
child porno spam virus



#1 trevcor


Posted 04 September 2012 - 05:00 PM

I have been working on cleaning up a server in the corporate office where I work. I have cleaned all virus activity out using some of the items listed on the forum. I now need to get a generated password to unlock the files that are decrypted. I had read where one of the guys that wrote in said to send him the ID number and he would give the password to help out. Here is the ID number: 1751109888


EDIT: Moved from Intros to the Am I Infected forum. ~~ GMod boopme

Edited by boopme, 04 September 2012 - 06:08 PM.




#2 gaunger


Posted 06 September 2012 - 11:02 PM

Hi Trevcor...
I came across this nasty this week. It disabled "control-alt-delete", safe mode, and the ability to right click. It also displayed a splash screen giving the ransom message once it was logged in to. My customer was running Windows 2003 Server. The normal desktop showed up for several seconds when logging in and when shutting down the system. Not a lot of time to do anything....

After spending several hours on this thing (using a boot CD amongst other things) I did a normal shutdown and somehow got a window pop up that asked to answer a prompt... I didn't respond to it and just moved it out of the way... the ransomware screen had disappeared and it allowed me to fire up Malwarebytes. I had downloaded a fresh copy of it from download.com from another system and moved it over using a thumb drive. It fortunately found the culprit and could boot up normally.

I found all docs had been encrypted (also, I might add, the file names had the message ID added to them). Fortunately, the customer had a recent backup external that was not connected at the time of the infection. So we were able to recover the files from there ... about 70k of 'em.

I might add that the backup external that was connected at the time was wiped out of all backups. It also messed up the network settings for the NIC.

Pretty nasty. This guy needs to go away! And above all, do not pay anything for this... it will just make our problems worse.

I think this thing got infected by a hack using RDP. My customer had the RDP set to use the standard port 3889 and used a very simple password. So it probably wasn't hard to crack. I informed him that if he is going to use RDP from an external system, to use a non-standard port and to use strong passwords. Hopefully it will help protect in the future.

Good luck



