
Windows 7: Got hit with Ransomware Encryption Trojan

09 Dec 2014   #1
thebladeroden

Windows 7 64-bit SP1
 
 
Got hit with Ransomware Encryption Trojan

I got a Trojan or something because Microsoft Security Essentials was sounding alarm bells and a scan with Anti-Malware was bringing up stuff too. After some quarantining and rebooting I thought I had gotten rid of the problem.

But later when I started Firefox all my addons were missing, which was weird but restoring its Appdata folder to an earlier date fixed it. Then a couple text files looked like they had part of the text corrupted. Restoring those worked too. Then I saw that there were a lot of files that were Last Modified around the same time.

So I went and did a System Restore. Upon rebooting the PC, Windows said System Restore failed because one file didn't restore correctly. But now there are no other System Restore points to pick (I know there was at least one extra), none of the corrupted files have previous versions available anymore, and my C: drive suddenly has 20 more GB of space (gulp).

It was after that I saw every folder in My Documents had a how_decrypt.gif and how_decrypt.html.



Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 12/8/2014
Scan Time: 5:39:00 PM
Logfile: malwarebytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.08.09
Rootkit Database: v2014.12.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Josh

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 470430
Time Elapsed: 2 hr, 33 min, 49 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 4
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, 46460, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789]
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, 62736, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e]
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, 18692, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997]
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, 38488, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42]

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Zemot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SecurityCenterServer737721932, Quarantined, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Poweliks.B, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CLASSES\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, Quarantined, [85e02040c2ba60d6e188ef131de3bf41],

Registry Values: 3
Trojan.Zemot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 18
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789],
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e],
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42],
Trojan.Clicker, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, Quarantined, [fb6a59076e0edb5b3bd77a73b051f808],
Trojan.GIFFU.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_97b76ed1.exe, Quarantined, [bca9243cdba15fd76d00f0fb69989e62],
Trojan.Agent.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_dd86d5a3.exe, Quarantined, [ee77c799b0cc4beb487704e0f60bf30d],
Trojan.Zemot, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe, Quarantined, [67fe5f018af296a02e7d1cce2dd4ae52],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3450\conhost.exe, Quarantined, [86df92ce106cae88ce447b72e21ffd03],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3900\conhost.exe, Quarantined, [3f26f46c3844b97d070bdc1116eb1de3],
Trojan.FakeMS, C:\Windows\temp\33.tmp, Quarantined, [4e1778e86715dd597d0a39995aa7cc34],
Trojan.Clicker, C:\Windows\temp\conhost.exe, Delete-on-Reboot, [ef76362a77050630b35fd914ef12cd33],
Trojan.Agent.ED, C:\Windows\temp\7942.tmp, Quarantined, [006564fc6a1238feab1493518d749d63],
Trojan.GIFFU.ED, C:\Windows\temp\7AFB.tmp, Quarantined, [ee773030df9d55e1e68778731fe2f808],
Trojan.Clicker, C:\Windows\temp\Low\SessionWin32k\7446\conhost.exe, Quarantined, [72f3e878e993b086987aa84538c93fc1],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.gif, Quarantined, [84e15907245859dd786681d90cf709f7],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.html, Quarantined, [ea7bc9972f4dc670518d3a20db2826da],
Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 737721932.job, Quarantined, [d88dd68acdaf0b2b8ba31d6f48bc26da],

Physical Sectors: 0
(No malicious items detected)


(end)

I haven't noticed any more weird behavior yet, but can you help me rid my comp of this thing if it isn't gone for good, and is there a way to get my files back?


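A defender's way to read a Threat Scan log like the one above, as an added example that is not code from the original post or from Malwarebytes: it parses the detection lines, names which auto-start locations (Run values, a service key, the Startup folder, a .job scheduled task, a Winlogon Notify hook) were touched, and lists what is only scheduled for Delete-on-Reboot, which is the practical answer to "is it gone for good?". The sample log, the placeholder detection ids and the mechanism names are constructed for the example.

```python
import re

# Constructed sample in the Malwarebytes 2.x Threat Scan log format, modelled on the log
# posted above; the bracketed detection ids are placeholders, not the real 32-hex values.
SAMPLE_LOG = r"""Processes: 2
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, 46460, Delete-on-Reboot, [placeholder-id]
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, 38488, Delete-on-Reboot, [placeholder-id]

Registry Keys: 1
Trojan.Zemot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SecurityCenterServer737721932, Quarantined, [placeholder-id],

Registry Values: 1
Trojan.Zemot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [placeholder-id]

Files: 3
Trojan.Clicker, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, Quarantined, [placeholder-id],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.html, Quarantined, [placeholder-id],
Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 737721932.job, Quarantined, [placeholder-id],
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# category, location[, extra fields...], action, [id][,] -- the action is the last field before the id
DETECT_RE = re.compile(r"^(?P<category>[^,]+), (?P<body>.+), (?P<action>[A-Za-z][\w -]*), \[(?P<ident>[^\]]*)\],?$")

# Auto-start locations seen in the posted log, plus the Winlogon Notify hook the FRST fixlist removes
PERSISTENCE_RULES = [
    ("registry Run value", re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?\|", re.I)),
    ("service key", re.compile(r"\\CURRENTCONTROLSET\\SERVICES\\", re.I)),
    ("Winlogon Notify hook", re.compile(r"\\WINLOGON\\NOTIFY\\", re.I)),
    ("Startup folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("scheduled task", re.compile(r"\\Windows\\Tasks\\.+\.job$", re.I)),
]

def parse_log(text):
    """Return one dict per detection line: section, category, location (path or key), action."""
    items, section = [], None
    for raw in text.splitlines():
        head, hit = SECTION_RE.match(raw.strip()), DETECT_RE.match(raw.strip())
        if head:
            section = head.group(1)
        elif hit and section:
            # first field of the body is the path or registry key; pid and value data are dropped
            items.append({"section": section, "category": hit["category"],
                          "location": hit["body"].split(", ")[0], "action": hit["action"]})
    return items

def persistence_mechanism(location):
    # name of the auto-start mechanism this path or key represents, or None
    return next((name for name, rx in PERSISTENCE_RULES if rx.search(location)), None)

def triage(text):
    # what still needs attention: items not yet removed, auto-start artifacts, ransom-note traces
    items = parse_log(text)
    return {
        "pending_reboot": [d["location"] for d in items if d["action"] == "Delete-on-Reboot"],
        "persistence": [(persistence_mechanism(d["location"]), d["location"])
                        for d in items if persistence_mechanism(d["location"])],
        "ransom_notes": [d["location"] for d in items if d["category"].startswith("CryptoDefence")],
    }
```

Anything in `pending_reboot` is still on disk until the machine restarts, and every `persistence` entry is a location worth re-checking after the reboot, since the same auto-start paths are exactly where a re-infection would reappear.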
09 Dec 2014   #2
cottonball

Windows 7 Home Premium
 
 

thebladeroden,

Please plug in a USB pen drive into a clean working computer.

Go to the Farbar Recovery Scan Tool Download
Farbar Recovery Scan Tool Download
Select the download that applies to your system: 64-bit
Save the program to the >> USB pen drive.
Remove USB pen drive when done.

Now, go to the problem computer.
Plug in the USB pen drive which has FRST.
Save the file to the Desktop.

Double-click the FRST file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
The first time the tool is run, it also creates another log: Addition.txt

Please move the two reports produced to the USB pen drive, go back to the clean computer, and post the reports.


Thanks!
09 Dec 2014   #3
thebladeroden

Windows 7 64-bit SP1
 
 


09 Dec 2014   #4
cottonball

Windows 7 Home Premium
 
 

TheBladeRoden,

My apology for the delay. A dear friend passed on this AM.

It appears that lots of action was taken to remove the ransomware Cryptorbit. Programs like ComboFix, RogueKiller, AdwCleaner, Junkware Removal Tool, and Malwarebytes Anti-Malware show their files on the FRST report. Could not see any sign of typical files such as how_decrypt.gif, how_decrypt.html, and others.

Unfortunately, in so far as getting your files back, the situation does not look promising. The removal process appears to have gone too far. Also, the cybercriminals claim there is a deadline to pay up, or all the files will be lost forever. No telling what they will do, even if you pay the ransom!





If you wish, to see if you are clean, you can run the ESET Online Scanner, and see what it detects:
  • Using the Internet Explorer browser, please go to the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button
  • Accept the Terms of Use and click: Start
  • When asked, allow the ActiveX control to install.
  • Next, select Enable detection of potentially unwanted applications and then click Advanced Settings
  • Make sure the following option is UNchecked > Remove found threats, and that > Enable Anti-Stealth technology is checked.
  • Click Start. (This scan can take several hours, so please be patient)
  • Once the scan is completed, select: List of found threats
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop
  • Click the Back button.
  • Click the Finish button
Please provide the ESETlog.txt in your reply.
09 Dec 2014   #5
mdd1963

Windows 7 Home Premium 64 bit
 
 

Send them a pic of your bum, delete your partition(s), and do a full wipe and reload. I'd not pay the ransom even if it was 1 cent/yen/peso!
10 Dec 2014   #6
thebladeroden

Windows 7 64-bit SP1
 
 

Well that only took 22 hours
Do you think one of these could be the original installer?


Attached Files
File Type: txt ESETlog.txt (10.6 KB, 10 views)
11 Dec 2014   #7
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Choose to quarantine and remove all that ESET found!!
11 Dec 2014   #8
cottonball

Windows 7 Home Premium
 
 

@Jacee,
There are some items in the FRST report that need to be addressed, and it will be easier to also address the ESET items in the fixlist.

@thebladeroden,

Please place these instructions on HOLD. This infection is new, and there are experts working on it. You posted in its discussion.


Please do the following...

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Code:
start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe 
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan 
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
C:\Users\Public\Suspicious\conhost1\conhost.exe 
C:\Users\Public\Suspicious\conhost2\conhost.exe 
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm  
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm 
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist 
end
NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.
If for some reason the tool needs a restart, please let the system restart normally and let the tool complete its run.

When done, FRST creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.


The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not to address those items for now.
The folder/file structure appears to be generated by PhotoRec.
Can you provide some info as to what you have stored in them?
Any of them get encrypted by the ransomware?

Thanks!
11 Dec 2014   #9
thebladeroden

Windows 7 64-bit SP1
 
 

Hold off on doing the fixlist thing?

Quote:
The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not to address those items for now.
The folder/file structure appears to be generated by PhotoRec.
Can you provide some info as to what you have stored in them?
Any of them get encrypted by the ransomware?
I was trying to see if I could recover any files deleted from C Drive, but man there is no organizing the results. I'm guessing the flagged exes were ones previously deleted by Anti-Malware?
There were a few unintelligible txt files but other txts and image files looked readable.
11 Dec 2014   #10
cottonball

Windows 7 Home Premium
 
 

thebladeroden,

Quote:
Hold off on doing the fixlist thing?
Yes, please, for now. Need to do some checking on this malware before we remove files.
The ransomware is created by the same authors as CryptoBit, as previously assumed, but has a different twist.

You may want to look at whatever developments appear in the KeyHolder discussion topic:
http://www.bleepingcomputer.com/forums/t/559463/keyholder-support-and-discussion-topic/

Also...
New KEYHolder ransomware brought to you by the same developers of CryptorBit - News

Thanks for your patience!

