Ian3469

.Mordor infection - Partially disinfected


Wow, where to start. I guess I'll quickly outline why I couldn't completely comply with the "Start here" instructions, so you know I read them and attempted to follow them. First, I had already cleaned several infected files off my computer with both Avast and Emsisoft (EEK); I exported those infos and have attached them. Second, I was NOT able to launch FRST or even go to their website in normal mode, so safe mode scans are attached despite the instructions saying to run them in normal mode.

***Short Version*** (Just the facts, with minimal story added)

Ransomware found on computer.

Installed Avast. Avast not working properly, couldn't load the GUI; used the command line to schedule a boot-time scan, which found 4 malicious programs. Moved to chest.

Avast still not working. Uninstall.

Download EEK - use it - find 4 viruses - quarantine.

Go to ID-Ransomware.com - download Amnesia2 decryptor - works - somewhat.

Unable to go to the FRST website - it closes every window instantly on every attempt from any browser (Chrome, Firefox, Safari).

No longer have Write, Modify or Full Control access to the D: drive and all subfolders with any user. (C: drive is the Windows/system drive.)

Suspect still infected.

*****Verbose timeline of events which led me here, if you need more details.*****

Yesterday, I became aware of an infection and so I immediately installed Avast anti-virus. It did not function properly; I had to go into safe mode and use the command line to schedule a boot-time scan, which uncovered about 2-4 viruses, all of which were moved to chest. I came back online, still couldn't get Avast to work, so I did some searching on the net, and found and used EEK, which found 4 other viruses, and I quarantined those. And yet Avast still wasn't working, so I uninstalled that and did some more searching for .mordor and came up with nothing meaningful. It seems .mordor does not have any decryptor, BUT then I found id-ransomware.com and they ID'd the encrypted files as Amnesia2 & Scarab and said Scarab had no fix; however, Amnesia2 is decryptable! - Click here! Which brought me back to YOUR fantastic team at Emsisoft! So I downloaded "decrypt_Amnesia2.exe" by Fabian Wosar, version 1.0.0.54. AND - SUCCESS!!! It was able to decrypt my files!!

So... Why am I here? Firstly: Well, as I said, Avast was acting odd, and I clicked on the "I need removal help" on the Amnesia decrypter page, and read the whole "START HERE" page and thought, well, I'll try Farbar, so I clicked on that link and BOOM, every browser window that was open CLOSED instantly. I tried again, and again, and I tried other browsers, Firefox, Chrome, Safari, all the same thing. No luck with the Farbar link. I can open any other page, but not that one. I tried other methods of getting to that page, i.e. search engines etc. NO LUCK. I was able to open the page on my tablet and throw the file on a thumb drive. Then I tried to run it on my computer, and it closed as quickly as I opened it. I then tried "Run As Administrator" and it opened longer (1 second); I was able to see the splash screen briefly, not able to read it though. I then tried safe mode, and I was able to run FRST with no problems at all. I apologize at this time; I wanted to be as thorough as possible so I checked off every single type of scan. It wasn't until hours later, when I came back to this site to actually ask for help, that I thoroughly read the instructions and saw that it said not to change the options and also not to run in safe mode. So, I figure I would wait for instructions if you want me to go back to safe mode and do a regular scan, or if it doesn't work with safe mode no matter what type of scan. I have included the results regardless.

Second, the decrypter runs for a few minutes, and then stops decrypting. Everything I've tested is decrypted properly; however, it just stops after decrypting between 5-15 files. It still shows 60%-100% processor usage for the decrypt program, but it just stays decrypting the same file forever.

Third: My D: drive security tab shows all users have read-only access; I've included a screenshot. I've been able to work around it somewhat using Computer Management / Disk Management, but not much. I have been able to allow myself write/control access on some folders, but it is slow going because even SYSTEM or admin has read-only access.

All this odd behaviour leads me to believe I still have a virus.

*Forensics & Quarantine.txt are from EEK because I couldn't upload the first few scan results; they were missing/deleted.
Thank you so much! I'm just blown away by the amount of effort you put in, both in all the other threads I read and in the software itself! And all of it for free!  I can't thank you enough!
Best Regards,

Ian Hogg

Forensics_171215-163336.txt

Quarantine_171215-163435.txt

Scan_171215-163420.txt

Addition_15-12-2017 11.34.06.txt

FRST_15-12-2017 11.34.06.txt

Read permissions.jpg

Edited by Ian3469
Typo (said above when i meant below) Shortened the sentence entirely in the end.


Please tell me what to do to get you more info. We can start with possible reasons/solutions for why the FRST program and webpage close as soon as they are opened. I can browse any other page of the FRST website, and I also signed up to be a member. It starts fine in safe mode, so there must be some way I can find out what is stopping it from loading/browsing.


I've managed to run Farbar! Partially, in normal mode!! If I have it on the desktop and start it THE INSTANT the desktop loads at boot, then it runs for about 25-60 seconds. At some point something loads that shuts it down before Addition.txt gets created. However, FRST.txt gets created! I've included it here, along with the rkill log AND a bizarre link in the Start Menu Startup folder. I've tried everything to delete it and it won't delete, neither the link nor the file it points to. I'm about ready to boil my computer.

Now the E: drive is almost completely read-only. SYSTEM still has write, read and list (no control or modify) ability, but no other user has more than read ability. Just like the D: drive yesterday. All other drives retain their normal security permissions.

FRST.txt

lgudug.lnk

Rkill.txt


Not sure why this was moved to Ransomware First Aid. The ransomware is decryptable, in blocks of 4-10 files at a time. That could be faster and more efficient, but I think the virus is slowing it down.

The main issue is the infection that is tearing apart my system. The latest symptom: I can no longer connect to the internet; the virus keeps deleting my WiFi connection (and wired). Every time I rebuild a WiFi connection in Network Connections, it is deleted before I can load a webpage fully. I was up to WiFi adapter (5) before I gave up and turned off the computer.


I've decided to just keep the computer in safe mode until the virus is taken care of. Interestingly, when I booted safe mode with networking, WiFi worked fine; in fact it went back down to WiFi (4) in 'Control Panel\Network and Internet\Network Connections'. It deleted WiFi 1-2-3 & 4 in normal mode, and I just shut down before rebuilding the WiFi a 5th time.

I managed to delete the file that "lgudug.lnk" points to, "iwxuj.ligi", and I'm working on accessing the Start Menu to delete it from the Startup folder. I also uploaded that file before deleting it.

I've run FRST and EEK again, this time with no options changed in FRST.

FRST.txt

Addition.txt

scan_171217-144335.txt


Before I do or say anything else, note that the Amnesia ransomwares are usually installed by an attacker who gains access to the system through some form of remote access software (usually by brute-forcing the RDP password of an administrator account). Here are my recommendations for dealing with this type of remote access breach:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open.

After that, change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

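As an added example, not code from this thread or from Emsisoft, the checks in the post above as a PowerShell script for the affected Windows host. It reports whether RDP is enabled and whether Network Level Authentication is required, lists inbound firewall rules that expose port 3389 to any remote address, tallies failed logons (event 4625) by source IP so an RDP brute-force shows up, and then disables the built-in Remote Desktop allow rules and adds one scoped to a VPN subnet. The subnet 10.8.0.0/24 is an assumption; the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
# Steps 1-3 only read; step 4 changes firewall rules, so review first.

$VpnSubnet = '10.8.0.0/24'   # ASSUMPTION: replace with your own VPN address range

# 1. Is RDP enabled, and is Network Level Authentication (NLA) required?
#    Without NLA an attacker reaches the logon screen before authenticating,
#    which is exactly what an RDP password brute-force needs.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
"RDP enabled: $rdpEnabled   NLA required: $nlaRequired"

# 2. Which enabled inbound allow rules open TCP 3389 to ANY remote address?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
  Where-Object {
    (($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389') -and
    (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
  } |
  Select-Object DisplayName, Profile, Group

# 3. Failed logons in the last 7 days, grouped by source IP.
#    Property index 19 is the IpAddress field in the standard 4625 layout.
$start = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue |
  ForEach-Object { $_.Properties[19].Value } |
  Group-Object |
  Sort-Object Count -Descending |
  Select-Object -First 10 Name, Count

# 4. Harden: turn off the built-in "Remote Desktop" allow rules and replace
#    them with a single rule that only accepts 3389 from the VPN subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
  Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound `
  -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow -Profile Any
```

On a home network the host firewall is only half of it: a port forward for 3389 on the router is what puts RDP on the Internet in the first place, so remove any such forward there as well, and keep the VPN port as the only thing forwarded, restricted to known source addresses where the router allows it.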

Please download the following fixlist.txt file and save it to the Desktop:
https://www.gt500.org/emsisoft/frst/12-18-2017/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.


Absolutely! Great advice. I actually did that first thing. I upgraded my system firewall and set my router firewall to max. One of the programs I downloaded from here or Bleeping Computer said I had a port open and an SMB vulnerability and recommended I get a patch from Microsoft, which I did. The only port I have open is for my home network sharing, and I don't think that's in my router, just on my computer. I'll be honest, I'm a pro at computers, but my network knowledge is really minimal; it's definitely my Achilles heel. But I am absolutely certain I've got these barn doors shut now that the horses have escaped ;)

That is also when I checked the "Sharing" and "Security" tabs and found the strange permission conditions on E: and D:.


Never mind, I was able to run it in normal mode!! I'm guessing my deletion of iwxuj.ligi in safe mode earlier held on through this boot, and it wasn't loaded to interfere with FRST.

Either way, here's the log. I checked the Startup folder; it's empty :)

Fixlog.txt


It looks like most of what I scripted for removal was successfully removed, with the exception of a few files that were already missing. Go ahead and run another scan with FRST, and attach the new FRST and Addition logs to a reply so that I can make sure that everything looks OK now.


Yes, thanks, I think so too. I just ran FRST and glanced at the log; I was curious about these 3 entries in the "Installed Programs" list:

Συλλογή φωτογραφιών (HKLM-x32\...\{A19A8C25-272A-4CD6-8BA8-3772321A021B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
影像中心 (HKLM-x32\...\{631C4E4F-6FDC-4CC0-A067-E9876A9BA7FD}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
照片库 (HKLM-x32\...\{017E337D-D709-437C-83DB-71F82AA78BF6}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden

Are they safe? Do you know what they are?

Also, is there any way to get "decrypt_Amnesia2.exe" to learn as it goes, so it actually gets faster, not slower, as it decrypts? I've managed to decrypt about 50 files out of thousands or tens of thousands, which is definitely better than nothing, so I am grateful for that. But at this rate, it'll take about a year in total.


Addition.txt

FRST.txt

On 12/19/2017 at 1:31 PM, Ian3469 said:

I just ran FRST and glanced at the log I was curious about these 3 entries in "Installed Programs" list:

Συλλογή φωτογραφιών (HKLM-x32\...\{A19A8C25-272A-4CD6-8BA8-3772321A021B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
影像中心 (HKLM-x32\...\{631C4E4F-6FDC-4CC0-A067-E9876A9BA7FD}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
照片库 (HKLM-x32\...\{017E337D-D709-437C-83DB-71F82AA78BF6}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden

They appear to be Greek and Chinese versions of Windows Photo Gallery. It's possible that they were installed as part of a language pack.


On 12/19/2017 at 1:31 PM, Ian3469 said:

Also, is there any way to get "decrypt_Amnesia2.exe" to learn as it goes so it actually gets faster not slower as it decrypts?

Unfortunately, with Amnesia 2 a different key is used for each encrypted file, so the decryption tool has to brute-force the decryption key again for every file that needs to be decrypted. It's highly CPU intensive, and it can take a lot of time on older or slower CPUs (note that what I'm thinking of as "fast" would be newer Intel Core i7 and Core i9 CPUs, or the new AMD Ryzen CPUs).


Note that you may want to configure Firefox not to restore your last session when you open it. Certain scam websites (tech support scam sites for instance) will take advantage of that to keep your browser hijacked after you close it.

Aside from that, your new FRST log is looking OK to me, so I think the infection is pretty much cleaned up. If the Custom Scan in Emsisoft Anti-Malware is coming up clean, then you should be OK.

1 hour ago, GT500 said:

They appear to be Greek and Chinese versions of Windows Photo Gallery. It's possible that they were installed as part of a language pack.

Is there any way to delete them? They don't come up in the Add/Remove Programs dialog.

1 hour ago, GT500 said:

Aside from that, your new FRST log is looking OK to me, so I think the infection is pretty much cleaned up. If the Custom Scan in Emsisoft Anti-Malware is coming up clean, then you should be OK

Actually, the anti-malware programs Norton, Avast, Emsisoft Anti-Malware AND EEK have all been saying all clean for a week now. So that's no indication, but the odd behaviour has stopped. So I'm going to chalk it up as a win. Thank you so much!!!

OH, any ideas how to change the permission settings on the D: drive? The "Edit" permissions button is clickable, but on the following screen all the options (Full Control, Read, Write, etc.) are greyed out because not even SYSTEM or admin has "Write" or "Full Control" permission. I just used Administrative Tools / Computer Management to completely boil the E: drive that was having the same issue. D:, however, is 1TB and it's almost full; backing it up to delete it would be impossible.


THANKS AGAIN!!! <3

20 hours ago, Ian3469 said:

Is there any way to delete them? They don't come up in the Add/Remove Programs dialog.

Normally you'd have to uninstall whatever installed them. It is possible to have FRST unhide them, however I can't say whether or not the Windows Photo Gallery would continue to work as expected if you uninstalled those without first uninstalling whatever installed them.


20 hours ago, Ian3469 said:

OH, any ideas how to change the permission settings on the D: drive? The "Edit" permissions button is clickable, but on the following screen all the options (Full Control, Read, Write, etc.) are greyed out because not even SYSTEM or admin has "Write" or "Full Control" permission. I just used Administrative Tools / Computer Management to completely boil the E: drive that was having the same issue. D:, however, is 1TB and it's almost full; backing it up to delete it would be impossible.

You probably need to take ownership of the drive. That usually allows you to edit the permissions, unless the permission for editing permissions has been set to "Deny". If that's happened, then you may need a boot disk to fix permissions.

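One way to inspect and repair the D: ACL from an elevated PowerShell, as an added example rather than anything posted in the thread. It lists the access entries on the drive root and flags Deny entries (an explicit Deny on "Change permissions" or "Take ownership" can make the Security tab read-only even for Administrators), takes ownership with takeown.exe, then rewrites the root ACL to drop the non-inherited Deny entries and grant Administrators and SYSTEM full control with inheritance. The drive letter D:\ comes from the thread; the final icacls reset of child objects is an assumption about what is wanted and is the destructive step, so it is left for last.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
# Steps 1 reads only; steps 2-4 change ownership and permissions.

$Drive = 'D:\'   # from the thread; change as needed

# 1. Show the current owner and every access rule on the drive root.
$acl = Get-Acl -Path $Drive
"Owner: $($acl.Owner)"
$acl.Access |
  Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
  Format-Table -AutoSize

$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
  "Explicit Deny entries present: $($denies.Count)"
  $denies | ForEach-Object { "  DENY $($_.IdentityReference): $($_.FileSystemRights)" }
}

# 2. Take ownership for the Administrators group (/A). Holding
#    SeTakeOwnershipPrivilege lets an administrator do this even when the
#    ACL grants no rights at all, which is why it is the first repair step.
#    /R recurses; /D Y answers the "is this a directory" prompt.
takeown.exe /F $Drive /A
takeown.exe /F $Drive /A /R /D Y

# 3. Rewrite the root ACL: remove non-inherited Deny entries, then grant
#    Administrators and SYSTEM FullControl that propagates to children.
$acl = Get-Acl -Path $Drive
foreach ($d in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
  $null = $acl.RemoveAccessRule($d)
}
foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
  $acl.AddAccessRule($rule)
}
Set-Acl -Path $Drive -AclObject $acl

# 4. OPTIONAL (assumption): replace the ACLs on everything below the root
#    with the inherited defaults from step 3. This discards any explicit
#    per-folder entries, so only run it if the whole tree is broken.
icacls.exe "${Drive}*" /reset /T /C /Q
```

Re-run step 1 afterwards; if Administrators still cannot change the ACL, the offending entry may be an inherited Deny or the ownership change may have been refused, which is the case where the boot-disk route below applies.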

If taking ownership didn't work, then you may have to use a boot disk.

Note that Windows Repair (All In One) has a permissions repair, and might be able to help, although I'm not certain if it works on anything other than your primary hard drive.

Microsoft also has a tool capable of fixing permissions issues, however I'm not certain if it works on drives other than the primary hard drive either.


Also, I just realized that you have Windows 8. Microsoft stopped updating Windows 8 about 2 years ago, and I highly recommend that you install the Windows 8.1 update so that you can receive the latest security updates from Microsoft.
