Got hit with Ransomware Encryption Trojan

thebladeroden

I got a Trojan or something because Microsoft Security Essentials was sounding alarm bells and a scan with Anti-Malware was bringing up stuff too. After some quarantining and rebooting I thought I had gotten rid of the problem.

But later when I started Firefox all my addons were missing, which was weird but restoring its Appdata folder to an earlier date fixed it. Then a couple text files looked like they had part of the text corrupted. Restoring those worked too. Then I saw that there were a lot of files that were Last Modified around the same time.

So I went and did a System Restore. Upon rebooting the PC, Windows said System Restore failed because one file didn't restore correctly. But now there are no other System Restore points to pick (I know there was at least one extra), none of the corrupted files have previous versions available anymore, and my C: drive suddenly has 20 more GB of space (gulp).

It was after that I saw that every folder in My Documents had a how_decrypt.gif and how_decrypt.html.



Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 12/8/2014
Scan Time: 5:39:00 PM
Logfile: malwarebytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.08.09
Rootkit Database: v2014.12.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Josh

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 470430
Time Elapsed: 2 hr, 33 min, 49 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 4
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, 46460, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789]
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, 62736, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e]
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, 18692, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997]
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, 38488, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42]

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Zemot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SecurityCenterServer737721932, Quarantined, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Poweliks.B, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CLASSES\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, Quarantined, [85e02040c2ba60d6e188ef131de3bf41],

Registry Values: 3
Trojan.Zemot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]
Trojan.Zemot, HKU\S-1-5-21-1096825299-2601053131-2088073329-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 18
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789],
Trojan.Agent.ED, C:\Windows\temp\A4F6.tmp, Delete-on-Reboot, [b8ad520ec6b6072f343230be36cbf20e],
Trojan.Zemot, C:\Windows\SysWOW64\owuhgyfu.exe, Delete-on-Reboot, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42],
Trojan.Clicker, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, Quarantined, [fb6a59076e0edb5b3bd77a73b051f808],
Trojan.GIFFU.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_97b76ed1.exe, Quarantined, [bca9243cdba15fd76d00f0fb69989e62],
Trojan.Agent.ED, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_dd86d5a3.exe, Quarantined, [ee77c799b0cc4beb487704e0f60bf30d],
Trojan.Zemot, C:\Users\Josh\AppData\Local\Temp\UpdateFlashPlayer_f43266db.exe, Quarantined, [67fe5f018af296a02e7d1cce2dd4ae52],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3450\conhost.exe, Quarantined, [86df92ce106cae88ce447b72e21ffd03],
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\3900\conhost.exe, Quarantined, [3f26f46c3844b97d070bdc1116eb1de3],
Trojan.FakeMS, C:\Windows\temp\33.tmp, Quarantined, [4e1778e86715dd597d0a39995aa7cc34],
Trojan.Clicker, C:\Windows\temp\conhost.exe, Delete-on-Reboot, [ef76362a77050630b35fd914ef12cd33],
Trojan.Agent.ED, C:\Windows\temp\7942.tmp, Quarantined, [006564fc6a1238feab1493518d749d63],
Trojan.GIFFU.ED, C:\Windows\temp\7AFB.tmp, Quarantined, [ee773030df9d55e1e68778731fe2f808],
Trojan.Clicker, C:\Windows\temp\Low\SessionWin32k\7446\conhost.exe, Quarantined, [72f3e878e993b086987aa84538c93fc1],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.gif, Quarantined, [84e15907245859dd786681d90cf709f7],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.html, Quarantined, [ea7bc9972f4dc670518d3a20db2826da],
Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 737721932.job, Quarantined, [d88dd68acdaf0b2b8ba31d6f48bc26da],

Physical Sectors: 0
(No malicious items detected)


(end)

I haven't noticed any more weird behavior yet, but can you help me rid my comp of this thing if it isn't gone for good, and is there a way to get my files back?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 64-bit SP1
CPU
Intel Core2 Quad Q6600 2.40 GHz
Motherboard
Intel DP35DP
Memory
Kingston ValueRAM 3x2GB PC2-5300 667 MHz
Graphics Card(s)
Asus ENGTX460
Sound Card
Creative Xtreme Fatality
Monitor(s) Displays
Acer V193w
Screen Resolution
1440x900
Hard Drives
Samsung HD502HJ 500GB
Seagate Barracuda 320GB
PSU
EVGA 100-B1-0500-KR
Case
Tsunami Dream
Cooling
1x90mm fan, 2x120mm fan
Keyboard
Microsoft Digital Media Pro Keyboard
Mouse
Razer Diamondback
Internet Speed
20mbps
Other Info
DVD Drive
DVD-RW Drive
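The Malwarebytes log in the opening post is a flat list of detections, but the useful triage question is which autostart points the infection touched (Run keys, a fake "SecurityCenterServer" service, the Startup folder, a scheduled task, a hijacked CLSID) and which removals are still pending a reboot. The following is an added example of mine, not Malwarebytes' tooling and not code from anyone in this thread: it parses the 2.x Threat Scan log format and groups detections by the persistence mechanism they represent. The sample is a constructed excerpt of the posted log with the section counts adjusted to the lines kept, and the persistence labels are my own heuristics rather than a Malwarebytes taxonomy.

```python
import re
from collections import defaultdict

# Constructed excerpt of the log quoted in the opening post; section counts
# were adjusted to match the lines kept here.
SAMPLE_LOG = r"""
Processes: 2
Trojan.Clicker, C:\Users\Josh\AppData\Local\Temp\conhost.exe, 46460, Delete-on-Reboot, [065fe57bb5c7e05692800be269987789]
Trojan.Zemot, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, 38488, Delete-on-Reboot, [73f2ff61b8c463d3ebc01cce3ec3be42]

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Zemot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SecurityCenterServer737721932, Quarantined, [a9bcd28ee993cc6a5952b03a12ef6997],
Trojan.Poweliks.B, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CLASSES\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, Quarantined, [85e02040c2ba60d6e188ef131de3bf41],

Registry Values: 1
Trojan.Zemot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Cyecigruywgut, C:\Users\Josh\AppData\Roaming\Hymyfi\rasyag.exe, Quarantined, [73f2ff61b8c463d3ebc01cce3ec3be42]

Files: 4
Trojan.Clicker, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, Quarantined, [fb6a59076e0edb5b3bd77a73b051f808],
CryptoDefence.Trace, C:\Users\Josh\Desktop\how_decrypt.html, Quarantined, [ea7bc9972f4dc670518d3a20db2826da],
Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 737721932.job, Quarantined, [d88dd68acdaf0b2b8ba31d6f48bc26da],
Trojan.Clicker, C:\Windows\temp\conhost.exe, Delete-on-Reboot, [ef76362a77050630b35fd914ef12cd33],
"""

# Section headers that precede detection lines in a 2.x Threat Scan log.
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# category, <location[, pid | , value data]>, action, [32-hex id][,]
DETECTION_RE = re.compile(
    r"^(?P<category>[^,]+), (?P<body>.+?), "
    r"(?P<action>Quarantined|Delete-on-Reboot|No Action Taken), "
    r"\[(?P<id>[0-9a-f]{32})\],?$"
)

# Heuristic autostart classification (my labels, matched case-insensitively).
PERSISTENCE_RULES = [
    (r"\\currentversion\\run(once)?\b", "Run key"),
    (r"\\currentcontrolset\\services\\", "service"),
    (r"\\start menu\\programs\\startup\\", "Startup folder"),
    (r"\\windows\\tasks\\.*\.job$", "scheduled task"),
    (r"\\classes\\clsid\\", "COM CLSID"),
]


def classify_persistence(location):
    """Return the persistence label for a path or registry location, or None."""
    loc = location.lower()
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, loc):
            return label
    return None


def parse_mbam_log(text):
    """Return (entries, mismatches).

    A mismatch is a section whose declared count differs from the lines parsed,
    which is what a forum- or mail-wrapped log (like the posted one) produces.
    """
    entries, mismatches = [], []
    section, declared, seen = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1) in SECTIONS:
            if section is not None and declared != seen:
                mismatches.append((section, declared, seen))
            section, declared, seen = m.group(1), int(m.group(2)), 0
            continue
        m = DETECTION_RE.match(line)
        if section is None or not m:
            continue
        body, extra = m.group("body"), None
        if section in ("Processes", "Registry Values"):
            body, extra = body.rsplit(", ", 1)    # trailing PID, or the value's data
        seen += 1
        entries.append({"section": section, "category": m.group("category"),
                        "location": body, "extra": extra, "action": m.group("action"),
                        "id": m.group("id"), "persistence": classify_persistence(body)})
    if section is not None and declared != seen:
        mismatches.append((section, declared, seen))
    return entries, mismatches


def summarize(entries):
    """Group detections by persistence mechanism and list removals pending a reboot."""
    persistence = defaultdict(list)
    for e in entries:
        if e["persistence"]:
            persistence[e["persistence"]].append(e["location"])
    pending = [e["location"] for e in entries if e["action"] == "Delete-on-Reboot"]
    return {"total": len(entries), "pending_reboot": pending, "persistence": dict(persistence)}


if __name__ == "__main__":
    found, bad = parse_mbam_log(SAMPLE_LOG)
    report = summarize(found)
    for label, where in report["persistence"].items():
        print(f"{label}: {where}")
    print("pending reboot:", report["pending_reboot"])
    print("count mismatches:", bad)
```

Two things the grouping makes visible that the raw log does not: the same rasyag.exe is registered under three Run keys (HKLM Wow6432Node plus two in the user hive), so one quarantined file and one surviving key would be enough to bring it back; and the Delete-on-Reboot entries are files Malwarebytes could not remove while they were running, so "no weird behaviour yet" before that reboot says little about whether the removal took.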
thebladeroden,

Please plug in a USB pen drive into a clean working computer.

Go to the Farbar Recovery Scan Tool Download
Select the download that applies to your system: 64-bit
Save the program to the >> USB pen drive.
Remove USB pen drive when done.

Now, go to the problem computer.
Plug in the USB pen drive which has FRST.
Save the file to the Desktop.

Double-click the FRST file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
The first time the tool is run, it also creates another log: Addition.txt

:ar: Please move the two reports produced to the USB pen drive, go back to the clean computer, and post the reports.


Thanks!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!

TheBladeRoden,

My apology for the delay. A dear friend passed on this AM.

It appears that lots of action was taken to remove the ransomware Cryptorbit. Programs like ComboFix, RogueKiller, AdwCleaner, Junkware Removal Tool, and Malwarebytes Anti-Malware show their files on the FRST report. Could not see any sign of typical files such as how_decrypt.gif, how_decrypt.html, and others.

Unfortunately, in so far as getting your files back, the situation does not look promising. The removal process appears to have gone too far. Also, the cybercriminals claim there is a deadline to pay up, or all the files will be lost forever. No telling what they will do, even if you pay the ransom!





If you wish, to see if you are clean, you can run the ESET Online Scanner, and see what it detects:
  • Using the Internet Explorer browser, please go to the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button
  • Accept the Terms of Use and click: Start
  • When asked, allow the ActiveX control to install.
  • Next, select Enable detection of potentially unwanted applications and then click Advanced Settings
  • Make sure the following option is UNchecked > Remove found threats, and that > Enable Anti-Stealth technology is checked.
  • Click Start. (This scan can take several hours, so please be patient)
  • Once the scan is completed, select: List of found threats
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop
  • Click the Back button.
  • Click the Finish button
:ar: Please provide the ESETlog.txt in your reply.
 
Send them a pic of your bum, delete your partition(s), and do a full wipe and reload. I'd not pay the ransom even if it was 1 cent/yen/peso!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Home Premium 64 bit
CPU
AMD A4
Memory
5 GB
Graphics Card(s)
Integrated Radeon
Hard Drives
500 gb WD
Antivirus
360 TS
Browser
IE
Well that only took 22 hours :p
Do you think one of these could be the original installer?
 

Attachments

Choose to quarantine and remove all that ESET found!!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
@Jacee,
There are some items in the FRST report that need to be addressed, and it will be easier to also address the ESET items in the fixlist.

@thebladeroden,

Please place these instructions on HOLD. This infection is new, and there are experts working on it. You posted in its discussion.


Please do the following...

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Code:
start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe 
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan 
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf 
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe 
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
C:\Users\Public\Suspicious\conhost1\conhost.exe 
C:\Users\Public\Suspicious\conhost2\conhost.exe 
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm  
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm 
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe  
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist 
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.
If for some reason the tool needs a restart, please let the system restart normally, and let the tool complete its run.

When done, FRST creates a report on the Desktop called: Fixlog.txt

:ar: Please post the Fixlog.txt in your reply.


The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not to address those items for now.
The folder/file structure appears to be generated by PhotoRec.
Can you provide some info as to what you have stored in them?
Did any of them get encrypted by the ransomware?

Thanks!
 
Hold off on doing the fixlist thing?

The ESET scan reported some issues in drive I (FreeAgent Drive). Opted not to address those items for now.
The folder/file structure appears to be generated by PhotoRec.
Can you provide some info as to what you have stored in them?
Did any of them get encrypted by the ransomware?

I was trying to see if I could recover any files deleted from C Drive, but man there is no organizing the results. I'm guessing the flagged exes were ones previously deleted by Anti-Malware?
There were a few unintelligible txt files but other txts and image files looked readable.
 

thebladeroden,

Hold off on doing the fixlist thing?
Yes, please, for now. Need to do some checking on this malware before we remove files.
The ransomware is created by the same authors as CryptorBit, as previously assumed, but has a different twist.

You may want to look at whatever developments appear in the KeyHolder discussion topic:
http://www.bleepingcomputer.com/forums/t/559463/keyholder-support-and-discussion-topic/

Also...
New KEYHolder ransomware brought to you by the same developers of CryptorBit - News

Thanks for your patience!


 

thebladeroden,

I'm like a third person trying to help carry a ladder
Know that feeling well!! :D


Please submit a sample of the following files to:
http://www.bleepingcomputer.com/submit-malware.php?channel=3

However, first...
:info: Please go to Start > Control Panel > Folder Options
Click the View tab.
Under Advanced settings, click: Show hidden files, folders, and drives, and then click OK.
Uncheck: Hide protected operating system files
Close out by pressing: OK

C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll

C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe

C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe

:ar: When you do, please post back and let me know!

Also, please submit the same files for analysis to VirusTotal:
VirusTotal - Free Online Virus, Malware and URL Scanner

Use the Choose file button to navigate to the location of each file.
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Scan it!, and wait for the results.

If you get a message saying: File has already been analyzed, click: Reanalyze file now

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// address.

:ar: Then, provide the http:// address to the results page in your reply.
 

yep
 

thebladeroden,

Please press on with the instructions in Post #8, and post the :ar: fixlog.txt

Thanks!
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2014
Ran by Josh at 2014-12-13 18:07:01 Run:1
Running from H:\
Loaded Profiles: (Available profiles: Josh)
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
EmptyTemp:
Winlogon\Notify\fiovbon-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll ()
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\...A8F59079A8D5}\localserver32:
HKU\S-1-5-18\...\Run: [fiovbon] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\fiovbon.dll",fiovbon
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Users\Josh\AppData\Roaming\Hymyfi
C:\ProgramData\FotgaYtutx
C:\ProgramData\ywmimux
C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan
C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf
C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe
C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe
C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
C:\Users\Public\Suspicious\conhost1\conhost.exe
C:\Users\Public\Suspicious\conhost2\conhost.exe
C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm
F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe
AlternateDataStreams: C:\Windows\system32\Drivers\iicngbln.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\iktxlkeh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rgzyaykz.sys:changelist
end
*****************

Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fiovbon" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\fiovbon => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1096825299-2601053131-2088073329-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Users\Josh\AppData\Roaming\Hymyfi => Moved successfully.
C:\ProgramData\FotgaYtutx => Moved successfully.
C:\ProgramData\ywmimux => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\conhost.exe" => File/Directory not found.
C:\Documents and Settings\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
C:\Documents and Settings\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf => Moved successfully.
"C:\Documents and Settings\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe MSIL/TrojanClicker.Agent.NII trojan" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Documents and Settings\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
C:\Documents and Settings\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\AppData\Local\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2524\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\2d64\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9MUVH2Q\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\d214\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45O3E44T\e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0[1].swf" => File/Directory not found.
"C:\Users\Josh\Local Settings\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Users\Public\Suspicious\clicker3a\Clicker3.exe => Moved successfully.
C:\Users\Public\Suspicious\clicker3b\Clicker3.exe => Moved successfully.
"C:\Users\Josh\AppData\Local\Temp\Low\SessionWin32k\4126\Clicker3.exe" => File/Directory not found.
C:\Windows\temp\Low\SessionWin32k\9653\Clicker3.exe => Moved successfully.
"C:\Documents and Settings\Josh\Local Settings\Temp\conhost.exe" => File/Directory not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
C:\Users\Public\Suspicious\conhost1\conhost.exe => Moved successfully.
C:\Users\Public\Suspicious\conhost2\conhost.exe => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\fiovbon.dll" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\fiovbon.dll => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm" => File/Directory not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ljd4sbp5vw[1].htm => Moved successfully.
"F:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe" => File/Directory not found.
F:\Program Files (x86)\Nexon\Library\dirtybomb\appdata\Binaries\Win32\ShooterGame-Win32-Shipping.exe => Moved successfully.
C:\Windows\system32\Drivers\iicngbln.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\iktxlkeh.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\rgzyaykz.sys => ":changelist" ADS removed successfully.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 64-bit SP1
CPU
Intel Core2 Quad Q6600 2.40 GHz
Motherboard
Intel DP35DP
Memory
Kingston ValueRAM 3x2GB PC2-5300 667 MHz
Graphics Card(s)
Asus ENGTX460
Sound Card
Creative Xtreme Fatality
Monitor(s) Displays
Acer V193w
Screen Resolution
1440x900
Hard Drives
Samsung HD502HJ 500GB
Seagate Barracuda 320GB
PSU
EVGA 100-B1-0500-KR
Case
Tsunami Dream
Cooling
1x90mm fan, 2x120mm fan
Keyboard
Microsoft Digital Media Pro Keyboard
Mouse
Razer Diamondback
Internet Speed
20mbps
Other Info
DVD Drive
DVD-RW Drive
thebladeroden,

Please provide an update on how it is going with the system.

Any other malware issue left to address?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Hoping against hope they can someday conjure up a decrypter