ransomware

win32:malware-gen

Sorry, double post for some reason, mods please delete.

Please provide the Farbar logs.

The main FRST log (FRST.txt) is what Eddy is looking for.

Please resave the OTL file as ANSI because it’s corrupted.

ok

otl

You can edit posts.

2014-12-04 08:43 - 2014-12-04 08:46 - 00003506 _____ () C:\Users\Wes\Desktop\Rkill.txt
Attach the RKill log while you’re at it.

Find this file:
C:\ProgramData\B0A32576.cpp

Upload @ www.virustotal.com

Post results back.

Edit2: Please do not run any tools without supervision (Like RKill). They can be quite dangerous. That includes Combofix!!!

  • Open notepad
  • Copy/paste the underneath code in it
  • Save the file as fixlist.txt in the same folder as where you have Farbar
  • Start Farbar
  • Click the Fix button
  • Reboot
  • Let us know how the system is behaving.

start
ShortcutTarget: program.lnk -> C:\ProgramData\B0A32576.cpp ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-374137342-4144886069-880947197-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-374137342-4144886069-880947197-1001 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = 
SearchScopes: HKU\S-1-5-21-374137342-4144886069-880947197-1001 -> {B9C7CE32-DA91-43C2-B7E9-0E9AAFC675CD} URL = http://www.ask.com/web?l=dis&o=APN10280&gct=sb&qsrc=2869&apn_dtid=^YYYYYY^YY^CA&apn_ptnrs=^A9T&apn_uid=6729715939424320&p2=^A9T^YYYYYY^YY^CA&q={searchTerms}
BHO: Ask Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKU\S-1-5-21-374137342-4144886069-880947197-1001 -> Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKU\S-1-5-21-374137342-4144886069-880947197-1001 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
FF SelectedSearchEngine: Ask.com
FF Homepage: hxxp://www.ask.com/web?l=dis&o=APN10280&gct=hp&apn_dtid=^YYYYYY^YY^CA&apn_ptnrs=^A9T&apn_uid=6729715939424320&p2=^A9T^YYYYYY^YY^CA
FF Keyword.URL: hxxp://www.ask.com/web?l=dis&o=APN10280&gct=kwd&qsrc=2869&apn_dtid=^YYYYYY^YY^CA&apn_ptnrs=^A9T&apn_uid=6729715939424320&p2=^A9T^YYYYYY^YY^CA&q=
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\ask.xml
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\gcswf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
S2 Winmgmt; C:\PROGRA~2\77C26FDD.cpp [X]
EmptyTemp:
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
end

I uploaded that file and had it scanned; it said it was probably harmless. Currently running that fix for Farbar.

Follow Eddy. The file I had you upload I believe is malicious. Random name and in a startup folder w/ an unknown extension means usually it’s harmful.

(.cpp is a source code file for C++, most likely the language used to create the bug)
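The heuristic in the post above (random name, dropped in ProgramData, non-executable extension used as a launch target) can be turned into a small triage check that runs over FRST-style lines. This is an added example written for this thread, not FRST's own logic or code from anyone in the thread; the drop-directory list, the "code" extension set and the hex-name pattern are assumptions chosen for illustration, and the sample lines are constructed in the style of the entries quoted above.

```python
import ntpath
import re

# Constructed sample lines in the style of the FRST entries quoted in this thread:
# the two random-named .cpp launch targets plus two benign entries for contrast.
SAMPLE_LINES = [
    "ShortcutTarget: program.lnk -> C:\\ProgramData\\B0A32576.cpp ()",
    "S2 Winmgmt; C:\\PROGRA~2\\77C26FDD.cpp [X]",
    "BHO: Ask Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\\Program Files\\Ask.com\\GenericAskToolbar.dll (Ask)",
    "ShortcutTarget: Notepad.lnk -> C:\\Windows\\System32\\notepad.exe (Microsoft Corporation)",
]

# Heuristic tables: assumptions for this example, not FRST's own rules.
# PROGRA~2 is the 8.3 short name that resolves to ProgramData on this system.
DROP_DIRS = ("c:\\programdata\\", "c:\\progra~2\\", "\\appdata\\local\\temp\\")
# Extensions that normally carry executable code; a launch target with any
# other extension is worth a second look.
CODE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}

# A Windows path starting at a drive letter, ending before FRST's trailing
# " (publisher)" or " [flags]" suffix (or at end of line).
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?(?= \(| \[|$)")
# An all-hex file name of 6-10 characters, e.g. B0A32576.
RANDOM_STEM = re.compile(r"^[0-9A-Fa-f]{6,10}$")


def path_reasons(path):
    """Return the heuristic reasons that make a single path look suspicious."""
    reasons = []
    lower = path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if any(d in lower for d in DROP_DIRS):
        reasons.append("lives in a common drop directory")
    if ext.lower() not in CODE_EXTS:
        reasons.append(f"non-executable extension {ext!r} used as a launch target")
    if RANDOM_STEM.match(stem):
        reasons.append("random-looking hex file name")
    return reasons


def suspicious_paths(lines, min_reasons=2):
    """Scan FRST-style lines; return (path, reasons) for every path that
    trips at least min_reasons heuristics."""
    findings = []
    for line in lines:
        for path in WIN_PATH.findall(line):
            reasons = path_reasons(path)
            if len(reasons) >= min_reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_paths(SAMPLE_LINES):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run over the sample, both random-named .cpp entries are reported with all three reasons, while the Ask toolbar DLL and notepad.exe are not; requiring two reasons rather than one keeps a legitimate installer that happens to live in ProgramData from being flagged on location alone. A hit is a prompt to upload the file for scanning, as the thread does, not a verdict on its own.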

Laptop ran the fix and rebooted and sits at “There was a problem starting boa32576.cpp. The specified module could not be found.” I have not clicked on OK yet.

Click OK.
Run Farbar again and post a new log.

ok

Ok, it is looking better already.
Please do the same but this time with this code:
start
ShortcutTarget: program.lnk -> C:\PROGRA~2\B0A32576.cpp (No File)
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\pdf.dll No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\24.0.1312.57\gcswf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
C:\ProgramData\6871571.pad
EmptyTemp:
end

Attach the log that Farbar creates after running to your next post here.

OK, it ran.

Did you reboot?

yes

Ok, get and run this tool:
http://www.bleepingcomputer.com/download/adwcleaner/

Running it now.

It finished.

Still have the rundll error after boot.