Need help removing Homeland Security Ransomware

So I got this virus about a week ago. Thought I got rid of it myself, and about a week later it popped back (so I either never got rid of it and it laid dormant OR I got it again).

So, what I have done so far…

Re-booted in Safe Mode.

Ran rkill

Ran Spy-bot

Ran MalwareBytes

Ran HitmanPro (not the boot-up, just normal)

Ran Avast! (which is my main virus protection)

and finally… Ran ComboFix.

I just want to be sure this thing is gone (I think HitmanPro really got rid of it, but just to be sure).

Attached is my ComboFix log (this was after I ran rkill)

You should not run ComboFix on your own, and this is the second CF log.

Please download Farbar Recovery Scan Tool x86 and save it to a flash drive.

[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer”, note your flash drive letter, and close Notepad.
[*]In the command window type e:\frst.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

Thank you for trying to help…

I am running into an issue even getting this started…

When I re-boot, F8 does not seem to do anything. During boot up (before Windows Vista starts) I only see two options…

F2 which is for System Setup (goes into CMOS) and then F12 which has a small menu:

F12
*Hard Drive
*Optical Drive
*USB-Zip

*System Setup (goes to CMOS, same as F2)
*Diagnostics
*Boot Partition

I WAS able to somehow get to a System Repair screen at one point (I think simply from booting and rebooting the PC so many times) but I never got any of the options you suggested. It was at System Repair for like 10 minutes, then just rebooted my system on its own…

Any other advice here?


OK, then run FRST from normal mode. It’s not necessary to run the diagnosis in RE in this case. :wink:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Great, thanks for the quick reply… Here are the items you requested…

I had to put them both as attachments, as the FRST.txt exceeded the maximum number of characters I am allowed to post here…

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
HKCU\...\Run: [SSync] - C:\Users\James\AppData\Roaming\SSync\SSync.exe [41984 2012-12-18] ()
HKCU\...\Run: [SCheck] - C:\Users\James\AppData\Roaming\SCheck\SCheck.exe [36864 2013-04-09] ()
HKCU\...\Run: [Intermediate] - C:\Users\James\AppData\Roaming\Intermediate\Intermediate.exe [41984 2012-12-18] ()
SearchScopes: HKLM - DefaultScope {5D57F309-FC2C-42CF-8ADB-394FD2ACAA2D} URL = 
SearchScopes: HKCU - DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://searchqm.com/search.php?channel=msus200fbdgy6&q={searchTerms}
SearchScopes: HKCU - {5D57F309-FC2C-42CF-8ADB-394FD2ACAA2D} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3291325&CUI=UN30606003202646417&UM=2
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://searchqm.com/search.php?channel=msus200fbdgy6&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465} URL = 
Task: {00B3E2AB-7E8E-4B01-8076-84B1F4662096} - System32\Tasks\4677 => C:\Windows\System32\wscript.exe [2009-04-11] (Microsoft Corporation)
Task: {44B100C6-2C0E-46BA-9392-CDF774936C14} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2412800826-1674594253-1344594430-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe No File
Task: {4C3E9186-DAA0-4075-9792-7CBA79947C3E} - System32\Tasks\AVG\PC Tuneup\Integrator\Start On James Logon => C:\Program Files\AVG\AVG PC Tuneup\BoostSpeed.exe No File
Task: {5166C57E-8FC6-457F-8EF0-1CDB9696BE5C} - System32\Tasks\FixCleaner Startup => C:\Program Files\FixCleaner\FixCleaner.exe No File
Task: {53EDB7F0-3464-481D-AB87-1148DEF36951} - System32\Tasks\FixCleaner Scan => C:\Program Files\FixCleaner\FixCleaner.exe No File
Task: {EA438217-F2DA-4B2A-8E28-7AEDE52B9719} - System32\Tasks\Game_Booster_AutoUpdate => C:\Program Files\IObit\Game Booster 3\AutoUpdate.exe No File
Task: {F8F964FA-FC65-4A88-BADD-8B83DAAA6BD7} - System32\Tasks\LyricsSing Update => C:\Program Files\LyricSing\lSing.exe No File
C:\Users\James\AppData\Roaming\SSync
C:\Users\James\AppData\Roaming\SCheck
C:\Users\James\AppData\Roaming\Intermediate
C:\Users\James\AppData\Local\d3d8caps.dat
C:\Program Files\Conduit
C:\Program Files\AVG
C:\Program Files\FixCleaner
C:\Program Files\LyricSing
File: C:\Windows\System32\C2MP\UpdateChecker.exe
Folder: C:\Users\James\AppData\Roaming\library_dir
CMD: ipconfig /flushdns
END


  2. Save the Notepad file as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you that the version is outdated, please download and run the updated version.

=========== THEN ============

Re-run FRST.exe;
Put a checkmark in the box for the “Addition.txt” option;
Press the Scan button.

Please attach both freshly created logs, FRST.txt and Addition.txt, here.
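The fixlist above removes entries from four persistence points: Run keys under HKCU, scheduled task actions, IE SearchScopes and, later in the thread, ZoneMap Trusted Zone entries. The following read-only PowerShell triage script is an added example written for this page; it is not FRST’s code and not something posted in the thread. It enumerates those same locations so the entries can be reviewed before a fix is applied. Assumptions: Windows Vista/7 with PowerShell 2.0 or later, an elevated prompt (so HKLM and all task folders are readable), an English-locale schtasks (its CSV column names are localized), and the heuristic that a legitimate autostart is normally a signed binary outside the user’s AppData tree. Nothing is deleted or changed.

```powershell
# Added read-only triage script (not from the thread, not FRST's own code).
# Lists Run/RunOnce values, scheduled task actions, IE SearchScopes and Trusted
# Zone entries, and flags targets that are missing ("No File", as FRST reports
# them), run from AppData, or lack a valid Authenticode signature.
# Assumed environment: Vista/7, PowerShell 2.0+, elevated prompt, English locale.

function Get-TargetPath([string]$command) {
    # Pull the executable out of a Run value or task action, e.g.
    #   "C:\Program Files\x\y.exe" /arg   or   C:\Users\James\AppData\Roaming\SSync\SSync.exe
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c.StartsWith('"')) { return $c.Split('"')[1] }
    return $c.Split(' ')[0]
}

function Get-SuspectReasons([string]$path) {
    # Heuristics only (assumptions, not a verdict); empty string means nothing stood out.
    $reasons = @()
    if ($path -eq '' -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { return 'No File' }
    if ($path -like "$($env:APPDATA)*" -or $path -like "$($env:LOCALAPPDATA)*") {
        $reasons += 'runs from AppData'
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return ($reasons -join '; ')
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Output '== Run / RunOnce =='
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        Write-Output ('{0} [{1}] {2}  {3}' -f $key, $name, $cmd, (Get-SuspectReasons (Get-TargetPath $cmd)))
    }
}

Write-Output '== Scheduled tasks =='
# schtasks is used because Get-ScheduledTask does not exist before Windows 8.
# The verbose CSV header can be repeated per task folder, so header rows are dropped.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    $action = [string]$t.'Task To Run'
    if ($action -eq '' -or $action -eq 'COM handler') { continue }
    Write-Output ('{0} => {1}  {2}' -f $t.TaskName, $action, (Get-SuspectReasons (Get-TargetPath $action)))
}

Write-Output '== IE SearchScopes =='
foreach ($hive in 'HKCU', 'HKLM') {
    $base = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path -LiteralPath $base)) { continue }
    $default = (Get-ItemProperty -LiteralPath $base).DefaultScope
    foreach ($scope in Get-ChildItem -LiteralPath $base) {
        $url = (Get-ItemProperty -LiteralPath $scope.PSPath).URL
        $tag = if ($scope.PSChildName -eq $default) { 'DefaultScope' } else { '' }
        Write-Output ('{0} {1} {2} URL = {3}' -f $hive, $scope.PSChildName, $tag, $url)
    }
}

Write-Output '== Trusted Zone (ZoneMap, zone 2) =='
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path -LiteralPath $domains) {
    # Subkeys such as Domains\verizon.net\activate hold per-scheme zone numbers; 2 = Trusted sites.
    foreach ($d in Get-ChildItem -LiteralPath $domains -Recurse) {
        $props = Get-ItemProperty -LiteralPath $d.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) {
                $site = $d.PSPath -replace '^.*\\Domains\\', ''
                Write-Output ('{0}  ({1})' -f $site, $scheme)
            }
        }
    }
}
```

Read the signature column together with the path, not on its own: on Vista/7, Get-AuthenticodeSignature does not consult the Windows catalog store, so catalog-signed system binaries such as wscript.exe are reported as NotSigned even though the task that points at them (like the `4677` task above, which launches wscript.exe) is the thing worth looking at, not the binary. Conversely, a task whose target is gone (“No File”) is left-over clutter rather than an active threat, which is why the fixlist simply deletes those task entries.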

Ok, here we go :slight_smile:

Hi,
You forgot to attach the fresh FRST.txt log too.

Ok, I added the attachment to post above

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
C:\Users\James\AppData\Roaming\library_dir
Task: {5102181C-8531-4856-827A-010FE228907A} - System32\Tasks\VisualBeeRecovery => C:\Users\James\AppData\Local\VisualBeeExe\VisualBeeRecovery.exe No File
C:\Users\James\AppData\Local\VisualBeeExe
C:\Users\James\AppData\Roaming\library_dir
c:\program files\Conduit
File: C:\Users\James\Desktop\sqlite3.dll
File: c:\windows\system32\bootdelete.exe
Folder: C:\Users\James\AppData\Roaming\Raptr
Folder: C:\Program Files\RIFT
Folder: C:\Users\James\AppData\Roaming\Mumble
END

  2. Save the Notepad file as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you that the version is outdated, please download and run the updated version.

============ NEXT =============

Delete the old ComboFix and download a new, fresh copy from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your antivirus.

C:\Users\James\Downloads\ComboFix.exe
ComboFix needs to be on the Desktop.

Open notepad and copy/paste the text present inside the code box below:



DDS::
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: verizon.net\activate
Trusted Zone: verizon.net\activatemydsl
Trusted Zone: verizon.net\activatemyfios
Trusted Zone: verizon.net\activatemyhsi
Trusted Zone: verizon.net\activatemywifi
Trusted Zone: verizon.net\wbadownload

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (Typical location: C:\ComboFix.txt)

Also, you need to attach C:\Qoobox\ComboFix-quarantined-files.txt here.
Since you have run CF a few times, I have to see what CF has done in the past…

Ok, I think I got what you asked for… Just a couple of things I was confused on in your last instructions…

I took this to mean, when I download Combofix, it saves it in my downloads, and you wanted me to move it to Desktop. Which is what I did. Actually, it was a Shortcut from Desktop (the root file was still under \Downloads). Hopefully that didn’t affect anything. I was still able to run it by drag-dropping as your icon suggested.

Secondly, you mentioned…

I only ran ComboFix once in your instructions, so I was confused when you said it will re-run. If I missed something and you wanted me to run ComboFix more than once, let me know…

Here are the attachments you requested…

I took this to mean, when I download Combofix, it saves it in my downloads, and you wanted me to move it to Desktop. Which is what I did. Actually, it was a Shortcut from Desktop (the root file was still under \Downloads). Hopefully that didn't affect anything. I was still able to run it by drag-dropping as your icon suggested.

I see everything. ;D It is recommended that ComboFix is on the Desktop before launching, not in the Downloads folder.

Running from: c:\users\James\Downloads\ComboFix.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt

Shortcut does not count. :slight_smile:

I only ran ComboFix once in your instructions, so I was confused when you said it will re-run

When you drag the Notepad file (CFScript.txt) onto the ComboFix.exe icon, ComboFix will re-run. You have run ComboFix regularly (the shortcut does not count. ;D)


All logs look clean. How’s your computer running now? Any ransomware traces? 8)

So far so good, nothing has popped up in a couple days now actually. I’ll be back if it does

It is necessary to uninstall ComboFix:

[*] Click Start, then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the text field, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

I recommend you use MCShield, if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.

Here is the DelFix.txt file

You have been very helpful, thank you very much.

Can you recommend a program that might help “speed up” my computer? Sometimes it runs a bit sluggish, specifically when attempting to open IE: it can sometimes take a few seconds to launch IE, and sometimes multiple instances of IE pop open at once (even though I hit the icon just once). Just as an example of what I mean. I think I might have old files or old registry items on my system that are no longer in use and might be bogging it down.

Not sure if you know of any tests I can run or programs that will look at my system and recommend on how to improve speed?

Thank you for your kind words. :slight_smile:

I don’t use IE. And if you want to use IE, wait for the update and install IE11.

You may use Google Chrome or Mozilla Firefox as default browser.
https://www.google.com/intl/en/chrome/browser/
http://www.mozilla.org/en-US/firefox/fx/

As for speeding up the computer, my programs clean temp files and cache files, which eventually may slow down your computer. For this purpose, you can use TFC by OldTimer:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

As for registry cleaners, “tune up” tools and similar, they are a pretense. Don’t use those…
There are a lot of things well explained here; please read these blog posts:
http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html
http://www.edbott.com/weblog/2005/04/why-i-dont-use-registry-cleaners/

I only use CCleaner (aka CrapCleaner), which is capable of cleaning temp and cache files and doing a superficial registry scan.
http://www.piriform.com/ccleaner

How to speed up your PC? There is a good and valid tutorial here:
http://www.techsupportforum.com/forums/f50/is-your-pc-running-slow-532075.html