Post by lbnoire on Jan 11, 2015 18:17:18 GMT -8
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 11, 2015 18:27:07 GMT -8
The addition.txt is missing
I would say an updated version of CTB Locker / Critroni. Don't plug in any backup drive until your system is clean, because if the Ransomcrypt is running, which looks like it is, it may be a variant that will find the plugged-in backup drive(s) and encrypt files in the backups also.
This is why you do not now go ahead at this point and connect a backup drive to the computer that is on the bookshelf or wherever. Connecting the drive to the infected system means that the ransomware sees the newly connected drive, for instance "G:\My Backed Up Files", scans through that drive now and encrypts personal files on "G:\My Backed Up Files", so now say BYE to those.
Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CTB Locker site. Brute forcing the decryption key is not realistic due to the length of time required to break this type of cryptography (absolute donkey's years). Also any decryption tools that have been released by various companies for other malware will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or if you're lucky from Shadow Volume Copies. To be tried AFTER the system is cleaned.
For this system it looks like
C:\Users\Daniel\Documents\Decrypt All Files [UNKNOWN].bmp <<=== wallpaper for Ransom (Unknown because I can't spot it in the log)
C:\Users\Daniel\Documents\Decrypt All Files [UNKNOWN].txt <<=== Ransom Instructions (Unknown because I can't spot it in the log)
Not sure yet but
2014-12-26 19:05 - 2014-12-26 19:41 - 02021878 _____ () C:\ProgramData\wfxebqd.html <<<====== Ransom has created list of personal files it has encrypted??
Quads
Post by lbnoire on Jan 12, 2015 2:27:37 GMT -8
Apologies, here's the addition...
http:wikisend.com/download/135580/Addition.txt
Please advise on next steps, thanks.
Post by Quads on Jan 12, 2015 9:36:38 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached, needs to be the same file name as well (fixlist.txt), have it on the Desktop, so that fixlist.txt is next to FRST64.exe. DO NOT DRAG AND DROP to download the script, it won't work for FRST (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.)
The script tells FRST what to do. Start FRST that is on the desktop.
When the tool opens click Yes to disclaimer (if it still does). Press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt), please post it to your reply (attach or paste).
Quads
Attachments: fixlist.txt (2.59 KB)
Post by lbnoire on Jan 12, 2015 12:42:44 GMT -8
Results from the fixlist scan. Thank you.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-01-2015
Ran by admin at 2015-01-12 12:34:42 Run:1
Running from C:\Users\admin\Desktop
Loaded Profile: admin (Available profiles: admin)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
Start
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\vimanna-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\vimanna.dll ()
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\vimanna.dll
HKU\S-1-5-21-3459818468-2257786748-3591224986-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION!
HKU\S-1-5-18\...\Run: [vimanna] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\vimanna.dll",vimanna <===== ATTENTION
2014-12-27 18:12 - 2014-12-27 18:12 - 00209512 ____T () C:\Windows\SysWOW64\00026794.tmp
2014-12-27 18:12 - 2014-12-27 18:12 - 00209512 ____T () C:\Windows\SysWOW64\00011185.tmp
2014-12-27 18:12 - 2014-12-27 18:12 - 00209512 ____T () C:\Windows\SysWOW64\00008906.tmp
2014-12-26 21:03 - 2014-12-26 21:03 - 00209512 ____T () C:\Windows\SysWOW64\00030535.tmp
2014-12-26 21:03 - 2014-12-26 21:03 - 00209512 ____T () C:\Windows\SysWOW64\00025938.tmp
2014-12-26 21:03 - 2014-12-26 21:03 - 00209512 ____T () C:\Windows\SysWOW64\00025595.tmp
2014-12-26 20:10 - 2014-12-26 20:10 - 01188456 ____T () C:\Windows\SysWOW64\00030333.tmp
2014-12-26 20:10 - 2014-12-26 20:10 - 01188456 ____T () C:\Windows\SysWOW64\00025667.tmp
2014-12-26 20:10 - 2014-12-26 20:10 - 01188456 ____T () C:\Windows\SysWOW64\00014771.tmp
2014-12-26 20:10 - 2014-12-26 20:10 - 01188456 ____T () C:\Windows\SysWOW64\00005447.tmp
2014-12-26 20:10 - 2014-12-26 20:10 - 01188456 ____T () C:\Windows\SysWOW64\00001869.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 01188456 ____T () C:\Windows\SysWOW64\00032391.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 01188456 ____T () C:\Windows\SysWOW64\00000292.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 01188456 ____T () C:\Windows\SysWOW64\00000153.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 00209512 ____T () C:\Windows\SysWOW64\00028145.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 00209512 ____T () C:\Windows\SysWOW64\00023281.tmp
2014-12-26 20:09 - 2014-12-26 20:09 - 00209512 ____T () C:\Windows\SysWOW64\00016827.tmp
2014-12-26 18:17 - 2014-12-27 18:13 - 00000000 ____D () C:\Users\admin\AppData\Roaming\Etgyig
2014-12-26 18:06 - 2014-12-26 18:06 - 00002828 _____ () C:\Windows\System32\Tasks\weqajte
C:\Users\admin\AppData\Local\Temp\ph8o7oud.dll
C:\Users\admin\AppData\Local\Temp\UpdateFlashPlayer_19a23c32.exe
C:\Users\admin\AppData\Local\Temp\{99DB7F80-21C5-4524-BFD7-29F18FC75E89}-chrome_updater.exe
CustomCLSID: HKU\S-1-5-21-3459818468-2257786748-3591224986-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
Task: {14C1B235-1681-4063-8428-ABD919B6C9D9} - System32\Tasks\weqajte => C:\Windows\TEMP\cygmqfj.exe
C:\Windows\TEMP\cygmqfj.exe
Reboot:
end
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vimanna" => Key deleted successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\vimanna.dll => Moved successfully.
"HKU\S-1-5-21-3459818468-2257786748-3591224986-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-3459818468-2257786748-3591224986-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\vimanna => value deleted successfully.
Could not move "C:\Windows\SysWOW64\00026794.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00011185.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00008906.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00030535.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00025938.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00025595.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00030333.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00025667.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00014771.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00005447.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00001869.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00032391.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00000292.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00000153.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00028145.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00023281.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00016827.tmp" => Scheduled to move on reboot.
C:\Users\admin\AppData\Roaming\Etgyig => Moved successfully.
C:\Windows\System32\Tasks\weqajte => Moved successfully.
C:\Users\admin\AppData\Local\Temp\ph8o7oud.dll => Moved successfully.
C:\Users\admin\AppData\Local\Temp\UpdateFlashPlayer_19a23c32.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\{99DB7F80-21C5-4524-BFD7-29F18FC75E89}-chrome_updater.exe => Moved successfully.
HKU\S-1-5-21-3459818468-2257786748-3591224986-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{14C1B235-1681-4063-8428-ABD919B6C9D9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{14C1B235-1681-4063-8428-ABD919B6C9D9}" => Key deleted successfully.
C:\Windows\System32\Tasks\weqajte not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\weqajte" => Key deleted successfully.
"C:\Windows\TEMP\cygmqfj.exe" => File/Directory not found.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-12 12:38:07)<=
C:\Windows\SysWOW64\00026794.tmp => Is moved successfully.
C:\Windows\SysWOW64\00011185.tmp => Is moved successfully.
C:\Windows\SysWOW64\00008906.tmp => Is moved successfully.
C:\Windows\SysWOW64\00030535.tmp => Is moved successfully.
C:\Windows\SysWOW64\00025938.tmp => Is moved successfully.
C:\Windows\SysWOW64\00025595.tmp => Is moved successfully.
C:\Windows\SysWOW64\00030333.tmp => Is moved successfully.
C:\Windows\SysWOW64\00025667.tmp => Is moved successfully.
C:\Windows\SysWOW64\00014771.tmp => Is moved successfully.
C:\Windows\SysWOW64\00005447.tmp => Is moved successfully.
C:\Windows\SysWOW64\00001869.tmp => Is moved successfully.
C:\Windows\SysWOW64\00032391.tmp => Is moved successfully.
C:\Windows\SysWOW64\00000292.tmp => Is moved successfully.
C:\Windows\SysWOW64\00000153.tmp => Is moved successfully.
C:\Windows\SysWOW64\00028145.tmp => Is moved successfully.
C:\Windows\SysWOW64\00023281.tmp => Is moved successfully.
C:\Windows\SysWOW64\00016827.tmp => Is moved successfully.
==== End of Fixlog 12:38:08 ====
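A Fixlog like the one above has three kinds of outcome worth separating when reading it: items removed straight away, items deferred to reboot (which must later show an "Is moved successfully" line), and items FRST could not find. The parser below is an added example, not code from the thread or from Farbar; it works on a constructed sample written in the same line format and flags any reboot-deferred path that never got its confirmation.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Fixlog above; one scheduled move is deliberately never confirmed.
SAMPLE_FIXLOG = r"""
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vimanna" => Key deleted successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\vimanna.dll => Moved successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\vimanna => value deleted successfully.
Could not move "C:\Windows\SysWOW64\00026794.tmp" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\00011185.tmp" => Scheduled to move on reboot.
C:\Windows\System32\Tasks\weqajte not found.
"C:\Windows\TEMP\cygmqfj.exe" => File/Directory not found.
C:\Windows\SysWOW64\00026794.tmp => Is moved successfully.
==== End of Fixlog 12:38:08 ====
"""

RESULT = re.compile(r'^(?:Could not move )?"?(.+?)"? => (.+?)\.?$')  # <target> => <outcome>
NOT_FOUND = re.compile(r'^"?(.+?)"? not found\.$')                     # bare "<target> not found."

def classify(outcome):
    """Map FRST's free-text outcome to done / pending / absent / other."""
    o = outcome.lower()
    for key, cls in (("scheduled to move", "pending"), ("not found", "absent"), ("successfully", "done")):
        if key in o:
            return cls
    return "other"

def parse_fixlog(text):
    """Return [(target, class)] for every action line; markers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=>") or line.startswith("===="):
            continue  # section markers carry no action
        m = RESULT.match(line) or NOT_FOUND.match(line)
        if m:
            outcome = m.group(2) if m.re is RESULT else "not found"
            entries.append((m.group(1), classify(outcome)))
    return entries

def unresolved_after_reboot(text):
    """Paths FRST deferred to reboot that never got an 'Is moved successfully' line."""
    entries = parse_fixlog(text)
    return sorted({t for t, c in entries if c == "pending"} - {t for t, c in entries if c == "done"})

def summary(text):
    """Counts per outcome class; 'absent' items are the ones to re-check in a fresh FRST scan."""
    return Counter(c for _, c in parse_fixlog(text))
```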
Post by Quads on Jan 12, 2015 14:28:30 GMT -8
Poweliks is not gone, although that is not the nasty one compared to the Ransomcrypt.
NOTE: Screenshots below are missing due to the fact they were running off the old Norton Forum Server(s).
Step 1. Download Malwarebytes Anti-Rootkit from www.malwarebytes.org/products/mbar/
- The download is just a .exe. It should create a folder that as default goes onto the Desktop. It will list the path
- MBAR should start to load and run mbar.exe after
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats. After it should look similar to below (Screenshots are of an older version)
If any Malware is interfering with the placement of the drivers (and I didn't even with my multiple infection) you will see a dialog box appear saying that the DDA driver was not installed and that you should reboot your computer to install it. Please do so and the System will be restarted. After the restart and you log into Windows, MBAR should automatically start and you will now be at the start screen.
Above is the first UI for MBAR that appears, just giving the user information. Click the Next button.
The next screenshot below opens. Click the Update button. MBAR will check its database version and update it if required. It is not the same database or database location as MBAM. When the Update completes, click the Next button.
In the above UI (Scan System) make sure all the Scan Targets are ticked. Then click the Scan button.
Above is my results, you shouldn't have 500+ items like me. I test malware on my system, would be worried if you did. DON'T CLICK THE CLEANUP BUTTON, instead click the Exit button. Then go into the mbar folder and find the 2 logs,
System - log
Mbar - log
Date and time of scan will also be shown. To paste or attach back here.
Quads
Post by lbnoire on Jan 13, 2015 16:31:10 GMT -8
Post by Quads on Jan 13, 2015 17:15:25 GMT -8
You can have MBAR delete all of the listed items
Quads
Post by lbnoire on Jan 13, 2015 19:57:28 GMT -8
Sorry, please direct how I have mbar delete. I exited and shut down computer. Thanks.
Post by Quads on Jan 13, 2015 20:17:53 GMT -8
Run MBAR like you did before and when it has finished its scan this time you can click the Cleanup button.
Quads