Ransomware--Al-Namrood 2.0 believed-Removal verify



I have uploaded a file to https://id-ransomware.malwarehunterteam.com/ and it is coming back as Al-Namrood. The system was scanned using the paid version of Malwarebytes which did not find anything. A large amount of the files are encrypted like the attached file. My question is what do I need to do to make sure it's really gone. I did notice a large amount of attempts to log in from an unknown IP with no PID with a ton of user name guesses in the security log. I have since turned off the IIS server and it seems to have stopped the flood of attempts, but the machine went off-line and is currently unreachable. It appears to have encrypted a large amount of pdf/doc/excel files but it also seems to have stopped my BackupExec because the services will no longer start, and various other programs are now broken as well. All files are marked with the [email protected] address. The services for BackupExec were also marked as disabled when I went in to see why it wouldn't start, but I haven't seen anything online about this happening to other people. This machine is running Server 2008 and I cannot run the Emergency Kit because of the OS level, but the FRST log is attached. What other info would be needed to be sure I have gotten rid of this ransomware? Our backups should be good from a few days back, I am hoping. We do not plan on paying these criminals off. I would like to not have to rebuild the server from scratch.

Any help is greatly appreciated

Rob


FTB_folder.pdb.ID-DC9A265DUS[[email protected]].mga5adiamga4aa

FRST.txt

Edited by Robtrench
added file
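Added example, not from the post or the forum: a small Python script that scopes the damage from file names alone, on the assumption (the post shows it for one file only) that every encrypted file follows the same naming shape as the attached one, `<original name>.ID-<victim id>[<contact address>].<appended extension>`. It counts encrypted files per original document type and collects the IDs and contact addresses seen, so the victim ID can be checked against the one in the ransom note; the neighbour names in the sample are constructed.

```python
import os
import re
from collections import Counter

# Naming shape of the file attached to the post: <original>.ID-<victim id>[<contact>].<ext>
# Assumption (not stated on the page): every encrypted file follows this same shape.
ENC_NAME = re.compile(
    r"^(?P<original>.+?)\.ID-(?P<victim_id>[A-Z0-9]+)\[(?P<contact>.+)\]\.(?P<ext>[a-z0-9]+)$")

def parse_encrypted_name(name):
    """Return the parts of an encrypted file name, or None if the name does not match."""
    m = ENC_NAME.match(name)
    if not m:
        return None
    original = m.group("original")
    return {
        "original": original,
        "orig_ext": os.path.splitext(original)[1].lower() or "(none)",
        "victim_id": m.group("victim_id"),
        "contact": m.group("contact"),
        "appended_ext": m.group("ext"),
    }

def summarize(names):
    """Scope the damage: how many files, which document types, which IDs and contacts."""
    hits = [p for p in map(parse_encrypted_name, names) if p]
    return {
        "encrypted": len(hits),
        "by_orig_ext": dict(Counter(h["orig_ext"] for h in hits)),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contacts": sorted({h["contact"] for h in hits}),
    }

def scan_tree(root):
    """Walk a share or volume by name only; nothing is opened or changed."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return summarize(names)

# Constructed sample: the attached name from the post plus made-up neighbours.
SAMPLE_NAMES = [
    "FTB_folder.pdb.ID-DC9A265DUS[[email protected]].mga5adiamga4aa",
    "Q1_report.xlsx.ID-DC9A265DUS[contact@mail.example].mga5adiamga4aa",
    "invoice.pdf.ID-DC9A265DUS[contact@mail.example].mga5adiamga4aa",
    "notes.docx.ID-DC9A265DUS[contact@mail.example].mga5adiamga4aa",
    "readme.txt",  # untouched file, must not be counted
]

if __name__ == "__main__":
    print(summarize(SAMPLE_NAMES))
```

Run `scan_tree(r"D:\share")` against a mounted copy of the affected volume to get the same summary for real data.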

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Winlogon: [LegalNoticeCaption] Attention!
HKLM\...\Winlogon: [LegalNoticeText] All your files were encrypted with strong algorithm AES256 and unique key.
Do not worry, all your files in the safety, but are unavailable at the moment.
To recover the files you need to get special decryption software and your personal key.
You can contact us via Email:
[email protected]
Your Personal ID: DC9A265DUS
Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered.
For fast communication, you can write us to Jabber (It is not Email !!!): [email protected]
How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account
You have 3 working days to contact us, otherwise recovering may be harder for you.
Regards.
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-909944493-1040520737-2181451333-500\...\Policies\system: [DisableLockWorkstation] 1
2017-03-06 12:54 - 2017-03-06 12:54 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET1C08.tmp
2017-03-06 12:54 - 2017-03-06 12:54 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET1BC9.tmp
2017-03-06 12:54 - 2017-03-06 12:54 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET1489.tmp
2017-03-06 12:54 - 2017-03-06 12:54 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET1303.tmp
2017-03-06 12:53 - 2017-03-06 12:53 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFDBE6.tmp
2017-03-06 12:53 - 2017-03-06 12:53 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETEE63.tmp
2017-03-06 12:53 - 2017-03-06 12:53 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET62C7.tmp
2017-03-06 09:29 - 2017-03-06 09:29 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETEB38.tmp
2017-03-06 09:29 - 2017-03-06 09:29 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETEB09.tmp
2017-03-06 09:29 - 2017-03-06 09:29 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETE455.tmp
2017-03-06 09:29 - 2017-03-06 09:29 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETE34C.tmp
2017-03-06 09:29 - 2017-03-06 09:29 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETBE8D.tmp
2017-03-06 09:28 - 2017-03-06 09:28 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFC62A.tmp
2017-03-06 09:28 - 2017-03-06 09:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET5781.tmp
2017-03-06 00:01 - 2017-03-06 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETD3DB.tmp
2017-03-06 00:01 - 2017-03-06 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETD37E.tmp
2017-03-06 00:01 - 2017-03-06 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETCE8E.tmp
2017-03-06 00:01 - 2017-03-06 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETCE6F.tmp
2017-03-06 00:01 - 2017-03-06 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETC886.tmp
2017-03-05 14:57 - 2017-03-05 14:57 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DFCD4C.tmp
2017-03-05 14:57 - 2017-03-05 14:57 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET530E.tmp
2017-03-05 12:28 - 2017-03-05 12:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF3FE.tmp
2017-03-05 12:28 - 2017-03-05 12:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF3D0.tmp
2017-03-05 12:28 - 2017-03-05 12:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETED2B.tmp
2017-03-05 12:28 - 2017-03-05 12:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETEC04.tmp
2017-03-05 12:28 - 2017-03-05 12:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETD068.tmp
2017-03-05 12:27 - 2017-03-05 12:27 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF159A.tmp
2017-03-05 12:27 - 2017-03-05 12:27 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET672B.tmp
2017-03-05 00:01 - 2017-03-05 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA7F6.tmp
2017-03-05 00:01 - 2017-03-05 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA7C9.tmp
2017-03-05 00:01 - 2017-03-05 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA1CF.tmp
2017-03-05 00:01 - 2017-03-05 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA171.tmp
2017-03-05 00:01 - 2017-03-05 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET7331.tmp
2017-03-04 19:25 - 2017-03-04 19:25 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF1C83.tmp
2017-03-04 19:25 - 2017-03-04 19:25 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET337E.tmp
2017-03-04 18:28 - 2017-03-04 18:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETFD13.tmp
2017-03-04 18:28 - 2017-03-04 18:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETFC96.tmp
2017-03-04 18:28 - 2017-03-04 18:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA88D.tmp
2017-03-04 18:28 - 2017-03-04 18:28 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA83F.tmp
2017-03-04 18:27 - 2017-03-04 18:27 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF1869.tmp
2017-03-04 18:27 - 2017-03-04 18:27 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETD355.tmp
2017-03-04 18:27 - 2017-03-04 18:27 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET6FD2.tmp
2017-03-04 18:03 - 2017-03-04 18:03 - 00114688 _____ C:\Users\Administrator\AppData\Local\Temp\~DFBC52.tmp
2017-03-04 17:19 - 2017-03-04 17:19 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF508.tmp
2017-03-04 17:19 - 2017-03-04 17:19 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF2C6.tmp
2017-03-04 17:19 - 2017-03-04 17:19 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETCF8D.tmp
2017-03-04 17:19 - 2017-03-04 17:19 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET9B18.tmp
2017-03-04 17:19 - 2017-03-04 17:19 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET9AE8.tmp
2017-03-04 17:18 - 2017-03-04 17:18 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF1CE4.tmp
2017-03-04 17:18 - 2017-03-04 17:18 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET6AF2.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00016384 _____ C:\Users\Administrator\AppData\Local\Temp\~DF4ED0.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA14D.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETA0FF.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET9B17.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET9A4B.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET8B6D.tmp
2017-03-04 14:13 - 2017-03-04 14:13 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET3DDA.tmp
2017-03-04 14:04 - 2017-03-04 14:05 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\26697
2017-03-04 00:01 - 2017-03-04 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF477.tmp
2017-03-04 00:01 - 2017-03-04 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETF439.tmp
2017-03-04 00:01 - 2017-03-04 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETED75.tmp
2017-03-04 00:01 - 2017-03-04 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETEC6C.tmp
2017-03-04 00:01 - 2017-03-04 00:01 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JETBC96.tmp
2017-02-28 06:26 - 2017-03-04 06:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\25402
2017-02-21 05:47 - 2017-03-04 06:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\22903
2017-03-06 14:52 - 2011-03-09 03:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1
2017-03-04 06:32 - 2015-03-18 12:37 - 00000000 ____D C:\Users\rob\AppData\Local\Temp\3
2017-03-04 06:32 - 2011-07-13 10:37 - 00000000 ____D C:\Users\rob\AppData\Local\Temp\1
2017-03-04 06:32 - 2011-03-29 13:26 - 00000000 ____D C:\Users\rob\AppData\Local\Temp\2
2017-03-04 06:30 - 2011-03-01 16:07 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\{0BBBA9A9-02E8-467D-BE57-4797A50F7861}
2017-03-04 06:29 - 2016-10-31 09:41 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\8213
2017-03-04 06:29 - 2016-10-31 05:04 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\7609
2017-03-04 06:29 - 2016-10-14 09:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\856
2017-03-04 06:29 - 2016-10-14 04:25 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\616
2017-03-04 06:29 - 2016-09-30 08:45 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\8488
2017-03-04 06:29 - 2016-09-29 03:23 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\6237
2017-03-04 06:29 - 2016-09-27 05:40 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5961
2017-03-04 06:29 - 2016-09-27 04:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5365
2017-03-04 06:29 - 2016-09-26 05:21 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3524
2017-03-04 06:29 - 2016-09-23 05:14 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3305
2017-03-04 06:29 - 2016-09-16 05:34 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\895
2017-03-04 06:29 - 2015-12-02 06:10 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5
2017-03-04 06:29 - 2014-03-25 04:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\6
2017-03-04 06:29 - 2014-01-21 06:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\4
2017-03-04 06:29 - 2011-04-21 01:38 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3
2017-03-04 06:29 - 2011-03-09 04:34 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\2
2017-03-04 06:29 - 2011-03-01 16:08 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\627313.tmp
2017-03-04 06:28 - 2017-01-03 06:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1893
2017-03-04 06:28 - 2016-10-18 02:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1798
2017-03-04 06:28 - 2016-09-19 09:13 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1966
2017-03-04 06:28 - 2016-09-19 04:59 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\1064
2017-03-04 06:28 - 2016-09-15 05:51 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\108

Close Notepad.

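Added example, not part of the helper's reply or of FRST itself: a Python parser for the fixlist format above that flags the registry values a responder should recognise on sight (the Winlogon legal-notice values carrying the ransom note, the lock-workstation and Explorer policy values), pulls the victim ID out of the note so it can be compared with the encrypted file names, and bounds the window of activity in the Temp folder. The sample text is a few lines copied from the posted fixlist.

```python
import re

# FRST registry line "<hive>\...\<key>: [<value>] <data>"; a multi-line value (the ransom
# note in LegalNoticeText) continues on the following lines without a prefix.
REG_LINE = re.compile(r"^(?P<hive>HK(?:LM|U\\S-[\d-]+))\\\.\.\.\\(?P<key>[^:]+): "
                      r"\[(?P<value>[^\]]+)\] ?(?P<data>.*)$")
# FRST file line "<created> - <modified> - <size> <attrs> <path>" (D = directory, T = temporary).
FILE_LINE = re.compile(r"^(?P<created>\S+ \S+) - (?P<modified>\S+ \S+) - "
                       r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?P<path>.+)$")
# Values in the posted fixlist that a responder should recognise on sight.
WATCH = {
    ("Winlogon", "LegalNoticeCaption"): "logon banner replaced by ransom note title",
    ("Winlogon", "LegalNoticeText"): "logon banner replaced by ransom note body",
    ("Policies\\system", "DisableLockWorkstation"): "workstation lock disabled by policy",
    ("Policies\\Explorer", "ShowSuperHidden"): "policy forces display of protected OS files",
}

def parse_fixlist(text):
    # Split fixlist text into registry entries and file entries; stray tabs are stripped.
    reg, files, last_was_reg = [], [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := REG_LINE.match(line):
            reg.append(m.groupdict())
            last_was_reg = True
        elif m := FILE_LINE.match(line):
            files.append(dict(m.groupdict(), size=int(m["size"])))
            last_was_reg = False
        elif last_was_reg:  # continuation of the previous multi-line value
            reg[-1]["data"] += "\n" + line
    return reg, files

def findings(reg, files):
    # Triage lines: flagged registry values, the note's victim ID, the Temp activity window.
    out = []
    for e in reg:
        if why := WATCH.get((e["key"], e["value"])):
            out.append(f"{e['hive']}\\...\\{e['key']} [{e['value']}]: {why}")
        if m := re.search(r"Your Personal ID: (\S+)", e["data"]):
            out.append(f"note carries victim ID {m.group(1)}; compare with encrypted file names")
    temp = [f for f in files if "\\AppData\\Local\\Temp\\" in f["path"]]
    if temp:
        days = sorted(f["created"][:10] for f in temp)
        out.append(f"{len(temp)} Temp entries created between {days[0]} and {days[-1]}")
    return out

# Constructed sample: a few lines copied from the fixlist posted above.
SAMPLE = r"""HKLM\...\Winlogon: [LegalNoticeCaption] Attention!
HKLM\...\Winlogon: [LegalNoticeText] All your files were encrypted with strong algorithm AES256 and unique key.
Your Personal ID: DC9A265DUS
HKU\S-1-5-21-909944493-1040520737-2181451333-500\...\Policies\system: [DisableLockWorkstation] 1
2017-03-06 12:54 - 2017-03-06 12:54 - 00000000 ____T C:\Users\Administrator\AppData\Local\Temp\JET1C08.tmp
2017-03-04 14:04 - 2017-03-04 14:05 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\26697
"""
```

Feed the whole fixlist (or the matching sections of FRST.txt) to `parse_fixlist` and print `findings(*parse_fixlist(text))` to get the triage lines for the real log.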

Some things have improved on the server, for which I am very thankful. I now just need to figure out why my Backup Exec won't start or why repair/uninstall doesn't work. Still hoping I won't have to reinstall; time will tell.

Thanks again

Rob

