Jump to content

I know I'm infected - clean it without internet connection?


Recommended Posts

I've been handed a computer for cleaning. It's infected with the Phobos ransomware (Deuce variant), and because the infection is probably still active, I really don't want to connect it to my network, or any network I care about at all. The standard MalwareBytes install would seem to be a small installer that then goes out to the internet for (at least) definitions. Is there any way for me to retrieve a copy of the full installer, with definitions, that I can drop onto this machine via a thumb drive?

Link to post
Share on other sites

Hello @chazz

If you'd like us to review please run the following.

 

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

Link to post
Share on other sites

Just to confirm before I crank this up - I note that both AdwCleaner and Farbar Recovery are relatively small, 5 and 10 MB range. Given how many viruses are out there, this would suggest that there are no definitions included in these programs. Do these programs fetch definitions from the Internet - do I have to have a hot connection to run them?

Also, MalwareBytes has already been run on this machine and isolated four files and one directory that were identified as PUP varieties, rather than active ransomware. I expect that a scan now will show no problems, making the scan report useless, and I'm wondering if there is a way to get a virus chest report in the format you want?

Link to post
Share on other sites

Yes, the scans should come back clean and why I want you to run them to make sure.

FRST is not an antivirus or malware scanner. It's just a tool to see what is running on the system. AdwCleaner can get updates from thee Cloud but like Malwarebytes both will run locally without updates if there is no network.

I'm heading out, please run as requested and post back the logs and I'll review either later tonight or tomorrow when I get back into work

Thank you

 

Link to post
Share on other sites

Certainly. Files are attached. MB11.txt is the MalwareBytes scan from today. I have the scan that caught PUPs as well if you need it. AdwCleaner actually made two log files, an S00 scan log and a C00 clean log; attached is the C00 clean log. And of course the FRST logs are attached as well. Farbar did complain about no internet connection, AdwCleaner did not.

And thank you very much for this.

mb11.txt AdwCleaner.txt Addition.txt FRST.txt

Link to post
Share on other sites

The logs don't look too bad. Please run the following fix but make sure you temporarily disable Kaspersky AV while running it.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 

Link to post
Share on other sites

The log file is attached.

I'll note that a large number of applications would report failure to start originally; some of the more important ones looked to be preload bits for QuickBooks - this machine is used for accounting, apparently. After the fix, I'm not getting quite as many of those notifications. It would appear that this particular version of ransomware also will encrypt a lot of executable files, and programs were failing to start because their DLLs were no longer readable.

Just before the reboot, there was a warning that UAC settings were less than optimal, and offered to correct them. I think that was from Kaspersky which - stupidly - I forgot to disable. I can easily rerun FarBar with a new fixlist to cover anything Kaspersky refused it permission for, if necessary. I'm guessing that Farbar changed UAC so that it could autorun on reboot, and I'm hoping it changed them back.

Fixlog.txt

Link to post
Share on other sites

Windows Resource Protection found corrupt files but was unable to fix some of them.

Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example

C:\Windows\Logs\CBS\CBS.log

 

Can you zip up the CBS.log file and upload it and I'll review it on Monday.

 

Link to post
Share on other sites

An interesting log. Difficult to say for sure but my guess is that maybe Kaspersky was possibly preventing the System File Checker from accessing the Internet to check status on some files.

You might want to try fully disabling Kaspersky and then open an Admin command prompt and running the following again and see how it goes.

SFC   /SCANNOW

 

Link to post
Share on other sites

Alas, not Kaspersky. One of the things this virus did was break my Internet connectivity. Vexingly, it seems to have decided to encrypt DLLs as well, and one or more of the DLLs it has destroyed seems to be a filter driver on the network stack; the machine can see that it has a cable plugged in, and may eb able to get an IP address via DHCP, but can't see anything on the network. Every file that I've posted here, and every download that has run on that computer, has been transferred by thumb drive, because that's the only form of communication it has.

Link to post
Share on other sites

I was very afraid that would be the case. Alas. Apart from paying these clowns the ransom, there's unfortunately no way to get the data back... and what was supposedly a pretty solid AV just let this thing have its way with the machine. Saddening, it is.

Link to post
Share on other sites

One can always back up the data in the hopes that a decrypt tool will be released in the future. At different times there have been tools released to restore data. In some cases because the person doing the attack accidentally stored or left the private key somewhere.

Best of luck and yes it is.

The following though can certainly help prevent it from happening again in the future

 

 

If you're not backing up your data and you're still using Google Chrome then you're just not serious about Privacy, Safety, and protecting your data. Malwarebytes is a fantastic program but you still need to back up your data and you still need to block scripts and Ads in your browser. 
If you're still using Google Chrome I would highly suggest you consider using Firefox instead. For more advanced users you might consider installing NoScript as well (it does have a higher learning curve though)

PrivacyTools - Encryption and tools to protect against global mass surveillance - https://www.privacytools.io

Help Secure your browsers
 
You may be interested in using our new Malwarebytes Browser Guard to help protect your browser from items that uBlock or others don't target.

Please install uBlock Origin for your browsers to better protect your system.

FireFox, ChromeOpera , SafariMicrosoft Edge
AdBlock Plus for Internet Explorer

How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018
This video tutorial above explains how to use uBlock Origin in advanced user mode and all the advanced settings to protect your online privacy and help prevent unwanted sites from changing your browser settings

Delete Cookies Automatically

Cookie AutoDelete plugin
Chrome  | Firefox 

Browser push notifications: a feature asking to be abused
HTTPS Everywhere
NOTHING TO HIDE documentary

Review your email and Office choices

Quit Gmail for free encrypted email - Tutanota
Why ProtonMail Is More Secure Than Gmail
LibreOffice - Free and open source office suite

Use Password Management software

Bitwarden
KeePass Password Safe

Make sure you use a strong master password
Then set the key transformation settings (the link below helps provide information on how to choose good settings)
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using Keepass but choose the Argon2 method for Key transformation)

Encrypted Instant Messenger and Voice Calls

Please review the following site for a breakdown of features of different Messenger applications.

SafeSwiss
Riot
Signal
Wire     
NOTE: Recent news of Wire having new investors and moving to the United States.
Wickr Me

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes as your preferred security protection software and tell your friends and family too. We're here to help.


 

 

Link to post
Share on other sites
  • 1 month later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.