element03

Detecting ransomware location (emergency)


I've been infected with Cry36. Stupid, I know. I logged in while it was happening and changed passwords and ports. But Malwarebytes and Avast do not seem to have found the actual process/show no sign of having done so. Instructions both here and elsewhere on removal are a vague 'use your malware removal utility to quarantine'. In the meantime, I've shut down, but I need guidance, in case it's still actually there. **I'm not sure if it's safe to boot again, whether specifically I should boot to safe mode, or what.** I am afraid they have the ability to continue encrypting files or else delete them entirely.


Let's try getting a log from FRST, and see if it shows any sign of infection. You can find instructions for downloading and running FRST at the following link:
https://helpdesk.emsisoft.com/en-us/article/274-running-a-scan-with-frst

Note that we also have a free (for home use) scanner called Emsisoft Emergency Kit (EEK), and you can get it from the following link:
http://dl.emsisoft.com/EmsisoftEmergencyKit.exe

By default it extracts to the following location, and you can open it by navigating there and double-clicking on "Start Emergency Kit Scanner":

  • C:\EEK

Note that EEK is completely portable, so you can download it on a clean computer and extract it to a USB flash drive, and then even run it and update it from the clean computer. After that you can connect the USB flash drive to the infected computer and run the scanner directly from the USB flash drive. The log from the scan will be saved in a folder named "Reports" which can be found in the same location as the "Start Emergency Kit Scanner" file, so if you do run a scan with EEK then you can attach the log here for me to review as well.


I don't see any evidence of an infection in those logs; however, feel free to run a scan with EEK and see if it picks up something that doesn't have a loadpoint. Anything without a loadpoint is a minor threat (unless you run it manually), but it's still best to get rid of them.

15 hours ago, GT500 said:

I don't see any evidence of an infection in those logs; however, feel free to run a scan with EEK and see if it picks up something that doesn't have a loadpoint. Anything without a loadpoint is a minor threat (unless you run it manually), but it's still best to get rid of them.

I just ran a 'Malware scan' with EEK and it found nothing. My guess is I'm missing something and should have run some kind of custom scan instead?


The Malware Scan only checks the locations where active malware will be.

If you want to be thorough, then yes, the Custom Scan is recommended. By default it will scan everything on your computer, so you shouldn't need to do any configuration before running the scan.

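GT500's two replies above rest on the idea of a "loadpoint": an autostart location that a scanner's quick Malware Scan inspects, because malware without one does not run by itself. The script below is an added example, not Emsisoft's code or anything posted in this thread; it lists the common Windows loadpoints (Run/RunOnce keys, Startup folders, services with binaries outside the Windows directory, and scheduled tasks) so a reader can see what FRST or EEK is checking. It assumes Windows PowerShell run as an administrator; none of the paths are specific to Cry36.

```powershell
# Added example: enumerate common Windows autostart "loadpoints" for triage.
# Assumes Windows PowerShell (2.0 or later) with administrator rights.
$findings = @()

# 1. Registry Run/RunOnce values: each value is a command started at logon.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PSPath/PSParentPath metadata
        $findings += New-Object PSObject -Property @{
            Type = 'RunKey'; Name = $p.Name; Command = $p.Value; Location = $key }
    }
}

# 2. Startup folders (per-user and all-users): anything here also runs at logon.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Type = 'StartupFolder'; Name = $_.Name; Command = $_.FullName; Location = $dir }
    }
}

# 3. Services whose binary lives outside the Windows directory deserve a second look.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notlike "*$env:SystemRoot*") } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Type = 'Service'; Name = $_.Name; Command = $_.PathName; Location = $_.StartMode }
    }

# 4. Scheduled tasks via schtasks.exe (present on Windows 7, unlike Get-ScheduledTask).
# The verbose CSV repeats its header row, so header rows and built-in tasks are dropped.
schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' -and
                   $_.'Task To Run' -ne 'COM handler' } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Type = 'ScheduledTask'; Name = $_.TaskName; Command = $_.'Task To Run'
            Location = $_.'Scheduled Task State' }
    }

$findings | Sort-Object Type, Name | Format-Table Type, Name, Command -AutoSize
```

Entries pointing into user-writable folders such as %APPDATA% or %TEMP% are the ones to compare against the FRST log; an unfamiliar command there is a loadpoint worth quarantining.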
15 hours ago, GT500 said:

The Malware Scan only checks the locations where active malware will be.

If you want to be thorough, then yes, the Custom Scan is recommended. By default it will scan everything on your computer, so you shouldn't need to do any configuration before running the scan.

I decided to scan one drive at a time. As of now it's gotten stuck, for hours, on this file (see attached screenshot) and done nothing since - no I/O showing up in Resource Monitor. Shutting down Plex and restarting the scan had no effect. Maybe the filename is invalid/too long or something?

eek_stuck.PNG


Have you tried checking the drive for errors? In Windows 7 just click on the Start button, click on Computer, right-click on the drive you want to check for errors, select Properties from the list, switch to the Tools tab, and click the Check button. If there is an option to fix errors, then be sure to select it before starting the error check.
