
Suspected very persistent trojan/worm/virus/ransomware


  • This topic is locked
3 replies to this topic

#1 jfuld

jfuld

  • Members
  • 1 posts
  • OFFLINE

Posted 26 February 2017 - 03:51 AM

I have a really tough issue and I'd be grateful for anyone's assistance.

I began to notice performance issues and unusually high Internet activity. Finally, I noticed files that were being created inside my document folders. They had unusual extensions and appeared to be encrypted. I deleted them and began to check my system.

I noticed multiple instances of items such as Nvidia, Google Updater, Skype, etc. As I attempted to remove these fair apps, new ones appeared in their place, sometimes as the app I deleted and sometimes other apps.

The hacker is using obfuscation techniques to make it more difficult to search online. For example, an i might be replaced with an l or a 1 and a single letter will be different so when you google the search returns the information on the legitimate app. They also use different names for the process, service and the app. Deleting or turning them off seemed to make it worse.

I tried selective startup and I could not boot to my PC. My attempts to restore my PC failed. My HDD finally bricked. I should also say the system would not let me boot to safe mode. This malware also affected my laptop.

I bought a new HDD and installed Windows 10 Pro. The issues appeared again rapidly and I suspected it might be an infection on my router, so I replaced it. When I did a fresh install the disk was strangely partitioned and I couldn't delete or format 2 sections. I believe this might be a rootkit infection.

I ran a traceroute on one of the services running and it originated from China. I think I've isolated the cause of this intrusion and will post later. This malware created or converted files with the following extensions: .encryptable, .namefile and possibly .thumbs. Notice the use of common names which, when googled, are difficult to track down.

I noticed an unfamiliar cell phone on my network, which is very strange since I thought they would need to be physically within distance of my router signal. I know this is a neighbor so I'm not sure how to explain it. They cleverly turned off network discovery twice so they'd be stealthy. I think they're using a cell phone so it is more difficult to track them down.

I would greatly appreciate your help on this. Thank you.
--
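A defender-side check for the two symptoms described in the post above (process names that imitate legitimate programs by swapping look-alike characters, and files carrying the listed extensions). This is an added example written for this thread, not code from any poster or tool mentioned here; the legitimate-name baseline, the substitution table and the sample process and file lists are constructed assumptions.

```python
# Added example: flag look-alike process names and files with the
# extensions named in the post. All sample data below is constructed.
from pathlib import PureWindowsPath

# Baseline of legitimate program names the poster saw being imitated
# (assumed; extend with your own known-good list).
LEGIT_NAMES = {"nvidia", "googleupdate", "skype"}

# Character swaps the poster described (i -> l or 1) plus a few common ones.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "|": "i"})

# Extensions the poster reported on the encrypted/renamed files.
SUSPECT_EXTENSIONS = {".encryptable", ".namefile", ".thumbs"}


def strip_exe(name: str) -> str:
    """Lower-case a process name and drop a trailing '.exe'."""
    base = name.lower()
    return base[:-4] if base.endswith(".exe") else base


def normalize(name: str) -> str:
    """Fold look-alike characters so 'nvldla.exe' and 'nv1dia.exe' both become 'nvidia'."""
    return strip_exe(name).translate(HOMOGLYPHS)


# Fold the baseline too, so names that legitimately contain 'l' or '0' still match.
LEGIT_FOLDED = {normalize(n): n for n in LEGIT_NAMES}


def lookalike_processes(process_names):
    """Return names that fold onto a legitimate name but are not spelled exactly like it.
    Note: a process that uses the exact legitimate name from the wrong path is not caught
    here; compare image paths and signatures for that case."""
    return [p for p in process_names
            if normalize(p) in LEGIT_FOLDED and strip_exe(p) not in LEGIT_NAMES]


def suspect_files(paths):
    """Return paths whose final extension is one of the reported ones."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in SUSPECT_EXTENSIONS]


# Constructed sample input standing in for a process listing and a folder walk.
SAMPLE_PROCESSES = ["nvidia.exe", "nvldla.exe", "GoogleUpdate.exe",
                    "Goog1eUpdate.exe", "skype.exe", "explorer.exe"]
SAMPLE_FILES = [r"C:\Users\me\Documents\report.docx",
                r"C:\Users\me\Documents\report.docx.encryptable",
                r"C:\Users\me\Pictures\Thumbs.db",
                r"C:\Users\me\Documents\notes.namefile"]

if __name__ == "__main__":
    print("look-alike processes:", lookalike_processes(SAMPLE_PROCESSES))
    print("suspect files:", suspect_files(SAMPLE_FILES))
```

On a live system, feed `lookalike_processes` the names from a process listing and `suspect_files` the results of a directory walk; a hit is a lead to investigate, not proof of infection.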


#2 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:04 PM

Posted 01 March 2017 - 03:12 PM

Hi jfuld & Welcome to the forums ^_^,


I will be helping you with your computer problems. Right now, I am a trainee at the Bleeping Computer Malware Removal Study Hall.
I am Pranav and now that we are friends, I would like to call you by your first name if that is fine with you :hug:

All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please copy and paste the logs back here.
 

While you wait for further instructions, kindly do not run any additional tools as that might complicate the process of fixing your computer and cause delays.

Have a nice day!

Regards,
Pranav

Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#3 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:04 PM

Posted 07 March 2017 - 11:50 AM

Hi Jfuld ^_^,

It has been quite some days since your last reply. Are you still with me?

-Pranav



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,770 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:34 AM

Posted 09 March 2017 - 05:16 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
