|
Post by htgawm on Feb 28, 2015 20:09:42 GMT -8
C:\FRST\Quarantine\C\ProgramData\Windows Genuine Advantage\{C3C0D075-1585-46D4-9831-5DADCAEDCAF2}\msiexec.exe a variant of Win32/Injector.BVDM trojan
C:\FRST\Quarantine\C\Users\One\AppData\Local\Temp\01423089035499.exe.xBAD a variant of Win32/Injector.BTZV trojan
C:\FRST\Quarantine\C\Users\One\AppData\Local\Temp\oynpyai.exe.xBAD a variant of Win32/Injector.BVDM trojan
C:\FRST\Quarantine\C\Users\One\AppData\Local\YgPack\01423089035499.exe.xBAD a variant of Win32/Injector.BTZV trojan
C:\FRST\Quarantine\C\Users\One\Documents\!Decrypt-All-Files-ivwmxpf.txt.xBAD Win32/Filecoder.DA.Gen trojan
C:\Users\One\.digilabs\londondrugs\data\backgrounds\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\.digilabs\londondrugs\data\layouts\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\AppData\Local\Adobe\Lightroom\Caches\Video\Media Cache Files\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll a variant of Win32/Boaxxe.CO.gen trojan
C:\Users\One\AppData\Local\Microsoft\OIS\thumbnails\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\AppData\Local\YgPack\Compare.dll a variant of Win32/Boaxxe.CO.gen trojan
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3d260f82-7a8402c3 a variant of Java/Exploit.Agent.RZZ trojan
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-591ff18c a variant of Java/Exploit.Agent.RZZ trojan
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-76325355 a variant of Java/Exploit.Agent.RZZ trojan
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\Low\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Desktop\us 4 print\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Desktop\zerba cd\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Music\marks music\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Pictures\New folder\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Pictures\New folder (2)\lucy\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
C:\Users\One\Pictures\winston\!Decrypt-All-Files-ivwmxpf.txt Win32/Filecoder.DA.Gen trojan
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Feb 28, 2015 20:17:42 GMT -8
Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
Copy the entire content of the codebox below and paste into the notepad (Including start and end)

start
C:\Users\One\.digilabs\londondrugs\data\backgrounds\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\.digilabs\londondrugs\data\layouts\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\Adobe\Lightroom\Caches\Video\Media Cache Files\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll
C:\Users\One\AppData\Local\Microsoft\OIS\thumbnails\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\YgPack\Compare.dll
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3d260f82-7a8402c3
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-591ff18c
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-76325355
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\Low\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Desktop\us 4 print\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Desktop\zerba cd\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Music\marks music\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\New folder\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\New folder (2)\lucy\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\winston\!Decrypt-All-Files-ivwmxpf.txt
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
Right-click on icon and select Run as Administrator to start FRST. (XP users click run after receipt of Windows Security Warning - Open File).
Press the button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop, called Fixlog.txt. To paste or attach back here
Quads
|
|
|
Post by htgawm on Feb 28, 2015 20:33:13 GMT -8
fixlog
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-02-2015
Ran by One at 2015-02-28 20:26:35 Run:2
Running from C:\Users\One\Desktop
Loaded Profiles: One (Available profiles: One)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Users\One\.digilabs\londondrugs\data\backgrounds\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\.digilabs\londondrugs\data\layouts\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\Adobe\Lightroom\Caches\Video\Media Cache Files\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll
C:\Users\One\AppData\Local\Microsoft\OIS\thumbnails\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Local\YgPack\Compare.dll
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3d260f82-7a8402c3
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-591ff18c
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-76325355
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\Low\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Desktop\us 4 print\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Desktop\zerba cd\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Music\marks music\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\New folder\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\New folder (2)\lucy\!Decrypt-All-Files-ivwmxpf.txt
C:\Users\One\Pictures\winston\!Decrypt-All-Files-ivwmxpf.txt
end
*****************

C:\Users\One\.digilabs\londondrugs\data\backgrounds\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\.digilabs\londondrugs\data\layouts\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\AppData\Local\Adobe\Lightroom\Caches\Video\Media Cache Files\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\AppData\Local\Ilcsoft\PDFPrevHndlrShim.dll => Moved successfully.
C:\Users\One\AppData\Local\Microsoft\OIS\thumbnails\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\AppData\Local\YgPack\Compare.dll => Moved successfully.
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3d260f82-7a8402c3 => Moved successfully.
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-591ff18c => Moved successfully.
C:\Users\One\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4170f37b-76325355 => Moved successfully.
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\AppData\Roaming\Microsoft\Windows\Cookies\Low\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Desktop\us 4 print\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Desktop\zerba cd\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Music\marks music\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Pictures\New folder\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Pictures\New folder (2)\lucy\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
C:\Users\One\Pictures\winston\!Decrypt-All-Files-ivwmxpf.txt => Moved successfully.
==== End of Fixlog 20:26:35 ====
|
|
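A way to cross-check a Fixlog like the one posted above against its own fixlist, so that any entry that was not reported as moved stands out. This is an added example, not part of the thread and not FRST's own code; the function names, the sample paths and the "not found." status wording are assumptions constructed for the illustration.

```python
MOVED = "Moved successfully."

def parse_fixlog(text):
    """Split a Fixlog body into the fixlist entries and the per-path results."""
    requested, results, in_fixlist = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "start":
            in_fixlist = True
        elif line == "end":
            in_fixlist = False
        elif in_fixlist and line:
            requested.append(line)
        elif " => " in line:
            # Paths may contain spaces, so split on the last " => " only.
            path, status = line.rsplit(" => ", 1)
            results[path.lower()] = status  # Windows paths are case-insensitive
    return requested, results

def unresolved(text):
    """Return (path, status) for every fixlist entry not reported as moved."""
    requested, results = parse_fixlog(text)
    report = []
    for path in requested:
        status = results.get(path.lower(), "no result line")
        if status != MOVED:
            report.append((path, status))
    return report

# Constructed sample in the layout of the Fixlog above (paths are made up;
# the "not found." status text is an assumption, not taken from the thread).
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
start
C:\Users\Example\Desktop\sample folder\note.txt
C:\Users\Example\AppData\Local\Sample\sample.dll
C:\Users\Example\Pictures\New folder (2)\note.txt
end
*****************

C:\Users\Example\Desktop\sample folder\note.txt => Moved successfully.
C:\Users\Example\AppData\Local\Sample\sample.dll => not found.
==== End of Fixlog ====
"""

if __name__ == "__main__":
    for path, status in unresolved(SAMPLE_FIXLOG):
        print(f"{status:<16} {path}")
```

An empty result means every path in the fixlist has a matching "Moved successfully." line, which is the case for the log in this thread.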
|
Post by Quads on Feb 28, 2015 20:36:24 GMT -8
The TEMP folders and caches. (use the tool linked below)
Download TFC www.bleepingcomputer.com/download/tfc/ the instructions are on that page below the blue download button and screenshots.
Quads
|
|
|
Post by htgawm on Feb 28, 2015 21:02:39 GMT -8
done
|
|
|
Post by Quads on Feb 28, 2015 21:04:08 GMT -8
Tools and Quarantines we used to be removed
Please download DelFix by Xplode to your Desktop.
toolslib.net/downloads/viewdownload/2-delfix/
Double-click to run the program; Note: Windows Vista/7/8 users right-click and choose Run as administrator
Make sure the Remove Disinfection tools is ticked / selected in the list
Click Run
A log will be opened after the operation is finished
Copy and Paste it in your next reply
Quads
|
|
|
Post by htgawm on Feb 28, 2015 23:22:14 GMT -8
# DelFix v10.9 - Logfile created 28/02/2015 at 23:21:51
# Updated 27/02/2015 by Xplode
# Username : One - ONE-PC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\One\Desktop\FRST-OlderVersion
Deleted : C:\Users\One\Desktop\mbar
Deleted : C:\Users\One\Desktop\Addition.txt
Deleted : C:\Users\One\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\One\Desktop\Fixlog.txt
Deleted : C:\Users\One\Desktop\FRST.txt
Deleted : C:\Users\One\Desktop\FRST64.exe
Deleted : C:\Users\One\Desktop\logfile.txt
Deleted : C:\Users\One\Desktop\TFC.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
########## - EOF - ##########
|
|
|
Post by Quads on Feb 28, 2015 23:52:27 GMT -8
I have left this file,
C:\ProgramData\lxnntnc.html
It should be actually the list the Ransomcrypt has created of the files it has encrypted so you can go about finding backup copies on portable Hard Drives, Flash Drives, CD, DVD's or from other people.
You are free to go on your merry way. You are now fixed / Solved.
Quads
|
|
|
Post by htgawm on Mar 1, 2015 21:27:04 GMT -8
I know you're busy, you have lots of other people asking for your help, but if you have a second I have a question for you. I do not have an anti virus program on my computer (never thought I would need it). If I did, would it have prevented both the viruses that I got? I would like to continue looking for donations from craigslist. Do you think if I buy an anti virus program that I should be ok? Or would you recommend that I stay away from that site? If an anti virus program is the way to go, do you have a recommendation?
I want to thank you so much again for your help. You are god sent. There are no words to explain how grateful I am to you. Thank you
|
|