the files to the desktop (as before). rkill.exe & iexplorer.exe should run imo.


Is that what I should do?

I have the PC back; the problem is no internet.

Just ran a Malwarebytes full scan, found this:
Trojan Agent C:\Users\chris\App Data\Roaming\skype.dat

Removed it, restarted and scanning again to see if it comes back.
BTW I have 'lost' my printer. Easily solved when the internet comes back.
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
Fryern said:
Good morning, I'll give your last post attention now.

So I have on my Mac Rkill.com, rkill.exe and iexplorer.exe from your links. I do not believe Safe Mode with Networking will give me internet on the PC.

I am about to go on the PC, so if I cannot get an internet connection I will copy the files to the desktop (as before). rkill.exe & iexplorer.exe should run imo - not sure what to do with rkill.com?

Is that what I should do?

I have the PC back; the problem is no internet.

Just ran a Malwarebytes full scan, found this:
Trojan Agent C:\Users\chris\App Data\Roaming\skype.dat

Removed it, restarted and scanning again to see if it comes back.

Not showing on 2nd scan.

BTW I have 'lost' my printer. Easily solved when the internet comes back.

Safe Mode with Networking does not give me an internet connection - back to the flash route? Time 12:00 GMT
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
RKill text

May have the sequence wrong.

OTL scan next.
 

Attachments

  • Rkill.txt
    3.9 KB · Views: 125

Fiery

Level 1
Jan 11, 2011
2,007
Good afternoon,

Sounds to me like you have a rootkit still hiding on your PC. Continue to transfer the tools from your Mac to your PC until we get internet back.

Download TDSSKiller from here
  • Double-click on TDSSKiller.exe to run the application.
  • When TDSSKiller opens, click Change parameters, then check the box next to Loaded modules. A reboot will be required.
  • After the reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
    [Image: clip.jpg]
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).




Please download ServicesRepair and save it to your desktop.

  • Double-click ServicesRepair.exe
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
OK, just so you know, whatever sequence I run iexplorer/OTL in, I get the Firefox hang.

Will be a little while before I come back again
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
I've been trying to upload the log for the past 2 hours.

One TDSS4 was found and deleted. About 12 warnings, which went to Skip, but nothing malicious.

Still unable to get an internet connection via wireless. Not sure whether it is worth trying Ethernet?

It means moving the PC to the modem.
 

Fiery

Level 1
Jan 11, 2011
2,007
If the TDSSKiller log doesn't want to upload, can you just copy the last portion of the log directly into the reply? Just the list of the suspicious objects and detections. It looks like TDSSKiller caught a rootkit.

Attempt to run an OTL scan in safe mode now :)
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
15:55:51.0559 1628 Scan finished
15:55:51.0559 1628 ============================================================
15:55:51.0574 1576 Detected object count: 11
15:55:51.0574 1576 Actual detected object count: 11
15:58:56.0902 1576 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 NSUService ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 NSUService ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 PACSPTISVR ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 PACSPTISVR ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0902 1576 RtkAudioService ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 RtkAudioService ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0918 1576 ServiceLayer ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0918 1576 ServiceLayer ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0918 1576 VAIO Entertainment TV Device Arbitration Service ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0918 1576 VAIO Entertainment TV Device Arbitration Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0918 1576 VzCdbSvc ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0918 1576 VzCdbSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0918 1576 \Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen ) - skipped by user
15:58:56.0918 1576 \Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen ) - User select action: Skip
15:59:58.0319 1612 Deinitialize success
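The log above mixes ten generic "UnsignedFile.Multi.Generic" notices with one named rootkit verdict, all skipped, and the thread also shows how hard it was to paste a complete log. The following triage helper is an added example (not TDSSKiller's code, not from the thread's participants) that separates named-malware verdicts from unsigned-file notices, flags anything skipped that should be re-run with Cure or Delete, and checks that the number of parsed entries matches the count the log declares. The sample log is constructed in the shape of the paste, with the count set to match its two objects; the regular expressions assume that same line layout.

```python
"""Triage a pasted TDSSKiller log: separate named-malware verdicts from generic
unsigned-file notices and flag detections the user skipped. Added example; not
TDSSKiller's own code. The log layout assumed is the one pasted in the thread."""
import re
from collections import Counter

# Constructed sample in the shape of the thread's paste (two objects, not eleven).
SAMPLE_LOG = r"""
15:55:51.0559 1628 Scan finished
15:55:51.0574 1576 Detected object count: 2
15:55:51.0574 1576 Actual detected object count: 2
15:58:56.0902 1576 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - skipped by user
15:58:56.0902 1576 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:58:56.0918 1576 \Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen ) - skipped by user
15:58:56.0918 1576 \Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen ) - User select action: Skip
15:59:58.0319 1612 Deinitialize success
"""

# One "User select action" line per object: timestamp, thread id, object, verdict, action.
ACTION_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<obj>.+?) \( (?P<verdict>\S+) \) "
    r"- User select action: (?P<action>\w+)$"
)
COUNT_RE = re.compile(r"^\S+\s+\d+\s+Detected object count: (\d+)$", re.M)

# Verdict prefixes that only say "this file is unsigned", not that it is malicious.
INFORMATIONAL_PREFIXES = ("UnsignedFile.",)


def parse_actions(text):
    """Return (object, verdict, action) for every 'User select action' line."""
    entries = []
    for line in text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            entries.append((m["obj"], m["verdict"], m["action"]))
    return entries


def needs_attention(entries):
    """Named-malware verdicts that were skipped rather than cured or deleted."""
    return [
        (obj, verdict)
        for obj, verdict, action in entries
        if not verdict.startswith(INFORMATIONAL_PREFIXES) and action.lower() == "skip"
    ]


def summarize(text):
    """A glance-able summary plus a completeness check on the pasted excerpt."""
    entries = parse_actions(text)
    count = COUNT_RE.search(text)
    declared = int(count.group(1)) if count else None
    return {
        "declared": declared,
        "parsed": len(entries),
        "complete": declared == len(entries),
        "verdicts": dict(Counter(v for _, v, _ in entries)),
        "attention": needs_attention(entries),
    }


if __name__ == "__main__":
    for obj, verdict in summarize(SAMPLE_LOG)["attention"]:
        print(f"re-run TDSSKiller and choose Cure/Delete for: {obj} ({verdict})")
```

The "complete" flag is what a helper wants first when a log arrives in pieces: if the declared count and the parsed count disagree, the paste is truncated and the skipped-object list cannot be trusted yet.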
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
Attempt to run an OTL scan in safe mode now

Same problem - stalls at Firefox.

Is it worth uninstalling Firefox and defaulting to Explorer?
 

Fiery

Level 1
Jan 11, 2011
2,007
No need to reinstall Firefox, we found the problem.

I hope you backed up all your important files, since the steps we will take now may be dangerous. I encourage you to back up important files to an external hard drive or USB just in case.

Download ListParts and save it to the flash drive.

  • Boot to System Recovery (like you did when you ran FRST). In the command prompt, type e:\listparts.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • ListParts will start to run. Check the box beside List BCD and click Scan.
  • When finished scanning it will make a log, Result.txt, on the flash drive.
  • Type exit.
  • Please copy the content of Result.txt in your next reply.
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 10-02-2013 at 20:44:16
Windows Vista (X86)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================
Percentage of memory in use: 10%
Total physical RAM: 2924.45 MB
Available physical RAM: 2604.85 MB
Total Pagefile: 2717 MB
Available Pagefile: 2593.22 MB
Total Virtual: 2047.88 MB
Available Virtual: 1987.18 MB

======================= Partitions =========================
1 Drive c: () (Fixed) (Total:455.27 GB) (Free:401.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (BTHomeHub) (CDROM) (Total:0.1 GB) (Free:0 GB) CDFS
3 Drive e: (Recovery) (Fixed) (Total:10.49 GB) (Free:0.83 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (HITMANPRO) (Removable) (Total:3.71 GB) (Free:3.47 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============
Disk ID: 3B14E91E

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 455 GB 10 GB

======================================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 10 GB Healthy Hidden

======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 455 GB Healthy

======================================================================================================
Partitions of Disk 1:
===============
Disk ID: F2D1C359

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3812 MB 32 KB

======================================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F HITMANPRO FAT32 Removable 3812 MB Healthy

======================================================================================================
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {b4eeeb97-59d7-11dd-8aaa-888888888788}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {current}
device ramdisk=[E:]\sources\boot.wim,{ramdiskoptions}
path \windows\system32\boot\winload.exe
description Windows Recovery Environment
osdevice ramdisk=[E:]\sources\boot.wim,{ramdiskoptions}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
recoverysequence {current}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {b4eeeb97-59d7-11dd-8aaa-888888888788}
nx OptIn
bootlog Yes

Resume from Hibernate
---------------------
identifier {b4eeeb97-59d7-11dd-8aaa-888888888788}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {ntldr}
device unknown
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Setup Ramdisk Options
---------------------
identifier {ramdiskoptions}
description Ramdisk options
ramdisksdidevice partition=E:
ramdisksdipath \boot\boot.sdi

****** End Of Log ******
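A ListParts log like the one above is read by a helper to confirm that the boot chain is intact: the partition Windows Boot Manager points at should be the active, unhidden one, and each loader entry should point at its usual binary. The script below is an added example (not Farbar's code and not from the thread) that parses the per-partition detail blocks and the BCD entries and cross-checks them. The sample is a constructed, abbreviated excerpt mirroring the thread's log; the set of "expected" loader paths is an assumption based on a default Vista layout, and the checks are a triage aid rather than a verdict (the BackBoot detection in this thread was reported on a disk device object, which this log does not describe).

```python
"""Cross-check partition flags against BCD entries in a ListParts Result.txt.
Added example; not Farbar's code. Assumes the text layout shown in the thread."""
import re

# Constructed, abbreviated excerpt in the shape of the thread's Result.txt.
SAMPLE_LISTPARTS = r"""
======================================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 10 GB Healthy Hidden
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 455 GB Healthy
======================================================================================================
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
default {default}
Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
osdevice partition=C:
Windows Legacy OS Loader
------------------------
identifier {ntldr}
device unknown
path \ntldr
Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
****** End Of Log ******
"""

# Assumed default paths (lower-cased) for each BCD entry type on a Vista system.
EXPECTED_PATHS = {
    "Windows Boot Loader": {r"\windows\system32\winload.exe", r"\windows\system32\boot\winload.exe"},
    "Resume from Hibernate": {r"\windows\system32\winresume.exe"},
    "Windows Memory Tester": {r"\boot\memtest.exe"},
    "Windows Legacy OS Loader": {r"\ntldr"},
}


def parse_partition_blocks(text):
    """Map volume letter -> flags from the per-partition blocks between '=' rulers."""
    volumes = {}
    for block in text.split("=" * 20):
        active = re.search(r"^Active:\s*(Yes|No)", block, re.M)
        hidden = re.search(r"^Hidden:\s*(Yes|No)", block, re.M)
        ptype = re.search(r"^Type\s*:\s*(\w+)", block, re.M)
        vol = re.search(r"^\*?\s*Volume\s+\d+\s+([A-Z])\s", block, re.M)
        if active and hidden and vol:
            volumes[vol.group(1)] = {"active": active.group(1) == "Yes",
                                     "hidden": hidden.group(1) == "Yes",
                                     "type": ptype.group(1) if ptype else "?"}
    return volumes


def parse_bcd(text):
    """Return [(title, {key: value})] per BCD entry (a title line underlined with dashes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]  # tolerate forum blank lines

    def is_title(i):
        return i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1]) is not None

    entries, i = [], 0
    while i < len(lines):
        if not is_title(i):
            i += 1
            continue
        title, kv, j = lines[i], {}, i + 2
        while j < len(lines) and not is_title(j) and not lines[j].startswith("***"):
            key, _, value = lines[j].partition(" ")
            if not value and key.startswith("{"):  # wrapped continuation of 'inherit'
                kv["inherit"] = (kv.get("inherit", "") + " " + key).strip()
            else:
                kv[key] = value.strip()
            j += 1
        entries.append((title, kv))
        i = j
    return entries


def boot_checks(text):
    """Flag boot-manager devices that are hidden/inactive and loaders with unusual paths."""
    volumes, findings, entries = parse_partition_blocks(text), [], parse_bcd(text)
    for title, kv in entries:
        dev = kv.get("device", "")
        m = re.fullmatch(r"partition=([A-Z]):", dev)
        if m:
            vol = volumes.get(m.group(1))
            if vol is None:
                findings.append(f"{title}: {dev} is not a volume in the partition table")
            elif title == "Windows Boot Manager" and (vol["hidden"] or not vol["active"]):
                findings.append(f"{title}: {dev} is hidden or not the active partition")
        path = kv.get("path", "").lower()
        if title in EXPECTED_PATHS and path and path not in EXPECTED_PATHS[title]:
            findings.append(f"{title} {kv.get('identifier', '')}: unexpected path {kv['path']}")
    return {"volumes": volumes, "entries": len(entries), "findings": findings}


if __name__ == "__main__":
    print(boot_checks(SAMPLE_LISTPARTS))
```

On the thread's own log these checks come back clean: C: is the active, unhidden partition that {bootmgr} and {default} point at, the recovery partition E: is hidden as expected for type 27, and every loader path is the standard one.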
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
Just so you know, I am having great problems attaching files to posts; it just loops on upload.
 

Fiery

Level 1
Jan 11, 2011
2,007
OK, rerun TDSSKiller, but this time select Delete for:

\Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen )

Then go into safe mode:

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix to your Desktop as Combo-Fix.exe

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Posted Image]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Posted Image]
Click on Yes to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

Fryern

New Member
Thread author
Verified
Feb 5, 2013
92
I am having problems getting a good version of ComboFix; the PC says integrity problems - any ideas?

BTW, as I do not have internet, I will not be able to download the Microsoft Windows Recovery Console before I get rid of the virus, will I?
 
