pandafusion
asked on
CryptoWall with unusual behaviors. Confirm removal.
Background:
I hope this is not too complete :)
I have a relatively new client. This client has a server and a client machine. The server is running SBS 2011 and the client is running Windows 7. The server is the domain controller for the environment. This is an inherited system setup by someone else.
We had barely gotten into working on the server: setting up the drives, restricting access based on membership in various security groups, etc.
The office manager is an Administrator on the client machine and the server. The office manager logs onto the server directly in order to start an enterprise application and connect it to Quickbooks. The enterprise application must be started by someone who is a member of the Administrator’s group (I know, right?).
I happened to be working on the server this morning without incident between about 7:00 am and 8:30 am. Coincidentally, this included a fully updated quick Malware Bytes (MBAM) scan that detected nothing. I then logged off. The office manager logged on a little after 8:30am and the server was hit with CryptoWall. Server files were encrypted beginning at 8:36am, concluding at 8:58am based on ‘Date Modified’ in Explorer. Unaware of the issue, the office manager logged onto her desktop. Her desktop files were encrypted starting at 8:54am, concluding at 8:58am based on ‘Date Modified’ in Windows Explorer. I have read elsewhere that the time stamp file may be changed. However, that has not occurred since the initial observation. A new, full MBAM scan detects nothing.
It appears the problem originated with the server (I still want it to be the desktop’s fault). The office manager did not browse the internet or open emails on the server. It is possible a marketing intern opened their gmail account over the internet while on the server about a week ago. The same intern visited one hvac site and downloaded jpeg files from the manufacturer for use in marketing materials. There is no email client on the server and the browser histories appear to be intact. The only browser usage recorded was the intern to gmail and the hvac manufacturer’s site. The folder in which the downloaded jpegs were placed was not encrypted (see R: drive below). The infection appears to be through the office manager’s account only. Some folders on the server do not allow access (through NTFS permissions) for either the Administrators group or the office manager’s account. These folders were universally not affected in any way.
Unusual Behaviors:
I have observed the following unusual behaviors that I did not see documented elsewhere for CryptoWall and its varients:
1. The server has a number of data drives. In the Q: drive, the encryption went down three levels, then stopped. In the D: drive, encryption bottomed out at 4-6 levels and affected every file in one folder. Another folder on the same drive was entirely unaffected. NTFS permissions were the same for both folders. In the R: drive, the DECRYPT_INSTRUCTION files are listed at the top level, but no files in any folder were affected (there are no top level files in the R: drive to have been encrypted, only folders).
2. For the office manager’s account, the following control panel applets appear to have been removed and cannot be run from an elevated command prompt using canonical naming: User Accounts, Programs and Features, System, Network and Sharing Center (Network Connections can be run through ncpa.cpl), Internet Options, Folder Options.
3. Interestingly, all of the above control panel items are visible and useable by me on the server and desktop both as a super administrator.
4. It has been alluded to elsewhere that this program may encrypt files and uninstall itself. That may be the case here. I do not find any evidence of random.exe files, processes, etc. currently running. Additionally, I have looked in a variety of registry keys reported elsewhere and not found anything listed at all.
5. I thought I saw this elsewhere, so may not be something new. The desktop C: drive has 12 newly created folders from 8:51 am, that appear to be empty, named DD20.4.8201XXXXXXXXX.
Help Needed:
One of the things we did for this client was to implement good backup protections. I am fairly confident our data is good and can be easily restored.
However, before I begin restoring data:
A. I want to make sure this thing is really gone.
B. Then I need to make sure I remove any last traces, including the DECRYPT_INSTRUCTIONS files.
C. Then I’ll feel like I can restore data and move forward. We have volume shadow copies, nightly backups, etc. to work with – though I haven’t touched any of those yet.
D. Lastly, I would like to figure out how this got into the system. Any event logging was set up by the other guy (we literally just started digging into the server a few days ago).
Additional Item:
My Administrator account, which has access to the User Accounts control panel applet on the server, has an encryption key. I saw the following instructions to restore encrypted files elsewhere (scroll to end of post) http://www.411-spyware.com/remove-cryptowall-virus. Should I move forward with this?
