Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cryptolocker Infection, please advise.


  • This topic is locked This topic is locked
10 replies to this topic

#1 CoastalData

CoastalData

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 30 December 2016 - 02:54 PM

Hello,

 

A customer just brought a computer to my attention; this is her home laptop, and she found all of her documents renamed to *.crypted, so mydocument.docx becomes mydocument.docx.crypted.

 

I tried renaming a file, as I found some references to "bluffware", but this did not work.

 

The ransom note was found on the laptops' desktop. I think the "3 day deadline" mentioned in the note is gone by, so I do not actually expect to recover data, just to get back to a clean system.

 

I've quarantined the laptop, and have not run any tools on it. It does have an active McAfee subscription, and it appears that it has detected nothing.

 

I can submit sample documents if it helps the cause!

 

How should I proceed with this system? The system is running Windows 10.

 

Thanks in advance!

 

--Jon

 

--Edit: Adding FRST log files

Attached Files


Edited by CoastalData, 30 December 2016 - 03:09 PM.


BC AdBot (Login to Remove)

 


#2 CoastalData

CoastalData
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 30 December 2016 - 03:56 PM

I see that I've posted this in the wrong place, as there is a forum just for Ransomware. Can this post be moved, or should I repost, or leave as is?

 

Over in the other forum, I used "ID Ransomware" and it produced this:

 

 

Nemucod
 This ransomware is decryptable!

Identified by

  • ransomnote_filename: DECRYPT.txt
  • sample_extension: .crypted
  • custom_rule: ransom note contents

 

Click here for more information about Nemucod


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:04 AM

Posted 31 December 2016 - 10:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Stay with this topic.

Execute the instructions on the

Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware

Hope you can get some of your files back in service.

===

When finished, run this fix.

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\...\Run: [BingSvc] => C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\...\Run: [Crypted] => C:\Users\karin\AppData\Local\Temp\a.txt [1353 2016-10-04] () <===== ATTENTION
Startup: C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\317b9.lnk [2016-10-19]
ShortcutTarget: 317b9.lnk ->  (No File)
Startup: C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b2ec.lnk [2016-10-19]
ShortcutTarget: 8b2ec.lnk ->  (No File)
CHR Extension: (Bing) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-09-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Chrome Media Router) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-30]
CHR HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\Software\Classes\bb920: "C:\WINDOWS\system32\mshta.exe" "javascript:M6PHvy1C="tot";Hn35=new ActiveXObject("WScript.Shell");OSPYE7v="ww3l5v";I0vs2z=Hn35.RegRead("HKCU\\software\\aesi\\pbvkrllx");WysS67J="9vbaeu";eval(I0vs2z);SZ7XrV4="rYe";" <===== ATTENTION
C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\317b9.lnk
C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b2ec.lnk

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
===

ADOBE SHOCKWARE

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

Remove this old version if still present via the Control Panel > Programs > Programs and Features.
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.9.159 - Adobe Systems, Inc.)

Edited by nasdaq, 31 December 2016 - 10:18 AM.


#4 CoastalData

CoastalData
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 31 December 2016 - 07:00 PM

Hello,

 

I've got the fix script all setup and ready to go, but I've been spinning my wheels trying to get a file to decrypt; I've found a few pairs of files, encrypted and non-encrypted, but none of them are working for me. Not sure if I should keep on trying, maybe reach out to Emsisoft about the decrypter, and/or continue on with the fix?

 

It shouldn't matter if we go ahead and continue fixing the computer now, right? I could still work with decrypting after, I would think, right?

 

Thoughts?

 

--Jon



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:04 AM

Posted 01 January 2017 - 09:47 AM


You may have a new version.

Go to the end of this topic.

https://www.bleepingcomputer.com/forums/t/608045/nemucod-ransomware-crypted-decrypttxt-support-help-topic/page-36

Ask for help. You may be requeted to submit a good and bad files.

==

p.s.
not sure about you running my fix just yet.

This key is problematic.
Not sure what the Javascrip is performing. It may be a good thing to remove it but I'm not sure if I should just yet.
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\Software\Classes\bb920: "C:\WINDOWS\system32\mshta.exe" "javascript:M6PHvy1C="tot";Hn35=new ActiveXObject("WScript.Shell");OSPYE7v="ww3l5v";I0vs2z=Hn35.RegRead("HKCU\\software\\aesi\\pbvkrllx");WysS67J="9vbaeu";eval(I0vs2z);SZ7XrV4="rYe";" <===== ATTENTION

#6 CoastalData

CoastalData
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 01 January 2017 - 12:50 PM

Okay! I just got a working decryption key, I'm going to get her documents cleared up, and then I'll be ready to proceed.

 

The problematic key above, did you want me to remove that from the script, or are we good to go after decrypting?

 

Thanks so much for your help!

 

--Jon



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:04 AM

Posted 02 January 2017 - 07:55 AM

When ready to proceed and after having restarted the computer run the fix as I have suggested.

#8 CoastalData

CoastalData
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 02 January 2017 - 11:12 AM

Okay, the fix has run as suggested, and the computer has rebooted. Do you need new FRST logs?



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:04 AM

Posted 02 January 2017 - 02:00 PM

Why not just be be sure all is well.

#10 CoastalData

CoastalData
  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 AM

Posted 02 January 2017 - 05:59 PM

Awesome, here they are.

 

Thanks!

Attached Files



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:04 AM

Posted 03 January 2017 - 08:11 AM


All clean.

ADOBE SHOCKWARE

Navigate to this page and follow the instructions and get the latest version.
https://www.adobe.com/shockwave/welcome/

Remove this old version via the Control Panel > Programs > Programs and Features.
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.9.159 - Adobe Systems, Inc.)
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users