Belle28 (Posted May 24, 2016)

Hi, I work for a small family-owned business and our marketing person got infected with ransomware. I followed your instructions and ran the Emsisoft Emergency Kit and then the Farbar Recovery Scan Tool. Neither one would update; I kept getting "could not connect to server"... It didn't look like the Emsisoft Emergency Kit found the problem. I've attached the required files. The encryption infection is under user jdm. I've also attached the ransom text file and one of the encrypted files. Note: it won't let me attach the infected (the .crypt) file. Please let me know what my options are. Thanks much for what you guys are doing. Dee

Also, I did run the Petyextractor and it found nothing.

Update: I just ran Kaspersky RannohDecryptor.exe and got the error "...this variant of Trojan-Ransom.Win32.CryptXXX is not supported." The log says "CryptXXX v3 decryption not supported. Can't init decryptor".

Another update: I got the decrypt_gomasom.exe to run. Will let you know if it works! I hope...I hope....I hope...

Attachments: !Recovery_3C779BE5DEE8.txt, Addition.txt, FRST.txt, scan_160524-071940.txt
Kevin Zoll (Posted May 24, 2016)

Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [] => [X]
SearchScopes: HKU\S-1-5-21-1068725011-614884919-483988704-500 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
1899-12-30 00:00 - 1899-12-30 00:00 - 3528054 ____T () C:\ProgramData\3C779BE5DEE8.bmp
1601-03-12 06:17 - 1601-03-12 06:17 - 0014193 _____ () C:\ProgramData\3C779BE5DEE8.html
C:\Users\administrator\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\administrator\AppData\Local\Temp\nvStInst.exe
C:\Users\administrator\AppData\Local\Temp\nvvm2frr.dll
C:\Users\administrator\AppData\Local\Temp\ScriptHelper.exe
C:\Users\administrator\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\shh\AppData\Local\Temp\avguidx.dll
C:\Users\shh\AppData\Local\Temp\CommonInstaller.exe
C:\Users\shh\AppData\Local\Temp\contentDATs.exe
C:\Users\shh\AppData\Local\Temp\en_lync_2010_x86_598490.exe
C:\Users\shh\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\shh\AppData\Local\Temp\oi_{8365D086-F7A7-4365-8135-A0F6D5FB1170}.exe
C:\Users\shh\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\shh\AppData\Local\Temp\ToolbarInstaller.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
C:\Users\administrator\AppData\Local\Temp\ICReinstall\cnet2_PrintKey-Pro-v105_exe.exe

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

What would really be helpful are logs from the infected user account.
Belle28 (Posted May 24, 2016)

Hi, the decrypt_gomasom.exe is still running. It's really slow and I'm letting it run. You asked about log files. What log files are you looking for, and where can I find them? Also, in your code, it's the jdm user that was infected. I don't see that user mentioned in your code.
Kevin Zoll (Posted May 24, 2016)

I would like to get scan logs from EEK and FRST from the infected user account.
Belle28 (Posted May 24, 2016)

The text docs I attached were from the infected machine. When I tried to update the EEK I kept getting a message saying it couldn't connect to the server. I can re-run those two, EEK and FRST, in the morning. I'm going to let the decrypt_gomasom.exe finish, which will probably be several more hours.
Belle28 (Posted May 25, 2016)

OK, I've re-run the EEK and FRST and have attached the files. Also ran the fixlist, as instructed above, and attached. Next step? The decrypt_gomasom.exe didn't work.

Attachments: Addition.txt, Fixlog.txt, FRST.txt, scan_160525-061525.txt
Kevin Zoll (Posted May 25, 2016)

Have you tried the CrypBoss decryption tools? https://decrypter.emsisoft.com/crypboss

I need the scans to be run from the infected account.
Belle28 (Posted May 25, 2016)

OK, ran from the infected user, attached files. Trying the decrypt_crypboss.exe now. It asked about an email address in the ransomware note and there was no email address, so I used the default.

Attachments: Addition.txt, FRST.txt, scan_160525-110808.txt
Kevin Zoll (Posted May 25, 2016)

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1068725011-614884919-483988704-4081\...\Run: [AdobeBridge] => [X]
URLSearchHook: [S-1-5-21-1068725011-614884919-483988704-500] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-2920324891-2499781388-2088501239-1003] ATTENTION => Default URLSearchHook is missing
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\S-1-5-21-1068725011-614884919-483988704-4081: @tools.google.com/Google Update;version=3 -> C:\Users\jdm\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-1068725011-614884919-483988704-4081: @tools.google.com/Google Update;version=9 -> C:\Users\jdm\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068725011-614884919-483988704-1569Core.job => <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068725011-614884919-483988704-1569UA.job => <==== ATTENTION
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
Belle28 (Posted May 25, 2016)

Fixlog file attached. Next step?

Attachments: Fixlog.txt
Kevin Zoll (Posted May 26, 2016)

OK, switch back to the Administrators account. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
Belle28 (Posted May 26, 2016)

I've attached the files. The machine seems to be running OK. I have it completely off the network now. Have tried several of the decryptors to recover all the files and nothing has worked so far. The marketing person, the user that got infected, is freaking out because all her docs and spreadsheets were on that machine, and no backup of course. Told her to be patient.

Attachments: Addition.txt, FRST.txt, scan_160526-105412.txt
Kevin Zoll (Posted May 26, 2016)

I need FRST logs from an account with administrator privileges. The next step will not work from a limited user account. Unfortunately, it does not look like we can decrypt the encrypted files.
Belle28 (Posted May 26, 2016)

I'll try to log in to the local machine as admin. Stand by. Sorry, apparently I was logged in as the user last time. Will get the correct files to you in a bit.
Kevin Zoll (Posted May 26, 2016)

OK
Belle28 (Posted May 26, 2016)

OK, files run from admin attached.

Attachments: Addition.txt, FRST.txt, scan_160526-115145.txt
Kevin Zoll (Posted May 26, 2016)

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2920324891-2499781388-2088501239-1003\...\Run: [ROC_JAN2013_TB] => "C:\Program Files\AVG Secure Search\ROC_JAN2013_TB.exe" /PROMPT /CMPID=JAN2013_TB
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{13ABD093-D46F-40DF-A608-47E162EC799D}" /f

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
Belle28 (Posted May 26, 2016)

OK, here ya go.

Attachments: Fixlog.txt
Belle28 (Posted May 26, 2016)

I do have a question about this ransomware stuff. From what I've read, they can encrypt docs on a mapped drive. Can it (the ransomware) get to docs through a shortcut to a shared folder on the network? Also, would it make a difference if the file extensions are hidden, since they look for particular file extensions?
Kevin Zoll (Posted May 27, 2016)

Some ransomware variants are capable of encrypting files on a mapped network drive. It is not possible to hide file extensions: you can hide them from being viewed in a GUI, but you cannot hide them from the system.

Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
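An added example, not code from this thread or from Emsisoft: a small Python triage script for scoping the damage described above, i.e. which folders (and whether a mapped drive) hold .crypt files and !Recovery_<ID>.txt notes, matching on real filenames so the Explorer extension-hiding setting Kevin mentions makes no difference. The root paths and the sample tree it builds are constructed assumptions.

```python
"""Added triage example (not code from the thread): inventory what CryptXXX-style
ransomware touched under given roots, e.g. C:\\Users\\jdm and a mapped drive.
Naming follows this thread: encrypted files end in ".crypt" and a ransom note
!Recovery_<ID>.txt sits beside them. Matching uses the real filename from the
filesystem, so Explorer's "hide extensions" setting changes nothing here."""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".crypt"
NOTE_RE = re.compile(r"^!Recovery_[0-9A-F]+\.txt$", re.IGNORECASE)


def inventory(roots):
    """Walk each root; return encrypted files, ransom notes and a count per root."""
    encrypted, notes, per_root = [], [], Counter()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if name.lower().endswith(ENCRYPTED_SUFFIX):
                    encrypted.append(full)
                    per_root[root] += 1
                elif NOTE_RE.match(name):
                    notes.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_root": per_root}


def original_name(path):
    """Recover the pre-encryption filename by stripping the appended suffix."""
    return path[:-len(ENCRYPTED_SUFFIX)] if path.lower().endswith(ENCRYPTED_SUFFIX) else path


def build_sample():
    """Constructed sample tree: a user-profile root that was hit and a
    mapped-drive root that was not. Returns (profile, mapped)."""
    profile, mapped = tempfile.mkdtemp(prefix="jdm_"), tempfile.mkdtemp(prefix="mapped_")
    docs = os.path.join(profile, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.crypt", "plan.docx.crypt", "!Recovery_3C779BE5DEE8.txt"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(profile, "notes.txt.crypt"), "w").close()
    open(os.path.join(mapped, "shared.docx"), "w").close()
    return profile, mapped


if __name__ == "__main__":
    res = inventory(build_sample())
    print(dict(res["per_root"]), len(res["notes"]), "ransom note(s)")
```

A per-root count of zero on the mapped drive is the quick check that the share was not reached; a non-zero count there means the share needs the same restore-from-backup treatment as the profile.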
Belle28 (Posted May 27, 2016)

OK, will re-run and post. Will be a bit.
Kevin Zoll (Posted May 30, 2016)

Once I have the logs I will look over them.
Kevin Zoll (Posted June 2, 2016)

Thread Closed. Reason: Lack of Response.

PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.