Jump to content

Help removing Trojan.Ransom and PUM.UserWLoad


Recommended Posts

hi, i'm a newbie and am not a computer savvy.

last night while using my laptop, i found out that since March 24th, my Avira antivirus automatically update has failed to update and till now wont do the automatic update. since i just got a BSoD on the same day, i thought maybe because i was did the system Recovery. so then i did the update manually and for safety, i ran it.

It came back with 2 virus, which i really forgot the name since i just clicked remove. Then i ran Malwarebytes and found 2 trojan/virus: Trojan.Ransom and PUM.UserWLoad. I removed right away. after restarted my computer, i ran HitmanPro and Malwarebytes again. HitmanPro came back clean, but in Malwarebytes, those 2 were back again. i removed and restart my computer and scanned it again, and both Trojan.Ransom and PUM.UserWLoad keep coming back. i have done it for 3 times.

i've done the steps mentioned here : http://www.techspot.com/vb/topic58138.html. and i have uninstall Avira (since it still failed to automatically update) and instal Avast. here are the result :

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.29.01

Windows 7 x86 NTFS

Internet Explorer 8.0.7600.16385

maria :: MARIA-PC [administrator]

3/29/2013 12:20:07 PM

mbam-log-2013-03-29 (12-20-07).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 191348

Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\maria\LOCALS~1\Temp\msoufzi.bat -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\maria\LOCALS~1\Temp\msoufzi.bat -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I ran RogueKiller, here's the result :

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : maria [Admin rights]

Mode : Scan -- Date : 03/29/2013 12:28:55

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Insomnia Live (C:\Users\maria\qzcxotl.exe) [x] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : QzcxOTlGRkZFNjg4RjVGQ0 (C:\ProgramData\kmmmoanh.exe) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Run : Insomnia Live (C:\Users\maria\qzcxotl.exe) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Run : QzcxOTlGRkZFNjg4RjVGQ0 (C:\ProgramData\kmmmoanh.exe) [x] -> FOUND

[sHELL][sUSP PATH] HKCU\[...]\Windows : Load (C:\Users\maria\Local Settings\Temp\msoufzi.bat) [x] -> FOUND

[sHELL][sUSP PATH] HKUS\S-1-5-21-3632183951-932135029-350098339-1000[...]\Windows : Load (C:\Users\maria\Local Settings\Temp\msoufzi.bat) [x] -> FOUND

[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer (202.134.0.155,208.67.222.222) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{756A48EC-DCE8-4153-B027-94306FA03BCE} : NameServer (202.134.0.155,208.67.222.222) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS ATA Device +++++

--- User ---

[MBR] 428f8d519c5427dc22265cec51d1a069

[bSP] c8496c40e90cbc7dfd19b1c9015414c6 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 49900 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 102402048 | Size: 188472 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_03292013_02d1228.txt >>

RKreport[1]_S_03292013_02d1228.txt

Please help me. and pardon me for my poor English.

dds.txt

attach.txt

Link to post
Share on other sites

Hy

my name is Daniel and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • I am currently visiting an evening school and working nightshift only which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.

Please go to: VirusTotal

  • In the middle of the page you'll find a "Browse" button.
    VIRUSTOTAL3.jpg
  • Click the Browse Button and Copy/Paste the following red text into the File name: field

    c:\users\maria\appdata\roaming\microsoft\windows\start menu\programs\startup\A366641351.exe

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
    NOTE: If you get a message saying File already submitted: click Reanalyze
  • Once scanned, copy and paste the results in your next reply.

Do not delete any files unless I told you to do so

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.