
Corrupted excel, word & jpeg files

12 replies to this topic

#1 par195

Posted 07 December 2008 - 06:51 PM

I have a Dell Inspiron E1505 laptop. A couple of days ago I tried to open an excel file that I regularly use and when I opened it, all cells were blank except A1. In it was "FileError_22001". I started to investigate and every excel file is the same. Furthermore, all of my word & picture files have the same problem. All my excel files are 18 KB, all my word files are 20 KB. They are all time stamped with the exact same time.

I have McAfee that is provided by my employer but I discovered that it had not been updated in some time for some unknown reason. I called our IT folks yesterday morning and they tried to get me fixed but were unable to and had to pass the ticket up to the next level. They were unable to get the virus stuff working again either.

Whatever I got infected with turned off my McAfee firewall, then started corrupting all of my excel, word and picture files. It did not corrupt any files in my recycle bin. I tried to do a system restore to the day before the problems started but it didn't help. Turns out whatever got loaded probably happened the day before all the bad stuff started happening. So, I unrestored the restore that I did the first time and did a system restore to December 1st instead. It did not help and created more problems for me. I keep getting these pop ups, one after another.

I would attach screen shots of the errors but I can't figure out how to do it.

Debbie

Edited by par195, 07 December 2008 - 06:52 PM.


#2 Budapest

Posted 07 December 2008 - 06:55 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 par195

Posted 07 December 2008 - 09:16 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 3

12/7/2008 9:15:08 PM
mbam-log-2008-12-07 (21-15-08).txt

Scan type: Quick Scan
Objects scanned: 96664
Time elapsed: 2 hour(s), 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Log.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie Richmond\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

#4 Budapest

Posted 07 December 2008 - 10:17 PM

Reboot your computer, run the Malwarebytes Full Scan and post the new log.

#5 par195

Posted 08 December 2008 - 10:48 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 3

12/8/2008 10:46:42 AM
mbam-log-2008-12-08 (10-46-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209057
Time elapsed: 3 hour(s), 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Is there any way I can recover my documents that were ruined by the virus? Specifically, there is 1 excel file that I'd really like to recover.

Thanks

Edited by par195, 08 December 2008 - 03:04 PM.


#6 Budapest

Posted 08 December 2008 - 10:07 PM

Is there any way I can recover my documents that were ruined by the virus? Specifically, there is 1 excel file that I'd really like to recover.

I spoke to one of our Malware removal experts and unfortunately the diagnosis is not good. It appears likely the files have actually been overwritten, and as such are not recoverable.

#7 paul.netmonk

Posted 09 December 2008 - 08:20 AM

Reboot your computer, run the Malwarebytes Full Scan and post the new log.

Hi,

This malware on execution overwrites all .txt, .jpeg, .doc, .xls on the infected system.

I have a question:
It doesn't drop/create any file and deletes itself. So do we still need cleaning?

Thanks
Netmonk

#8 Budapest

Posted 09 December 2008 - 03:56 PM

Some more information:

The original files should be stored in these two folders

%UserProfile%\Local Settings\Application Data\CDD
%UserProfile%\Local Settings\Application Data\FLR

Unfortunately, they are encrypted and as yet we don't know how to recover them.

This one appears to trash all Office (.doc, .txt, .xls) and picture files.

Do you have any new files on your desktop or have had any strange e-mails asking for money to return the files?
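A triage script, added here as an example and not posted by anyone in the thread, that looks for the two artefacts described above: the mass-overwrite pattern par195 reports (every .xls and .doc at one fixed size with one shared timestamp) and the CDD/FLR folders under the profile that Budapest mentions. The 60-second window, the 3-file threshold and the sample records are assumptions constructed for the example.

```python
import os
from collections import defaultdict
from typing import List, Tuple

# Extensions the thread reports as overwritten (.txt, .jpeg, .doc, .xls).
TARGET_EXTS = {".doc", ".xls", ".txt", ".jpg", ".jpeg"}
# Folders Budapest says hold the encrypted originals, relative to %UserProfile%.
STASH_DIRS = [os.path.join("Local Settings", "Application Data", d) for d in ("CDD", "FLR")]
FileRecord = Tuple[str, int, int]  # (path, size in bytes, mtime in whole seconds)


def walk_records(root: str) -> List[FileRecord]:
    """Collect (path, size, mtime) for every target-extension file under root."""
    records: List[FileRecord] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            records.append((path, st.st_size, int(st.st_mtime)))
    return records


def find_overwrite_clusters(records, min_cluster: int = 3, window: int = 60):
    """Group files by (extension, exact size, mtime window) and keep the big groups.

    Genuine documents vary in size and write time; a mass overwrite leaves every
    file of a type at one size with one timestamp, which is what par195 saw
    (all .xls 18 KB, all .doc 20 KB, identical timestamps). Window is assumed.
    """
    groups = defaultdict(list)
    for path, size, mtime in records:
        groups[(os.path.splitext(path)[1].lower(), size, mtime // window)].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) >= min_cluster}


def stash_dirs_present(profile_dir: str) -> List[str]:
    """Return whichever of the CDD/FLR stash folders exist under profile_dir."""
    candidates = [os.path.join(profile_dir, d) for d in STASH_DIRS]
    return [c for c in candidates if os.path.isdir(c)]


# Constructed sample records standing in for a walk of a hit machine (not real data).
SAMPLE_RECORDS = (
    [(f"C:/docs/budget{i}.xls", 18432, 1228690800) for i in range(4)]
    + [(f"C:/docs/memo{i}.doc", 20480, 1228690800) for i in range(5)]
    + [("C:/pics/a.jpg", 91233, 1200000000), ("C:/pics/b.jpg", 120004, 1201000000)]
    + [("C:/docs/untouched.xls", 45211, 1190000000)]
)
```

On a live machine, run find_overwrite_clusters(walk_records(profile_dir)) together with stash_dirs_present(profile_dir) against the affected profile; the two .jpg files and the one untouched .xls in the sample fall outside any cluster, as they should.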

#9 par195

Posted 09 December 2008 - 10:07 PM

I do run Office 2003.

I have not noticed any new files on my desktop nor have I received any strange e-mails. I use the spam blocker provided by Earthlink and I have it set high enough to keep out spam and some legitimate e-mails.

#10 paul.netmonk

Posted 09 December 2008 - 11:57 PM

Hi

What could be the purpose of overwriting .txt, .jpeg, .doc, .xls files? Yes, it creates two folders, CDD & FLR. Furthermore, it makes a DNS request for sub.bigporno.eu but doesn't do anything once the name is resolved.

Could this be another ransomware?

Thanks
Netmonk

#11 wmiller

Posted 11 December 2008 - 03:18 PM

Was steered here from a post on Experts Exchange:
willcomp: There's a similar thread on BleepingComputer.

Here's a link to Experts Exchange so all are in the loop on who is looking into this:
http://www.experts-exchange.com/Virus_and_....html#a23151254

This is one of those challenges that needs collaboration to get a resolution; I myself have a user who has lost critical data that needs to be recovered asap.

Wes

#12 katana

Posted 11 December 2008 - 03:34 PM

Copies of some encrypted files have been uploaded for analysis, but it will be difficult without having a copy of the malware file itself.

Edited by katana, 11 December 2008 - 03:35 PM.

#13 Morten NiQ

Posted 17 December 2008 - 08:02 AM

We have a client who was infected on the 5th, and what I noticed on his system was that a hidden service was also installed alongside the corruption/encryption of his files.

The service I found was located in HKLM\SYSTEM\CurrentControlSet\Services and the name was DE4594C24F00474A.

The service cannot be seen from the services windows in Administrative tools and when you try to expand the key in the registry you will get a permission denied. You must take ownership of the key to view settings.

The service has created a folder on the infected user's Desktop named the same as the service. This folder is hidden and you do not have permission to access it unless you take ownership of the folder.

In the folder I found a log (text) file for every single service/program that had run on the client computer where network traffic was involved. These files include all actions taken by the user.

Can anyone else confirm that they also have this service present on their systems that are infected by the virus with no name so far?
