Virus renamed and encrypted my files


This topic is locked
5 replies to this topic

#1 Eugen

Posted 20 January 2015 - 02:35 AM

Hi all,

 

The user doesn't have Administrator rights, so the system isn't damaged; it is just that all the files aren't accessible. I've deleted the virus very quickly, it is just a stupid file; now the system is 100% free of any virus.

The only thing I need help with is to recover my files. Need some help.

 

Thank you.

 

The virus renamed the files and added this extension: *.mmvkhja

 


 

What utility to use so I could decrypt and recover my files? Thank you.

 

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-01-2015
Ran by Anna (ATTENTION: The logged in user is not administrator) on ANNA on 20-01-2015 09:30:35
Running from D:\Profiles\Anna\Desktop
Loaded Profiles: Anna & Administrator (Available profiles: Philips & Anna & Administrator)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SolarWinds) C:\Windows\dwrcs\DWRCST.EXE
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\Windows\dwrcs\DWRCST.exe [379752 2012-08-16] (SolarWinds)
HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [262656 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-21-2197350577-2633824870-2415355702-1001\...\Run: [tzyrcin] => D:\Profiles\Anna\AppData\Local\Temp\ifxzcbg.exe <===== ATTENTION
Startup: D:\Profiles\Anna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Outlook 2010.lnk
ShortcutTarget: Microsoft Outlook 2010.lnk -> C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2197350577-2633824870-2415355702-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2197350577-2633824870-2415355702-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
URLSearchHook: [S-1-5-21-2197350577-2633824870-2415355702-500] ATTENTION ==> Default URLSearchHook is missing.
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{44EC3A70-7051-4020-A0E9-78EF226FF582}: [NameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: D:\Profiles\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\wzccjbco.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_43.dll ()
FF Plugin: @java.com/DTPlugin,version=10.21.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.21.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-01-31]

Chrome:
=======
CHR StartupUrls: Default -> "https://www.google.md/"
CHR Profile: D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-31]
CHR Extension: (Google Drive) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-31]
CHR Extension: (Google Voice Search Hotword (Beta)) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-08]
CHR Extension: (YouTube) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-31]
CHR Extension: (Google Search) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-31]
CHR Extension: (Adobe Acrobat - Create PDF) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2014-01-31]
CHR Extension: (Google Wallet) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-31]
CHR Extension: (Gmail) - D:\Profiles\Anna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-31]
CHR HKLM\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2013-05-11]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation)
S3 defragsvc; C:\Windows\System32\defragsvc.dll [218624 2009-07-14] (Microsoft Corporation)
R2 dwmrcs; C:\Windows\dwrcs\DWRCS.EXE [705384 2012-08-16] (SolarWinds)
R2 lmhosts; C:\Windows\system32\svchost.exe [21504 2014-01-22] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20472 2012-09-12] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [287824 2012-09-12] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [21504 2014-01-22] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [21504 2014-01-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2014-01-22] (Microsoft Corporation)
S3 WPCSvc; C:\Windows\System32\wpcsvc.dll [10752 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [243128 2014-01-31] (Disc Soft Ltd)
R3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [3712 2008-03-14] (DameWare Development, LLC)
R1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd.sys [26624 2008-03-13] (DameWare)
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD.sys [40936 2013-01-19] ()
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [13592 2012-02-26] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [348440 2012-02-26] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [792856 2012-02-26] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-17] (Intel Corporation)
R0 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [78208 2010-11-20] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [297040 2009-07-14] (Microsoft Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 09:30 - 2015-01-20 09:30 - 00000000 ____D () C:\FRST
2015-01-19 16:27 - 2015-01-19 16:33 - 00849886 _____ () C:\ProgramData\pwytjzb.html

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 09:31 - 2014-01-31 01:45 - 01881914 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 09:27 - 2009-07-14 06:34 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 09:27 - 2009-07-14 06:34 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 09:24 - 2014-01-30 17:01 - 00727000 _____ () C:\Windows\system32\perfh019.dat
2015-01-20 09:24 - 2014-01-30 17:01 - 00151078 _____ () C:\Windows\system32\perfc019.dat
2015-01-20 09:24 - 2010-11-20 23:01 - 01655454 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-20 09:23 - 2009-07-14 06:52 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-20 09:20 - 2014-01-31 10:04 - 00000266 _____ () C:\Windows\Tasks\AutoKMS.job
2015-01-20 09:19 - 2014-01-31 11:50 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-20 09:19 - 2009-07-14 06:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 09:19 - 2009-07-14 06:39 - 00039328 _____ () C:\Windows\setupact.log
2015-01-20 09:19 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\system32\wfp
2015-01-20 09:18 - 2014-01-31 10:04 - 00000000 ____D () C:\Windows\AutoKMS
2015-01-20 09:18 - 2014-01-31 09:16 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-20 09:18 - 2014-01-31 09:16 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-20 09:18 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\registration
2015-01-20 09:18 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\AppCompat
2015-01-19 16:26 - 2014-01-31 09:16 - 00000000 ____D () C:\ProgramData\Mozilla
2015-01-18 21:38 - 2014-01-31 11:50 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-14 05:40 - 2014-01-31 11:50 - 00002137 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-12-31 13:13 - 2014-01-30 16:28 - 00249488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======
2015-01-19 16:27 - 2015-01-19 16:33 - 0849886 _____ () C:\ProgramData\pwytjzb.html

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Edited by Eugen, 20 January 2015 - 02:36 AM.
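Two lines in the log above are the ones a responder pulls out first: the per-user autorun that FRST itself marks with ATTENTION (the HKU ...\Run: [tzyrcin] value launching ifxzcbg.exe from the profile's Temp folder, a location and a hive that can be written without administrator rights, which fits the account not being an administrator), and the 849 KB C:\ProgramData\pwytjzb.html created at 16:27 and last written at 16:33 on 2015-01-19, an interval that brackets when whatever wrote it was active. The Python script below is an added example, not code from the post and not part of FRST: it parses those two FRST line formats from a constructed excerpt copied from the log and applies the heuristics just described. The user-writable directory list, the trusted-root exclusions and the "write window" idea are this example's own assumptions, not FRST's logic.

```python
r"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example: not code from the forum post and not part of FRST.
It parses two FRST line formats,

  <hive>[\<SID>]\...\Run[Once]: [<name>] => <target> [<size> <date>] (<vendor>) [<===== ATTENTION]
  <created> - <modified> - <size> <attrs> (<vendor>) <path>

and applies heuristics that are this example's assumptions, not FRST's:
an autorun whose target sits in a user-writable profile directory, and
recently created files outside the Windows / Program Files trees.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed excerpt: these lines are copied from the FRST log in the post.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [262656 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-21-2197350577-2633824870-2415355702-1001\...\Run: [tzyrcin] => D:\Profiles\Anna\AppData\Local\Temp\ifxzcbg.exe <===== ATTENTION
2015-01-20 09:30 - 2015-01-20 09:30 - 00000000 ____D () C:\FRST
2015-01-19 16:27 - 2015-01-19 16:33 - 00849886 _____ () C:\ProgramData\pwytjzb.html
"""

# Assumptions of this example: directories any interactive user can write to,
# and roots whose created-file entries are usually noise during triage.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\frst")

RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] => (?P<target>.+?)"
    r"(?: \[\d+ [\d-]+\])?(?: \([^)]*\))?(?P<attention> <===== ATTENTION)?$"
)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r" - (?P<size>\d+) (?P<attrs>[_A-Z]+) \((?P<vendor>[^)]*)\) (?P<path>.+)$"
)


@dataclass
class Finding:
    key: str
    name: str
    target: str
    sid: Optional[str]
    reasons: List[str]


def parse_autoruns(text: str) -> List[dict]:
    """Return every Run/RunOnce entry as a dict of the regex's named groups."""
    return [m.groupdict() for m in map(RUN_RE.match, text.splitlines()) if m]


def autorun_findings(text: str) -> List[Finding]:
    """Autoruns worth a second look: flagged by FRST, or launched from a
    directory any user can write to (no admin rights needed to persist)."""
    findings = []
    for e in parse_autoruns(text):
        reasons = []
        if e["attention"]:
            reasons.append("flagged ATTENTION by FRST")
        if any(d in e["target"].lower() for d in USER_WRITABLE):
            reasons.append("target in a user-writable directory")
        if reasons and e["sid"]:
            reasons.append("per-user hive: written without admin rights")
        if reasons:
            findings.append(Finding(e["key"], e["name"], e["target"], e["sid"], reasons))
    return findings


def recent_files(text: str) -> List[dict]:
    """Created-file entries outside trusted roots, with how long each one was
    being written (modified minus created) as a rough activity window."""
    out = []
    for m in filter(None, map(FILE_RE.match, text.splitlines())):
        if m["path"].lower().startswith(TRUSTED_ROOTS):
            continue
        created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M")
        modified = datetime.strptime(m["modified"], "%Y-%m-%d %H:%M")
        out.append({"path": m["path"], "size": int(m["size"]), "created": created,
                    "write_minutes": int((modified - created).total_seconds() // 60)})
    return out


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_LOG):
        print(f"{f.key} [{f.name}] => {f.target}: {'; '.join(f.reasons)}")
    for r in recent_files(SAMPLE_LOG):
        print(f"{r['path']} ({r['size']} bytes) written over {r['write_minutes']} min from {r['created']}")
```

Run against a full FRST.txt (pass the file's contents instead of SAMPLE_LOG) the same two functions give the autorun to remove and a time window to compare against the modification times of the renamed files; the window is only as precise as FRST's minute-resolution timestamps.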




#2 Eugen (Topic Starter)

Posted 20 January 2015 - 02:59 AM

Here is the message found in My Documents:

 


Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Otherwise, it seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

Open http://ohmva4gbywokzqso.onion.cab or http://ohmva4gbywokzqso.tor2web.org
in your browser. They are public gates to the secret server.

If you have problems with gates, use direct connection:

1. Download Tor Browser from http://torproject.org

2. In the Tor Browser open the http://ohmva4gbywokzqso.onion/
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

Copy and paste the following public key in the input form on server. Avoid misprints.
6FVRTLM-VM5THLL-SL3GLTU-MQPG5CK-7BSQTQG-WWCVKVT-OPDAYP5-FLCHVP4
XBCSKYO-V4UK66L-3OWDXJZ-MDCBJGG-PSOG4CG-CZVECJD-6ANOZP3-OFIC7HO
R6FU5LF-LLSIQFE-JTDRM5Q-SEIHGN3-5URJO5M-M5NT7CO-DXSOQ5S-LLB5XNM


Follow the instructions on the server.
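Before searching for a decryptor it is worth establishing what the locker actually did to each file: the thread title says the files were renamed and the note claims they were encrypted, and the two need different recovery paths. The Python script below is an added example, not code from the post: it walks a directory for files carrying the .mmvkhja extension named in the first post, derives the original name by stripping that extension, checks whether a file with the original name still exists beside the renamed one, and classifies the content by whether a known file header survives and by the Shannon entropy of the first 4 KiB. The magic-byte table, the 7.0 bits-per-byte threshold and the sample tree it builds in a temporary directory are all this example's own constructions.

```python
"""Damage inventory for files that gained a ransomware extension.

Added example, not code from the forum post. It answers two questions a
responder needs before hunting for a decryptor:
  1. Is the content still intact underneath the new name (renamed only), or
     does it look encrypted (no known header, near-8-bit entropy)?
  2. Does a file with the original name still exist beside the renamed one?
The magic-byte table, the entropy threshold and the sample tree are this
example's own assumptions.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional

RANSOM_EXT = ".mmvkhja"   # extension reported in the first post
HEAD = 4096               # bytes examined per file

# Minimal header table (assumption: enough for a first pass, extend as needed)
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0": "ole/office-97",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(head: bytes) -> Optional[str]:
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def classify(path: Path, threshold: float = 7.0) -> dict:
    with open(path, "rb") as fh:
        head = fh.read(HEAD)
    original = path.with_suffix("") if path.suffix == RANSOM_EXT else path
    kind = sniff_type(head)
    ent = shannon_entropy(head)
    if kind:
        verdict = "renamed-only"       # header intact: strip the extension
    elif ent >= threshold:
        verdict = "likely-encrypted"   # no header and ciphertext-like bytes
    else:
        verdict = "unknown"            # inspect by hand
    return {"path": str(path), "original_name": original.name,
            "original_present": original != path and original.exists(),
            "type": kind, "entropy": round(ent, 2), "verdict": verdict}


def inventory(root, ext: str = RANSOM_EXT) -> List[dict]:
    return [classify(p) for p in sorted(Path(root).rglob("*" + ext)) if p.is_file()]


def summarize(results: List[dict]) -> Counter:
    return Counter(r["verdict"] for r in results)


def build_sample_tree(root) -> None:
    """Constructed sample data: a JPEG that was only renamed, a file replaced by
    seeded pseudo-random bytes (stand-in for ciphertext), and a renamed file
    whose original still sits beside it."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "photo.jpg.mmvkhja").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    rng = random.Random(2015)
    blob = bytes(rng.getrandbits(8) for _ in range(HEAD))
    (docs / "report.docx.mmvkhja").write_bytes(blob)
    (docs / "notes.txt").write_bytes(b"plain text " * 50)
    (docs / "notes.txt.mmvkhja").write_bytes(blob[:1000])


def demo() -> List[dict]:
    """Build the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    results = demo()
    for r in results:
        print(f"{r['original_name']:<14} {r['verdict']:<17} entropy={r['entropy']:.2f} "
              f"original_present={r['original_present']}")
    print(dict(summarize(results)))
```

Reading the output: "renamed-only" means the header is intact and the file comes back by removing the extension; "likely-encrypted" means the bytes are ciphertext-like and renaming will not help; original_present flags cases where a file with the original name still exists beside the renamed one, which should be checked by hand before anything is moved or a recovery tool is run.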

 



#3 Eugen (Topic Starter)

Posted 20 January 2015 - 07:40 AM

400 views and not even a reply; as I understand it, there is no way to decrypt the files, am I right?



#4 Queen-Evie

Posted 20 January 2015 - 10:24 AM

You have posted in Malware Removal Logs.

At the top of the main Malware Removal Logs page is this

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. However, please be assured that your topic will be looked at and responded to. Your patience is appreciated.


While the average is 5 days there is a possibility that it could be sooner.

#5 Machiavelli (Malware Response Instructor)

Posted 20 January 2015 - 11:40 AM

Hey,
your system isn't clean. :)

Step 1: AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits


Go back to the Dashboard and select Scan Now


If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.


On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#6 Machiavelli (Malware Response Instructor)

Posted 24 January 2015 - 06:35 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~Machiavelli





