Ransomware\backdoor attack - Prevent and identification



First of all, sorry, but I cannot provide a FRST scan. I'm sorry. I cannot open it in Safe Mode, and I'm extremely afraid to go to Safe Mode since my computer is compromised.

I hope you understand! thank you!!

Hey! I just reformatted my PC two days ago and today I got backdoor attacked. My computer is compromised, and I need help to prevent it from happening on the next install. Scanning my computer right now is very dangerous, since most of the scans I would have to perform would be in normal boot, where the ransomware is active.

So, long story short,

 

Two years ago I was infected with a Bitcoin miner that used to launch wscript executions. It was very hard to remove and I had to reformat my computer. I saved all my documents, pictures, Photoshop files, Adobe Flash files and Sai Paint Tool files, and I made sure not to leave any trace of zip\exe files (although DLL files can be infected too, but I didn't have any of them to be executed by another program).

The only files I could execute are my artwork and Adobe files, and pictures, I guess.

I backed up all of these files on a spare clean HDD that I made sure to reformat. I scanned the HDD: no viruses.

I hadn't used the HDD for two years, not until two days ago.

 

My previous operating system, which was Windows 10, was questionably infected, so I backed up my files and formatted the PC two days ago.

Two days ago I installed a clean, fresh new Windows 10 OS and plugged in all of my backup data, both from 2 years ago and from the previous operating system.

I made sure to scan every program, installation or any files that are exe\rar\dll or just suspicious. I made sure to scan them with Malwarebytes, Defender and VirusTotal, since I wanted to be super careful and not allow anything dangerous to get injected into my PC. Even if I got a false positive on a program, I would not install it or execute it.

 

Today, an hour ago, my Malwarebytes started popping up malicious traffic alerts; its domains were 3.winsrw.com, 4.winsrw.com, etc.

Windows Defender jumped in at the same moment, notifying me about the Clavir.d!cl virus. I couldn't get much information about it on Google.

I opened my Task Manager and went to Startup, and there's a new logon called Qatuvdz. I couldn't find any information about it either, but here's a screenshot + location:

 

[screenshot: tumblr_oq0k10uD8c1rbrh4ro1_1280.png]

 

Windows Defender was trying to delete the virus, but it only comes back instead. I immediately disconnected from the internet and started browsing the Event Viewer, and apparently for the past hour there were new registry changes, new user creations and privilege creations, logon edits, etc.

 

Before I deleted the virus file, I uploaded it to VirusTotal: https://www.virustotal.com/en/file/5f7556de1fd33558baa96adc953eea1c15353c7f73c60f16354efab6b288fac9/analysis/1494869968/

 

I'm in Safe Mode, backing up my files. My computer is totally compromised.

I have so many questions. I don't want to trigger it again and let it consume my computer!

 

Q. What is this virus? Any ideas?

Q. How do I find out what triggered the virus? How do I know what brought the virus to life? Anything could bring it to life!

Q. Could my backup data, like music and .sai, .fla, .swf, .png, .psd, .pdf and .txt files, be infected, or are they at risk of being encrypted and dangerous?

Q. What other stuff should I do to prevent the virus from coming back? Are there any ideas? I tried looking up articles outside the forum and inside the forum and I couldn't find anything too personal. Could I get a personal opinion?

Q. I am using Chrome, Creative Cloud, archive programs like WinRAR and 7z, and other programs. Am I at risk of getting infected again next time from logging in? Could I also get infected from logging into my Microsoft account on my Windows?

Q. Could my boot be infected?

 

I just dont want it to happen again :((


3 weeks later...

I got this one, too. Uninstall 7Zip, for one thing. I was able to remove qatuvdz, though I'm still looking for potential leftovers from it. I haven't gotten any typical ransomware issues, so I think you should be OK running in Normal Mode to diagnose and remove it. Just make sure any accounts you have are backed up by an authenticator such as Authy, Microsoft, or Google, so that even if someone does use your password they cannot access your account without your approval.

 

I can't remember exactly how I removed the main part of the problem, but I do remember using Process Explorer to find out what was keeping me from being able to delete the files. It shows you what command line arguments are being passed to processes and services and more in-depth information on quite a bit.

 

AH! I had to remove some Registry Entries. You should be able to do a search in Regedit to qatuvdz or related files/users, just look at the properties of the qatuvdz.exe and the command line arguments.

 

God, I wish I had written this down. Was 8 days ago and I spent a good 6 hours trying to figure out how to get rid of it. >.<

Edited by AvariceSyn
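As an added illustration, not code from this thread or from either poster, the PowerShell script below runs from an elevated prompt and checks the places the reply above and the original post mention: Run keys, scheduled tasks, services, running process command lines (what Process Explorer shows), and the Security/System event log entries for new accounts, group membership changes and service installs. The name qatuvdz is the startup entry reported in this thread; the paths and event IDs are standard Windows locations.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt.
# $Needle is the suspicious startup name reported in this thread; change it as needed.
$Needle = 'qatuvdz'

# 1. Autostart locations: Run/RunOnce keys for the machine and the current user.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
      Where-Object { $_.Name -notlike 'PS*' } |
      ForEach-Object {
        if ("$($_.Name) $($_.Value)" -match $Needle) {
          "[Run key] $key : $($_.Name) = $($_.Value)"
        }
      }
  }
}

# 2. Scheduled tasks and services whose name or command line references the needle.
Get-ScheduledTask | Where-Object {
  $_.TaskName -match $Needle -or
  (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $Needle)
} | ForEach-Object { "[Task] $($_.TaskPath)$($_.TaskName)" }

Get-CimInstance Win32_Service |
  Where-Object { $_.Name -match $Needle -or $_.PathName -match $Needle } |
  ForEach-Object { "[Service] $($_.Name) : $($_.PathName)" }

# 3. Running processes with their full command lines (the view Process Explorer gives).
Get-CimInstance Win32_Process |
  Where-Object { $_.Name -match $Needle -or $_.CommandLine -match $Needle } |
  ForEach-Object { "[Process] PID $($_.ProcessId) : $($_.CommandLine)" }

# 4. Recent account and service changes from the event logs (what the OP saw in Event Viewer):
#    4720 = user account created, 4732 = member added to a local group, 7045 = new service installed.
$since = (Get-Date).AddDays(-2)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object { "[Security $($_.Id)] $($_.TimeCreated) : $(($_.Message -split "`n")[0])" }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object { "[System 7045] $($_.TimeCreated) : $(($_.Message -split "`n")[0])" }
```

Anything the script prints is a lead to inspect, not proof of infection; compare each hit against what you installed yourself before removing it.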

Haha, thank you for sharing your research!

Funny thing is that I already installed a fresh OS, since I figured I shouldn't leave myself hanging over a compromised operating system and should instead flash a clean one again, haha.

Thank you again, my fellow friend! I just hooked up my backup drivers again, so I hope I don't get myself doofed again, haha.


Quote

Q. What is this virus? Any ideas?

The detections for the file you uploaded on VirusTotal are all generic, so it isn't possible to tell you what family this malware is from. We know for sure that it's a trojan, and maybe a downloader/dropper (which downloads and installs additional payloads on a compromised system).

Quote

Q. How do I find out what triggered the virus? How do I know what brought the virus to life? Anything could bring it to life!

That would require a more in-depth analysis of your system to find the attack vector it used and how it got in. Not something that can be easily offered online via forums sadly.

Quote

Q. Could my backup data, like music and .sai, .fla, .swf, .png, .psd, .pdf and .txt files, be infected, or are they at risk of being encrypted and dangerous?

None of the security vendors flagged this file as being ransomware, so I doubt that your files are at risk of being encrypted.

Quote

Q. What other stuff should I do to prevent the virus from coming back? Are there any ideas? I tried looking up articles outside the forum and inside the forum and I couldn't find anything too personal. Could I get a personal opinion?

Having a decent security setup (antivirus, antimalware, firewall) and good browsing habits would be a good start. This will prevent not only this infection from coming back, but all the others as well.

Quote

Q. I am using Chrome, Creative Cloud, archive programs like WinRAR and 7z, and other programs. Am I at risk of getting infected again next time from logging in? Could I also get infected from logging into my Microsoft account on my Windows?

I've never seen that happen to be honest.

Quote

Q. Could my boot be infected?

Once again, according to VirusTotal's hits on the file you uploaded, I doubt this malware would infect your bootmgr.
