Jump to content

remove cryptowall virus


Leef_me

Recommended Posts

Welcome to the forum. (we can clean up the virus but your files are most likely gone)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

the virus corrupts files, so I am running "safe mode with networking"

is that ok???

PUM does not have quarantten, I used "treat as malware"

is that ok???


Before posting I already installed 'cryptoprevent' to limit write permissions.

  https://www.foolishit.com/vb6-projects/cryptoprevent/


It does not seem to help.



How do I set a system restore when In 'safe mode'?

 othewise the virus continues to corrupts files?





Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/29/2014
Scan Time: 5:54:01 AM
Logfile: first_mbam log.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.03.04.09
Rootkit Database: v2014.02.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Lee

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 261515
Time Elapsed: 10 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)





RogueKiller V9.2.13.0 (x64) [sep 25 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Safe mode with network support
User : Lee [Admin rights]
Mode : Scan -- Date : 09/29/2014  06:30:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 35 ¤¤¤
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe"  -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe"  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 191.168.1.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 191.168.1.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7D0CCFEC-9776-4264-A5F5-6C02F1819AA1} | DhcpNameServer : 191.168.1.1  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | disableregistrytools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | disableregistrytools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 2  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 3 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\windows\System32\drivers\etc\hosts] 0.0.0.0        vube.com
[C:\windows\System32\drivers\etc\hosts] 0.0.0.0        doubleclick.net

¤¤¤ Antirootkit : 4 (Driver: NOT LOADED [0xc000035f]) ¤¤¤
[EAT:Addr] (explorer.exe) hcproviders.dll - DllCanUnloadNow : C:\Windows\system32\imapi2.dll @ 0x7fef9616edc
[EAT:Addr] (explorer.exe) hcproviders.dll - DllGetClassObject : C:\Windows\system32\imapi2.dll @ 0x7fef9612164
[EAT:Addr] (explorer.exe) hcproviders.dll - DllRegisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef96512e0
[EAT:Addr] (explorer.exe) hcproviders.dll - DllUnregisterServer : C:\Windows\system32\imapi2.dll @ 0x7fef965146c

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BEVT-16A0RT0 +++++
--- User ---
[MBR] 33e713f218b215df8858c35b4b893cd9
[bSP] b1a2fdd7f89727dad4bccfe7d2564807 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 33556480 | Size: 200 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 33966080 | Size: 230178 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 505370624 | Size: 230176 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

 

FRST.txt

Addition.txt

Link to post
Share on other sites

the virus corrupts files, so I am running "safe mode with networking"

OK



PUM does not have quarantten, I used "treat as malware"

That's OK


Before posting I already installed 'cryptoprevent' to limit write permissions.

OK, but it won't help now

=========================================

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe" -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3687351792-3045335220-984035415-1000\Software\Microsoft\Windows\CurrentVersion\Run | DisplaySwitch : "C:\ProgramData\DisplaySwitch.exe" -> FOUND

Now click Delete on the right hand column under Options

Delete this file if possible

C:\ProgramData\DisplaySwitch.exe

You may have to enable hidden files to see it:
http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ <--Hidden files W7 Vista

===========================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
Run FRST.exe/FRST64.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Reboot....

==========================

Make sure you have created a restore point and.....
bwebb7v.jpgDownload Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ==============================

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

      tds2.jpg
    • Put a checkmark beside loaded modules.

      13040712472913819.png
    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.

      clip.jpg
    • Click the Start Scan button.

      tds2.jpg
    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.

      tdsskiller_guide_5.gif

      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      tdsskiller_guide_3.gif

      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long:

    Bottom right corner of this page.
    reply1.jpg

    New window that comes up.
    replyer1.jpg

    Then...........

    Please download and run ComboFix.

    The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

    Please visit this webpage for download links, and instructions for running ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

    Please make sure you click download buttons that look similar to this, not "sponsored ad links":

    bleep-crop.jpg

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Information on disabling your malware programs can be found Here.

    Make sure you run ComboFix from your desktop.

    Give it at least 30-45 minutes to finish if needed.

    Please include the C:\ComboFix.txt in your next reply for further review.

    ---------->NOTE<----------

    If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

    MrC
Link to post
Share on other sites

Here are the (3)TDSS logs, had a little trouble with getting it to take the "loaded modules" setting,

Had to start tdds 2X and set the flag for it to 'take'

 

had trouble disabling McAfee, the link @ 'bleeping' is outdated (inaccurate) for "Macfee security "

I told COmbofix to "go ahead" when it found macafee

 

took >5 min to write combofix log & 2 more to show it.

 

here  the combofix log

 

 

 

What's next?

 

Btw, thanks much.

