
Infected with ACCDFISA



#1 aimnano

Posted 16 July 2012 - 10:35 AM

I'm infected with what appears to be a new variant of ACCDFISA. The screen unlock method for the 4th variant (from http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/) doesn't appear to work.

I'm attempting to boot Hiren's Boot CD to run Mini XP and delete the offending reg key. Safe mode is also unavailable. Any suggestions appreciated.

Edited by aimnano, 16 July 2012 - 11:48 AM.


#2 aimnano

Posted 16 July 2012 - 12:08 PM

Loaded Mini XP, Mapped remote drive (C:), launched registry editor PE, deleted offending registry entry and file, but screen locker remains.

This is a Windows Server 2003 terminal server, so none of the files on it are particularly important. Just want to remove lock screen, clean offending files, and resume normal operations (after of course changing domain PW's and editing the RDP port).

#3 aimnano

Posted 16 July 2012 - 01:15 PM

Was able to stop the lock screen by following:

http://blog.nfocustech.com/2012/02/accdfisa-ransomware-removal-notes-more/

Once Mini Windows XP has loaded, navigate to C:\ProgramData (which is a hidden folder) using My Computer. Right-click on the “local” folder and select Properties. Next, select the Security tab and select “Advanced”. Now, uncheck “Inherit from parent the permission entries…”, click “Copy” when the next dialog box pops up, and then click “OK” to save these changes. You can now remove all users except for “SYSTEM”. For the user “SYSTEM”, select “Deny” for the “Full Control” setting. This should prevent the splash screen from loading, as this folder contains the file that the splash screen loads from.
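
The same lockdown the post above describes, done from PowerShell instead of the Explorer Security tab. This is an added example; it is not the poster's code and not from the nfocustech article quoted. Assumptions: the infected volume is mounted offline and PowerShell is available there (Hiren's Mini XP, used in this thread, has no PowerShell, so there the steps are GUI-only; a WinPE image with PowerShell, or the recovered host itself once a desktop is back, would work), the `$Target` parameter is hypothetical and defaults to the `C:\ProgramData\local` path from the post (change the drive letter to wherever the volume is mapped), and the shell runs elevated.

```powershell
# Added example (not from the forum post): cut off the ACCDFISA payload folder
# by stopping ACL inheritance, clearing every ACE, and denying SYSTEM Full Control.
# $Target is an assumed parameter; the default is the path given in the post.
param(
    [string]$Target = 'C:\ProgramData\local'
)

if (-not (Test-Path -LiteralPath $Target)) {
    throw "Folder not found: $Target (is the infected volume mapped to this drive letter?)"
}

# Step 1: equivalent of unchecking "Inherit from parent..." and choosing "Copy".
# isProtected=$true stops inheritance; preserveInheritance=$true copies the
# inherited ACEs as explicit ones. Persist this first: until Set-Acl runs, the
# copied entries are still flagged as inherited and RemoveAccessRule ignores them.
$acl = Get-Acl -LiteralPath $Target
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Target -AclObject $acl

# Step 2: re-read and strip every (now explicit) ACE, i.e. "remove all users".
$acl = Get-Acl -LiteralPath $Target
foreach ($rule in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($rule)
}

# Step 3: add a Deny Full Control ACE for SYSTEM (well-known SID S-1-5-18),
# inherited by subfolders and files, so the service running as SYSTEM cannot
# read the splash-screen file stored here.
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $system,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $Target -AclObject $acl

# Verify: expect a single non-inherited Deny/FullControl entry for NT AUTHORITY\SYSTEM.
(Get-Acl -LiteralPath $Target).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two caveats a practitioner would want: the intermediate `Set-Acl` before the removal loop is deliberate, because inherited ACEs cannot be removed from the in-memory object until protection has been written back; and a Deny ACE for SYSTEM only starves the loader of its file, it does not remove the service or the registry entry, and the folder's owner (normally Administrators) can reset the DACL at any time, so this is a way to get a usable desktop back before cleanup, not the cleanup itself.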

#4 aimnano

Posted 16 July 2012 - 03:09 PM

Since this is the 5th variant... I would like some assistance tracking down which of the services are responsible for encryption, etc., since I do believe the names and whatever else have been changed. Any assistance would be appreciated. This is a 32-bit Windows 2003 Terminal Server.


