mkemouse

Honorary Members
  • Posts: 27
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. I'm thinking the conflict with Symantec is the issue...trying the "add to exceptions" guidance and hopefully that will work.
  2. System Checkup
     Results of screen317's Security Check version 0.99.89
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Symantec Endpoint Protection
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Spybot - Search & Destroy
     Java 8 Update 25
     Java version out of Date!
     Adobe Reader 10.1.12
     Adobe Reader out of Date!
     Google Chrome 38.0.2125.104
     Google Chrome 38.0.2125.111
     Google Chrome DECRYPT_INSTRUCTION.TXT..
     Google Chrome plugins...
     ````````Process Check: objlist.exe by Laurent````````
     Norton ccSvcHst.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Spybot Teatimer.exe is disabled!
     Malwarebytes Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 3%
     ````````````````````End of Log``````````````````````
  3. TFC log
     ------------
     Getting user folders.
     Stopping running processes.
     Emptying Temp folders.
     User: All Users
     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 67 bytes
     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     User: Public
     ->Temp folder emptied: 0 bytes
     User: West XPS
     ->Temp folder emptied: 4055091 bytes
     ->Temporary Internet Files folder emptied: 168274485 bytes
     ->Java cache emptied: 52526933 bytes
     ->Google Chrome cache emptied: 472003623 bytes
     ->Flash cache emptied: 124048 bytes
     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 526690 bytes
     %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
     %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 112499 bytes
     %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 743 bytes
     Emptying RecycleBin. Do not interrupt.
     RecycleBin emptied: 0 bytes
     Process complete!
     Total Files Cleaned = 665.00 mb
  4. Charlie, the Shadow Volume worked!!!! Email archives were still shadowed in their encrypted states, but just about everything else restored just fine. Now it's time to back everything up to an external drive. After that, is there any final clean up I should do? We never used TFC.exe, and the DelFix tool looked like it was designed to remove all these various tools I've downloaded. Let me know. I truly do appreciate your help. It is a great comfort to have someone walking through stressful times. It also helps to have perspective that Jesus died for us and that a few files on a computer will not matter in eternity. I've included a picture of my family for your enjoyment. The picture was from April when we added Bella to our family. She is a golden retriever mix we rescued from a local shelter. Blessings to you! Jonathan
  5. Anything else to do? I found this page on the topic: http://deletemalware.blogspot.com/2014/10/how-to-remove-cryptowall-20-virus-and.html
     Method 1 - yes, I know... (I do have one 2 years old...better than nothing)
     Method 2 - not sure how that would attempt to work without having a key? Unless I can use a file for which I DO have a backup as some type of seed to figure out how the encryption was done?
     Method 3 - any harm in trying this?
     Step 2: Restoring files encrypted by CryptoWall 2.0 virus:
     Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.
     Method 2: Before using Shadow Explorer, you can try to decrypt some of your files using RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky. These tools might help you, but please note that they were not designed to decrypt the data encrypted by this ransomware virus. However, you can still try them.
     Method 3: Using the Shadow Volume Copies:
  6. Junkware removal tool:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 6.3.5 (10.31.2014:1)
     OS: Windows 7 Home Premium x64
     Ran by West XPS on Sat 11/01/2014 at 19:39:10.42
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     ~~~ Services
     ~~~ Registry Values
     ~~~ Registry Keys
     Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
     Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}
     Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
     Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}
     ~~~ Files
     Successfully deleted: [File] "C:\Windows\couponprinter.ocx"
     ~~~ Folders
     Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
     ~~~ Chrome
     Dumping contents of C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default
     C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default\aaaaafgggddfgbdbdcdfgdddgcgcddgc
     C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default\aaaaafgggddfgbdbdcdfgdddgcgcddgc\background.js
     C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default\aaaaafgggddfgbdbdcdfgdddgcgcddgc\ContentScript.js
     C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default\aaaaafgggddfgbdbdcdfgdddgcgcddgc\manifest.json
     Successfully deleted: [Folder] C:\Users\West XPS\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]
     ~~~ Event Viewer Logs were cleared
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Sat 11/01/2014 at 19:41:47.52
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  7. Adware log:
     # AdwCleaner v3.311 - Report created 01/11/2014 at 19:23:04
     # Updated 30/09/2014 by Xplode
     # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
     # Username : West XPS - MININT-0NISUIK
     # Running from : C:\Users\West XPS\Desktop\AdwCleaner.exe
     # Option : Clean
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     Folder Deleted : C:\Users\West XPS\AppData\Local\OpenCandy
     File Deleted : C:\Users\West XPS\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
     File Deleted : C:\Users\West XPS\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
     ***** [ Scheduled Tasks ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKCU\Software\APN PIP
     Key Deleted : HKCU\Software\YahooPartnerToolbar
     Key Deleted : HKLM\SOFTWARE\PIP
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.1
     ***** [ Browsers ] *****
     -\\ Internet Explorer v11.0.9600.17344
     -\\ Google Chrome v
     [ File : C:\Users\West XPS\AppData\Local\Google\Chrome\User Data\Default\preferences ]
     *************************
     AdwCleaner[R0].txt - [2758 octets] - [01/11/2014 19:20:27]
     AdwCleaner[s0].txt - [2629 octets] - [01/11/2014 19:23:04]
     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2689 octets] ##########
  8. I am going to head over to my office and get my backup drive to figure out how bad of a state I'm in... Looks like I'm fortunate that our pictures were not encrypted...though they at least are mostly backed up. Let me know what other scans you would suggest. As you note, this will motivate more regular backups... May be away a few hours to get a little done outside while it's still light. There are leaves to rake...
  9. OK, so is that it then? Decide whether to pay $500 in the next week or not? I do appreciate your help but would have loved a happier ending.
  10. So is it just me or does Symantec Endpoint Protection seem completely outgunned by more advanced virus/malware schemes?
  11. Running Symantec now... One important question -- were the encrypted files uploaded and/or copied to the virus creator's possession? Or were they simply corrupted on my computer? A lot of the descriptions talk about shutting down the network in order to stop the encryption...if the code was self-contained, I was wondering why disconnecting would have stopped anything. Should I look at paying to decrypt my files?
      http://researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/
      "History has shown that paying the ransom will likely allow you to retrieve your files, but the best defense against ransomware is having up-to-date back-ups or by preventing the infection all-together."
      The bleepingcomputer link you sent indicates:
      "Under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files key will be a list of all the files that have been encrypted by CryptoLocker. This list is then processed by the decryption tool to decrypt your files if you paid the ransom. For each file that is encrypted, a new REG_DWORD value will be created that is named using the full pathname to the encrypted file. When naming the values, CryptoLocker will replace all occurrences of the forward slash character (\), with a question mark. An example of how an encrypted file's value entry would be named is C:?Users?Public?Pictures?Sample Pictures?Penguins.jpg. You can use the ListCrilock program to export a human readable list of these encrypted files from the registry into a text file."
      But that description seems to be more related to an earlier version of CryptoLocker that folks had defused...from what I can tell I have what is being called CryptoLocker 2.0 and/or TorrentLocker. Does not seem to be a solution to encrypted files at this point. Are you aware of anyone successfully paying for files?
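The registry-based file list quoted in the post above (which, as the post notes, describes the earlier CryptoLocker variant rather than CryptoWall 2.0) can be turned back into an inventory of what needs restoring from backup or shadow copies. This is an added example, not code from the post, the forum, or the ListCrilock tool: it parses a constructed .reg export of the quoted key (the paths are made up, not a real capture) and undoes the '?' substitution the quoted text describes.

```python
import re
from collections import Counter

# Constructed sample of a .reg export of the key quoted above (made-up paths, not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files]
"C:?Users?Public?Pictures?Sample Pictures?Penguins.jpg"=dword:00000001
"C:?Users?Public?Documents?budget.xlsx"=dword:00000001
"C:?Users?Public?Documents?letter.docx"=dword:00000001
"C:?Users?Public?Documents?notes"=dword:00000001

[HKEY_CURRENT_USER\Software\ConstructedUnrelatedKey]
"Example"=dword:00000000
"""

ENCRYPTED_FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files"
# One REG_DWORD value per encrypted file; the value name is the path with every '\' turned into '?'.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=dword:[0-9a-fA-F]{8}$')


def decode_value_name(name):
    """Undo the substitution described in the quoted text: each '?' stands for a backslash.
    '?' is not a legal character in a Windows file name, so the mapping is unambiguous."""
    return name.replace("?", "\\")


def parse_encrypted_file_list(reg_text, key=ENCRYPTED_FILES_KEY):
    """Return the decoded file paths listed under `key` in a .reg export."""
    paths, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()  # registry key names are case-insensitive
            continue
        if not in_key or not line:
            continue
        match = VALUE_RE.match(line)
        if match:
            paths.append(decode_value_name(match.group("name")))
    return paths


def summarize_by_extension(paths):
    """Count encrypted files per extension, to see which kinds of data need restoring."""
    counts = Counter()
    for path in paths:
        filename = path.rsplit("\\", 1)[-1]
        counts[filename.rsplit(".", 1)[-1].lower() if "." in filename else "(none)"] += 1
    return counts


if __name__ == "__main__":
    files = parse_encrypted_file_list(SAMPLE_REG)
    print("\n".join(files))
    print(dict(summarize_by_extension(files)))
```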
  12. OK...which scanners should I use? Malwarebytes came up clean. I started Symantec but that will take a while... Is the crypto / torrent locker contained...meaning it won't infect any more files?
  13. No warnings popping up...do the tools / logs I've sent you indicate that the system is now clean?