

FBI Ransomware, HitmanPro did not help



#1 Punkrulz

Posted 01 July 2013 - 12:15 AM

Hello all,

 

My friend's computer has gotten the FBI Ransomware listed here. This computer is a Windows 7 x64 OS. I attempted to follow the instructions explicitly but ran into the following issues:

 

1) Creating the kickstart drive worked; however, I began getting issues about a non-NTFS volume or that it was encrypted.

2) Last known good configuration doesn't do anything.

3) There are two login accounts on the computer. The ransomware only appears on one of them. The other account seems to be relatively normal.

4) I was able to run Hitman Pro while logged into the good account; however, it made changes to the MBR. I was able to fix this using the bootrec command after several tries. (Note: this computer (eMachines) may have had the backup restore partition. I'm worried that if it did, bootrec wiped it out. Is there any way to get this back?)

5) After resolving the MBR issues, I attempted to do the kickstart again. This time I could progress a bit further, but I began getting a screen stating that winlogon was not a verified file. When pressing Enter to choose my Windows installation, then attempting to press F8 to temporarily disable the verification, it just goes right back to the winlogon not verified screen.

6) I ran a full scan of HitmanPro, however this did not take care of the ransomware.

 

Please point me in the right direction so that I can eliminate this from the computer. I'm hoping we can do this w/o reformatting, as there is no partition listed, nor can they find any backup CDs at this time.

 

Thanks!





#2 Eat_Babies

Posted 01 July 2013 - 01:43 AM

Were you able to go on Safe Mode with Networking or command prompt by any chance?



#3 Punkrulz

Posted 01 July 2013 - 02:41 PM

Babies,

Sorry for the lack of info; that's a good question.

Safe mode with command prompt loaded the command prompt but did not load explorer after that. I am unsure if that's normal behavior.

Safe mode with networking loaded fine, it appears. I did get a message from rundll which states: c:\users\christ~1\appdata\local\temp\sqxojsu\srptqio\wow.dll the specified module could not be found.

#4 Eat_Babies

Posted 01 July 2013 - 11:34 PM

So the best way to eliminate the virus is by going to Safe Mode with Networking. Then open c:\users\christ\appdata\local\temp and delete everything in there. There may be some files that won't be deleted, but delete as much as you can. If you can't see AppData, make sure you change your folder options to show hidden files and folders. Then I suggest running RKill, then TDSSKiller, then Malwarebytes Anti-Malware, then SUPERAntiSpyware, then RogueKiller, then Malwarebytes Anti-Rootkit, in that order.



#5 Punkrulz

Posted 02 July 2013 - 03:11 AM

Babies,

 

I followed /most/ of the instructions. The only thing I didn't run was RogueKiller, and that's due to it being on the list in this forum of tools not to be posted by regular members, as that needs to be walked through.

 

Status:

rkill would stop at checking miscellaneous items.

tdsskiller found 0 items.

MBAM log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.02.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16521
Christine :: CHRISTINE-PC [administrator]

Protection: Disabled

7/2/2013 3:27:15 AM
MBAM-log-2013-07-02 (03-34-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249024
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCR\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> No action taken.
HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> No action taken.
HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967} (Adware.Yontoo) -> No action taken.
HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> No action taken.
HKCR\YontooIEClient.Layers.1 (Adware.Yontoo) -> No action taken.
HKCR\YontooIEClient.Layers (Adware.Yontoo) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> No action taken.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\CHRIST~1\AppData\Local\Temp\csrss.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Agent) -> Data: C:\Users\CHRIST~1\AppData\Local\Temp\csrss.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|047a8b96-bde4-4e0e-9eb4-0f2587d30dce (Trojan.FakeAlert) -> Data: C:\Users\Christine\AppData\Local\Temp\system23.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Program Files (x86)\Yontoo Layers Client\YontooIEClient.dll (Adware.Yontoo) -> No action taken.
C:\Windows\System32\config\systemprofile\0.7726556845229372.exe (Trojan.Agent) -> No action taken.
C:\Windows\Installer\{aa0edf15-250c-a2cd-cdb4-b9d6eff73bb6}\U\00000001.@ (RootKit.0Access.H) -> No action taken.
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\config\systemprofile\0.38648072886052354.exe (Exploit.Drop.UR.2) -> No action taken.
C:\Windows\System32\config\systemprofile\0.9850833057942507.exe (Exploit.Drop.UR.2) -> No action taken.

(end)

 

Super Antispyware Log:

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2013 at 03:47 AM

Application Version : 5.6.1020

Core Rules Database Version : 10576
Trace Rules Database Version: 8388

Scan type       : Quick Scan
Total Scan Time : 00:10:34

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned      : 344
Memory threats detected   : 0
Registry items scanned    : 62061
Registry threats detected : 1
File items scanned        : 22865
File threats detected     : 17

Malware.Trace
 (x86) HKU\S-1-5-21-227282301-4064179831-1344497322-1001\Software\Microsoft\Windows\CurrentVersion\Run#conhost [ C:\Users\Christine\AppData\Roaming\Microsoft\conhost.exe ]

Adware.Tracking Cookie
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\I9GL7J3I.txt [ /invitemedia.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\XS2XKVIZ.txt [ /kontera.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\SBGQJ9J1.txt [ /lucidmedia.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\TXVJYNGG.txt [ /imrworldwide.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\UW3Q3MYJ.txt [ /questionmarket.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\AUY118WW.txt [ /serving-sys.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\6LCF2IN1.txt [ /www.hrsaccount.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\8Y1VPY0P.txt [ /ru4.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\0RX25BWG.txt [ /apmebf.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\HMK3TNPS.txt [ /atdmt.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\ZNI0H2KW.txt [ /ads.bleepingcomputer.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\A5C4WNWK.txt [ /mediaplex.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\DFD9F0SP.txt [ /ad.mlnadvertising.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\MY8ORMS2.txt [ /ads.blubster.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\I1DUP1YB.txt [ /www.googleadservices.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\ADRJ7RGN.txt [ /ad.yieldmanager.com ]
 C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\X7MN4VVV.txt [ /doubleclick.net ]

 

MBAR Log:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.02.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16521
Christine :: CHRISTINE-PC [administrator]

7/2/2013 3:52:17 AM
mbar-log-2013-07-02 (03-52-17).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 260456
Time elapsed: 9 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
c:\Windows\Installer\{aa0edf15-250c-a2cd-cdb4-b9d6eff73bb6}\U (Backdoor.0Access) -> Delete on reboot.

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

End Result:

 

The FBI Ransomware appears to be gone, as I am logged into this profile and nothing showed up. However, there is SmartPCFix, but I am unsure at this hour if it's malware or not... going to bed; I will research that tomorrow. So far, thank you for the help that you provided; this appears to be a big step forward.
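The MBAM log above shows how the lock screen came back at logon: two per-user autorun values (Windows|Load and Run) point at executables in the user's Temp folder, one of them named after the system process csrss.exe. As an added example, not code from the thread or from Malwarebytes, this Python triages such log lines and flags the persistence indicators a defender would check; the sample lines are constructed from the log posted above, and the autorun key list and system-binary names are assumptions of the example.

```python
import re
from collections import namedtuple

# Constructed sample: two of the "Registry Values Detected" lines from the MBAM log posted above.
SAMPLE_LOG = r"""Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\CHRIST~1\AppData\Local\Temp\csrss.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|047a8b96-bde4-4e0e-9eb4-0f2587d30dce (Trojan.FakeAlert) -> Data: C:\Users\Christine\AppData\Local\Temp\system23.exe -> No action taken.
"""

# One MBAM registry-value line: "<key>|<value name> (<detection>) -> Data: <path> -> <action>"
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\[^|]+)\|(?P<name>\S+) \((?P<det>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)
Entry = namedtuple("Entry", "key name detection data action")

# Windows binaries that legitimately live only under System32/SysWOW64 (assumed list).
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "conhost.exe", "winlogon.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Directories an unprivileged user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\windows\\temp\\")

def parse_registry_values(text):
    """Extract every registry-value detection line from an MBAM log (other lines are skipped)."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["key"], m["name"], m["det"], m["data"], m["action"]) for m in matches if m]

def is_autorun(key, name):
    """Per-user logon autostart locations seen in the log: Run, RunOnce, Windows|Load and Windows|Run."""
    k = key.lower()
    if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return True
    return k.endswith("\\windows nt\\currentversion\\windows") and name.lower() in ("load", "run")

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def masquerades_as_system(path):
    """A system-binary name launched from anywhere but System32/SysWOW64, e.g. Temp\\csrss.exe."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not any(d in p for d in SYSTEM_DIRS)

def triage(text):
    """Pair each parsed entry with the reasons it looks like logon persistence."""
    checks = (("autorun", lambda e: is_autorun(e.key, e.name)),
              ("user-writable path", lambda e: in_user_writable(e.data)),
              ("system-binary name outside System32", lambda e: masquerades_as_system(e.data)))
    return [(e, [label for label, hit in checks if hit(e)]) for e in parse_registry_values(text)]
```

Running `triage(SAMPLE_LOG)` flags both entries as autoruns in a user-writable path, and the first additionally as a system-binary name outside System32.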





