yokatta Posted April 17, 2017 ID:1117984 I have been hit with multiple viruses in the last week. Malwarebytes has stopped it for the most part, but still some damage. Would love some help to get rid of what is there. I have back-ups for the encrypted data so should be fine that way, just want this virus gone. I have attached the FRST and Addition files here. FRST.txt Addition.txt
Aura Posted April 17, 2017 ID:1117987 Hi again yokatta. It's weird, I see the ransom notes in the logs of that computer, but no encrypted files or malicious payload. Can you attach one of the "README.txt" files located on your desktop in your next post so I can see it?
yokatta Posted April 17, 2017 Author ID:1117994 I deleted some stuff on this one manually. Just wanted to get rid of it. Maybe not the smartest thing, but thought it sounded good at the time. README.txt
Aura Posted April 17, 2017 ID:1118004 It looks like you've been infected with Fantom Ransomware from what I can see. https://www.bleepingcomputer.com/forums/t/624805/fantom-ransomware-help-support-topic-fantom-extension-decrypt-your-fileshtm/ Like I said, I don't see anything malicious in your logs. If you scan your computer using Malwarebytes, does it come up with anything?
yokatta Posted April 17, 2017 Author ID:1118005 No, it says it's clean. No blocked websites here since 4/13/17. But it blocked a ransom virus yesterday, see report. Here is an example of an encrypted file, but this may have been from the other computer as they are on the same network. Like I said in the other post, I've been a magnet for ransom viruses. And that's without using the internet on these computers. DMUtil.dll.id-2CF3B315.[nicecrypt@india.com].wallet ransom report.txt
Aura Posted April 18, 2017 ID:1118052 The file you mention was infected with a variant of the Dharma Ransomware (the same one that infected your other computer). However, the ransom note on this computer is from the Fantom Ransomware. Both of them are dropped manually by crooks who brute-force weak RDP passwords, force their way into the system and then run the payload. Is RDP enabled on these two computers? Or at least on one computer on the network?
yokatta Posted April 18, 2017 Author ID:1118064 RDP is enabled on the first one you helped me with. That's good to know. I had problems in the past and completely replaced the computer and changed passwords. Guess I will try changing them again. Would changing the RDP port help? Thanks again for your help. You're awesome!
Aura Posted April 18, 2017 ID:1118126 If you learn how to secure your RDP (users, strong passwords, etc.) you should be fine, as crooks are usually brute-forcing into RDPs that have weak passwords (like default ones). Though you can change the RDP port if you wish as well.
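The advice above (limit who can log on over RDP, use strong passwords, optionally move the port) can be checked on the affected machine rather than taken on faith. The following PowerShell script is an added example written for this thread, not something posted by Aura, yokatta or Malwarebytes. It reads the registry values Windows uses for RDP, lists the accounts that may connect, shows the account lockout threshold, and summarises failed logon events (Security event ID 4625) by source address so that a brute-force attempt of the kind described is visible. It assumes a Windows 10 / Server 2016 or later host, an elevated PowerShell session, and that the Security log has not been cleared; the 7-day window and the "top 10 sources" cut-off are arbitrary choices.

```powershell
# Added example for this thread (not from the original posts): audit the RDP
# settings mentioned in the replies and summarise failed logons.
# Assumes: Windows 10 / Server 2016+, run as Administrator.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means
# Network Level Authentication is required before a session is created.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
$rdpPort     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

[PSCustomObject]@{
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    ListeningPort = $rdpPort
    # Every member of these two groups can log on over RDP; keep the lists short.
    RdpUsers      = (Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name) -join ', '
    LocalAdmins   = (Get-LocalGroupMember -Group 'Administrators'       | Select-Object -ExpandProperty Name) -join ', '
} | Format-List

# A lockout threshold of "Never" means unlimited password guesses per account.
(net accounts) | Select-String 'Lockout threshold'

# Failed logons in the last 7 days (arbitrary window), grouped by source IP.
$since  = (Get-Date).AddDays(-7)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failed | ForEach-Object {
    # The interesting fields live in EventData; pull them out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [PSCustomObject]@{
        Time      = $_.TimeCreated
        Source    = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive; NLA failures often show as 3
    }
} | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

What to look for: RdpEnabled true on a machine that does not need it, NlaRequired false, a lockout threshold of "Never", or a single source address with hundreds of 4625 events in the window. Moving the port changes only the ListeningPort value and does not change any of the other findings, which is why the reply treats it as optional; NLA, a lockout policy and a short member list for the two groups are the settings that actually limit password guessing.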
Aura Posted April 21, 2017 ID:1118893 Hi yokatta, I take it that there have been no detections on this computer since you created this thread?
yokatta Posted April 21, 2017 Author ID:1118920 No. I've been checking it regularly and the blocked website alerts have stopped. Appears for now everything looks good. Thanks again for your help. Hopefully done for good?
Aura Posted April 21, 2017 ID:1118927 No problem yokatta, you're welcome.
AdvancedSetup (Root Admin) Posted April 25, 2017 ID:1119717 Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!