Ransomware - PCEU virus

[Fiery]

Which program saids there's integrity problem? What is the exact error message? Does it say combofix has been compromised?

 

[Fryern]

Combo-Fix.exe double click then the message. Downloaded as Combofix from your links

So I downloaded it again copied it and renamed it. I now get the message it contains an illegal instruction option close or ignore. Ignore brings up the same message immediately. The instructions were listed but long.


CS:12a5 IP.24al 0P:66 0f 02 c0 66 is the first


Bed time

 

[Fiery]

Did you run TDSSkiller and deleted the \Device\Harddisk3\DR3 ( Rootkit.Win32.BackBoot.gen ) detection?

Hmm, try downloading a new version here: <a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a>

Rename it to iexplore.com before transferring it to the PC's Desktop. The click Start > Run (Alternatively, you can press the Windows key + R). In the box, type:

"%userprofile%\desktop\iexplore.com" /killall

Press Enter. See if that gets Combofix to run.

 

[Fryern]

Good morning

TDSS killer:-

Now comes up all clear and I did delete the suspect items.

The errors on Combofix came up immediately and I was noy prepared to ignoremore than once.

I'll try method 2 - thanks.

btw I have changed the default browser to explorer

 

[Fryern]

Press Start>Run

Type "%userprofile%\desktop\iexplore.com" /killall

I have to give permission to run

Then get the message:-

Integrity fail. For more info http://nsis.sf.net/NSIS_Error

 

[Fiery]

Ok, don't run combofix.

Please a new FRST scan. And when OTL hangs, how long do you wait before exiting OTL? The scan should take 5 minutes atleast.

Also, download MiniToolBox save it to your desktop and run it.

Place a check in the following boxes:

• Flush DNS
  Report IE Proxy Settings
  Reset IE Proxy Settings
  Report FF Proxy Settings
  Reset FF Proxy Settings
  List content of Hosts
  List IP configuration
  List Winsock Entries
  List last 10 Event Viewer log
  List Installed Programs
  List Devices
  List Users, Partitions and Memory size.
  List Minidump Files

Close your browsers and click Go. Post the Result.txt located in the same directory as the tool.

 

[Fryern]

Please find the attached scan text. I've got a small issue that I am not booting to desktop. I was looking at other issues with PCEU and changed the SHELL from Explorer to iexplore.exe I have changed it back. The boot goes to a file list and not the desktop - sorry.


I'll give OTL plenty of time and see if that makes a difference.

Post you results text soon

Keep

 

[Fryern]

OTL - it loads and starts as expected. Files flash through at the bottom of the screen. After 30 secs it hit Firefox. At this point it freezes. I left it for 30 mins and it made no difference. I had the settings as you asked.

results txt attached for Minitoolbox

 

[Fiery]

Please find the attached scan text. I've got a small issue that I am not booting to desktop. I was looking at other issues with PCEU and changed the SHELL from Explorer to iexplore.exe I have changed it back. The boot goes to a file list and not the desktop - sorry.

Hi,

You can still boot to safemode right? I can see the Explorer entry that you made, we will have to correct that entry.

Download RSIT and run it in safe mode. Please post the contents of log.txt which will be maximized.

If you are not able to run RSIT, try running DDS - Link 1 or DDS - Link 2

 

[Fryern]

Hi

The .com one worked and produced two files. It said post the one attached. I have the other one if you need it.

Hope that helps - sorry about the explorer cock up..............

Fry

 

[Fiery]

Let's try to fix it Delete the old fixlist.txt from your USB

Open notepad and copy & paste the following:

start
HKLM\...\Runonce: [37508A2C-86E4-438E-993B-FD04DC49E0A9] cmd.exe /C start /D "C:\Users\Chris\AppData\Local\Temp" /B 37508A2C-86E4-438E-993B-FD04DC49E0A9.exe -activeimages -postboot [x]
HKLM\...\Winlogon: [Shell] Explorer [x ] ()
nointegritychecks on:
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

---

Download a new copy of combofix <a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a> and head to safe mode

and save it as DDDS.com before transferring it to the PC's Desktop. The click Start > Run (Alternatively, you can press the Windows key + R). In the box, type (including the quotes):

"%userprofile%\desktop\DDDS.com" /nombr

 

[Fryern]

Part 1 completed desktop back - bless you.

 

[Fryern]

Not sure what to do. All programs show on desktop. None appear to load as expected/normal.

txt file attached. The program ran for 20mins +

 

[Fiery]

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to step 3 and allow it to run SFC by clicking do it

Go to start repairs tab and click start.

Note: If it prompts you to make a system restore point and backup your registries, allow it to do so.

Check all the boxes on the list

Check the box besides Restart System When Finished then click Start

 

[Fryern]

There appear to be several versions of the s/w on the site?

Please can you tell me the one I need.

 

[Fiery]

You can use this one: http://majorgeeks.com/Tweaking.com_-_Windows_Repair_d7141.html

Any link for v1.9.7 Installer will work.

 

[Fryern]

So I have the setup.exe

How do you want me to run it? I don't think I can from Desktop.

 

[Fiery]

Try running it normally and see if you can. Also try in safe mode. In addition, attempt a OTL scan as well since combofix removed some bad files

 

[Fryern]

Thanks will take me a while to come back to you 2 hrs ish

 

[Fryern]

Started it from Desktop select Computer then highlighted the flash and found the program. Double click and off it went. However I have the following error

Unknown decompression error. Option Retry, Abort, Ignore. Chose Retry came up with the same error.