Ransomware Zeus

Discussion in 'Malware Help (A Specialist Will Reply)' started by jdoginc, Oct 2, 2016.

  1. jdoginc

    jdoginc Private E-2

    Helping out a friend who fell prey to ransomware. She went so far as to give a credit card number to someone before she realized what she had done, hung up and called her bank. She has several OS systems: 10.1, 8.1, XP, and 7. I ran Malwarebytes in safe mode with networking and installed their ransomware prevention. It came back. I am about to go through the cleaning procedure. I ran Adaware and I am attaching those results, with a few others. Thank you for your help in advance.
     

    Attached Files:

  2. jdoginc

    jdoginc Private E-2

    Couldn't use TDSSKiller.
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    What is the name of the ransomware? Your friend needs to be instructed on safe surfing habits.

    Re-run RogueKiller.exe. (Vista/Windows7/8/10 users should right-click and select "Run as Administrator")
    After it finishes the scan, select the following tabs, then select any of the items below that exist, and then click the Remove Selected button.
    Registry
    • [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Conduit -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\MaxPower -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564 -> Found
    • [Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\akngji (System32\drivers\mhsgowlk.sys) -> Found
    Tasks
    • [PUP] \UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 -- C:\Windows\TEMP\DeleteFolderTask.exe -> Found
    Then immediately reboot your PC.

    Now run a new scan with RogueKiller, save a log as in the original instructions and upload that new log.

    Next please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Upload JRT.txt to your next message.
    Using Windows Explorer, delete this folder:
    C:\ProgramData\0d416a86-54bb-4703-a595-f29fb170661e

    Go here ==> https://www.eset.com/us/online-scanner/ and click on the SCAN NOW radio button > save the esetonlinescanner_enu.exe binary file to your Desktop > disable your anti-virus program > then right-click and choose "Run as Administrator". *Be patient! The scan can take 2 hours or more.

    Upload the scan results log and tell me how the PC is running.
     
    jdoginc likes this.
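    Added here as an example for this thread (it is not part of the original posts, nor code from RogueKiller, JRT or any other tool named above): a PowerShell check a helper can run from an elevated prompt after the removal steps, to confirm the listed artifacts are really gone and to look for any other service key that exists in the registry but is not visible to the Service Control Manager, which is what RogueKiller's [Hidden.From.SCM] tag describes. It assumes that the (X86) tag refers to the 32-bit registry view (Wow6432Node on 64-bit Windows), so both views are tested, and that schtasks.exe is available.

```powershell
# Added example (not from the thread or any tool it names): re-check the artifacts
# dr.moriarty listed after cleanup and look for services hidden from the SCM.
# Run from an elevated PowerShell prompt on the cleaned machine.
# Assumption: RogueKiller's (X86) tag means the 32-bit registry view, which on
# 64-bit Windows lives under Wow6432Node, so both views are tested.

$findings = @()
function Add-Finding([string]$Kind, [string]$Item, [bool]$Present) {
    $script:findings += New-Object PSObject -Property @{
        Kind = $Kind; Item = $Item; StillPresent = $Present
    }
}

# 1. Registry keys named in the RogueKiller output
$regKeys = @(
    'HKLM:\SOFTWARE\Conduit',
    'HKLM:\SOFTWARE\MaxPower',
    'HKLM:\SOFTWARE\Wow6432Node\MaxPower',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564',
    'HKLM:\SYSTEM\CurrentControlSet\Services\akngji'
)
foreach ($k in $regKeys) { Add-Finding 'Registry' $k (Test-Path -LiteralPath $k) }

# 2. Files and folders named in the thread
$paths = @(
    (Join-Path $env:SystemRoot 'System32\drivers\mhsgowlk.sys'),
    (Join-Path $env:SystemRoot 'TEMP\DeleteFolderTask.exe'),
    (Join-Path $env:ProgramData '0d416a86-54bb-4703-a595-f29fb170661e')
)
foreach ($p in $paths) { Add-Finding 'File' $p (Test-Path -LiteralPath $p) }

# 3. The scheduled task. schtasks.exe is used instead of Get-ScheduledTask
#    because the latter does not exist on Windows 7.
$tasks = schtasks.exe /Query /FO CSV /NH 2>$null |
    ConvertFrom-Csv -Header TaskName, NextRun, Status
$ddsTask = $tasks | Where-Object { $_.TaskName -like '*UninstallDDS-*' }
Add-Finding 'Task' 'UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337' ([bool]$ddsTask)

# 4. Generic check behind the [Hidden.From.SCM] tag: every key under Services
#    that carries an ImagePath should be visible as a service (Get-Service) or a
#    kernel driver (Win32_SystemDriver). A key with neither is either a stale
#    leftover of uninstalled software or something hiding from the SCM, so each
#    hit needs a manual look. A rootkit that also hooks the registry API evades
#    this check too, which is why the dedicated tools in the thread are still used.
$visible = @(Get-Service | ForEach-Object { $_.Name }) +
           @(Get-WmiObject -Class Win32_SystemDriver | ForEach-Object { $_.Name })
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('ImagePath') -and ($visible -notcontains $_.PSChildName) } |
    ForEach-Object { Add-Finding 'HiddenFromSCM' $_.PSChildName $true }

# Any row with StillPresent = True means that cleanup step did not take.
$findings | Sort-Object Kind, Item | Format-Table Kind, Item, StillPresent -AutoSize
```

    A row with StillPresent set to True for a Registry, File or Task item means the corresponding RogueKiller or manual deletion step should be repeated; a HiddenFromSCM row is not proof of infection on its own, but it is exactly the condition that justified the reboot-and-rescan sequence above.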
  4. jdoginc

    jdoginc Private E-2

    It has taken me all week to run this. I cannot get her computer to stop sleeping! I ran the log and I do not know where it saves. And NOW I notice an ESP (F:) that is not accessible. I will attach the JRT log and continue to look for the ESET log. I am afraid to log onto my Wi-Fi at my house, as if I did not remove the ransomware, it may infect my system, correct? I used my cell as a hotspot to run ESET on her computer. Thank you so much for the help!
     

    Attached Files:

    • JRT.txt (1.4 KB)
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Explain this fully without using abbreviations! It is wise NOT to connect this machine to your network unless you're certain that your computers are well protected.

    EDIT: Download and run the FIXTOOL offered on this page - scroll halfway down to find the download.
    https://www.symantec.com/en/uk/outbreak/?id=takedown-gameover-and-cryptolocker-cybercrime

    *Another online scanner to try but it's not sounding good for the infected machine...
    Kaspersky Security Scan
    http://free.kaspersky.com/us?_ga=1.266376776.793029247.1475449675
     
    Last edited: Oct 8, 2016
    jdoginc likes this.
  6. jdoginc

    jdoginc Private E-2

    Dr. Moriarty,
    My "This PC" icon brings up: Desktop, Downloads, OS (C:) and now, one I haven't noticed, ESP (F:). I am not sure if the (F:) drive was there before or not. This isn't my computer, so I may have just missed it, but I don't think so. As far as hooking it up to the network, I just used the 4G on my Droid Turbo and connected the infected PC to the internet. I have been downloading things to a thumb drive and then putting them on the infected PC. Again, I know I am running a risk by doing so, just crossing my fingers that AVG catches it on the thumb drive if it makes it on there. I will follow this link, download the program and put it on the other computer. She is running Trend Micro Maximum Security. Thank you for your continued assistance. I did manage to get the computer to stop shutting down, going into sleep, etc. I reran the ESET program, but it has an error near to, or when it finishes. There is no code, just "stops working". And I cannot find a log.
    Thank you.
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, jdoginc.

    Recently I've had a couple of members experiencing ESET "stop working" and don't know what conflict is causing that. Please try the Kaspersky scan.

    *Note: Adding CryptoPrevent to your own protection scheme is a good idea. ;)
     
    jdoginc likes this.
  8. jdoginc

    jdoginc Private E-2

    I ran the fix tool and afterwards it wanted to run the Norton Power Eraser; I said yes. Do I still run the Kaspersky? I'm so relieved! My friend's mom will be, too! Now just three more to go! She has three more laptops. Yay!
     

    Attached Files:

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes, now run the Kaspersky scan.
     
    jdoginc likes this.
  10. jdoginc

    jdoginc Private E-2

    I ran Kaspersky. And again, I cannot seem to find the log. I don't know if it is saving or just unnecessary because it says it found nothing. So... where do I go from here, if not the internet? lol
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please describe how the PC is running now.
     
