Post by cricket on Jan 24, 2016 15:49:53 GMT -8
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Jan 25, 2016 23:31:28 GMT -8
Yes, run ChkDsk on your system. Let me know the results.
Post by cricket on Jan 26, 2016 19:19:07 GMT -8
Here is the location of the CHKDSK log: wikisend.com/download/940294/CHKDSKResults.txt

I'm still having some issues with my PC, and I don't know if they are related to the malware. For instance, as I was preparing this reply, MS Word stopped responding and I cannot end the task using Task Manager. Please let me know what the next steps in the cleanup are. Should I start deleting the encrypted files on my computer? Thank you for your help.
Post by dbrisen on Jan 26, 2016 23:26:14 GMT -8
It is time to see if we can recover your files. The first step would be to see if any of the following work for you. Start with the Previous Versions steps and move to the next one if that does not work for you (not every system is set up to keep track of previous versions of files, but since your system still has System Restore points on it, this would be a great place to start):

Previous Versions
- Right-click the file/folder and click Properties.
- Click Previous Versions. This tab will list all copies of the file and the date they were backed up.
- To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
- If you wish to restore the selected file and replace the existing one, click Restore.
- If you wish to view the contents of the file before restoring, click Open.

ShadowExplorer
- Download ShadowExplorer and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All.
- Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select Run as administrator to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present. Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.
- Photorec
- Recuva
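Both Previous Versions and ShadowExplorer read the same Volume Shadow Copies, so before working through either it helps to know which snapshots exist and whether any were taken before the files were encrypted. The following PowerShell script is an added example for this thread; it is not ShadowExplorer's code or anything posted by the participants. The cutoff date it uses is an assumption taken from the dates mentioned later in the thread and should be set to the day the encrypted files first appeared; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread or from ShadowExplorer): list the
# Volume Shadow Copies that "Previous Versions" and ShadowExplorer draw on,
# oldest first, and mark which ones predate the encryption.
# Run from an elevated PowerShell prompt.

# Assumption: the day the encrypted files first appeared (constructed from the
# dates mentioned in this thread; replace with your own).
$encryptedOn = Get-Date '2016-01-13'

# Win32_ShadowCopy reports its volume as \\?\Volume{GUID}\; map that to a
# drive letter through Win32_Volume so the output is readable.
$driveByDevice = @{}
foreach ($vol in (Get-CimInstance -ClassName Win32_Volume)) {
    if ($vol.DriveLetter) { $driveByDevice[$vol.DeviceID] = $vol.DriveLetter }
}

$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    ForEach-Object {
        [PSCustomObject]@{
            Created      = $_.InstallDate
            Drive        = $driveByDevice[$_.VolumeName]
            PreInfection = ($_.InstallDate -lt $encryptedOn)
            Id           = $_.ID
        }
    } |
    Sort-Object Created

if (-not $snapshots) {
    Write-Output 'No shadow copies exist: Previous Versions and ShadowExplorer will have nothing to offer.'
    return
}

$snapshots | Format-Table Created, Drive, PreInfection, Id -AutoSize

# Only a snapshot taken before the encryption holds clean copies; anything
# newer already contains the encrypted files.
$usable = @($snapshots | Where-Object PreInfection)
$newest = if ($usable) { $usable[-1].Created } else { 'none' }
Write-Output ('{0} of {1} snapshot(s) predate {2:yyyy-MM-dd}; newest usable snapshot: {3}' -f
    $usable.Count, @($snapshots).Count, $encryptedOn, $newest)
```

The same list is available from an elevated command prompt with `vssadmin list shadows`; the script adds only the drive-letter mapping and the pre-/post-infection split. If the newest usable snapshot is well before the encryption date, as cricket later found, the gap between that snapshot and the infection is exactly the set of files that neither tool can bring back.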
Post by cricket on Jan 27, 2016 22:34:30 GMT -8
Using the 'Previous Versions' feature, I was able to restore nearly all of my files. However, it seems that I'm missing some. For instance, there are 223 encrypted files in my Word documents folder, but there's just 207 restored files, so it seems that there might be 16 Word files that are missing. The restored files are from January 4, 2016, whereas the encrypted files are from January 13th, so that may account for the difference.
I thought I'd try Shadow Explorer to see if I could get a few more files, but I didn't have the 'Extract All' option when I right-clicked on the ShadowExplorer-0.9-portable.zip file, probably because I have WinZip. When I checked what executables were extracted using WinZip, I found I had the following two: sesvc.exe and ShadowExplorerPortable.exe. I did not have ShadowExplorer.exe. Are either of the two executables I have correct?
Also, how can I get rid of the window that pops up whenever I turn on my machine which has the title RunDLL and contains the following message:
There was a problem starting C:\Users\Liz\AppData\Roaming\Microsoft\Crypto\RSA\RSA1377 544647.dll
The specified module could not be found.
What do you recommend I have installed on my machine to prevent (or minimize) the chance of getting malware again or a virus?
Thank you!!
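The RunDLL box cricket describes is the shape a leftover autostart entry takes: Windows still tries to load a DLL from a Run key or Startup item after the file itself has been removed, and reports "The specified module could not be found". The following PowerShell script is an added example for this thread, not code from FRST, Malwarebytes or either participant. It lists the standard Run/RunOnce registry keys and Startup folders and reports every entry whose target file is missing; the `...\Crypto\RSA\RSA1377 544647.dll` path is only quoted from the post above as the kind of entry it would surface. It changes nothing.

```powershell
# Added example (not from the forum thread, FRST or Malwarebytes): report
# autorun entries whose target file no longer exists. A "RunDLL ... The
# specified module could not be found" box at logon usually means a Run-key
# or Startup entry still points at a deleted DLL (the thread's
# ...\Crypto\RSA\RSA1377 544647.dll is a typical leftover). Reports only.

function Get-CommandTarget {
    # Extract the file an autorun command actually loads.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"?[^"]*?rundll32(?:\.exe)?"?\s+(.+)$') {
        # rundll32 <dll>,<entrypoint> [args]: the DLL path runs up to the first comma,
        # so an unquoted path containing spaces is still captured whole.
        return (($Matches[1] -split ',', 2)[0]).Trim().Trim('"')
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }   # quoted executable
    return ($cmd -split '\s+', 2)[0]                        # first token otherwise
}

function Test-TargetExists {
    param([string]$Target)
    if ($Target -match '[\\/]') { return (Test-Path -LiteralPath $Target) }
    # Bare names (e.g. "explorer.exe") are resolved through PATH, not a folder.
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}

# Standard per-user and machine-wide autostart keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [PSCustomObject]@{
            Source  = $key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
}

# Startup folders hold .lnk shortcuts; resolve each to its target path.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($lnkFile in (Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        $entries += [PSCustomObject]@{
            Source  = $folder
            Name    = $lnkFile.Name
            Command = ('"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments)
        }
    }
}

# Keep only entries whose target is gone: these are what produce the RunDLL box.
$broken = foreach ($e in $entries) {
    $target = Get-CommandTarget $e.Command
    if ($target -and -not (Test-TargetExists $target)) {
        [PSCustomObject]@{ Source = $e.Source; Name = $e.Name; MissingTarget = $target }
    }
}

if ($broken) {
    $broken | Format-Table Source, Name, MissingTarget -AutoSize -Wrap
} else {
    Write-Output 'No autorun entries with a missing target were found.'
}
```

The script covers the Run/RunOnce keys and the two Startup folders only; scheduled tasks and services, which FRST also lists, are not examined. An entry it reports is a candidate for the helper's FRST fixlist rather than something to delete by hand, which is the route this thread takes.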
Post by dbrisen on Jan 27, 2016 23:05:54 GMT -8
There should be four files in the ShadowExplorer zip file. If you need to, see about using PeaZip; it is free and works very well. The download I had you use only has ShadowExplorerPortable.exe in it, so don't worry too much. This way nothing gets installed on your system and you can take the utility to other systems if you need to.

I thought that the RSA dll thing was handled with the FRST Fixlist a while back; let me see again. Read slowly, and all of it.

- If you still have an Addition.txt log file on your desktop, please delete it now.
- Start FRST64 that is on your Desktop by right clicking and selecting "Run as Administrator". The tool will start to run.
- When the tool opens click Yes to the disclaimer (if it does).
- Select Addition.txt in the Optional Scans section of FRST64.
- Press the Scan button.
- It will make two logs (FRST.txt and Addition.txt) on your Desktop.
- Please attach the logs in your reply back, or open the logs in Notepad and copy the logs and paste back in a message as a reply. (Ask if you don't know how to do either of these.)

Notes:
- If your Security software blocks the running or download of FRST / FRST64, please disable the security software or make an exception for this file. FRST is updated very frequently and is safe to run, but because of the frequent changes (to keep up with the newest malware techniques) most Security Software does not approve of the unknown file.
- Right now the forum will not allow one to attach the Addition.txt file, so please use wikisend.com or pastebin.com to upload the file and then post the download link here in your reply post.
Post by cricket on Jan 28, 2016 20:14:10 GMT -8
I have attached the image (a jpg) of the RunDLL popup that appears when my computer starts up. I've rerun FRST64.

Here is the location of the Addition.txt file: wikisend.com/download/681928/Addition.txt
Here is the location of the FRST.txt file: wikisend.com/download/471922/FRST.txt

I ran ShadowExplorer and found that there weren't any shadow copies from the period between the files I restored (using a 'Previous Version') and when the malware encrypted the files. I haven't restored any of my Outlook pst files because it seems that they were never encrypted -- all of my emails come up as always. Does that sound correct? Thanks, as always, for your continuing help!
Post by dbrisen on Jan 28, 2016 22:16:19 GMT -8
Looks like something came back so let us see if this removes all of it this time.

FIRST >>>>
Open Notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open Notepad. Save it to your desktop as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

SECOND >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
opensource (x32 Version: 1.0.14960.3876 - Your Company Name)
To do so, left click on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

LAST >>>>
How is the system running now? Are you not connecting this to the internet for now? The logs say you are not connected so I am just checking. Can you run a scan with Malwarebytes Anti-malware and see if it finds anything now? Thanks.
Post by cricket on Jan 29, 2016 22:32:48 GMT -8
Thank you again for your help. I ran the Fix as instructed, and the fixlog.txt is attached. I also uninstalled the opensource program. I continued to get the RunDLL popup window on system restarts, but it was finally eliminated after the Malwarebytes Anti-malware app was run and it removed 3 threats it found. I have also attached an image of the 3 threats that were detected. I hope my computer will be more stable now moving forward. MS Word and Chrome have been crashing a lot (including MS Word today). Do you think my machine is clean now? Is there anything else that I need to do? Also, is there any antivirus or malware prevention SW you recommend I have on my machine to prevent future problems? Thanks!

Attachment: Fixlog.txt (6.14 KB)
Post by dbrisen on Jan 30, 2016 0:06:14 GMT -8
If Norton is expired (not a current subscription) then remove it and put Microsoft Security Essentials or Avast Free Antivirus on there. Once one of these is installed, run a full scan and report the results. Also, after you install a new AV, please install CryptoPrevent. CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware cannot get a grip on your system. You can read the details about this program here. Install the program and then run it and set it to either the Default or Maximum Protection level.

Malwarebytes seems to have removed what I was trying to do manually (and may have also worked some other 'magic' behind the scenes) so we need to keep an eye on those locations and files. I would like to see the log from the removal please. To get the log from Malwarebytes do the following:
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the Date and time of the scan just performed.
- Click Export. From Export you have three options:
  - Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply.
  - Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply.
  - XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply.
- Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…