performed boot time scan then black screen!

I ran the boot time scan on my PC (Windows 7) and it found a Win32 file (I did not write down the exact file name), so I first tried repairing it, but it could not be repaired.

So, I selected “delete it” and then it took a few minutes. Next thing I knew there was nothing. I can see the computer is on because the light is on, but the OS does not start… In fact, it doesn’t even show the “VAIO” logo.

Can someone please tell me if there’s anything I can do? Please help!

Are you able to boot into safe mode and try a restore?

It didn’t even show the VAIO logo (the start screen before Windows is launched) and nothing was working except for the on/off button. But I left it for a while and then I could finally see the VAIO logo. So I followed the instructions and restored. Thank God for that!

Do you know if I should do anything about the Win32 file?

As you didn’t note which file exactly was detected, you can run the scans here http://forum.avast.com/index.php?topic=53253.0 then attach the logs in this thread when completed, and one of the malware guys will be able to check them out to see if you have any issues that need dealing with.

I ran all three programs on the website you gave me the link to.

The first one, the MBAM log, is below:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.10.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kana :: KANA-PC [administrator]

Protection: Enabled

11/02/2013 00:34:33
mbam-log-2013-02-11 (00-34-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 286995
Time elapsed: 7 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\$Recycle.Bin\S-1-5-21-1261323728-3818668845-12475887-1000\$R4S00FR\dynamics.exe (Trojan.Ransom.ANC) → Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1261323728-3818668845-12475887-1000\$R4S00FR\mpaclean.exe (Trojan.Ransom.ANC) → Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1261323728-3818668845-12475887-1000\$R4S00FR\wavsplit.exe (Trojan.Ransom.ANC) → Quarantined and deleted successfully.

(end)

The second one, OTL log and the third aswMBR log have been attached.

Thanks for your help!

Malware removers are notified… check back later today.

Also run AdwCleaner… this will remove any browser/toolbar crap… post the log.

Actually looks quite clean… There are some old AVG reg entries which I will tidy up. Are you experiencing any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found
O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll File not found
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll File not found
O4 - HKLM..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" File not found
[2013/02/08 22:04:31 | 000,000,000 | ---D | C] -- C:\Users\Kana\AppData\Local\Avg2013


:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I first ran AdwCleaner. The log is below:

AdwCleaner v2.112 - Logfile created 02/11/2013 at 20:34:44

Updated 10/02/2013 by Xplode

Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)

User : Kana - KANA-PC

Boot Mode : Normal

Running from : C:\Users\Kana\Downloads\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\ Google Chrome v24.0.1312.57

File : C:\Users\Kana\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [1406 octets] - [11/02/2013 20:34:22]
AdwCleaner[S1].txt - [1355 octets] - [11/02/2013 20:34:44]

########## EOF - C:\AdwCleaner[S1].txt - [1415 octets] ##########

I will run OTL now. About the AVG reg entries: I had problems uninstalling the program. It wouldn’t completely uninstall itself, and I looked for solutions online, but it looked so complicated that I gave up, since it didn’t seem to interfere with anything else. I will post the OTL log again.

Thanks!

Here is the OTL log. Is there anything else I should do? I wonder what happened to that “infected file” found in boot time scan…

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVG_TRAY not found.
C:\Users\Kana\AppData\Local\Avg2013\log folder moved successfully.
C:\Users\Kana\AppData\Local\Avg2013 folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 108512853 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 58264 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: Guest
->Temp folder emptied: 472898 bytes
->Temporary Internet Files folder emptied: 44327498 bytes
->Flash cache emptied: 57859 bytes

User: Kana
->Temp folder emptied: 854914367 bytes
->Temporary Internet Files folder emptied: 89018740 bytes
->Java cache emptied: 7927 bytes
->Google Chrome cache emptied: 403731637 bytes
->Flash cache emptied: 123964 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 429856662 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 263066 bytes
RecycleBin emptied: 4515660978 bytes

Total Files Cleaned = 6,149.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 02122013_015515

Files\Folders moved on Reboot…
C:\Users\Kana\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

As it was ransomware, it was probably a file appended to winlogon, hence the black screen.

How is the computer behaving now?
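A read-only check, added here as an example and not part of the thread, OTL or AdwCleaner, that covers the two things the helper's posts point at: Winlogon values that a boot-hijacking infection alters (the "file appended to winlogon" explanation for the black screen) and Browser Helper Objects whose DLL no longer exists (the "File not found" O2 lines in the OTL fix). It assumes stock Windows 7 x64 defaults for the Shell and Userinit values and runs from an elevated PowerShell; it changes nothing.

```powershell
# Added example: report Winlogon deviations and orphaned BHO entries. Read-only.
$findings = @()

# 1. Winlogon: on a stock Windows 7 x64 install (assumption), Shell is explorer.exe and
#    Userinit is <system32>\userinit.exe, (the trailing comma is normal). Anything
#    appended after these defaults is what the helper meant by a file "appended to winlogon".
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($actual -ne $expected[$name]) {          # -ne is case-insensitive in PowerShell
        $findings += [pscustomobject]@{ Check = "Winlogon\$name"; Value = $actual
                                        Note = "differs from default '$($expected[$name])'" }
    }
}

# 2. BHOs: the CLSID list lives under Explorer\Browser Helper Objects (64-bit view and
#    Wow6432Node for 32-bit IE). The DLL path is the default value of the matching
#    CLSID\{guid}\InprocServer32 key. A missing DLL means an orphaned entry, which is
#    exactly what OTL's "File not found" marks on the O2 lines.
$bhoRoots = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID' }
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root.Bho)) { continue }
    foreach ($key in Get-ChildItem $root.Bho) {
        $clsid  = $key.PSChildName
        $inproc = Join-Path $root.Clsid "$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
        # Expand %ProgramFiles%-style variables and strip quotes before testing the path
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            $findings += [pscustomobject]@{ Check = "BHO $clsid"; Value = $dll
                                            Note = 'DLL missing: orphaned entry' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations found.' }
```

An orphaned BHO is a leftover, not an active threat; a Winlogon value that differs from the default is the line to investigate before editing anything.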

The computer is working fine thanks to all of you guys. I regularly run Avast quick/full scan, but does this mean having Avast is not sufficient? Should I be running these three programs every now and then? (though I have no idea as to what the scan result shows…)

Unfortunately, all antivirus companies are playing catch-up; most malware is changed on a daily basis, particularly the ransom type. The malware authors then check for detection against the major AVs and tweak the programme until it is not detected… Then it is released.