
[Solved] Oh Terrific, now Power Locker Ransomware

Discussion in 'Malware Removal Help' started by Freehold Fred, Jan 23, 2014.

  1. Freehold Fred

    Freehold Fred Registered Members

    Joined:
    Jan 8, 2014
    Messages:
    35
    Operating System:
    Windows 7
    Hey, Rich et al,

    I just witnessed first-hand FBI Ransomware appearing from a bad site. I've downloaded a ton of misc audio ware the last few days and hit some videos that I probably shouldn't have. What a sinking feeling. Alt+F4 wouldn't close the site, but I escaped with a Ctrl+Alt+Del and gracefully shut down. I guess I was lucky. I rebooted in safe mode and did a System Restore. Running a full scan of MBAM in Safe Mode. This is scary stuff. Move to Malware Removal if you think I should run some other scans and post logs.

    On another machine, I ran MBAM and inadvertently chose only a partial 'Remove Selected' at the end of the run. Is there any way to get back to the detected list w/o redoing the scan? I can get to the log, but can't get back to the removal step. Bummer.

    FF
     
  2. DSTM (Dougie)

    DSTM (Dougie) Registered Members

    Joined:
    May 3, 2009
    Messages:
    8,270
    Location:
    SYDNEY AUSTRALIA
    Operating System:
    Windows 7
    Hi FF. I moved your post to Malware Removal as suggested so our Malware Specialist can advise you further.
     
  3. Rich M

    Rich M Guest

    Joined:
    Dec 24, 2013
    Messages:
    4,580
    Location:
    NE Pa USA
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    MSI Z97 PC Mate LGA 1150 Intel Z97
    CPU:
    Intel i7 4790K 4.0Ghz
    Memory:
    Corsair Vengeance 16GB (2x8GB) DDR3 2133
    Hard Drive:
    Crucial 256 Gb SSD+ WD Raptor 300 Gb Sata III
    Graphics Card:
    Radeon R9 280 2GB HDMI
    Power Supply:
    Seasonic 750 watt
    It is a sinking feeling, Fred. I was just where you were a few weeks ago, and it's probably a good idea to run some other tests here, so we've alerted the Pros that you are here!
     
  4. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Fred,

    Unfortunately the only way to get to the removal stage again is by running another scan.
    But a quick scan will suffice.

    It's better to be safe than sorry.

    Step 1
    Start Malwarebytes AntiMalware.
    Click on the logs tab.
    The logs are date stamped ... double click on the log that showed the infection items.

    It'll open in notepad.

    Please copy/paste the report in your next reply.


    Step 2
    Note:

    There are both 32-bit and 64-bit versions of Farbar Recovery Scan Tool available. Please pick the version that matches your operating system's bit type.

    If you are unsure what your system's bit type is..... click Here for help.

    For 32-bit systems download Farbar Recovery Scan Tool and save it to your Desktop.

    For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.

    • Double-click the downloaded icon to run the tool.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.


    In your next reply, please submit:
    MBAM scan report
    Both reports from FRST


    Thanks.
     
  5. Freehold Fred

     
  6. starbuck

    Hi Fred,

    Apart from some small adware entries, there isn't much to worry about.
    So just a few small things to clean up the report.
    It may seem a lot to do, but the steps are quite small really.

    Step 1

    Windows Defender should have been disabled by Avast when it installed, due to possible conflicts.
    Please disable Windows Defender.
    • Click Start >> Programs >> Windows Defender or launch from the system tray icon.
    • Click on Tools & Settings >> Options.
    • Under Real-time protection options, uncheck the "Real-time protection" check box.
    • Click Save.
    • Go to Start >> Control Panel >> Security >> Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.

    Step 2
    Please download the attached fixlist.txt file.
    NOTE.
    It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system


    Re-run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


    Step 3
    Let's make sure that all of the Adware has now been removed.

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator.
    • Click on the Scan button.
    • AdwCleaner will begin to scan your computer.
    • After the scan has finished...
    • Click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.


    Step 4
    Your Java is out of date.
    Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older-version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) 7 Update 51 and save it to your desktop.
    • Scroll down to where it says "Java SE 7 Update 51".
    • Click the "Download JRE" button.
    • Accept the license agreement.
    • Select 'Windows x64.exe' from the list.
    • Save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name, for example:
      Java 7 Update 25
      Java 7 Update 45
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on downloaded icon to install the newest version.


    Step 5
    Download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista/Win7, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


    In your next reply, please submit:
    Fixlog.txt
    AdwCleaner report



    Thanks.
     

  7. Freehold Fred

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-01-2014 01
    Ran by Fred at 2014-01-26 02:16:40 Run:1
    Running from C:\Users\Fred\Downloads
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    SearchScopes: HKLM-x32 - DefaultScope {8CF2C295-B2D0-4E22-9EE8-B00336890A3E} URL =
    SearchScopes: HKLM-x32 - {A797851D-92CE-46FB-B33A-90E5EAE73837} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    SearchScopes: HKCU - {706575DA-49CC-4A1C-B663-AFA64FCFF232} URL = http://websearch.ask.com/redirect?c...pn_sauid=3591699B-6522-4A5A-A345-FEA3D9E51D08
    SearchScopes: HKCU - {8CF2C295-B2D0-4E22-9EE8-B00336890A3E} URL = http://search.conduit.com/ResultsEx...4&ctid=CT3289847&CUI=UN81066710016842176&UM=2
    SearchScopes: HKCU - {A797851D-92CE-46FB-B33A-90E5EAE73837} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    Toolbar: HKCU - No Name - {4D594333-0076-A76A-76A7-7A786E7484D7} - No File
    Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    ShellExecuteHooks-x32: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
    FF SearchEngineOrder.1: Ask.com
    FF SearchPlugin: C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\hr5msr5m.default\searchplugins\askcom.xml
    FF SearchPlugin: C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\hr5msr5m.default\searchplugins\conduit.xml
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
    AlternateDataStreams: C:\ProgramData\TEMP:890CC2F3
    AlternateDataStreams: C:\ProgramData\TEMP:BD36345D


    *****************

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{A797851D-92CE-46FB-B33A-90E5EAE73837} => Key deleted successfully.
    HKCR\Wow6432Node\CLSID\{A797851D-92CE-46FB-B33A-90E5EAE73837} => Key not found.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{706575DA-49CC-4A1C-B663-AFA64FCFF232} => Key deleted successfully.
    HKCR\CLSID\{706575DA-49CC-4A1C-B663-AFA64FCFF232} => Key not found.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8CF2C295-B2D0-4E22-9EE8-B00336890A3E} => Key deleted successfully.
    HKCR\CLSID\{8CF2C295-B2D0-4E22-9EE8-B00336890A3E} => Key not found.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A797851D-92CE-46FB-B33A-90E5EAE73837} => Key deleted successfully.
    HKCR\CLSID\{A797851D-92CE-46FB-B33A-90E5EAE73837} => Key not found.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Value deleted successfully.
    HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4D594333-0076-A76A-76A7-7A786E7484D7} => Value deleted successfully.
    HKCR\CLSID\{4D594333-0076-A76A-76A7-7A786E7484D7} => Key not found.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value not found.
    HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Value deleted successfully.
    HKCR\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Key not found.
    Firefox SearchEngineOrder.1 deleted successfully.
    "C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\hr5msr5m.default\searchplugins\askcom.xml" => not found.
    "C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\hr5msr5m.default\searchplugins\conduit.xml" => not found.
    HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
    C:\ProgramData\TEMP => ":890CC2F3" ADS removed successfully.
    C:\ProgramData\TEMP => ":BD36345D" ADS removed successfully.

    ==== End of Fixlog ====
    # AdwCleaner v3.017 - Report created 26/01/2014 at 02:21:31
    # Updated 12/01/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : Fred - WIN7
    # Running from : C:\Users\Fred\Downloads\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    File Found : C:\Windows\System32\Tasks\NCH Software

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****


    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16428


    -\\ Mozilla Firefox v26.0 (en-US)

    [ File : C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\hr5msr5m.default\prefs.js ]


    -\\ Google Chrome v32.0.1700.76

    [ File : C:\Users\Fred\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [13735 octets] - [25/01/2014 13:48:14]
    AdwCleaner[R1].txt - [1064 octets] - [25/01/2014 14:35:20]
    AdwCleaner[R2].txt - [925 octets] - [26/01/2014 02:21:31]
    AdwCleaner[S0].txt - [13647 octets] - [25/01/2014 14:23:36]
    AdwCleaner[S1].txt - [1128 octets] - [25/01/2014 15:12:21]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [1105 octets] ##########
     
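    The Fixlog above records what was deleted, but it does not show how to verify afterwards that nothing came back. The script below is an added example, not code from the thread or from FRST: a read-only audit of the same locations the fixlist targeted (IE SearchScopes and DefaultScope, toolbar and ShellExecuteHook CLSIDs resolved the way FRST's "No File" check does, the HKLM\SOFTWARE\Policies\Google key, and named NTFS streams on C:\ProgramData\TEMP), plus the installed Java entries that Step 4 of the previous post asks to be trimmed to one. It assumes an elevated Windows PowerShell 3.0 or later (needed for -Stream) and the C:\ProgramData\TEMP path from the log; it reports and deletes nothing.

```powershell
# Added example (not from the thread or from FRST): read-only audit of the
# browser-hijack persistence points the fixlist removed, plus installed Java.
# Assumes elevated Windows PowerShell 3.0+ (Get-Item -Stream needs 3.0).
$ErrorActionPreference = 'SilentlyContinue'

function Get-IESearchScope {
    # Hijackers add ask.com / conduit scopes here and point DefaultScope at them.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root).DefaultScope
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Root      = $root
                Scope     = $key.PSChildName
                IsDefault = ($key.PSChildName -eq $default)
                URL       = $p.URL
            }
        }
    }
}

function Get-ClsidStatus {
    # Resolve a CLSID like FRST does: "No File" = InprocServer32 missing or its DLL gone.
    param([string]$Clsid)
    $bases = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($base in $bases) {
        $srv = "$base\$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)' -replace '"', ''
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ($dll -and (Test-Path -LiteralPath $dll)) { return "OK: $dll" }
            return "No File: $dll"
        }
    }
    return 'No CLSID key'
}

function Get-ShellExtensionReference {
    # Value names under these keys are the CLSIDs of IE toolbars / ShellExecuteHooks.
    $keys = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($name in (Get-Item -Path $k).GetValueNames()) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            [pscustomobject]@{ Key = $k; CLSID = $name; Status = Get-ClsidStatus $name }
        }
    }
}

function Get-ChromePolicyValue {
    # Normally absent on a home PC; adware uses it to force settings the UI cannot undo.
    $root = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $root)) { return }
    foreach ($key in @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
        }
    }
}

function Get-AlternateDataStream {
    # ':$DATA' is the ordinary content; any other stream name is an ADS.
    param([string]$Path = 'C:\ProgramData\TEMP')
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{ n = 'Path'; e = { $Path } }, Stream, Length
}

function Get-InstalledJava {
    # More than one row means stale runtimes that Step 4 says to uninstall.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $roots | Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

'== IE search scopes ==';                   Get-IESearchScope          | Format-Table -AutoSize
'== Toolbar / ShellExecuteHook CLSIDs =='; Get-ShellExtensionReference | Format-Table -AutoSize
'== Chrome policy values ==';               Get-ChromePolicyValue      | Format-Table -AutoSize
'== Named streams on C:\ProgramData\TEMP =='; Get-AlternateDataStream  | Format-Table -AutoSize
'== Installed Java ==';                     Get-InstalledJava          | Format-Table -AutoSize
```

    A clean result is: no scope whose URL points at a third-party redirector, no CLSID reported as "No File", no output at all under the Chrome policy section, no named streams, and a single Java row. Anything that reappears after the fix is a sign of a still-running dropper or a scheduled task (AdwCleaner flagged one under C:\Windows\System32\Tasks in the report above) recreating it.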
  8. starbuck

    Hi Fred,

    How's the system running?
    Any problems?
     
  9. Freehold Fred

    Working fine. To be honest, it never seemed to have a problem except for the flash of the "FBI Warning" right before my eyes, which scared the bejesus out of me!

    Thanks for your to-be-sure assistance, and BTW, what is the bias that MBAM has against Apple apps, which were flagged and removed?
     
  10. starbuck

    Hi Fred,

    To be honest, after a lot of searching I still can't find a definitive answer.
    All I can do is offer what I suspect is the reason:
    This is one of the entries from your MBAM report:
    C:\Users\Fred\AppData\Roaming\Apple Computer\MobileSync\Backup\0a51249f1ad627097400a96f5640049639ebce2b\4331bbf652f169927d2d5fae961dfcf63863657b

    These are typical Trojan.Lameshield entries:
    C:\Users\booboo\AppData\Local\Apps\2.0\Y4ZW095D.5NN\CJR9JJ1V.64H\goog...app_f84b370c827b5c7a_0001.0002_3153a04d2ba1813d
    C:\Users\Max\AppData\Local\Temp\wxv8rqnbiv1b58qmkq7ok4.exe


    All of these entries are found in the Application Data folder and all finish with a long number.
    I suspect that MBAM recognised the similarity and suspected it was caused by 'Lameshield'.
    As you do have Apple Mobile Sync installed, this may well be a false positive, but I can't get any concrete confirmation of this even from the MalwareBytes site.

    You could actually check this out for yourself if you wanted.
    You know the path to the file in question.
    MBAM will not have deleted this file; it will have put it into quarantine (so you can easily move it back to the correct file position).
    Once it's back in position you could check the file out at Jotti or Virus Total.
    Here are some instructions if you want to check the file yourself:

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Users\Fred\AppData\Roaming\Apple Computer\MobileSync\Backup\0a51249f1ad627097400a96f5640049639ebce2b\4331bbf652f169927d2d5fae961dfcf63863657b

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
     
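    Uploading that file to Jotti or VirusTotal hands a piece of a personal phone backup to a public service. An alternative that answers the same question is to look the file up by hash: the content never leaves the machine, and a hash that VirusTotal has never seen is itself informative, since a dropper that MBAM has a signature for is likely to be in VirusTotal's corpus already. The script below is an added example, not code from the thread; it assumes a VirusTotal v3 API key in the VT_API_KEY environment variable (assumption) and Windows PowerShell 4.0 or later (Get-FileHash). For context on the file name: iOS/MobileSync backups name every stored file by a SHA-1 hash, which is why the path looks like a randomly named executable.

```powershell
# Added example (not from the thread): check a quarantined/restored file by
# SHA-256 lookup instead of uploading it. Assumes $env:VT_API_KEY holds a
# VirusTotal v3 API key (assumption). Windows PowerShell 4.0+ for Get-FileHash.
function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ApiKey = $env:VT_API_KEY
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    if (-not $ApiKey) { throw 'No API key: set the VT_API_KEY environment variable first.' }

    # Hash locally; only the hash is sent, never the file contents.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $uri = "https://www.virustotal.com/api/v3/files/$sha256"
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        if ($status -eq 404) {
            # Hash never submitted: the expected result for a file that exists only
            # inside one person's phone backup. Neither a clean nor a malicious verdict.
            return [pscustomobject]@{
                Path = $Path; SHA256 = $sha256; Known = $false
                Malicious = $null; Suspicious = $null; Harmless = $null; Undetected = $null
            }
        }
        throw
    }
    $stats = $resp.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Path       = $Path
        SHA256     = $sha256
        Known      = $true
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Harmless   = $stats.harmless
        Undetected = $stats.undetected
        Report     = "https://www.virustotal.com/gui/file/$sha256"
    }
}

# Usage: the path is the quarantined MobileSync file named in the post above.
Get-VirusTotalVerdict -Path 'C:\Users\Fred\AppData\Roaming\Apple Computer\MobileSync\Backup\0a51249f1ad627097400a96f5640049639ebce2b\4331bbf652f169927d2d5fae961dfcf63863657b'
```

    Run it against the file after restoring it from MBAM quarantine, or point it at the quarantine copy itself. A Known = False result with zero detections is the normal outcome for a backup blob; a Known = True result with Malicious above zero is the point at which uploading the file (or sending it to MalwareBytes as a false-positive report) becomes worth the disclosure.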
  11. Freehold Fred

    GTK: Jotti and VirusTotal. Thanks.
    FF
     
  12. starbuck

    Hi Fred,

    If everything is ok we can finish off the cleaning procedure now.

    Step 1
    Restart MBAM.
    Click on the Quarantine tab

    If there are items in quarantine.....
    Make sure everything is selected and then click Delete All.
    Close MBAM.


    Step 2
    Double click on AdwCleaner.exe to run the tool again.
    • Click on the Uninstall button.
    • Click Yes when asked are you sure you want to uninstall.
    • Both AdwCleaner.exe, its folder and all logs will be removed.

    JRT and FRST can now be removed also (just right click on the icons and select delete).

    It's up to you if you want to remove TFC (right click and delete)
    I personally run it once a week to keep the temp files, caches etc cleaned out.

    Step 3
    Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Select the drive for cleaning then click OK (usually 'C' drive)
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    To find out how you may have been infected....read this topic:
    How did i get infected?

    Glad I was able to help.

    Safe surfing.
     
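    Step 3 above is a GUI procedure; the same thing can be scripted so it is repeatable at the end of every cleanup. The function below is an added example, not code from the thread, written for Windows PowerShell 5.1 or earlier (Checkpoint-Computer and Get-ComputerRestorePoint are not in PowerShell 7) running elevated on a machine with System Protection enabled for the drive. It assumes the caller wants the Windows 8+ one-restore-point-per-24-hours throttle lifted for this run (assumption, done through the documented SystemRestorePointCreationFrequency value). Caveat: restore points are VSS shadow copies, and vssadmin's /oldest deletes the oldest shadow copy on the volume whatever created it, so any other shadow copies on that drive go too.

```powershell
# Added example (not from the thread): scripted version of "create a new restore
# point, then remove the old ones". Windows PowerShell 5.1 or earlier, elevated,
# System Protection enabled on $Drive. Assumes (labelled assumption) that lifting
# the Windows 8+ 24-hour restore point throttle for this run is acceptable.
function New-CleanRestorePoint {
    param(
        [string]$Drive = 'C:',
        [string]$Description = 'Clean baseline after malware removal'
    )
    # Windows 8 and later skip a new point if one exists from the last 24 hours
    # unless this value is 0; Windows 7 ignores the value.
    $sr = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    Set-ItemProperty -Path $sr -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    $newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    if (-not $newest -or $newest.Description -ne $Description) {
        # Never delete anything unless the fresh point demonstrably exists.
        throw 'New restore point was not created; nothing has been deleted.'
    }

    # Each restore point is a VSS shadow copy. Remove the oldest one at a time,
    # bounded by the starting count so a vssadmin failure cannot loop forever.
    $count = @(Get-ComputerRestorePoint).Count
    for ($i = 1; $i -lt $count; $i++) {
        & vssadmin.exe delete shadows /for=$Drive /oldest /quiet | Out-Null
        if (@(Get-ComputerRestorePoint).Count -le 1) { break }
    }

    Write-Output "Kept restore point $($newest.SequenceNumber): '$($newest.Description)'"
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}

New-CleanRestorePoint
```

    The list it prints at the end should contain exactly one entry, the one just created; if older entries survive, the volume still has shadow copies that vssadmin could not remove (typically because they belong to an in-progress backup), and the cleanmgr route in Step 3 is the fallback.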
  13. Freehold Fred

    I am surprised that you rely on System Restore.

    Also, it seems like my cookies all got clobbered; I am being asked to verify my ID with new codes: mybank, Yahoo mail. Is this normal or is this something new going on?
     
  14. starbuck

    We don't say that we rely on it.
    It's also not up to us to say how a user should back up their system.
    A lot of users do use System Restore to recover from recent changes to the system, so we give a blanket speech about the possibility of infected restore points.
    If a user doesn't use System Restore then they just ignore that part.

    None of the programs used will have removed the cookies.
    TFC will clear out the temp files, but doesn't remove any cookies.
    So I'm unable to say why they have been removed.
     