Ransomware

Solved
spoon62420 -
Hello,

I was infected by ransomware and I have the 3 requested links.
Can you help me?
Thank you in advance

Configuration: Windows 7 / Internet Explorer 10.0

3 replies

Malekal_morte- (Moderator, Security contributor)
 
Hello,

You need to provide the attached links to the reports here, otherwise we cannot read them.

Please press a key to continue the disinfection...
Malekal_morte- (Moderator, Security contributor)
 
Only remnants,
The computer was infected by Win64/Sathurbot.A and Win32/Boaxxe
which dropped CryptoWall.

ESET had to remove Boaxxe.

Here is the correction to perform with FRST. You can refer to this explanatory note with screenshots.

Open Notepad: Windows key + R,
In the "Run" field, type notepad and click OK.
Copy/Paste the following into it:

CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll No file
2015-08-08 15:19 - 2015-08-08 15:19 - 0000000 _____ () C:\Users\admin\AppData\Roaming\.sys
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.URL
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.URL
2015-08-17 19:15 - 2015-08-17 19:16 - 0019968 ___SH () C:\Users\admin\AppData\Roaming\Microsoft\Thumbs.db
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.URL
2015-06-03 19:19 - 2015-06-14 16:38 - 0000616 ____H () C:\ProgramData\@system.temp
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-06-18 14:43 - 2015-07-15 18:17 - 0000126 _____ () C:\ProgramData\search_result.xml
2014-10-26 17:38 - 2014-10-26 17:38 - 0004991 _____ () C:\ProgramData\xhbjddli.elu
Task: {1CC83DE5-591F-42CF-B744-D5F876E79983} - System32\Tasks\{C3F51019-7CEE-4970-97BC-3384F616878B} => pcalua.exe -a C:\ProgramData\BreakingNewsAlert\uninstall.exe -c /kb=y /ic=1
Task: {5906FF6E-5D1C-433F-8357-D5204734BFC1} - System32\Tasks\Security Center Update - 3980801789 => C:\Users\admin\AppData\Roaming\Ocyrypqa\ykmecef.exe <==== ATTENTION
Task: {6DDE1CFB-81E2-4373-903D-4979D91E46BD} - System32\Tasks\Security Center Update - 2388764943 => C:\Users\admin\AppData\Roaming\Tuesxuaq\uxotpoc.exe <==== ATTENTION


Once the text is pasted into Notepad,
Go to the "File" menu and then "Save as",
On the left, navigate to the Desktop,
In the bottom field, for the file name type: fixlist.txt
Click "Save", this will create fixlist.txt on the Desktop.

Restart FRST and click on the "Fix" button
A restart may be necessary (not mandatory)
A text file will appear, copy/paste the content here in a new message.

Restart the computer.

Please press a key to continue the disinfection...
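As an added example (not part of the thread and not FRST's own code), here is a small Python triage pass over FRST-format entries like those in the fixlist above. It flags CryptoWall ransom notes, hidden files under user-writable directories, and scheduled tasks whose action runs from AppData or ProgramData. The sample lines are taken from the fixlist in this thread; the defrag task line and its GUID are constructed.

```python
import re

# FRST file entry: "<created> - <modified> - <size> <attrs> () <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(\d+) ([_A-Z]{5}) \(\) (.+)$"
)
# FRST task entry: "Task: {GUID} - System32\Tasks\<name> => <action> [<==== ATTENTION]"
TASK_RE = re.compile(
    r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(.+?) => (.+?)(?P<flag> <==== ATTENTION)?$"
)
# CryptoWall drops HELP_DECRYPT.{HTML,PNG,TXT,URL} into every folder it touches
RANSOM_NOTE_RE = re.compile(r"\\HELP_DECRYPT\.(HTML|PNG|TXT|URL)$", re.I)
# Locations a standard user can write to; persistence from here deserves a look
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Roaming|Local)|ProgramData)\\", re.I)


def triage(lines):
    """Return (kind, detail) tuples for entries a responder should review."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            if RANSOM_NOTE_RE.search(path):
                findings.append(("ransom_note", path))
            elif "H" in attrs and USER_WRITABLE_RE.search(path):
                # weak signal on its own (Thumbs.db is hidden too), so review, not verdict
                findings.append(("hidden_in_userwritable", path))
            continue
        m = TASK_RE.match(line)
        if m:
            name, action = m.group(1), m.group(2)
            if m.group("flag") or USER_WRITABLE_RE.search(action):
                findings.append(("task_runs_from_userwritable", f"{name} => {action}"))
    return findings


# Constructed sample: lines from this thread's fixlist plus one benign, made-up task
SAMPLE = [
    r"2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.HTML",
    r"2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL",
    r"2015-06-03 19:19 - 2015-06-14 16:38 - 0000616 ____H () C:\ProgramData\@system.temp",
    r"2015-06-18 14:43 - 2015-07-15 18:17 - 0000126 _____ () C:\ProgramData\search_result.xml",
    r"Task: {5906FF6E-5D1C-433F-8357-D5204734BFC1} - System32\Tasks\Security Center Update - 3980801789 => C:\Users\admin\AppData\Roaming\Ocyrypqa\ykmecef.exe <==== ATTENTION",
    r"Task: {1CC83DE5-591F-42CF-B744-D5F876E79983} - System32\Tasks\{C3F51019-7CEE-4970-97BC-3384F616878B} => pcalua.exe -a C:\ProgramData\BreakingNewsAlert\uninstall.exe -c /kb=y /ic=1",
    r"Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe -c",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:28s} {detail}")
```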
spoon62420 (Member)
 
Results of Farbar Recovery Scan Tool (x64) Version: 29-08-2016
Executed by admin (30-08-2016 16:39:16) Run:1
Executed from C:\Users\admin\Desktop
Loaded profiles: admin & UpdatusUser (Available profiles: admin & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:

CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll No file
2015-08-08 15:19 - 2015-08-08 15:19 - 0000000 _____ () C:\Users\admin\AppData\Roaming\.sys
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Roaming\HELP_DECRYPT.URL
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.URL
2015-08-17 19:15 - 2015-08-17 19:16 - 0019968 ___SH () C:\Users\admin\AppData\Roaming\Microsoft\Thumbs.db
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\Users\admin\AppData\Local\HELP_DECRYPT.URL
2015-06-03 19:19 - 2015-06-14 16:38 - 0000616 ____H () C:\ProgramData\@system.temp
2015-06-07 15:06 - 2015-06-07 15:06 - 0009150 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-06-07 15:06 - 2015-06-07 15:06 - 0047560 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-06-07 15:06 - 2015-06-07 15:06 - 0004766 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-06-07 15:06 - 2015-06-07 15:06 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-06-18 14:43 - 2015-07-15 18:17 - 0000126 _____ () C:\ProgramData\search_result.xml
2014-10-26 17:38 - 2014-10-26 17:38 - 0004991 _____ () C:\ProgramData\xhbjddli.elu
Task: {1CC83DE5-591F-42CF-B744-D5F876E79983} - System32\Tasks\{C3F51019-7CEE-4970-97BC-3384F616878B} => pcalua.exe -a C:\ProgramData\BreakingNewsAlert\uninstall.exe -c /kb=y /ic=1
Task: {5906FF6E-5D1C-433F-8357-D5204734BFC1} - System32\Tasks\Security Center Update - 3980801789 => C:\Users\admin\AppData\Roaming\Ocyrypqa\ykmecef.exe <==== ATTENTION
Task: {6DDE1CFB-81E2-4373-903D-4979D91E46BD} - System32\Tasks\Security Center Update - 2388764943 => C:\Users\admin\AppData\Roaming\Tuesxuaq\uxotpoc.exe <==== ATTENTION


A restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1SecureIconsProvider" => key removed successfully
"HKCR\CLSID\{FC9D8189-520A-4417-AED7-9EAC810C6FBA}" => key removed successfully
"C:\Users\admin\AppData\Roaming\.sys" => not found.
C:\Users\admin\AppData\Roaming\HELP_DECRYPT.HTML => moved successfully
C:\Users\admin\AppData\Roaming\HELP_DECRYPT.PNG => moved successfully
C:\Users\admin\AppData\Roaming\HELP_DECRYPT.TXT => moved successfully
C:\Users\admin\AppData\Roaming\HELP_DECRYPT.URL => moved successfully
C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML => moved successfully
C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.PNG => moved successfully
C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT => moved successfully
C:\Users\admin\AppData\Roaming\Microsoft\HELP_DECRYPT.URL => moved successfully
C:\Users\admin\AppData\Roaming\Microsoft\Thumbs.db => moved successfully
C:\Users\admin\AppData\Local\HELP_DECRYPT.HTML => moved successfully
C:\Users\admin\AppData\Local\HELP_DECRYPT.PNG => moved successfully
C:\Users\admin\AppData\Local\HELP_DECRYPT.TXT => moved successfully
C:\Users\admin\AppData\Local\HELP_DECRYPT.URL => moved successfully
C:\ProgramData\@system.temp => moved successfully
C:\ProgramData\HELP_DECRYPT.HTML => moved successfully
C:\ProgramData\HELP_DECRYPT.PNG => moved successfully
C:\ProgramData\HELP_DECRYPT.TXT => moved successfully
C:\ProgramData\HELP_DECRYPT.URL => moved successfully
C:\ProgramData\search_result.xml => moved successfully
C:\ProgramData\xhbjddli.elu => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1CC83DE5-591F-42CF-B744-D5F876E79983}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1CC83DE5-591F-42CF-B744-D5F876E79983}" => key removed successfully
C:\Windows\System32\Tasks\{C3F51019-7CEE-4970-97BC-3384F616878B} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C3F51019-7CEE-4970-97BC-3384F616878B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5906FF6E-5D1C-433F-8357-D5204734BFC1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5906FF6E-5D1C-433F-8357-D5204734BFC1}" => key removed successfully
C:\Windows\System32\Tasks\Security Center Update - 3980801789 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3980801789 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6DDE1CFB-81E2-4373-903D-4979D91E46BD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6DDE1CFB-81E2-4373-903D-4979D91E46BD}" => key removed successfully
C:\Windows\System32\Tasks\Security Center Update - 2388764943 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2388764943 => key not found.


The system had to restart.

End of Fixlog 16:39:25

Malekal_morte- (Moderator, Security contributor)
 
Here it is...
For file recovery, it’s probably dead.

Strengthen the security of your Windows: How to secure my Windows
Especially against Web exploits.

--
Please press any key to continue the disinfection...
spoon62420 (Member)
 
Thank you again for your help, I will follow the 2 tutorials.
Malekal_morte- (Moderator, Security contributor) > spoon62420 (Member)
 
You're welcome, good luck, make sure to update all the software (Java, Flash, etc.).
Boaxxe relies heavily on web exploits.