Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New Virus, Cannot get passed Splash Screen to Desktop.


  • This topic is locked This topic is locked
6 replies to this topic

#1 JSnell

JSnell

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:31 AM

Posted 22 February 2012 - 03:16 PM

I have a Server 2008R2 computer that has a new virus, that for the LIFE of me I cannot get rid of.
MalwareBytes finds it as Backdoor.Bot:

First off it changes IP Address to a 172.x.x.x, even if 192.168.1.XXX is set to static.
It also changes Default Gateway to 0.0.0.0

I have to change to remove the 172.x.x.x from IP table and then commandline: ROUTE DELETE 0.0.0.0


It finds a hidden- C:\Decrypt\decrypt.exe and C:\Program Data\local\ .... with 4 files it finds and deletes.

After a full scan (in safe mode) it removes the malware and prompts for reboot.

After ALL that, it goes right back to the same infections.

I have MSConfiged everything out. If I CTRL+ALT+DEL I can start a TaskMan, but its still hidden by the splash screen... I cannot ALT+TAB or ALT+F4, passed the screen.

Attached is the SCreenShot of the SplashScreen... Literally with a Camera as I cannot get passed the Splash...

I am BEGGING for help... Kasp wont even detect it and I am down now.
ACCDFISA

Snell

Attached Files



BC AdBot (Login to Remove)

 


m

#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,217 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:31 PM

Posted 24 February 2012 - 01:07 PM

Hello and :welcome: to BleepingComputer.

As this seems to be a corporate computer, please consider the following:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

If despite the above you wish to continue with this topic, please do the following:

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-latest.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/xPUD_userinit_fix to your USB (without a file extension, you may have to right click on the link and click on Save Target As, and make sure that "All Files" is selected)
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 right as the computer is initially starting up, and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your hard drive
  • sdb1 is likely your USB
  • Click on sdb1 (this is your USB drive)
  • Confirm that you see xPUD_userinit_fix on your USB drive (sdb1)
  • Double click on xPUD_userinit_fix
  • After it has finished a report will be located on your USB drive named UserinitReport.txt
  • Click on the Home tab, click on Power Off, and then click on Turn Off
  • Remove the USB drive and insert back in your working computer and navigate to UserinitReport.txt

    Please note - all text entries are case sensitive
Please copy and paste the UserinitReport.txt for my review.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 JSnell

JSnell
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:31 AM

Posted 24 February 2012 - 02:17 PM

I was able to remove the virus via manual and MalwareBytes removal... the IP Address still reverts back to 172.xxx.xxx.xxx after reboot, so there is obviously some residual I am not finding. HOWEVER, many files are still encrypted with AES extensions and I will be doing a wipe and reload this weekend.

This is a new client, because the previous IT Firm, obviously had not done their work to protect the network. They called us after the previous company couldnt even get passed the Splash Screen.

I appreciate the above information and would have used those tools, had we had other problems we couldnt get passed.

We used a "Cleaner" machine (dedicated Antivirus/AntiMalware box) to slave hard drives and remove virus'. Kasp, BitDef and SuperMalware did not find anything. Malware Bytes only found one file and one reg entry. I manually found 4 other files and an edited host file.

In 17yrs of IT, I have not seen such a bad (destructive) virus. Melissa and AnnaK Virii were bad but this virus encrypted our SQL Databases and made them useless. Whats more sad is the previous IT company had not been doing a good job on backups.

In closing, I cannot stress to anyone reading this, strongly enough how important it is to not only invest in a good Server AV solution, but also a good offsite backup services. I dont want to plug any companies directly, but I use IDrive.com for my clients, there are also Mozy.com, Carbonite.com etc. (that should be ok to post multiple options right?)

I can assist with the basic bypass as follows:

Boot into safe mode
In Folder Options Uncheck Hide all files and folders
MSCONFIG and uncheck the SVCHOST.DLL startup.
Navigate and delete that file
Delete the C:\decrypt\decrypt.exe File and Folder
Delete the C:\Program Data\local folder (4 files insides)
There is a reg entry that Malware Bytes can find and delete related to a svchost.dll (I cant recall the exact key as I am not at office now)

Next, you will see you have an IP of 172.xxx.xxx.xxx, and a default gateway of 0.0.0.0. You will need to delete all IPs from the IP table in the NIC properties page.
Next, CMD line a ROUTE DELETE 0.0.0.0
Next, change your static to desired or release/renew your DHCP.
You should be back up on net now.

I have not found that Internet Connectivity auto syncs or downloads the virus again. But after reboot it WILL reset the 172.xxx IP. I havent searched further to see where that is coming from.


Good luck to you guys, if any of you have any questions you can PM me.

JSnell

PS. Thanks Elise for the help.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,217 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:31 PM

Posted 24 February 2012 - 03:26 PM

Thank you for sharing your solution, glad to hear it was resolved.

This topic will now be closed. If you need it reopened please send me a PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,201 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:31 AM

Posted 26 February 2012 - 05:01 PM

Hi Jsnell,

Thanks for sharing your info. The password to decrypt the rar files is: 1a2vn57b348741t92451sst0a391ba72

I have a lot of notes from testing this, but have not had a chance to write it up. Will do so today.

The run key is actually called svchost and there are also two services that are created. I created a batch file that will remove the two services and remove the Run key.

This batch file can be found here:

http://download.bleepingcomputer.com/bats/kill-accdfisa.bat

The files that are created are:

c:\how to decrypt aes files.lnk
C:\ProgramData\local\aescrypter.exe
C:\ProgramData\local\crdfoftrs.dll
C:\ProgramData\local\svchost.exe
C:\ProgramData\local\undxkpwvlk.dll
C:\ProgramData\local\vpkswnhisp.dll
C:\Decrypt\Decrypt.exe
%System%\wcmtstcsys.sss
%Systen%\dcomcnfgui.exe
%System%\ucsvcsh.exe
%System%\csrsstub.exe
%System%\dcomcnfgui.exe
%System%\tcpsvcss.exe
%System%\tracerpts.exe
%System%\ucsvcsh.exe
%System%\wcmtstcsys.sss

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,201 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:31 AM

Posted 27 February 2012 - 10:43 AM

Added this guide. Hope it helps:

http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

#7 JSnell

JSnell
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:31 AM

Posted 28 February 2012 - 09:35 AM

I have used the above password to unlock the ZIPped files flawlessly. Using the password did not have any adverse affect on the rest of the system. It simply unlocked the ZIP.

Id like to thank Timothy 'ServerKiller' for his perserverance on the password unlock and Grinler for his detailed walkthrough of full virus removal.

Id like to see reports of other IT Admins on how they acquired the virus. I have nothing in my logs showing any internet surfing or anythingat time of infection. Server was pretty much dormant at 4:20:17am....????

So Im still at a loss regarding source of infection.

Thanks and I hope some of my initial virus removal steps helped others.
JSnell




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users