What are my next steps (hijack this log posted below, Server as SuperAdmin first and Desktop as office manager second)?
I hope this is not too complete :)
I have a relatively new client. This client has a server and a client machine. The server is running SBS 2011 and the client is running Windows 7. The server is the domain controller for the environment. This is an inherited system setup by someone else.
We had barely gotten into working on the server: setting up the drives, restricting access based on membership in various security groups, etc.
The office manager is an Administrator on the client machine and the server. The office manager logs onto the server directly in order to start an enterprise application and connect it to Quickbooks. The enterprise application must be started by someone who is a member of the Administrator’s group (I know, right?).
I happened to be working on the server this morning without incident between about 7:00 am and 8:30 am. Coincidentally, this included a fully updated quick Malware Bytes (MBAM) scan that detected nothing. I then logged off. The office manager logged on a little after 8:30am and the server was hit with CryptoWall. Server files were encrypted beginning at 8:36am, concluding at 8:58am based on ‘Date Modified’ in Explorer. Unaware of the issue, the office manager logged onto her desktop. Her desktop files were encrypted starting at 8:54am, concluding at 8:58am based on ‘Date Modified’ in Windows Explorer. I have read elsewhere that the time stamp file may be changed. However, that has not occurred since the initial observation. A new, full MBAM scan detects nothing.
It appears the problem originated with the server (I still want it to be the desktop’s fault). The office manager did not browse the internet or open emails on the server. It is possible a marketing intern opened their gmail account over the internet while on the server about a week ago. The same intern visited one hvac site and downloaded jpeg files from the manufacturer for use in marketing materials. There is no email client on the server and the browser histories appear to be intact. The only browser usage recorded was the intern to gmail and the hvac manufacturer’s site. The folder in which the downloaded jpegs were placed was not encrypted (see R: drive below). The infection appears to be through the office manager’s account only. Some folders on the server do not allow access (through NTFS permissions) for either the Administrators group or the office manager’s account. These folders were universally not affected in any way.
Unusual Behaviors:
I have observed the following unusual behaviors that I did not see documented elsewhere for CryptoWall and its varients:
1. The server has a number of data drives. In the Q: drive, the encryption went down three levels, then stopped. In the D: drive, encryption bottomed out at 4-6 levels and affected every file in one folder. Another folder on the same drive was entirely unaffected. NTFS permissions were the same for both folders. In the R: drive, the DECRYPT_INSTRUCTION files are listed at the top level, but no files in any folder were affected (there are no top level files in the R: drive to have been encrypted, only folders).
2. For the office manager’s account, the following control panel applets appear to have been removed and cannot be run from an elevated command prompt using canonical naming: User Accounts, Programs and Features, System, Network and Sharing Center (Network Connections can be run through ncpa.cpl), Internet Options, Folder Options.
3. Interestingly, all of the above control panel items are visible and useable by me on the server and desktop both as a super administrator.
4. It has been alluded to elsewhere that this program may encrypt files and uninstall itself. That may be the case here. I do not find any evidence of random.exe files, processes, etc. currently running. Additionally, I have looked in a variety of registry keys reported elsewhere and not found anything listed at all.
5. I thought I saw this elsewhere, so may not be something new. The desktop C: drive has 12 newly created folders from 8:51 am, that appear to be empty, named DD20.4.8201XXXXXXXXX.
Help Needed:
One of the things we did for this client was to implement good backup protections. I am fairly confident our data is good and can be easily restored.
However, before I begin restoring data:
A. I want to make sure this thing is really gone.
B. Then I need to make sure I remove any last traces, including the DECRYPT_INSTRUCTIONS files.
C. Then I’ll feel like I can restore data and move forward. We have volume shadow copies, nightly backups, etc. to work with – though I haven’t touched any of those yet.
D. Lastly, I would like to figure out how this got into the system. Any event logging was set up by the other guy (we literally just started digging into the server a few days ago).
Additional Item:
My Administrator account, which has access to the User Accounts control panel applet on the server, has an encryption key. I saw the following instructions to restore encrypted files elsewhere (scroll to end of post) http://www.411-spyware.com/remove-cryptowall-virus. Should I move forward with this?
