My computer is corrupted! Please help!

[NOD32_user 0]

Dear All

I am NOD32 user in Win 7.

I just visit China's website to download a pdf file. My computer is corrupted. Excel and word files are ended with .roauwhd

How to clean? Please help.

Also my every directory is added a file named README in txt file, showing as following.

 

 

 ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
 ====================================================================================================
 Your files are NOT damaged! Your files are modified only. This modification is reversible.

 The only 1 way to decrypt your files is to receive the private key and decryption program.

 Any attempts to restore your files with the third party software will be fatal for your files!
 ====================================================================================================
 To receive the private key and decryption program follow the instructions below:

 1. Download "Tor Browser" from https://www.torproject.org/ and install it.

 2. In the "Tor Browser" open your personal page here:

hxxp://0026dh0x08403r670ge.rsda7v45tqyvqocp.onion/roauwhd

 Note! This page is available via "Tor Browser" only.
 ====================================================================================================
 Also you can use temporary addresses on your personal page without using "Tor Browser":

hxxp://0026dh0x08403r670ge.growboy.site/roauwhd

hxxp://0026dh0x08403r670ge.stonere.host/roauwhd

hxxp://0026dh0x08403r670ge.hellput.pw/roauwhd

hxxp://0026dh0x08403r670ge.amam.space/roauwhd

 Note! These are temporary addresses! They will be available for a limited amount of time!
 

 

 

README.txt

[Marcos 5,074]

The files were encrypted by Filecoder.Magniber. Most likely decryption won't be possible. Please email the following stuff to samples[at]eset.com:

1, Payment instructions
2, Logs collected with ESET Log Collector (a zip archive)
3, A couple of examples of encrypted files (ideally documents)

[NOD32_user 0]

Thank you. Sir. I have scanned by NOD32 and find Filecoder.Magniber existed. May I delete it? 

[Marcos 5,074]

It should be ransomware instructions which are detected. The last variant of Magniber was seen about 10 days ago. If you've got infected recently, it should be due to having outdated modules or disabled protection (e.g. if an attacker logged in via RDP and disabled the av). However, without further logs it's impossible to tell how the infection occurred.

[NOD32_user 0]

email is already sent to samples@eset.com

[NOD32_user 0]

What is meaning of item 1 , Payment instructions?

[TomFace 539]

59 minutes ago, NOD32_user said:

What is meaning of item 1 , Payment instructions?

Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when...we already know why).

Edited August 2, 2018 by TomFace

[itman 1,659]

Would like some details on how you were infected.

Did you actually download a .pdf file and open it using for example Adobe Reader?

[NOD32_user 0]

 

2 hours ago, TomFace said:

Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when...we already know why).

I do not pay "ransom" payment.

[NOD32_user 0]

itman:

Firstly, I search the stretch book in pdf format in google for this name: 酸痛拉筋解剖书.pdf

Secondly,  I visit this website:  https://ck101.com/thread-4210452-1-1.html

Thirdly,  I click this website: hxxp://katfile.com/vlbmqz07mvf5

Forthly, I click a icon to download pdf. But I do not download pdf, nor open pdf. I find that it is so slow and something strange. I close all internet browsers.

Finally, I find that my word and excel files in desktop is shown in white color. My computer is corrupted.

Please help

Please let know who do this virus.

I will find someone to beat him.

 

 

[itman 1,659]

11 hours ago, NOD32_user said:

Secondly,  I visit this website:  https://ck101.com/thread-4210452-1-1.html

Thirdly,  I click this website: hxxp://katfile.com/vlbmqz07mvf5

I checked both these URLS at Zscaler Zulu and VirusTotal. Both of them stated the URLs are 100% clean.

Next, I checked the top level domain names at quettera.com which actually downloads and scans all files that can be downloaded from the web sites.

To begin with both web sites are in the U.S. and hosted by CloudFare.

As far as https://ck101.com/ goes, its 100% clean.

As far as hxxp://katfile.com goes, 2 suspicious and 1 potentially suspicious file found. The two suspicious files indicate monitoring of Google activities which one would expect by the Chinese government. The potential suspicious file is most interesting in that it contains suspect javascript code as shown by the below screen shots.

JavaScript code definitely looks obfuscated to me. Now if you would have upgraded to Win 10, Eset could employ AMSI to decode this script prior to memory execution.

[itman 1,659]

I will also note that if you are using IE11 as your browser, make sure it is fully patched by applying all Win Updates. This Cerber ransomware variant is known to exploit an IE11 2017 discovered vulnerability.

Edited August 3, 2018 by itman

[NOD32_user 0]

itman: Would you provide a warning message, when NOD users visit this websites: at begining with hxxp: and hxxp://katfile.com .

Thank you very much.

Edited August 4, 2018 by NOD32_user

[itman 1,659]

56 minutes ago, NOD32_user said:

itman: Would you provide a warning message, when NOD users visit this websites: at begining with hxxp: and hxxp://katfile.com .

That is up to Eset to do.

In the meantime, you can do so manually. Add the URL in the format of *.katfile.com/* to the existing URL block list in Eset's Internet Protection -> Web Access section.