Solved

Anti-Child Porn Spam Protection

Posted on 2012-09-13
Medium Priority
7,466 Views
Last Modified: 2013-11-22
One server in my computer room that I use as an RDP server to allow a few accounting personnel to log on from their homes has been rendered useless by malware that I have found on it. The remote user logged in, and right after entering their username and password a screen message came up stating the following:
ANTI CHILD PORN SPAM PROTECTION (18 U.S.C  & 2252)
WARNING  Access to your computer is limited.  Your files have been decrypted.  

This is certainly malware, and the program's author attempts to get you to purchase unlock codes etc. to remove the lock on the computer.  

This server was extremely important to our company and I am hoping to remove the lock and malware and get a viable machine again.  
Please advise how to remove it and keep this server safe.
Thank you
-JOHN
New-ransomware-called-Anti-Child.mht
Question by:jvanderwyden
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38397276
On a PC at a customer's site I simply used the "Last Known Good Config" to remove a similar issue and another customer's laptop picked up a similar issue on Monday and they booted into safe mode and then did a system restore and now all seems well.

With a server - not sure it will be quite that easy.

When was your last backup of the server?
0
 
LVL 23

Expert Comment

by:Stelian Stan
ID: 38397373
If what alanhardisty recommended is not working you can install Malwarebytes and run a full scan.
0
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38397671
I agree with clonyxlro.  Malwarebytes is a very good program for removing scareware.  Boot up your server and press F8 before it loads up.  Choose Safe Mode with Command prompt.  Once it loads, you should be able to check your msconfig for the infection that is running.  

According to this website
http://www.bleepingcomputer.com/forums/topic449398.html
Look for the following files that might be trying to load.

c:\dvsdlk\svchost.exe
c:\dc.exe
c:\svchost.exe
c:\Documents and Settings\All Users\Desktop\.bat
c:\Documents and Settings\All Users\Desktop\.txt
c:\ProgramData\.bat
c:\ProgramData\.dll
c:\ProgramData\.dll.dlls
c:\ProgramData\.dlls
c:\ProgramData\svchost.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

These are all created by the infection.  These files are all safe to delete manually, but be sure to read the spelling of the files!  Do not get svschost.exe confused with svchost.exe which is a real Windows File.

Once you reboot the server after deleting these files, install Malwarebytes, update it, and run a scan.  Please post your results.
0
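As an added, read-only check (not code from the thread or from the BleepingComputer page), this PowerShell snippet tests for the indicator paths listed above and for Run-key autostart entries that launch them, so the svschost/svchost spelling trap is surfaced before anything is deleted by hand. It assumes PowerShell is available on the server; entries whose file names are elided in the list are matched by folder and extension only, which is an assumption.

```powershell
# Added example, not from the thread: a read-only check for the indicator files
# listed above. It reports matches and deletes nothing.
# Entries whose names are elided in the list (e.g. Desktop\.bat) are matched by
# folder and extension only (an assumption), so review those hits by hand.
$exactPaths = @(
    'C:\dvsdlk\svchost.exe', 'C:\dc.exe', 'C:\svchost.exe', 'C:\ProgramData\svchost.exe',
    'C:\WINDOWS\system32\cfwin32.dll',    'C:\WINDOWS\system32\csrss32.dll',
    'C:\WINDOWS\system32\csrss64.dll',    'C:\WINDOWS\system32\default2.sfx',
    'C:\WINDOWS\system32\NoSafeMode.dll', 'C:\WINDOWS\system32\nsf.exe',
    'C:\WINDOWS\system32\sdelete.dll',
    'C:\WINDOWS\system32\svschost.exe'    # extra 's': the genuine file is svchost.exe
)
$byExtension = @(
    @{ Folder = 'C:\Documents and Settings\All Users\Desktop'; Patterns = '*.bat', '*.txt' },
    @{ Folder = 'C:\ProgramData'; Patterns = '*.bat', '*.dll', '*.dlls' }
)

$hits = @()
foreach ($p in $exactPaths) {
    if (Test-Path -LiteralPath $p) { $hits += Get-Item -LiteralPath $p -Force }
}
foreach ($entry in $byExtension) {
    if (-not (Test-Path -LiteralPath $entry.Folder)) { continue }
    foreach ($pattern in $entry.Patterns) {
        $found = Get-ChildItem -Path $entry.Folder -Filter $pattern -Force -ErrorAction SilentlyContinue
        if ($found) { $hits += $found }
    }
}

# Path, size and timestamps: the creation time should line up with the intruder's RDP logon.
$hits | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize

# Autostart cross-check: a Run value that points at a hit is the loader msconfig would show.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip provider metadata properties
        foreach ($h in $hits) {
            if ([string]$prop.Value -like "*$($h.FullName)*") {
                "Autostart '$($prop.Name)' in $key runs: $($prop.Value)"
            }
        }
    }
}

# Sanity check before any manual deletion: the real service host must stay in place.
if (Test-Path -LiteralPath 'C:\WINDOWS\system32\svchost.exe') {
    'Legitimate C:\WINDOWS\system32\svchost.exe is present; do not remove it.'
}
```

Run it from the Safe Mode command prompt the post describes and keep the output with the scan results; the hit list is what you delete by hand, not the script.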
 
LVL 32

Expert Comment

by:Scott C
ID: 38398569
I had a similar issue on my PC.  Mine was an "FBI" warning.  Malwarebytes couldn't get rid of it.  What I wound up doing was booting my PC with my KNOPPIX partition and manually removing the virus files.

You need to be VERY careful when you do this so you don't do something that will affect the OS.

Make sure you backup your data before you try anything.
0
 
LVL 2

Expert Comment

by:OMC_Hammer
ID: 38400364
Scan with AVG Usb edition or cold scan the HD (other PC) via other AV. Then press F8 and hit the last known good configuration. After that scan it either by Hitman Pro and Malwarebytes. And AVOID WATCHING PORN!!! (Just kidding)
0
 

Author Comment

by:jvanderwyden
ID: 38400658
Yes, just a quick note here: this server has never been used (or rarely) to browse the internet. It's set up as a Terminal Services server allowing a few of our offsite billing staff to work from home. They log in using RDP and run a DOS-based application to generate invoices.  
I have been using Malwarebytes for a long time. They used to be donation only, and I always sent them money. I now purchase a license for as many workstations as I need it for. I have no experience with Hitman Pro, but I have used Spybot Search and Destroy, which is another great malware tool.

From what I have read, and this is the part that keeps me up at night, this was installed by the attacker. He or she hacked into our network, logged onto this server, installed this RANSOMWARE and then sat in his room laughing. This takes a fairly high skill set to be able to accomplish this level of destruction. Why don't they use this talent to make a good living? I am totally puzzled by the behavior. It's evil for the sake of evil. Destruction instead of creation. Not cool.
0
 
 
LVL 8

Expert Comment

by:Scott Thompson
ID: 38400896
There is actually someone else with this same issue right now on EE.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_27864422.html

It looks like you might be able to get the infection off, but your files may be encrypted and unrecoverable.  If you have a backup of your server, I would recommend a complete partition wipe, complete format, and reload (assuming this is not a big issue to do)
0
 
LVL 2

Expert Comment

by:OMC_Hammer
ID: 38402071
My PC was infected once by a malware (Live Security Platinum) and it disabled all of my .exe files and I was not able to execute any executable file, so what I did was restart the PC to plain safe mode and search for that malicious .exe located in C:\Users...\DataApp\Roaming and delete it, but the problem got worse: it modified my registry and I wasn't able to boot normally. What I did was hit the last known good configuration, scan the remaining residing malware with Hitman Pro and download REFRESH PC to restore my registry to default. I recommend backing up your registry first before taking any actions. I'm not promoting any app here, but I once used Spybot S&D and based on my experience it has a poor DB and engine, though Hitman Pro is not an active scanner but Malwarebytes Pro is. By the way, I was also infected by a SPAM app but I successfully uninstalled it in Control Panel.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38414539
@jvanderwyden,

Have you run any tool to clean up this infection yet?

I would advise you not to if you want to recover any files which are already encrypted and you want them decrypted.

Some malware experts might need the files which caused the infection to reverse it and provide you with the code to decrypt the encrypted files.

If you don't have any important files you may either choose to disinfect the system or wipe the system and do a complete clean install.
0
 

Author Comment

by:jvanderwyden
ID: 38430776
TO: alanhardisty, OMC_Hammer, pc_solutions50501, SSharma, clonyxlro ET AL;
First a heartfelt thanks to all of you for sending me your expert opinion on how to fix this really nasty piece of malware. Malicious Software is the CORRECT name for it. Regarding this particular incarnation of malware... Yikes, it wants to destroy my computer.  
I have pretty much decided to shut down this server, remove the hard drives, upgrade the RAM memory and install 3 new 146GB hard drives in a RAID 5. So, tomorrow I pull the hard drives and replace them with new 146GB SATA drives, new RAM. Need to update the RAM, and re-install Windows Server 2003 R2, and place the three (3) 146GB SATA drives in a RAID 5. I will have to download the drivers for various items like NIC cards, sound & video etc.  
Now my question: I use Symantec Endpoint Protection v11.07 and am planning to migrate to Sophos in a few months. Is there something I can install and manage from a central location to protect my servers from these kinds of attacks?  
Please advise.
Thank you
- J o h n
0
 
LVL 23

Expert Comment

by:Stelian Stan
ID: 38432736
I don't know much about Sophos software but Symantec has a pretty good solution called Symantec Endpoint Protection Manager that can be installed on one server and it can manage all your Symantec Endpoint clients. We are running Symantec 12.1 and it does a pretty good job.
I'm sure you can talk with the Sophos folks and they can offer you something similar.
0
 
LVL 2

Expert Comment

by:OMC_Hammer
ID: 38435384
Sophos is from the U.K. and they release a separate version of Sophos anti-rootkit for on-demand use. Interestingly, older versions of Symantec and older versions of Sophos have quite similar shield logos.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 1500 total points
ID: 38449286
There is no magic solution to AV protection.  If the virus is newly released then the majority of software won't be able to protect you from it because they don't have the definitions available to detect it, so whilst some may swear by one AV package and others swear by another, there is no 'best' solution.

We did stop using Symantec Endpoint Protection though and installed Vipre, which picked up plenty of things that SEP let through, so I wouldn't be recommending SEP.

Education is one line of defense that you need to improve if your users open daft emails and click on links on webpages they shouldn't.  Helping them to understand what to look for in an email (as well as making sure you have good anti-spam software which doesn't let viruses / bad links through is also a must) will help you to reduce the chances of this happening again.

Hopefully you were just damned unlucky.
0
 

Author Closing Comment

by:jvanderwyden
ID: 38461774
I was not able to utilize any of the suggestions. I wound up pulling all the drives and re-installing the operating system, Windows Server 2003 R3 Standard Edition. I moved the terminal server to another server and set up my firewall to allow only 2 outside IP addresses in from the outside world using RDP.  
This version of the ransomware also reset the passwords I use to get into the BIOS, so I had to reconfigure all of that as well.

Thanks for the good advice. I agree with all you have stated here. Thank you.
0