
Guidance on Handling a Guest Account Ransom Infection



We picked up a ransom virus on a guest account on a standalone laptop (Windows 7).  Certain files were encrypted, but these aren't of any value, so we don't care.

 

I went to run a McAfee security scan (my Malwarebytes trial has expired) and, as always, first initiated an update. Nada. Can't run the update. Microsoft Update also will not initiate: service not running.

 

I did some investigating, and discovered an entry in the startup folder titled "Kumon3485679268". Its target was "C:\Users\Guest\AppData\Local\Temp\Temp1_Kumon.zip\Kumon.exe", but that no longer seems to exist (yes, I did enable the showing of hidden/system files).

 

I ran regedt32.exe, and didn't see anything untoward in the Windows 'Run' or 'Run Once' folder. I also did a search on "Kumo", and saw the target cited above in various MUICache. I also saw the following entries:

 

     HKEY_Current_User\Software\Binary Noise\mPlayer\Kumon.exe

     HKEY_Users\s-1-5-21-2828776899-910380351-1068813182-501\Software\Binary Noise\mPlayer\Kumon.exe

 

I don't know if the virus deleted itself, or just simply went into hiding.

 

I suspect that I'll need to get into the administrator account to fix this.  My concern is that this will then open up all the other accounts to the virus and thus file encryption, and that WOULD be bad. 

 

And no, I don't have a backup.  The external backup disk has somehow disappeared (nothing nefarious; just someone trying to tidy the place up ...).

 

I know I could pull the disk and put it into another computer and do a backup that way, but I don't have the physical connectors to install it in another computer.  Of course, if need be, I could get them, but I was hoping that there might be an easier solution.

 

So, what do you think?  If I go into the Admin account do I risk everything, or is Windows 7 going to limit the virus/damage to only the Guest account?  Should I play it safe and go the pull-the-disk route?  Some other suggestion?

 

Thanks,

 

Richard


  • Root Admin

Sorry for the delay, Tom, but the site has been pretty busy lately.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program, you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
