Help, my PC is infected

[gklv 1]

Hi,

 

My wife's machine is having an issue stemming from the tor project ransomware.

 

I went through some cleanup steps before I found this site, so some traces are gone. Obviously need help with the cleanup. The bigger issue is file recovery, not sure what you can suggest there.

 

I've attached the request log files and a couple other files:

• The bitmap image set as the profile background
• An encrypted PDF file. Oops, check that. Can't attached the encrypted file. They all have a cryp1 extension.

All encrypted folders had one each of the two files types below and all the relevant data files appended to a .cryp1 extension.

!*.txt

!*.html

 

I've removed all the extra !* files (above).

 

Appreciate any help or suggestions you can provide.

 

Thanks

scan_160526-144856.txt

Addition_26-05-2016_14-58-26.txt

FRST_26-05-2016_14-58-26.txt

!813015878BB5.bmp

[Kevin Zoll 309]

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\...\Policies\Explorer: [NoRecycleFiles] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Startup: C:\Users\HK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!813015878BB5B.lnk [1899-12-30]
ShortcutTarget: !813015878BB5B.lnk -> C:\ProgramData\!813015878BB5.bmp (No File)
Startup: C:\Users\HK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!813015878BB5H.lnk [1899-12-30]
ShortcutTarget: !813015878BB5H.lnk -> C:\ProgramData\!813015878BB5.html (No File)
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
Toolbar: HKLM - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Toolbar: HKLM-x32 - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @mcafee.com/SAFFPlugin -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\NPMcFFPlg.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Identity Force\IDF Online Identity Protection Tools\ffext => not found
CHR HKLM\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McChPlg.crx <not found>
C:\Users\GK\AppData\Local\Temp\ammemb.dll
C:\Users\GK\AppData\Local\Temp\ammemb64.dll
C:\Users\gkuenzi\AppData\Local\Temp\ammemb.dll
C:\Users\gkuenzi\AppData\Local\Temp\ammemb64.dll
C:\Users\gkuenzi\AppData\Local\Temp\ANPDApi.dll
C:\Users\gkuenzi\AppData\Local\Temp\fs_DeviceControl.exe
C:\Users\HK\AppData\Local\Temp\ammemb.dll
C:\Users\HK\AppData\Local\Temp\ammemb64.dll
AlternateDataStreams: C:\ProgramData\TEMP:FCA8C9CD [127]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.