CryptoWall with unusual behaviors. Please help confirm removal.


  • This topic is locked
4 replies to this topic

#1 pandafusion

  • Members
  • 3 posts

Posted 05 June 2014 - 04:54 PM

First post. Hope it isn't too long :) Thank you for your expertise. I have run HijackThis instead of DDS - hope that is OK?

 

Background:

 

I have a relatively new client. This client has a server and a client machine. The server is running SBS 2011 and the client is running Windows 7. The server is the domain controller for the environment. This is an inherited system setup by someone else.

We had barely gotten into working on the server: setting up the drives, restricting access based on membership in various security groups, etc.

 

The office manager is an Administrator on the client machine and the server. The office manager logs onto the server directly in order to start an enterprise application and connect it to Quickbooks. The enterprise application must be started by someone who is a member of the Administrators group (I know, right?).

 

I happened to be working on the server this morning without incident between about 7:00 am and 8:30 am. Coincidentally, this included a fully updated quick Malware Bytes (MBAM) scan that detected nothing. I then logged off. The office manager logged on a little after 8:30am and the server was hit with CryptoWall. Server files were encrypted beginning at 8:36am, concluding at 8:58am based on ‘Date Modified’ in Explorer. Unaware of the issue, the office manager logged onto her desktop. Her desktop files were encrypted starting at 8:54am, concluding at 8:58am based on ‘Date Modified’ in Windows Explorer. I have read elsewhere that the time stamp file may be changed. However, that has not occurred since the initial observation. A new, full MBAM scan detects nothing.

 

It appears the problem originated with the server (I still want it to be the desktop’s fault). The office manager did not browse the internet or open emails on the server. It is possible a marketing intern opened their gmail account over the internet while on the server about a week ago. The same intern visited one hvac site and downloaded jpeg files from the manufacturer for use in marketing materials. There is no email client on the server and the browser histories appear to be intact. The only browser usage recorded was the intern to gmail and the hvac manufacturer’s site. The folder in which the downloaded jpegs were placed was not encrypted (see R: drive below). The infection appears to be through the office manager’s account only. Some folders on the server do not allow access (through NTFS permissions) for either the Administrators group or the office manager’s account. These folders were universally not affected in any way.

 

Unusual Behaviors:

 

I have observed the following unusual behaviors that I did not see documented elsewhere for CryptoWall and its variants:

 

1. The server has a number of data drives. In the Q: drive, the encryption went down three levels, then stopped. In the D: drive, encryption bottomed out at 4-6 levels and affected every file in one folder. Another folder on the same drive was entirely unaffected. NTFS permissions were the same for both folders. In the R: drive, the DECRYPT_INSTRUCTION files are listed at the top level, but no files in any folder were affected (there are no top level files in the R: drive to have been encrypted, only folders).

2. For the office manager’s account, the following control panel applets appear to have been removed and cannot be run from an elevated command prompt using canonical naming: User Accounts, Programs and Features, System, Network and Sharing Center (Network Connections can be run through ncpa.cpl), Internet Options, Folder Options.

3. Interestingly, all of the above control panel items are visible and usable by me on the server and desktop both as a super administrator.

4. It has been alluded to elsewhere that this program may encrypt files and uninstall itself. That may be the case here. I do not find any evidence of random.exe files, processes, etc. currently running. Additionally, I have looked in a variety of registry keys reported elsewhere and not found anything listed at all.

5. I thought I saw this elsewhere, so it may not be something new. The desktop C: drive has 12 newly created folders from 8:51 am, that appear to be empty, named DD20.4.8201XXXXXXXXX.

 

Help Needed:

 

One of the things we did for this client was to implement good backup protections. I am fairly confident our data is good and can be easily restored.

However, before I begin restoring data:

A. I want to make sure this thing is really gone.

B. Then I need to make sure I remove any last traces, including the DECRYPT_INSTRUCTIONS files.

C. Then I’ll feel like I can restore data and move forward. We have volume shadow copies, nightly backups, etc. to work with – though I haven’t touched any of those yet.

D. Lastly, I would like to figure out how this got into the system. Any event logging was set up by the other guy (we literally just started digging into the server a few days ago).

 

Additional Item:

My Administrator account, which has access to the User Accounts control panel applet on the server, has an encryption key. I saw the following instructions to restore encrypted files elsewhere (scroll to end of post) http://www.411-spyware.com/remove-cryptowall-virus. Should I move forward with this?

 

What are my next steps (HijackThis logs posted below, Server as SuperAdmin first and Desktop as office manager second)?

 

 


Server, Under SuperAdmin Account:

 

Logfile of Trend Micro HijackThis v2.0.5

Scan saved at 2:13:34 PM, on 6/5/2014

Platform: Windows 7 SP1 (WinNT 6.00.3505) - (Poster’s Note – SBS 2011)

MSIE: Internet Explorer v11.0 (11.00.9600.17041)

 

 

Boot mode: Normal

 

Running processes:

C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe

C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

T:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [SkyDrive] "C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background

O4 - HKCU\..\RunOnce: [Uninstall C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"

O4 - HKCU\..\RunOnce: [Uninstall C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\SysAdmin\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_202_ActiveX.exe -update activex

O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O15 - ESC Trusted Zone: http://*.intuit.com

O15 - ESC Trusted Zone: http://login.live.com (HKLM)

O15 - ESC Trusted Zone: http://accountservices.passport.net (HKLM)

O16 - DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} (IntuitRecurPayCom2009.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab

O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab

O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T28L10NSP5-15074/support/ieatgpc1.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O23 - Service: AcowinBackup - Team Management Systems - C:\Program Files (x86)\Acowin\AcowinBackup\AcowinBackup.exe

O23 - Service: AcowinGPS - Team Management Systems - C:\Program Files (x86)\Acowin\AcowinGPS.exe

O23 - Service: Acowin Happy Call Survey (AcowinHappyCallSurvey) - Hewlett-Packard Company - C:\Program Files (x86)\Acowin\HappyCallSurveyService.exe

O23 - Service: Acowin Intercall (AcowinIntercall) - Hewlett-Packard Company - C:\Program Files (x86)\Acowin\AcowinIntercallService.exe

O23 - Service: AcowinRemote - Unknown owner - C:\Program Files (x86)\Acowin\AcowinRemote.exe

O23 - Service: AcowinUpdater - Team Managment Systems, Inc - C:\Program Files (x86)\Acowin\AutoUpdater\AcowinUpdater.exe

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-35 (AddInInfrastructureSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe

O23 - Service: @%systemroot%\system32\certocm.dll,-347 (CertSvc) - Unknown owner - C:\Windows\system32\certsrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-15 (DevicesProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)

O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)

O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-31 (DomainManagerProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-7 (HealthAlertsSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-39 (IdentitySvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-43 (initMonitor) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)

O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-33 (NetworkingHelperSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-21 (NotificationsProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~2\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-29 (RAAdminProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)

O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-37 (ServerBackupSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-19 (ServiceProviderRegistry) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\ProviderRegistryService.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-25 (SettingsProvider) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SettingsProvider.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-5 (SqmProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\storageservice.exe,-1000 (storageservice) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\storageservice.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: WD Drive Manager (WDDriveService) - Western Digital - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-13 (WSSUPnPDevice) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\UPnPDevice.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-3 (WSS_ComputerBackupProviderSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\SharedServiceHost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Server\Bin\wssbackup.exe,-1 (WSS_ComputerBackupSvc) - Unknown owner - C:\Program Files (x86)\Windows Server\Bin\WSSBackup.exe (file missing)

 

--

End of file - 13092 bytes


Desktop as office manager:

 

Logfile of Trend Micro HijackThis v2.0.5

Scan saved at 2:24:03 PM, on 6/5/2014

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v11.0 (11.00.9600.17041)

 

FIREFOX: 29.0.1 (en-US)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe

C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

C:\Program Files\salesforce.com\Salesforce for Outlook\SfdcMsOl.exe

C:\Users\sseemiller\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

D:\HijackThis.exe

C:\Temp\HijackThis.exe

                         

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

O4 - HKLM\..\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProcess.exe

O4 - HKCU\..\Run: [Driver Detective] C:\Program Files (x86)\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe /applicationMode:systemTray /showWelcome:false

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: DDHelper.lnk = C:\Program Files (x86)\DD20.4.8201402131355\DDHelper.exe

O4 - Startup: Dropbox.lnk = sseemiller\AppData\Roaming\Dropbox\bin\Dropbox.exe

O4 - Startup: DualDesk.lnk = C:\Program Files (x86)\DD20.4.8201402131355\DualDesk.exe

O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

O4 - Global Startup: Salesforce for Outlook.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SMARTHOUSE.local

O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: HP SI Service (HPSIService) - Unknown owner - C:\Windows\system32\HPSIsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NitroPDFDriverCreatorReadSpool8 (NitroDriverReadSpool8) - Nitro PDF Software - C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe

O23 - Service: NitroPDFDriverCreatorReadSpool9 (NitroDriverReadSpool9) - Nitro PDF Software - C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe

O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE

O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe

O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe

O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 14011 bytes




#2 pandafusion

pandafusion
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:51 AM

Posted 06 June 2014 - 07:51 AM

Thank you to the many people who have looked at this issue. I apologize for the length of the post. Please let me know if I have misposted in any way :)

I am not an expert in malware/logs. The following notes are from conversations/emails I have exchanged:

 

The user can view files in unaffected directories (not all folders and files were encrypted, see number 1 above) and they are not encrypted upon viewing. This includes existing files that were not encrypted as well as newly created files placed in folders with and without encrypted contents.

The encrypted files do not appear to have been placed in a special folder on the desktop. Each encrypted file remains in its original location.

 

The client PC was immediately removed from the network. The only notifications are coming from copies of DECRYPT_INSTRUCTION.txt and DECRYPT_INSTRUCTION.html located in the office manager's \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup path on the client. Those files were not located in the startup menu of the user's profile on the server - possibly because C: was not a visible drive for the office manager (although I'm just guessing).

 

sfc /scannow on the server found corrupted files that cannot be fixed. That will be part of this morning's focus (see also: missing control panel applets for the office manager). Also, I backed up the backup (Windows Server Backup), and then successfully restored the corrupted volumes last night. All the data is no longer encrypted and appears usable.

 

My goal at this point is to ensure the infection is gone, fix the corrupted files on the server and then restore the client insofar as possible (or re-install from scratch). The client was not backed up, but does not appear to have critical data. This is a new client, so here's hoping they have all their disks :)

Is there anything I should do to make sure the active infection is gone?
I cannot find any malware .dlls, registry keys, etc. - just the DECRYPT files. This makes me suspicious. Thoughts on making sure any other traces are gone?
Any thoughts on the unusual behaviors noted in the first post or ways to determine how this got into the system?

 

Thank you.



#3 pandafusion

pandafusion
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:51 AM

Posted 07 June 2014 - 08:55 AM

Post-Mortem:

 

We were able to trace the infection to the client computer. This was confirmed by:

1. On the client computer, when logged in as the office manager, finding the following registry key: HKCU\Software\[RandomLetters]\Cryptlist. This key contained a list of all the encrypted files.

2. Finding, in the office manager's email on the client computer from the previous week, a fax email from inbound.efax.com (spoofed) with a j2.com / jconnect fax message. Naturally, the link for the fax was actually a randomly named file you do not want to open.

 

It appears the time stamp issue was due to the encryption of the user's mapped drives first, followed by the local drives.

These two indicators left us feeling comfortable that the infection did not originate on the server. There was no sign of an active infection on the client computer.

 

Our solution to the control panel issues, etc., having restored the important server files, was:

 

A. Wipe the client computer and reinstall from scratch.

B. Rename the office manager's server account to [User] Old and then create a new account [User], add to the same security groups, etc.

 

Thank you to those who took a look, and a special shout-out to user Toivoja, who did not post but had key input. Again, thank you.


Edited by pandafusion, 07 June 2014 - 08:56 AM.
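The two questions in post #2 ("Is there anything I should do to make sure the active infection is gone?" and "Thoughts on making sure any other traces are gone?") and the post-mortem findings in post #3 (ransom notes in the per-user Startup folder, a HKCU\Software\[RandomLetters]\Cryptlist key listing every encrypted file, mapped drives hit before local drives) can be turned into a repeatable host check. The script below is an added example, not code from the original posts or from any tool mentioned in the thread. It hunts for the DECRYPT_INSTRUCTION notes, walks HKCU:\Software for a CryptList subkey whose random parent name is unknown in advance, and then uses the recovered file list to verify the backup restore: any listed file whose Date Modified still falls inside the encryption window was not replaced and needs a second look. Everything marked ASSUMED (the encryption window taken from the timestamps in the first post, the report path, and the guess that each value name under CryptList is a full file path) is not stated in the thread.

```powershell
<#
  Added example, not from the original thread. Checks a Windows host for the
  CryptoWall artifacts described in posts #2 and #3 and cross-checks the
  CryptList file list against the restored file system.
  Run in the affected user's session (HKCU is per-user) on an isolated host.
#>
param(
    # ASSUMED: encryption window, from the Date Modified range in the first post.
    [datetime]$WindowStart = '2014-06-05 08:36',
    [datetime]$WindowEnd   = '2014-06-05 08:58',
    # ASSUMED: where the per-file report is written.
    [string]$ReportPath    = (Join-Path $env:USERPROFILE 'cryptowall-triage.csv')
)

$noteNames = 'DECRYPT_INSTRUCTION.txt', 'DECRYPT_INSTRUCTION.html'

# 1. Ransom notes in the per-user and all-users Startup folders (post #2),
#    plus the Desktop, which is where the notes are usually noticed first.
$noteDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Desktop')
)
$notes = @(foreach ($dir in $noteDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $noteNames -contains $_.Name }
})
Write-Output "Ransom notes found: $($notes.Count)"
$notes | ForEach-Object { Write-Output "  $($_.FullName)  (written $($_.LastWriteTime))" }

# 2. HKCU\Software\<random>\CryptList (post #3). The parent key name is random,
#    so walk every immediate child of HKCU:\Software and look one level down.
$cryptKeys = @(Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -ieq 'CryptList' }
    })
Write-Output "CryptList keys found: $($cryptKeys.Count)"
$cryptKeys | ForEach-Object { Write-Output "  $($_.Name)" }

# ASSUMED layout: the thread only says the key "contained a list of all the
# encrypted files". A value NAME that looks like a drive or UNC path is taken
# as the file path; otherwise the value DATA is used.
$listed = foreach ($k in $cryptKeys) {
    foreach ($name in $k.GetValueNames()) {
        if ($name -match '^([A-Za-z]:\\|\\\\)') { $name } else { [string]$k.GetValue($name) }
    }
}
$listed = @($listed | Where-Object { $_ } | Sort-Object -Unique)

# 3. Cross-check against the restored file system. Paths on mapped drives
#    resolve only if the same drive letters are mapped in this session, which
#    matters here because the mapped drives were encrypted first (post #3).
$report = @(foreach ($path in $listed) {
    $item      = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $lastWrite = $null
    $inWindow  = $false
    if ($item) {
        $lastWrite = $item.LastWriteTime
        $inWindow  = ($lastWrite -ge $WindowStart) -and ($lastWrite -le $WindowEnd)
    }
    [pscustomobject]@{
        Path      = $path
        Exists    = [bool]$item
        LastWrite = $lastWrite
        InWindow  = $inWindow      # still carries the encryption-time stamp
    }
})
if ($report.Count -gt 0) {
    $report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Output "Report written to $ReportPath"
}
$suspect = @($report | Where-Object { $_.InWindow })
Write-Output "Files listed in CryptList: $($report.Count); still timestamped inside the encryption window: $($suspect.Count)"
$suspect | ForEach-Object { Write-Output "  $($_.Path)  ($($_.LastWrite))" }
```

Two caveats from the thread itself: the CryptList key only exists under the HKCU hive of the user who ran the dropper, so the check has to run as that user (or against that user's loaded NTUSER.DAT), which is why post #2 found nothing while post #3 did; and a clean result from this script says nothing about the dropper or its persistence, so the wipe-and-reinstall in post #3 remains the right call for the client machine.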


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,550 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:51 AM

Posted 10 June 2014 - 04:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/536790 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,550 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:51 AM

Posted 15 June 2014 - 05:00 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



