Vista hijacked with ransomware that looks like antivirus.

The computer is currently isolated and I am using a thumb drive and a Mac to pass reports and programs back and forth.

Here is the AdwCleaner log:

AdwCleaner v3.007 - Report created 14/10/2013 at 18:32:29

Updated 09/10/2013 by Xplode

Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)

Username : joaquina - JOAQUINA-PC

Running from : G:\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found C:\Program Files\Common Files\Software Update Utility
Folder Found C:\Users\joaquina\AppData\LocalLow\FunWebProducts
Folder Found C:\Users\joaquina\AppData\LocalLow\MyWebSearch

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Found : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Found : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\incredibar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467E-B8D4-7786EDA79AE0}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\dnUpdate
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [ Browsers ] *****

-\ Internet Explorer v9.0.8112.16514

-\ Google Chrome v30.0.1599.69

[ File : C:\Users\joaquina\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [4888 octets] - [14/10/2013 18:32:29]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4948 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.14.12

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
joaquina :: JOAQUINA-PC [administrator]

10/14/2013 6:52:21 PM
mbam-log-2013-10-14 (18-52-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228625
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.FakeAV) → Data: C:\Users\joaquina\AppData\Roaming\awsecurity.exe → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|{7E6CD9D8-FAB7-D8C9-C496-B77C2B046430} (Rootkit.0Access.ED) → Data: C:\Users\joaquina\AppData\Local\Temp\zjxzuznc.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\joaquina\AppData\Roaming\awsecurity.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\joaquina\AppData\Local\Temp\zjxzuznc.exe (Rootkit.0Access.ED) → Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3036101792-3533086794-3871197891-1000\$RZTXBKL.exe (PUP.Optional.Bandoo) → Quarantined and deleted successfully.
C:\Users\joaquina\AppData\Local\Temp\7CA0.tmp (Trojan.Inject.RRE) → Quarantined and deleted successfully.
C:\Users\joaquina\Downloads\iLividSetup-r563-n-bi.exe (PUP.Optional.Bandoo) → Quarantined and deleted successfully.
C:\Users\joaquina\Local Settings\Temporary Internet Files\Content.IE5\5BPEEPDJ\flashplayer11_7r59020_221_win[1].exe (Trojan.Inject.RRE) → Quarantined and deleted successfully.
C:\Users\joaquina\Local Settings\Temporary Internet Files\Content.IE5\R6UG0LPA\flashplayer11_7r59020_211_win[1].exe (Trojan.Dropper) → Quarantined and deleted successfully.

(end)
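The two registry values in the Malwarebytes log above are the part worth understanding: an HKCU Run value named "Internet Security" launching awsecurity.exe from %AppData% (the fake antivirus), and a RunOnce value launching a random-named executable from %Temp% (the ZeroAccess dropper). Both are autostart entries pointing at user-writable directories, which is the pattern a triage pass should flag first. As an added example that is not part of this thread or of Malwarebytes, the Python below parses the 1.x log format shown above and reports exactly that pattern. The sample input is copied from the log in this thread; the list of user-writable locations and the Run/RunOnce markers are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterType, List, Optional, Tuple

# Malwarebytes 1.x prints "item (Family) -> [Data: target ->] action"; the log above uses a Unicode arrow.
ARROW = r"\s*(?:->|→)\s*"
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)" + ARROW
    + r"(?:Data: (?P<data>.+?)" + ARROW + r")?(?P<action>.+?)\s*$"
)
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<count>\d+)\s*$")

# Assumed list: locations an unprivileged user can write to. An autostart entry
# launching from here is the classic FakeAV / dropper persistence pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\$recycle.bin\\", "\\downloads\\",
                 "temporary internet files")
AUTOSTART_KEYS = ("\\currentversion\\run|", "\\currentversion\\runonce|")

# Sample input: detection lines copied from the Malwarebytes log posted above.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.FakeAV) → Data: C:\Users\joaquina\AppData\Roaming\awsecurity.exe → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|{7E6CD9D8-FAB7-D8C9-C496-B77C2B046430} (Rootkit.0Access.ED) → Data: C:\Users\joaquina\AppData\Local\Temp\zjxzuznc.exe → Quarantined and deleted successfully.

Files Detected: 7
C:\Users\joaquina\AppData\Roaming\awsecurity.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
C:\Users\joaquina\AppData\Local\Temp\zjxzuznc.exe (Rootkit.0Access.ED) → Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3036101792-3533086794-3871197891-1000\$RZTXBKL.exe (PUP.Optional.Bandoo) → Quarantined and deleted successfully.
C:\Users\joaquina\AppData\Local\Temp\7CA0.tmp (Trojan.Inject.RRE) → Quarantined and deleted successfully.
C:\Users\joaquina\Downloads\iLividSetup-r563-n-bi.exe (PUP.Optional.Bandoo) → Quarantined and deleted successfully.
C:\Users\joaquina\Local Settings\Temporary Internet Files\Content.IE5\5BPEEPDJ\flashplayer11_7r59020_221_win[1].exe (Trojan.Inject.RRE) → Quarantined and deleted successfully.
C:\Users\joaquina\Local Settings\Temporary Internet Files\Content.IE5\R6UG0LPA\flashplayer11_7r59020_211_win[1].exe (Trojan.Dropper) → Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    kind: str            # section name, e.g. "Registry Values" or "Files"
    item: str            # registry key, "key|value", or file path
    family: str          # Malwarebytes detection name
    data: Optional[str]  # registry values only: the data, usually the launched executable
    action: str

    @property
    def target(self) -> str:
        """The on-disk artefact this detection points at."""
        return self.data or self.item


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_autostart(det: Detection) -> bool:
    return det.kind == "Registry Values" and any(k in det.item.lower() for k in AUTOSTART_KEYS)


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log, remembering which 'X Detected: n' section each line belongs to."""
    kind: Optional[str] = None
    found: List[Detection] = []
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        if kind is None:
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(kind, m["item"], m["family"], m["data"], m["action"]))
    return found


def autostart_findings(dets: List[Detection]) -> List[Tuple[str, str, str]]:
    """(registry value, launched executable, family) for autostart entries in user-writable dirs."""
    return [(d.item, d.target, d.family) for d in dets
            if is_autostart(d) and d.data is not None and is_user_writable(d.data)]


def family_counts(dets: List[Detection]) -> CounterType[str]:
    return Counter(d.family for d in dets)


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, by family: {dict(family_counts(dets))}")
    for key, exe, fam in autostart_findings(dets):
        print(f"AUTOSTART from user-writable path: {key}\n    launches {exe} [{fam}]")
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents. Quarantine status is parsed but not used for the flag: a Run value that Malwarebytes already deleted still tells you which executable to look for elsewhere (Prefetch, scheduled tasks, other user hives) before declaring the machine clean.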

OTL and Extras logs.

aswMBR Log:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-14 19:41:00

19:41:00.413 OS Version: Windows 6.0.6002 Service Pack 2
19:41:00.413 Number of processors: 2 586 0xF0D
19:41:00.413 ComputerName: JOAQUINA-PC UserName: joaquina
19:41:01.692 Initialize success
19:42:28.132 AVAST engine defs: 13101401
19:48:17.049 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
19:48:17.064 Disk 0 Vendor: ST350063 3.CH Size: 476940MB BusType: 3
19:48:17.127 Disk 0 MBR read successfully
19:48:17.127 Disk 0 MBR scan
19:48:17.142 Disk 0 unknown MBR code
19:48:17.142 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 467477 MB offset 63
19:48:17.173 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9460 MB offset 957393675
19:48:17.173 Disk 0 scanning sectors +976768065
19:48:17.220 Disk 0 scanning C:\Windows\system32\drivers
19:48:26.159 Service scanning
19:48:43.662 Modules scanning
19:48:46.455 Disk 0 trace - called modules:
19:48:46.470 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:48:46.969 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86900ac8]
19:48:46.969 3 CLASSPNP.SYS[8b19f8b3] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x85579030]
19:48:48.171 AVAST engine scan C:\Windows
19:48:51.712 AVAST engine scan C:\Windows\system32
19:51:16.885 AVAST engine scan C:\Windows\system32\drivers
19:51:30.769 AVAST engine scan C:\Users\joaquina
20:04:19.965 AVAST engine scan C:\ProgramData
20:06:13.939 Scan finished successfully
20:31:54.793 Disk 0 MBR has been saved successfully to “G:\Reports\MBR.dat”
20:31:54.949 The log file has been saved successfully to “G:\Reports\aswMBR.txt”
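The line to notice in the aswMBR output is "Disk 0 unknown MBR code": aswMBR did not recognise the bootstrap code in sector 0 against the Windows MBRs it knows. An OEM recovery loader produces the same message, so on its own it is not a detection, but a ZeroAccess infection is exactly the case where it deserves a second look. Since the sector was saved to G:\Reports\MBR.dat, the practitioner's check is to parse that file: confirm the 0x55AA signature, confirm the partition table still matches what aswMBR printed, and hash the 440 bytes of bootstrap code so it can be compared with a known-clean MBR from the same OEM image. The Python below is an added example, not code from this thread or from aswMBR. The in-memory sector is constructed from the two partition entries in the log (the bootstrap bytes are a placeholder), and the assumption that MBR.dat is the raw 512-byte sector is mine.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOTCODE_LEN = 440       # bytes 0-439: bootstrap code; 440-445: disk signature and padding
PTABLE_OFFSET = 446      # four 16-byte partition entries, then the 0x55AA signature at 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = 2048    # 512-byte sectors per MiB, matching the "MB" figures aswMBR prints
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition."""
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:
        return self.sectors // SECTORS_PER_MB

    def describe(self) -> str:
        """Same shape as aswMBR's 'Partition N 80 (A) 07 HPFS/NTFS ... MB offset ...' lines."""
        flag = "80 (A)" if self.bootable else "00"
        name = PART_TYPES.get(self.type_id, "unknown")
        return f"Partition {self.index} {flag} {self.type_id:02X} {name} {self.size_mb} MB offset {self.lba_start}"


def parse_mbr(sector: bytes) -> List[Partition]:
    """Parse the partition table of a raw MBR sector; raises ValueError on a bad signature."""
    if len(sector) < MBR_SIZE:
        raise ValueError(f"need {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PTABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def is_valid_mbr(sector: bytes) -> bool:
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def layout_warnings(parts: List[Partition]) -> List[str]:
    """Consistency checks a tampered or corrupted table would typically fail."""
    warnings: List[str] = []
    active = [p.index for p in parts if p.bootable]
    if len(active) != 1:
        warnings.append(f"expected exactly one active partition, found {active}")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            warnings.append(f"partition {a.index} overlaps partition {b.index}")
    return warnings


def bootcode_sha256(sector: bytes) -> str:
    """Hash of the bootstrap code only, for comparison with a known-clean MBR of the same OEM image."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sector reproducing the table aswMBR printed; the bootstrap bytes are a placeholder."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"  # placeholder JMP, not real boot code
    # (status, type, LBA start, sector count): partition 1 ends exactly where partition 2 begins
    entries = [(0x80, 0x07, 63, 957393612),
               (0x00, 0x07, 957393675, 19374080)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PTABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(data):
        print(p.describe())
    print("bootcode sha256:", bootcode_sha256(data))
    for w in layout_warnings(parse_mbr(data)) or ["partition table looks consistent"]:
        print(w)
```

With no argument it runs on the constructed sector; with `python mbrcheck.py G:\Reports\MBR.dat` it runs on the saved one. The partition lines should match the aswMBR log byte for byte; a mismatch, a second active partition, or overlapping entries means the saved sector is not the table Windows is actually booting from and needs a closer look.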

It would be much easier to just attach all logs in one post. :wink:

Removal experts are notified, but they are in bed now, so check back tomorrow.

Hi,
Malwarebytes has killed the ransomware. Your Windows should be free now. We need to kill some remnants.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-aolmailtb-chromesbox-en-us
IE - HKLM\..\SearchScopes\{E99DC6E7-CB69-4E42-B25D-615D9955F9F7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-aolmailtb-chromesbox-en-us
IE - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..\SearchScopes\{E99DC6E7-CB69-4E42-B25D-615D9955F9F7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
CHR - Extension: Chrome In-App Payments service = C:\Users\joaquina\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0\
O2 - BHO: (AOL Email Toolbar Loader) - {fbea8524-8c72-4208-9d12-7fb73e9926eb} - C:\Program Files\AOL Email Toolbar\aolmailtb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (AOL Email Toolbar) - {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - C:\Program Files\AOL Email Toolbar\aolmailtb.dll (AOL LLC)
O3 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..\Toolbar\WebBrowser: (AOL Email Toolbar) - {A3704FA3-DBF6-46B5-B95E-0677DFD39577} - C:\Program Files\AOL Email Toolbar\aolmailtb.dll (AOL LLC)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: //@mail.mar@/ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: //@signup.mar@/ ([]msn in Computer)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: rhapsody.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-3036101792-3533086794-3871197891-1000\..Trusted Domains: rhapsody.com ([rhapreg] https in Trusted sites)
O33 - MountPoints2\{1f233a13-3b57-11df-a51e-001fc604b161}\Shell\AutoRun\command - "" = K:\DPF_V211.exe

:FILES
ipconfig /flushdns /c
C:\Users\joaquina\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Program Files\AOL Email Toolbar

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

----- Next ------

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your antivirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt)

Hehehe, sorry about all the posts, when it said post I followed verbatim :slight_smile:

Thanks for all your help.

Please download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\ (for example, C:\TDSSKiller.<version_date_time>log.txt).

Please post the contents of that log in your next reply.

------ next -------

Open notepad and copy/paste the text present inside the code box below:

FileLook::
c:\windows\system32\bootdelete.exe

ClearJavaCache::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Combofix and TDSKiller logs.

How is your computer behavior now?