Ransomware Twice....please Check Logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by insan_art, Oct 2, 2016.

  1. insan_art

    insan_art Private First Class

    Hello Major Geeks, long time no see. :)

Posting for a friend's computer. They had a "ransomware" issue about a year ago and I never had a chance to clean it. They just stopped using the computer altogether. About 2 weeks ago they decided to turn on the system again to look at a card from a game camera....2 days later, ransomware hit again. I can only assume from the same infection as before. (from what I understand, they paid for the ransomware both times! UGH!!!) At this point, I wouldn't even connect their computer to my network because I'm afraid it will infect my household.

    So. I ran the Run and Read....of course! (from both a local free network and the household that this infected system originated from). I'm sorry, I've been less than my diligent self and may have missed something. I know that they have no anti-virus running at this point (except for maybe the sh*t that comes with windows now - I'm sorry, not familiar with it, I refuse to use Windows 10 and this is only the second time I've dealt with it) - I will install a free AV as soon as I'm instructed....I didn't earlier because I assumed that this infection would block it.

    Anyways, the logs I've been able to get are attached. I'm pretty sure any log that is not attached came up with nothing found....but, I can't say for certain because I'm so stuffy right now with an allergic reaction to their dogs....i'm not quite sure what I missed if I did miss something!

    Lemme know what you think. Thank you, as always!!!!
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    This PC has less than 10% free space remaining on the harddrive.
    Please download and run this tool to remove remnants of AVG2015:
    AVG Remover 1.0.1.2

    Using Windows Explorer, delete this folder:
    C:\Program Files (x86)\AVG Web TuneUp

    Note: I see no signs of remaining malware. If you wish, you can run this online scanner as a final check.
    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8/10 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
Safe surfing!
     
  3. insan_art

    insan_art Private First Class

    Hi dr.moriarty, thank you for the reply. Sorry I haven't had a chance to work on this until today.

    "This PC has less than 10% free space remaining on the harddrive."

    Interesting. Since there really aren't many personal files on this system, I can only assume that the bulk of this is the old windows files that were held over when the system was upgraded to Win 10? I asked a friend and she said they are supposed to be purged within 30 days of install? Also, that I can just manually delete? Well, I tried that and it fails. Saying I don't have permissions to do that, when I am on full admin?!?!

    Anyways, I got rid of the leftover AVG stuff.

    However, I am still seeing remnants of the "ransomware" tech support crap. There's text saying "Protech Elevate 1-855-953-2262" still embedded on the taskbar down in the right corner, to the left of the clock. There are still some mundane documents from them sitting on the desktop as well - I left those on purpose so I could remember the name of the "tech support service", only because I assumed the phone number thing would go away when I removed the program. Any thoughts on this?

    Thanks again!
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    What were the results of the eSet Online scan?
     
  5. insan_art

    insan_art Private First Class

    My apologies, I forgot to run the eSet scan. Ran it last night. No results.

    Attached is a shot of the "protech elevate" text I'm referring to that's on the taskbar....

    Thanks!
     

    Attached Files:

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *protech*
      :folderfind
      *protech*
      :regfind
      protech
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please upload this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
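For anyone following this thread later: the script below is an added PowerShell equivalent of the three SystemLook searches above (:filefind, :folderfind and :regfind), not SystemLook itself and not something either poster supplied. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the only value taken from the thread is the search string 'protech', and the report path on the Desktop is a chosen default. It also reads the clock's AM/PM designator values, because string data stored in ordinary user-interface settings is one place a scammer's text can sit without any file on disk being involved; that targeted check is an assumption about this thread's taskbar text, not a finding from the logs.

```powershell
# Added example (not from the thread or from SystemLook): search file names,
# folder names and the registry for a substring, the way SystemLook's
# :filefind / :folderfind / :regfind directives do.
param(
    [string]$Pattern = 'protech',                                   # string from the thread
    [string]$Report  = "$env:USERPROFILE\Desktop\RemnantLook.txt"   # assumed output location
)

$hits = New-Object System.Collections.Generic.List[string]

# --- :filefind / :folderfind ------------------------------------------------
# Walk every fixed drive and report files and folders whose NAME contains the pattern.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Pattern*" } |
        ForEach-Object {
            if ($_.PSIsContainer) {
                $hits.Add(("FOLDER {0}  modified={1:u}" -f $_.FullName, $_.LastWriteTime))
            } else {
                $hits.Add(("FILE   {0}  size={1}  modified={2:u}" -f $_.FullName, $_.Length, $_.LastWriteTime))
            }
        }
}

# --- :regfind ---------------------------------------------------------------
# Check key names, value names AND value data under HKLM and HKCU. Checking the data
# matters: a phone number or product name left behind by a scam is usually stored as
# data, not as a key name. HKU:\ would additionally cover other users' profiles.
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like "*$Pattern*") {
            $hits.Add("REGKEY $($key.Name)")
        }
        foreach ($vname in $key.GetValueNames()) {
            $data = $key.GetValue($vname)
            if ($vname -like "*$Pattern*" -or ("$data" -like "*$Pattern*")) {
                $hits.Add("REGVAL $($key.Name)  [$vname] = $data")
            }
        }
    }
}

# --- targeted check (assumption, see lead-in) -------------------------------
# The taskbar clock prints the AM/PM designators verbatim; they are editable strings.
# Reported unconditionally so the reader can judge them against the locale's normal values.
$intl = Get-ItemProperty -Path 'HKCU:\Control Panel\International' -ErrorAction SilentlyContinue
foreach ($v in 's1159', 's2359') {
    if ($null -ne $intl -and $null -ne $intl.$v) {
        $hits.Add("CLOCK  HKCU\Control Panel\International\$v = '$($intl.$v)'")
    }
}

# --- write the report, like SystemLook's SystemLook.txt ---------------------
if ($hits.Count -eq 0) { $hits.Add("No file, folder or registry entry matched '*$Pattern*'.") }
$hits | Set-Content -Path $Report
Write-Host "Wrote $($hits.Count) line(s) to $Report"
notepad.exe $Report
```

Expect the full-drive walk and the HKLM recursion to take a few minutes on a large disk. Read the output the same way you would read a SystemLook log: a hit is a lead to investigate, not proof of infection on its own.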
     
  7. insan_art

    insan_art Private First Class

    OK, ran SystemLook. Txt is attached. :)
     

    Attached Files:

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please delete that file and let me know what problems remain.
     
  9. insan_art

    insan_art Private First Class

    So, I deleted the file......restarted. That damn text is still there. I don't seem to be seeing any other issues with the system right now, but I'm just weirded out by that "protech" text still embedded there. I did some googling about that "service" and I know it's obviously a scam....just have a bad feeling about something still sitting on the system, but I can't see how all of the scans and such don't find anything else wrong?
     
  10. insan_art

    insan_art Private First Class

    Also, should I install a stand-alone free anti-virus (I'm partial to Avast right now).......or is Defender enough? These folks could probably use an extra layer of protection, and from what I understand, I can install another AV and not have it compete with Defender?

    Thanks!
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Go HERE and download Microsoft Process Explorer 16.12.
    • Save it to your desktop
    • It does not require installation, just right-click to run
    • Once opened, select Options
  • Put ticks by "Verify Image Signatures", VirusTotal.com > Check VirusTotal.com, Confirm Kill
    • At the far right you will see the VirusTotal column
    • Look under that column for anything showing other than 0/56-57
      See something? INVESTIGATE IT
    • Now under the far left column labeled Process, see if you find a process relating to protech. If so - hover your mouse over it.
      • You will be shown Command Line - Path - Services <= if any involved
      • To see what process started protech, right-click it and choose Properties, under the "Image" tab - look under Parent.
    • You should now have the information you need to remove the problem.

    *A link to a guide for recommended software will be given when the removal is completed.
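As an added example for readers working through the Process Explorer steps above (this is not Process Explorer and not code from either poster): the PowerShell below gathers, for every running process, the same facts those steps have you read by hand, that is the parent process, the command line, any services hosted in the process and the Authenticode status of the image, and it prints the SHA-256 of each image so the VirusTotal lookup can be done manually rather than by the script. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the search string 'protech' is the one from the thread, and the "trusted path" folders are a chosen heuristic, not a rule.

```powershell
# Added example (not from the thread or from Process Explorer): list processes with
# parent, services, signature status and image hash, then show the ones worth a look.
param(
    [string]$Pattern = 'protech'   # string from the thread
)

$procs    = Get-CimInstance -ClassName Win32_Process
$services = Get-CimInstance -ClassName Win32_Service
$byPid    = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Folders where a properly installed program normally lives (heuristic, assumed).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$rows = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]          # $null if the parent already exited
    $path   = $p.ExecutablePath
    $sig    = 'NoPath'
    $hash   = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Status is Valid, NotSigned, HashMismatch, UnknownError ... for the image file.
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    # Services hosted by this PID (what Process Explorer shows under "Services" on hover).
    $svc = ($services | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object Name) -join ','
    $inTrusted = $false
    foreach ($r in $trustedRoots) {
        if ($path -and $r.Length -gt 1 -and $path.StartsWith($r, 'OrdinalIgnoreCase')) { $inTrusted = $true }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Signature   = $sig
        TrustedPath = $inTrusted
        Services    = $svc
        SHA256      = $hash
        Path        = $path
        CommandLine = $p.CommandLine
    }
}

# 1. Anything whose name, image path or command line mentions the pattern.
$named = $rows | Where-Object { ($_.Name, $_.Path, $_.CommandLine) -like "*$Pattern*" }

# 2. Anything not validly signed that also runs from outside the usual program folders.
#    NotSigned alone is not a verdict: some catalog-signed Windows components can report
#    NotSigned here, which is why the path check is combined with it.
$odd = $rows | Where-Object { $_.Signature -ne 'Valid' -and -not $_.TrustedPath -and $_.Path }

"== Processes matching '$Pattern' =="
$named | Format-List PID, Name, Parent, ParentPID, Services, Signature, Path, CommandLine
"== Not validly signed AND outside Windows / Program Files (check the SHA256 on VirusTotal) =="
$odd | Sort-Object Name | Format-Table PID, Name, Parent, Signature, SHA256, Path -AutoSize
```

The second list is the one that corresponds to "anything showing other than 0/56-57" in the post: it narrows the process list to images you cannot vouch for by signature or location, and the printed hash is what you paste into the VirusTotal search box. A clean run, like the one reported later in this thread, prints only the card reader and similar legitimate unsigned tools.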
     
  12. insan_art

    insan_art Private First Class

    Well, that didn't see anything weird. No references to Protech, and the only items that came up outside of the 56/57 parameters were legit (a card reader, etc).

    Guess I'm just going to have to leave this as is for now.....they want the computer back so they can look at the photos on their game camera. I'm going to install Avast free before I give the system back. And, remind them that they do not need to pay anyone to install software to "fix" stuff. They still think something was wrong with the computer (according to the fake tech support guy), when I keep explaining that it was all a scam and there never was anything wrong to begin with! UGH!

    Thank you for your help!
     
