CSIS Virus Canadian Security Intelligence Notice


19 replies to this topic

#1 dirkdigs


Posted 05 November 2014 - 04:05 PM

Server 2012 Standard. How do I clean this? I have tried RKill.exe and Malwarebytes in Safe Mode with Networking, but it keeps coming back after I reboot the server.


Edited by dirkdigs, 05 November 2014 - 04:21 PM.




#2 dirkdigs


Posted 05 November 2014 - 04:07 PM

I would love to upload a screenshot but can't figure out how.



#3 dirkdigs


Posted 05 November 2014 - 04:54 PM

Each time I log into Safe Mode with Networking it tells me I am logging in with a temp profile. Not sure if this is causing Malwarebytes problems cleaning or not.



#4 boopme


Posted 05 November 2014 - 08:56 PM

Hello, look at this guide and run the tool there .. L@@K
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 dirkdigs


Posted 05 November 2014 - 10:31 PM

This is different than the picture. How do I upload a screenshot? I would like to show you what it looks like.


Edited by dirkdigs, 05 November 2014 - 10:52 PM.


#6 boopme


Posted 06 November 2014 - 12:40 PM

Inserting An Image Within A Post

#7 dirkdigs


Posted 06 November 2014 - 05:22 PM

XAGjdi.png



#8 dirkdigs


Posted 06 November 2014 - 08:40 PM

I don't know what this software HitmanPro is, but it found a couple of things and it will not quarantine them unless I activate the software.



#9 boopme


Posted 06 November 2014 - 09:19 PM

Ok.. I have asked my colleagues about the find and am awaiting a reply.

In the meantime DO NOT run a registry or Temp file cleaner.


Can you open Hitman, click on the drop-down menu of the found entries and choose Apply to all => Ignore <= IMPORTANT!!!

1. Please download HitmanPro:
  • For 32-bit Operating System - http://dl.surfright.nl/HitmanPro.exe
  • For 64-bit Operating System - http://dl.surfright.nl/HitmanPro_x64.exe

2. Launch the program by double clicking on the HitmanPro icon.

Note: If the program won't run, then open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 5-10 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro.

http://forums.majorgeeks.com/chaslang/images/Hitman/6-scanfin-choose.jpg

Navigate to C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (for Windows XP) or to C:\ProgramData\HitmanPro\Logs (for Windows Vista/7), open the report and copy and paste it to your next reply.

Edited by boopme, 06 November 2014 - 09:26 PM.


#10 dirkdigs


Posted 07 November 2014 - 12:19 AM

HitmanPro 3.7.9.232
www.hitmanpro.com
 
   Computer name . . . . : SERVER
   Windows . . . . . . . : 6.2.0.9200.X64/4
   User name . . . . . . : DOMAIN\administrator
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2014-11-07 00:09:28
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 46s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 1
   Traces  . . . . . . . : 3
 
   Objects scanned . . . : 5,726,754
   Files scanned . . . . : 9,902
   Remnants scanned  . . : 204,108 files / 5,512,744 keys
 
Malware _____________________________________________________________________
 
   C:\ProgramData\BSwsEoEY\OaQAUYsc.exe
      Size . . . . . . . : 195,584 bytes
      Age  . . . . . . . : 1.2 days (2014-11-05 18:39:20)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : D8901A51B272EF5299BFCA34B8B4490D455AABC3E921D370AC97E424223ADFDC
    > Bitdefender  . . . : Trojan.Obfus.3.Gen
      Fuzzy  . . . . . . : 123.0
      Forensic Cluster
         -5.2s C:\ProgramData\BSwsEoEY\
         -5.2s C:\ProgramData\BSwsEoEY\OaQAUYsc
          0.0s C:\ProgramData\BSwsEoEY\OaQAUYsc.exe
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
          0.3s C:\ProgramData\BSwsEoEY\OaQAUYsc.inf
 
 
Potential Unwanted Programs _________________________________________________
 
   ask.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data
 
   HKLM\SOFTWARE\Classes\s\ (Softonic)
 
 

Edited by dirkdigs, 07 November 2014 - 12:19 AM.


#11 dirkdigs


Posted 07 November 2014 - 10:38 AM

It only shows up for some profiles, in full desktop mode (this is a Remote Desktop server).

I need to check "show protected system files".

If I log in with an affected profile, leave it logged in, then log in to the server with a non-affected profile, I am able to see it. But I can't remove the files even after taking full ownership and full NTFS control.

 

TP46AF.png



#12 SeniorFrogg


Posted 07 November 2014 - 12:25 PM

I have 7 computers all with this. It seems to have infected all of the .bmp and .jpg files on the computers and added .exe at the end. I am in the same boat as you, I have used Malwarebytes and SUPERAntiSpyware, they both found and cleaned up a lot of files. But the lock screen still pops up after a reboot.

 

I have tried to remove the regkey in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ but it keeps on coming back.

 

This one seems to not want to get out of my computers!!!
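An added example, not from any poster in this thread: a report-only PowerShell audit for the persistence pattern the two posters describe (a Run-key value that relaunches an executable from a random-named folder under ProgramData or AppData, with the registry value reappearing after removal). It walks HKLM and every loaded user hive under HKEY_USERS, so on a Remote Desktop server other logged-in sessions are covered; the folder-name scoring is a heuristic of my own and not anything from HitmanPro or Malwarebytes.

```powershell
# Added example, not from this thread: report-only audit of Run autoruns for the
# pattern described above - a value relaunching an .exe from a random-named folder
# under ProgramData or AppData. Covers HKLM plus every loaded user hive under
# HKEY_USERS, so on an RDS host a profile left logged in is included.
# The folder-name scoring is a heuristic of my own, nothing from HitmanPro.

function Get-CaseTransitions {
    # Count upper<->lower switches between adjacent characters ("BSwsEoEY" -> 4).
    param([string]$Name)
    $n = 0
    for ($i = 1; $i -lt $Name.Length; $i++) {
        if ([char]::IsUpper($Name[$i - 1]) -ne [char]::IsUpper($Name[$i])) { $n++ }
    }
    return $n
}

function Test-RandomLookingName {
    # Heuristic: letters only, 6-12 chars, heavy internal case mixing, like the
    # BSwsEoEY / OaQAUYsc names in the posted log; HitmanPro and OneDrive pass.
    param([string]$Name)
    if ($Name -notmatch '^[A-Za-z]{6,12}$') { return $false }
    $upper = @($Name.ToCharArray() | Where-Object { [char]::IsUpper($_) }).Count
    return ((Get-CaseTransitions $Name) -ge 4) -or (($upper / $Name.Length) -ge 0.5)
}

function Get-SuspiciousAutoruns {
    $sub  = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $keys = @("HKLM:\$sub", "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run")
    # Every loaded user hive, which includes other logged-in RDS sessions.
    $keys += Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\$sub" }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            $m = [regex]::Match($cmd, '^\s*"?([^"]*?\.exe)', 'IgnoreCase')   # quoted or bare path
            if (-not $m.Success) { continue }
            $exe = $m.Groups[1].Value
            # Only autoruns launched from user-writable locations are of interest here.
            if ($exe -notmatch '\\(ProgramData|AppData\\(Local|Roaming)|Users\\Public)\\') { continue }
            $folder = Split-Path (Split-Path $exe -Parent) -Leaf
            $age = if (Test-Path -LiteralPath $exe) { [math]::Round(((Get-Date) - (Get-Item -LiteralPath $exe).CreationTime).TotalDays, 1) } else { 'missing' }
            $sev = if (Test-RandomLookingName $folder) { 'HIGH' } else { 'review' }
            [pscustomobject]@{ Entry = "$key\$name"; Target = $exe; AgeDays = $age; Severity = $sev }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the affected host; a HIGH entry whose AgeDays matches the file age in the HitmanPro log is the value to record before any cleanup, and re-running after a reboot shows whether the entry is being recreated.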

 



#13 boopme


Posted 07 November 2014 - 12:55 PM

It appears to be a screenlocker, so let's try the Kickstart/Hitman tool here:
http://www.bleepingcomputer.com/virus-removal/remove-fbi-cybercrime-division-ransomware

#14 SeniorFrogg


Posted 07 November 2014 - 01:33 PM

Thanks, I am going to try that right now. It has also locked a lot of picture files, but I am going to consider those as gone!

 

I will keep you posted on the KickStart method. 



#15 dirkdigs


Posted 07 November 2014 - 01:39 PM

As I mentioned previously, HitmanPro does not clean anything unless you pay for it. This is a paid tool.

Your guide at steps 12-13 is wrong. Once you hit next you are directed to enter an activation key.


Edited by dirkdigs, 07 November 2014 - 01:40 PM.




