Got hit with Ransomware Encryption Trojan

thebladeroden · 09 Dec 2014

I got a Trojan or something because Microsoft Security Essentials was sounding alarm bells and a scan with Anti-Malware was bringing up stuff too. After some guaranteeing and rebooting I thought I had gotten rid of the problem.

But later when I started Firefox all my addons were missing, which was weird but restoring its Appdata folder to an earlier date fixed it. Then a couple text files looked like they had part of the text corrupted. Restoring those worked too. Then I saw that there were a lot of files that were Last Modified around the same time.

So I went and did a System Restore, upon rebooting the PC, Windows said System Restore failed because one file didn't restore correctly. But now there are no other System Restore points to pick (I know there was at least one extra) none of the corrupted files have previous versions available anymore, and my C: drive suddenly has 20 more GB of space (gulp)

It was after that I saw every folder in My Documents had a how_decrypt.gif and how_decript.html

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 12/8/2014
Scan Time: 5:39:00 PM
Logfile: malwarebytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.08.09
Rootkit Database: v2014.12.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Josh

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 470430
Time Elapsed: 2 hr, 33 min, 49 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 4
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, 46460, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789]
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, 62736, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e]
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, 18692, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997]
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, 38488, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42]

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Zemot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SecurityCenterServer737721932, Quarantined, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Poweliks.B, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CLASSES\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, Quarantined,

[85e02040c2ba60d6e188ef131de3bf41],

Registry Values: 3
Trojan.Zemot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined,

[73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut,

C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0

\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 18
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789],
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e],
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42],
Trojan.Clicker, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, Quarantined, [fb6a59076e0edb5b3bd77a73b051f808],
Trojan.GIFFU.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_97b76ed1.exe, Quarantined, [bca9243cdba15fd76d00f0fb69989e62],
Trojan.Agent.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_dd86d5a3.exe, Quarantined, [ee77c799b0cc4beb487704e0f60bf30d],
Trojan.Zemot, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe, Quarantined, [67fe5f018af296a02e7d1cce2dd4ae52],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3450\conhost.exe, Quarantined, [86df92ce106cae88ce447b72e21ffd03],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3900\conhost.exe, Quarantined, [3f26f46c3844b97d070bdc1116eb1de3],
Trojan.FakeMS, C:\Windows\temp\33.tmp, Quarantined, [4e1778e86715dd597d0a39995aa7cc34],
Trojan.Clicker, C:\Windows\temp\conhost.exe, Delete-on-Reboot, [ef76362a77050630b35fd914ef12cd33],
Trojan.Agent.ED, C:\Windows\temp\7942.tmp, Quarantined, [006564fc6a1238feab1493518d749d63],
Trojan.GIFFU.ED, C:\Windows\temp\7AFB.tmp, Quarantined, [ee773030df9d55e1e68778731fe2f808],
Trojan.Clicker, C:\Windows\temp\Low\SessionWin32k\7446\conhost.exe, Quarantined, [72f3e878e993b086987aa84538c93fc1],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.gif, Quarantined, [84e15907245859dd786681d90cf709f7],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.html, Quarantined, [ea7bc9972f4dc670518d3a20db2826da],
Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 737721932.job, Quarantined, [d88dd68acdaf0b2b8ba31d6f48bc26da],

Physical Sectors: 0
(No malicious items detected)

(end)

I haven't noticed any more weird behavior yet, but can you help me rid my comp of this thing if it isn't gone for good, and is there a way to get my files back?

cottonball · 09 Dec 2014

thebladeroden,

Please plug in a USB pen drive into a clean working computer.

Go to the Farbar Recovery Scan Tool Download
Farbar Recovery Scan Tool Download
Select the download that applies to your system: 64-bit
Save the program to the >> USB pen drive.
Remove USB pen drive when done.

Now, go to the problem computer.
Plug in the USB pen drive which has FRST.
Save the file to the Desktop.

