Post by ostrich on Apr 9, 2015 9:53:03 GMT -8
I apologize again for the delay! Yes, absolutely (or at least I can attempt to). What method do you recommend for the uninstall?
I will await your response!
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Apr 9, 2015 10:57:03 GMT -8
Just the usual uninstall method
Quads
Post by ostrich on Apr 9, 2015 11:33:01 GMT -8
Oh boy. I am able to navigate to a normal Explorer window to view files, but I cannot open the Control Panel. It also will not let me open the command prompt. When I attempt, it responds with nothing. No action is performed and I've waited more than 5 minutes for it to respond. I have Task Manager and System Restore open from a few days ago. What would you suggest?
I will await your response. Thanks!
Post by Quads on Apr 9, 2015 14:42:57 GMT -8
I will just script to break that also; you will possibly see processes terminate. That is to allow me to more easily deal to items.
ADDED: Addition.txt is empty
Quads
Post by Quads on Apr 9, 2015 15:01:07 GMT -8
Press the Windows + R keys on your keyboard at the same time. Type notepad and click OK. Copy the entire content of the codebox below and paste into the notepad (including start and end):

start
CloseProcesses:
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\Program Files\Enigma Software Group\SpyHunter
HKU\S-1-5-21-4184889873-2203547507-3233453745-1001\...\Run: [tyfyga] => C:\Users\ADMIN\AppData\Local\tyfyga\tyfyga.exe [366647 2015-04-06] (LingeriePeriod)
C:\Users\ADMIN\AppData\Local\tyfyga\tyfyga.exe
Startup: C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/1fkUNdg
SearchScopes: HKU\S-1-5-21-4184889873-2203547507-3233453745-1001 -> DefaultScope {40DD5DD4-1147-4083-8F0E-FF9CAA2B3B08} URL =
SearchScopes: HKU\S-1-5-21-4184889873-2203547507-3233453745-1001 -> {40DD5DD4-1147-4083-8F0E-FF9CAA2B3B08} URL =
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1026432 2015-04-07] (Enigma Software Group USA, LLC.)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-04-07] (Enigma Software Group USA, LLC.)
C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2015-04-07] ()
C:\Windows\System32\DRIVERS\EsgScanner.sys
2015-04-07 14:17 - 2015-04-07 14:17 - 00003338 _____ () C:\Windows\System32\Tasks\SpyHunter4Startup
2015-04-07 14:17 - 2015-04-07 14:17 - 00000000 ____D () C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2015-04-07 14:17 - 2015-04-07 14:17 - 00000000 ____D () C:\Users\ADMIN\AppData\Roaming\Enigma Software Group
2015-04-07 14:16 - 2015-04-07 14:17 - 00001105 _____ () C:\Users\ADMIN\Desktop\SpyHunter.lnk
2015-04-06 23:16 - 2015-04-06 23:16 - 00008598 _____ () C:\Users\Public\HELP_DECRYPT.HTML
2015-04-06 23:16 - 2015-04-06 23:16 - 00008598 _____ () C:\Users\Public\Documents\HELP_DECRYPT.HTML
2015-04-06 23:16 - 2015-04-06 23:16 - 00008598 _____ () C:\Users\ADMIN\HELP_DECRYPT.HTML
2015-04-06 23:16 - 2015-04-06 23:16 - 00008598 _____ () C:\Users\ADMIN\Desktop\HELP_DECRYPT.HTML
2015-04-06 23:16 - 2015-04-06 23:16 - 00004242 _____ () C:\Users\Public\HELP_DECRYPT.TXT
2015-04-06 23:16 - 2015-04-06 23:16 - 00004242 _____ () C:\Users\Public\Documents\HELP_DECRYPT.TXT
2015-04-06 23:16 - 2015-04-06 23:16 - 00004242 _____ () C:\Users\ADMIN\HELP_DECRYPT.TXT
2015-04-06 23:16 - 2015-04-06 23:16 - 00004242 _____ () C:\Users\ADMIN\Desktop\HELP_DECRYPT.TXT
2015-04-06 23:16 - 2015-04-06 23:16 - 00000280 _____ () C:\Users\Public\HELP_DECRYPT.URL
2015-04-06 23:16 - 2015-04-06 23:16 - 00000280 _____ () C:\Users\Public\Documents\HELP_DECRYPT.URL
2015-04-06 23:16 - 2015-04-06 23:16 - 00000280 _____ () C:\Users\ADMIN\HELP_DECRYPT.URL
2015-04-06 23:16 - 2015-04-06 23:16 - 00000280 _____ () C:\Users\ADMIN\Desktop\HELP_DECRYPT.URL
2015-04-06 16:03 - 2015-04-06 16:03 - 00008598 _____ () C:\Users\ADMIN\Downloads\HELP_DECRYPT.HTML
2015-04-06 16:03 - 2015-04-06 16:03 - 00004242 _____ () C:\Users\ADMIN\Downloads\HELP_DECRYPT.TXT
2015-04-06 16:03 - 2015-04-06 16:03 - 00000280 _____ () C:\Users\ADMIN\Downloads\HELP_DECRYPT.URL
2015-04-06 15:44 - 2015-04-06 15:44 - 00008598 _____ () C:\Users\ADMIN\Documents\HELP_DECRYPT.HTML
2015-04-06 15:44 - 2015-04-06 15:44 - 00004242 _____ () C:\Users\ADMIN\Documents\HELP_DECRYPT.TXT
2015-04-06 15:44 - 2015-04-06 15:44 - 00000280 _____ () C:\Users\ADMIN\Documents\HELP_DECRYPT.URL
2015-04-06 15:40 - 2015-04-06 15:40 - 00008598 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.HTML
2015-04-06 15:40 - 2015-04-06 15:40 - 00008598 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.HTML
2015-04-06 15:40 - 2015-04-06 15:40 - 00008598 _____ () C:\Users\ADMIN\AppData\HELP_DECRYPT.HTML
2015-04-06 15:40 - 2015-04-06 15:40 - 00004242 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.TXT
2015-04-06 15:40 - 2015-04-06 15:40 - 00004242 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.TXT
2015-04-06 15:40 - 2015-04-06 15:40 - 00004242 _____ () C:\Users\ADMIN\AppData\HELP_DECRYPT.TXT
2015-04-06 15:40 - 2015-04-06 15:40 - 00000280 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.URL
2015-04-06 15:40 - 2015-04-06 15:40 - 00000280 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.URL
2015-04-06 15:40 - 2015-04-06 15:40 - 00000280 _____ () C:\Users\ADMIN\AppData\HELP_DECRYPT.URL
2015-04-06 15:37 - 2015-04-06 15:37 - 00008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-04-06 15:37 - 2015-04-06 15:37 - 00004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-04-06 15:37 - 2015-04-06 15:37 - 00000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-04-06 15:06 - 2015-04-06 15:32 - 00000000 ____D () C:\Users\ADMIN\AppData\Local\tyfyga
2015-04-06 15:06 - 2015-04-06 15:06 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-04-06 15:06 - 2015-04-06 15:06 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-04-06 15:40 - 2015-04-06 15:40 - 0008598 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.HTML
2015-04-06 15:40 - 2015-04-06 15:40 - 0045626 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.PNG
2015-04-06 15:40 - 2015-04-06 15:40 - 0004242 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.TXT
2015-04-06 15:40 - 2015-04-06 15:40 - 0000280 _____ () C:\Users\ADMIN\AppData\Roaming\HELP_DECRYPT.URL
2015-04-06 15:40 - 2015-04-06 15:40 - 0008598 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.HTML
2015-04-06 15:40 - 2015-04-06 15:40 - 0045626 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.PNG
2015-04-06 15:40 - 2015-04-06 15:40 - 0004242 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.TXT
2015-04-06 15:40 - 2015-04-06 15:40 - 0000280 _____ () C:\Users\ADMIN\AppData\Local\HELP_DECRYPT.URL
2015-04-06 15:37 - 2015-04-06 15:37 - 0008598 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-04-06 15:37 - 2015-04-06 15:37 - 0045626 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-04-06 15:37 - 2015-04-06 15:37 - 0004242 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-04-06 15:37 - 2015-04-06 15:37 - 0000280 _____ () C:\ProgramData\HELP_DECRYPT.URL
C:\Users\ADMIN\AppData\Local\Temp\0240561419879436mcinst.exe
C:\Users\ADMIN\AppData\Local\Temp\9ead20a2-2c13-4a51-a27e-8ec13f768596.exe
C:\Users\ADMIN\AppData\Local\Temp\Abspdf.exe
C:\Users\ADMIN\AppData\Local\Temp\acfpdfu.dll
C:\Users\ADMIN\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\ADMIN\AppData\Local\Temp\acfpdfui.dll
C:\Users\ADMIN\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\ADMIN\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\ADMIN\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\ADMIN\AppData\Local\Temp\cdintf.dll
C:\Users\ADMIN\AppData\Local\Temp\jna6506130002513904919.dll
C:\Users\ADMIN\AppData\Local\Temp\jna9149461310646158399.dll
C:\Users\ADMIN\AppData\Local\Temp\PDFPRT400.exe
C:\Users\ADMIN\AppData\Local\Temp\xmllite.dll
Reboot:
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the icon and select Run as Administrator to start FRST. (XP users click Run after receipt of Windows Security Warning - Open File.) Press the button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished, FRST will generate a log on the Desktop, called Fixlog.txt. Paste or attach it back here.
Quads
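A defender's triage of FRST-style log lines, added here as an example (it is not the forum's or FRST's own code): it flags the HELP_DECRYPT.* ransom notes and any Run entry whose executable lives under a user-writable directory, the two patterns the fixlist above targets. The sample lines are constructed in FRST's line format and the SID is a placeholder.

```python
import re
from collections import Counter

# Constructed sample lines in FRST's log format (not the user's real log); the SID is a placeholder.
SAMPLE_LOG = """\
HKU\\S-1-5-21-0-0-0-1001\\...\\Run: [tyfyga] => C:\\Users\\ADMIN\\AppData\\Local\\tyfyga\\tyfyga.exe [366647 2015-04-06] (LingeriePeriod)
HKLM\\...\\Run: [RtHDVCpl] => C:\\Program Files\\Realtek\\Audio\\HDA\\RtHDVCpl.exe [12345 2014-01-01] (Realtek Semiconductor)
Startup: C:\\Users\\ADMIN\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HELP_DECRYPT.HTML ()
2015-04-06 23:16 - 2015-04-06 23:16 - 00004242 _____ () C:\\Users\\Public\\HELP_DECRYPT.TXT
2015-04-06 15:37 - 2015-04-06 15:37 - 0000280 _____ () C:\\ProgramData\\HELP_DECRYPT.URL
2015-04-07 14:17 - 2015-04-07 14:17 - 00003338 _____ () C:\\Windows\\System32\\Tasks\\SpyHunter4Startup
"""

# HELP_DECRYPT.* is the ransom-note name that appears throughout the thread's log.
RANSOM_NOTE = re.compile(r"([A-Za-z]:\\.*?\\HELP_DECRYPT\.(?:HTML|TXT|PNG|URL))", re.I)
# Autorun line: "...\Run: [name] => path [size date] (vendor)"
RUN_ENTRY = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<path>[A-Za-z]:\\.+?\.exe)\b", re.I)
# Executables started from user-writable locations are a common persistence choice for commodity malware.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Temp|ProgramData)\\", re.I)


def triage(log_text):
    """Return (line_no, rule, detail) for every log line that matches a rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = RUN_ENTRY.search(line)
        if m and USER_WRITABLE.search(m.group("path")):
            findings.append((n, "autorun-from-user-writable", m.group("path")))
        m = RANSOM_NOTE.search(line)
        if m:
            findings.append((n, "ransom-note", m.group(1)))
    return findings


def note_directories(findings):
    """Count ransom notes per directory; a wide spread shows how far the encryptor walked the file system."""
    return Counter(d.rsplit("\\", 1)[0] for _, rule, d in findings if rule == "ransom-note")


if __name__ == "__main__":
    for n, rule, detail in triage(SAMPLE_LOG):
        print(f"line {n}: {rule}: {detail}")
    print(note_directories(triage(SAMPLE_LOG)))
```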
Post by ostrich on Apr 10, 2015 7:17:12 GMT -8
Thank you!
I've gone ahead and created that file and copied it to the Desktop (same location as FRST64.exe). I am now faced with a different problem. I am unable to access my Desktop files. I am no longer able to open a browser window either. There is no response from Desktop links or files. It seems as if the Desktop is an image file (like a PNG or JPG) and none of the links can be clicked on or highlighted. It has a constant blue spinning circle on the top right of the cursor as if it is going to process a command, but nothing happens. It appears frozen.
I will not restart the system without your instruction. I will await your response.
Thanks again!
Post by Quads on Apr 10, 2015 10:36:11 GMT -8
The Desktop is not an image file, otherwise you would not have anything after you log on.
It may be SpyHunter playing havoc with the system (and browser). The user "Lucky" had the same problem in Normal Mode, so we used Safe Mode With Networking, although getting to Safe Mode is different with Windows 8 and 8.1 unless you have altered Windows 8 or 8.1 with set {default} bootmenupolicy legacy.
Trouble is also, I think one file that is running is for the Ransomcrypt, so when you restart the system it may encrypt the fixlist.txt, as .txt is for most of the Ransomcrypt variants a personal file type.
Quads
Post by ostrich on Apr 10, 2015 10:41:28 GMT -8
I am willing to follow through with any and all of your recommendations. What do you suggest as a best approach?
Thanks again and I will await your instruction.
Post by Quads on Apr 10, 2015 10:46:12 GMT -8
You can try a restart; afterwards you will have to open fixlist.txt to make sure the Ransomcrypt is intact and not encrypted (if encrypted, you will not be able to open fixlist.txt).
Quads
Post by ostrich on Apr 10, 2015 14:19:25 GMT -8
After restarting the PC, I was able to boot into Safe Mode with Networking. I followed your instructions and ran FRST64.exe per your direction. It produced "Fixlog.txt" and I've attached it to a wikisend. The link is: wikisend.com/download/316294/Fixlog.txt
I can see a substantial difference so far. I will await your instruction before proceeding to any further action. Thanks!