peachcreek

pc infected please help


John,

Your logs do not show encrypted files.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [AutorunReload] => Autoload.exe D
HKU\S-1-5-21-3125221910-641666407-1738830726-1004\...\MountPoints2: {52890473-7b2a-11e6-8e8b-80ee739d598b} - "F:\DT4000_Launcher.exe" 
HKU\S-1-5-18\...\Run: [Bomgar_Cleanup_ZD1717812442] => cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-0x57e74005" & reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD1717812442 /f
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {D63DE24A-3E2A-4F44-932B-6BE1588FF0CB} URL = 
Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -  No File
Toolbar: HKLM-x32 - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -  No File
Toolbar: HKU\.DEFAULT -> No Name - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} -  No File
2016-11-16 18:35 - 2016-11-01 08:59 - 00000000 ____D C:\Users\Peaches\Documents\FedEx_00618464
2016-11-03 08:25 - 2016-09-24 21:30 - 0038952 _____ (Bomgar) C:\Users\Peaches\AppData\Local\[email protected]!-25510240692775608010-32.tmp
2016-11-03 08:25 - 2016-09-24 21:30 - 0044072 _____ (Bomgar) C:\Users\Peaches\AppData\Local\[email protected]!-25510240692775608010-64.tmp
2015-02-25 11:35 - 2015-02-25 11:35 - 0507904 _____ () C:\ProgramData\DRV10.tmp
C:\Users\John\AOLComputerCheckupDM.exe
C:\Users\John\emssetup1910.exe
C:\Users\John\FreeCAD-0.15.4671_x86_setup.exe
C:\Users\John\AppData\Local\Temp\install.dll
C:\Users\John\AppData\Local\Temp\progupd.dll
Task: {1D0C9841-3D80-4EA1-8A45-DC9CCA5C5131} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {1DE8F271-3B05-4C48-987E-09854DA5D521} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {2AA20EF3-D570-45AE-B3BE-63F3B19F1227} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {3F27B375-9287-4FAF-81FD-796C9D8C5A0D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {804FD5DA-C93C-4A18-AC2C-7F0C4F5F1611} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {8F849975-3830-451A-8E69-484FE0545E91} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {A69A1902-EA29-4523-908F-5FA50021AC86} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BD525270-D9D8-4C2F-AA7B-F640FA267245} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C00A9BD2-BDFB-4C55-A5B6-E4777F17B245} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {CCA75E59-3F5A-4542-ABEA-5435D0B7BDAC} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {CE163163-4EE1-4F23-BD75-9739D7F17515} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {DEC201A5-A4A7-469F-B8A7-29C6624B08FC} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {ED9F2EE5-A148-4CB7-94AE-840E93DDB86D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {EE886540-0B45-422E-8394-253773F0B552} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:612B5BD9 [148]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\AOL TOOLBAR" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

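
The fixlist above removes three kinds of leftovers that FRST flags: Run entries and scheduled tasks whose target binary no longer exists (reported as "No File"), and an alternate data stream under C:\ProgramData. The following PowerShell script is an added example, not part of this thread and not FRST's own code: it is a read-only audit that reports the same three categories so a helper or user can see what FRST is acting on before anything is deleted. It assumes Windows PowerShell 5.1 or later run from an elevated session (so HKLM and every task are readable); the function names and the default root path are this example's own choices.

```powershell
# Added example (not from the thread and not FRST's own code): a read-only audit
# of the three kinds of leftovers the fixlist above removes. Assumes Windows
# PowerShell 5.1 or later, run elevated so HKLM and all tasks are readable.
# Function names and the default root path are this example's own choices.

function Resolve-CommandPath {
    # Pull the executable out of an autorun command line ("C:\x\a.exe" /arg, a.exe D, ...)
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $exe = ($cmd -split '\s+', 2)[0]
    }
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # Bare names such as "Autoload.exe" or "cmd.exe" resolve through PATH, as the loader would
    $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) { return $found.Path }
    return $exe
}

function Test-TargetExists {
    param([string]$Target)
    return [bool]($Target -and (Test-Path -LiteralPath $Target -PathType Leaf))
}

function Get-RunEntryStatus {
    # The Run keys FRST reports as HKLM, HKLM-x32 and HKU\<SID>; orphaned ones show as "No File"
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath/... members
            $target = Resolve-CommandPath ([string]$p.Value)
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $target
                Status  = if (Test-TargetExists $target) { 'OK' } else { 'No File' }
            }
        }
    }
}

function Get-ScheduledTaskStatus {
    # Every exec action of every task; COM-handler actions have no Execute path and are skipped
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $target = Resolve-CommandPath $action.Execute
            [pscustomobject]@{
                TaskPath = $task.TaskPath + $task.TaskName
                Execute  = $action.Execute
                Target   = $target
                Status   = if (Test-TargetExists $target) { 'OK' } else { 'No File' }
            }
        }
    }
}

function Get-AlternateDataStreams {
    # Non-default streams such as "C:\ProgramData\TEMP:612B5BD9" on the root and its direct children.
    # -ErrorAction covers older PowerShell builds where -Stream cannot open directories.
    param([string]$Root = 'C:\ProgramData')
    $items = @(Get-Item -LiteralPath $Root -Force) + @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# Report only the suspicious rows; nothing is modified or deleted
Get-RunEntryStatus       | Where-Object Status -eq 'No File' | Format-Table -AutoSize
Get-ScheduledTaskStatus  | Where-Object Status -eq 'No File' | Format-Table -AutoSize
Get-AlternateDataStreams | Format-Table -AutoSize
```

The "No File" rows correspond to the Task: and Run: lines FRST marks with ATTENTION; a stream name other than :$DATA on a folder such as C:\ProgramData\TEMP is what the AlternateDataStreams: line in the fixlist refers to. Because the script only reads, it is safe to run before and after a FRST fix to confirm the entries are gone.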

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.


John,

I have merged your original and new threads.

Just 1 issue to clear up.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

AlternateDataStreams: C:\ProgramData\TEMP:612B5BD9 [148]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Kevin:

Nothing has changed! All my files are still encrypted! What should I expect to see?

I am very disappointed.

Best Regards,

John Glaab.

As part of this message is the text from the ransom source and two identical files from my computer: one encrypted, the other pure.

ATTENTION!

All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.71119 BTC (bitcoins).
Please follow this manual:

1. Create Bitcoin wallet here:

      https://blockchain.info/wallet/new

2. Buy 0.71119 BTC with cash, using search here:

      https://localbitcoins.com/buy_bitcoins

3. Send 0.71119 BTC to this Bitcoin address:

      16sX2UjQco5Q2dRBos4PppM9fB5D6iawci

4. Open one of the following links in your browser to download decryptor:

      http://angiarreda.it/counter/?a=16sX2UjQco5Q2dRBos4PppM9fB5D6iawci
      http://swissipa.com/counter/?a=16sX2UjQco5Q2dRBos4PppM9fB5D6iawci
      http://argon.remontporezov.ru/counter/?a=16sX2UjQco5Q2dRBos4PppM9fB5D6iawci
      http://purpletigeruk.com/counter/?a=16sX2UjQco5Q2dRBos4PppM9fB5D6iawci
      http://greenlandherbal.com/counter/?a=16sX2UjQco5Q2dRBos4PppM9fB5D6iawci

5. Run decryptor to restore your files.

PLEASE REMEMBER:

      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
      - Nobody can help you except us.
      - It`s useless to reinstall Windows, update antivirus software, etc.
      - Your files can be decrypted only after you make payment.
      - You can find this manual on your desktop (DECRYPT.txt).

Attachments:
western maryland.jpg
western maryland.jpg.crypted


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.