Malware Removal Logs Please HELP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shannonschow, Apr 7, 2014.

  1. shannonschow

    shannonschow Private E-2

    I have run "Read Me Run First"; here are my files.
    Other people have tried to clean this computer and found rootkits and Trojan Win32/Crilock.B. I am not sure what they have done to this computer, but the Crilock or ??? is preventing files from opening, such as a PDF file. I am not sure if malware is the problem or a virus?
    Please advise.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :)

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    Do you know what this file is?

    • C:\WINDOWS\system32\Bed Roster14.ps



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Erura ("C:\Documents and Settings\Lisa\Local Settings\Temp\Ilza\erura.exe" [-]) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : ulmistyn (C:\Documents and Settings\Lisa\ulmistyn.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\.DEFAULT\[...]\Run : SearchProtect (C:\Documents and Settings\UpdatusUser\Application Data\SearchProtect\bin\cltmng.exe [x]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1123561945-854245398-725345543-1003\[...]\Run : Erura ("C:\Documents and Settings\Lisa\Local Settings\Temp\Ilza\erura.exe" [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1123561945-854245398-725345543-1003\[...]\Run : ulmistyn (C:\Documents and Settings\Lisa\ulmistyn.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-18\[...]\Run : SearchProtect (C:\Documents and Settings\UpdatusUser\Application Data\SearchProtect\bin\cltmng.exe [x]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    ...also try to find this entry to remove:




    Next, rerun Hitman Pro and have it remove all that it finds.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    
    :files
    C:\Documents and Settings\Lisa\Local Settings\Application Data\ACCCx2_1_0_213.zip.aamdownload
    C:\Documents and Settings\Lisa\Local Settings\Application Data\ACCCx2_1_0_213.zip.aamdownload.aamd
    C:\Documents and Settings\Lisa\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Lisa\Application Data\Opit
    C:\Documents and Settings\Lisa\Application Data\Oqysat
    C:\WINDOWS\system32\drivers\vucjlv.sys
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ulmistyn"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "ulmistyn"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
    "{81297A40-C306-4993-BE21-B248AC309B5B}"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtect"=-
    [HKEY_USERS\S-1-5-21-1123561945-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "ulmistyn"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DB749824-0917-405E-98D3-0319F187198B}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Rerun RogueKiller and attach the new log.


    Now (in NORMAL boot mode, not safe mode) run the C:\MGtools\GetLogs.bat file by double-clicking on it. (Right-click and run as admin if using Vista, Windows 7 or Windows 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
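    The RogueKiller and OTM steps above both come down to one thing: finding Run/RunOnce autostart values whose target lives somewhere a legitimate program should not (a per-user Temp folder, the profile root, Application Data) or no longer exists on disk (the "[x]" entries). The following PowerShell script is an added example, not part of this thread and not RogueKiller's or OTM's own code; it walks those keys in HKCU, HKLM and every loaded hive under HKEY_USERS and lists the entries that would be worth checking. The path patterns it flags are my assumption of what the "[SUSP PATH]" heuristic looks for, not the tool's actual rules; it is read-only and deletes nothing. It needs PowerShell 3 or later (on XP's PowerShell 2.0, replace `[pscustomobject]@{...}` with `New-Object PSObject -Property @{...}`).

```powershell
# Added example (not from the thread, RogueKiller or OTM): enumerate Run/RunOnce
# autostart entries across HKCU, HKLM and every loaded user hive under HKEY_USERS,
# and flag the kind of entries RogueKiller reports as [SUSP PATH]: executables
# launched from Temp, from the user-profile root or from Application Data, plus
# entries whose target no longer exists on disk (shown as [x] in RogueKiller logs).
# Run from an elevated PowerShell prompt. Read-only; nothing is changed or deleted.

# HKEY_USERS has no drive by default; map one so HKU\.DEFAULT and HKU\S-1-5-... are reachable.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

# Hive roots: current user, machine, and every loaded user hive (SIDs and .DEFAULT).
$roots = @('HKCU:', 'HKLM:') + (Get-ChildItem HKU: | ForEach-Object { "HKU:\$($_.PSChildName)" })

# Assumption: these patterns approximate what a [SUSP PATH] heuristic treats as suspicious.
# Tune them for your environment; legitimate updaters do sometimes run from AppData.
$suspicious = @(
    '\\Local Settings\\Temp\\',                                 # XP per-user temp
    '\\AppData\\Local\\Temp\\',                                 # Vista+ per-user temp
    '\\Windows\\Temp\\',
    '^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$', # exe directly in an XP profile root
    '^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$',                  # exe directly in a Vista+ profile root
    '\\Application Data\\',                                     # XP roaming profile
    '\\AppData\\Roaming\\'                                      # Vista+ roaming profile
)

function Get-AutorunTarget {
    # Pull the executable path out of a Run value, which is either
    #   "C:\path\x.exe" args      or      C:\path\x.exe args
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

$findings = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # GetValue() expands REG_EXPAND_SZ (%windir% etc.) before we look at the path.
            $cmd    = [string]$item.GetValue($name)
            $target = Get-AutorunTarget $cmd
            $exists = Test-Path -LiteralPath $target   # bare names like "rundll32.exe" show as missing; review by hand
            $hits   = $suspicious | Where-Object { $target -match $_ }
            if ($hits -or -not $exists) {
                $reason = if ($hits) { 'suspicious location' } else { 'missing target' }
                [pscustomobject]@{
                    Key    = $key
                    Name   = $name
                    Target = $target
                    Exists = $exists
                    Reason = $reason
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

    On the machine in this thread the output would include the Erura and ulmistyn values (targets under Local Settings\Temp and directly in the profile root) and the SearchProtect values (flagged because their target is already gone). Treat the list as a worksheet, not a verdict: confirm each entry before removing it with the tool the helper specifies, and attach the resulting logs as asked.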
     
  3. shannonschow

    shannonschow Private E-2

    I am trying to do the first step and I don't see those file names listed on the registry tab. Can you be more specific.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    They should be on the registry tab, and I have listed them exactly as they show. I cannot be more specific than that.

    If you really cannot see them then continue on with the other steps.
     
  5. shannonschow

    shannonschow Private E-2

    I do not know what that file is: C:\WINDOWS\system32\Bed Roster14.ps

    I didn't see any of those files on the registry tab, so I continued the steps.
    I deleted the

    :Browser Addons : 1 ¤¤¤
    [FF][PUP] dkr17d93.default : Default Tab


    The computer is running OK, but we are having problems opening files due to Trojan Win32/Crilock.B.
    Can you help with this also?
    I have tried to find a restore point, but it keeps saying that it cannot restore to a previous point before the infection. During the cleaning process the programs found the following trojans. I think all are deleted, but I'm not sure if that matters.
    Rootkit.Win32.Necurs.gen
    PWS:Win32/Zbot.gen!I
    Trojan:Win32/Crilock.B
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    C:\WINDOWS\system32\Bed Roster14.ps <<< delete this. Let me know if you have problems doing so.

    What files? Explain please.
     
  7. shannonschow

    shannonschow Private E-2

    Trojan Crilock.B, a ransom virus, was on this computer. I am not sure if the server needs to be cleaned. I ran scans and the server seems to be fine.
    This network has 2 desktop PCs running XP and Windows 7. A red box came up saying they had to pay $400 to unlock files. This is known as a ransom virus.
    Of course I told them not to pay and that I would clean the computer. As far as I know I have deleted all viruses, but all files on the computer cannot be opened.

    The files are encrypted. How do we unencrypt the files??? I don't think that is a word, lol.

    They have a backup company who is backing up files and restoring them. I am assuming this is the solution to the problem. I would like to know what I could do on my own just in case this ever happens to my personal laptop, since I am often working with their network on my personal laptop.
    Thank you so much for your help.

    Question: do you think that computer is clean now? (Referencing the malware and virus logs posted previously.)

    sorry for delay in answering
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    For these types of infections we try to have users run a tool called FRST; there is also an alternative for people running XP.

    So on this machine that we've been working on, files are still encrypted? If so, run this:

    Kaspersky Windows unlocker.
     
