
Infected: jpeg, pdf, excel, word and video files modified/corrupted.


  • This topic is locked
7 replies to this topic

#1 Seisdoble

Seisdoble

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 27 April 2015 - 04:39 PM

Hi everybody,

 

I am in big trouble. Last week I was infected by a pack of several trojans. As a result, all of my jpeg, pdf, word, excel and video files have been modified/corrupted in such a way that they cannot be opened.

I think I have gotten rid of the trojans by using AdwCleaner, Malwarebytes Anti-Malware and Hitman Pro 3.7. These damaged files are not encrypted, and no message asking for money has been shown at all.

 

Well, I am very concerned about my files, since I have not made any backup of my system and the trojan disabled the System Restore option. I have been able to activate it again, but all the restore points have been deleted, and the shadow copies as well.

 

I've got the three log files generated by the programs described above. Here is a preview of the trojans found:

 

Mbam: Sathurbot, Hijack.SecurityRun, Agent.ED, Tinba

Hitman Pro: Injector, VBKryjetor, Zusy.

 

Please, help me. I am lost and do not know what to do.

 

Thanks.

 

 

 

 




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 AM

Posted 27 April 2015 - 04:43 PM

Hello there,

This sounds like a ransomware infection. The corruption that you mentioned might indeed be encryption after all.

Do your files have any new extensions added onto them?

You might want to look around for any ransom notes that the infection might have dropped.

Regards,
Alex

#3 Seisdoble

Seisdoble
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 27 April 2015 - 04:54 PM

Hi Alexstrasza,

 

No new extension on any file. The names remain the same. I have not seen any ransom note so far.

 

Thanks for answering so quickly.



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 AM

Posted 27 April 2015 - 05:04 PM

Can you retrieve the logs from Malwarebytes and HitmanPro? Perhaps I can get something out from them.

Malwarebytes Anti-Malware scan log
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.
I do not know if you saved the log from HitmanPro, but it would be useful if you still have it.

Regards,
Alex

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:09 AM

Posted 27 April 2015 - 05:10 PM

Ransomware infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your Documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp or .url file.

These are some examples.
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt
RECOVERY_KEY.txt
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
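The two checks the replies above ask the poster to make by hand (are the files really encrypted rather than corrupted, and has a ransom note been dropped) can be scripted. The following is an added triage example written for this thread, not code from BleepingComputer or any of the posters: it compares each file's leading bytes with the signature its extension implies, measures byte entropy (ciphertext sits near 8 bits/byte, an intact JPEG or PDF does not), and looks for the note names quietman7 listed. The folders to scan and the sample files are constructed here; the entropy threshold of 7.5 is an assumption.

```python
"""Ransomware triage helper: header check, entropy check, ransom-note search."""
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes expected for the file types the poster lost.
# DOCX/XLSX are ZIP containers; DOC/XLS are OLE compound files.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

# Note names quoted in the post above; matched case-insensitively.
RANSOM_NOTE_NAMES = {
    "decrypt_instruction.txt", "decrypt_instruction.html", "decrypt_instruction.url",
    "help_decrypt.txt", "help_decrypt.html", "help_decrypt.url", "help_decrypt.png",
    "help_to_decrypt_your_files.bmp", "help_to_decrypt_your_files.txt",
    "recovery_key.txt",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random/encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, entropy_threshold=7.5):
    """'intact', 'encrypted-likely', 'damaged' or 'unknown' (extension not in MAGIC)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    with open(path, "rb") as f:
        data = f.read(1 << 20)          # first MiB is enough for a verdict
    if data.startswith(MAGIC[ext]):
        return "intact"
    # Signature gone: a high-entropy body points at encryption, a flat one at truncation/zeroing.
    return "encrypted-likely" if shannon_entropy(data) >= entropy_threshold else "damaged"


def find_ransom_notes(folders):
    """Paths of files in the given folders whose name is a known ransom-note name."""
    hits = []
    for folder in folders:
        if os.path.isdir(folder):
            for name in os.listdir(folder):
                if name.lower() in RANSOM_NOTE_NAMES:
                    hits.append(os.path.join(folder, name))
    return sorted(hits)


def triage(folders):
    """Classify every known-type file in the folders; also return notes found."""
    verdicts = {}
    for folder in folders:
        for name in os.listdir(folder):
            p = os.path.join(folder, name)
            if os.path.isfile(p) and os.path.splitext(name)[1].lower() in MAGIC:
                verdicts[name] = classify_file(p)
    return verdicts, find_ransom_notes(folders)


def build_sample_dir():
    """Constructed sample: an intact PDF, a 'ciphertext' PDF, a zeroed JPEG and a note."""
    d = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(d, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"% plain text body\n" * 200)
    rng = random.Random(1)              # stand-in for encrypted content
    with open(os.path.join(d, "invoice.pdf"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(d, "photo.jpg"), "wb") as f:
        f.write(b"\x00" * 1024)         # header wiped, but not ciphertext
    with open(os.path.join(d, "HELP_DECRYPT.TXT"), "w") as f:
        f.write("constructed sample note\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    verdicts, notes = triage([sample])
    for name, verdict in sorted(verdicts.items()):
        print(f"{name}: {verdict}")
    print("ransom notes:", notes)
```

On a real machine, pass the Documents folder and C:\ProgramData in place of the sample directory; a file that keeps its name but returns "encrypted-likely" is the pattern the thread is describing.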

#6 Seisdoble

Seisdoble
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 27 April 2015 - 05:16 PM

Sure!

 

Here you are:

 

Mbam:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Fecha del Análisis: 22/04/2015
Tiempo de Análisis: 1:02:54
Archivo de registro: 
Administrador: Si
 
Versión: 2.01.4.1018
Base de datos de Malwares: v2015.04.21.07
Base de datos de rootkits: v2015.04.21.01
Licencia: Premium
Protección contra el Malware: Desactivado
Protección de Webs  Maliciosas: Desactivado
Autoprotección: Desactivado
 
SO: Windows 7 Service Pack 1
CPU: x64
Archivos del Sistema: NTFS
Usuario: Jose
 
Tipo de Análisis: Análisis Estándar
Resultado: Completado
Objetos Analizados: 352994
Tiempo Transcurrido: 4 min, 52 seg
 
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Desactivado
Heurística: Activado
PUP: Advertir
PUM: Activado
 
Procesos: 0
(Sin elementos maliciosos detectados)
 
Modulos: 0
(Sin elementos maliciosos detectados)
 
Llaves del Registro: 6
Trojan.Sathurbot, HKLM\SOFTWARE\CLASSES\CLSID\{F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637},  Cuarentena, [e7543f303b4fc076b3c7a7d89b689e62], 
Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{4DA064A9-2580-46C7-B9C7-9F24429A2CFE},  Cuarentena, [ec4faac5503a181e810e99baf70ec739], 
Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{C7F34354-1782-48AD-BC22-29A33330BC9F},  Cuarentena, [df5caec1d2b860d6cccc79da17ee619f], 
PUP.Optional.BubbleDock.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\kbjlipmgfoamgjaogmbihaffnpkpjajp,  Cuarentena, [0c2fc1aebfcb5adcd2907e71cc379f61], 
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{4DA064A9-2580-46C7-B9C7-9F24429A2CFE},  Cuarentena, [3605fb745f2b072ffd9279daca3b4bb5], 
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{C7F34354-1782-48AD-BC22-29A33330BC9F},  Cuarentena, [211aa2cd5c2e13231682460d6e973ac6], 
 
Valores del Registro: 8
Trojan.Agent.ED, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|mepabo, "C:\Users\Jose\AppData\Local\mepabo\mepabo.exe",  Cuarentena, [16252d427f0bdb5b0a6a093f3cc6718f]
Trojan.Agent.ED, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|mepabo, "C:\Users\Jose\AppData\Local\mepabo\mepabo.exe",  Cuarentena, [16252d427f0bdb5b0a6a093f3cc6718f]
Trojan.Agent.ED, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|mepabo, "C:\Users\Jose\AppData\Local\mepabo\mepabo.exe",  Cuarentena, [16252d427f0bdb5b0a6a093f3cc6718f]
Trojan.Agent, HKU\S-1-5-21-3139242256-2731441878-890169894-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|wincl, C:\Users\Jose\AppData\Roaming\WinSkd\winskd.exe,  Cuarentena, [88b3d29d26649d99088b4dfd81814fb1]
Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{4DA064A9-2580-46C7-B9C7-9F24429A2CFE}|ItemData, C:\Documents and Settings\All Users\Application Data\McAfee,  Cuarentena, [ec4faac5503a181e810e99baf70ec739]
Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{C7F34354-1782-48AD-BC22-29A33330BC9F}|ItemData, C:\Documents and Settings\All Users\Application Data\Malwarebytes,  Cuarentena, [df5caec1d2b860d6cccc79da17ee619f]
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{4DA064A9-2580-46C7-B9C7-9F24429A2CFE}|ItemData, C:\Documents and Settings\All Users\Application Data\McAfee,  Cuarentena, [3605fb745f2b072ffd9279daca3b4bb5]
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{C7F34354-1782-48AD-BC22-29A33330BC9F}|ItemData, C:\Documents and Settings\All Users\Application Data\Malwarebytes,  Cuarentena, [211aa2cd5c2e13231682460d6e973ac6]
 
Datos del Registro: 2
Windows.Tool.Disabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Bueno: (0), Malo: (1),Sustituido,[e259e58a7a104cead8178180a06630d0]
Windows.Tool.Disabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Bueno: (0), Malo: (1),Sustituido,[d86399d6c3c779bdba35837ef80e629e]
 
Carpetas: 0
(Sin elementos maliciosos detectados)
 
Archivo: 8
Trojan.Agent.ED, C:\Users\Jose\AppData\Local\mepabo\mepabo.exe,  Cuarentena, [16252d427f0bdb5b0a6a093f3cc6718f], 
Trojan.Agent, C:\Users\Jose\AppData\Roaming\WinSkd\winskd.exe,  Cuarentena, [88b3d29d26649d99088b4dfd81814fb1], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll, Se eliminará al Reiniciar, [e7543f303b4fc076b3c7a7d89b689e62], 
Trojan.Sathurbot, C:\Users\Jose\AppData\Local\Temp\tmp1084.tmp,  Cuarentena, [94a77af5e1a9c1752c018ee451af9c64], 
Trojan.Tinba, C:\Users\Jose\AppData\Local\Temp\UpdateFlashPlayer_761687cc.exe,  Cuarentena, [df5c0d62216984b293150149c2406a96], 
PUP.Optional.Bubbledock.A, C:\Users\Jose\AppData\Roaming\Bubble Dock.installation.log,  Cuarentena, [0437e58afa9055e1f4a44193ec17f20e], 
PUP.Optional.QuickStart.A, C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pelmeidfhdlhlbjimpabfcbnnojbboma_0.localstorage,  Cuarentena, [ce6d3b348efc38fe54f9360e36cf7e82], 
Trojan.Sathurbot, C:\ProgramData\Microsoft\Security\Client\SecurityHelper.dll, Se eliminará al Reiniciar, [d16a145b058548ee9d6cf75c7d88e31d], 
 
Sectores Físicos: 0
(Sin elementos maliciosos detectados)
 
 
(end)
 
 
 
Hitman Pro log:
 
HitmanPro 3.7.9.240
www.hitmanpro.com
 
   Computer name . . . . : JOSE-WS
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : JOSE-WS\Jose
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (29 days left)
 
   Scan date . . . . . . : 2015-04-22 01:14:15
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 20s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 6
   Traces  . . . . . . . : 130
 
   Objects scanned . . . : 2.287.655
   Files scanned . . . . : 120.789
   Remnants scanned  . . : 733.574 files / 1.433.292 keys
 
Malware _____________________________________________________________________
 
   C:\ProgramData\Microsoft\Security\Client\temp\tmp5ACE.exe -> Quarantined
      Size . . . . . . . : 143.284 bytes
      Age  . . . . . . . : 1.2 days (2015-04-20 21:09:04)
      Entropy  . . . . . : 7.3
      SHA-256  . . . . . : B63E075AF960A32008F470FCAF50D4FA6B3293AD2230E6A03A7B7E79A0E6D585
    > Kaspersky  . . . . : Trojan-Dropper.Win32.Injector.lwfe
      Fuzzy  . . . . . . : 108.0
      Forensic Cluster
         -0.8s C:\ProgramData\Microsoft\Security\Client\temp\tmp5ACE.tmp
          0.0s C:\ProgramData\Microsoft\Security\Client\temp\tmp5ACE.exe
 
   C:\ProgramData\Microsoft\Security\Client\temp\tmp5C83.exe -> Deleted
      Size . . . . . . . : 126.900 bytes
      Age  . . . . . . . : 3.2 days (2015-04-18 19:27:58)
      Entropy  . . . . . : 7.4
      SHA-256  . . . . . : 243C5C502000840AA26FB0ACCD095EC92F1D186A131B7E68FB49AD08C7367A0B
    > Bitdefender  . . . : Gen:Variant.Graftor.184352
    > Kaspersky  . . . . : Trojan-Dropper.Win32.Injector.lvuf
      Fuzzy  . . . . . . : 105.0
      Forensic Cluster
         -0.8s C:\ProgramData\Microsoft\Security\Client\temp\tmp5C83.tmp
          0.0s C:\ProgramData\Microsoft\Security\Client\temp\tmp5C83.exe
 
   C:\ProgramData\Microsoft\Security\Client\temp\tmp9A8B.exe -> Deleted
      Size . . . . . . . : 204.800 bytes
      Age  . . . . . . . : 1.2 days (2015-04-20 20:54:02)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : E74AE1706D4DE42A1CB2DF14790CE368B57EA5195E091AEFB445AE317634C205
      Product  . . . . . : Strato
      Publisher  . . . . : Strato
      Description  . . . : Strato
      Version  . . . . . : 2.03.0007
      LanguageID . . . . : 1126
    > Bitdefender  . . . : Trojan.GenericKD.2312316
    > Kaspersky  . . . . : Trojan.Win32.VBKryjetor.vlu
      Fuzzy  . . . . . . : 94.0
      Forensic Cluster
         -0.7s C:\ProgramData\Microsoft\Security\Client\temp\tmp9A8B.tmp
          0.0s C:\ProgramData\Microsoft\Security\Client\temp\tmp9A8B.exe
 
   C:\ProgramData\Microsoft\Security\Client\temp\tmpD8A2.exe -> Quarantined
      Size . . . . . . . : 323.637 bytes
      Age  . . . . . . . : 3.3 days (2015-04-18 18:57:55)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 0C4D6E109DBF9EB0B146650E48B2C8CA6363A310D1D8299BDC4CFD823656694D
    > Bitdefender  . . . : Gen:Variant.Zusy.137948
      Fuzzy  . . . . . . : 108.0
      Forensic Cluster
         -2.3s C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\002763.log
         -0.9s C:\ProgramData\Microsoft\Security\Client\temp\tmpD8A2.tmp
          0.0s C:\ProgramData\Microsoft\Security\Client\temp\tmpD8A2.exe
          1.1s C:\Users\Jose\AppData\Local\Temp\{4FFFDD30-66B2-48BE-9243-A2133BB10AC6}
 
   C:\ProgramData\Microsoft\Security\Client\temp\tmpD92E.exe -> Deleted
      Size . . . . . . . : 368.027 bytes
      Age  . . . . . . . : 1.2 days (2015-04-20 20:39:01)
      Entropy  . . . . . : 7.4
      SHA-256  . . . . . : E0F134CA1345F62AF3A2F45BE28A3E99E099F7B5303229C937934F19ABB702A2
    > Bitdefender  . . . : Gen:Variant.Mikey.11821
    > Kaspersky  . . . . : Trojan.Win32.Inject.usxw
      Fuzzy  . . . . . . : 104.0
      Forensic Cluster
         -1.0s C:\ProgramData\Microsoft\Security\Client\temp\tmpD92E.tmp
         -0.1s C:\Users\Jose\AppData\Local\Temp\{6EF90C17-1915-4B32-8BC4-0E53DCE23D0A}
          0.0s C:\ProgramData\Microsoft\Security\Client\temp\tmpD92E.exe
 
   C:\Users\Jose\AppData\Local\Temp\Rar$EXa0.862\Installer__7934_il22841.exe -> Deleted
      Size . . . . . . . : 756.240 bytes
      Age  . . . . . . . : 5.2 days (2015-04-16 19:35:38)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 89A156519842A47FCF53CFEA0791A61597AA1636C8B4C2A2506AEF34B77601C4
      Product
      Publisher
      Description
      Version  . . . . . : 1.1.5.90
      Copyright
      RSA Key Size . . . : 2048
      LanguageID . . . . : 1033
      Authenticode . . . : Valid
    > Bitdefender  . . . : Gen:Variant.Adware.Strictor.83379
    > Kaspersky  . . . . : not-a-virus:AdWare.Win32.Amonetize.ajso
      Fuzzy  . . . . . . : 106.0
      Forensic Cluster
         -0.0s C:\Users\Jose\AppData\Local\Temp\Rar$EXa0.862\
          0.0s C:\Users\Jose\AppData\Local\Temp\Rar$EXa0.862\Installer__7934_il22841.exe
 
 
Potential Unwanted Programs _________________________________________________
 
   HKU\S-1-5-21-3139242256-2731441878-890169894-1001_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo) -> Deleted
 
Cookies _____________________________________________________________________
 
   (list of tracking-cookie entries omitted)
 
 
 
 
 
Thank you very much indeed!


#7 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 AM

Posted 27 April 2015 - 05:25 PM

From the Malwarebytes log, it appears that you are infected with a recent version of PClock.

Trojan.Agent, HKU\S-1-5-21-3139242256-2731441878-890169894-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|wincl, C:\Users\Jose\AppData\Roaming\WinSkd\winskd.exe, Cuarentena, [88b3d29d26649d99088b4dfd81814fb1]

There is currently an ongoing discussion in here: New PClock CryptoLocker Ransomware discovered (discussion for your variant starts from page 62).

You might want to consult the topic for more information. Please post any questions related to PClock in that topic.

To avoid confusion, I have asked a Moderator to close this topic.

Regards,
Alex

#8 Seisdoble

Seisdoble
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 27 April 2015 - 05:44 PM

Ok, Alex. Thank you very much again for your support. I will switch to the PClock discussion topic.

 

Best regards,

 

Jose