What are my next steps (hijack this log posted below, Server as SuperAdmin first and Desktop as office manager second)?
ASKER
Desktop as office manager:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 2:24:03 PM, on 6/5/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
FIREFOX: 29.0.1 (en-US)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\c
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweat
C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFP
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
C:\Program Files (x86)\iTunes\iTunesHelper.
C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
C:\Program Files\salesforce.com\Sales
C:\Users\sseemiller\AppDat
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.E
D:\HijackThis.exe
C:\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-4
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
O4 - HKLM\..\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweat
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSy
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeA
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProc
O4 - HKCU\..\Run: [Driver Detective] C:\Program Files (x86)\PC Drivers HeadQuarters\Driver Detective\DriversHQ.Driver
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadm
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadm
O4 - Startup: DDHelper.lnk = C:\Program Files (x86)\DD20.4.8201402131355
O4 - Startup: Dropbox.lnk = sseemiller\AppData\Roaming
O4 - Startup: DualDesk.lnk = C:\Program Files (x86)\DD20.4.8201402131355
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.E
O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\I
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: QuickBooks_Standard_21.lnk
O4 - Global Startup: Salesforce for Outlook.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWri
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWri
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-8
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-0
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc
O23 - Service: @%SystemRoot%\system32\Alg
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceS
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: @%SystemRoot%\system32\efs
O23 - Service: @%systemroot%\system32\fxs
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\Google
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\Google
O23 - Service: HP SI Service (HPSIService) - Unknown owner - C:\Windows\system32\HPSIsv
O23 - Service: @%SystemRoot%\system32\iee
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.
O23 - Service: @%SystemRoot%\System32\net
O23 - Service: NitroPDFDriverCreatorReadS
O23 - Service: NitroPDFDriverCreatorReadS
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\c
O23 - Service: @%systemroot%\system32\psb
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FC
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\Q
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O23 - Service: @%systemroot%\system32\Loc
O23 - Service: @%SystemRoot%\system32\sam
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Update
O23 - Service: @%SystemRoot%\system32\snm
O23 - Service: @%systemroot%\system32\spo
O23 - Service: @%SystemRoot%\system32\spp
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version8\
O23 - Service: @%SystemRoot%\system32\ui0
O23 - Service: @%SystemRoot%\system32\vau
O23 - Service: @%SystemRoot%\system32\vds
O23 - Service: @%systemroot%\system32\vss
O23 - Service: @%SystemRoot%\system32\Wat
O23 - Service: @%systemroot%\system32\wbe
O23 - Service: @%Systemroot%\system32\wbe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 14011 bytes
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 2:24:03 PM, on 6/5/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
FIREFOX: 29.0.1 (en-US)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\c
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweat
C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFP
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
C:\Program Files (x86)\iTunes\iTunesHelper.
C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
C:\Program Files\salesforce.com\Sales
C:\Users\sseemiller\AppDat
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.E
D:\HijackThis.exe
C:\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-4
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
O4 - HKLM\..\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweat
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files (x86)\Nitro PDF\Professional\NitroPDFP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSy
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeA
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProc
O4 - HKCU\..\Run: [Driver Detective] C:\Program Files (x86)\PC Drivers HeadQuarters\Driver Detective\DriversHQ.Driver
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadm
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadm
O4 - Startup: DDHelper.lnk = C:\Program Files (x86)\DD20.4.8201402131355
O4 - Startup: Dropbox.lnk = sseemiller\AppData\Roaming
O4 - Startup: DualDesk.lnk = C:\Program Files (x86)\DD20.4.8201402131355
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.E
O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\I
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: QuickBooks_Standard_21.lnk
O4 - Global Startup: Salesforce for Outlook.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWri
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWri
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-8
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-0
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc
O23 - Service: @%SystemRoot%\system32\Alg
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceS
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: @%SystemRoot%\system32\efs
O23 - Service: @%systemroot%\system32\fxs
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\Google
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\Google
O23 - Service: HP SI Service (HPSIService) - Unknown owner - C:\Windows\system32\HPSIsv
O23 - Service: @%SystemRoot%\system32\iee
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.
