
Partially Infected with CryptoLocker


This topic is locked
8 replies to this topic

#1 CoastalData


Posted 19 September 2014 - 12:31 AM

Hello, this is from a computer at the office. The user said she started seeing popups on her computer yesterday, but I didn't have time to address it right away. Today, I found a folder full of "decrypt" ransom notices, and they were created by her username, so I pulled that computer to the workbench to clean it up. I think that my GFI (Vipre) antivirus prevented a full-blown infection, but even after installing MBAM and removing everything found, the computer is very slow and the mouse is messed up; the cursor only wants to be down by the task bar, though I can still use the computer pretty good using the keyboard only.

 

Below is the DDS file, and Attach is attached.

 

Thanks in advance for your help!

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.5.1
Run by Administrator at 1:16:52 on 2014-09-19
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.2046.960 [GMT -4:00]
.
AV: Windows Intune Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Managed Antivirus Managed Antivirus *Enabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: Windows Intune Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Managed Antivirus Managed Antivirus *Enabled/Updated* {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Advanced Monitoring Agent GP\winagent.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Windows\System32\ASGT.exe
C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Program Files\DYMO\DYMO Label Software\DymoPnpService.exe
C:\Program Files\Advanced Monitoring Agent GP\patchman\lnssatt.exe
C:\Program Files\System Center Operations Manager 2007\HealthService.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\STacSV.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\System Center Operations Manager 2007\MonitoringHost.exe
C:\Program Files\System Center Operations Manager 2007\MonitoringHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
c:\program files\teamviewer\version7\TeamViewer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Advanced Monitoring Agent GP\systray\SysTray.exe
C:\Program Files\Microsoft\BingDesktop\BingDesktop.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\PROGRA~1\ADVANC~2\managedav\SBAMSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Microsoft\BingDesktop\BDExtHost.exe
C:\Program Files\Microsoft\BingDesktop\BDAppHost.exe
C:\Program Files\Microsoft\BingDesktop\BDRuntimeHost.exe
C:\Program Files\Microsoft\BingDesktop\BDSurrogateHost.exe
C:\Program Files\Microsoft\OnlineManagement\Common\omsvchost.exe
C:\PROGRA~1\ADVANC~2\managedav\SBAMTray.exe
c:\program files\teamviewer\version7\TeamViewer_Desktop.exe
C:\Windows\system32\migwiz\migwiz.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\migwiz\mighost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070425
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070425
mDefault_Page_URL = hxxp://server1/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5825.1100\swg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AdvancedMonitoringSysTray] "c:\progra~1\advanc~2\systray\Launcher.exe"
mRun: [SBAMTray] "c:\progra~1\advanc~2\managedav\SBAMTray.exe"
mRun: [SBRegRebootCleaner] "c:\program files\advanced monitoring agent gp\managedav\SBRC.exe"
mRun: [BingDesktop] c:\program files\microsoft\bingdesktop\BingDesktop.exe /fromkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.4 192.168.1.10 192.168.1.1
TCP: Interfaces\{E0F6E0EA-906F-449F-ACE4-1B4558B4F7EC} : DHCPNameServer = 192.168.1.4 192.168.1.10 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.120\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 192.168.1.6 SERVER1
Hosts: 0.0.0.0 localhost 
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-9-5 13560]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl629e199e;MpKsl629e199e;c:\programdata\microsoft\microsoft antimalware\definition updates\{0fa59ab7-0918-4d0a-b41c-cc040e90b880}\MpKsl629e199e.sys [2014-9-18 39464]
R2 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files\advanced monitoring agent gp\winagent.exe [2013-3-3 7685120]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-12 79432]
R2 ASGT;ASGT;c:\windows\system32\ASGT.exe [2012-1-17 55296]
R2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\microsoft\bingdesktop\BingDesktopUpdater.exe [2014-6-3 173792]
R2 DymoPnpService;DYMO PnP Service;c:\program files\dymo\dymo label software\DymoPnpService.exe [2011-8-10 32336]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-5-7 68904]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2008-3-26 5120]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-9-18 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-18 110296]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-18 51928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-9-5 43368]
S3 gfiutil;gfiutil;c:\windows\system32\drivers\gfiutil.sys [2013-9-5 24040]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S4 AdtAgent;Operations Manager Audit Forwarding Service;c:\windows\system32\AdtAgent.exe [2009-5-8 269696]
.
=============== Created Last 30 ================
.
2014-09-19 01:14:54 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-19 01:14:38 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-19 01:14:38 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-19 01:14:38 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-19 01:14:38 -------- d-----w- c:\programdata\Malwarebytes
2014-09-19 01:14:38 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-19 01:14:10 -------- d-----w- c:\users\administrator.kellytours\appdata\local\Programs
2014-09-19 01:00:12 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0fa59ab7-0918-4d0a-b41c-cc040e90b880}\MpKsl629e199e.sys
2014-09-18 23:37:50 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0fa59ab7-0918-4d0a-b41c-cc040e90b880}\offreg.dll
2014-09-18 21:09:38 -------- d-----w- c:\users\administrator.kellytours\appdata\local\Google
2014-09-18 16:50:14 8806800 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0fa59ab7-0918-4d0a-b41c-cc040e90b880}\mpengine.dll
2014-09-16 18:08:28 -------- d-sh--w- c:\programdata\USB Adapter Updater
2014-09-16 17:46:07 -------- d--h--w- C:\f1866a3
2014-08-29 21:18:23 12864 ----a-w- c:\windows\system32\drivers\nvflash.sys
2014-08-29 21:16:42 -------- d-----w- c:\users\administrator.kellytours\appdata\roaming\Managed Antivirus
.
==================== Find3M  ====================
.
2014-09-10 18:21:21 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-10 18:21:20 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH:  1:21:07.28 ===============
Edited by CoastalData, 19 September 2014 - 01:15 AM.



#2 The Pugilist


Posted 23 September 2014 - 01:48 PM

Hello,

 

My name is Dave and I'll be helping you with your issues here.  Before we begin, I'll need to review the materials you've provided.  In the meantime, please refrain from making additional changes to the machine as this can make it difficult for me to help you.


//Dave

#3 CoastalData


Posted 23 September 2014 - 03:36 PM

Thanks Dave! The computer is/has been standing by. Just let me know what you need.



#4 The Pugilist


Posted 24 September 2014 - 08:03 PM

CoastalData,
 

this is from a computer at the office.

 
Given that this is a company computer, I first need to verify that you have permission to perform these repairs.  If your company has an internal IT department, I would advise bringing your questions to them first.  In general though, it would be a good idea to keep the infected computer disconnected from the network in order to prevent further problems. 
 
Once you post back here with verification, we can get started. :)


//Dave

#5 CoastalData


Posted 25 September 2014 - 09:44 AM

Hello, I am the company IT department, and I am authorized to maintain these computers. I have moved the computer from the production floor/network to my separate workbench/network for repairs. The affected user has already been assigned a new computer, and this one will be assigned to someone else after it is fully cleaned.

 

Given that this is my role, and that I do need assistance in this regard from time to time, is there anything extra that I should be doing to improve/maintain my relationship with these forums?


Edited by CoastalData, 25 September 2014 - 09:49 AM.


#6 The Pugilist


Posted 28 September 2014 - 09:25 AM

CoastalData,

 

Sorry for the delay, I am still working to build some instructions for you and will reply with them here as soon as possible.  Thanks for your patience.


//Dave

#7 The Pugilist


Posted 29 September 2014 - 11:43 PM

Alright, here we go.  Sorry for the delay :)
 

I am the company IT department

 
I thought this might be the case, I just had to make sure :).  I've got a few things to go over here, so bear with me!
 
Your DDS log is looking almost clean.  Two entries caught my attention though, both of which are minor.

  • Your hosts file on this machine has a strange entry in it.  Maybe this is some configuration you've deployed (maybe not).  If you don't know what this is, I'd advise editing it out of the hosts file (if you need help with this, let me know).
    Hosts: 0.0.0.0 localhost
  • There is one directory (listed below) that is associated with the malware you had.  It is possible that MBAM simply did not remove the empty directory, so this is not hugely important.  If you'd like, you can remove this too.
    c:\programdata\USB Adapter Updater

There are a number of oddities in the system's logfiles too, I'd like to make sure things are OK by running Farbar Service Scanner.
To do so, please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure all checkboxes are checked!
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.

Now we come to the question of the strange mouse behavior.  Nothing in this log would explain why that is happening.  The malware that was on this computer does not produce that effect either.  As a general troubleshooting step, I would advise trying a couple things to see if they change the problem:

If these things change the behavior, we can reasonably assume that some other piece of software is causing the problem.
 
You also seem to have a number of different security related programs on this computer.  As I'm sure you know, running multiple antivirus programs can cause problems.  Perhaps there is some conflict between some of the protection software that is present on this machine that is producing the strange mouse behavior.
 
One more thing.  If you have recovery images for these computers and this computer is being re-deployed after cleaning, you might consider just re-imaging the workstation.  Usually, doing this is a last resort, but if you have images that you can use easily, then it makes it more of an attractive option.


//Dave
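The three things this reply pulls out of the DDS log (a hosts-file entry that redirects localhost, a hidden leftover directory, and several protection products enabled at once) are all visible in the raw log text and can be flagged mechanically. The following Python helper is an added example, not code from the thread, from DDS, or from Farbar's tools: it parses the `Hosts:` lines, the `Created Last 30` block and the `AV:` header lines of a DDS-style log and reports those same conditions. The short log excerpt embedded in it is constructed to mirror the entries quoted above; the meaning of the attribute letters (`h` hidden, `s` system) and the "short hex name at the drive root" heuristic are assumptions about the log format, not documented DDS behaviour.

```python
"""Triage helper for DDS-style logs (added example, not part of DDS or the thread).

Flags: localhost redirected away from loopback, real hostnames sinkholed to
0.0.0.0/127.0.0.1, hidden/system entries and random-looking directories in the
'Created Last 30' block, and more than one enabled antivirus product.
"""
import re

# Constructed sample in the shape of a DDS log; paths mirror the thread's entries.
SAMPLE_DDS = r"""AV: Windows Intune Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Managed Antivirus Managed Antivirus *Enabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Hosts: 192.168.1.6 SERVER1
Hosts: 0.0.0.0 localhost
=============== Created Last 30 ================
2014-09-19 01:14:38 -------- d-----w- c:\programdata\Malwarebytes
2014-09-16 18:08:28 -------- d-sh--w- c:\programdata\USB Adapter Updater
2014-09-16 17:46:07 -------- d--h--w- C:\f1866a3
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
AV_RE = re.compile(r"^AV:\s+(.+?)\s+\*(Enabled|Disabled)/(\w+)\*")
# Assumption: a bare hex-looking directory name directly under a drive root.
HEX_NAME = re.compile(r"^[a-z]:\\[0-9a-f]{6,}$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}
SINKHOLES = LOOPBACK | {"0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from the 'Hosts:' lines."""
    return [m.groups() for line in text.splitlines() if (m := HOSTS_RE.match(line))]


def hosts_findings(text):
    """Describe hosts entries a reviewer would question."""
    findings = []
    for ip, host in parse_hosts(text):
        if host.lower() == "localhost" and ip not in LOOPBACK:
            findings.append(f"localhost points to {ip} instead of a loopback address")
        elif host.lower() != "localhost" and ip in SINKHOLES:
            # A real name mapped to a sinkhole address is the classic way
            # security-vendor update servers get blocked.
            findings.append(f"{host} is sinkholed to {ip}")
    return findings


def parse_created(text):
    """Parse the 'Created Last 30' block; stops at the next '====' header."""
    entries, in_block = [], False
    for line in text.splitlines():
        if "Created Last 30" in line:
            in_block = True
            continue
        if in_block and line.startswith("===="):
            break
        if in_block and (m := CREATED_RE.match(line)):
            ts, size, attrs, path = m.groups()
            entries.append({"time": ts, "size": size, "attrs": attrs, "path": path})
    return entries


def created_findings(text):
    """Return (path, reasons) for recently created entries worth a second look."""
    findings = []
    for e in parse_created(text):
        reasons = []
        # Assumption: 'h' and 's' in the attribute column mean hidden and system,
        # as in the 'd-sh--w-' entry of the sample.
        if "h" in e["attrs"]:
            reasons.append("hidden")
        if "s" in e["attrs"]:
            reasons.append("system")
        if HEX_NAME.match(e["path"]):
            reasons.append("random hex name at drive root")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def enabled_av_products(text):
    """Names of products reported on 'AV:' lines as *Enabled/...*."""
    return [m.group(1) for line in text.splitlines()
            if (m := AV_RE.match(line)) and m.group(2) == "Enabled"]


def triage(text):
    """Bundle all checks; multiple_av mirrors the 'more than one AV' caution above."""
    av = enabled_av_products(text)
    return {"hosts": hosts_findings(text), "created": created_findings(text),
            "enabled_av": av, "multiple_av": len(av) > 1}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run it against a saved `DDS.txt` by reading the file into `triage()` in place of `SAMPLE_DDS`; every finding it prints is a prompt for the reviewer to decide, as this reply does, whether the entry is deliberate configuration or a leftover to remove.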

#8 The Pugilist


Posted 03 October 2014 - 10:57 AM

CoastalData,

 

It's been over 48 hours since my last post, are you still in need of my assistance?  If so, please post back here.  If no response is given, this topic will be closed.


//Dave

#9 whoabuddy


Posted 06 October 2014 - 12:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.