Windows 7 Forums



Windows 7: Got hit with Ransomware Encryption Trojan

12 Dec 2014   #11
thebladeroden

Windows 7 64-bit SP1
 
 

Yeah I've been trying to help out in this thread

KeyHolder Ransomware, is this new? - General Security

but with my expertise I'm like a third person trying to help carry a ladder.


12 Dec 2014   #12
cottonball

Windows 7 Home Premium
 
 

thebladeroden,

Quote:
I'm like a third person trying to help carry a ladder
Know that feeling well!!


Please submit a sample of the following files to:
http://www.bleepingcomputer.com/submit-malware.php?channel=3

However, first...
Please go to Start > Control Panel > Folder Options
Click the View tab.
Under Advanced settings, click: Show hidden files, folders, and drives, and then click OK.
Uncheck: Hide protected operating system files
Close out by pressing: OK

C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll

C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe

C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe

When you do, please post back and let me know!

Also, please submit the same files for analysis to VirusTotal:
VirusTotal - Free Online Virus, Malware and URL Scanner

Use the Choose file button to navigate to the location of each file.
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Scan it!, and wait for the results.

If you get a message saying: File has already been analyzed, click: Reanalyze file now

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// etc. address.

Then, provide the http:// address to the results page in your reply.
12 Dec 2014   #13
thebladeroden

Windows 7 64-bit SP1
 
 


12 Dec 2014   #14
cottonball

Windows 7 Home Premium
 
 

Did you submit these files to BC Channel 3:

C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe
C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe

If not, please do.
http://www.bleepingcomputer.com/submit-malware.php?channel=3
13 Dec 2014   #15
thebladeroden

Windows 7 64-bit SP1
 
 

yep
13 Dec 2014   #16
cottonball

Windows 7 Home Premium
 
 

thebladeroden,

Please press on with the instructions in Post #8, and post the fixlog.txt

Thanks!
13 Dec 2014   #17
thebladeroden

Windows 7 64-bit SP1
 
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2014
Ran by Josh at 2014-12-13 18:07:01 Run:1
Running from H:\
Loaded Profiles: (Available profiles: Josh)
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist
end
*****************

Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fiovbon" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\fiovbon => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Users\Josh\AppData\Roaming\Hymyfi => Moved successfully.
C:\ProgramData\FotgaYtutx => Moved successfully.
C:\ProgramData\ywmimux => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe" => File/Directory not found.
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe => Moved successfully.
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe => Moved successfully.
"C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe" => File/Directory not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
C:\Users\Public\Suspicious\conhost1\conhost.exe => Moved successfully.
C:\Users\Public\Suspicious\conhost2\conhost.exe => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm => Moved successfully.
"F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe => Moved successfully.
C:\Windows\system32\Drivers\iicngbln.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\iktxlkeh.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\rgzyaykz.sys => ":changelist" ADS removed successfully.
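The fixlog above is one outcome per fixlist item, and with this many entries it is easy to miss which ones FRST could not act on. The following Python is an added example, not part of this thread and not FRST's own code: it parses a constructed sample built from the same result lines, tallies what was removed versus already absent, and lists the autostart entries the run did not remove so a helper knows what to recheck on the next scan. The line format and the set of persistence markers are assumptions drawn from the log as posted.

```python
import re
from collections import Counter

# Constructed sample in the shape of the FRST fix result posted above
# (lines copied from that log); not an FRST format specification.
SAMPLE_FIXLOG = r"""Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fiovbon" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\fiovbon => value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
"C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe" => File/Directory not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll => Moved successfully.
C:\Windows\system32\Drivers\iicngbln.sys => ":changelist" ADS removed successfully.
"""

RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<result>.+?)\.?$')
WINSOCK_RE = re.compile(r'^Winsock: (?P<target>.+?) was set successfully to .+$')
HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\")
# Autostart locations the fixlist touched (assumed markers); "not found" there
# means the entry was already gone, or the path is an alias of one removed earlier.
PERSISTENCE = ("\\Winlogon\\Notify\\", "\\CurrentVersion\\Run\\", "\\Programs\\Startup\\")

def parse_fixlog(text):
    """Turn each fix result line into {kind, target, outcome, persistence}."""
    entries = []
    for line in text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if m:
            entries.append({"kind": "winsock", "target": m["target"],
                            "outcome": "fixed", "persistence": False})
            continue
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # header/footer lines such as "Processes closed successfully."
        target, result = m["target"], m["result"]
        kind = ("registry" if target.startswith(HIVES)
                else "ads" if "ADS" in result else "file")
        outcome = ("not_found" if "not found" in result.lower()
                   else "fixed" if "successfully" in result else "other")
        entries.append({"kind": kind, "target": target, "outcome": outcome,
                        "persistence": any(p in target for p in PERSISTENCE)})
    return entries

def summarize(entries):
    """Count (kind, outcome) pairs: how much was actually removed vs. absent."""
    return Counter((e["kind"], e["outcome"]) for e in entries)

def unresolved_persistence(entries):
    """Autostart targets the run did not remove; recheck these on the next scan."""
    return [e["target"] for e in entries
            if e["persistence"] and e["outcome"] != "fixed"]
```

On the sample, the only unresolved autostart entry is the `C:\Users\All Users\...\Startup\conhost.exe` path, which on Windows 7 is a junction to `C:\ProgramData`, so it reads "not found" because the ProgramData copy had already been moved a line earlier.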
13 Dec 2014   #18
cottonball

Windows 7 Home Premium
 
 

thebladeroden,

Please provide an update of how it is going with the system?

Any other malware issue left to address?
13 Dec 2014   #19
thebladeroden

Windows 7 64-bit SP1
 
 

Hoping against hope they can someday conjure up a decrypter
14 Dec 2014   #20
cottonball

Windows 7 Home Premium
 
 

Presuming you do not have a backup of the infected files, and using Shadow Volume Copies does not work...
CryptoLocker Ransomware Information Guide and FAQ