
Teslacrypt 3.0 infection from "1channel" via "Kodi"


  • This topic is locked
9 replies to this topic

#1 herb420

herb420

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 18 February 2016 - 08:22 AM

Hey, I was recently infected by the Teslacrypt 3.0 while streaming a T.V show on the 1channel repository via Kodi.

 

I tried to stream a show and I got the "working..." tab pop up stating it was trying to buffer the stream. After the first link wouldn't load, I selected the second link on the list of available sites (that the show was being streamed on). After I selected the second site, I got a pop-up on my laptop saying something along the lines of the firewall is restricted and asking if I wanted to allow access; naively, I clicked okay and the stream started to play the episode. After a few minutes of watching the show I could hear an advertisement being played simultaneously as the show was playing. Instantly I had my heart sink as I knew I had allowed malware on my CPU by giving the website access through my firewall. I exited Kodi and disconnected from the internet and ran the Malwarebytes scanner, and while the scan was completing I discovered the .micro file name on all of my files. After a bit of research (with my laptop in safe mode w/networking) I found out I got the Teslacrypt 3.0 infection on my system. Of course I did not have a restore point to go back to and as of now my data is GONE!?!

 

Sorry for the long winded story, just figured the more information out there; the better we can prevent this from happening to others.

 

Thanks in advance for your help!

-herb420

Attached Files: FRST.txt (55.44KB), Addition.txt (27.49KB)

 





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 18 February 2016 - 10:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Create a restore point. Windows 7.
http://windows.microsoft.com/en-ca/windows7/create-a-restore-point

Turn System Restore ON or OFF - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===

This is a very damaging infection. Unless you have a good backup of all your important files there is nothing we can do to restore them.
Read about it.
http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
http://www.bleepingcomputer.com/news/security/teslacrypt-3-0-released-with-new-encryption-algorithm-and-xxx-file-extensions/
===

This fix will remove any traces of this infection.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(BitTorrent Inc.) C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.9.5_41373\utorrentie.exe
(BitTorrent Inc.) C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.9.5_41373\utorrentie.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-19\...\Winlogon: [Userinit] [[%%INSTALLTIME%%]]
HKU\S-1-5-19\...\Winlogon: [Shell] [[%%INSTALLTIME%%]] <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Userinit] [[%%INSTALLTIME%%]]
HKU\S-1-5-20\...\Winlogon: [Shell] [[%%INSTALLTIME%%]] <==== ATTENTION
HKU\S-1-5-21-3719977574-258012898-1556798280-1000\...\Run: [MSConfig] => "C:\Users\Admin\jonqhvza.exe"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => No File
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll => No File
SearchScopes: HKU\S-1-5-21-3719977574-258012898-1556798280-1000 -> {015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3333004&octid=EB_ORIGINAL_CTID&ISID=E4E55AE6-96A7-4114-8280-D42A6DA811D4&SearchSource=58&CUI=&UM=8&UP=SP79BFFCF2-493F-4463-8D51-14D2BBA38ACC&D=072915&q={searchTerms}&SSPV=
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7m38qazu.default\Extensions\artur.dubovoy@gmail.com [2016-02-02]
S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [X]
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [X]
S2 avgntflt; system32\DRIVERS\avgntflt.sys [X]
S1 avipbb; system32\DRIVERS\avipbb.sys [X]
S1 avkmgr; system32\DRIVERS\avkmgr.sys [X]
S2 avnetflt; system32\DRIVERS\avnetflt.sys [X]
C:\Users\Admin\AppData\Roaming\BitTorrent\updates\7.9.5_41373\utorrentie.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7m38qazu.default\Extensions\artur.dubovoy@gmail.com
C:\Users\Admin\jonqhvza.exe
Task: {8734D01D-4180-445F-BC25-8C0D75D73448} - \ProPCCleaner_Start -> No File <==== ATTENTION
Task: {CCB28E1F-704A-4F88-9042-1B0B4EFAAF82} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
C:\Users\Admin\AppData\Local\help_recover_instructions+usr.html
C:\Users\Admin\AppData\Local\Apps\help_recover_instructions+usr.html
C:\Users\Admin\Documents\recover_file_knnfuxyyo.txt
C:\Users\Public\help_recover_instructions+csb.html
C:\Users\Public\Downloads\help_recover_instructions+csb.html
C:\Users\Public\Documents\help_recover_instructions+csb.html
C:\ProgramData\help_recover_instructions+csb.html
C:\Users\Admin\help_recover_instructions+csb.html
C:\Users\Admin\Downloads\help_recover_instructions+csb.html
C:\Users\Admin\Documents\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\help_recover_instructions+csb.html
C:\Users\Admin\AppData\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\help_recover_instructions+csb.html
C:\Users\Admin\AppData\LocalLow\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Local\Apps\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Local\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\help_recover_instructions+csb.png
C:\Users\Admin\AppData\Roaming\Microsoft\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Roaming\Microsoft\help_recover_instructions+csb.png
C:\Users\Admin\AppData\Local\help_recover_instructions+csb.html
C:\Users\Admin\AppData\Local\help_recover_instructions+csb.png
C:\Users\Admin\AppData\Local\help_recover_instructions+usr.html
C:\Users\Admin\AppData\Local\help_recover_instructions+usr.png
C:\ProgramData\help_recover_instructions+csb.png
C:\Users\Admin\Documents\recover_file_fqtqqberj.txt
C:\Program Files (x86)\MyPC Backup

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If present, remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
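The fixlist above deletes the ransom-note drops (help_recover_instructions+csb/usr .html and .png, recover_file_*.txt) but does nothing about the encrypted .micro files themselves, and it gives no picture of how far the encryption reached. The script below is an added, read-only triage example; it is not part of nasdaq's instructions and not part of FRST. It walks the user profiles and ProgramData, counts the .micro files, lists the ransom notes by the same name patterns as the fixlist, and writes an inventory to a CSV. The search roots and the report path are assumed defaults, not values taken from the thread.

```powershell
# Added example, not part of nasdaq's instructions or of FRST.
# Read-only triage for the TeslaCrypt 3.0 hit described in this thread:
# counts files carrying the ".micro" extension the poster saw on his data and
# lists the ransom-note drops that the fixlist deletes, so the scope of the
# encryption is on record before any cleanup runs. Nothing is modified.
# Assumptions: Windows PowerShell 3.0 or later; $Roots and $Report below are
# defaults chosen for this example, not values from the thread.

param(
    [string[]]$Roots  = @("$env:SystemDrive\Users", $env:ProgramData),
    [string]  $Report = (Join-Path $env:USERPROFILE 'Desktop\teslacrypt_triage.csv')
)

# Note names as they appear in the fixlist. Both "+csb" and "+usr" suffixes
# occur on the same machine, so match on the common prefix, not exact names.
$notePatterns = @(
    'help_recover_instructions+*.html',
    'help_recover_instructions+*.png',
    'recover_file_*.txt'
)

function Find-Files {
    param([string[]]$Paths, [string]$Pattern)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Get-ChildItem -LiteralPath $p -Recurse -Force -File -Filter $Pattern `
                -ErrorAction SilentlyContinue
        }
    }
}

$encrypted = @(Find-Files -Paths $Roots -Pattern '*.micro')
$notes     = @($notePatterns | ForEach-Object { Find-Files -Paths $Roots -Pattern $_ })

# Summary: how many encrypted files, where they cluster, and the earliest
# write time (an approximation of when the encryption run started).
$byDir = @($encrypted | Group-Object DirectoryName | Sort-Object Count -Descending)
Write-Host ("Encrypted (.micro) files : {0} across {1} directories" -f $encrypted.Count, $byDir.Count)
if ($encrypted.Count -gt 0) {
    $first = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Host ("Earliest .micro write    : {0}" -f $first)
    $byDir | Select-Object -First 15 Count, Name | Format-Table -AutoSize
}
Write-Host ("Ransom notes found       : {0}" -f $notes.Count)
$notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Full inventory for the record: this list is what a restore from backup has
# to cover, and what any future decryptor would be pointed at.
$all = $encrypted + $notes
if ($all.Count -gt 0) {
    $all | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -NoTypeInformation -Path $Report
    Write-Host "Inventory written to $Report"
} else {
    Write-Host "No .micro files or ransom notes found under the given roots."
}
```

Run it from a normal (non-elevated) prompt first so it only sees the profile it can read; the CSV is what you keep alongside the old drive if you are waiting for a decryptor, since it records which files were hit and when.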

#3 herb420

herb420
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 18 February 2016 - 01:52 PM

Thank you so much!! Very much appreciated! I am at work right now and will follow your instructions when I have a moment. Will keep you updated when I get a chance to look into this.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 24 February 2016 - 08:25 AM

Are you still with me?

#5 herb420

herb420
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 24 February 2016 - 09:13 AM

Yes, thanks for your patience! Just been a long week at work; I have the weekend off so I will get a chance to sit down with it then. Thanks again for checking up, much appreciated friend!

#6 herb420

herb420
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 02 March 2016 - 12:08 PM

-fixlog

 

thanks again

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 02 March 2016 - 01:47 PM

Nothing was found or removed.

It may be because you are running the fix from the Download folder.

Running from C:\Users\Kurt\Downloads

Please copy the Farbar tool to your desktop.
Copy also the Fixlist.txt file you created to the Desktop also.

Run the Farbar tool and the fix as suggested.

Post the fresh Fixlog.txt for my review.

Let me know what problem persists.

#8 herb420

herb420
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 02 March 2016 - 04:47 PM

-fixlog with farbar on desktop

 

I just want to make sure the malware has all been removed; ran Malwarebytes and manually deleted suspicious registry entries. I'm fairly tech savvy but this is a bit over my head lol. Just want to make sure that everything's removed and will install a fresh hard drive. I plan on keeping the old hard drive to the side until a fix is available for the Teslacrypt 3.0 .micro file extensions, because I very foolishly did not have a restore point.

 

Thanks again!!

 

Attached Files



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 03 March 2016 - 08:42 AM

"because I very foolishly did not have a restore point."

The restore points are removed by the bad guys.

===

There could be some remnant items.

Run an online scan with ESET (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take a while; run it when you know you will not need the computer for an hour or two.
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
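nasdaq's point that the restore points were removed by the attackers is worth verifying rather than assuming: occasionally a shadow copy or restore point on a second volume survives, and it is the only local source of pre-encryption file versions. The script below is an added example, not part of nasdaq's reply, that reports what is left of the System Restore machinery without changing anything. It assumes an elevated Windows PowerShell 5.1 prompt on Windows 7/8/10 (Get-ComputerRestorePoint is not available in PowerShell 7).

```powershell
# Added example, not part of nasdaq's reply. Reports whether any Volume Shadow
# Copies, restore points, or the VSS service itself survived a ransomware run.
# Read-only. Assumes an elevated Windows PowerShell 5.1 prompt
# (Get-ComputerRestorePoint does not exist in PowerShell 7).

function Get-RecoveryState {
    # Shadow copies are the storage behind restore points and "Previous Versions".
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    # Restore points as System Restore sees them (empty if the feature is off).
    $points  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    # Service state matters too: a stopped or missing VSS explains an empty list.
    $vss     = Get-Service -Name VSS -ErrorAction SilentlyContinue

    $vssState = 'missing'
    if ($vss) { $vssState = [string]$vss.Status }

    $newest = $null
    if ($shadows.Count -gt 0) {
        $newest = ($shadows | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    }

    [pscustomobject]@{
        ShadowCopies    = $shadows.Count
        RestorePoints   = $points.Count
        VssServiceState = $vssState
        NewestShadow    = $newest
        Volumes         = ($shadows | Select-Object -ExpandProperty VolumeName -Unique) -join ', '
    }
}

$state = Get-RecoveryState
$state | Format-List

if ($state.ShadowCopies -eq 0 -and $state.RestorePoints -eq 0) {
    Write-Host "No shadow copies or restore points remain; recovery has to come from an external backup or a future decryptor."
} else {
    Write-Host "Some snapshots remain. Copy what you need from them (Previous Versions on the affected folders) before running further cleanup."
}
```

If the output shows zero shadow copies but a running VSS service, the copies were deleted rather than never taken, which is consistent with what nasdaq describes; a stopped or disabled service on a machine where System Restore was expected to be on is itself something to note in the incident record.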

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:02 PM

Posted 09 March 2016 - 09:51 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



