Please help me remove Win32:Ransom-WH[Trj]

Please help, can't remove Win32:Ransom-WH[Trj]. Infected file is Notepad.exe.
First it was in C:\Windows, I ran a boot-time scan and removed it.
Now it is in C:\Windows\system32.

Updated Windows, scanned with Malwarebytes under safe mode - didn't find anything.
But avast found it again.
Please help get rid of it, OS is Windows 7 x64.

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Monitoring

Could not scan with AdwCleaner; once I press delete, the progress bar starts filling and the program stops working.
Here are the other two logs, OTL saved only one. And MBAM says I'm clear.
And to mention, before I started to scan with these programs, the last two boot-time scans didn't detect any virus?

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.25.02

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Blood :: BLOOD-PC [administrator]

25.10.2012 г. 18:18:47 ч.
mbam-log-2012-10-25 (18-18-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205226
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

and AdwCleaner also…

Doesn’t work. :wink:

OBS…missed that :slight_smile:

I tried AdwCleaner under safe mode and it worked,
but I restarted normally and there was no log.
Maybe if I run AdwCleaner in safe mode and restart it again in safe mode?

Don’t worry about AdwCleaner too much, it’s not that important. :wink:

Looks like Avast killed most of it

How is the computer running now ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-1117447876-4001363412-1104953183-1001\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
O3 - HKU\S-1-5-21-1117447876-4001363412-1104953183-1001\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No CLSID value found.
@Alternate Data Stream - 5120 bytes -> C:\ProgramData:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Public\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Blood\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Blood\Desktop\desktop.ini:gs5sys

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the new OTL log.
The computer runs better, but we'll see. I'll run another full scan with avast and hope I won't see that damn file.
But since I deleted the infected Notepad.exe, now when I want to open a .txt, Windows asks me what to open the file with.
Any idea how to fix that :-\

Yep, run an elevated command prompt

Go Start > All Programs > Accessories
Right click Command prompt and select run as administrator
In the black box that opens type :

sfc /scannow

That should allow Windows to replace the file

hi promi,

I know you did not mean to cause an error like that. Intentions were good here.

If one of our malware experts were to recommend you perform this action, they would be banished from this forum forever.

Do no harm to a victim’s computer is our motto here.

Just wait for a malware expert to repair an infected file in the future. They all are fully certified and trained, and know how to fix and repair errors such as this one. The goal here is to fix, not damage, your system any further than it already is. We mean to repair it back to the way it was, before the infection, if possible.

All is clean. Scanning of the system drive didn't show any infection; it showed some archives that it couldn't scan in Program Files\Adobe, but I don't think it's something to worry about.
All the infected notepad.exe (3 of them) are in the virus chest. And thank you for the command, Windows recovered the missing notepad,
which was my stupid mistake, sorry.

First time here and damn this forum is awesome. Thank you very much for the help.

+1