#11
Yeah I've been trying to help out in this thread
KeyHolder Ransomware, is this new? - General Security
but with my expertise I'm like a third person trying to help carry a ladder.
thebladeroden,
Know that feeling well!! "I'm like a third person trying to help carry a ladder."
Please submit a sample of the following files to:
http://www.bleepingcomputer.com/submit-malware.php?channel=3
However, first...
Please go to Start > Control Panel > Folder Options
Click the View tab.
Under Advanced settings, click: Show hidden files, folders, and drives, and then click OK.
Uncheck: Hide protected operating system files
Close out by pressing: OK
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
When you do, please post back and let me know!
Also, please submit the same files for analysis to VirusTotal:
VirusTotal - Free Online Virus, Malware and URL Scanner
Use the Choose file button to navigate to the location of each file.
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.
Scroll down and click Scan it!, and wait for the results.
If you get a message saying: File has already been analyzed, click: Reanalyze file now
Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// address.
Then, provide the http:// address to the results page in your reply.
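Before uploading anything it is worth hashing the candidates locally: VirusTotal can be searched by SHA-256 without submitting the file, and several of the paths listed above are one file seen through the compatibility junctions Windows keeps for old software ("Documents and Settings" points at Users, "Local Settings" at AppData\Local, "All Users" at ProgramData). The PowerShell below is an added example, not part of this thread and not FRST; the path list is copied from the post above, and the alias rules assume a default Vista-or-later profile layout.

```powershell
# Added example (not from the thread, not from FRST). Run elevated on the
# infected machine. Assumption: default Vista+ layout, so the legacy folder
# names are junctions and not real directories.

$Candidates = @(
    'C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll',
    'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll',
    'C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe',
    'C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe',
    'C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe',
    'C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe',
    'C:\Users\Public\Suspicious\clicker3a\Clicker3.exe',
    'C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe',
    'C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe',
    'C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe'
)

# Collapse the legacy junction names to the real folder so each file is
# hashed once. A scanner that walks the junctions lists the same file under
# every alias, which is why a fix moves it once and then reports the other
# spellings as "File/Directory not found".
function Resolve-LegacyAlias {
    param([string]$Path)
    $p = $Path -replace '^([A-Za-z]:)\\Documents and Settings\\', '$1\Users\'
    $p = $p   -replace '^([A-Za-z]:)\\Users\\All Users\\',       '$1\ProgramData\'
    $p = $p   -replace '\\Local Settings\\',                      '\AppData\Local\'
    $p = $p   -replace '\\Application Data\\',                    '\AppData\Roaming\'
    return $p
}

$Unique = $Candidates | ForEach-Object { Resolve-LegacyAlias $_ } | Sort-Object -Unique

foreach ($path in $Unique) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force          # -Force: hidden/system files too
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256
        [pscustomobject]@{
            Path   = $path
            SHA256 = $hash.Hash                               # search this on VirusTotal first
            Bytes  = $item.Length
            Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        }
    } else {
        [pscustomobject]@{ Path = $path; SHA256 = 'missing'; Bytes = $null; Hidden = $null }
    }
}
```

Paste the SHA256 column into the VirusTotal search box; only files that return no existing report need the upload described above. Hidden = True on a DLL sitting under a systemprofile AppData folder is itself worth noting in the reply, since that is not where Windows installs its own libraries.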
I couldn't find fiovbon.dll anymore though I did analyze a couple other files
https://www.virustotal.com/en/file/3...is/1418425526/
https://www.virustotal.com/en/file/3...is/1418426001/
https://www.virustotal.com/en/file/9...is/1418425780/
https://www.virustotal.com/en/file/b...is/1418425845/
Did you submit these files to BC Channel 3:
C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe
C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe
If not, please do.
http://www.bleepingcomputer.com/submit-malware.php?channel=3
yep
thebladeroden,
Please press on with the instructions in Post #8, and post the fixlog.txt
Thanks!
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2014
Ran by Josh at 2014-12-13 18:07:01 Run:1
Running from H:\
Loaded Profiles: (Available profiles: Josh)
Boot Mode: Safe Mode (with Networking)
==============================================
Content of fixlist:
*****************
start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist
end
*****************
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fiovbon" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\fiovbon => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Users\Josh\AppData\Roaming\Hymyfi => Moved successfully.
C:\ProgramData\FotgaYtutx => Moved successfully.
C:\ProgramData\ywmimux => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe" => File/Directory not found.
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe => Moved successfully.
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe => Moved successfully.
"C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe" => File/Directory not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
C:\Users\Public\Suspicious\conhost1\conhost.exe => Moved successfully.
C:\Users\Public\Suspicious\conhost2\conhost.exe => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm => Moved successfully.
"F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe => Moved successfully.
C:\Windows\system32\Drivers\iicngbln.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\iktxlkeh.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\rgzyaykz.sys => ":changelist" ADS removed successfully.
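After a fix like the one above the helper normally asks for a fresh FRST scan. The PowerShell below is an added example, not part of this thread and not FRST output, that re-checks the same persistence points the fix list touched: Winlogon\Notify in both registry views, the Run keys under every loaded HKU hive (including S-1-5-18, where the rundll32 entry for fiovbon lived), the Startup folders, the Winsock namespace catalog, and alternate data streams on kernel drivers. The expected Winsock LibraryPath values are copied from the ATTENTION lines FRST printed for this machine; entry numbers differ between Windows versions, so treat them as an assumption to adjust rather than a constant.

```powershell
# Added example (not from the thread, not FRST). Run elevated. Prints every
# entry found at the persistence points the fix list cleaned, so the operator
# can confirm they are gone instead of relying on a second scan alone.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$What) {
    $Findings.Add([pscustomobject]@{ Where = $Where; What = $What })
}

# 1. Winlogon\Notify packages, 64-bit and 32-bit views. winlogon loads the
#    DLLName value at logon; the fiovbon entry was in the Wow6432Node view.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify') {
    if (Test-Path $hive) {
        Get-ChildItem $hive | ForEach-Object {
            Add-Finding $_.PSPath "DLLName=$((Get-ItemProperty $_.PSPath).DLLName)"
        }
    }
}

# 2. Run/RunOnce under every loaded user hive. HKEY_USERS only shows hives
#    that are loaded, so log on as each user (or load hives) for full coverage.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($sid in (Get-ChildItem 'HKU:\').PSChildName) {
    foreach ($run in 'Software\Microsoft\Windows\CurrentVersion\Run',
                     'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = "HKU:\$sid\$run"
        if (Test-Path $key) {
            $props = Get-ItemProperty $key
            foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
                Add-Finding $key "$name = $($props.$name)"
            }
        }
    }
}

# 3. Startup folders. conhost.exe is a legitimate name in System32 but has no
#    business here; anything in these folders runs at logon.
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding $dir "$($_.Name) ($($_.Length) bytes)" }
}

# 4. Winsock namespace catalog. A redirected LibraryPath is loaded into every
#    process that uses Winsock. Expected values: assumption taken from the
#    ATTENTION lines above; adjust the entry numbers for other Windows versions.
$Expected = @{ '000000000001' = '%SystemRoot%\system32\NLAapi.dll'
               '000000000005' = '%SystemRoot%\System32\mswsock.dll' }
foreach ($cat in 'Catalog_Entries', 'Catalog_Entries64') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\$cat"
    foreach ($id in $Expected.Keys) {
        $entry = Get-ItemProperty "$base\$id" -ErrorAction SilentlyContinue
        if ($null -eq $entry) { Add-Finding "$base\$id" 'MISSING'; continue }
        if ($entry.LibraryPath -ne $Expected[$id]) {
            Add-Finding "$base\$id" "LibraryPath=$($entry.LibraryPath) expected $($Expected[$id])"
        }
    }
}

# 5. Alternate data streams on kernel drivers (the fix removed ":changelist").
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" -File | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Add-Finding $_.FileName "ADS $($_.Stream) ($($_.Length) bytes)" }
}

$Findings | Format-Table -AutoSize -Wrap
```

A clean machine normally prints nothing for sections 1, 4 and 5, a handful of known vendor entries for section 2, and an empty or recognisable section 3; anything else goes into the next reply alongside the new FRST logs.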
thebladeroden,
Please provide an update of how it is going with the system?
Any other malware issue left to address?
Hoping against hope they can someday conjure up a decrypter
Presuming you do not have a backup of the infected files, and using Shadow Volume Copies does not work...
CryptoLocker Ransomware Information Guide and FAQ