Help, my PC is infected!


Hi,

I work for a small family-owned business and our marketing person got infected with ransomware. I followed your instructions and ran the Emsisoft Emergency Kit and then the Farbar Recovery Scan Tool. Neither one would update; I kept getting "could not connect to server"...

It didn't look like the Emsisoft Emergency Kit found the problem. I've attached the required files. The encryption infection is under user jdm. I've also attached the ransom text file and one of the encrypted files.

Note: it won't let me attach the infected (the .crypt) file.

Please let me know what my options are.

Thanks much for what you guys are doing.

Dee

Also, I did run the PetyaExtractor and it found nothing.

Update: I just ran Kaspersky RannohDecryptor.exe and got the error "...this variant of Trojan-Ransom.Win32.CryptXXX is not supported."

The log says 'CryptXXX v3 decryption not supported. Can't init decryptor'.

Another update: I got the decrypt_gomasom.exe to run. Will let you know if it works! I hope... I hope... I hope...

!Recovery_3C779BE5DEE8.txt

Addition.txt

FRST.txt

scan_160524-071940.txt


Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [] => [X]
SearchScopes: HKU\S-1-5-21-1068725011-614884919-483988704-500 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
1899-12-30 00:00 - 1899-12-30 00:00 - 3528054 ____T () C:\ProgramData\3C779BE5DEE8.bmp
1601-03-12 06:17 - 1601-03-12 06:17 - 0014193 _____ () C:\ProgramData\3C779BE5DEE8.html
C:\Users\administrator\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\administrator\AppData\Local\Temp\nvStInst.exe
C:\Users\administrator\AppData\Local\Temp\nvvm2frr.dll
C:\Users\administrator\AppData\Local\Temp\ScriptHelper.exe
C:\Users\administrator\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\shh\AppData\Local\Temp\avguidx.dll
C:\Users\shh\AppData\Local\Temp\CommonInstaller.exe
C:\Users\shh\AppData\Local\Temp\contentDATs.exe
C:\Users\shh\AppData\Local\Temp\en_lync_2010_x86_598490.exe
C:\Users\shh\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\shh\AppData\Local\Temp\oi_{8365D086-F7A7-4365-8135-A0F6D5FB1170}.exe
C:\Users\shh\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\shh\AppData\Local\Temp\ToolbarInstaller.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
C:\Users\administrator\AppData\Local\Temp\ICReinstall\cnet2_PrintKey-Pro-v105_exe.exe
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

What would really be helpful are logs from the infected user account.


Hi,

The decrypt_gomasom.exe is still running. It's really slow and I'm letting it run. You asked about log files. What log files are you looking for, and where can I find them?

Also, in your code it's the jdm user that was infected. I don't see that user mentioned in your code.


The text docs I attached were from the infected machine. When I tried to update the EEK I kept getting a message saying it couldn't connect to the server.

I can re-run those two, EEK and FRST, in the morning. I'm going to let the decrypt_gomasom.exe finish, which will probably be several more hours.


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1068725011-614884919-483988704-4081\...\Run: [AdobeBridge] => [X]
URLSearchHook: [S-1-5-21-1068725011-614884919-483988704-500] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-2920324891-2499781388-2088501239-1003] ATTENTION => Default URLSearchHook is missing
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-1068725011-614884919-483988704-4081: @tools.google.com/Google Update;version=3 -> C:\Users\jdm\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-1068725011-614884919-483988704-4081: @tools.google.com/Google Update;version=9 -> C:\Users\jdm\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068725011-614884919-483988704-1569Core.job =>  <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068725011-614884919-483988704-1569UA.job =>  <==== ATTENTION
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


OK, switch back to the Administrator account.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


I've attached the files. The machine seems to be running OK. I have it completely off the network now. I have tried several of the decryptors to recover all the files and nothing has worked so far. The marketing person (the user that got infected) is freaking out because all her docs and spreadsheets were on that machine, and no backup of course. Told her to be patient.

Addition.txt

FRST.txt

scan_160526-105412.txt


I need FRST logs from an account with administrator privileges. The next step will not work from a limited user account.

Unfortunately, it does not look like we can decrypt the encrypted files.


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2920324891-2499781388-2088501239-1003\...\Run: [ROC_JAN2013_TB] => "C:\Program Files\AVG Secure Search\ROC_JAN2013_TB.exe"  /PROMPT /CMPID=JAN2013_TB
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


I do have a question about this ransomware stuff. From what I've read, they can encrypt docs on a mapped drive. Can it (the ransomware) get to docs through a shortcut to a shared folder on the network? Also, would it make a difference if the file extensions are hidden, since they look for particular file extensions?


Some ransomware variants are capable of encrypting files on a mapped network drive. It is not possible to hide file extensions; you can hide them from being viewed in a GUI, but you cannot hide them from the system.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

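The two points in the reply above (extensions are only hidden in Explorer, and network locations reachable by the user are reachable by malware running as that user) can be checked directly on the machine. The script below is an added example written for this thread, not something posted by the helper or the user. It is meant to be run in PowerShell as the affected account on the isolated machine. The indicator values are taken from this thread (the .crypt extension and the !Recovery_<ID>.txt note name); the choice to look for shortcuts only on the Desktop is an assumption, so widen it if the user keeps shortcuts elsewhere.

```powershell
# Added example: show that "hidden" extensions are an Explorer-only setting,
# list the network locations this account can reach (mapped drives and the
# targets of shortcuts), and scan each of them for signs of encryption.
# Indicators from this thread; change them for other ransomware families.
$EncryptedExt = '.crypt'
$NotePattern  = '^!Recovery_[0-9A-F]{12}\.txt$'

# 1. "Hide extensions for known file types" lives in the user's hive and only
#    affects what Explorer displays. The file system, and any process that
#    enumerates files (ransomware included), always sees the real name.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
Write-Host "HideFileExt = $hide  (1 = extensions hidden in Explorer only)"

# 2. Collect the network locations reachable from this account:
#    every mapped drive letter, plus the target of each Desktop shortcut.
$targets = @()
Get-CimInstance Win32_MappedLogicalDisk | ForEach-Object {
    $targets += [pscustomobject]@{ Via = "mapped $($_.DeviceID)"; Path = $_.ProviderName }
}
$wsh = New-Object -ComObject WScript.Shell
# Assumption: shortcuts of interest are on the Desktop; add other folders as needed.
Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Filter *.lnk -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # A .lnk is only a pointer. Whatever path it resolves to (local or \\UNC)
        # is an ordinary path that any process running as this user can write to.
        $t = $wsh.CreateShortcut($_.FullName).TargetPath
        if ($t -and (Test-Path -LiteralPath $t -PathType Container)) {
            $targets += [pscustomobject]@{ Via = "shortcut $($_.Name)"; Path = $t }
        }
    }

# 3. Scan each reachable location. Matching is done on the real extension,
#    so the Explorer setting checked in step 1 makes no difference here.
foreach ($loc in $targets) {
    $files = Get-ChildItem -LiteralPath $loc.Path -Recurse -File -ErrorAction SilentlyContinue
    $enc   = @($files | Where-Object { $_.Extension -ieq $EncryptedExt })
    $notes = @($files | Where-Object { $_.Name -match $NotePattern })
    [pscustomobject]@{
        Via       = $loc.Via
        Path      = $loc.Path
        Encrypted = $enc.Count
        Notes     = $notes.Count
        VictimIds = (($notes.Name -replace '^!Recovery_([0-9A-F]{12})\.txt$', '$1') | Sort-Object -Unique) -join ','
    }
}
```

The recursive listing in step 3 walks every file on each share, so on a large file server it can take a long time; if only one share matters, trim `$targets` to it. A location that reports encrypted files or a ransom note was writable by the infected account, whether it was reached through a drive letter or a shortcut, which answers the question about shortcuts the same way as for mapped drives.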