TDSSKiller.3.0.0.40_29.09.2014_10.10.20_log.txt

TDSSKiller.3.0.0.40_29.09.2014_10.17.35_log.txt

TDSSKiller.3.0.0.40_29.09.2014_10.21.03_log.txt

ComboFix.txt

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

===========================

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unsafe applications is checked

Click Advanced settings and select the following:

ceba8c51-8f88-44b9-ad41-5f07ba8351b1.png

Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC

Link to post
Share on other sites

All of these are your encrypted file instructions:
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL
DECRYPT_INSTRUCTION.TXT


These you can manually delete:
C:\Users\Lee\Downloads\pdf_creator\PDFCreator-1_6_2_setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
C:\Users\Lee\Downloads\pdf_creator\PDFCreator-1_7_0_setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
C:\Users\Lee\Downloads\pdf_creator\PDFCreator-1_7_3_setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
C:\Users\Lee\Downloads\tone_gen\tnsetup.exe a variant of Win32/Toolbar.Conduit.K potentially unwanted application
C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__84542ff99aed6a4d\Interop.SHDocVw.dll a variant of Win32/Toolbar.Linkury.G potentially unwanted application
C:\Users\Lee\Downloads\411_SUPERsetup.exe Win32/OpenCandy potentially unsafe application
C:\Program Files (x86)\NCH Software\ToneGen\tnsetup_v3.00.exe a variant of Win32/Toolbar.Conduit.K potentially unwanted application
C:\Program Files (x86)\NCH Software\ToneGen\tonegen.exe a variant of Win32/Toolbar.Conduit.K potentially unwanted application
C:\Program Files (x86)\NCH Software\ToneGen\uninst.exe a variant of Win32/Toolbar.Conduit.K potentially unwanted application
C:\Users\Lee\Documents\PDFCreator-1_3_2_setup.exe Win32/OpenCandy potentially unsafe application
C:\Users\Lee\Documents\Autohotkey\ccsetup320.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Users\Lee\Documents\Autohotkey\ManyCam.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Lee\Documents\Autohotkey\PDFCreator-1_4_3_setup.exe Win32/OpenCandy potentially unsafe application
C:\Users\Lee\Documents\Autohotkey\PDFCreator-1_6_0_setup.exe Win32/InstallMonetizer.AQ potentially unwanted application
C:\Users\Lee\Documents\Autohotkey\pdfforge_PDFArchitect-0_5_5-setup.exe Win32/OpenCandy potentially unsafe application
C:\Users\Lee\Documents\Autohotkey\setupGMSFree\setupGMSFree.exe Win32/DownWare.W potentially unwanted application
C:\Users\Lee\Documents\poison pen\cbsidlm-tr1_5-System_Scheduler_Professional-43286.exe Win32/DownloadAdmin.G potentially unwanted application

 

MrC

Link to post
Share on other sites

>>All of these are your encrypted files:

>>DECRYPT_INSTRUCTION.HTML
>>DECRYPT_INSTRUCTION.URL
>>DECRYPT_INSTRUCTION.TXT

 

Those are files added by the virus, placed in directories where it encrypted files, approx 1600 locations.

I choose not to pay a ransom or run them.

 

I can manually delete the other files you listed.

 

I will recovery the encrypted data I need by other means.

 

***********************

 

What other instructions do you have for me?

Link to post
Share on other sites

OK....

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.87  
 Windows 7  x64 (UAC is enabled)  
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
McAfee Anti-Virus and Anti-Spyware   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 IE HTML Element Spy 1.10
 Java 7 Update 7  
 Java version out of Date!
 Adobe Flash Player 14.0.0.145  
 Adobe Reader 9  
 Adobe Reader XI  
 Mozilla Firefox (27.0)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 10%
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

I just notice the note about "service pack out of date"

Btw, I have chosen to update my computer with windows updates because

    on 2 occassions the update caused a loss of work ability.

 

The reasons related to 1. disabling an older software that I have used

2. disabling multiple monitor drivers for USB->VGA adapters.

 

FYI, I have 16 important updates and 3 optional updates pending.

 

******************************************************************************

 

I have a shared dropbox that I disabled just after learning I had this virus.

I use a logmein account for a shared computer, I have not after learning I had this virus.

 

Can you confirm that our method will not allow the virus to propigate(sp?) after we are done?

Link to post
Share on other sites

Can you confirm that our method will not allow the virus to propigate(sp?) after we are done?

The virus has been deleted from your system.

=============================

I'll go by what the log says and you can update what you want.

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


------------------------------------

Windows 7 x64 (UAC is enabled)
Out of date service pack!! <---------visit Windows Update for this


-------------------------------

Java 7 Update 7 <----please update, should be Update 67
Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

-----------------------------

You seem to have 2 version of Adobe Reader on the system, this may be inaccurate but check:

Adobe Reader 9 <-----------this may have already been uninstalled when ver: XI was installed
Adobe Reader XI <----------this is correct

=======================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.