
Help, my PC is infected


Hi,

My wife's machine is having an issue stemming from the tor project ransomware.

I went through some cleanup steps before I found this site, so some traces are gone. Obviously need help with the cleanup. The bigger issue is file recovery, not sure what you can suggest there.

I've attached the requested log files and a couple other files:

  • The bitmap image set as the profile background
  • An encrypted PDF file. Oops, check that. Can't attach the encrypted file. They all have a cryp1 extension.

All encrypted folders had one each of the two file types below and all the relevant data files appended to a .cryp1 extension.

!*.txt
!*.html

I've removed all the extra !* files (above).

Appreciate any help or suggestions you can provide.

Thanks

Attachments:
scan_160526-144856.txt
Addition_26-05-2016_14-58-26.txt
FRST_26-05-2016_14-58-26.txt
!813015878BB5.bmp

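The post above describes the two things a responder needs to size up before any recovery attempt: how many files were renamed to .cryp1 (and which original file types they were), and which folders carry the "!*.txt" / "!*.html" ransom notes. The following PowerShell script is an added example, not code from the original thread or from any tool named in it; it walks an assumed profile path, reports per folder, and changes nothing on disk.

```powershell
# Added example, not from the original post: inventory the scope of encryption
# on an affected profile. Counts files renamed with the .cryp1 extension per
# folder, records which original file types were hit, and lists the !*.txt /
# !*.html ransom notes left beside them. Read-only; nothing is moved or deleted.
param(
    [string]$Root = "$env:USERPROFILE"   # assumed starting point; point it at the affected profile
)

$folders = @{}
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_.DirectoryName
    if (-not $folders.ContainsKey($dir)) {
        $folders[$dir] = @{ Encrypted = 0; Notes = @(); Types = @{} }
    }
    $f = $folders[$dir]
    if ($_.Extension -ieq '.cryp1') {
        $f.Encrypted++
        # report.pdf.cryp1 -> the original extension is the one left on the BaseName (.pdf)
        $orig = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
        if ($orig) { $f.Types[$orig] = [int]$f.Types[$orig] + 1 }
    }
    elseif ($_.Name -like '!*.txt' -or $_.Name -like '!*.html') {
        # ransom notes: one text and one html file per folder, name starting with '!'
        $f.Notes += $_.Name
    }
}

# One row per folder that was touched, with the hardest-hit folders first.
$report = foreach ($dir in $folders.Keys) {
    $f = $folders[$dir]
    if ($f.Encrypted -eq 0 -and $f.Notes.Count -eq 0) { continue }
    [pscustomobject]@{
        Folder        = $dir
        Encrypted     = $f.Encrypted
        RansomNotes   = ($f.Notes -join ', ')
        OriginalTypes = (($f.Types.GetEnumerator() | Sort-Object Value -Descending |
                          ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' ')
    }
}
$report | Sort-Object Encrypted -Descending | Format-Table -AutoSize

$total     = ($report | Measure-Object -Property Encrypted -Sum).Sum
$withNotes = @($report | Where-Object { $_.RansomNotes }).Count
"$total encrypted files across $($report.Count) folders; $withNotes folders contain a ransom note."
```

Run it from a prompt in the affected profile (or pass -Root with the profile path). The OriginalTypes column tells you which data actually needs recovering; the RansomNotes column shows whether any notes survived the earlier cleanup. If any do, keep a copy of one note and one small encrypted file: the note text, the extension and the naming pattern are what identifies the ransomware family, and that identification decides whether any decryption is possible.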

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\...\Policies\Explorer: [NoRecycleFiles] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Startup: C:\Users\HK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!813015878BB5B.lnk [1899-12-30]
ShortcutTarget: !813015878BB5B.lnk -> C:\ProgramData\!813015878BB5.bmp (No File)
Startup: C:\Users\HK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!813015878BB5H.lnk [1899-12-30]
ShortcutTarget: !813015878BB5H.lnk -> C:\ProgramData\!813015878BB5.html (No File)
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
Toolbar: HKLM - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Toolbar: HKLM-x32 - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @mcafee.com/SAFFPlugin -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\NPMcFFPlg.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Identity Force\IDF Online Identity Protection Tools\ffext => not found
CHR HKLM\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McChPlg.crx <not found>
C:\Users\GK\AppData\Local\Temp\ammemb.dll
C:\Users\GK\AppData\Local\Temp\ammemb64.dll
C:\Users\gkuenzi\AppData\Local\Temp\ammemb.dll
C:\Users\gkuenzi\AppData\Local\Temp\ammemb64.dll
C:\Users\gkuenzi\AppData\Local\Temp\ANPDApi.dll
C:\Users\gkuenzi\AppData\Local\Temp\fs_DeviceControl.exe
C:\Users\HK\AppData\Local\Temp\ammemb.dll
C:\Users\HK\AppData\Local\Temp\ammemb64.dll
AlternateDataStreams: C:\ProgramData\TEMP:FCA8C9CD [127]
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

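Two of the findings behind the fixlist above can be reproduced independently with built-in PowerShell before (or after) the fix is run: Startup-folder shortcuts whose target no longer exists (the pattern of the !813015878BB5B.lnk and !813015878BB5H.lnk entries), and the System Restore policy values the fixlist marks with ATTENTION. The script below is an added example, not part of the original reply and not FRST's own code; it only reports and removes nothing. The per-user Startup path is the standard one shown in the fixlist; the ProgramData path is the usual all-users equivalent and is an assumption here.

```powershell
# Added example, not from the original reply: report-only checks for two of the
# persistence / policy findings in the FRST fixlist. Run from an elevated prompt
# so that every profile under C:\Users is readable.
$shell = New-Object -ComObject WScript.Shell

# 1. Startup-folder shortcuts: resolve each .lnk target and flag the ones whose
#    target is missing or whose name starts with '!' (as the ransom-note launchers did).
$startupDirs = @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' } |
    Where-Object { Test-Path $_ })
$startupDirs += "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"   # assumed all-users path

$shortcuts = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{
            Shortcut     = $_.FullName
            Target       = $target
            TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
            LeadingBang  = $_.Name.StartsWith('!')
        }
    }
}
$shortcuts | Format-Table -AutoSize
$shortcuts | Where-Object { -not $_.TargetExists -or $_.LeadingBang } |
    ForEach-Object { Write-Warning "Suspicious startup shortcut: $($_.Shortcut) -> '$($_.Target)'" }

# 2. System Restore policy values named in the fixlist (DisableSR / DisableConfig).
#    Either value present under this key means restore points are restricted by policy,
#    which is why the fixlist flags the key before the user tries to recover anything.
$srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srKey) {
    $sr = Get-ItemProperty -Path $srKey
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $val = $sr.$name
        if ($null -ne $val) { Write-Warning "$srKey\$name = $val (System Restore restricted by policy)" }
    }
} else {
    'No SystemRestore policy key present.'
}
```

Running this after the fix gives a quick confirmation that the two .lnk launchers are gone from the Startup folder and that the SystemRestore policy key no longer exists; running it before the fix shows the same entries FRST listed, which is a useful sanity check before letting a script delete anything.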