O23 - Service: @%SystemRoot%\System32\net
O23 - Service: NitroPDFDriverCreatorReadS
O23 - Service: NitroPDFDriverCreatorReadS
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.17.20\c
O23 - Service: @%systemroot%\system32\psb
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FC
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\Q
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\
O23 - Service: @%systemroot%\system32\Loc
O23 - Service: @%SystemRoot%\system32\sam
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Update
O23 - Service: @%SystemRoot%\system32\snm
O23 - Service: @%systemroot%\system32\spo
O23 - Service: @%SystemRoot%\system32\spp
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version8\
O23 - Service: @%SystemRoot%\system32\ui0
O23 - Service: @%SystemRoot%\system32\vau
O23 - Service: @%SystemRoot%\system32\vds
O23 - Service: @%systemroot%\system32\vss
O23 - Service: @%SystemRoot%\system32\Wat
O23 - Service: @%systemroot%\system32\wbe
O23 - Service: @%Systemroot%\system32\wbe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 14011 bytes
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The user can view files in unaffected directories (not all folders and files were encrypted, see number 1 above) and they are not encrypted upon viewing. This includes existing files that were not encrypted as well as newly created files placed in folders with and without encrypted contents.
The encrypted files do not appear to have been placed in a special folder on the desktop. Each encrypted file remains in its original location.
Thank you.
The encrypted files do not appear to have been placed in a special folder on the desktop. Each encrypted file remains in its original location.
Thank you.
Hello,
To confirm, is the server actually infected with the virus - I.e. are you getting notifications or anything? Or is it just the client machine which is infected and has encrypted the mapped drives?
My actions here would be to remove the infected PC from the network and either restore it from a backup (not a restore point) or re-install it. I would recover the server files via Shadow copies or just restore from a backup.
Removing the infected PC from the network should be your main priority.
To confirm, is the server actually infected with the virus - I.e. are you getting notifications or anything? Or is it just the client machine which is infected and has encrypted the mapped drives?
My actions here would be to remove the infected PC from the network and either restore it from a backup (not a restore point) or re-install it. I would recover the server files via Shadow copies or just restore from a backup.
Removing the infected PC from the network should be your main priority.
ASKER
Based on the time stamps mentioned in the background section, it appears the encryption began on the server, not the client.
The client PC was immediately removed from the network. The only notifications are coming from copies of DECRYPT_INSTRUCTION.txt and DECRYPT_INSTRUCTION.html located in the office manager's \AppData\Roaming\Microsoft
I do not detect an active infection on either machine based on examining processes and programs running in the background, but I am not an expert with logs or malware generally. I am really looking for some way to make sure this thing is gone, and I am wondering if there is something I can do other than running a full scan on MBAM.
Additional notes: sfc /scannow on the server found corrupted files that cannot be fixed. That will be part of this morning's focus (see also: missing control panel applets for the office manager). Also, I backed up the backup (Windows Server Backup), and then successfully restored the corrupted volumes last night. All the data is no longer encrypted and appears usable.
My goal at this point is to ensure the infection is gone, fix the corrupted files on the server and then restore the client insofar as possible (or re-install from scratch). The client was not backed up, but does not appear to have critical data. This is a new client, so here's hoping they have all their disks :)
Is there anything I should do to make sure the active infection is gone?
I cannot find any malware .dll's, registry keys, etc. - just the DECRYPT files. This makes me suspicious. Thoughts on making sure any other traces are gone?
Any thoughts on the unusual behaviors noted in the first post or ways to determine how this got into the system?
Thank you
The client PC was immediately removed from the network. The only notifications are coming from copies of DECRYPT_INSTRUCTION.txt and DECRYPT_INSTRUCTION.html located in the office manager's \AppData\Roaming\Microsoft
I do not detect an active infection on either machine based on examining processes and programs running in the background, but I am not an expert with logs or malware generally. I am really looking for some way to make sure this thing is gone, and I am wondering if there is something I can do other than running a full scan on MBAM.
Additional notes: sfc /scannow on the server found corrupted files that cannot be fixed. That will be part of this morning's focus (see also: missing control panel applets for the office manager). Also, I backed up the backup (Windows Server Backup), and then successfully restored the corrupted volumes last night. All the data is no longer encrypted and appears usable.
