Deeply infected laptop and hit by CryptoWall too


Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • I volunteer to help you, so please, do not ask for help for your company/business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Scan with ComboFix
 
This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

 
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
 



Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.


Thank you! If I already have combo fix downloaded from November 2014 do I need to download it again? I have the wifi turned off as the cryptowall continues to try to infect any drives plugged into that computer. I accidentally plugged in my back up drive and cryptowall methodically started to infect my backup folders in order they are listed. I have deleted the infected files but am now unsure as to the safety and security of my external backup drive that has 15 years of data on it. Therefore my questions are

1) do I need new combo fix or can the old one be used?

2) what do I do with my external back up portable drive?

Thank you!

Aileen


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

fixlist.txt


Well after I sent you the last report, cryptowall executed itself on that laptop again. Cryptowall has now attacked that computer on 3/31 and then again 4/17. I basically turn on the wifi on the laptop, look for your replies and execute your instructions and then turn the wifi off again. With the exception of plugging in the external portable drive yesterday (cryptowall started running through those files on the external hard drive yesterday morning, I turned off the wifi and it seemed to stop running through that drive. I deleted the help_decrypt files from the external drive when it was plugged into the laptop then emptied the recycle bin on the laptop) and downloading combo fix and your fixlist.txt, I have not downloaded anything on this laptop in days. As I look at the laptop from this afternoon, I sent you the fix file at 1:22. There are the help_decrypt files time stamped at 1:31 today and help_decrypt files at 2:00. If I look in the download folder I see cryptowall files downloaded at 1:30 today. I don't understand much about cryptowall, where it came from, where it hides, how and when it executes, how long it stays dormant on the computer, etc.

What should we do now?


Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:

  • Make sure that Remove found threats is checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!


Thank you! There are a few questions I have first. Am I plugging in the external hard drive and running this on the laptop and external drive? Unfortunately, this laptop has no protection software installed at all. I would like a suggestion there. I have only been manually using the free Malwarebytes on a weekly basis.

Are you able to explain anything about cryptowall? I'm afraid to do anything on any drive/computer wondering if this is in my home wireless network free to unleash into anybody's connected computer. I don't understand how it is still on my laptop after everything we did. Thank you!


It is my husband's laptop and I am cleaning it up for him and putting on antivirus and anti spyware based on your recommendation. It doesn't matter to me if I install the protection software now or after it's clean. That direction will come from you. If I have to disable the software to run all of your programs and the wifi is always off and the computer is not being used otherwise, does it matter when I install the antivirus and anti spyware programs?

Do you know why/how the cryptowall 3.0 would run again on 4/17 after the 3/31 attack if I am not looking at or opening email on that laptop? I turned on the wifi to download combofix, to execute your recommendations, and to download the fixlist. Can Cryptowall survive on the backup external drive? As far as I knew that drive was isolated and never showed any activity from the 3/31 attack. It started to show the help_decrypt files when I plugged it into the laptop on the morning of 4/16. I turned the wifi off and the encryption of files seemed to stop progressing alphabetically through the folders on that drive. I deleted all the folders that were encrypted (thankfully it did not get to the VIP backup folders). I need to protect the remaining folders on that drive and am striving to better understand how to manage and protect 17 years of my husband's backup data on the backup drive since the entire laptop was encrypted by cryptowall and everything on the laptop was lost. I also need to clean and protect his current files on the laptop going forward. I am very nervous having only one copy of the backup files on the external drive and the external drive having been attacked and stopped mid attack. Therefore,

1) need to clean and set up antivirus and anti spyware protection on the laptop

2) need to clean and protect data on backup drive

3) would like to get a simple better understanding of cryptowall 3.0

4) need some antivirus antispyware recommendations to protect whole house of machines

In my house, among husband, myself and kids we have about 6 computers connected to the wifi and a wireless type of network that includes wifi printing. We have various thumb drives we are using to manage until main laptop is usable and we have a few external hard drives and a new western digital mycloud EX2, personal cloud storage high performance NAS that is set up but not yet connected to the Internet.

Thank you!

Aileen

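One way to scope the damage on a backup drive like the one described in the two posts above (help_decrypt files appearing folder by folder, the encryption stopping part-way through) is to inventory those ransom notes before deciding which folders to keep or discard. This is an added example in Python, not from the thread or from any tool named in it; it walks a constructed sample tree rather than a real drive, and the HELP_DECRYPT.TXT/.HTML/.PNG names are the note files CryptoWall 3.0 is known to drop into each folder it encrypts.

```python
"""Added triage helper: inventory CryptoWall-style ransom notes on a drive to see
which folders were reached. CryptoWall 3.0 leaves HELP_DECRYPT.* in each folder it
encrypts, which matches the help_decrypt files the poster saw appear folder by folder."""
import os
import tempfile
from datetime import datetime

RANSOM_NOTE_PREFIX = "help_decrypt"  # matched case-insensitively against file names


def find_ransom_notes(root):
    """Walk root; return (folder relative to root, file name, mtime) for every ransom note."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith(RANSOM_NOTE_PREFIX):
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                hits.append((os.path.relpath(dirpath, root), name, mtime))
    return hits


def summarize(hits):
    """Sorted affected folders plus earliest/latest note timestamp (the attack window)."""
    if not hits:
        return {"count": 0, "folders": [], "first": None, "last": None}
    times = [t for _, _, t in hits]
    folders = sorted({folder for folder, _, _ in hits})
    return {"count": len(folders), "folders": folders,
            "first": datetime.fromtimestamp(min(times)),
            "last": datetime.fromtimestamp(max(times))}


def build_sample_drive():
    """Constructed sample: throwaway tree imitating a backup drive hit alphabetically up to 'Budget'."""
    root = tempfile.mkdtemp(prefix="backup_sample_")
    for folder, hit in (("Archive", True), ("Budget", True), ("Photos", False), ("VIP", False)):
        path = os.path.join(root, folder)
        os.makedirs(path)
        with open(os.path.join(path, "doc.txt"), "w") as fh:
            fh.write("user data")
        for ext in (("TXT", "HTML", "PNG") if hit else ()):
            with open(os.path.join(path, "HELP_DECRYPT." + ext), "w") as fh:
                fh.write("ransom note placeholder (constructed)")
    return root


if __name__ == "__main__":
    report = summarize(find_ransom_notes(build_sample_drive()))
    print(f"{report['count']} folder(s) hold ransom notes, {report['first']} to {report['last']}")
    for folder in report["folders"]:
        print("  ", folder)
```

Run it against the real drive by passing the drive's mount point to find_ransom_notes instead of build_sample_drive(); folders without a note are not proof the files there are untouched, only that the note was never written, so spot-check those too.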

I ran this at least 4 times. It would not complete and it would stop working after a period of time. This ran 7 hours last night and wouldn't get past 95%. This is the finished log at 95%. Please let me know how you would like me to proceed from here.

Thank you,

Aileenlog.txt


  • Root Admin

Per request I will go ahead and try to assist further. There is no guarantee that we'll be able to clean up this computer and all user files are lost and without backups there is nothing that can be done to bring them back. This is only in an attempt to allow the computer to run again but format and reinstall of Windows is still the best choice here.

Try to run this from Normal Mode and be patient. It could easily take hours to run instead of 10 minutes as it says. Let it run over night if it has to and just leave it alone to run.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
