About MrWashingToad


  1. Then not much I can do at this point except wait for justice to find them, and hope the unlock keys are done, then.
  2. Indeed. I tried multiple times to get Malwarebytes to run in the full Premium mode (as I stated previously, the system was running Malwarebytes Premium when this occurred, and has a lifetime license, was updated on Friday (attack occurred sometime over weekend)). I have attached the other logs I could provide above. Note - I WAS able to get the infected drive imaged to another drive, so now I can play with it whilst keeping the original data drive safe. However, as this happened during a weekend backup run, it corrupted all local copies of my data on that computer, the network attached storage drive backups, AND the online backup as that was set to run at the end of the backup sequence.
  3. Ok, nearly a full 48 hours now, and no replies at all, thanks - really feel like I'm being helped. I've attempted multiple times to get Malwarebytes and Malwarebytes Chameleon to load correctly, but they all fail install; OR, install, but do not allow premium features (real time protection) to turn on. Have checked with the MalwareHunterTeam website, uploaded the .hta ransom note there, and it came back as 1) Dharma, and 2) Phobos. Additionally, all the files are labeled as 'FRENDI' files, and are labeled ID-C602BF82.[withdirimugh1982@aol.com].Frendi. I've located a hidden folder under the C drive that I didn't make, it has 2 files in it and is labeled: C:\Recovery\36db1731-fe3f-11e7-8c3b-fd77c61fa398\ file 1: boot.sdi.ID-C602BF82.[withdirimugh1982@aol.com].Frendi [3,865KB] file 2: Winre.wim.ID-C602BF82.[withdirimugh1982@aol.com].Frendi [165,213KB] I have done nothing to the original hard drive. I removed it from the hardware, and used a computerless disk imager to image that drive to a spare hard drive, and am playing with the clone in order to attempt installations. I've also reached out to CoveWare, and had a chat with one of their staff. I have provided them download links to the recovery files, and other info as well, however, since I'm not a business, and just a personal user - they won't take me on as a customer, but I've provided them everything in hopes I can get a decryptor program, or at least help them recover for someone else.
  4. Had updated copy of Malwarebytes Premium (lifetime license user) installed on Windows Server 2008r2. Note this is a personal server, not a business server, I just have software I use requiring the use of Windows Server base code in order to run stuff I need. Last I did on server on Friday March 29th was go ahead and let Skype update. Then logged out my RDP session. Go to login this morning, Monday April 1st, and the RDP won't connect. Walk over to the system console and login manually locally, and it pops up with 'Phobos Ransomware', and was encrypting files. I immediately checked all other computers on network, and ensured all shared drives were no longer shared, initiated Malwarebytes 3 full scans, and then Norton Antivirus full system scans on all computers. The only computer I don't have Norton also installed on, is that server - b/c I can't afford their overpriced 'Endpoint solutions' software for servers, so I have been using ClamWin free antivirus. Which has worked OK, since I don't open anything I don't make myself, nor go to websites that are sketchy. Following the Malware Removal topic: Malwarebytes 3 is already installed, but was encrypted on the computer. Tried installing from a USB drive, however it wants to restart computer instead of installing the software. Tried installing to the USB drive, same thing. Current antivirus let infection thru, I ALREADY had Malwarebytes Premium running and updated on the computer - this ALSO let in the ransomware. Have not attempted temp file cleaners. Farbar recovery information: Attached. Made sure to click and add the other items as well. Copying the files to USB, I snagged what I could to see if I could get a hit. I did on the ProcessHacker 2 files. Malwarebytes Premium on my normal workstation let them thru with no problems. Norton AV scan identified them, but recommended exclusion. Threat identified as: Hacktool.ProcHack!g1 Have attached those files as well for additional information. 
     Attachments: Addition.txt, FRST.txt, Shortcut.txt, Process Hacker 2.zip, PS.zip, encrypted stuff.zip
  5. Looks like Update package 1.0.3306 fixed the issue for me.
  6. Still getting the same error after forcing package update.
  7. Negative - just came back up after ~1-2 min unblocked on update package 1.0.3305. Edit: Tested against the Dropbox, not user: GroundHogDay's svchost.exe issue as I was not experiencing that one.
  8. Adding IP address to the exclusion list has stopped the popups every ~8 seconds - for now.
  9. Same thing - just started as well. Dropbox version: 39.4.49. Just uninstalled / reinstalled Dropbox as well - same thing. Malwarebytes version: Component package: 1.0.236 Update package version: 1.0.3304
  10. I have a personal subdomain off duckdns.org. (I can PM the direct link, but as this directs to my personal WAN IP, would like to keep this from the main public for my subdomain). The MB3 program is blacklisting the main DuckDNS.ORG domain (IP for duckdns.org: This was preventing any incoming IP address. I have the duckdns updater on another computer that doesn't have MB3 on it, so the auto-updater worked fine. I couldn't figure out what was causing the failure until I tried to visit duckdns.org directly, and had it immediately blocked, which would then come up with the notification, but the notifications are half to 3/4 off the screen, and I can't move them or see what everything in the notification is. mb-check-results.zip
  11. Hosting a Java-based Minecraft server from my computer. Internal IP address works fine for accessing. Cannot use Dyndns (duckdns.org) IP, nor direct IP to connect to the server with Malwarebytes web protection turned on. It does pop up notices that it blocked a "Java malicious inbound socket detected". BUT, where this SHOULD pop up in the exclusions tab for a "previously detected threat", there is nothing listed, so I can't just add an exclusion. I did do a web exclude for website (duckdns.org), and it worked for about 4-5 hours. Then, it blocked access again by itself later on. (EDIT: This now seems to be working after a modem/router reset, but still would be much easier to have a spot to add in specific ports for programs (and all programs aren't .EXE !!)). Not sure why DuckDns.org itself is considered a blocked domain - yes, I could see some subdomains (i.e.: <YourSite>.duckdns.org) being blocked b/c they are set up from infected users, but the main domain url is useful. Also, another issue - the notification popup is situated to the bottom right of my screen - BUT I cannot move the notice - and can't see half of it, or the bottom half. Being a Malwarebytes user for years, I used to remember having options available on the bottom of those notifications, but since I cannot see them, nor move them - it's about useless - why force the notifications to a specific spot and not be able to move them?! Very irritating. They don't show up on the task manager bar, nor in the alt-tab menu where I could highlight the window, right click it and select move, and move them like I can other windows that do the same.