Thread: Ransomware Trojan
  1. #1 Member (England, joined Mar 2008)

    All processes killed
    ========== PROCESSES ==========
    No active process named explorer.exe was found!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg not found.
    ========== FILES ==========
    File/Folder C:\Users\Ed and Lou 2\AppData\Roaming\toip0_tmp.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 57472 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Ed and Lou 2
    ->Temp folder emptied: 250118 bytes
    ->Temporary Internet Files folder emptied: 251816860 bytes
    ->Java cache emptied: 18464061 bytes
    ->FireFox cache emptied: 80060535 bytes
    ->Google Chrome cache emptied: 27961709 bytes
    ->Flash cache emptied: 10505382 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 769740 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 83618 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 68274 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
    RecycleBin emptied: 239204719 bytes

    Total Files Cleaned = 600.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 07292014_215904

    Files moved on Reboot...
    C:\Users\Ed and Lou 2\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.
    File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
    File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

  2. #2 Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005)

    How is your system behaving now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3 Member (England, joined Mar 2008)

    Everything seems good. I was wondering what toip0_tmp.exe might have been if MSConfig said it had been disabled in 2012 (or is that erroneous?). I had an avast warning from a normal/safe/trusted webpage (bank I think) saying it had blocked a script or something, but it has kept no log of it as far as I can tell. I think I know the website that caused this and the previous problem, so I'll steer clear from now on.

    Should I keep the Tweaking registry backup or delete the program and backup?

    Thanks,

  4. #4 Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005)

    As for that file, how it got disabled I really don't know, so at this point it's harmless; let's not worry about it.

    As for Tweaking, it's your call to keep or remove it; it could come in handy someday if you back up your registry maybe once a month or so.

    Please download DelFix and save the file to your Desktop.

    • Double-click DelFix.exe to run the program.
    • Place a checkmark next to the following items:
      * Activate UAC
      * Remove disinfection tools
      * Create registry backup
      * Reset System Settings
    • Click the Run button.

    This will remove the specialised tools we used to clean your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually

    Safe Surfn
    Ken
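The OTL fix in post #1 targeted the HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg key, and post #3 asks what msconfig had recorded about toip0_tmp.exe. The following PowerShell is an added example for this thread (not code posted by either participant or by the tool authors): it lists the startup entries msconfig has disabled on Windows Vista/7, plus the still-active Run/RunOnce entries, and flags commands that run out of per-user or temp folders, which is where this thread's dropper lived. It assumes the Vista/7 value layout under startupreg (item, command, hkey, key, YEAR, MONTH, DAY) and PowerShell 3 or later; Windows 8 and later record the disabled state elsewhere (StartupApproved) and will show nothing under startupreg. The "suspicious folder" regex is this example's own heuristic, not a rule from the thread.

```powershell
# Added example, not from the thread. Enumerates msconfig-disabled startup
# entries (Vista/7 layout) and live Run/RunOnce entries, flagging commands
# that point into profile or temp folders. Requires PowerShell 3+.

# Heuristic (this example's assumption): legitimate autostarts rarely live in
# AppData\Roaming, AppData\Local\Temp or Windows\Temp; droppers often do.
$SuspectPathPattern = '\\AppData\\(Roaming|Local\\Temp)\\|\\Windows\\Temp\\'

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Turn a Run-key command line into the bare executable path so it can be
    # checked on disk: honour a quoted path, otherwise take the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-MsconfigDisabledStartup {
    $path = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found: nothing disabled with msconfig, or not Vista/7."
        return
    }
    foreach ($key in Get-ChildItem -LiteralPath $path) {
        $v   = Get-ItemProperty -LiteralPath $key.PSPath
        $cmd = [string]$v.command
        $exe = Get-ExecutableFromCommand $cmd
        # msconfig stamps the date it disabled the item (YEAR/MONTH/DAY DWORDs).
        $when = if ($v.YEAR) { '{0}-{1:D2}-{2:D2}' -f [int]$v.YEAR, [int]$v.MONTH, [int]$v.DAY } else { 'unknown' }
        [pscustomobject]@{
            Source     = 'msconfig-disabled'
            Name       = $key.PSChildName
            Command    = $cmd
            OriginKey  = "$($v.hkey)\$($v.key)"
            Disabled   = $when
            OnDisk     = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
            Suspicious = [bool]($cmd -match $SuspectPathPattern)
        }
    }
}

function Get-ActiveRunEntries {
    # Live autostart locations a dropper re-adds itself to. The Wow6432Node key
    # matters on 64-bit Windows; HKCU only covers the user running the script.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($rk in $runKeys) {
        if (-not (Test-Path -LiteralPath $rk)) { continue }
        $props = Get-ItemProperty -LiteralPath $rk
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            $exe = Get-ExecutableFromCommand $cmd
            [pscustomobject]@{
                Source     = 'active'
                Name       = $p.Name
                Command    = $cmd
                OriginKey  = $rk
                Disabled   = ''
                OnDisk     = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
                Suspicious = [bool]($cmd -match $SuspectPathPattern)
            }
        }
    }
}

# Usage: review everything, then focus on entries that point into profile or
# temp folders, or whose executable is gone (a removed dropper that left its
# autostart behind, as with the file OTL reported "not found" above).
$all = @(Get-MsconfigDisabledStartup) + @(Get-ActiveRunEntries)
$all | Format-Table Source, Name, Disabled, OnDisk, Suspicious, Command -AutoSize
$all | Where-Object { $_.Suspicious -or -not $_.OnDisk } |
    Format-List Source, Name, OriginKey, Disabled, Command
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable in full. The Disabled column answers the question in post #3 directly: it is the date msconfig wrote when the entry was unticked, so a 2012 stamp on an entry whose file no longer exists simply means the item was switched off then and the file was removed later.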

  5. #5 Member (England, joined Mar 2008)

    Just to be complete...

    Thanks for help. It is very much appreciated.



    # DelFix v10.8 - Logfile created 31/07/2014 at 18:13:00
    # Updated 29/07/2014 by Xplode
    # Username : Ed and Lou 2 - EDANDLOU2-PC
    # Operating System : Windows 7 Home Premium (64 bits)

    ~ Activating UAC ... OK

    ~ Removing disinfection tools ...

    Deleted : C:\Qoobox
    Deleted : C:\_OTM
    Deleted : C:\Combofix
    Deleted : C:\FRST
    Deleted : C:\Windows\grep.exe
    Deleted : C:\Windows\PEV.exe
    Deleted : C:\Windows\NIRCMD.exe
    Deleted : C:\Windows\MBR.exe
    Deleted : C:\Windows\SED.exe
    Deleted : C:\Windows\SWREG.exe
    Deleted : C:\Windows\SWSC.exe
    Deleted : C:\Windows\SWXCACLS.exe
    Deleted : C:\Windows\Zip.exe
    Deleted : HKLM\SOFTWARE\OldTimer Tools
    Deleted : HKLM\SOFTWARE\AdwCleaner
    Deleted : HKLM\SOFTWARE\Swearware
    Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe
    Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

    ~ Creating registry backup ... OK

    ~ Resetting system settings ... OK

    ########## - EOF - ##########

  6. #6 Emeritus-Security Expert (Florida's SpaceCoast, joined Nov 2005)

    Great, looks like you're on your way; glad I was able to help you.

    Ken