Trojan Ransomware + tr/dropper.gen


This topic is locked
8 replies to this topic

#1 SuperSayanPikachu

SuperSayanPikachu

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 08 December 2015 - 09:55 PM

Hi guys,

It all started with mfc100.dll missing for AVG antivirus. After a few days of the error I started getting a problem much like this one, except the files are changing to ".vvv". I have the same problems with Task Manager and msconfig but can run them with admin powers. I lost all my previous system recoveries even though I never accepted to delete the shadow copy. Honestly it feels like this thing is eating my computer slowly, as every time I come back something new happens.

I also just deleted the trojan tr/dropper.gen with Avira antivirus, which I just installed since AVG stopped working without that .dll. And I would like to know if I need to delete anything else to correct it.

 

I think I posted the appropriate files with this post (they are in Portuguese though, didn't find how to do it otherwise).

 

Thank You,
SuperSayanPikachu

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:23 AM

Posted 10 December 2015 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You understand that there is nothing we can do to restore your files.
This fix will remove all I have identified as not being required on your system.
If you agree then proceed, otherwise let me know what your concern is.

Remove these programs in bold via the Control Panel > Programs and Features applet.
IB Updater Service (HKLM\...\WNLT) (Version: 3.0.4.6 - ) <==== ATTENTION
Yontoo Layers 1.10.01 (HKLM\...\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}) (Version: 1.10.01 - ) <==== ATTENTION

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Users\Fatima\AppData\Roaming\lognq-bc.exe
HKU\S-1-5-21-1428692257-2881576881-3923381168-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=PT&userid=5d45ec0d-ef67-4b6b-9598-63caf2332f7e&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
HKU\S-1-5-21-1428692257-2881576881-3923381168-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=PT&userid=5d45ec0d-ef67-4b6b-9598-63caf2332f7e&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
URLSearchHook: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 - (No Name) - {e0301295-ab3e-4af3-979f-3d453c5f9f48} -  No File
SearchScopes: HKLM -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=PT&userid=5d45ec0d-ef67-4b6b-9598-63caf2332f7e&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://search.babylon.com/?q={searchTerms}&affID=113480&babsrc=SP_ss&mntrId=7e2972aa000000000000001b774f9654
SearchScopes: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={F69B32A0-C827-4BA2-9621-B0AE5770951E}&mid=2d7dcf5b8e4347d19360d15f95fa6d55-81480d23719a733949b179c488315bb48fe83f45&lang=pt&ds=AVG&coid=avgtbavg&cmpid=0715av&pr=fr&d=2015-07-29 21:42:20&v=4.1.5.143&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = hxxp://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=6OyHEQuzcf&i=26
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-1428692257-2881576881-3923381168-1001 -> No Name - {E0301295-AB3E-4AF3-979F-3D453C5F9F48} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml [2013-05-23]
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml [2012-07-11]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-02-03]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com [2013-07-12] [not signed]
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] - C:\Program Files\Web Assistant\Firefox => not found
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx <not found>
CHR HKLM\...\Chrome\Extension: [jcdgjdiieiljkfkdcloehkohchhpekkn] - C:\Users\Fatima\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetFB.crx <not found>
CHR HKLM\...\Chrome\Extension: [mdebcffgnijbblbinknkbefciofebcda] - C:\Users\Fatima\AppData\Local\CRE\mdebcffgnijbblbinknkbefciofebcda.crx <not found>
CHR HKLM\...\Chrome\Extension: [niapdbllcanepiiimjjndipklodoedlc] - C:\Users\Fatima\AppData\Local\Temp\YontooLayers.crx <not found>
CHR HKU\S-1-5-21-1428692257-2881576881-3923381168-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mdebcffgnijbblbinknkbefciofebcda] - C:\Users\Fatima\AppData\Local\CRE\mdebcffgnijbblbinknkbefciofebcda.crx <not found>
S4 IBUpdaterService; C:\Windows\system32\dmwu.exe [1156400 2013-04-07] ()
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {E668A1CD-3119-469E-A25A-254DA04314A0} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{F7B87D10-45F5-45E5-B339-B5DF74E2C817}.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{F7B87D10-45F5-45E5-B339-B5DF74E2C817}.exe <==== ATTENTION
AlternateDataStreams: C:\Users\Fatima\Local Settings:init
MSCONFIG\startupreg: AVG_TRAY => "C:\Program Files\AVG\AVG2012\avgtray.exe"
C:\Users\Fatima\AppData\Roaming\lognq-bc.exe
C:\Users\Fatima\Documents\how_recover+ohm.html
C:\Users\Fatima\Documents\how_recover+ohm.txt
C:\Users\Fatima\AppData\Roaming\how_recover+ohm.html
C:\Users\Fatima\AppData\how_recover+ohm.html
C:\Users\Fatima\AppData\Roaming\how_recover+ohm.txt
C:\Users\Fatima\AppData\how_recover+ohm.txt
C:\Users\Fatima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+ohm.html
C:\Users\Fatima\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+ohm.html
C:\Users\Fatima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+ohm.txt
C:\Users\Fatima\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+ohm.txt
C:\Users\Fatima\AppData\LocalLow\how_recover+ohm.html
C:\Users\Fatima\AppData\LocalLow\how_recover+ohm.txt
C:\Users\Fatima\AppData\Local\how_recover+ohm.html
C:\Users\Fatima\AppData\Local\how_recover+ohm.txt
C:\Users\Public\Documents\how_recover+ohm.html
C:\Users\Public\Documents\how_recover+ohm.txt
C:\ProgramData\how_recover+ohm.html
C:\ProgramData\how_recover+ohm.txt
C:\Users\Fatima\Documents\recover_file_dlohimaas.txt
C:\Users\Public\Documents\how_recover+kqm.html
C:\Users\Public\Documents\how_recover+kqm.txt
C:\ProgramData\how_recover+kqm.html
C:\ProgramData\how_recover+kqm.txt
C:\Users\Fatima\Documents\recover_file_xeenrlnsg.txt
C:\Users\Fatima\AppData\LocalLow\how_recover+qqa.html
C:\Users\Fatima\AppData\LocalLow\how_recover+qqa.txt
C:\Users\Fatima\AppData\Local\how_recover+qqa.html
C:\Users\Fatima\AppData\Local\how_recover+qqa.txt
C:\ProgramData\how_recover+qqa.html
C:\ProgramData\how_recover+qqa.txt
C:\Users\Public\Documents\how_recover+qqa.html
C:\Users\Public\Documents\how_recover+qqa.txt
C:\Users\Fatima\Documents\recover_file_agekxbqvi.txt
C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
C:\Users\Fatima\AppData\Roaming\lognq-bc.exe
C:\Users\Fatima\Documents\recover_file_nnpncbmbl.txt
C:\Windows\Minidump\120315-67751-01.dmp
C:\Users\Fatima\AppData\Local\{61D3B106-F665-4C6C-B69B-1D99D791249C}
C:\Users\Fatima\Desktop\Gonçalo Seabra_European_CVPT2.docx.vvv
C:\Windows\Minidump\112515-53274-01.dmp
C:\Windows\Minidump\112215-54023-01.dmp
C:\Windows\Minidump\112215-60996-01.dmp
C:\Windows\Minidump\112115-66612-01.dmp
C:\Windows\Minidump\111815-59405-01.dmp
C:\Users\Fatima\Desktop\Gonçalo Seabra_European_CVEN.doc.vvv
C:\Users\Fatima\Documents\Cartao docidadao copia.docx.vvv
C:\Users\Fatima\Desktop\Gonçalo Seabra_European_CVPT.docx.vvv
C:\Users\Fatima\AppData\Roaming\how_recover+ohm.html
C:\Users\Fatima\AppData\Roaming\how_recover+ohm.txt
C:\Users\Fatima\AppData\Local\how_recover+ohm.html
C:\Users\Fatima\AppData\Local\how_recover+ohm.txt
C:\Users\Fatima\AppData\Local\how_recover+qqa.html
C:\Users\Fatima\AppData\Local\how_recover+qqa.txt
C:\ProgramData\how_recover+kqm.html
C:\ProgramData\how_recover+kqm.txt
C:\ProgramData\how_recover+ohm.html
C:\ProgramData\how_recover+ohm.txt
C:\ProgramData\how_recover+qqa.html
C:\ProgramData\how_recover+qqa.txt

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Please post the logs and let me know what problem persists with this computer.

#3 SuperSayanPikachu

SuperSayanPikachu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 13 December 2015 - 02:12 PM

Hi Nasdaq, thank you so much for the quick reply. Very glad you're with me since you fixed that other user's problem before.

I've been terribly busy these days. Tomorrow I'll run all the steps and post the reports. Just checking in to show I'm still here.

Thank you,

SSP



#4 SuperSayanPikachu

SuperSayanPikachu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 17 December 2015 - 03:41 PM

Sorry for the time once again. I did run the steps 3 days ago though, and since then it seems pretty OK. Not everything seems back the way it was, but from what I understand many settings were changed or reset with the virus, such as losing all passwords, favorites and all in Chrome (don't wanna sync again) or the placeholders in the Windows bottom bar.

Before running the fixes the virus had already stopped, but I had some Windows programs running wild as crazy per turns; that seems to have stopped meanwhile too.

Which antivirus do you recommend? Anything else I should run?

I noticed in msconfig in startup I have two checked off "how_recover+ohm" but find nothing in its location.


Thank you very much.

Attached Files


Edited by SuperSayanPikachu, 17 December 2015 - 03:42 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:23 AM

Posted 18 December 2015 - 08:49 AM

favorites and all in Chrome (don't wanna sync again) or the placeholders in the Windows bottom bar.


Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en


Re-install Chrome.

You may get your Bookmarks and passwords back. Not sure.
<<<>>>


I noticed in msconfig in startup I have two checked off "how_recover+ohm" but find nothing in its location.

They are still listed in the registry.

Please run the Farbar Recovery Scan Tool. Enter how_recover+ohm in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

I might be able to give you a fix to remove them.

#6 SuperSayanPikachu

SuperSayanPikachu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 19 December 2015 - 11:18 AM

Nothing was found. It's located in another place other than the registry, I believe: "c:\users\fatima\appdata\roaming\microsoft\windows\start menu\programs\startup"

 

I have deleted all files "how_recover+xxx" however and nothing's there.

Regarding Chrome I don't mind losing all. I can always sync again with the account. Just chose not to cos this scared me a bit regarding my personal data.

Which free antivirus do you recommend? I'm with Avira now and it seems to be doing a way better job than AVG was.

Attached Files
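A defender-side check for the artifacts named in nasdaq's fixlist and for the Startup folder location found in post #6 (example code added here; it is not from the thread, FRST or any of the tools mentioned): it walks a directory tree, groups the how_recover+xxx notes by their three-letter variant, collects recover_file_*.txt notes and .vvv files, and lists which notes sit in the per-user Startup folder. The sample profile it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators taken from the FRST fixlist in this thread: ransom notes named
# how_recover+<xxx>.html/.txt and recover_file_<name>.txt, and documents
# renamed with a .vvv extension appended to the original name.
NOTE_RE = re.compile(r"^how_recover\+([a-z]{3})\.(html|txt)$", re.IGNORECASE)
RECOVER_RE = re.compile(r"^recover_file_[a-z]+\.txt$", re.IGNORECASE)
ENCRYPTED_EXT = ".vvv"

def scan_tree(root):
    """Walk root; group how_recover notes by their 3-letter variant suffix,
    collect recover_file notes and .vvv files, and return the findings."""
    notes = defaultdict(list)
    recover, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1).lower()].append(path)
            elif RECOVER_RE.match(name):
                recover.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)  # e.g. report.docx.vvv
    return {"note_variants": sorted(notes), "notes": dict(notes),
            "recover_notes": recover, "encrypted": encrypted}

def startup_notes(findings, startup_dir):
    """Notes placed in the per-user Startup folder are launched by Windows at
    logon and are not registry entries, which is why the registry search in
    this thread came up empty; list the ones found there."""
    target = os.path.normcase(os.path.abspath(startup_dir))
    return [p for paths in findings["notes"].values() for p in paths
            if os.path.normcase(os.path.dirname(p)) == target]

def build_sample_tree():
    """Constructed sample profile (not real victim data) mirroring the layout
    in the fixlist; returns (root, startup_folder)."""
    root = tempfile.mkdtemp(prefix="vvv_scan_")
    startup = os.path.join(root, "AppData", "Roaming", "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    docs = os.path.join(root, "Documents")
    os.makedirs(startup)
    os.makedirs(docs)
    for name in ("how_recover+ohm.html", "how_recover+ohm.txt"):
        open(os.path.join(startup, name), "w").close()
    for name in ("how_recover+kqm.txt", "recover_file_agekxbqvi.txt",
                 "cv.docx.vvv", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    return root, startup
```

Pointing scan_tree at a real profile root (for example C:\Users\<name>) produces the list of note and .vvv paths that the fixlist above had to enumerate by hand, and startup_notes shows whether any are still in the Startup folder after the registry is clean.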



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:23 AM

Posted 20 December 2015 - 09:39 AM

Just got a notice today about your type of infection.

Read about it.
http://www.spywareinfoforum.com/topic/118846-spam-frauds-fakes-and-other-malware-deliveries/page-33#entry796878

A new variant of the CryptoWall ransomware distributed via spam
Watch what you are opening. If it is from an unknown source, delete it without opening the message.
To delete it completely, place the cursor on the message, press the SHIFT + DEL keys and click OK.
This way it will not be saved in your deleted items folder and will be gone forever.
===


Check your version of Java and update if advised.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.

Java 8 Update 45
---

Which free antivirus do you recommend? I'm with Avira now and it seems to be doing a way better job than AVG was.

All Antivirus programs are good. They must be kept up to date.

In the case of your infection, if you have opened a SPAM message and connected to one of the suggested links, no antivirus program will detect anything.

Remove Chrome and reinstall the application.

What are the remaining issues?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:23 AM

Posted 25 December 2015 - 10:41 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:23 AM

Posted 31 December 2015 - 08:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



