"READ TO DECRYPT!" infection



All, I am new here and searched the forums and did not find the exact problem I am having, so here it goes: A friend was showing me how to stream free movies online and afterwards, I noticed almost all of my folders had a new file in them named "READ TO DECRYPT!!!.html" and the Office and PDF documents in those folders would no longer open. I have attached screenshots of the messages I get when trying to open the documents. I am running Windows XP Pro. As you will see from the attached screenshot of the contents of the Read to Decrypt.html file, this is a ransom type situation and of course I have no intention of paying it. I have a backup of my system I made a week or two ago, so worst case I could use that. Please review the attached files and let me know if there is anything I can do to recover from this other than wiping my hard drive and going back to my last backup? I would rather not have to do that since I have done quite a bit of work and updates to files since then. Thank you very much!

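The first post describes the two symptoms a responder looks for when triaging this kind of infection: a ransom note dropped into every folder the malware reached, and documents that keep their extension but no longer open because their contents were replaced with ciphertext. The script below is an added example (it is not from this thread, from Malwarebytes, or from any tool mentioned here) that walks a directory tree and reports both signs: folders containing the note filename quoted in the post, and files whose extension promises a known file header (PDF, Office) that the first bytes no longer show. The sample folder layout, the note text and the file contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note filename reported in the thread. Add other names if you see them.
NOTE_NAMES = {"READ TO DECRYPT!!!.html"}

# Leading bytes ("magic numbers") a healthy file of each type starts with.
# An encrypted copy keeps its extension but loses this header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}


def header_mismatch(path: Path) -> bool:
    """True if the extension promises a header that the bytes do not show."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: cannot judge, so do not flag
    with open(path, "rb") as fh:
        return fh.read(len(expected)) != expected


def scan(root) -> dict:
    """Walk a tree; report folders holding a ransom note and files whose header is gone."""
    note_folders, damaged = [], []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        if any(name in NOTE_NAMES for name in files):
            note_folders.append(folder)
        for name in files:
            if name in NOTE_NAMES:
                continue
            path = folder / name
            if header_mismatch(path):
                damaged.append(path)
    return {"note_folders": sorted(note_folders), "damaged_files": sorted(damaged)}


def build_sample_tree(base) -> Path:
    """Constructed sample tree: two hit folders and one untouched folder."""
    base = Path(base)
    invoices = base / "Documents" / "Invoices"
    reports = base / "Documents" / "Reports"
    pictures = base / "Pictures"
    for folder in (invoices, reports, pictures):
        folder.mkdir(parents=True, exist_ok=True)
    note = "<html>Your files are encrypted. Pay to decrypt.</html>"  # constructed text
    (invoices / "READ TO DECRYPT!!!.html").write_text(note)
    (invoices / "invoice.pdf").write_bytes(b"\x8f\x1a\x00\x77garbage")  # header gone
    (reports / "READ TO DECRYPT!!!.html").write_text(note)
    (reports / "q4.docx").write_bytes(b"\x9c\x02\x41noise")  # header gone
    (reports / "notes.txt").write_text("plain text, no known header")  # not judged
    (pictures / "holiday.pdf").write_bytes(b"%PDF-1.4\n% intact file")  # healthy
    return base


def run_demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp(prefix="ransom-triage-")))


if __name__ == "__main__":
    result = run_demo()
    for folder in result["note_folders"]:
        print("ransom note in:", folder)
    for path in result["damaged_files"]:
        print("header mismatch (likely encrypted):", path)
```

Point the scanner at a real profile directory instead of the temp tree to get the list of folders that need restoring from backup; files of types not in MAGIC are left unjudged rather than guessed at, so extend the table for the document types that matter on the machine.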

:welcome:

Sorry to say, if you're not going to pay then you'll need to reformat and reinstall.

This is **Cryptolocker Ransomware**, which encrypts files.

There's no known tool to fix this infection at this time.

We can remove the infection but not the encryption.

Once encrypted you will not be able to access those encrypted files unless you pay a ransom and that doesn't always work.

Please be sure to backup your important files / data.

Cryptolocker Ransomware: What You Need To Know

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

Let me know if that answers your questions.


Not gonna pay for sure!

Thanks for your reply. Can you help me remove any traces of the bug? I will delete all folders that contain encrypted files and replace them with backups that I had made a couple of weeks ago. Fortunately, I noticed that something weird was running on my computer after going through a website that must have loaded the bug, and I stopped it before it could get through all of the folders on my computer, so it only made it through a couple of dozen folders before I stopped it. Please let me know how to proceed with getting rid of this for sure! Thanks, Steve


Let's collect additional information off the system to see if we can spot the issue.

Please download DDS from the link below and save it to your desktop:

Note: Be sure to select Save as Type > All Types

Download one of the DDS tools from the location below and save to your Desktop

dds.scr - http://download.bleepingcomputer.com/sUBs/dds.scr

dds.com - http://download.bleepingcomputer.com/sUBs/dds.com

Double click dds.scr to run the tool.

It will automatically run; all you will see is a small message saying DDS is running in silent mode, then a message saying 2 logs shall be created on your Desktop.

When done, DDS will have saved 2 logs to your desktop:

1. DDS.txt

2. Attach.txt

Please attach both logs in your next reply.


PS: Warning to all that may be surfing through web sites that offer free streaming movies. Although I have had only pesky issues with VIOOZ.CO, there was one site (not sure which one) that definitely got me and infected my computer with the ransom bug. As I found out, it is not worth it to try and watch free movies online unless you are willing to risk the security of your computer!


While I'm looking at the scans, please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\documents and settings\all users\application data\yetqmyy.dat

Then click Submit. Allow the file to be scanned, and then please copy and paste the link to the results page here for me to see.

Do the same for this one:

c:\documents and settings\e0067354\1401795.exe


Were you able to get those 2 files scanned?

Is this a work PC, or are you using it at work?

Did you setup a proxy server?

uProxyServer = proxy.etn.com:8080

uProxyOverride = connect.eaton.com;rs.eportal.eaton.com;*tnv.com;*lmtas.com;htgapp*.dana.com;portal.pw.utc.com;business.isabel.be;*.corp.moeller.net;intranet.moeller.net;mis.moeller.net;wtt.moeller.net;was.moeller.net;ctx.moeller.net;yambs.moeller.net;vip.moeller.net;tintranet.moeller.net;statistik.moeller.net;www.moeller.net;legolas.moeller*cz.com;portal.bicguniversity.com;127*;255.*;192.168.*;198.151.185.90;198.147.174*;207.24.213*;206.18.202.35;162.74.90.10;162.74.22.196;162.74.80.200;193.228.200*;*aero.bombardier.net;*.mau.dana.com;*.vpn.dana.com;*.wdl.dana.com;nacitrix.dana.com;qts.ras.audi.vwg;kvs.ras.audi.vwg;*etn.com;151.110.*;148.179.*;166.99.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;10.*;<local>

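The helper's question above is a standard triage step: a proxy server configured in the browser's Internet Settings (shown in DDS logs as uProxyServer and uProxyOverride) is normal on a corporate laptop, but on a home PC an unexplained proxy means every web request can be routed through a host the owner does not control, and the override list says which destinations skip it. The script below is an added example, not from this thread or from the DDS tool, that pulls those two keys out of a DDS-style log excerpt, answers "would this host go through the proxy?" and lists the override entries that are not loopback, private-range or `<local>` patterns, since those are the ones a reviewer needs the user to explain. The excerpt is constructed in DDS style using the proxy line and a shortened override list from the thread; the matching rules (`*` as a plain wildcard, `<local>` meaning a hostname with no dot) are an assumed approximation of Internet Explorer's behaviour, and private-range detection is my own helper.

```python
import fnmatch

# Constructed excerpt in the style of a DDS log. The proxy server line and the
# override entries are taken from the thread; the override list is shortened.
SAMPLE_DDS = """\
uStart Page = hxxp://www.example.com/
uProxyServer = proxy.etn.com:8080
uProxyOverride = connect.eaton.com;*tnv.com;127*;192.168.*;172.16.*;206.18.202.35;10.*;<local>
mWinlogon: Userinit = userinit.exe
"""


def parse_proxy_settings(text: str):
    """Pull uProxyServer and uProxyOverride out of DDS-style 'key = value' lines."""
    server, override_raw = None, ""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "uProxyServer":
            server = value
        elif key == "uProxyOverride":
            override_raw = value
    overrides = [e.strip().lower() for e in override_raw.split(";") if e.strip()]
    return server, overrides


def bypasses_proxy(host: str, overrides) -> bool:
    """Approximate Internet Explorer's ProxyOverride matching.

    Assumption: '*' is a plain wildcard (fnmatch semantics; '[' and '?' would
    also be special, but such entries do not occur here) and '<local>' means
    'a hostname without a dot'. Returns True if the host skips the proxy.
    """
    host = host.lower()
    for entry in overrides:
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatch.fnmatchcase(host, entry):
            return True
    return False


def _is_private_pattern(entry: str) -> bool:
    """True for loopback / RFC 1918 style patterns such as 10.*, 172.16.*, 192.168.*, 127*."""
    prefix = entry.rstrip("*").rstrip(".")
    if not prefix or not prefix.replace(".", "").isdigit():
        return False
    octets = prefix.split(".")
    if octets[0] in ("10", "127"):
        return True
    if octets[0] == "192" and len(octets) > 1 and octets[1] == "168":
        return True
    if octets[0] == "172" and len(octets) > 1 and 16 <= int(octets[1]) <= 31:
        return True
    return False


def external_overrides(overrides):
    """Entries that are neither <local> nor private-address patterns.

    Traffic to these hosts goes direct instead of through the proxy; on a home
    PC each one should have an explanation (here they match a corporate setup).
    """
    return [e for e in overrides if e != "<local>" and not _is_private_pattern(e)]


if __name__ == "__main__":
    server, overrides = parse_proxy_settings(SAMPLE_DDS)
    print("proxy server:", server)
    print("external override entries:", external_overrides(overrides))
    for host in ("connect.eaton.com", "www.google.com", "fileserver", "192.168.1.20"):
        print(f"{host:20} bypasses proxy: {bypasses_proxy(host, overrides)}")
```

Feed the whole DDS.txt to parse_proxy_settings to get the real values; a proxy server pointing at an unfamiliar host, or an override list that is empty so that everything goes through the proxy, is the finding to raise with the user.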

OK.

This infection is also a backdoor infection, so be sure to change ALL your passwords.

Email, banks, etc. ALL of them.

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

Direct link to the file:

http://downloads.malwarebytes.org/file/mbar

• Be sure to print out and follow the instructions provided on that same page.

• Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

• Double-click on the MBAR file you downloaded.

• Approve the UAC prompt in Vista / Windows 7 and newer operating systems.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.

• By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next'.

• Click the 'Scan' button.

A. With some infections, you may see two message boxes.

1. 'Could not load protection driver'. Click 'OK'.

2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)

system-log.txt


WOW, that's pretty nasty.

Please run another scan with mbar.exe. You'll find it in the extracted mbar folder.

Double click mbar.exe to run it.

Check for Updates, then click 'Next'.

Click 'Scan'

When it has completed, click the 'CleanUp' button and allow the reboot if prompted.

Please attach the most recent mbar-log <date and time>.txt in your next reply.
