Jump to content
NOD32_user

My computer is corrupted! Please help!

Recommended Posts

Dear All

I am NOD32 user in Win 7.

I just visit China's website to download a pdf file. My computer is corrupted. Excel and word files are ended with .roauwhd

How to clean? Please help.

Also my every directory is added a file named README in txt file, showing as following.

 

 

 ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
 ====================================================================================================
 Your files are NOT damaged! Your files are modified only. This modification is reversible.

 The only 1 way to decrypt your files is to receive the private key and decryption program.

 Any attempts to restore your files with the third party software will be fatal for your files!
 ====================================================================================================
 To receive the private key and decryption program follow the instructions below:

 1. Download "Tor Browser" from https://www.torproject.org/ and install it.

 2. In the "Tor Browser" open your personal page here:


hxxp://0026dh0x08403r670ge.rsda7v45tqyvqocp.onion/roauwhd


 Note! This page is available via "Tor Browser" only.
 ====================================================================================================
 Also you can use temporary addresses on your personal page without using "Tor Browser":


hxxp://0026dh0x08403r670ge.growboy.site/roauwhd

hxxp://0026dh0x08403r670ge.stonere.host/roauwhd

hxxp://0026dh0x08403r670ge.hellput.pw/roauwhd

hxxp://0026dh0x08403r670ge.amam.space/roauwhd


 Note! These are temporary addresses! They will be available for a limited amount of time!
 

 

 

README.txt

Share this post


Link to post
Share on other sites

The files were encrypted by Filecoder.Magniber. Most likely decryption won't be possible. Please email the following stuff to samples[at]eset.com:

1, Payment instructions
2, Logs collected with ESET Log Collector (a zip archive)
3, A couple of examples of encrypted files (ideally documents)

Share this post


Link to post
Share on other sites

Thank you. Sir. I have scanned by NOD32 and find Filecoder.Magniber existed. May I delete it? 

Share this post


Link to post
Share on other sites

It should be ransomware instructions which are detected. The last variant of Magniber was seen about 10 days ago. If you've got infected recently, it should be due to having outdated modules or disabled protection (e.g. if an attacker logged in via RDP and disabled the av). However, without further logs it's impossible to tell how the infection occurred.

Share this post


Link to post
Share on other sites
Posted (edited)
59 minutes ago, NOD32_user said:

What is meaning of item 1 , Payment instructions?

Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when...we already know why).

Edited by TomFace

Share this post


Link to post
Share on other sites

Would like some details on how you were infected.

Did you actually download a .pdf file and open it using for example Adobe Reader?

Share this post


Link to post
Share on other sites

 

2 hours ago, TomFace said:

Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when...we already know why).

I do not pay "ransom" payment.

Share this post


Link to post
Share on other sites

itman:

Firstly, I search the stretch book in pdf format in google for this name: 酸痛拉筋解剖书.pdf

Secondly,  I visit this website:  https://ck101.com/thread-4210452-1-1.html

Thirdly,  I click this website: hxxp://katfile.com/vlbmqz07mvf5

Forthly, I click a icon to download pdf. But I do not download pdf, nor open pdf. I find that it is so slow and something strange. I close all internet browsers.

Finally, I find that my word and excel files in desktop is shown in white color. My computer is corrupted.

Please help

Please let know who do this virus.

I will find someone to beat him.

 

 

Share this post


Link to post
Share on other sites
11 hours ago, NOD32_user said:

Secondly,  I visit this website:  https://ck101.com/thread-4210452-1-1.html

Thirdly,  I click this website: hxxp://katfile.com/vlbmqz07mvf5

I checked both these URLS at Zscaler Zulu and VirusTotal. Both of them stated the URLs are 100% clean.

Next, I checked the top level domain names at quettera.com which actually downloads and scans all files that can be downloaded from the web sites.

To begin with both web sites are in the U.S. and hosted by CloudFare.

As far as https://ck101.com/ goes, its 100% clean.

As far as hxxp://katfile.com goes, 2 suspicious and 1 potentially suspicious file found. The two suspicious files indicate monitoring of Google activities which one would expect by the Chinese government. The potential suspicious file is most interesting in that it contains suspect javascript code as shown by the below screen shots.

Quttera_1.thumb.png.b0207346143c54e94f064e4c80d79af8.png

Quttera_2.png.e3b7dbf708b4d540b4ad2dea7b1b9d3b.png

JavaScript code definitely looks obfuscated to me. Now if you would have upgraded to Win 10, Eset could employ AMSI to decode this script prior to memory execution.

Share this post


Link to post
Share on other sites
Posted (edited)

I will also note that if you are using IE11 as your browser, make sure it is fully patched by applying all Win Updates. This Cerber ransomware variant is known to exploit an IE11 2017 discovered vulnerability.

Edited by itman

Share this post


Link to post
Share on other sites
Posted (edited)

itman: Would you provide a warning message, when NOD users visit this websites: at begining with hxxp: and hxxp://katfile.com .

Thank you very much.

Edited by NOD32_user

Share this post


Link to post
Share on other sites
56 minutes ago, NOD32_user said:

itman: Would you provide a warning message, when NOD users visit this websites: at begining with hxxp: and hxxp://katfile.com .

That is up to Eset to do.

In the meantime, you can do so manually. Add the URL in the format of *.katfile.com/* to the existing URL block list in Eset's Internet Protection -> Web Access section.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×