
Was infected with Encryption virus. Does any of this look suspicious?



I was infected with the horrible GandCrab v5.2 virus and many of my files got encrypted, but luckily I stopped it in time and didn't lose much data.

That being said, I want to make sure nothing was left on my computer that could cause me to get re-infected. I know how I got infected the first time and it was due to a nefarious download.

I've attached my scans for Malwarebytes, FRST, and Addition. Malwarebytes removed the GandCrab virus and is now showing a clean scan.

FRST.txt Addition.txt MalwarebytesScan.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore ON for Drives in Windows 10 - Immediately.
https://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
<<<>>>

No malware was found in your Addition.txt log.
This fix will remove the empty entries.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
The FRST.txt log was incomplete; I need to see a complete log to review it all.
Please post it in your next reply.

fixlist.txt


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Attached new Fixlog.txt

Also, since getting the virus and removing it with Malwarebytes, I get a prompt every time I start my computer to open up a URL. Windows asks me, "With what program would you like to open up this URL file?" I chose a Notepad document to see what the URL was, without going to a specific website. It seems to be a URL to my own file system, trying to run a file in my AppData folder. Here is the file path:

[InternetShortcut]
URL=file:///C:/Users/Kirby/AppData/Roaming/tsdiscon/MDEServer.vbs

I opened this file (MDEServer.vbs) in Notepad and this is what it says:

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run """C:\Users\Kirby\AppData\Roaming\tsdiscon\BthMtpContextHandler.exe"""


Hi,

I missed that entry.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
Post the Fixlog.txt and let me know if the problem persists.

fixlist.txt


The script that was trying to run every time I started my computer is still in my AppData/Roaming/tsdiscon folder.

The script is a .vbs file. The script file is located at C:\Users\Kirby\AppData\Roaming\tsdiscon\MDEServer.vbs. When opened in Notepad, the script is this:

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run """C:\Users\Kirby\AppData\Roaming\tsdiscon\BthMtpContextHandler.exe"""

Seeing that it looks like this is trying to run the file BthMtpContextHandler.exe, I was confused as to why this was not showing up in the tsdiscon folder. I went to View, Options, and unchecked "Hide protected operating system files". This caused BthMtpContextHandler.exe to show up. It seems to be hidden in this safe area! I scanned this specific folder with Malwarebytes and it found nothing; however, when I uploaded it to VirusTotal, here are my results below:

https://www.virustotal.com/#/file/34935586067fc242ccd256fbba00eaeb1026c757b0cda93894f250e9c93b0b03/detection

This was definitely put on my computer when GandCrab v5.2 Encryption Virus was on my computer. I'm so close to just wiping my hard drive and starting new if I can't be sure I am rid of this.

Thoughts?

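The persistence chain quoted in this post and in the earlier one (a .url file at startup pointing at a local .vbs, which in turn launches an .exe under AppData\Roaming) can be triaged with a small parser. This is an added example, not code from the thread or from any of the tools mentioned; the sample file contents are constructed to mirror what the poster quoted, and the function names and the list of script extensions are my own assumptions.

```python
import re
from urllib.parse import urlparse, unquote
from pathlib import PureWindowsPath

# Constructed samples mirroring the two artifacts quoted in the thread (not the real files).
SAMPLE_URL_FILE = ("[InternetShortcut]\r\n"
                   "URL=file:///C:/Users/Kirby/AppData/Roaming/tsdiscon/MDEServer.vbs\r\n")
SAMPLE_VBS = ('Set WshShell = WScript.CreateObject("WScript.Shell")\r\n'
              'WshShell.Run """C:\\Users\\Kirby\\AppData\\Roaming\\tsdiscon\\BthMtpContextHandler.exe"""\r\n')

# Assumed list of extensions that should never be a startup shortcut's target.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".exe", ".scr"}

def url_file_target(text):
    """Return the URL= value inside the [InternetShortcut] section, or None."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "[internetshortcut]":
            in_section = True
        elif line.startswith("[") and line.endswith("]"):
            in_section = False
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def local_path_from_file_url(url):
    """Convert file:///C:/x/y to a Windows path; None for non-file: URLs."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    return str(PureWindowsPath(unquote(parsed.path).lstrip("/")))

def vbs_run_targets(text):
    """Extract paths passed to WshShell.Run (VBScript doubles quotes inside strings)."""
    return re.findall(r'\.Run\s+"+([^"]+)"+', text, re.IGNORECASE)

def assess_shortcut(url_text, vbs_text=None):
    """Flag a startup .url that launches a local script from a user-writable folder."""
    findings = []
    url = url_file_target(url_text)
    path = local_path_from_file_url(url) if url else None
    if path is None:
        return findings          # web shortcut or unparsable: nothing to flag here
    p = PureWindowsPath(path)
    if p.suffix.lower() in SCRIPT_EXTS:
        findings.append(f"startup shortcut runs local script: {path}")
    if "appdata" in (part.lower() for part in p.parts):
        findings.append("target lives under user AppData (user-writable, common for persistence)")
    for target in vbs_run_targets(vbs_text or ""):
        findings.append(f"script launches: {target}")
    return findings
```

On a live machine the same checks would run over each .url in the Startup folders, and a file that only appears after unchecking "Hide protected operating system files" carries the hidden+system attributes, which is itself worth flagging for a user-profile executable.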

I took some further steps and used Windows Defender to scan the tsdiscon folder since MWBytes didn't find anything, and good news! Windows Defender found the virus and I got it quarantined. I attached a screenshot of this action to this post.

Are there any steps you recommend me doing? I'm still a bit wary.

WDefender Scan of BthMtpContextHandler.png


Oh, I am also a bit worried to "Remove" this file as Windows Defender recommends. Is it possible that this file might be a crucial system file that was falsely triggered as a virus? Again, I had to uncheck "Hide protected operating system files" to even see this, and I manually scanned this folder for it to find this file and flag it as a virus.

Also, thank you for your time again. I hope you can guide me to take the appropriate actions safely.


Hi,

Let's just make sure that this file MDEServer.vbs is not on your computer.


Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
MDEServer.vbs
Once done, click on the Search Files button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
===

Submit the file in bold to VirusTotal for inspection.
https://www.virustotal.com/gui/home/upload
Follow the instructions on the page.

C:\Users\Kirby\AppData\Roaming\tsdiscon\BthMtpContextHandler.exe
===

Please let me know if Windows Defender is still reporting this condition.


I already used VirusTotal to assess BthMtpContextHandler.exe and gave the link above. I'll re-post that link below:

https://www.virustotal.com/#/file/34935586067fc242ccd256fbba00eaeb1026c757b0cda93894f250e9c93b0b03/detection

It seems like the MDEServer.vbs script is only running the BthMtpContextHandler.exe program, and not really connecting to any online URL to pull malicious files for download. Not too sure though, as I'm not too familiar with .vbs scripting. If this is the case, I'm thinking that now that BthMtpContextHandler.exe is quarantined by Windows Defender, the MDEServer.vbs may no longer be a threat?

Not home at the moment, but when I get home I'll go ahead and use the Farbar tool to check if MDEServer.vbs might be in any other locations on my computer. Good idea. Again, Windows Defender did quarantine BthMtpContextHandler.exe, so it is no longer in the C:\Users\Kirby\AppData\Roaming\tsdiscon folder. I'll post the results of the FRST later today.

Thanks again for your time! I really appreciate it.


Hi,

The file was found in the tsdiscon folder.
C:\Users\Kirby\AppData\Roaming\tsdiscon\MDEServer.vbs
[2019-03-27 11:37][2019-03-29 16:23] 000000137 _____ () 4F2DDB2962832638B6434319BA651216 [File not signed]

---

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
MDEServer.vbs
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


Root Admin (2 weeks later):

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

