US Dept of Just Virus Will Not Go Away

Status
Not open for further replies.
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
If you can't boot, we are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again. You will need access to another computer and a CD to perform the following. If you rather use an USB for this, please follow the instructions here

If you choose to use a CD,

Download the OTLPE Standard REATOGO Windows Recovery Environment.
  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.

<hr />
 
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
Under Drivers I have the following options

None
Use SafeList
All

I don't see an option for Non-Microsoft
 
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
kuttus said:
Select All.
Click to expand...

Here are the log files from running the OTLPE scan
 

Attachments

  • OTL.Txt
    224.1 KB · Views: 116
  • Extras.Txt
    75.6 KB · Views: 157
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
How many Operating system you are having? In all log files I am getting Different Different system information's...


STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL
Code: 
:OTL
[2013/04/25 14:54:09 | 000,000,154 | ---- | C] () -- R:\ProgramData\ejododof.reg_old
[2013/04/25 14:54:09 | 000,000,058 | ---- | C] () -- R:\ProgramData\ejododof.bat_old
[2013/04/25 14:53:57 | 095,023,320 | ---- | C] () -- R:\ProgramData\ejododof.pad_old
[2013/03/05 11:26:41 | 000,204,896 | -H-- | C] () -- R:\Windows\SysWow64\mlfcache.dat
[2011/12/12 16:25:39 | 000,000,774 | ---- | C] () -- R:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc_old
[2011/11/07 21:59:29 | 315,299,322 | -H-- | C] () -- R:\Windows\cbufsscansysdmp.bin
[2011/05/18 23:23:37 | 000,007,760 | ---- | C] () -- R:\Users\MichaelB\AppData\Local\recently-used.xbel
[2011/05/18 18:23:49 | 000,003,584 | ---- | C] () -- R:\Users\MichaelB\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/27 10:35:46 | 000,009,962 | -HS- | C] () -- R:\Users\MichaelB\AppData\Local\68571b4ny4sdctt477oi27fy1m441868l
[2010/10/27 17:53:25 | 000,000,000 | ---- | C] () -- R:\Users\MichaelB\AppData\Roaming\wklnhst.dat
[2010/08/19 19:51:47 | 001,528,361 | ---- | C] () -- R:\Users\MichaelB\AppData\Local\tmpDSCF1153.JPG
[2010/04/24 18:24:03 | 000,007,597 | ---- | C] () -- R:\Users\MichaelB\AppData\Local\Resmon.ResmonCfg
[2012/12/04 17:33:13 | 000,000,000 | ---D | M] -- R:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2012/09/06 07:47:23 | 000,000,000 | ---D | M] -- R:\ProgramData\7531CC96E70B6025DB497545F875EF60


:commands
[emptytemp]
[reboot]
<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />
 
Last edited by a moderator:
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
I only have windows 7 on the system.

I performed the suggested procedures using the script provided. I'm attaching the resulting log file.

Still getting the ransom screen when booting into normal mode.
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please send me a New OTL log... If there is any External Hard Disks connected to the computer disconnect all of them...
 
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
kuttus said:
Please send me a New OTL log... If there is any External Hard Disks connected to the computer disconnect all of them...
Click to expand...

Here is the otl log with all external hard disk disconnected.
 

Attachments

  • OTL_061120013.txt
    162.4 KB · Views: 111
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------

How to run the Combofix scan :
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow to update if it asks
  3. When finished, it shall produce a log for you.
    [*]Please include the C:\ComboFix.txt in your next reply.

Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>



<hr />
 
Last edited by a moderator:
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
Ran combo fix and attaching the log file created.

Still getting ransom screen both on Normal start up and SafeMode with networking.

However, I can boot into Standard SafeMode without getting the ransom screen.
 

Attachments

  • ComboFix.txt
    9.4 KB · Views: 128
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trail, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

 
M

mbaynes

New Member
Thread author
Verified
May 31, 2013
36
ran the scan and no malware was found. I have attached the logs.

Still getting Ransom Screen on normal boot and safemode with networking boot option.

Not getting ransom screen with standard safemode boot option.
 

Attachments

  • mbar-log-2013-06-11 (19-42-41).txt
    2.1 KB · Views: 94
  • system-log.txt
    116.3 KB · Views: 116
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tooland save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Go to FRST and type user32.dll in the search box. Then press search. Post the log that will be create on the USB
 
Status
Not open for further replies.

Similar threads

L
  • Locked
Waiting for reply I have my first virus
Replies
1
Views
159
Windows Malware Removal Help & Support
nasdaq
nasdaq
Lymphocyte
    • Like
Security News LockBit ransomware affiliate gets four years in jail, to pay $860k
Replies
0
Views
716
Security News
Lymphocyte
Lymphocyte
marteis
  • Locked
Chrome Extension 'AzaleaRhododendron', Unable to Remove, Bing Redirecting
Replies
4
Views
581
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top