New Al-Namrood infection

Trying to run the Emsisoft Emergency Kit, but it is on Server 2008, non-R2, so I get an error that it can't run on a system prior to Windows 7. What do I run to get you the logs?

Windows Server 2008 is not supported by our software. Server 2008 is based on the Vista kernel and Server 2008 R2 is based on the Windows 7 kernel.

Skip EEK and send me the logs from FRST.

Since the forum has been under attack for the past few days, I am extending the response deadline by another 48 hours.

The server was likely compromised via a successful RDP attack. Make sure RDP is properly secured and change all passwords on this server.

Al-Namrood implements the Windows CryptoAPI in a flawed manner, resulting in a 1-in-3 chance that files have been encrypted using garbage data. If that is the case, then the files cannot be decrypted.

Copy the code below to Notepad; save it as fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-128953846-1763445864-522703363-1129\...\MountPoints2: {b2d798e7-f6d2-11dd-8140-806e6f6e6963} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\StartHere.hta
HKU\S-1-5-21-128953846-1763445864-522703363-500\...\Run: [Decryption Instructions] => C:\Windows\system32\notepad.exe [151040 2015-07-09] (Microsoft Corporation)
HKU\S-1-5-21-128953846-1763445864-522703363-500\...\Run: [MSPANCentralViewerPreLoad] => C:\Users\Administrator\AppData\Local\MSP Anywhere for N-central\Viewer\NCentralRDLdr.exe [4261600 2016-07-05] (Solarwinds N-able)
HKU\S-1-5-21-128953846-1763445864-522703363-500\...\Policies\system: [DisableLockWorkstation] 1
GroupPolicyScripts: Restriction <======= ATTENTION
2016-11-28 14:55 - 2016-11-30 09:46 - 0001356 _____ () C:\Users\technique\AppData\Local\d3d9caps.dat
2016-11-28 19:32 - 2016-11-28 19:33 - 0361832 _____ () C:\Users\technique\AppData\Local\dd_vcredistMSI03DB.txt
2016-11-28 18:40 - 2016-11-28 18:41 - 0457450 _____ () C:\Users\technique\AppData\Local\dd_vcredistMSI5B99.txt
2016-11-28 19:32 - 2016-11-28 19:33 - 0011690 _____ () C:\Users\technique\AppData\Local\dd_vcredistUI03DB.txt
2016-11-28 18:40 - 2016-11-28 18:42 - 0348794 _____ () C:\Users\technique\AppData\Local\dd_vcredistUI5B99.txt
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

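As an added example (not part of the thread and not an Emsisoft or FRST tool), the following read-only PowerShell audit checks the same persistence locations the fixlist above targets, so a defender can look for the same pattern on other hosts before deciding on cleanup; the match patterns are taken from the entries visible in the fixlist and are assumptions about what a related infection would look like, not a definitive indicator set.

```powershell
# Added example, not from the thread: read-only audit of the persistence points
# the FRST fixlist above removes. Run in an elevated PowerShell; nothing here
# modifies the registry. Match patterns are assumptions based on the fixlist.

$findings = @()

# 1. Run keys for the machine hive and every loaded user hive.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    foreach ($name in $names) {
        $value = [string]$props.$name
        # The fixlist had a Run entry named "Decryption Instructions" launching notepad.exe:
        # a ransom note opened at logon. Flag similar names and notepad/.hta launchers.
        if ($name -match 'Decrypt' -or $value -match 'notepad\.exe|\.hta') {
            $findings += "Run entry '$name' in $key -> $value"
        }
    }
}

# 2. MountPoints2 entries that execute something (the fixlist had one launching StartHere.hta
#    via RunDLL32 / ShellExec_RunDLL).
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $mp = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (-not (Test-Path $mp)) { continue }
    foreach ($entry in Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue) {
        $default = (Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($default -match 'ShellExec_RunDLL|\.hta|\.exe') {
            $findings += "MountPoints2 command in $($entry.Name) -> $default"
        }
    }
}

# 3. Per-user policy value the fixlist resets: DisableLockWorkstation=1 keeps the
#    console user from locking the session.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $sys = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $sys)) { continue }
    $v = (Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).DisableLockWorkstation
    if ($v -eq 1) { $findings += "DisableLockWorkstation=1 under $sys" }
}

if ($findings.Count -eq 0) { Write-Output 'No matching persistence entries found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Any hit is a lead to verify by hand against the FRST logs, not proof of infection; legitimate software can also register Run entries.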

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
