
Files have been encrypted

Discussion in 'General Malware And Security' started by Tony D, Jan 26, 2019.

  1. Tony D

    Tony D Super-Moderator Super Moderators

    Joined:
    Sep 25, 2009
    Messages:
    3,252
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    I was unable to log into this Windows 7 pro computer. I was getting
    Getting in via F8 and choosing Repair computer, then selecting command prompt. In the user profile, I renamed ntuser.dat ntuser.bat. Then I was able to log in.

    This is what I got.

    The user files have been appended with .btc.

    I think we're screwed.
     

    Attached Files:

  2. Seth Anthony

    Seth Anthony Registered Members

    Joined:
    Mar 31, 2017
    Messages:
    872
    Operating System:
    Linux Based
    Computer Brand or Motherboard:
    Altaire 8800
    CPU:
    Modified Texas Instruments calculator
    Memory:
    2 transistor tubes
    Hard Drive:
    pen and paper
    Graphics Card:
    TV ready
    Power Supply:
    Mouse on a wheel
    Hopefully Starbuck may have some news on decryptors for this ransomware.
     
  3. starbuck

    starbuck Administrator - Malware Removal Specialist Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,513
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Seems this ransomware targets its victims by hacking into poorly protected remote desktop services.

    There was a decrypter for the older variant, but not much seen for the last couple of years.
    If this is a new variant, that's not good.
    The old decrypter info is here....
    https://decrypter.emsisoft.com/keybtc

    It's nearly 2am here, so will have to look around a bit more tomorrow.
     
  4. Tony D

    Get some rest and thanks for looking.
     
  5. Tony D

    Here's some other information. I don't know that everything is related or if this is all a coincidence.

    I was told on Thursday that there were issues with this computer, Windows 7 Pro.

    1) Windows could not start the Computer browser service on Local Disk.
    Error 1075: The dependency service does not exist or has been marked for deletion.

    2) sfc /scannow found:
    Windows Resource Protection found corrupt files but was unable to fix some of them.

    The computer was running normally but the Chiropractor software was having issues doing something. (The computer is part of a chiropractor's office. The software runs patient scheduling, etc.) It was the Chiropractor software vendor who ran sfc /scannow, via remote login.

    Then on Saturday morning, I get a call that they can't log in. When they enter their password at the logon screen, they get
    So I started working on the machine. That's when I renamed ntuser.dat ntuser.bat and was able to get past this group policy client service message. And that's when I was presented with the ransomware message that I took a photo of in the first post of this thread.

    So, I was unable to log into the computer to receive the ransomware message because I wasn't able to log into the computer. That doesn't make sense. The ransomware writer would want me to be able to log in so I could see the message.

    Also, the machine isn't working right at this point. I can't get into user files to even see them via normal graphic user interface. I can't get to the Users libraries: Documents, pictures, etc. When I click on the Start menu, it's all kinda blank. I can see the file names if I boot to Repair your computer / Command prompt option and use DOS commands to see what's in there.

    Am I looking at two problems?
    1) some file corruption on the computer that occurred on Thursday
    2) and then this ransomware encryption that occurred on Friday evening as witnessed by the time stamp on all the files?
     
  6. starbuck

    I have to agree ..... The ransomware guys would want you to see the message.
    They want you to pay.
    Have you tried safe mode with networking and running something like MalwareBytes to see if anything gets thrown up?
     
  7. Tony D

    Thanks - Good idea - Safe Mode.

    I was trying Safe Mode initially when I couldn't get into the machine. I still wasn't able to get in. The owner didn't know the Admin account password or if she did, it wasn't taking the password.

    First I'm going to make an image of the drive. I just started that.
     
  8. Tony D

    2 more screen shots
     

    Attached Files:

  9. Seth Anthony

    Even if you get the ransomware out, the files are still going to be encrypted. If a decryptor doesn't work, then the only way to possibly recover the files is to pay the ransom (which still might not decrypt the files) and also may request financial information.
     
  10. Tony D

    Tony D Super-Moderator Super Moderators

    Joined:
    Sep 25, 2009
    Messages:
    3,252
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    That's true. They want bitcoins or some fraction of a bitcoin. The message says to email them.

    I'm still concerned that there's something else going on with this machine as witnessed by the screen shots. Once the image is made, I'm going to try to get into one of the other accounts to see if the machine looks right.
     
  11. starbuck

    Exactly.
    If there are no backups available .... there's not much use in trying to sort it.
    I'm inclined to agree.
    It's rare that a ransomware program would mess with the actual OS. (unless the ransomware program is flawed)
     
  12. Tony D

    I found a few BTC decryptors online but none seem to fit the scenario on this machine.

    I'm now restoring the image I made earlier to another drive so I can work on it without messing with the original drive.
     
  13. Seth Anthony

    Once you get the ransomware out, what about trying a system restore to repair the OS? Of course you still have the encrypted file problem, but at least you might be able to get the OS and programs functioning correctly.
     
  14. Tony D

    At this point, my goal is exactly that. Get the OS running properly.
     
    Last edited: Jan 27, 2019
  15. Seth Anthony

    Ok that's good. If the System Restore succeeds, it should fix the user account / login issue.

    Don't forget about the SR flaw that may report SR failed, but it actually didn't. The only true way to know if it succeeded is to restart the computer when you get the message "SR did not complete successfully". Upon the restart, you may find that user accounts are now fine, and you'll get a message that says "SR completed successfully".
     
  16. starbuck

    Don't you just love MS Windows :angry-1:
     
  17. Tony D

    I've been able to get in and create a new user account. I'm still hit with the ransomware notes but can close out of them. Still have other issues.

    Avast isn't running, although it is enabled in msconfig.

    I see Process Hacker 2.39 (r124) was installed on Jan 26. Should I uninstall this?

    I looked at System Restore yesterday. The most recent restore point was in April 2018. It was a System Image restore point. Today, I imaged that drive and restored the image to another drive which I'm working with now. System Restore is showing no restore points. That's not what I expected to see.
     
  18. starbuck

    Seems to be quite safe.
    MalwareBytes and Emsisoft recommend it.
     
  19. Tony D

    Safe Mode with Networking. I was able to get to MBAM. When I clicked on download, nothing happened. Similar experience at Emsisoft. I was unable to install MBAM from my USB drive. I would get "The system cannot find the path specified."

    I was able to run Emsisoft's Emergency Kit.

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    Scan mail archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off

    Scan start: 1/27/2019 2:46:12 PM
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE -> DEBUGGER detected: SecHijack (A) [258718]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE -> DEBUGGER detected: SecHijack (A) [258728]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE -> DEBUGGER detected: SecHijack (A) [258748]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE -> DEBUGGER detected: SecHijack (A) [258752]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE -> DEBUGGER detected: SecHijack (A) [258759]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.KXP -> DEBUGGER detected: SecHijack (A) [258760]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE -> DEBUGGER detected: SecHijack (A) [258767]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVXP.KXP -> DEBUGGER detected: SecHijack (A) [258773]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE -> DEBUGGER detected: SecHijack (A) [258775]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE -> DEBUGGER detected: SecHijack (A) [259049]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE -> DEBUGGER detected: SecHijack (A) [259051]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE -> DEBUGGER detected: SecHijack (A) [259065]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE -> DEBUGGER detected: SecHijack (A) [259110]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE -> DEBUGGER detected: SecHijack (A) [259160]
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE -> DEBUGGER detected: SecHijack (A) [259167]
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\1svhost.exe detected: Gen:Variant.Ransom.Crysis.6 (B) [krnl.xmd]
    C:\Windows\Debug\beijing.ini detected: Generic.Botget.586B2F14 (B) [krnl.xmd]
    C:\Windows\mysql.ini detected: Generic.FTP.DownloaderA.1623302F (B) [krnl.xmd]
    C:\Windows\system32\1svhost.exe detected: Gen:Variant.Ransom.Crysis.6 (B) [krnl.xmd]
    C:\Windows\system32\NewAuto.inf detected: Trojan.Script.634797 (B) [krnl.xmd]
    C:\Windows\system32\us.dat detected: Generic.FTP.DownloaderA.82EB7429 (B) [krnl.xmd]
    C:\Windows\TEMP\722604836.dll detected: Gen:Variant.Zusy.232880 (B) [krnl.xmd]

    Scanned 163112
    Found 22

    Scan end: 1/27/2019 2:59:00 PM
    Scan time: 0:12:48

    C:\Windows\TEMP\722604836.dll Gen:Variant.Zusy.232880 (B)

    Quarantined 1

    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVXP.KXP -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.KXP -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE -> DEBUGGER SecHijack (A)
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE -> DEBUGGER SecHijack (A)

    Deleted 15
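    The scan output above lists a row of Image File Execution Options (IFEO) keys carrying a Debugger value. Windows consults that key whenever a process with the named image file starts and launches the configured "debugger" in its place, so a planted Debugger value silently intercepts the start of the named program; the image names in this report are components of several antivirus products, plus sethc.exe, the Sticky Keys helper that can be launched from the logon screen. The script below is an added example for readers of this thread, not something posted in it and not Emsisoft's tooling: it parses report lines of this shape, separates IFEO debugger hijacks from file detections, counts detection names, and flags any detected file sitting under a Start Menu StartUp folder as an autostart location. The sample lines are constructed from the values quoted in the post; the function and field names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the Emsisoft Emergency Kit report quoted
# in the thread (values copied from the post, not a live capture).
SAMPLE_LOG = r"""
Scan start: 1/27/2019 2:46:12 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE -> DEBUGGER detected: SecHijack (A) [258718]
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE -> DEBUGGER detected: SecHijack (A) [259160]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\1svhost.exe detected: Gen:Variant.Ransom.Crysis.6 (B) [krnl.xmd]
C:\Windows\system32\1svhost.exe detected: Gen:Variant.Ransom.Crysis.6 (B) [krnl.xmd]
C:\Windows\TEMP\722604836.dll detected: Gen:Variant.Zusy.232880 (B) [krnl.xmd]
Scanned 163112
Found 22
"""

# Registry detection line: "Value: <key>\<image> -> <valuename> detected: <name> [id]"
IFEO_RE = re.compile(
    r"^Value: (?P<key>.*\\IMAGE FILE EXECUTION OPTIONS\\(?P<target>[^\\]+)) -> "
    r"(?P<value>\S+) detected: (?P<name>.+?) \[",
    re.IGNORECASE,
)
# File detection line: "<drive>:\<path> detected: <name> [engine]"
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) detected: (?P<name>.+?) \[")
# Per-user autostart folder; anything detected here runs at logon.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    kind: str      # "ifeo_debugger" or "file"
    location: str  # hijacked image name, or the full file path
    name: str      # scanner's detection name as printed


def parse_scan_log(text):
    """Return one Detection per report line that describes a finding."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m and m.group("value").upper() == "DEBUGGER":
            found.append(Detection("ifeo_debugger", m.group("target").upper(), m.group("name")))
            continue
        m = FILE_RE.match(line)
        if m:
            found.append(Detection("file", m.group("path"), m.group("name")))
    return found


def summarize(detections):
    """Group findings the way a responder would triage them."""
    ifeo_targets = sorted({d.location for d in detections if d.kind == "ifeo_debugger"})
    files = [d for d in detections if d.kind == "file"]
    families = {}
    for d in files:
        families[d.name] = families.get(d.name, 0) + 1
    startup = [d.location for d in files if STARTUP_RE.search(d.location)]
    return {
        "ifeo_debugger_targets": ifeo_targets,  # images whose start is intercepted
        "file_detections": len(files),
        "families": families,                   # detection name -> count
        "startup_persistence": startup,         # detected files in an autostart folder
    }


if __name__ == "__main__":
    report = summarize(parse_scan_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Pointing the parser at a real report file instead of SAMPLE_LOG is a one-line change; the triage that matters is that the IFEO list tells you which security products were being suppressed on the machine, and the StartUp entry tells you the ransomware binary was set to run again at every logon.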
     
  20. Seth Anthony

    I've been working with Apple OS's for about the last year or so, and not only is their operating system far superior to MS's, but so are the repair functions.

    You said you see an April 2018 restore point, but then say there are no restore points???
     
