Got hit with Ransomware Encryption Trojan

Page 2 of 3

  1. Posts : 74
    Windows 7 64-bit SP1
    Thread Starter
       #11

    Yeah I've been trying to help out in this thread

    KeyHolder Ransomware, is this new? - General Security

    but with my expertise I'm like a third person trying to help carry a ladder.


  2. Posts : 2,470
    Windows 7 Home Premium
       #12

    thebladeroden,

    I'm like a third person trying to help carry a ladder
    Know that feeling well!!


    Please submit a sample of the following files to:
    http://www.bleepingcomputer.com/submit-malware.php?channel=3

    However, first...
    Please go to Start > Control Panel > Folder Options
    Click the View tab.
    Under Advanced settings, click: Show hidden files, folders, and drives, and then click OK.
    Uncheck: Hide protected operating system file
    Close out by pressing: OK

    C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll

    C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
    C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
    C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe

    C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
    C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
    C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
    C:\Users\Public\Suspicious\conhost1\conhost.exe
    C:\Users\Public\Suspicious\conhost2\conhost.exe
    F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe

    When you do, please post back and let me know!

    Also, please submit the same files for analysis to VirusTotal:
    VirusTotal - Free Online Virus, Malware and URL Scanner

    Use the Choose file button to navigate to the location of each file.
    Click on the file, then, click the Open button.
    The file is now displayed in the Submit Box.

    Scroll down and click Scan it!, and wait for the results.

    If you get a message saying: File has already been analyzed, click: Reanalyze file now

    Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// etc. address.

    Then, provide the http:// address to the results page in your reply.
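The post above does the hidden-file and VirusTotal steps through the GUI. As an added example (not from the thread, the helper, or any of the tools named in it), the PowerShell below does the same triage from the console: it looks for the quoted paths with `-Force` so hidden and system-attributed files are returned, and computes a SHA-256 for each one that exists, so the hash can be searched on VirusTotal before anything is uploaded. It assumes PowerShell 3 or later and an elevated prompt; the path list is taken from the post, with the `Documents and Settings` and `Local Settings` variants dropped because on Windows 7 those are junctions onto the `C:\Users` paths already listed. One caveat worth noting: the genuine `conhost.exe` lives only in `System32`, so a file of that name in a Startup folder is masquerading whatever its hash turns out to be.

```powershell
# Added example: locate the files requested in Post #12, including hidden or
# system-attributed ones, and hash them for a VirusTotal lookup.
# Assumes PowerShell 3+ run as Administrator. Paths are the ones quoted in
# the post (junction-based duplicates omitted).
$candidates = @(
    'C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll',
    'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll',
    'C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe',
    'C:\Users\Public\Suspicious\clicker3a\Clicker3.exe',
    'C:\Users\Public\Suspicious\clicker3b\Clicker3.exe',
    'C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe',
    'C:\Users\Josh\AppData\Local\Temp\conhost.exe',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe',
    'C:\Users\Public\Suspicious\conhost1\conhost.exe',
    'C:\Users\Public\Suspicious\conhost2\conhost.exe',
    'F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe'
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, so this also works before PowerShell 4.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $sha.Dispose() }
}

function Get-SuspectFileReport([string[]]$Paths) {
    foreach ($p in $Paths) {
        # -Force returns hidden and system files, which is what the
        # Folder Options steps in the post expose in Explorer.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Present = $false; Size = $null; SHA256 = $null; Note = '' }
            continue
        }
        # A System32 binary name turning up outside System32 is a masquerade.
        $note = ''
        if (Test-Path (Join-Path $env:SystemRoot "System32\$($item.Name)") -and
            $item.DirectoryName -ne (Join-Path $env:SystemRoot 'System32')) {
            $note = 'name collides with a System32 binary'
        }
        [pscustomobject]@{
            Path    = $p
            Present = $true
            Size    = $item.Length
            SHA256  = Get-Sha256Hex $item.FullName
            Note    = $note
        }
    }
}

$report = Get-SuspectFileReport -Paths $candidates
$report | Format-Table -AutoSize -Wrap

# Copies that share a hash are the same sample: one upload covers them all,
# and the hash itself can be searched on VirusTotal without uploading.
$report | Where-Object Present | Group-Object SHA256 | ForEach-Object {
    '{0} file(s) share SHA-256 {1}' -f $_.Count, $_.Name
}
```

Run it from an elevated PowerShell (the `systemprofile` paths are not readable otherwise), and keep the printed table alongside the VirusTotal result links the post asks for.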



  4. Posts : 2,470
    Windows 7 Home Premium
       #14

    Did you submit these files to BC Channel 3:

    C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe
    C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe

    If not, please do.
    http://www.bleepingcomputer.com/submit-malware.php?channel=3


  5. Posts : 74
    Windows 7 64-bit SP1
    Thread Starter
       #15

    yep


  6. Posts : 2,470
    Windows 7 Home Premium
       #16

    thebladeroden,

    Please press on with the instructions in Post #8, and post the fixlog.txt

    Thanks!


  7. Posts : 74
    Windows 7 64-bit SP1
    Thread Starter
       #17

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2014
    Ran by Josh at 2014-12-13 18:07:01 Run:1
    Running from H:\
    Loaded Profiles: (Available profiles: Josh)
    Boot Mode: Safe Mode (with Networking)
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    EmptyTemp:
    Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
    HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
    HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
    HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
    Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    C:\Users\Josh\AppData\Roaming\Hymyfi
    C:\ProgramData\FotgaYtutx
    C:\ProgramData\ywmimux
    C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
    C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan
    C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
    C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
    C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
    C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
    C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
    C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
    C:\Users\Public\Suspicious\conhost1\conhost.exe
    C:\Users\Public\Suspicious\conhost2\conhost.exe
    C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
    F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
    F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
    AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
    AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
    AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist
    end
    *****************

    Processes closed successfully.
    "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fiovbon" => Key deleted successfully.
    "HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
    "HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\fiovbon => value deleted successfully.
    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
    "HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
    Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
    Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
    Winsock: Catalog5-x64 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
    C:\Users\Josh\AppData\Roaming\Hymyfi => Moved successfully.
    C:\ProgramData\FotgaYtutx => Moved successfully.
    C:\ProgramData\ywmimux => Moved successfully.
    "C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe" => File/Directory not found.
    C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
    C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
    C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
    "C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan" => File/Directory not found.
    "C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe => Moved successfully.
    "C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
    "C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
    C:\Users\Public\Suspicious\clicker3a\Clicker3.exe => Moved successfully.
    C:\Users\Public\Suspicious\clicker3b\Clicker3.exe => Moved successfully.
    "C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
    C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe => Moved successfully.
    "C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe" => File/Directory not found.
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe => Moved successfully.
    "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
    C:\Users\Public\Suspicious\conhost1\conhost.exe => Moved successfully.
    C:\Users\Public\Suspicious\conhost2\conhost.exe => Moved successfully.
    "C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll" => File/Directory not found.
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll => Moved successfully.
    "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm" => File/Directory not found.
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm => Moved successfully.
    "F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
    F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe => Moved successfully.
    C:\Windows\system32\Drivers\iicngbln.sys => ":changelist" ADS removed successfully.
    C:\Windows\system32\Drivers\iktxlkeh.sys => ":changelist" ADS removed successfully.
    C:\Windows\system32\Drivers\rgzyaykz.sys => ":changelist" ADS removed successfully.
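The fixlog above is a compact map of where this infection persisted: a Winlogon `Notify` package, a `rundll32` entry in the SYSTEM account's (`S-1-5-18`) `Run` key pointing into `config\systemprofile`, a `conhost.exe` dropped in the all-users Startup folder, three Winsock namespace-catalog entries whose `LibraryPath` had been redirected, and `:changelist` alternate data streams on randomly named driver files. As an added example (not from the thread, the helper, or FRST), the PowerShell below re-audits exactly those locations so a defender can confirm the cleanup held or catch a re-infection. It assumes PowerShell 3 or later run as Administrator; the registry keys and folders are the standard Windows locations, while the rules for what gets flagged are this example's own heuristics, not FRST's.

```powershell
# Added example: re-check the persistence points touched by the FRST fixlog.
# Assumes PowerShell 3+ (Get-Item -Stream, -File, -notin) as Administrator.
# Flagging rules are this example's own heuristics.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Where, [string]$What, [string]$Why) {
    $findings.Add([pscustomobject]@{ Where = $Where; What = $What; Why = $Why })
}
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Winlogon\Notify packages, 64-bit and WOW64 views. fiovbon lived here.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify') {
    Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        Add-Finding $_.PSPath "DllName=$dll" 'Winlogon notification package; rarely populated on Windows 7'
    }
}

# 2. Run values in HKLM and every loaded user hive, including S-1-5-18 (SYSTEM).
#    Flag rundll32 launches and anything stored under the SYSTEM profile.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem HKU:\ | ForEach-Object {
    "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($k in $runKeys) {
    $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notin $metaProps } | ForEach-Object {
        $cmd = [string]$_.Value
        if ($cmd -match 'rundll32' -or $cmd -match 'config\\systemprofile\\AppData') {
            Add-Finding $k "$($_.Name) = $cmd" 'rundll32 launch or payload inside the SYSTEM profile'
        }
    }
}

# 3. Startup folders: an executable named like a System32 binary (conhost.exe
#    in the log) is masquerading; the real one never lives here.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-Path (Join-Path $env:SystemRoot "System32\$($_.Name)")) {
            Add-Finding $dir $_.Name 'same name as a System32 binary'
        }
    }
}

# 4. Winsock NameSpace catalog (FRST's "Catalog5"): every LibraryPath should
#    resolve to a DLL in System32; the fixlog repaired three entries.
$ws = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
    Get-ChildItem "$ws\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = [string](Get-ItemProperty $_.PSPath).LibraryPath
        $lib = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path -LiteralPath $lib)) {
            Add-Finding "$sub\$($_.PSChildName)" "LibraryPath=$raw" 'provider DLL missing; breaks name resolution'
        } elseif ($lib -notlike "$env:SystemRoot\System32\*") {
            Add-Finding "$sub\$($_.PSChildName)" "LibraryPath=$raw" 'provider DLL outside System32'
        }
    }
}

# 5. Alternate data streams on driver files (':changelist' on three .sys files
#    in the log). ':$DATA' is the ordinary file content and is skipped.
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" -ErrorAction SilentlyContinue | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
            Add-Finding $_.FileName $_.Stream 'alternate data stream on a driver file'
        }
}

if ($findings.Count -eq 0) { 'No findings at the audited persistence points.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Each section mirrors one line type in the fixlog, so a finding maps directly back to an FRST entry. The Winsock check is the one to read carefully: the log shows entries whose `LibraryPath` was a bare `mswsock.dll` with no directory, which is why the script expands the value and tests that the file actually exists rather than just comparing strings.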


  8. Posts : 2,470
    Windows 7 Home Premium
       #18

    thebladeroden,

    Please provide an update of how it is going with the system?

    Any other malware issue left to address?


  9. Posts : 74
    Windows 7 64-bit SP1
    Thread Starter
       #19

    Hoping against hope they can someday conjure up a decrypter


  10. Posts : 2,470
    Windows 7 Home Premium
       #20

    Presuming you do not have a backup of the infected files, and using Shadow Volume Copies does not work...
    CryptoLocker Ransomware Information Guide and FAQ


 