Ransomware - PCEU virus

Fiery said:
When you are in FRST, are you pressing Scan or Fix?

I do FIX and when that has finished I do Scan to get the results.

Scan as of a few mins ago, 5:30-ish UK, attached.
 

Ok. Delete all the FRST logs, including FRST itself from the USB. Download a new copy of FRST and place it onto the USB. As well, make a new fixlist.txt.

Open notepad and copy & paste the following:

start
HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()
2013-02-07 18:38 - 2013-02-08 07:57 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click Fix. Post the generated log and attempt to boot to normal mode again.
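The fixlist above targets a Winlogon Shell value that runs a second program alongside explorer.exe. As an added example (not part of the thread, FRST or any of the tools mentioned), here is a small Python check that parses FRST-style Winlogon Shell lines and flags anything other than explorer.exe; the sample lines are constructed, apart from the one quoted from the fixlist.

```python
import re

# Added example (not FRST's own code): flag Winlogon "Shell" persistence in
# FRST-style log lines. A healthy Shell value is just "explorer.exe"; the
# fixlist in this thread targets a value with a second program appended.
SHELL_LINE = re.compile(
    r"^(?P<key>HK.+?\\Winlogon): \[Shell\] (?P<value>.+?)"  # registry key and raw Shell value
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\] \(.*?\))?\s*$"           # optional "[size date] (company)" suffix
)

EXPECTED_SHELL = "explorer.exe"


def find_shell_hijacks(log_lines):
    """Return one finding per Winlogon Shell line whose value is not exactly explorer.exe.

    Each finding lists the registry key, the comma-separated programs in the
    Shell value, and the entries that should not be there.
    """
    findings = []
    for line in log_lines:
        match = SHELL_LINE.match(line.strip())
        if not match:
            continue  # not a Winlogon Shell line (e.g. Userinit, or unrelated text)
        programs = [p.strip() for p in match.group("value").split(",") if p.strip()]
        unexpected = [p for p in programs if p.lower() != EXPECTED_SHELL]
        if unexpected:
            findings.append({"key": match.group("key"), "shell": programs, "unexpected": unexpected})
    return findings


# Constructed sample log: the first line is the one from this thread's fixlist,
# the other two are made-up clean entries.
SAMPLE_LOG = [
    r"HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()",
    r"HKLM\...\Winlogon: [Shell] explorer.exe [2926592 2009-07-14] (Microsoft Corporation)",
    r"HKU\Guest\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,",
]

if __name__ == "__main__":
    for finding in find_shell_hijacks(SAMPLE_LOG):
        print(f"{finding['key']}: unexpected Shell entries -> {', '.join(finding['unexpected'])}")
```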
 
Fiery said:
Ok. Delete all the FRST logs, including FRST itself from the USB. Download a new copy of FRST and place it onto the USB. As well, make a new fixlist.txt.

Open notepad and copy & paste the following:

start
HKU\Chris\...\Winlogon: [Shell] explorer.exe,C:\Users\Chris\AppData\Roaming\skype.dat [62976 2011-11-18] ()
2013-02-07 18:38 - 2013-02-08 07:57 - 00000004 ____A C:\Users\Chris\AppData\Roaming\skype.ini
end

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click Fix. Post the generated log and attempt to boot to normal mode again.

Please be a sport and attach a copy of FRST.exe that you want me to use. The Mac is very slow and most routines.
 
Here you go:

Farbar Recovery Scan Tool: http://download.bleepingcomputer.com/farbar/FRST.exe
 
Fiery said:
Here you go:

Farbar Recovery Scan Tool: http://download.bleepingcomputer.com/farbar/FRST.exe


Thanks,

And now for the good news:

The scan results are nothing like the earlier ones. I gave them a whirl and my desktop is back.

I don't have an internet connection, I believe. It was wireless, but I do have ethernet if I need that to reset it. Next move - at least it wasn't checkmate?
 
Fiery said:
I just want to clarify, you can boot to normal mode now? Is that correct?

Yep - you're a star

Running Malwarebytes - just can't make the internet. I've not really tried, as I don't want to screw up the good work. Hence the scan. I'll save any results. It's been running 1 hr plus.
 
Good to hear :). After your malwarebytes scan, do the following in the order I presented them.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE RogueKiller to your Desktop, or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
 
Thanks again,

You are looking at tomorrow or worst case Sunday for the analysis. I will also send the fixlist final log.

How do you suggest I connect my PC to the internet to do the download? If I use this Mac I go for a walk and just hope something turns up. It is very old with lots of version conflicts. If I plug it in via ethernet will it see the connection? I can play with wireless in my own time.
 
Fryern said:
Thanks again,

You are looking at tomorrow or worst case Sunday for the analysis. I will also send the fixlist final log.


No problem :) Just note that your computer isn't fully disinfected yet, so I would not recommend entering any banking or personal information on it.
 
Malwarebytes found a couple of 'rats'.

Saved to log

from above......

How do you suggest I connect my PC to the internet to do the download? If I use this Mac I go for a walk and just hope something turns up. It is very old with lots of version conflicts. If I plug it in via ethernet will it see the connection? I can play with wireless in my own time.
 
You can try to connect to the internet via wired connection and see if you can download those tools.

If you are unable to connect, then you'll have to use your Mac to download the files and transfer them to the infected PC
 
Fiery said:
You can try to connect to the internet via wired connection and see if you can download those tools.

If you are unable to connect, then you'll have to use your Mac to download the files and transfer them to the infected PC

Hi,

Well, I can't connect and I can't download for some reason to the Mac. BT have gone to bed. I tried their CD setup disk, which says I don't have any ethernet or USB!!!

Time for bed it's Saturday.....
 
Do you have access to another PC in which you can download the tools? Can you download the tools directly onto the USB using the Mac by selecting the download folder to the USB drive?
 
Fryern said:
Thanks again,

You are looking at tomorrow or worst case Sunday for the analysis. I will also send the fixlist final log


How do you suggest I connect my PC to the internet to do the download? If I use this Mac I go for a walk and just hope something turns up. It is very old with lots of version conflicts. If I plug it in via ethernet will it see the connection? I can play with wireless in my own time.
 

Fiery said:
Good!

Try getting roguekiller and OTL on to the machine :)

As I said, it is very slow and complex; even the local library blocked RogueKiller access.

OTL starts off with a bang but hangs up on Scanning Firefox settings.

Over to you, not sure what to do now - are the analysis files ok? I'll run some scans, but I can't see them showing anything as I cannot get internet.
 


Did you click delete in RogueKiller? If not, do that first. Also in RogueKiller, click fix host.

Then let's try this.

Download OTH from here to your PC.
  • Start OTH and click Kill All Processes
  • Click Start OTL
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • Please post the contents of the logs in your next reply.
 
Fiery said:
Did you click delete in RogueKiller? If not, do that first. Also in RogueKiller, click fix host.

Yes, I then did another log and it was empty. I'll do it again to be sure.

Then let's try this.

Download OTH from here to your PC.
  • Start OTH and click Kill All Processes
  • Click Start OTL
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • Please post the contents of the logs in your next reply.

Got a problem: my Vista says it cannot initialise the program. Quit is the only option?!

That will take a while....... I've found one issue with the Mac: the date was set to 1945. Totally confused some sites.