Trojan-Ransom.win32.linkup

Hello,

For a customer of mine, I found out after installing Emsisoft Anti-Malware that this customer has the ransom virus.

The customer doesn't have any problems with the computer yet, but I don't know how long it will take before the virus goes active.

So if you can help me remove this virus: it's in the registry, but I can't find it.

These are the three hits the virus scanner can't remove, and I don't know how to remove them either.

Key: HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1156\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{006EE092-9658-4FD6-BD8E-A21A348E59F5}      Application.Win32.WSearch (A)
Key: HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}      Application.Win32.WSearch (A)
Value: HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\IDENTITIES -> IDENTITY_TDN      Trojan-Ransom.Win32.Linkup (A)
 

Hopefully you can help me.

 

Regards,

D. Meijer


Hello,

I would like to get a couple more logs before proceeding.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to your desktop.

For 64-bit (x64) systems, download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\DeviceNP-x32: DeviceNP.dll [X]
AppInit_DLLs-x32: c:\progra~3\bitguard\261694~1.246\{c16c1~1\bitguard.dll => No File
GroupPolicyScripts: Restriction <======= ATTENTION
HKU\S-1-5-21-4124405607-3776124019-3871074412-1166\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4124405607-3776124019-3871074412-1166\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = hxxp://www.delta-search.com/?babsrc=HP_ss&mntrId=1EAC6C626D57F277&affID=119557&tt=02102013_ctrl1&tsp=5035
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166 -> bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
Toolbar: HKLM - No Name - {0BF43445-2F28-4351-9252-17FE6E806AA0} -  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {0BF43445-2F28-4351-9252-17FE6E806AA0} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
S3 Program Manager; C:\Program Files (x86)\Common Files\ProgramManager\ProgramManager.exe [X]
2015-11-03 00:16 - 2010-10-06 15:21 - 00000000 __HDC C:\ProgramData\{1658E2D6-AC14-4F9E-BC84-72EB08DF7C9D}
2013-09-23 14:29 - 2013-10-09 07:21 - 0001917 ___SH () C:\ProgramData\8fe35684-ce25-4684-bf67-8c248f152f3f
C:\Users\sandra\AppData\Local\Temp\Extract.exe
C:\Users\sandra\AppData\Local\Temp\uninstall.exe
Reg: reg delete "HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1156\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{006EE092-9658-4FD6-BD8E-A21A348E59F5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\IDENTITIES" /v "IDENTITY_TDN" /f
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1884}\InprocServer32 -> C:\ProgramData\408\msseedir.dll => No File
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188E}\InprocServer32 -> C:\ProgramData\408\msseedir.dll => No File
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\sandra\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\sandra\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\sandra\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\sandra\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
Task: {08DBB924-0F4F-4944-820A-E393DFD08610} - System32\Tasks\BitGuard => Sc.exe start BitGuard <==== ATTENTION
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

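The following PowerShell script is an added example and is not code from the thread, from FRST or from Emsisoft. It audits the same persistence points the fixlist above rewrites (Run keys, Winlogon Notify, AppInit_DLLs, policy restrictions, IE SearchScopes, the per-user CLSID servers, scheduled tasks and services) across HKLM and every user hive that is currently loaded, and flags entries whose target file no longer exists, which is what FRST reports as "=> No File". The registry paths are the standard Windows locations; the path-extraction regex, the list of policy values checked, and the CSV output path on the Desktop are this script's own choices. It needs an elevated PowerShell on Windows 8 / Server 2012 or later, because it uses Get-ScheduledTask and Get-CimInstance.

```powershell
# Added example, not from the thread, FRST or Emsisoft: audit the persistence
# points the fixlist above rewrites across HKLM and every loaded user hive and
# flag entries whose target file no longer exists ("=> No File" in FRST terms).
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

# First executable or DLL path in a command line such as
#   "C:\Program Files\x\y.exe" /arg    or    c:\a\b.dll,Entry
function Get-TargetPath([string]$Value) {
    if (-not $Value) { return $null }
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v -match '^"([^"]+)"') { return $Matches[1] }
    if ($v -match '(?i)^(.+?\.(exe|dll|sys|vbs|js|bat|cmd))\b') { return $Matches[1] }
    return $v
}

function Add-Finding([string]$Kind, [string]$Location, [string]$Name, [string]$Value) {
    $target = Get-TargetPath $Value
    # Only absolute paths are checked; bare names (DeviceNP.dll, Sc.exe) go
    # through the loader's search order and are left for manual review.
    $absolute = $target -and ($target -match '^[A-Za-z]:\\')
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Location = $Location; Name = $Name; Value = $Value
        FileMissing = [bool]($absolute -and -not (Test-Path -LiteralPath $target))
    })
}

# Name/data pairs of a key, including a populated (Default) value; nothing if
# the key does not exist. FRST's "Run: [] => [X]" line is such a (Default) value.
function Get-KeyValues([string]$Path) {
    $k = Get-Item -LiteralPath $Path
    if (-not $k) { return }
    foreach ($n in $k.GetValueNames()) {
        $data = [string]$k.GetValue($n)
        if ($data) { [pscustomobject]@{ Name = $(if ($n) { $n } else { '(Default)' }); Data = $data } }
    }
}

$hklm  = 'Registry::HKEY_LOCAL_MACHINE'
$users = @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
$views = 'Software', 'Software\Wow6432Node'     # native and 32-bit ("-x32" in FRST) views
$policyNames = 'DisableTaskMgr', 'DisableRegistryTools', 'EnableLUA', 'ConsentPromptBehaviorAdmin'

foreach ($root in (@($hklm) + $users)) {
    foreach ($sw in $views) {
        foreach ($n in 'Run', 'RunOnce') {
            $p = "$root\$sw\Microsoft\Windows\CurrentVersion\$n"
            Get-KeyValues $p | ForEach-Object { Add-Finding 'Run' $p $_.Name $_.Data }
        }
        $p = "$root\$sw\Microsoft\Internet Explorer\SearchScopes"
        Get-KeyValues $p | ForEach-Object { Add-Finding 'SearchScope' $p $_.Name $_.Data }
        Get-ChildItem -LiteralPath $p | ForEach-Object {
            Add-Finding 'SearchScope' $_.Name 'URL' ([string]$_.GetValue('URL'))
        }
    }
    $p = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    Get-KeyValues $p | Where-Object { $policyNames -contains $_.Name } |
        ForEach-Object { Add-Finding 'Policy' $p $_.Name $_.Data }
    $p = "$root\Software\Policies\Microsoft\Internet Explorer"
    if (Test-Path -LiteralPath $p) { Add-Finding 'Policy' $p '(IE restrictions present)' '' }
}

foreach ($sw in $views) {
    $p = "$hklm\$sw\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    Get-ChildItem -LiteralPath $p | ForEach-Object {
        Add-Finding 'WinlogonNotify' $_.Name $_.PSChildName ([string]$_.GetValue('DllName'))
    }
    $p = "$hklm\$sw\Microsoft\Windows NT\CurrentVersion\Windows"
    Get-KeyValues $p | Where-Object { $_.Name -eq 'AppInit_DLLs' } | ForEach-Object {
        foreach ($dll in ($_.Data -split '[,\s]+')) { if ($dll) { Add-Finding 'AppInit_DLLs' $p 'AppInit_DLLs' $dll } }
    }
}

# Per-user COM servers (FRST's CustomCLSID lines) live in the <SID>_Classes hive.
foreach ($root in $users) {
    Get-ChildItem -LiteralPath "${root}_Classes\CLSID" | ForEach-Object {
        $srv = Get-Item -LiteralPath "$($_.PSPath)\InprocServer32"
        if ($srv) { Add-Finding 'UserCLSID' $srv.Name $_.PSChildName ([string]$srv.GetValue('')) }
    }
}

Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in @($t.Actions)) {
        if ($a.Execute) { Add-Finding 'ScheduledTask' ($t.TaskPath + $t.TaskName) $t.TaskName ("$($a.Execute) $($a.Arguments)".Trim()) }
    }
}
Get-CimInstance Win32_Service | ForEach-Object {
    Add-Finding 'Service' "HKLM\SYSTEM\CurrentControlSet\Services\$($_.Name)" $_.Name ([string]$_.PathName)
}

# FileMissing = True marks an orphaned reference: the file is gone (uninstaller,
# cleaner, or the dropper tidying up) but the registry still points at it.
# Review the whole table before deleting anything.
$findings | Sort-Object FileMissing -Descending | Format-Table Kind, FileMissing, Name, Value -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\persistence-audit.csv"
```

Run it before and after the fix: the first run should list the entries the fixlist names with FileMissing = True, the second should list none of them. Hives of users who are not logged on are not under HKEY_USERS and are therefore not covered; that is the same limitation behind the per-account AdwCleaner runs later in the thread.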

Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-4124405607-3776124019-3871074412-1166\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-4124405607-3776124019-3871074412-1166 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
2015-11-03 22:21 - 2015-11-03 22:21 - 00006200 ____H C:\Users\@dungryklsjtmjklwkxegp\$dcaklsjtmjklwkxevvwat.tiff
2015-11-03 22:21 - 2015-11-03 22:21 - 00000000 ___HD C:\Users\sandra\Downloads\!ozwklsjtmjklwkxemqcbs
2015-11-03 22:21 - 2015-11-03 22:21 - 00000000 ___HD C:\Users\sandra\AAODFdungryklsjtmjklwkxegp
2015-11-03 22:21 - 2015-11-03 22:21 - 00000000 ___HD C:\Users\@dungryklsjtmjklwkxegp
2015-11-03 22:21 - 2015-11-03 22:21 - 00000000 ___HD C:\%jxewklsjtmjklwkxerade
2015-11-03 22:21 - 2015-11-03 22:21 - 00000000 ___HD C:\!spjhklsjtmjklwkxewaie
Reg: reg delete "HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1166\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1166\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1156\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{006EE092-9658-4FD6-BD8E-A21A348E59F5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3816885835-2970824877-3548249396-1009\IDENTITIES" /v "IDENTITY_TDN" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

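As an added example (not from the thread or from FRST), the script below pivots on the creation time the fixlist above shows for the ransomware's artifacts, all stamped 2015-11-03 22:21, and lists every other file or directory created in the same window under the drive root, the user profiles, ProgramData and the Windows temp directory. The pivot time, the window and the search roots are assumptions to adjust from your own FRST log. Creation times can be back-dated by malware, so an empty result does not prove nothing else was dropped; a populated one is a list of candidates to examine, not a list of things to delete.

```powershell
# Added example, not from the thread or FRST: every entry the fixlist above
# removes was created at 2015-11-03 22:21, so use that minute as a pivot and
# list everything else created in the same window where droppers usually write.
# Pivot, window and roots are this script's own assumptions.

param(
    [datetime]$Pivot         = '2015-11-03 22:21',
    [int]     $WindowMinutes = 5,
    [string[]]$RecurseRoots  = @('C:\Users', 'C:\ProgramData', "$env:windir\Temp")
)

$from = $Pivot.AddMinutes(-$WindowMinutes)
$to   = $Pivot.AddMinutes($WindowMinutes)

# -Force includes hidden and system entries, which is where these droppers hide
# (the fixlist entries above carry the H and S attributes).
$candidates = @(Get-ChildItem -LiteralPath 'C:\' -Force -ErrorAction SilentlyContinue)   # drive root, one level
foreach ($root in $RecurseRoots) {
    $candidates += @(Get-ChildItem -LiteralPath $root -Force -Recurse -ErrorAction SilentlyContinue)
}

$hits = $candidates |
    Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
    ForEach-Object {
        [pscustomobject]@{
            Created    = $_.CreationTime
            Attributes = $_.Attributes
            Bytes      = $(if ($_.PSIsContainer) { $null } else { $_.Length })
            Path       = $_.FullName
        }
    }

$hits | Sort-Object Created, Path | Format-Table -AutoSize
Write-Host ("{0} entries created between {1} and {2}" -f @($hits).Count, $from, $to)
```

The Attributes column is what to read first: a directory at the drive root with Hidden and System set and a name starting with a punctuation character, created in the same minute as the known artifacts, belongs in the next fixlist; a Google Update or Windows Installer entry with the same timestamp is normal background activity.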

Changing tools.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <-- Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled RKreport[X]_S_xxdatexx_xtimex.
    • The highest number for [X] is the most recent Scan.

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:
      [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Application Updater ("C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe") -> Found

      [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

      [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1166\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4124405607-3776124019-3871074412-1166\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

    • Click the Delete button.
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled RKreport[X]_D_xxdatexx_xtimex.
    • The highest number for [X] is the most recent Delete.

Your RogueKiller log looks good, the targeted items were removed.

Without debug logs there is no way I can tell you why Emsisoft failed to remove any item. Once something is allowed to install by the end user or it successfully bypasses active protection, it can sometimes prove difficult to remove. The makers of this stuff do not want it removed from the system, and take measures to protect their foistware.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Without debug logs and several system logs there is absolutely no way for me to determine how and why this was able to execute.

Before we proceed, I need to determine all the user accounts on this system.

Download to your Desktop UserInfo.zip

Extract the contents of UserInfo.zip to your Desktop.

You should now have UserInfo.vbs on the Desktop.

Double-click on UserInfo.vbs to run it.

After a few seconds you should have a new file, output.txt, on your Desktop.

Attach output.txt to your reply.


Run AdwCleaner in these 2 accounts:

Name: domadmin
SID: S-1-5-21-3816885835-2970824877-3548249396-1009

Name: domadmin
SID: S-1-5-21-4124405607-3776124019-3871074412-1156

Attach the AdwCleaner cleaning log from both accounts.

Hello Kevin,

One of the accounts is local, but because the computer is now part of a domain, I can't easily log in to that account.

I always log in remotely, because during the day the customer is still using this machine; during the evening I can get control of this machine remotely.

So if it's really important to log in locally, just let me know; then I have to make an appointment with the client for when I can get over there and use her machine.

So I just have one account ready for you to look into. That's the account that is part of the domain.

Here's the logfile you requested.

AdwCleanerC2.txt


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

If EEK is still detecting under one SID, then it may be necessary to log on to the machine locally and run AdwCleaner.

Link to post
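The following PowerShell script is an added example, not code from the thread, from FRST, from Emsisoft or from AdwCleaner. It addresses the situation the thread ends on: detections under HKEY_USERS\<SID> are only visible while that user's profile hive (NTUSER.DAT) is loaded, which normally happens when the user logs on, so a local account nobody logs on to keeps its entries no matter how often the domain account is cleaned. The script lists every profile from ProfileList, resolves each SID to an account name (the two domadmin accounts with different SID prefixes are a local and a domain account, each with its own hive), checks the thread's per-user entries in each loaded hive, and for profiles that are not loaded mounts NTUSER.DAT itself with reg.exe load, checks it, and unloads it again. Without -Remove it only reports. The key paths and value names are the ones quoted in the thread's detections and fixlists; the mount name HKU\OfflineHive is this script's own choice. Run it from an elevated PowerShell.

```powershell
# Added example, not from the thread, FRST, Emsisoft or AdwCleaner: inspect (and
# with -Remove, delete) the thread's per-user entries in every profile on the
# machine, loading the NTUSER.DAT of profiles that are not logged on. Run
# elevated. Key paths and value names come from the thread; the mount name
# HKU\OfflineHive is this script's own choice.

param([switch]$Remove)    # without -Remove the script only reports

# Entries to look for, relative to the user hive root. Value = $null means the
# whole key (a SearchScope GUID); otherwise a single value under that key.
$targets = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}'; Value = $null },
    @{ Key = 'Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}'; Value = $null },
    @{ Key = 'Identities'; Value = 'IDENTITY_TDN' }
)

function Resolve-Sid([string]$Sid) {
    try   { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { '(unresolved: local account of another machine, or domain controller unreachable)' }
}

function Test-HiveTargets([string]$Root, [switch]$Remove) {
    foreach ($t in $targets) {
        $key = "$Root\$($t.Key)"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if ($null -eq $t.Value) {
            Write-Host "FOUND key    $key"
            if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
        } elseif ($null -ne (Get-Item -LiteralPath $key).GetValue($t.Value)) {
            Write-Host "FOUND value  $key\$($t.Value)"
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $t.Value -Force }
        }
    }
}

# Every profile the machine knows about, logged on or not. Two accounts with
# the same name but different SID prefixes (as in the thread) are a local and
# a domain account, and each has its own hive.
$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        [pscustomobject]@{
            Sid     = $_.PSChildName
            Account = Resolve-Sid $_.PSChildName
            Path    = [string]$_.GetValue('ProfileImagePath')
            Loaded  = Test-Path "Registry::HKEY_USERS\$($_.PSChildName)"
        }
    }
$profiles | Format-Table -AutoSize

foreach ($p in $profiles) {
    Write-Host "== $($p.Sid) ($($p.Account))"
    if ($p.Loaded) {                     # user is logged on: hive already mounted
        Test-HiveTargets "Registry::HKEY_USERS\$($p.Sid)" -Remove:$Remove
        continue
    }
    $dat = Join-Path $p.Path 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $dat)) { Write-Warning "no NTUSER.DAT under $($p.Path)"; continue }
    & reg.exe load 'HKU\OfflineHive' $dat | Out-Null      # no native cmdlet for this
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $dat (locked by a session or service?)"; continue }
    try {
        Test-HiveTargets 'Registry::HKEY_USERS\OfflineHive' -Remove:$Remove
    } finally {
        # Drop the provider's open handles first; otherwise the unload is refused.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload 'HKU\OfflineHive' | Out-Null
    }
}
```

The garbage-collector call before reg.exe unload is deliberate: the registry provider keeps handles open on keys it has touched, and the unload fails with access denied until they are released. A hive that is already in use (the user has a session, even a disconnected one) cannot be loaded a second time; that is the one case where logging the user off, or visiting the machine, is still required.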
This topic is now closed to further replies.