
Infected by Teslacrypt 3.0; waiting for solution to decrypt files


  • This topic is locked
22 replies to this topic

#1 dojmaster

dojmaster

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 02 February 2016 - 10:59 AM

Hi,

 

My PC was infected by Teslacrypt 3.0 yesterday; ran ESET online scanner and tried to clean all traces of the loader.  Awaiting solution for decryption.

 

Attached are the files generated by FRST (ran FRST after ESET).

 

I'm curious as to HOW I got infected, since I normally do not open suspicious email attachments; I definitely did not do so yesterday.

 

Please recommend a good firewall to prevent future attack.

 

Thanks in advance :D

Attached Files




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 02 February 2016 - 02:50 PM

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.

Please allow me some time to review your logs and I will be back with instructions.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,265 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:38 PM

Posted 02 February 2016 - 06:16 PM

While Sintharius will help you with malware removal and ways to protect yourself from future infection, be aware that there currently is no way of decrypting TeslaCrypt 3.0 .xxx, .ttt, or .micro variants since they use a different protection/key exchange algorithm, a different method of key storage and the key for them cannot be recovered. The .xxx, .ttt and .micro variants do not have a SharedSecret*PrivateKey so they are not supported by the current version of TeslaViewer. If infected with any of these extensions, backup all your encrypted files, send BloodDolly a private message with a link to a few encrypted files after uploading them to SendSpace (see instructions in Post #1) and wait for solution.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 03 February 2016 - 02:47 AM

Hello dojmaster,

Below are some rules that you will need to follow while receiving my assistance:
  • I am currently in training, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.
  • Please do not seek assistance elsewhere without letting me know, as "Too many cooks can spoil the soup".
  • Please do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • If you wish to do other interventions, please let me know. I will assist you if possible.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the Follow this topic button, and make sure a tick is in the receive notifications and is set to Instantly. Any replies should be made in this topic by clicking the Reply to this topic button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. Please inform me if you need more time.
  • Please stay with me until I have confirmed that you are clean. Absence of symptoms does not mean that the computer is clean.
If you do not agree with any of the above, please let me know so I can have this topic closed.

===

I can only help you clean your machine. Please do know that currently there is no solution for TeslaCrypt 3.0 - the best you can do is to backup the encrypted files somewhere and wait.

Regarding the method of infection: My hypothesis is that you got infected via a drive-by download while visiting torrent or porn sites. These locations tend to have exploit kits containing malware lying in wait for visitors to infect them, and TeslaCrypt is one of the more popular payloads.

Please take note of the following warning.

Step 1: Peer-to-peer software

Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features.
If you wish to keep it, please do not use it until your computer is cleaned.

===

Step 2: Multiple antivirus software present

You have two antivirus programs installed - Ad-Aware and Microsoft Security Essentials. Please uninstall one and keep the other.

Let me know which one you decided to keep.

===

Step 3: Search with Farbar Recovery Scan Tool
  • Double-click on FRST.exe/FRST64.exe to open it.
  • In the search box, type the following: *recover*
  • Press the Search Files button, allow FRST to run.
  • A log file Search.txt will appear when complete, please post it in your next reply.

Edited by Sintharius, 03 February 2016 - 02:48 AM.


#5 dojmaster

dojmaster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 03 February 2016 - 11:57 PM

1) I will be keeping BitTorrent, will not use it until the computer is clean.

 

2) Removed Ad-Aware and Microsoft Security Essentials and installed Avast.

 

3) Search.txt attached.

 

Thank you :D

Attached Files



#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 05 February 2016 - 05:11 PM

Hi dojmaster,

I will be keeping bittorrent, will not use it until the computer is clean.

I respect your decision, but please do know that if you plan to continue downloading pirated material then we will not be able to help you in the future, should you become infected again.

Here in Bleeping Computer we do not condone the practice of using pirated material - not only is it illegal, but it also carries the risk of malware.

Please follow the instructions below - remember to follow them in order.

Step 1: Malware sample submission

Please search and submit the file below to this link.
C:\Users\Admin\jonqhvza.exe
===

Step 2: Fix with Farbar Recovery Scan Tool
  • Please download the attached fixlist.txt and save it to your Desktop.
    Note: It's important that both FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.
===

Step 3: Search with Farbar Recovery Scan Tool
  • Double-click on FRST.exe/FRST64.exe to open it.
  • In the search box, type the following: help_recover_instructions*
  • Press the Search Files button, allow FRST to run.
  • A log file Search.txt will appear when complete, please post it in your next reply.

Attached Files
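Both quietman7's advice to back up every encrypted file and the FRST search for help_recover_instructions* above come down to inventorying what TeslaCrypt 3.0 left behind. The script below is an added example, not code from the thread or from FRST: it walks a directory tree, separates files carrying the .xxx/.ttt/.micro suffixes named in the thread from the ransom notes, and reports encrypted files by their original extension so the backup can be checked for completeness. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes quietman7's post names for TeslaCrypt 3.0, and the ransom note
# stem from the FRST search step.
TESLA3_EXTENSIONS = {".xxx", ".ttt", ".micro"}
RANSOM_NOTE_PREFIX = "help_recover_instructions"


def inventory(root):
    """Walk root; return (encrypted_files, ransom_notes) as sorted relative paths."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if os.path.splitext(lower)[1] in TESLA3_EXTENSIONS:
                encrypted.append(rel)
            elif lower.startswith(RANSOM_NOTE_PREFIX):
                notes.append(rel)
    return sorted(encrypted), sorted(notes)


def summarize(encrypted):
    """Count encrypted files by the extension they had before the ransomware suffix."""
    counts = Counter()
    for rel in encrypted:
        original = os.path.splitext(rel)[0]          # strip .xxx/.ttt/.micro
        counts[os.path.splitext(original)[1] or "(none)"] += 1
    return dict(counts)


def build_sample_tree():
    """Constructed sample tree (not from the thread) so the inventory runs offline."""
    root = tempfile.mkdtemp(prefix="tesla_inventory_")
    layout = [
        "Documents/report.docx.micro",
        "Documents/help_recover_instructions+abc.txt",
        "Documents/help_recover_instructions+abc.html",
        "Pictures/holiday.jpg.xxx",
        "Pictures/family.jpg.ttt",
        "Pictures/untouched.png",
    ]
    for rel in layout:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    enc, ransom_notes = inventory(sample_root)
    print(len(enc), "encrypted files by original type:", summarize(enc))
    print(len(ransom_notes), "ransom notes:", ransom_notes)
```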



#7 dojmaster

dojmaster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 06 February 2016 - 12:45 AM

Thank you. I will avoid using bittorrent as much as possible. Most of the time I just use it to download tv shows.

 

1) C:\Users\Admin\jonqhvza.exe -> this file does not exist.

2) fixlog.txt attached

3) search.txt attached

Attached Files



#8 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 09 February 2016 - 04:19 PM

Hello dojmaster,

Please run this to remove the ransom notes on your computer.

Fix with Farbar Recovery Scan Tool
  • Please download fixlist.txt from here and save it to your Desktop.
    Note: It's important that both FRST/FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.


#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 12 February 2016 - 07:03 PM

Are you still with me? It has been two days since my last post.

#10 dojmaster

dojmaster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 14 February 2016 - 04:26 PM

Yes I'm still here :D ... will post the file after the fix...



#11 dojmaster

dojmaster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 15 February 2016 - 01:16 AM

Fixlog.txt attached.

 

Also, I have found the source of infection.  The free version of BitTorrent comes with a web helper called utorrentie.exe, its purpose is to generate ads for the program.  Many of the ads have the TeslaCrypt trojan (as detected by my AV).  I have managed to block the utorrentie.exe process and so far I have remained clean to date.

 

 

Attached Files



#12 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 15 February 2016 - 02:39 PM

Hello dojmaster,

Please create a new set of FRST logs for me - FRST.txt and Addition.txt.

Let me know if there are any other problems. 

#13 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 18 February 2016 - 12:03 PM

Are you still with me? It has been three days since my last post.

#14 dojmaster

dojmaster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:38 PM

Posted 20 February 2016 - 08:51 AM

Yes.

Attached Files


Edited by dojmaster, 20 February 2016 - 09:43 AM.


#15 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:38 AM

Posted 22 February 2016 - 02:21 PM

Hello dojmaster,

Please do this to clean up some remains before we proceed.

Step 1: Fix with Farbar Recovery Scan Tool
  • Please download the attached fixlist.txt and save it to your Desktop.
    Note: It's important that both FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.
===

Step 2: Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note: this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Attached Files





