Ransomware with no known traces?

Hi,

I'm currently trying to fix my parents' computer. And the fact that it isn't my own complicates things a bit; I'm not sure what they have on it and where they went to catch it. It runs on Windows XP media center edition 2005.

The first instance of this malware/virus was this last August. There was the police ransom page at start up. That's when I learnt how to boot using safe mode. I updated MBAM through the backdoor and ran the scan, found some suspect files, fixed them and everything was fine.

Now, 3 days ago (Dec. 8th) the malware was back. But it seems that they've now caught the new and improved version of the damn Ukash ransomware. I say that because I searched all over the web, on forums such as this one (have to mention I admire this one the most and it's why I registered), and we exhibit none of the usual symptoms.

Of course, through my research I ended up following a lot of different expert advice. I hope I didn't mess things up, but I was as careful as possible, considering.

Retracing my (significant) steps:

(All in safe mode, mind you, because I can't access the computer any other way)

1) I ran MBAM scan, found nothing wrong;
2) I ran AVG scan, found nothing either;
3) I ran Ad-Aware scan, it found 2 instances of Trojan Generic!BT, quarantined;
4) Took the computer to my plave to have internet access on my own PC;
5) I looked for mspmsnsv.dll and replaced it with the file downloaded from Originaldll.com;
6) In Windows/temp, I cleaned up files that had been modified on or since Dec. 8th, but didn't find any that bore a random 6-digits name.dat;
7) I tried to run System File Checker (scannow) by it didn't work;
8) I went into Event viewer and witnessed Remote connections happened minutes before my dad saw the malware page;
9) I then disabled remote access connections;
10) I went into regedit to see if "[HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN] had been changed to 3, but no it was still at 2;
11) I ran RogueKiller which found a few things (log attached) - this was before I had decided to write my own thread, I was using the help you gave in this thread: http://forums.majorgeeks.com/showthread.php?t=262044;

At the end of my wits, I registered to post a thread and then saw the READ AND RUN ME FIRST, which I did all the way until step 4; I was still having problems.

The computer has 2 accounts, the Administrator I made for myself, and the family account for my parents to play in.

If I boot in Normal mode, I get the desktop image of the family account, bypassing the login page, there are no icons, it takes minutes and then I get a white screen. It's not plugged in the internet, so the ransomware page doesn't appear, just the white page.

If I boot in safe mode, with or without network, and choose the family account, windows shuts down. If I choose the Administrator account, it's fine but then I don't have access to everything to scan and/or fix.

I attached all my logs here. It includes the past logs I made of the first instances in August, and the logs I made before all my steps.

I sure hope someone can help me. If not, my only option left will be to buy a new drive, which I'd very much like to avoid.

Thanks a lot,

Jen

 

These are the rest of the logs.

Forgot to mention, they're running on 32-bits, SP3.

Thanks again.

 

update, thanks.

 

Hi Chaslang, thanks for the instructions. I was puzzled as to what I should do. After you wrote to me that those changes would only touch the non-infected account, I realized the three days of work I had done for almost nothing. I couldn't log in the family account at all, let alone run a scan in it.

With my parents at the other end worrying about their computer, I offered them 2 options; either leave it with me for an undetermined amount of time in the hope something could be done to fix it; or cash out the 60$ to buy a new uninfected drive.

They decided to pay up, so I installed the new drive. I'm having some bugs and things to fix with that too, but at least I know I'm not wasting my time. There was so much that had gone wrong with their old drive...

I feel really bad for having asked your support, maybe too quickly, as my parents reached a decision shortly after, before I had gotten an answer from you guys. So I apologize for that.

Also, if you find that some comments made through my login are beyond my apparent computer knowledge, that's because my computer-savvy friend came to help and used my login to ask a question.

Sincerely thanks,

Jen