Double-click the FRST file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
The first time the tool is run, it also creates another log: Addition.txt

Please move the two reports produced to the USB pen drive, go back to the clean computer, and post the reports.

Thanks!

thebladeroden · 09 Dec 2014

I had to pastebin them

FRST - Pastebin.com

addition - Pastebin.com

cottonball · 09 Dec 2014

TheBladeRoden,

My apology for the delay. A dear friend passed on this AM.

It appears that lots of action was taken to remove the ransomware Cryptorbit. Programs like ComboFix, RogueKiller, AdwCleaner, Junkware Removal Tool, and Malwarebytes Anti-Maware show their files on the FRST report. Could not see any sign of typical files such as how_decrypt.gif, how_decript.html, and others.

Unfortunately, in so far as getting your files back, the situation does not look promising. The removal process appears to have gone too far. Also, the cybercriminals claim there is a deadline to pay up, or all the files will be lost forever. No telling what they will do, even if you pay the ransom!

If you wish, to see if you are clean, you can run the ESET Online Scanner, and see what it detects:

Usint the Internet Explorer browser, please go to the ESET Online Scanner Web Page
Select the blue Run ESET Online Scanner button
Accept the Terms of Use and click: Start
When asked, allow the ActiveX control to install.
Next, select Enable detection of potentially unwanted applications and thenclick Advanced Settings
Make sure the following option is UNchecked > Remove found threats, and that > Enable Anti-Stealth technology is checked.
Click Start. (This scan can take several hours, so please be patient)
Once the scan is completed, select: List of found threats
Select Export to text file... and save the file as ESETlog.txt on your Desktop
Click the Back button.
Click the Finish button

Please provide the Esetlog.txt in your reply.

mdd1963 · 09 Dec 2014

Send them a pic of your bum, delete your partition(s), and do a full wipe and reload. I'd not pay the ransom even if it was 1 cent/yen/peso!

thebladeroden · 10 Dec 2014

Well that only took 22 hours

Do you think one of these could be the original installer?

Jacee · 11 Dec 2014

Choose to quarantine and remove all that ESET found!!

cottonball · 11 Dec 2014

@Jacee,
There are some items in the FRST report that need addressed, and it will be easier to also address the ESET items in the fixlist.

@thebladeroden,

Please place these instructions on HOLD. This infection is new, and there are experts working on it. You posted in its discussion.

Please do the following...

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Code:

start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe 
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan 
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
C:\Users\Public\Suspicious\conhost1\conhost.exe 
C:\Users\Public\Suspicious\conhost2\conhost.exe 
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm  
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm 
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist 
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.
If for some reason the tool needs a restart, please let the system restart normally. and let the tool complete its run.

When done, FRST creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.

The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not address those items for now.
The folder/file structure appears to be generated by PhotoRec
Can you provide some info as to what you have stored in them.
Any of them get encrypted by the ransomware?

Thanks!

thebladeroden · 11 Dec 2014

Hold off on doing the fixlist thing?

The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not address those items for now.
The folder/file structure appears to be generated by PhotoRec
Can you provide some info as to what you have stored in them.
Any of them get encrypted by the ransomware?

I was trying to see if I could recover any files deleted from C Drive, but man there is no organizing the results. I'm guessing the flagged exes were ones previously deleted by Anti-Malware?
There were a few unintelligible txt files but other txts and image files looked readable.

cottonball · 11 Dec 2014

thebladeroden,

Hold off on doing the fixlist thing?

Yes, please, for now. Need to do some checking on this malware before we remove files.
The ransomware is created by the same authors as CryptoBit, as previously assumed, but has a different twist.

You may want to look at whatever developments appear in the KeyHolder discussion topic:
http://www.bleepingcomputer.com/forums/t/559463/keyholder-support-and-discussion-topic/

Also...
New KEYHolder ransomware brought to you by the same developers of CryptorBit - News

Thanks for your patience!

.