
MS-Word Documents Corrupted Post-Microsoft-Impersonation-Scam

#1 britechguy (Member, 258 posts)

Hello All,

I am helping a cousin who recently fell victim to the Microsoft Impersonation Scam. I have managed to get the computer itself entirely back to the land of the living. It is a Windows 7 Home Premium 64-bit and there are two separate users on the machine. The machine has been scanned for malware by Malwarebytes, and a full rootkit scan has been done as well, and all of that comes back clean. Spybot S&D isn't finding anything, either. I have been working with Malwarebytes.org using Farbar and so far that is looking just fine as well.

For the user who was not the one logged in when the scam attack took place, all documents seem to be fine. This is not true, though, for the MS-Word documents under the user who was logged in, and it doesn't matter whether they're .docx, .doc, or .rtf except in one small detail. If you attempt to open a .doc or .rtf file you get the following dialog:

[Image: Encoding_Dialog.jpg]

 

If you attempt to open a .docx you get a message that it cannot be opened because the file is corrupt. After you click OK you get a follow-up dialog that says there is readable content and you can try to recover it if you trust the file. On the machine that was originally attacked I thought, "What the heck?" and tried to recover; it just comes right back to the "file is corrupt" message. I have no intention of trying this on my own laptop, though I have tried opening the files in MS-Word 2010 (which is what the .docx files on the other machine were created with) and the results are exactly the same.

 

Does anyone know how these vermin corrupt MS-Word document files and whether there is something out there that would allow me to "disinfect" them so they'll be functional again?

 

Thank you in advance for any assistance you can offer.

 




#2 RKinner (Malware Expert, MVP, 24,623 posts)

Close Word.  Search for normal.dot or normal.dotm and rename any you find that are in the infected user's folders.  Then open Word by using the All Programs link not by opening a document.  Word should create a new normal template.  In Word:

 

  1. In Word 2007, click the Microsoft Office Button, and then click Word Options.

    In Word 2010, click the File button, and then click Options.
  2. Click Advanced.
  3. Under Save, make sure the Prompt before saving Normal template check box has a check in it.
  4. Click OK to close the Word Options dialog box.

 

 

  1. Click the Microsoft Office Button, and then click Access Options.
  2. Click Trust Center, click Trust Center Settings, and then click Macro Settings.
  3. Click the options that you want:
    • Disable all macros with notification: This is the default setting. Click this option if you want macros to be disabled, but you want to get security alerts if there are macros present. This way, you can choose when to enable those macros on a case-by-case basis.
  4. Click OK.

Close Word. If it asks you to save the normal template say Yes this time. In the future say No unless you have made a change to the default, like font, font size or paper layout or similar.

Open Word again and try some of the bad documents. Do not let it run any macros! Do not save the normal template when you close it.

If that's not it then attach one of the bad docs and let me look at it.



#3 britechguy (Topic Starter, Member, 258 posts)

RKinner,

Thank you very much for replying. I have done what you requested, with one small variation: I simply went to the Trust Center from within Word itself. The "Disable all macros with notification" default was already the selected setting. I have removed all of the old Normal.dotm related items from the corrupted user account and MS-Word [2010, for the record] had no problem creating a replacement Normal.dotm file.

Unfortunately, when attempting to open the documents there is absolutely no difference. In addition I decided to attempt to open an Excel spreadsheet as well and am getting essentially the same "file is corrupted" and "if you trust this we can try to recover it" dialogs within Excel.

I just tried to attach one document that was originally created on some earlier version of Word, with a .doc extension, and another that was created with Word 2010 that has a .docx extension, and both are giving me a "You aren't permitted to upload this kind of file" warning from the forum software. I have put them out on my personal webspace as a workaround. Here's the link to Cast.doc and Casseroles_sign.docx. Please let me know once you've snagged them and I'll take them down. I have no idea of their content and selected files based upon the innocuous names.

Thank you again for your assistance.

 



#4 RKinner (Malware Expert, MVP, 24,623 posts)

Got them. Haven't looked at them yet, though.



#5 RKinner (Malware Expert, MVP, 24,623 posts)

Files appear to be garbage or possibly encrypted. I sent one to a CryptoLocker decrypt site and it said it wasn't a CryptoLocker encrypted file.

 

Are you able to generate a new test document, type a few words, save it, close Word and reopen the test document?  Does that work OK?  



#6 britechguy (Topic Starter, Member, 258 posts)

I now believe that virtually every file under that user ID (except in a few odd folders like "Sample Pictures") was encrypted by these creeps. I can open absolutely nothing: PDFs, pictures, etc. I was surprised that one folder that is clearly not sample pictures happened to get tucked into that folder, and it is untouched, with four pictures that show as icons/tiles and that open normally. All other photo files are displaying as a "four page sheet showing a gerber daisy."

 

I did just create a new MS-Word file, saved it, exited Word, then reopened it with a double click on the document.   It worked precisely as you'd expect it to.


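A triage script that applies the "garbage or possibly encrypted" observation across a whole user folder, added here as an example and not code from anyone in this thread: it compares each file's leading bytes with what its extension should carry and measures byte entropy, so encrypted documents and pictures show up as header mismatches with near-8-bit entropy while a freshly saved file passes. The sample folder it builds (Cast.doc filled with random bytes, notes.rtf, new_test.docx) is constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes ("magic numbers") a healthy file of each type should carry.
MAGIC = {
    ".docx": b"PK\x03\x04",                          # OOXML is a ZIP container
    ".doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",    # OLE2 compound document
    ".rtf":  b"{\\rtf",
    ".pdf":  b"%PDF",
    ".jpg":  b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample: int = 4096) -> tuple:
    """(verdict, entropy) for one file: 'ok', 'header-mismatch' or 'unknown-type'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample)
    ent = round(shannon_entropy(head), 2)
    if ext not in MAGIC:
        return ("unknown-type", ent)
    return ("ok" if head.startswith(MAGIC[ext]) else "header-mismatch", ent)

def triage(root: str) -> dict:
    """Walk a profile folder and map each file (relative path) to its verdict."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify(full)
    return report

def build_sample_tree() -> str:
    """Constructed sample profile: two healthy files and one 'encrypted' .doc."""
    root = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(root, "Cast.doc"), "wb") as f:
        f.write(os.urandom(4096))                    # random bytes stand in for ciphertext
    with open(os.path.join(root, "notes.rtf"), "wb") as f:
        f.write(b"{\\rtf1\\ansi Hello}")
    with open(os.path.join(root, "new_test.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 100)        # minimal ZIP-like header
    return root
```

Running `triage(build_sample_tree())` reports the random-filled Cast.doc as a header mismatch with entropy near 8 and the other two as ok; pointing `triage` at the affected user's profile gives a count of how much was touched before deciding whether recovery is worth attempting.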

#7 RKinner (Malware Expert, MVP, 24,623 posts)

It's probably a CryptoWall infection or a variation on the theme. The only way to recover the files is to look for the deleted files, but it's too late for that. Too much time has passed since the infection.

The latest version even scrubs the deleted files to make it impossible to recover, so even if you had looked right away you might not have found something.

 

http://community.spi...eware-infection

 

http://www.bleepingc...are-information

 

 

http://www.bleepingc...-cryptodefense/



#8 britechguy (Topic Starter, Member, 258 posts)

This whole scenario is just so sad in a couple of ways.

 

The antivirus on this computer (subscription, of course) had run out and not been removed. The computer was riddled with DECRYPT stuff in November, but I was called in before the "bomb went off" and managed to excise that (but not its remnants, the URLs that direct you to the ransomware site that they tuck everywhere). Things had been working perfectly fine since then, and I had loaded the computer with Panda Cloud Antivirus, CCleaner, Spybot S&D, SpywareBlaster, and Malwarebytes. These were all run, in multiple iterations, and the machine was clean.

 

Then, out of the blue, she somehow gets taken in by the Microsoft Impersonation Scam; while she had the common sense to figure out it was a scam not long into it, that was after she'd allowed remote control of the computer.

 

It was a simple matter to get rid of the crap requiring a password to allow Windows to boot, but the rest of the aftermath has been a nightmare. I've been working on the machine for several days now, running disinfection programs to try to get rid of everything, and appear to have succeeded. They don't, however, undo file encryption, and the people who did this are likely already closed down and running the scam from another location (or running it with impunity offshore).

 

I may play with a couple of the suggested recovery options just to educate myself about the process but I have no real hope that I'll get anything back.  If anyone has an insight as to why any one or more of the techniques offered in the above referenced articles might be preferable if one is "trying this late" please let me know.

 

I truly appreciate all the help you've already offered.  These scams make my blood boil even when they don't happen to me.



#9 RKinner (Malware Expert, MVP, 24,623 posts)

That is sad.  

 

We get the calls "from Microsoft" all of the time. I never let them on a PC, so I wasn't sure what they would do. Just knew it wouldn't be good.

 

I haven't personally worked on any crypto PCs.  Worked a bunch of forum cases where they had the FBI, Scotland Yard or BundesPolizei warning but most of the time we got them before things got really bad or they just wrote off the files.

 

I have worked with deleted file recovery software, and I'm sure it's obvious and that the links probably tell you the same thing, but just in case: run the recovery program from a USB drive and not from the C:\ drive, unless the recovery program was installed prior to the file deletion.