My goal at this point is to ensure the infection is gone, fix the corrupted files on the server and then restore the client insofar as possible (or re-install from scratch). The client was not backed up, but does not appear to have critical data. This is a new client, so here's hoping they have all their disks :)
Is there anything I should do to make sure the active infection is gone?
I cannot find any malware .dll's, registry keys, etc. - just the DECRYPT files. This makes me suspicious. Thoughts on making sure any other traces are gone?
Any thoughts on the unusual behaviors noted in the first post or ways to determine how this got into the system?
Thank you
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The registry key was definitive. No other post mentioned it. That allowed us to confirm the source, despite the time-stamp indicator. At that point we felt the server was secure and we were able to move forward. Post-mortem included for posterity.
Participation points for other experts comments.
Participation points for other experts comments.
ASKER
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 2:13:34 PM, on 6/5/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505) - (Poster’s Note – SBS 2011)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
Boot mode: Normal
Running processes:
C:\Users\SysAdmin\AppData\
C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
T:\HijackThis.exe
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSy
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeA
O4 - HKCU\..\Run: [SkyDrive] "C:\Users\SysAdmin\AppData
O4 - HKCU\..\RunOnce: [Uninstall C:\Users\SysAdmin\AppData\
O4 - HKCU\..\RunOnce: [Uninstall C:\Users\SysAdmin\AppData\
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macrom
O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\I
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: QuickBooks_Standard_21.lnk
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.intuit.com
O15 - ESC Trusted Zone: http://login.live.com (HKLM)
O15 - ESC Trusted Zone: http://accountservices.passport.net (HKLM)
O16 - DPF: {0AD584EB-F10F-46F7-BCB8-1
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7
O16 - DPF: {788539E8-002D-4E59-9089-4
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-5
O23 - Service: AcowinBackup - Team Management Systems - C:\Program Files (x86)\Acowin\AcowinBackup\
O23 - Service: AcowinGPS - Team Management Systems - C:\Program Files (x86)\Acowin\AcowinGPS.exe
O23 - Service: Acowin Happy Call Survey (AcowinHappyCallSurvey) - Hewlett-Packard Company - C:\Program Files (x86)\Acowin\HappyCallSurv
O23 - Service: Acowin Intercall (AcowinIntercall) - Hewlett-Packard Company - C:\Program Files (x86)\Acowin\AcowinInterca
O23 - Service: AcowinRemote - Unknown owner - C:\Program Files (x86)\Acowin\AcowinRemote.
O23 - Service: AcowinUpdater - Team Managment Systems, Inc - C:\Program Files (x86)\Acowin\AutoUpdater\A
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc
O23 - Service: @%SystemRoot%\system32\Alg
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atasho
O23 - Service: @%systemroot%\system32\cer
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%systemroot%\system32\dfs
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.
O23 - Service: @%systemroot%\system32\dns
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%SystemRoot%\system32\efs
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSv
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%SystemRoot%\system32\iee
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%SystemRoot%\System32\ism
O23 - Service: @%SystemRoot%\System32\kdc
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.
O23 - Service: @%SystemRoot%\System32\net
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%SystemRoot%\System32\ntd
O23 - Service: @%systemroot%\system32\psb
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QB
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FC
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\DataProtect\Q
O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~2\Intuit\QUICKB~
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%systemroot%\system32\Loc
O23 - Service: @%Systemroot%\system32\rqs
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPPr
O23 - Service: @%SystemRoot%\system32\sam
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%SystemRoot%\system32\snm
O23 - Service: @%systemroot%\system32\spo
O23 - Service: @%SystemRoot%\system32\spp
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\storageservice.
O23 - Service: @%SystemRoot%\system32\ui0
O23 - Service: @%SystemRoot%\system32\vau
O23 - Service: @%SystemRoot%\system32\vds
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.
O23 - Service: @%systemroot%\system32\wbe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: @%Systemroot%\system32\wbe
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\CommonRes.dll,-
O23 - Service: @%ProgramFiles%\Windows Server\Bin\wssbackup.exe,-
--
End of file - 13092 bytes