

Computer Trojan, confidental / sensitive information


17 replies to this topic

#1 speer

speer

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 13 April 2015 - 08:13 PM

I have a computer which has been badly infected with several viruses and Java exploit trojans. Essentially it makes the computer almost unusable. Any attempt to open any administrative tools or programs brings up a Windows Explorer tab with the program's name asking if you would like to download. Restore and backup are all restricted.

I booted the computer with a Kaspersky disk to scan the computer and, as I suspected, there were many infections. I removed them and rebooted the computer but the issues still persist, so I'm assuming there are still viruses on the computer.

 

The person's computer is used in their business and it's used to store documents and file taxes with. I am currently making an image copy of the hard drive with Clonezilla since these documents are very important. I am going to reinstall a clean copy of Windows 7 Home Premium on the computer. Now my question is: how can I safely extract these important files from the infected HDD copy without reinfecting the clean install? I'm not going to personally spend all day going through this person's documents but would like to provide them with a copy of it to do themselves.

 

If I was to create a folder to put the old image file in on the clean install do you suspect that to cause issues?

 

Much appreciated.


Edited by hamluis, 14 April 2015 - 05:04 PM.
Moved from Am I Infected to Gen Security - Hamluis.



 


#2 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 07:18 PM

Get a sector-by-sector copy in case you have to try undeleting the files, or a sector-by-sector backup (via Acronis boot disk or the like). Looks like you've got some type of ransomware on there and it may have encrypted the data files. If you reinstall before you get a sector-by-sector copy, you'll lose your chance to undelete.

 

As far as putting the data back goes, it may well depend on exactly what trojans are involved here.


Edited by Fremont PC, 14 April 2015 - 07:18 PM.


#3 speer

speer
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 14 April 2015 - 07:23 PM

Scanned with Kaspersky (as in the pics), removed them and rebooted. Still had the symptoms on the system.

 

Reinstalled Windows (no virus symptoms) and installed Avira and scanned. It detected the viruses and removed them. Scanned again and there was nothing detected.

 

Client's important files were kept in the Windows.old folder.



#4 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 07:42 PM

Can the files be opened OK? This might have been in the middle of encryption, so some might be alright, some encrypted. I mention this because I see "trojan-ransom.win32.blocker" in the list, which AFAIK is the fake Cryptolocker aka PCLock. If you didn't get a ransom note, then it likely wasn't done yet (or hopefully, hadn't even begun encrypting).

 

What did Avira come up with? 



#5 speer

speer
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 14 April 2015 - 08:01 PM

I can't recall what the list said, but it looked essentially the same as the one above. I just clicked quarantine for them all.

 

I actually didn't open any of the files, although I looked through a few of the folders to make sure they were there and transferred over.



#6 speer

speer
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 14 April 2015 - 08:03 PM

Do you personally have recommendations for a free anti-virus scanner to use? Avira has never let me down, but I'd like to hear what others use.

 

The client did have an activated Norton anti-virus on the computer at the time while it was still infected.



#7 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 08:07 PM

You might have a look in quarantine to see if there's one you can ID. Even though the filenames might not have changed, some of the files could be encrypted. If you can figure out which trojan did it, you have a shot at decrypting them.

 

If you've still got the system restore points intact in the Clonezilla image, you might be able to get some of the files out of it, so hold on to that image for a while. Get your customer to go over the files and see if they're working OK for him. Might be a tall order to find the encrypted ones, if they're even there.
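The check Fremont PC describes, finding copied files that were encrypted in place while their names stayed the same, is something a technician can script rather than do by eye. The following is an added example and not code from the thread: it applies two cheap tests to each file, whether the leading bytes match the file signature implied by the extension, and whether the content has the near-uniform byte distribution (Shannon entropy close to 8 bits per byte) that ciphertext shows and ordinary documents do not. The signature table, the 7.5-bit threshold and the sample files are constructed for the example.

```python
"""Triage copied user files for signs of in-place ransomware encryption.

Added example, not from the thread. Two checks per file:
  1. Magic bytes: does the file start with the header its extension implies?
  2. Shannon entropy: encrypted content looks like uniform random bytes (~8 bits/byte).
"""
import hashlib
import math
import os
from collections import Counter

# Well-known leading bytes for a few common document types.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".doc": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],
    ".xls": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],
    ".jpg": [b"\xFF\xD8\xFF"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}

# Formats that are already compressed: high entropy is normal there, so only the
# magic-byte check is meaningful for them.
COMPRESSED = {".docx", ".xlsx", ".zip", ".jpg", ".png"}

ENTROPY_THRESHOLD = 7.5   # bits per byte (constructed threshold); text/OLE docs sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(name: str, data: bytes) -> list:
    """Return the reasons this file looks encrypted or damaged (empty list if it looks fine)."""
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    expected = MAGIC.get(ext)
    if expected and not any(data.startswith(sig) for sig in expected):
        reasons.append(f"header does not match {ext} signature")
    # Tiny files give noisy entropy estimates, so only judge files of 256 bytes or more.
    if ext not in COMPRESSED and len(data) >= 256:
        ent = shannon_entropy(data)
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} bits/byte looks like ciphertext")
    return reasons


def triage_tree(root: str) -> dict:
    """Walk a copied folder and map each suspicious path to its reasons."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)   # the first MiB is enough for both checks
            except OSError:
                continue
            reasons = triage_file(fn, data)
            if reasons:
                flagged[path] = reasons
    return flagged


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), so the sample is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: two healthy files and two that look encrypted in place.
SAMPLES = {
    "taxes-2014.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30,
    "notes.txt": b"Quarterly figures for the client. " * 20,
    "invoice.pdf": _pseudo_random(4096),    # header gone, content looks random
    "ledger.xls": _pseudo_random(4096),     # same for an OLE spreadsheet
}


def triage_samples() -> dict:
    """Run triage_file over the constructed samples."""
    return {name: triage_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name}: {'OK' if not reasons else '; '.join(reasons)}")
```

Point `triage_tree` at the copied Documents folder and hand the client the flagged list; anything flagged by both checks is almost certainly not recoverable by opening it, which is where the sector-level image and the restore points Fremont PC mentions come in. The entropy check is skipped for zip-based and image formats on purpose, since a healthy .docx or .jpg is already near 8 bits per byte and would otherwise be a false positive.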



#8 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 08:13 PM

Kaspersky is good and Avira is one of my faves, but with a zero-day version of any given trojan, it's kind of designed to slip past the top names in A/V. That's why you need offsite backups or at least an external drive that gets disconnected when the backups are complete. These guys are getting pretty good at encrypting files rather quickly and they even go after network drives, external drives and backup archives.

 

It would be a good idea to put HitmanPro.Alert 3 on the system. There are some others out there; CryptoPrevent is one.


Edited by Fremont PC, 14 April 2015 - 08:14 PM.


#9 speer

speer
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 14 April 2015 - 08:19 PM

Never ended up taking a Clonezilla copy since it said it had bad sectors and wanted to try and fix them while transferring the files, and I didn't want to risk anything. I installed the HDD in a new computer and transferred the C:\ contents using another piece of software and have it still.

 

I no longer have the computer and have given it back to the client. But do you suspect there still to be hidden viruses / ransom / encrypters hidden on the image even after the Avira clean-up?



#10 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 08:29 PM

I typically scan with 5 or so tools to try to catch everything, but with the newest malware you can't really be sure. The only sure way is to back up, then nuke and pave. As active infections don't usually operate out of the user's data folders (Documents, Photos, Music, etc.) you would have to rely on updates to weed out the ones that weren't caught the first time, unless the user tells you "Yeah, I clicked on this PDF or that file and then..."



#11 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 08:31 PM

So Clonezilla was complaining about bad sectors on the User's HDD? Might want to check that with Crystal Disk Info. His HDD might be getting ready to fail.



#12 Fremont PC

Fremont PC

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 14 April 2015 - 08:33 PM

Some others you might want to consider:

 

Malwarebytes Pro

Malwarebytes Anti-Exploit



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,662 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 PM

Posted 14 April 2015 - 08:39 PM

Since no one asked for it yet, I'll ask: is it possible for you to give us the Kaspersky Rescue CD log so we can see what infections were present on the drive and what preventive measures you should take when the time comes to deal with the data backup you are making of it?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 speer

speer
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 15 April 2015 - 02:22 AM

I won't be able to show the logs since it was done on the client's computer and it's no longer here. Although, after copying the drive and scanning it on a second computer, this is what Avira's report gives back.

 

Let me know if it's the correct information you'd like to see, or if there's anything else you'd like to see.

 

Start of the scan: Tuesday, April 14, 2015  07:59
 
Starting the file scan:
 
Begin scan in 'C:\Users\Mustardtiger\Desktop\Mary infeced hdd'
    [0] Archive type: Runtime Packed
    --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u20-windows-i586-iftw-rv.exe
        [1] Archive type: Runtime Packed
      --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
          [2] Archive type: Runtime Packed
        --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
            [3] Archive type: Runtime Packed
          --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
              [4] Archive type: Runtime Packed
            --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
                [5] Archive type: Runtime Packed
              --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
                  [6] Archive type: Runtime Packed
                --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
                    [7] Archive type: Runtime Packed
                  --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
                      [8] Archive type: Runtime Packed
                    --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u10-windows-i586-iftw.exe
                        [9] Archive type: Runtime Packed
                      --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
                          [10] Archive type: Runtime Packed
                        --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
                            [11] Archive type: Runtime Packed
                          --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
                              [12] Archive type: Runtime Packed
                            --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
                                [13] Archive type: Runtime Packed
                                  [DETECTION] Contains patterns of software PUA/Linkury.Gen2
                                  [WARNING]   Infected files in archives cannot be repaired
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Update_01fb.exe
  [DETECTION] Contains patterns of software PUA/Linkury.Gen2
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\ICReinstall\Setup-MsgPlus-501.exe
  [DETECTION] Contains patterns of software PUA/InstallCore.Gen
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\PB3G38FB\cust[1].htm
  [DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus
                              --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\JRERunOnce.exe
                                  [14] Archive type: Runtime Packed
                                --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
                                    [15] Archive type: ZIP
                                  --> MJjmeN.class
                                      [DETECTION] Contains recognition pattern of the EXP/CVE.2013.2465.2 exploit
                                      [WARNING]   Infected files in archives cannot be repaired
                                  --> QybXLnyob.class
                                      [DETECTION] Contains recognition pattern of the EXP/CVE.2013.2465.2 exploit
                                      [WARNING]   Infected files in archives cannot be repaired
                                  --> vGYGqniE.class
                                      [DETECTION] Contains recognition pattern of the JAVA/Obfus.gfv.1 Java virus
                                      [WARNING]   Infected files in archives cannot be repaired
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
  [DETECTION] Contains recognition pattern of the JAVA/Obfus.gfv.1 Java virus
 
Beginning disinfection:
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
  [DETECTION] Contains recognition pattern of the JAVA/Obfus.gfv.1 Java virus
  [NOTE]      The file was moved to the quarantine directory under the name '51b19273.qua'!
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\PB3G38FB\cust[1].htm
  [DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus
  [NOTE]      The file was moved to the quarantine directory under the name '49e0bdea.qua'!
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\ICReinstall\Setup-MsgPlus-501.exe
  [DETECTION] Contains patterns of software PUA/InstallCore.Gen
  [NOTE]      The file was moved to the quarantine directory under the name '1bbee705.qua'!
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Update_01fb.exe
  [DETECTION] Contains patterns of software PUA/Linkury.Gen2
  [NOTE]      The file was moved to the quarantine directory under the name '7db9a82f.qua'!
 
 
End of the scan: Tuesday, April 14, 2015  11:24
Used time:  1:25:43 Hour(s)
 
The scan has been done completely.
 
  37506 Scanned directories
 1096588 Files were scanned
      8 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 Files were deleted
      0 Viruses and unwanted programs were repaired
      4 Files were moved to quarantine
      0 Files were renamed
      0 Files cannot be scanned
 1096580 Files not concerned
  11574 Archives were scanned
      4 Warnings
      4 Notes
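The report above carries the detail the later replies are asking for, but its nesting makes it easy to misread: the summary counts 8 detections and only 4 files moved to quarantine, because the hits inside runtime-packed installers and the Java cache archive are flagged "cannot be repaired" and stay on disk. The following parser is an added example (not Avira's tool and not code from the thread) that turns the report into structured findings, attributes each archive-member hit to the on-disk file that contains it, and lists the files with a detection that the disinfection pass never quarantined. The sample is an excerpt of the posted report with a few lines omitted; the line-format assumptions (`-->` for archive entries, `[DETECTION]`, `[NOTE]`) are taken from that report only.

```python
"""Parse an Avira scan report into structured findings (added example, not from the thread).

Goal: match every [DETECTION] to the on-disk file it lives in, then show which of
those files never received a quarantine [NOTE] and so are still on the copied drive.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line formats as they appear in the posted report (assumed, not from Avira documentation).
DETECTION_RE = re.compile(r"\[DETECTION\]\s+Contains (?:recognition pattern of the|patterns of software) (\S+)")
QUARANTINE_RE = re.compile(r"\[NOTE\]\s+The file was moved to the quarantine directory under the name '([^']+)'")
SUMMARY_RE = re.compile(r"^(\d+)\s+(.+)$")   # "8 Viruses and/or unwanted programs were found"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")        # absolute Windows path


@dataclass
class Finding:
    path: str               # file on disk that the scanner examined
    member: Optional[str]   # entry inside that file when it was opened as an archive
    signature: str          # Avira detection name, e.g. PUA/Linkury.Gen2
    phase: str              # "scan" or "disinfection"


@dataclass
class Report:
    findings: list = field(default_factory=list)
    quarantined: dict = field(default_factory=dict)   # on-disk path -> .qua name
    summary: dict = field(default_factory=dict)       # counter label -> value


def parse_avira_report(text: str) -> Report:
    report, phase = Report(), "scan"
    container, member = None, None   # current on-disk file and archive member
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection:"):
            phase = "disinfection"
            continue
        if line.startswith("End of the scan"):
            phase = "summary"
            continue
        if phase == "summary":
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group(2)] = int(m.group(1))
            continue
        if line.startswith("--> "):
            target = line[4:]
            if DRIVE_RE.match(target):     # absolute path: a new on-disk file
                container, member = target, None
            else:                          # bare name: a member of the current archive
                member = target
            continue
        if DRIVE_RE.match(line):           # top-level (non-archive) file entry
            container, member = line, None
            continue
        m = DETECTION_RE.search(line)
        if m and container:
            report.findings.append(Finding(container, member, m.group(1), phase))
            continue
        m = QUARANTINE_RE.search(line)
        if m and container:
            report.quarantined[container] = m.group(1)
    return report


def summarize(report: Report) -> dict:
    """Count scan-phase detections per signature."""
    counts = {}
    for f in report.findings:
        if f.phase == "scan":
            counts[f.signature] = counts.get(f.signature, 0) + 1
    return counts


def not_quarantined(report: Report) -> list:
    """On-disk files with a detection that the disinfection pass never quarantined."""
    seen = {f.path for f in report.findings if f.phase == "scan"}
    return sorted(p for p in seen if p not in report.quarantined)


# Excerpt of the report posted above (some lines omitted; paths and names unchanged).
SAMPLE_REPORT = r"""
                          --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
                                  [DETECTION] Contains patterns of software PUA/Linkury.Gen2
                                  [WARNING]   Infected files in archives cannot be repaired
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Update_01fb.exe
  [DETECTION] Contains patterns of software PUA/Linkury.Gen2
                                --> C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
                                    [15] Archive type: ZIP
                                  --> MJjmeN.class
                                      [DETECTION] Contains recognition pattern of the EXP/CVE.2013.2465.2 exploit
                                  --> vGYGqniE.class
                                      [DETECTION] Contains recognition pattern of the JAVA/Obfus.gfv.1 Java virus
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
  [DETECTION] Contains recognition pattern of the JAVA/Obfus.gfv.1 Java virus

Beginning disinfection:
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\f7902f8-5bf81a13
  [NOTE]      The file was moved to the quarantine directory under the name '51b19273.qua'!
C:\Users\Mustardtiger\Desktop\Mary infeced hdd\Users\Mary\AppData\Local\Temp\Update_01fb.exe
  [NOTE]      The file was moved to the quarantine directory under the name '7db9a82f.qua'!

End of the scan: Tuesday, April 14, 2015  11:24
      8 Viruses and/or unwanted programs were found
      4 Files were moved to quarantine
"""

if __name__ == "__main__":
    rep = parse_avira_report(SAMPLE_REPORT)
    print(summarize(rep))
    for p in not_quarantined(rep):
        print("detected but still on disk:", p)
```

Run against the full report, `not_quarantined` returns the chain of Java installers under `AppData\Local\Temp` (the PUA/Linkury.Gen2 hit was inside the last one), which the scanner flagged but left in place; since they sit in the copied `Temp` folder rather than in the client's documents, simply not carrying `AppData` over to the clean install removes them. The `.class` files that were detected as exploit code sat inside the Java deployment cache entry, and that entry was quarantined as a whole, which is why the findings show three member-level hits but only one quarantined path for it.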


#15 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:47 AM

Posted 15 April 2015 - 02:57 AM

Do you have the Avira scan log as well? It can be useful to know what we are dealing with here.


