Trojan-Ransom.Win32.GpCode.ax


Hi there, I also have this virus. I found this on Google. I know AV vendors found out about this virus on November 29, 2010. What GPcode.ac is doing is encrypting files with a message seen here:

[attached image: dliyht.jpg]

So what's happened is most files on the computer have been "encrypted", renaming all files with .ENCODED as the file extension. What he's asking is if the files that are "encrypted" can be recovered. I am also wondering this because the computer that got infected on my side was the server! So I really need a fix for this. I've been on the phone with Symantec for 3 hours now; they seem clueless!

In the decrypting text file on the desktop, it's just basically asking you to pay them $120 through wire transfer, and then they'll send the key to decrypt the files.

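The post above describes two things a responder can act on right away: files renamed with a .ENCODED extension, and a text file on the desktop demanding payment for the key. The script below is an added triage example, not code from the forum thread or from any vendor, that walks a directory tree, inventories the renamed files, locates the ransom note, and measures the byte entropy of each renamed file. The entropy check matters because a file that was only renamed (or had a trivial transform applied) keeps low, text-like entropy and may be recoverable from its own contents, while genuine ciphertext sits near 8 bits per byte. The keyword list used to spot the note, the 7.0 entropy threshold, and every file name and content in the sample tree are assumptions constructed for the example.

```python
"""Added triage example (not code from the forum post): inventory files that a
GpCode-style infection renamed to .ENCODED, locate the ransom note text file,
and use byte entropy to tell real ciphertext from files that were merely
renamed. All file names and sample contents below are constructed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".ENCODED"                  # extension reported in the thread
NOTE_KEYWORDS = ("decrypt", "pay", "key")    # assumed words a ransom note contains
CIPHERTEXT_ENTROPY = 7.0                     # assumed threshold, bits per byte (max 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root`, collecting .ENCODED files (with entropy of their first 4 KiB)
    and any .txt file that looks like the ransom note."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.upper() == ENCRYPTED_EXT:
            head = path.read_bytes()[:4096]
            encrypted.append({
                "path": path.relative_to(root).as_posix(),
                "original_name": path.stem,      # name before .ENCODED was appended
                "size": path.stat().st_size,
                "entropy": round(shannon_entropy(head), 2),
            })
        elif path.suffix.lower() == ".txt":
            text = path.read_text(errors="replace").lower()
            if all(word in text for word in NOTE_KEYWORDS):
                notes.append(path.relative_to(root).as_posix())
    return {"encrypted": encrypted, "notes": notes}


def summarize(result: dict) -> dict:
    """Counts a responder wants first: how many files, where, and how many
    show low entropy (possibly recoverable without the attacker's key)."""
    enc = result["encrypted"]
    return {
        "total_encrypted": len(enc),
        "by_directory": dict(Counter(os.path.dirname(e["path"]) or "." for e in enc)),
        "likely_ciphertext": sum(e["entropy"] >= CIPHERTEXT_ENTROPY for e in enc),
        "possibly_only_renamed": sum(e["entropy"] < CIPHERTEXT_ENTROPY for e in enc),
        "ransom_notes": result["notes"],
    }


def build_sample_tree() -> str:
    """Constructed sample tree standing in for an infected user profile."""
    root = Path(tempfile.mkdtemp(prefix="gpcode_triage_"))
    (root / "Documents").mkdir()
    (root / "Desktop").mkdir()
    # high-entropy bytes stand in for a genuinely encrypted document
    (root / "Documents" / "budget.xls.ENCODED").write_bytes(os.urandom(4096))
    # plain text that was only renamed: low entropy, contents intact
    (root / "Documents" / "memo.txt.ENCODED").write_bytes(b"Quarterly memo text. " * 200)
    (root / "Documents" / "untouched.txt").write_text("nothing to see here")
    (root / "Desktop" / "how_to_decrypt.txt").write_text(
        "Your files are encrypted. Pay $120 by wire transfer to get the key to decrypt them.")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in summarize(triage(sample)).items():
        print(f"{key}: {value}")
```

Run it against a copy of the affected profile rather than the live server, and keep the resulting inventory: the original file names recovered from `path.stem` and the per-file entropy figures are what a decryption attempt or a restore-from-backup plan is built on, and a low-entropy population is the first hint that the damage is less than the ransom note claims.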

If you can't help him, you can help me! Hopefully we can get this infection cleaned up!

Here is my DDS log:

DDS (Ver_10-12-05.01) - NTFSx86

Run by huronperth2 at 15:11:48.09 on Fri 12/10/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.373 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe

C:\Documents and Settings\huronperth2\Local Settings\Application Data\CrossLoop\CrossLoopService.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\huronperth2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.on.lung.ca/

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exe

mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AgentUiRunKey] "c:\program files\iron mountain\connected backuppc\Agent.exe" -ni -sss -e http://localhost:16386/

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258036365381

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 AgentService;AgentService;c:\program files\iron mountain\connected backuppc\AgentService.exe [2010-4-22 7583136]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\huronperth2\local settings\application data\crossloop\CrossLoopService.exe [2010-12-6 560848]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-1 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-12-6 47640]

R2 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2010-4-22 45384]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-9 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\NAVENG.SYS [2010-12-10 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\NAVEX15.SYS [2010-12-10 1360248]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]

S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]

S3 tvnserver;TightVNC Server;c:\documents and settings\huronperth2\local settings\application data\crossloop\tvnserver.exe [2010-12-6 814080]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== File Associations ===============

scrfile="%1" /S

=============== Created Last 30 ================

2010-12-09 19:43:23 -------- d-----w- c:\docume~1\huronp~1\locals~1\applic~1\Symantec

2010-12-09 19:43:04 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2010-12-09 19:41:27 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2010-12-09 19:41:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-12-09 19:41:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-12-09 19:40:07 503808 ----a-w- c:\windows\system32\MSVCP71.DLL

2010-12-09 19:40:07 348160 ----a-w- c:\windows\system32\MSVCR71.DLL

2010-12-09 19:40:07 1060864 ----a-w- c:\windows\system32\MFC71.DLL

2010-12-09 19:39:48 -------- d-----w- c:\program files\Symantec

2010-12-09 19:39:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec

2010-12-09 19:32:38 -------- d-----w- c:\windows\system32\appmgmt

2010-12-09 18:16:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeReturner

2010-12-09 17:45:39 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-12-09 17:45:39 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-12-09 17:45:33 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-12-09 17:45:33 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-12-09 17:45:21 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-12-09 17:45:21 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-12-06 17:53:03 -------- d-----w- c:\docume~1\huronp~1\locals~1\applic~1\LogMeIn

2010-12-06 17:53:00 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2010-12-06 17:53:00 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-12-06 17:52:59 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-12-06 17:52:59 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2010-12-06 17:52:49 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-12-06 17:52:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn

2010-12-06 17:52:26 -------- d-----w- c:\program files\LogMeIn

2010-12-06 17:21:58 -------- d-----w- c:\docume~1\huronp~1\applic~1\Malwarebytes

2010-12-06 17:20:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-06 17:20:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-06 17:20:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-06 17:20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-06 17:08:38 -------- d-----w- c:\docume~1\huronp~1\locals~1\applic~1\CrossLoop

2010-11-19 15:57:15 -------- d-----w- c:\docume~1\huronp~1\locals~1\applic~1\WinZip

==================== Find3M ====================

2010-11-05 15:58:06 142 ----a-w- C:\backupto server.bat

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-17 20:39:58 25248 ----a-w- c:\windows\system32\lmimirr.dll

2010-09-17 20:39:58 11552 ----a-w- c:\windows\system32\lmimirr2.dll

============= FINISH: 15:12:17.39 ===============

Here is my GMER Log:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-13 11:04:35

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.8.11

Running: gmer.exe; Driver: C:\DOCUME~1\HURONP~1\LOCALS~1\Temp\uftdypob.sys

---- System - GMER 1.0.15 ----

SSDT 8611F100 ZwAlertResumeThread

SSDT 863C8100 ZwAlertThread

SSDT 862EDAE8 ZwAllocateVirtualMemory

SSDT 860B8BF0 ZwConnectPort

SSDT 863CF158 ZwCreateMutant

SSDT 8604E1A8 ZwCreateThread

SSDT 861E9110 ZwFreeVirtualMemory

SSDT 860E8100 ZwImpersonateAnonymousToken

SSDT 8611F0C8 ZwImpersonateThread

SSDT 85F96830 ZwMapViewOfSection

SSDT 860E80C8 ZwOpenEvent

SSDT 8638C450 ZwOpenProcessToken

SSDT 85DA0348 ZwOpenThreadToken

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF76CB880]

SSDT 8635F7A0 ZwResumeThread

SSDT 860E9800 ZwSetContextThread

SSDT 85D670C0 ZwSetInformationProcess

SSDT 862A6690 ZwSetInformationThread

SSDT 861EAAF0 ZwSuspendProcess

SSDT 860F50B8 ZwSuspendThread

SSDT 860E7B38 ZwTerminateProcess

SSDT 860E7D20 ZwTerminateThread

SSDT 860910B0 ZwUnmapViewOfSection

SSDT 860AAC18 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 90 804E26FC 4 Bytes CALL 97D455DB

? C:\DOCUME~1\HURONP~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2480] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


Staff (1 month later):

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
