

Infected with ransomware KEYHolder, need help to remove it and decrypt the files


  • This topic is locked
13 replies to this topic

#1 george@pan

  • Members
  • 6 posts

Posted 06 January 2015 - 09:28 PM

I am not sure if it is a new CryptoLocker variant or a ransomware. According to the ransomware, all of my files (.doc, .pdf, .xls, .ppt, etc.) were protected (encrypted) with RSA-2048 KEYHolder. It means that the structure and data within my files have irrevocably changed; I am not able to work with them, read them or see them; it is the same thing as losing them forever, but with their help I can restore (decrypt) them. They deleted all my files (.doc, .pdf, .xls, .ppt, etc.) after they encrypted them with the public key. Decrypting my files is only possible with the help of the private key and decrypt program, which is on their secret server. If I do not take the necessary measures within the specified time, then the conditions for obtaining the private key will be changed. The decryption costs $500.

 

The ransomware got onto a shared drive (we do not know when, how or why) on our Windows server (2011 Essentials) and infected .doc files first, then extended to .xls, .ppt and PDF files; then some of our business application programs, such as AME (AMEsoftware.com) and Ultra Tax 2013 CS, could not run on the client PCs. I think these application programs need to read files stored on our file server, and while the files were encrypted they could not be read by the programs. Up to now, we have only found ransomware-infected files on the shared drive on our server; we did not find ransomware-infected files on our client PCs.

 

I saw many virus popups on one client PC (no screenshot) last night, but only saw one popup from our antivirus software this morning (see attached .jpg) on the same client PC as last night. I ran DDS to capture logs on this client PC this morning, after I ran Microsoft Windows Defender Offline on the PC last night. MS WDO found one severe threat and recommended that we remove it, and I did not remove it. I did not see any virus popups on the other client PCs or the file server. All local MS Office files and PDFs can be opened normally.

 

Could you please help us to remove the ransomware from our system and decrypt the files encrypted by the ransomware?

 

Please see the following DDS capture and attach.zip from DDS.com, and the attached AVG screenshots:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17496
Run by Administrator at 13:26:13 on 2015-01-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8143.5293 [GMT -8:00]
.
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
c:\PROGRA~2\AVG\AVG2015\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\AVG\AVG2015\avgui.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2015\avgui.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2015\avgui.exe" /TRAYONLY
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\onbttnie.dll
IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP12EP16-17634/event/ieatgpc1.cab
TCP: NameServer = 192.168.9.1
TCP: Interfaces\{1C409F77-03AC-465C-A9E6-1C3C08562749} : DHCPNameServer = 192.168.9.1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\urlredir.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Notify: GoToAssist Express Customer - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\758\g2ax_winlogonx64.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2014-6-18 190744]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2014-7-18 313624]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2014-10-5 124184]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2014-6-18 31512]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2014-6-3 652784]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2014-6-3 28656]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2014-6-3 20464]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2014-6-18 153368]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2014-10-29 263960]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2014-8-28 243480]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2014-10-10 274200]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [2014-11-9 3488784]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [2014-11-9 298080]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2014-8-2 2449592]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2014-10-31 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2014-12-9 72216]
R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2012-12-27 30848]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2014-6-3 368112]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2014-6-3 786416]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2014-6-3 263896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2014-6-3 805088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 McAPExe;McAfee AP Service;"C:\Program Files\McAfee\MSC\McAPExe.exe" --> C:\Program Files\McAfee\MSC\McAPExe.exe [?]
S3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2012-12-27 36480]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2012-12-27 341120]
S3 btath_avdt;Atheros Bluetooth AVDT Service;C:\Windows\System32\drivers\btath_avdt.sys [2012-12-27 111232]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2012-12-27 168064]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2012-12-27 68736]
S3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2012-12-27 281728]
S3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2012-12-27 551552]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-20 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-9 114688]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-20 168448]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-20 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-7-21 1255736]
S4 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2014-6-3 98208]
S4 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe [2012-12-27 204928]
S4 CSAPrintService;Creative Solutions Accounting Print Service;C:\Windows\csasvc.exe [2014-8-7 115712]
S4 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\758\g2ax_service.exe [2014-10-3 610888]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-2-6 15344]
S4 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2014-1-31 887232]
S4 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2014-2-19 131544]
S4 iumsvc;Intel® Update Manager;C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-1-17 174368]
S4 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2014-2-19 154584]
S4 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2014-10-31 376168]
S4 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [2014-6-3 224840]
S4 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [2014-5-2 1915920]
S4 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2014-7-23 4799760]
S4 ZAtheros Bt and Wlan Coex Agent;ZAtheros Bt and Wlan Coex Agent;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [2012-12-27 327296]
S4 ZAtheros Wlan Agent;ZAtheros Wlan Agent;C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [2014-6-3 81536]
.
=============== Created Last 30 ================
.
2015-01-06 21:18:28 -------- d-sh--w- C:\Users\Administrator\AppData\Local\EmieUserList
2015-01-06 21:18:28 -------- d-sh--w- C:\Users\Administrator\AppData\Local\EmieSiteList
2015-01-06 21:18:28 -------- d-sh--w- C:\Users\Administrator\AppData\Local\EmieBrowserModeList
2015-01-06 02:27:38 -------- d-----w- C:\Windows\Microsoft Antimalware
2015-01-06 02:14:25 -------- d-----w- C:\Windows\pss
2015-01-06 02:09:39 -------- d-----w- C:\cd871ceb1dc9e339b4fc59bb388a
2015-01-04 04:40:19 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Intel Corporation
2015-01-04 04:39:25 -------- d-----w- C:\Users\Administrator\AppData\Roaming\AVG2015
2015-01-04 04:39:23 -------- d-----w- C:\Users\Administrator\AppData\Local\Avg2015
2015-01-04 04:39:20 -------- d-----w- C:\Users\Administrator\AppData\Local\LogMeIn
2015-01-04 04:39:19 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Atheros
2015-01-03 15:43:43 163504 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-12-25 04:33:45 -------- d-----w- C:\ProgramData\lmyrj
2014-12-25 04:29:47 -------- d-----w- C:\ProgramData\AojahEzfec
2014-12-17 19:01:11 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-12-17 19:01:11 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-12-10 11:16:54 -------- d-----w- C:\Windows\System32\appraiser
2014-12-10 11:00:47 24576 ----a-w- C:\Windows\System32\mfpmp.exe
2014-12-10 11:00:47 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2014-12-10 11:00:47 2048 ----a-w- C:\Windows\System32\mferror.dll
2014-12-10 11:00:46 55808 ----a-w- C:\Windows\System32\rrinstaller.exe
2014-12-10 11:00:46 50176 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2014-12-10 11:00:46 4121600 ----a-w- C:\Windows\System32\mf.dll
2014-12-10 11:00:46 3209728 ----a-w- C:\Windows\SysWow64\mf.dll
2014-12-10 11:00:46 23040 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2014-12-10 11:00:46 206848 ----a-w- C:\Windows\System32\mfps.dll
2014-12-10 11:00:46 103424 ----a-w- C:\Windows\SysWow64\mfps.dll
2014-12-09 20:59:44 165888 ----a-w- C:\Windows\System32\charmap.exe
2014-12-09 20:43:49 72216 ----a-w- C:\Windows\System32\drivers\LMIRfsDriver.sys
2014-12-09 20:43:49 60776 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\LMIproc.dll
2014-12-09 20:43:49 35688 ----a-w- C:\Windows\System32\LMIport.dll
2014-12-09 20:43:49 107392 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2014-12-09 20:43:47 92520 ----a-w- C:\Windows\System32\LMIinit.dll
2014-12-09 20:43:39 -------- d-----w- C:\Program Files (x86)\LogMeIn
.
==================== Find3M  ====================
.
2014-12-04 02:50:55 413184 ----a-w- C:\Windows\System32\generaltel.dll
2014-12-04 02:50:45 741376 ----a-w- C:\Windows\System32\invagent.dll
2014-12-04 02:50:40 396800 ----a-w- C:\Windows\System32\devinv.dll
2014-12-04 02:50:38 830976 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-04 02:50:37 227328 ----a-w- C:\Windows\System32\aepdu.dll
2014-12-04 02:50:37 192000 ----a-w- C:\Windows\System32\aepic.dll
2014-12-04 02:44:48 1083392 ----a-w- C:\Windows\System32\aeinv.dll
2014-12-01 23:28:44 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-11 03:09:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-11-11 03:08:52 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-11 02:44:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44:32 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-11 01:46:26 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
2014-11-08 03:16:08 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-11-08 02:45:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-10-31 19:15:32 35616 ----a-w- C:\Windows\System32\lmimirr.dll
2014-10-31 19:15:32 14624 ----a-w- C:\Windows\System32\lmimirr2.dll
2014-10-31 19:15:32 11552 ----a-w- C:\Windows\System32\drivers\lmimirr.sys
2014-10-30 05:35:16 263960 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-10-10 22:14:32 274200 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2014-10-10 00:57:42 3198976 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 13:26:39.84 ===============
 

I am looking forward to your kind reply. Thank you very much!

 

George


#2 polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 11 January 2015 - 12:25 AM

Hi george@pan :)

 

My name is polskamachina and I will be assisting you with your malware problems. Please give me some time to review your situation and I will get back to you with further instructions.

 

polskamachina



#3 polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 14 January 2015 - 06:33 PM

Hi george@pan :)

 

Sorry for the delay, I'm still investigating your situation.

 

Thank you for your patience.

 

polskamachina



#4 george@pan

  • Topic Starter
  • Members
  • 6 posts

Posted 15 January 2015 - 12:50 AM

Polskamachina,

 

It was very nice to hear from you! Please let me know if you need further information from us.

 

Thank you!

 

George



#5 polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 15 January 2015 - 01:41 AM

Hi george@pan :)
 
My name is polskamachina and I will be assisting you with your malware problems. What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Let's get started:
 
The first thing that needs to be determined is the type of ransomware that has attacked your system. Is it possible for you to take a screenshot of the ransom note or any windows that are associated with the ransomware and post it in your next reply to me?
 
Next:

  • Download this infection identification tool to your desktop.
  • Double-click the idtool.zip file to open it. Then extract the IDTool.exe file to your desktop.
  • Run the IDTool.exe program.
  • It will display a summary of the descriptions of the infections. Sample images of the program are shown here.
  • Click on the Generate Text Friendly Reports for Forums, then copy and paste that report in your next reply to me.

 
Let me know if you have any questions.
 
polskamachina



#6 george@pan

  • Topic Starter
  • Members
  • 6 posts

Posted 16 January 2015 - 01:42 PM

Polskamachina,

 

I am also in California. First of all, I would like to update you on the condition of the PC. This PC is running with several other PCs and one data server on a LAN. Only this PC was infected. Only .pdf, .mdb, .txt and MS Office .doc, .xls and .ppt files were encrypted. The original files disappeared. The names of the infected files had the suffix "wymfrlk" appended; the infected files look like *.pdf.wymfrlk, *.doc.wymfrlk, etc. The files were infected around 08:30 pm, Dec 24, 2014. Please see the following ransom note:

KEYHolder

What happened to your files ?

All of your files were protected by a strong encryption with RSA-2048 using KEYHolder.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1.https://mwyigd4n52mkbyhe.onion2web.com/xxx 
2.https://mwyigd4n52mkbyhe.tor2web.org/xxx
3.https://mwyigd4n52mkbyhe.onion.to/xxx

If for some reasons the addresses are not available, follow these steps:

1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: mwyigd4n52mkbyhe.onion/xxx
4.Follow the instructions on the site.

IMPORTANT INFORMATION:

Your personal page: https://mwyigd4n52mkbyhe.onion/xxx
Your personal identification number (if you open the site (or TOR 's) directly): xxx

 

I replaced my personal ID number with xxx in the above note. If you really need the ID, I can send a message to you.


Edited by george@pan, 16 January 2015 - 02:11 PM.
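The one hard indicator in the post above is the rename pattern: each encrypted file keeps its original name with ".wymfrlk" appended, and the originals are gone. Before anyone thinks about decryption, the useful first step on a hit share is to inventory exactly that: how many files carry the suffix, which original extensions were targeted, whether any originals survived next to the encrypted copies, and the earliest and latest modification times, which bound the window in which the encryptor ran. The following is an added example written for this page; it is not code from the thread or from any tool named in it. The suffix is the one George reports, the directory tree it scans is constructed sample data, and the function names are this example's own.

```python
"""Triage a file share for files renamed with a ransomware-appended suffix.

Added example, not code from the thread or from any tool named in it. It
assumes only the indicator the poster reported: encrypted files keep their
original name plus ".wymfrlk" (report.doc -> report.doc.wymfrlk) and the
originals are gone. The sample share built below is constructed data.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

SUFFIX = ".wymfrlk"  # suffix reported in the thread; matched case-insensitively


def triage_share(root, suffix=SUFFIX):
    """Walk `root` and summarise every file whose name ends in `suffix`.

    The summary answers the first questions of a ransomware triage: how many
    files were hit, which original extensions were targeted, whether the
    originals still exist beside the encrypted copies (the poster says they
    do not), and the earliest/latest modification times, which bound the
    window in which the encryptor ran. Times are reported in UTC.
    """
    suffix = suffix.lower()
    by_ext = Counter()
    originals_present = 0
    mtimes = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            # skip non-matching names and a bare suffix with no original name
            if not name.lower().endswith(suffix) or len(name) == len(suffix):
                continue
            enc = Path(dirpath) / name
            original = enc.with_name(name[:-len(suffix)])
            by_ext[original.suffix.lower() or "(none)"] += 1
            if original.exists():
                originals_present += 1
            mtimes.append(enc.stat().st_mtime)

    def utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return {
        "encrypted": sum(by_ext.values()),
        "by_original_ext": dict(by_ext),
        "originals_present": originals_present,
        "first_mtime": utc(min(mtimes)) if mtimes else None,
        "last_mtime": utc(max(mtimes)) if mtimes else None,
    }


def build_sample_share():
    """Create a throwaway tree that mimics the hit share (constructed data).

    mtimes are 2014-12-25 04:29-04:35 UTC, i.e. about 20:30 on 24 Dec in
    Pacific time, the encryption time the poster reports.
    """
    root = Path(tempfile.mkdtemp(prefix="share_"))
    files = [
        ("Clients/2014/return.pdf.wymfrlk", 1419481740),  # 04:29:00 UTC
        ("Clients/2014/ledger.xls.wymfrlk", 1419481980),  # 04:33:00 UTC
        ("Docs/letter.DOC.WYMFRLK", 1419482100),          # 04:35:00 UTC
        ("Docs/readme.txt", 1419400000),                  # untouched
        ("Apps/ame.exe", 1419300000),                     # untouched
    ]
    for rel, mtime in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * 16)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for key, value in triage_share(share).items():
        print(f"{key}: {value}")
```

Run it against the real share root instead of the constructed one (`triage_share(r"\\server\share")`) from a machine that has read access; the mtime window it reports is what to compare with the time the ransom note appeared and with the server's security and SMB logs, and `originals_present` being zero on the real share is what makes restoring from backup, rather than hunting for stray originals, the right recovery path.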


#7 george@pan

  • Topic Starter
  • Members
  • 6 posts

Posted 16 January 2015 - 02:08 PM

We had AVG antivirus software installed on the PC. Please see the screenshots from AVG. Unfortunately, I was not allowed to upload more files.

 

I ran Windows Defender Offline on the infected PC last week. WDO found one severe threat and removed it. I also had screenshots from WDO.
 
Here is the IDTool capture:

IDTool log
Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 1/7/2015 1:50:30 PM
Operating System: Windows 7
Service Pack: Service Pack 1
Version Number: 6.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]

Edited by george@pan, 16 January 2015 - 02:11 PM.
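George has now given the one fact that makes the DDS log in post #1 usable: the encryption ran at about 08:30 pm on 24 December 2014, Pacific time. The DDS listing timestamps are in UTC, which the log itself shows: DDS was run at 13:26:13 local on 2015-01-06, yet the "Created Last 30" section has an entry stamped 2015-01-06 21:18:28, later than the run time on the same day, which is only possible if the stamps are UTC; the header gives the host offset as [GMT -8:00]. With that, the check an analyst would make is to convert the listing to local time and pull every entry created within an hour of the reported encryption time. The following is an added example written for this page, not code from the thread or from DDS; the lines in DDS_EXCERPT are copied from the log George posted, the line format the parser expects is the one those lines show, and the function names are this example's own. The two C:\ProgramData directories it returns fall inside the window, but nothing in this thread identifies them as belonging to the malware: they are what to examine next, not a conclusion.

```python
"""Correlate DDS 'Created Last 30' entries with a reported incident time.

Added example, not code from the thread or from DDS. Line format is the
one DDS prints in its listing sections:
    <date> <time> <size or dashes> <attrs> <path>
The listing is taken to be UTC: an entry stamped 21:18:28 on the day DDS
ran at 13:26 local can only be UTC. The host offset comes from the log
header ([GMT -8:00]). DDS_EXCERPT holds lines copied from the log posted
in this thread.
"""
import re
from datetime import datetime, timedelta, timezone

ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
HEADER_TZ = re.compile(r"\[GMT ([+-]?\d{1,2}):(\d{2})\]")
STAMP = "%Y-%m-%d %H:%M:%S"

DDS_EXCERPT = r"""
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8143.5293 [GMT -8:00]
2015-01-06 21:18:28 -------- d-sh--w- C:\Users\Administrator\AppData\Local\EmieUserList
2015-01-06 02:27:38 -------- d-----w- C:\Windows\Microsoft Antimalware
2015-01-03 15:43:43 163504 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-12-25 04:33:45 -------- d-----w- C:\ProgramData\lmyrj
2014-12-25 04:29:47 -------- d-----w- C:\ProgramData\AojahEzfec
2014-12-17 19:01:11 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
"""


def host_offset(log_text):
    """Return the host's UTC offset from the DDS header as a tzinfo."""
    m = HEADER_TZ.search(log_text)
    if not m:
        raise ValueError("no [GMT +hh:mm] header in log")
    hours, minutes = int(m.group(1)), int(m.group(2))
    if hours < 0:
        minutes = -minutes
    return timezone(timedelta(hours=hours, minutes=minutes))


def raw_entries(log_text):
    """Yield (naive UTC datetime, is_dir, path) for each listing line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            stamp = datetime.strptime(f"{m['date']} {m['time']}", STAMP)
            yield stamp, m["attrs"][0] == "d", m["path"]


def listing_must_be_utc(log_text, run_local):
    """True if an entry's raw stamp is later than the DDS run time on the
    same date, which is impossible for local time: the listing is UTC."""
    run = datetime.strptime(run_local, STAMP)
    return any(s.date() == run.date() and s > run for s, _, _ in raw_entries(log_text))


def entries_near(log_text, incident_local, window_minutes=60):
    """Return (local time string, 'dir'/'file', path) for entries created
    within `window_minutes` of `incident_local` ("YYYY-MM-DD HH:MM:SS",
    host local time), sorted by time."""
    tz = host_offset(log_text)
    centre = datetime.strptime(incident_local, STAMP).replace(tzinfo=tz)
    window = timedelta(minutes=window_minutes)
    hits = []
    for stamp, is_dir, path in raw_entries(log_text):
        local = stamp.replace(tzinfo=timezone.utc).astimezone(tz)
        if abs(local - centre) <= window:
            hits.append((local.strftime(STAMP), "dir" if is_dir else "file", path))
    return sorted(hits)


if __name__ == "__main__":
    print("listing is UTC:", listing_must_be_utc(DDS_EXCERPT, "2015-01-06 13:26:13"))
    for hit in entries_near(DDS_EXCERPT, "2014-12-24 20:30:00"):
        print(*hit)
```

Feed the full log text to `entries_near` instead of the excerpt to cover the Find3M section too; widen `window_minutes` if the incident time is only known to the hour. The timezone step matters more than it looks: reading the listing as local time would put the two ProgramData directories at 04:30 on Christmas morning, eight hours after the encryption, and they would be dismissed.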


#8 polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 18 January 2015 - 12:01 PM

Hi george@pan :)
 
As you have already surmised, your infection appears to be the KEYHolder ransomware. Here is a link to the current discussion topic.
 
Regarding your receipt of another user's offer to decrypt your files:
My job in this forum is to help you remove the malware that encrypted your files. I cannot remove your encryption for a fee or for free. If you have a backup system in place, you should restore the deleted/encrypted files from that backup. If you do not have a backup system in place, then I would suggest you make that one of your top priorities.
 
Let me know if you have any questions.
 
polskamachina



#9 george@pan

  • Topic Starter
  • Members
  • 6 posts

Posted 20 January 2015 - 05:43 PM

Polskamachina,

Do you know of any forum where I can find information to help me decrypt the files, or a professional who can help me decrypt the files?

Thanks and regards,
George

#10 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,597 posts
  • Location:Virginia, USA

Posted 20 January 2015 - 06:21 PM

polskamachina referred you to the appropriate support and discussion topic with the most current information in regards to decrypting files but that link mistakenly redirected back here.

 

This is the topic he intended to link to...KEYHolder Support and Discussion Topic


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 george@pan

  • Topic Starter
  • Members
  • 6 posts

Posted 21 January 2015 - 08:55 PM

quietman7,

 

I can browse the link you sent to me. Thank you!

 

George



#12 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,597 posts
  • Location:Virginia, USA

Posted 21 January 2015 - 09:12 PM

You're welcome and good luck.

Please let polskamachina know if you want to continue with help to remove the malware itself. If not, then we will close this topic.



#13 polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 26 January 2015 - 01:26 PM

Hi George :)

 

Did you need any more help with this issue? If not, this topic will be closed in 48 hours.

 

polskamachina



#14 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,249 posts
  • Location:Romania

Posted 29 January 2015 - 03:11 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




