Virus in an e-mail


(Charyy) #1

Hello

yesterday I carelessly unpacked an e-mail, I thought it was from one of my clients, unfortunately a mistake... - the contents of the e-mail below:

You have received new fax from EPSON7643256. Attached file is scanned image

unfortunately I unpacked it, and today I can no longer open any photo or video

today Opera pops up this message, and Notepad also opens with the same message:

What happened to your files ?

All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.

More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,

it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.

If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1.http://7oqnsnzwwnm6zb7y.icepaytor.com/Lz5mzj

2.http://7oqnsnzwwnm6zb7y.ptiontor4pay.com/Lz5mzj

3.http://7oqnsnzwwnm6zb7y.waytopaytor.com/Lz5mzj

4.http://7oqnsnzwwnm6zb7y.suntorpaymoon.com/Lz5mzj

If for some reasons the addresses are not available, follow these steps:

1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 

2.After a successful installation, run the browser and wait for initialization.

3.Type in the address bar: 7oqnsnzwwnm6zb7y.onion/Lz5mzj

4.Follow the instructions on the site.

IMPORTANT INFORMATION:

Your personal page: http://7oqnsnzwwnm6zb7y.icepaytor.com/Lz5mzj

Your personal page (using TOR): 7oqnsnzwwnm6zb7y.onion/Lz5mzj

Your personal identification number (if you open the site (or TOR 's) directly): Lz5mzj

please help, if it is still possible at all...

additionally, this page also opens:

http://7oqnsnzwwnm6zb7y.icepaytor.com/Lz5mzj


(Giiixxxx6) #2

http://forum.dobreprogramy.pl/nowy-log-obowi%C4%85zkowy-farbar-recovery-scan-tool-t478727/

DO NOT download or click any link


(Charyy) #3

http://www.wklej.org/id/1679180/ - FRST

http://www.wklej.org/id/1679183/ - add


(Atis) #4

CryptoWall encrypts files and there is no way to decrypt that data.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Uninstall AVG Security Toolbar and Trend Micro Titanium Internet Security.

Paste into the system Notepad and save as a text file named fixlist:

CloseProcesses:
HKLM-x32\...\Run: [NPSStartup] => [X]
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1230704 2011-03-21] ()
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2503704 2015-03-06] ()
HKU\S-1-5-21-3081879787-2621475467-4212804012-1000\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe [1266712 2013-06-03] (AVG Secure Search)
Startup: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/Lz5mzj
HKU\S-1-5-21-3081879787-2621475467-4212804012-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/mb68?u=92260254170337077
SearchScopes: HKU\S-1-5-21-3081879787-2621475467-4212804012-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3081879787-2621475467-4212804012-1001 -> {83FA536C-FAB1-46FB-8FB6-8B09CA8E4CA0} URL = http://www.search.ask.com/web?tpid=ORJ-V7C&o=APN11406&pf=V7&p2=^BBE^OSJ000^YY^PL&gct=&itbv=12.10.6.48&apn_uid=EA545F51-B85B-4292-B826-EF017175D63C&apn_ptnrs=BBE&apn_dtid=^OSJ000^YY^PL&apn_dbr=Opera.exe_0_11.61.1250.0&doi=2014-04-16&trgb=IE&q={searchTerms}&psv=
SearchScopes: HKU\S-1-5-21-3081879787-2621475467-4212804012-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={C785D38B-31BC-499B-825F-36D09DFB1FC0}&mid=c3309ffe53cd47d0b7a2252442a88d4d-7bbe495f8f280329f01a985fe78aa0a956e5e55b&lang=pl&ds=xn011&pr=sa&d=2013-01-13 20:22:41&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
DPF: HKLM-x32 {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml [2013-05-21]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2013-05-21]
CHR Extension: (AVG Security Toolbar) - C:\Users\barbara\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-01-28]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\18.1.0.443\avg.crx [2014-04-28]
R2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [1802776 2015-03-06] (AVG Secure Search)
2015-04-02 09:14 - 2015-04-02 09:14 - 00008572 _____ () C:\Users\barbara\HELP_DECRYPT.HTML
2015-04-02 09:14 - 2015-04-02 09:14 - 00008572 _____ () C:\Users\barbara\Desktop\HELP_DECRYPT.HTML
2015-04-02 09:14 - 2015-04-02 09:14 - 00004226 _____ () C:\Users\barbara\HELP_DECRYPT.TXT
2015-04-02 09:14 - 2015-04-02 09:14 - 00004226 _____ () C:\Users\barbara\Desktop\HELP_DECRYPT.TXT
2015-04-02 09:14 - 2015-04-02 09:14 - 00000276 _____ () C:\Users\barbara\HELP_DECRYPT.URL
2015-04-02 09:14 - 2015-04-02 09:14 - 00000276 _____ () C:\Users\barbara\Desktop\HELP_DECRYPT.URL
2015-03-31 22:23 - 2015-03-31 22:23 - 00008572 _____ () C:\Users\barbara\Downloads\HELP_DECRYPT.HTML
2015-03-31 22:23 - 2015-03-31 22:23 - 00004226 _____ () C:\Users\barbara\Downloads\HELP_DECRYPT.TXT
2015-03-31 22:23 - 2015-03-31 22:23 - 00000276 _____ () C:\Users\barbara\Downloads\HELP_DECRYPT.URL
2015-03-31 22:21 - 2015-03-31 22:21 - 00008572 _____ () C:\Users\barbara\Documents\HELP_DECRYPT.HTML
2015-03-31 22:21 - 2015-03-31 22:21 - 00004226 _____ () C:\Users\barbara\Documents\HELP_DECRYPT.TXT
2015-03-31 22:21 - 2015-03-31 22:21 - 00000276 _____ () C:\Users\barbara\Documents\HELP_DECRYPT.URL
2015-03-31 21:28 - 2015-03-31 21:28 - 00008572 _____ () C:\Users\barbara\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-31 21:28 - 2015-03-31 21:28 - 00008572 _____ () C:\Users\barbara\AppData\HELP_DECRYPT.HTML
2015-03-31 21:28 - 2015-03-31 21:28 - 00004226 _____ () C:\Users\barbara\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-31 21:28 - 2015-03-31 21:28 - 00004226 _____ () C:\Users\barbara\AppData\HELP_DECRYPT.TXT
2015-03-31 21:28 - 2015-03-31 21:28 - 00000276 _____ () C:\Users\barbara\AppData\Roaming\HELP_DECRYPT.URL
2015-03-31 21:28 - 2015-03-31 21:28 - 00000276 _____ () C:\Users\barbara\AppData\HELP_DECRYPT.URL
2015-03-31 21:27 - 2015-03-31 21:27 - 00008572 _____ () C:\Users\barbara\AppData\Local\HELP_DECRYPT.HTML
2015-03-31 21:27 - 2015-03-31 21:27 - 00004226 _____ () C:\Users\barbara\AppData\Local\HELP_DECRYPT.TXT
2015-03-31 21:27 - 2015-03-31 21:27 - 00000276 _____ () C:\Users\barbara\AppData\Local\HELP_DECRYPT.URL
2015-03-31 21:26 - 2015-03-31 21:26 - 00008572 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-31 21:26 - 2015-03-31 21:26 - 00004226 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-31 21:26 - 2015-03-31 21:26 - 00000276 _____ () C:\ProgramData\HELP_DECRYPT.URL
2011-06-23 03:26 - 2011-06-23 03:27 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2011-06-23 03:26 - 2011-06-23 03:26 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
Task: {07139474-F9A3-4A76-A366-C41FFC52F93C} - System32\Tasks\{235076B5-D2D1-4E15-9A85-D81FB99A3C0C} => pcalua.exe -a E:\setup.exe -d E:\
Task: {38123C30-56DC-4243-A815-1006241168DC} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{62492F64-5627-4DA2-AA0C-48C69C84426A}.exe
Task: {FADF520D-FA8D-488C-BC25-A6263FD020F1} - System32\Tasks\{B8D01272-F591-4127-91F2-E0DA356F0AC1} => pcalua.exe -a C:\Users\barbara\AppData\Local\Temp\Temp2_dialang(1).zip\dialang.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{62492F64-5627-4DA2-AA0C-48C69C84426A}.exe <==== ATTENTION
C:\Program Files (x86)\Common Files\AVG Secure Search
EmptyTemp:

Run FRST and click Fix. Show the removal report, Fixlog.

Click Scan and show a new FRST report, without Addition.
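A defender-side triage check, added here as an example and not part of the thread or of FRST itself: it reads FRST-style report lines like the ones in the fixlist above (the sample below is constructed from them), flags every HELP_DECRYPT.* ransom note, records which folders were touched, the earliest drop time (a rough marker for when the encryption run started, useful when picking a backup or shadow copy to restore from), and the Startup-folder copies that make the note reopen at every logon. The function name, the regular expressions and the layout of the returned dictionary are my own choices, not FRST's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the FRST lines quoted in this thread.
SAMPLE_FRST_LINES = r"""
Startup: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
InternetURL: C:\Users\barbara\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://7oqnsnzwwnm6zb7y.icepaytor.com/Lz5mzj
2015-04-02 09:14 - 2015-04-02 09:14 - 00008572 _____ () C:\Users\barbara\HELP_DECRYPT.HTML
2015-04-02 09:14 - 2015-04-02 09:14 - 00004226 _____ () C:\Users\barbara\Desktop\HELP_DECRYPT.TXT
2015-03-31 21:26 - 2015-03-31 21:26 - 00000276 _____ () C:\ProgramData\HELP_DECRYPT.URL
2011-06-23 03:26 - 2011-06-23 03:27 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
R2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [1802776 2015-03-06] (AVG Secure Search)
"""

# The note names CryptoWall 3.0 dropped on this machine, per the FRST log above.
RANSOM_NOTE_RE = re.compile(r'[\\/]HELP_DECRYPT\.(?:HTML|PNG|TXT|URL)$', re.IGNORECASE)

# Three FRST line shapes seen in the log: Startup entry, .URL shortcut, dated file entry.
STARTUP_RE = re.compile(r'^Startup: (?P<path>.+?) \(\)$')
INTERNETURL_RE = re.compile(r'^InternetURL: (?P<path>.+?) -> (?P<url>\S+)$')
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'\d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?P<size>\d+) \S+ \(\) (?P<path>.+)$'
)


def analyze_frst(text: str) -> Dict[str, object]:
    """Summarise ransom-note artefacts found in FRST report text (hypothetical helper)."""
    notes: List[Tuple[str, str]] = []   # (created, path) for each note on disk
    persistence: List[str] = []         # note copies in a Startup folder (reopen at logon)
    urls = set()                        # payment-page URLs the .URL note points at
    for line in text.splitlines():
        line = line.strip()
        m = STARTUP_RE.match(line)
        if m and RANSOM_NOTE_RE.search(m['path']):
            persistence.append(m['path'])
            continue
        m = INTERNETURL_RE.match(line)
        if m and RANSOM_NOTE_RE.search(m['path']):
            persistence.append(m['path'])
            urls.add(m['url'])
            continue
        m = FILE_RE.match(line)
        if m and RANSOM_NOTE_RE.search(m['path']):
            notes.append((m['created'], m['path']))
    # Earliest note drop approximates the start of the encryption run.
    first_seen = min((created for created, _ in notes), default=None)
    return {
        'note_count': len(notes),
        'first_note_dropped': first_seen,
        'affected_dirs': sorted({path.rsplit('\\', 1)[0] for _, path in notes}),
        'startup_persistence': persistence,
        'payment_urls': sorted(urls),
        'infected': bool(notes or persistence),
    }


if __name__ == '__main__':
    for key, value in analyze_frst(SAMPLE_FRST_LINES).items():
        print(f'{key}: {value}')
```

The check only reads the report; it removes nothing, so it is safe to run on a log pasted from an affected machine before deciding on a fixlist. The `hxxp://` form in the .URL line is kept as FRST writes it, which also keeps the payment address from being clickable in whatever tool displays the summary.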


(Charyy) #5

http://www.wklej.org/id/1679296/ - fixlog

http://www.wklej.org/id/1679297/ - frst


(Atis) #6

Don't quote my replies.

Why are you showing a report from an old version of FRST?

Run the fixlist using the latest version of FRST.


(Charyy) #7

http://www.wklej.org/id/1679398/ - fix

http://www.wklej.org/id/1679402/ - frst


(Atis) #8

Paste into the system Notepad and save as a text file named fixlist:

BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.3.0\ViProtocol.dll No File
2015-03-31 21:28 - 2015-03-31 21:28 - 0045485 _____ () C:\Users\barbara\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-31 21:27 - 2015-03-31 21:27 - 0045485 _____ () C:\Users\barbara\AppData\Local\HELP_DECRYPT.PNG
2015-03-31 21:26 - 2015-03-31 21:26 - 0045485 _____ () C:\ProgramData\HELP_DECRYPT.PNG
DeleteQuarantine:

Run FRST and click Fix. Delete the C:\FRST folder.

Scan the disk with ESET Online Scanner.

Uninstall:

Adobe Flash Player 16 ActiveX

Adobe Flash Player 16 NPAPI

Java 7 Update 55

Java 6 Update 29

Install:

Flash Player 17.0.0.134 Plugin

Flash Player 17.0.0.134 ActiveX

Java 8 Update 40


(Charyy) #9

hello

everything done. ESET stops at 66% every time and won't go any further, it does nothing; it stops when it scans drive Q: microsoft office 2010 click to run 2010 (protected)

is it possible to hire a company to attempt to recover the photos??


(Atis) #10

Only drives C and D were visible in the report.

I have no idea whether recovering those photos is possible at all.

Do not save any files to the drive from which you want to recover data.

Recuva - Portable, and tick Deep Scan:

http://www.piriform.com/recuva/builds

Puran File Recovery Portable:

http://www.puransoftware.com/File-Recovery-Download.html

QPhotoRec:

http://www.cgsecurity.org/wiki/TestDisk_Download