Avast blocked by group policy (CTB-Locker infection)

This computer was infected with CTB-Locker. The system was cleaned with a few tools (Malwarebytes, ComboFix, and finally ClamAV from Trinity Rescue Disk). The infection seems to be cleared. I understand the encrypted files cannot be fixed.

The problem is Avast cannot be started because it is blocked by Group Policy. Another issue I noticed is that the Control Panel is empty under the user’s account. I can log in as Administrator and see everything in the Control Panel just fine, but Avast is still blocked.

I’ve attached the FRST logs. Let me know if you need more information. Many thanks!

Combofix, attach the log.
TDSSKiller too…

Read this: http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

Remover Notified.

This file: 2014-12-09 12:06 - 2014-12-09 12:06 - 00000480 ____H () C:\Users\FrontDesk1\AppData\Roaming\麽鎒駓覜

Work Computer?

I have left the encrypted files on the system as you may, and I stress may, be able to recover some of them.
Could you attach the combofix log please?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Save the attached fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

FILE RECOVERY

http://i.imgur.com/y3MMIrs.png
Previous Versions

- Right-click the file/folder and click Properties.
- Click Previous Versions.
- This tab will list all copies of the file and the date they were backed up.
- To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
- If you wish to restore the selected file and replace the existing one, click Restore.
- If you wish to view the contents of the file before restoring, click Open.

http://i.imgur.com/MzmiIl9.gif
ShadowExplorer

- Please download ShadowExplorer and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select Run as administrator to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present.
- Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

http://i.imgur.com/J8xQM97.png
File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

- R-Studio
- Photorec
- Recuva
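The Previous Versions and ShadowExplorer steps above both read from Volume Shadow Copy snapshots. The script below is an added example, not something posted in this thread or shipped with ShadowExplorer: it lists every snapshot with the drive it belongs to, picks the newest snapshot of C: taken before the infection, and copies one folder out of it. It is useful when the GUI tools are not available, and it makes the key caveat from the thread visible: if the ransomware deleted the shadow copies, the list comes back empty. `$InfectionDate`, `$SourceFolder` and `$RestoreTo` are assumed values; run it from an elevated PowerShell, because creating the symlink to the snapshot device requires it.

```powershell
# Added example (not from the thread): enumerate VSS snapshots and copy a folder
# out of the newest one that predates the infection. Run elevated.
$InfectionDate = Get-Date '2014-12-09'         # first sighting of encrypted files (assumed)
$SourceFolder  = 'Users\FrontDesk1\Desktop'    # path relative to the volume root (assumed)
$RestoreTo     = 'D:\Recovered\Desktop'        # restore away from the infected volume (assumed)

# Map each snapshot to the drive letter of the volume it was taken from
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $sc  = $_
    $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
    [pscustomobject]@{
        Drive   = $vol.DriveLetter
        Created = $sc.InstallDate
        Device  = $sc.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
    }
} | Sort-Object Created

# If the malware ran "vssadmin delete shadows", this table is empty
$shadows | Format-Table -AutoSize

$candidate = $shadows |
    Where-Object { $_.Drive -eq 'C:' -and $_.Created -lt $InfectionDate } |
    Select-Object -Last 1
if (-not $candidate) { throw 'No snapshot of C: from before the infection survives.' }

# Snapshot contents are reachable through a directory symlink to the device object;
# the trailing backslash on the target is required by mklink.
$link = Join-Path $env:TEMP 'vss_restore'
if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
cmd /c mklink /d "$link" "$($candidate.Device)\" | Out-Null

New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
Copy-Item -Path (Join-Path $link $SourceFolder) -Destination $RestoreTo -Recurse -Force

# rmdir on a directory symlink removes only the link, never the snapshot
cmd /c rmdir "$link" | Out-Null
"Restored $SourceFolder from snapshot taken $($candidate.Created) to $RestoreTo"
```

Copying to a different volume matters for the same reason the thread gives for recovery software: every write to the infected volume reduces what can still be recovered from it.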

I’m sorry I thought I had attached these in a reply already. Yes, this is a business computer.

I’m a consultant in and out of the shop and at other clients a lot so my apologies for the latent responses. I greatly appreciate the help.

Intriguing, Avast caught the poweliks in the combofix log; I had to disable my shield to download it :slight_smile:

Time is not a problem. If you can, let me know how the computer is behaving after the FRST fix and attach the fixlog. Does your client have an image/backup strategy?

They do not have a backup for this computer. They only backup the servers which they are not actually backing up. There’s a generous layer of dust on the tapes that are sticking out of their tape drives. Anyway, this computer does have System Restore points available. They indicated there isn’t anything on here they need, but there are files on the desktop so I’m not so sure.

Log attached. Thanks!

If there is a restore point available it may be worth trying that if it goes back far enough, although this malware generally tries to destroy any restore points.

This usually comes down via an e-mail that has an invoice attached, and when that is opened all hell is let loose. This one appears to be a bit of an overkill though, with poweliks as well.

When we have this cleaned to your satisfaction I will give a link for some software that will alter registry permissions to try and stop this kind of attack.

Well, that brought back the AvastUI, but the service isn’t starting. I tried to “Fix All” but it didn’t fix it. I went into Services and found the Avast service is set to Disabled. When I try to set it to Automatic, I get “Access is denied”. Looking in the System Event Log, I found the corresponding event saying “The ScRegSetValueExW call failed for Start with the following error: Access is denied.”. I can manipulate other services like the Windows Update and Windows Time without issue.
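The event quoted above, "The ScRegSetValueExW call failed for Start with the following error: Access is denied", is the Service Control Manager reporting that it could not write the Start value under the service's registry key. The script below is an added example, not from this thread or from Avast: it shows where to look for the cause, namely the ACL on the service's key (a Deny ACE, or an ACL that no longer grants SetValue to Administrators) and the service's own security descriptor, and compares the latter with Windows Time, which the poster could still change. `$ServiceName` is an assumption; confirm the real name with `Get-Service`. Remediation is opt-in via `$Repair` and only removes explicit Deny ACEs.

```powershell
# Added example (not from the thread): find out why a service's Start value
# cannot be changed, and optionally undo Deny ACEs on its registry key. Run elevated.
$ServiceName = 'avast! Antivirus'   # assumed; check Get-Service | Select-Object Name, DisplayName
$Repair      = $false               # set to $true to strip Deny ACEs and re-enable the service

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { throw "No service key at $key" }

# 1. Start type straight from the registry: 2 = Automatic, 3 = Manual, 4 = Disabled
$start = (Get-ItemProperty -Path $key -Name Start).Start
"Start value for $ServiceName = $start"

# 2. Registry ACL on the service key. The SCM writes Start here, so a Deny ACE
#    or a missing SetValue right is exactly what 'ScRegSetValueExW ... Access is denied' means.
$acl = Get-Acl -Path $key
"Owner of key: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited |
    Format-Table -AutoSize

$deny = @($acl.Access | Where-Object AccessControlType -eq 'Deny')
if ($deny.Count -gt 0) {
    "Explicit Deny ACEs on $key (malware commonly plants these to lock a service):"
    $deny | Format-List IdentityReference, RegistryRights
}

# 3. The SCM's own security descriptor (SDDL). Compare the blocked service with a
#    service that still behaves, such as Windows Time (w32time); a D:(D;;...) ACE denies rights.
"SDDL for $ServiceName :"
sc.exe sdshow "$ServiceName"
'SDDL for w32time (reference):'
sc.exe sdshow w32time

# 4. Optional repair: remove the Deny ACEs, then set the service back to Automatic
if ($Repair -and $deny.Count -gt 0) {
    foreach ($ace in $deny) { $null = $acl.RemoveAccessRule($ace) }
    Set-Acl -Path $key -AclObject $acl
    Set-ItemProperty -Path $key -Name Start -Value 2 -Type DWord
    "Deny ACEs removed and Start set to Automatic; reboot or restart the service."
}
```

The thread resolved this with a repair install of Avast, which rewrites the service registration; the inspection above is what to run first when a repair is not an option or when a second service turns out to be locked the same way.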

I did a repair install on avast and now it’s working. Thanks very much! I’m going to look into what it will take to recover any data files. I’ll post back soon.

System Restore did not work. It said “The restore point selected was damaged or deleted during the restore”. So that’s not going to work.

Also, when I logged out of the Administrator and then back in as the normal user, I get a notice it blocked something from dllhost.exe. See attached screenshot.

Can you attach a fresh FRST log for Essexboy?

Yes please as it probably restored the poweliks element

It sure did! >.<

Poweliks is a pain but very easy to remove. How is the computer behaving?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-3809608781-2388329134-1386553859-1169\...\Run: [fiwvisl] => rundll32 "C:\Users\FrontDesk1\AppData\Local\fiwvisl.dll",fiwvisl <===== ATTENTION
HKU\S-1-5-21-3809608781-2388329134-1386553859-1169\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-21-3809608781-2388329134-1386553859-1169\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CustomCLSID: HKU\S-1-5-21-3809608781-2388329134-1386553859-1169_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
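The fixlist above removes three kinds of per-user registry entry: an autostart value in Run, a per-user CLSID whose LocalServer32 launches rundll32 with a javascript: URL that evaluates obfuscated script (the fileless loader the thread calls Poweliks), and a policy key restricting Internet Explorer. Because System Restore brought the loader back once, it is worth being able to check for these without waiting for a fresh FRST scan. The script below is an added example, not part of this thread or of FRST: a read-only sweep of every loaded user hive for the same three artefacts. The regex and the key list are assumptions derived from the fixlist entries; the Explorer policy key is included because Control Panel restrictions such as NoControlPanel live there, which is a plausible but unconfirmed explanation for the empty Control Panel reported earlier. Run it from an elevated PowerShell so all HKEY_USERS subtrees are readable.

```powershell
# Added example (not from the thread): read-only sweep of loaded user hives for
# script-in-registry autostarts, per-user COM hijacks and user policy keys. Run elevated.
$Suspicious = 'rundll32(\.exe)?\s+javascript:|mshtml,RunHTMLApplication|\beval\('  # assumed pattern

function Get-Finding([string]$Key, [string]$Name, $Data) {
    # Emit one record when a value's data looks like a script loader
    $text = "$Data"
    if ($text -match $Suspicious) {
        [pscustomobject]@{
            Key   = $Key
            Value = $Name
            Data  = $text.Substring(0, [Math]::Min(80, $text.Length))
        }
    }
}

# Real user SIDs only; each <SID>_Classes hive is reached via Software\Classes below
$userHives = Get-ChildItem Registry::HKEY_USERS |
             Where-Object Name -match '^HKEY_USERS\\S-1-5-21-[\d-]+$'

$findings = foreach ($hive in $userHives) {
    $root = $hive.PSPath

    # 1. Per-user autostart values (the [fiwvisl] entry in the fixlist)
    foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                     'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object Name -notlike 'PS*'
        foreach ($p in $props) { Get-Finding $key $p.Name $p.Value }
    }

    # 2. Per-user COM server registrations. A CLSID registered under the user's
    #    classes shadows the machine-wide one for that user's processes, which is
    #    how the localserver32 entry in the fixlist got dllhost.exe to run it.
    $clsid = Join-Path $root 'Software\Classes\CLSID'
    if (Test-Path $clsid) {
        Get-ChildItem $clsid -Recurse -ErrorAction SilentlyContinue |
            Where-Object PSChildName -in 'LocalServer32', 'InprocServer32' |
            ForEach-Object { Get-Finding $_.PSPath '(Default)' $_.GetValue('') }
    }

    # 3. Policy keys that a user session on an unmanaged machine has no reason to carry
    foreach ($sub in 'Software\Policies\Microsoft\Internet Explorer',
                     'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
        $key = Join-Path $root $sub
        if (Test-Path $key) {
            $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                      Where-Object Name -notlike 'PS*' |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }
            [pscustomobject]@{ Key = $key; Value = '(policy key)'; Data = ($values -join '; ') }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No script-in-registry autostart, per-user COM hijack or user policy key found.'
}
```

Only hives of logged-on users (and any hive loaded with reg load) appear under HKEY_USERS, so run the sweep while logged on as the affected user, or load that user's NTUSER.DAT and UsrClass.dat first. The script reports and does not delete; removal stays with the FRST fixlist so that the log of what was changed is preserved.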

So far, looking good. I did not get a notification from Avast blocking anything after I logged in.

Attached

What I will do now is give some clean-up instructions and tools which should stop this occurring again. If you need anything else, or have another problem, then just shout.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on the Unchecky_setup and choose to Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: