
FBI/DOJ Ransomware - Nasty New Version?


  • This topic is locked
9 replies to this topic

#1 winsucks

winsucks

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 11 August 2014 - 06:02 PM

Attempting to remove a FBI ransomware from a Windows 7 machine and am completely at a loss. All the usual tricks aren't working for jack: Malwarebytes, Kaspersky (hard drive plugged into another machine as well as with the rescue disc), Bitdefender rescue disc, HitmanPro Kickstart. I'm locked out of all of the safe modes (regular, w/network, w/command prompt). I used Farbar but I didn't see anything that stood out to me as out of the ordinary, save for one driver, which I removed, but still no luck. The restore points seem to all be removed or the service was never running in the first place. In my concession to this nasty new iteration of the virus, I'm coming to you guys.


Edited by winsucks, 11 August 2014 - 06:04 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:03 PM

Posted 12 August 2014 - 07:46 AM


Hello winsucks

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 winsucks

winsucks
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 12 August 2014 - 11:40 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-08-2014
Ran by SYSTEM on MININT-5M31R4P on 12-08-2014 09:38:26
Running from F:\
Platform: Windows 7 Home Premium (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/  
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/  
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\Owner\...\Run: [KGShareApp] => C:\Program Files\Kodak\KODAK Share Button App\KGShare_App.exe [394752 2012-10-11] (Eastman Kodak Company)
HKU\Owner\...\Policies\Explorer: [NoSetActiveDesktop] 0
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk
ShortcutTarget: Event Reminder.lnk -> C:\pmw\PMREMIND.EXE ()
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AffinegyService; C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-02-24] (Affinegy, Inc.)
S2 iComment Upgrade Service; C:\Program Files\iComment 2.1.4\UpgradeService.exe [122368 2010-07-07] (iComment, Inc.)
S2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe [308656 2010-09-13] (Eastman Kodak Company)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
S2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] ()
S2 HitmanPro37CrusaderBoot; "E:\HitmanPro.exe" /crusader:boot [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
S3 JRAID; C:\Windows\system32\DRIVERS\jraid.sys [89048 2009-05-21] (JMicron Technology Corp.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S1 RapportCerberus_69108; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_69108.sys [358040 2014-07-07] ()
S3 smbusp; C:\Windows\System32\DRIVERS\intelsmb.sys [22528 2010-06-10] (Intel Corporation)
S1 MpKslcabca391; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9DEAFA6D-60F2-4A21-832D-80BA9EC41E1F}\MpKslcabca391.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-11 15:15 - 2014-08-12 09:38 - 00000000 ____D () C:\FRST
2014-08-11 09:59 - 2014-08-11 09:59 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2014-08-11 09:59 - 2014-08-11 09:59 - 00008818 _____ () C:\Windows\System32\.crusader
2014-08-11 08:23 - 2014-08-11 09:59 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-08-05 15:58 - 2014-08-05 16:38 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-08-02 08:29 - 2014-05-14 08:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2014-08-02 08:29 - 2014-05-14 08:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2014-08-02 08:29 - 2014-05-14 08:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2014-08-02 08:29 - 2014-05-14 08:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
2014-08-02 08:29 - 2014-05-14 08:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
2014-08-02 08:29 - 2014-05-14 08:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2014-08-02 08:29 - 2014-05-14 08:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2014-08-02 08:28 - 2014-05-14 08:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2014-08-02 08:28 - 2014-05-14 08:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2014-07-17 15:30 - 2014-08-09 15:22 - 00000370 _____ () C:\Windows\setupact.log
2014-07-17 15:30 - 2014-07-17 15:30 - 00000000 _____ () C:\Windows\setuperr.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-12 09:38 - 2014-08-11 15:15 - 00000000 ____D () C:\FRST
2014-08-11 09:59 - 2014-08-11 09:59 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2014-08-11 09:59 - 2014-08-11 09:59 - 00008818 _____ () C:\Windows\System32\.crusader
2014-08-11 09:59 - 2014-08-11 08:23 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-08-11 09:41 - 2010-10-17 13:13 - 01651140 _____ () C:\Windows\WindowsUpdate.log
2014-08-11 08:24 - 2009-11-25 08:19 - 00786514 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-08-11 05:45 - 2010-05-03 14:45 - 00000000 ____D () C:\users\Owner
2014-08-09 15:51 - 2013-08-02 09:32 - 00000000 ____D () C:\Temp
2014-08-09 15:29 - 2009-07-13 20:34 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-09 15:29 - 2009-07-13 20:34 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-09 15:22 - 2014-07-17 15:30 - 00000370 _____ () C:\Windows\setupact.log
2014-08-09 15:22 - 2010-05-04 08:14 - 00000000 ____D () C:\ProgramData\Kodak
2014-08-09 12:43 - 2013-12-18 07:48 - 00000000 ____D () C:\Program Files\appbario13
2014-08-05 16:38 - 2014-08-05 15:58 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-08-02 11:32 - 2014-01-08 18:09 - 01062912 _____ () C:\Users\Owner\Desktop\Expense  Report 2014.xls
2014-08-01 20:30 - 2010-05-04 19:23 - 00001633 _____ () C:\Windows\yahtzee.ini
2014-07-29 07:44 - 2009-11-25 08:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-28 23:26 - 2010-07-24 15:42 - 00000000 ____D () C:\Users\Owner\AppData\Local\CrashDumps
2014-07-18 12:34 - 2012-12-28 10:05 - 00002131 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-07-17 15:30 - 2014-07-17 15:30 - 00000000 _____ () C:\Windows\setuperr.log
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2011-05-23 13:01] - [2014-03-04 01:17] - 0850944 ____A (Microsoft Corporation) 900F943E96BDE24B9BC12AAF253CDF83
 
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
 
==================== Memory info ===========================  
 
Percentage of memory in use: 21%
Total physical RAM: 2012.99 MB
Available physical RAM: 1577.8 MB
Total Pagefile: 2012.99 MB
Available Pagefile: 1579.66 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.41 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:134.32 GB) (Free:36.41 GB) NTFS
Drive f: (HITMANPRO) (Removable) (Total:1.86 GB) (Free:1.83 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:11.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 149 GB) (Disk ID: 7740BF64)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=134 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 6168A74B)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)
 
 
LastRegBack: 2014-04-19 11:52
 
==================== End Of Log ============================



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:03 PM

Posted 13 August 2014 - 06:30 AM

Hello winsucks

OK, let's see if we can find a replacement for the infected file.

Boot back into the recovery Environment and run FRST like you did before

Type the following in the edit box after "Search:".

User32.dll

It then should look like:

Search: User32.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo

Edited by gringo_pr, 13 August 2014 - 06:30 AM.


#5 winsucks

winsucks
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 13 August 2014 - 12:08 PM

Farbar Recovery Scan Tool (x86) Version:11-08-2014
Ran by SYSTEM at 2014-08-13 10:03:49
Running from F:\
Boot Mode: Recovery
 
================== Search: "User32.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[2011-05-23 13:01][2010-11-20 04:21] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
C:\Windows\System32\user32.dll
[2011-05-23 13:01][2014-03-04 01:17] 0850944 ____A (Microsoft Corporation) 900F943E96BDE24B9BC12AAF253CDF83
 
X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
X:\Windows\System32\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
=== End Of Search ===


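The check behind this search log, worked as an added Python example (it is not part of the thread and not FRST's own code): the script parses the Search.txt blocks quoted above, tests whether the MD5 of the live System32 copy matches any copy Windows keeps in the WinSxS component store, and, when it does not, picks the store copy with the same creation timestamp as the replacement candidate and reports how much larger the live file is. The log-line layout (path line, then `[created][modified] size attrs (company) MD5`) is assumed from the posted output; `parse_search` and `triage` are names chosen here.

```python
"""Triage an FRST 'Search:' log: does the live System32 copy of a file match
any copy Windows keeps in the WinSxS component store?

Added example for this thread; not part of the forum post and not FRST's own
code. The log-line format is assumed from the Search.txt quoted above
(path line, then "[created][modified] size attrs (company) MD5")."""
import re

# Constructed sample input: the five result blocks of the posted Search.txt,
# with the paths, dates, sizes and MD5s exactly as they appear in the thread.
SEARCH_TXT = r"""
================== Search: "User32.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[2011-05-23 13:01][2010-11-20 04:21] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

C:\Windows\System32\user32.dll
[2011-05-23 13:01][2014-03-04 01:17] 0850944 ____A (Microsoft Corporation) 900F943E96BDE24B9BC12AAF253CDF83

X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

X:\Windows\System32\user32.dll
[2009-07-13 15:24][2009-07-13 17:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(text):
    """Return one dict per (path line, detail line) pair in a Search.txt."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if PATH_RE.match(path) and m:
            entries.append({
                "path": path,
                "created": m["created"],
                "modified": m["modified"],
                "size": int(m["size"]),
                "company": m["company"],
                "md5": m["md5"].upper(),
            })
    return entries


def _parts(path):
    return path.lower().split("\\")


def triage(entries, drive="c"):
    """Compare every System32 copy on `drive` with the WinSxS copies found on
    any drive. A live file whose MD5 matches no component-store copy is
    flagged; the store copy with the same creation timestamp (same servicing
    package, the heuristic the thread used) is the replacement candidate, and
    size_delta shows how much the live file has grown relative to it."""
    live = [e for e in entries
            if _parts(e["path"])[:3] == [drive.lower() + ":", "windows", "system32"]]
    store = [e for e in entries if "winsxs" in _parts(e["path"])]
    known = {s["md5"] for s in store}
    findings = []
    for e in live:
        if e["md5"] in known:
            findings.append({"path": e["path"], "status": "matches component store",
                             "candidate": None, "size_delta": 0})
            continue
        same_build = [s for s in store if s["created"] == e["created"]] or store
        cand = same_build[0]
        findings.append({"path": e["path"], "status": "hash not found in component store",
                         "candidate": cand["path"], "size_delta": e["size"] - cand["size"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_search(SEARCH_TXT)):
        print(f["status"], f["path"])
        if f["candidate"]:
            print("  replacement candidate:", f["candidate"])
            print("  live file larger by", f["size_delta"], "bytes")
```

On the posted log the script flags C:\Windows\System32\user32.dll (its MD5 matches neither WinSxS copy and it is 39424 bytes larger than the 6.1.7601.17514 store copy created at the same time), while the X: boot-image copy matches its store copy. A hash that matches the component store is only a consistency check, not proof of a clean file; the store copies on the same disk would also be worth confirming against an external reference once the machine boots.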

#6 winsucks

winsucks
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 13 August 2014 - 12:33 PM

Alright, thanks for pointing me in the right direction, I recovered the user32.dll from the winsxs backup of it with the same date and a known good hash (the one starting with F1DD3A, looked that up on google) and now I'm able to get to the desktop to continue the cleanup. Thanks a million!



#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:03 PM

Posted 13 August 2014 - 01:27 PM

If you want me to help with the cleanup then send me a new FRST report from normal mode

gringo

#8 winsucks

winsucks
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 13 August 2014 - 03:40 PM

I've got it covered and the machine is nice and clean now. I normally don't need assistance in removing many viruses (I do this often for others), but this one threw me for a loop, and I've never had to go as far as using FRST, so I'd not much experience with just what to look for. I was unsure about the user32.dll given the hash discrepancy, so I wanted a second opinion. Turns out I was right to be wary about it. I appreciate the assist.



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:03 PM

Posted 14 August 2014 - 11:20 AM

No problem and you are more than welcome

gringo

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:03 PM

Posted 17 August 2014 - 06:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.