
CryptoWall 2.0 Removal


Figton


Hello, I'm new here, and I've followed a previous thread on removing CryptoWall:

 

https://forums.malwarebytes.org/index.php?/topic/157975-remove-cryptowall-virus/

 

I've followed user "MrCharlie" and his advice, and below I've attached the logs from the different programs they suggested to run. Already my computer is running better, but I'm well aware of how hidden and persistent these programs can be. Hopefully we'll get this nipped in the bud.

Addition.txt

FRST.txt

report.txt

mwbscanlog.txt

protectionlog.txt


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

1. Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download RogueKiller 32 bit to your desktop and run it.

RogueKiller <--- use this one for 64-bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button and post the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Malwarebytes removed my CryptoWall virus, but I have many leftover files named "INSTALL_TOR" and "DECRYPT_INSTRUCTION.TXT/HTML".

Do you know how I can get rid of these en masse? Also, I assume my virus is gone, but I see here that you have many more programs I should use (FRST and RogueKiller). Should I start over and follow these steps, or is it possible I am rid of this horror?

thank you

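The thread never answers the "en masse" question above, so here is an added example (not from the thread, from MrC, or from Malwarebytes) of how a responder would sweep a drive for the leftover note files. It assumes the names the poster reported: any file whose stem is DECRYPT_INSTRUCTION (the post mentions .TXT and .HTML) and any file whose name starts with INSTALL_TOR; the .URL extension and the directory layout in the demo are constructed. The per-directory count is the part worth keeping even if you delete the notes by hand: CryptoWall drops a note into every folder it touched, so the list shows how far the encryption reached.

```python
"""Sweep a directory tree for leftover CryptoWall ransom-note files.

Added example for the question in the thread; not MrC's or Malwarebytes' code.
The name patterns are an assumption taken from the poster's description.
"""
import os
import tempfile
from typing import Dict, List

# Assumption: note names as the poster reported them. Matching is on the
# filename stem so DECRYPT_INSTRUCTION.TXT, .HTML (or any other extension) hit.
NOTE_STEMS = {"DECRYPT_INSTRUCTION"}
NOTE_PREFIXES = ("INSTALL_TOR",)


def is_ransom_note(filename: str) -> bool:
    """True if the bare filename matches one of the known note patterns."""
    stem = os.path.splitext(filename)[0].upper()
    return stem in NOTE_STEMS or stem.startswith(NOTE_PREFIXES)


def find_ransom_notes(root: str) -> List[str]:
    """List every note file under root without modifying anything."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_ransom_note(f))
    return sorted(hits)


def sweep_ransom_notes(root: str, delete: bool = False) -> Dict[str, object]:
    """Report (and optionally delete) the notes under root.

    Deletion is off by default: run with delete=False first, review the
    per-directory counts (they show which folders, shares and mapped drives
    the ransomware reached), then run again with delete=True.
    """
    found = find_ransom_notes(root)
    per_dir: Dict[str, int] = {}
    for path in found:
        d = os.path.dirname(path)
        per_dir[d] = per_dir.get(d, 0) + 1
    removed, failed = [], []
    if delete:
        for path in found:
            try:
                os.remove(path)
                removed.append(path)
            except OSError as exc:  # locked or read-only file: record it, keep going
                failed.append((path, str(exc)))
    return {"found": found, "per_dir": per_dir, "removed": removed, "failed": failed}


def demo() -> Dict[str, object]:
    """Build a constructed sample tree in a temp dir and sweep it twice."""
    root = tempfile.mkdtemp(prefix="cw_notes_")
    # Constructed layout: three notes in Documents, two in a subfolder, none elsewhere.
    layout = {
        "Documents": ["DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML",
                      "INSTALL_TOR.URL", "report.docx"],
        os.path.join("Documents", "Photos"): ["DECRYPT_INSTRUCTION.TXT",
                                              "INSTALL_TOR.URL", "img1.jpg"],
        "Downloads": ["setup.exe"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")
    dry = sweep_ransom_notes(root, delete=False)   # review pass
    wet = sweep_ransom_notes(root, delete=True)    # cleanup pass
    return {"root": root, "dry": dry, "wet": wet, "left": find_ransom_notes(root)}


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['dry']['found'])} notes in {len(result['dry']['per_dir'])} directories")
    for d, n in result["dry"]["per_dir"].items():
        print(f"  {n:3d}  {d}")
    print(f"{len(result['wet']['removed'])} removed, {len(result['left'])} remaining")
```

On a real machine you would call `sweep_ransom_notes(r"C:\")` (and each mapped drive) instead of `demo()`. Removing the notes does nothing for the encrypted files themselves; it only clears the clutter once the infection has been dealt with, which is why the thread continues with the FRST and RogueKiller steps.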

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

=======================

Then...........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\SYSNATIVE\drivers\hckhvogo.sys

c:\windows\SYSNATIVE\drivers\mepcjixw.sys

c:\windows\System32\drivers\xdyw.sys

Driver::

hckhvogo

mepcjixw

ayyrbdgm

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


I'm so sorry for not getting back to you sooner! The past four-five days have been extremely hectic for me, what with work and school.

 

Here's the long version:

 

Before I ran ComboFix, I copied your text from the quote box and dragged it into the .exe file, as directed. It went through various stages, and everything was going pretty much exactly how you said, time-wise and everything. I went away for a moment, came back, and saw that it had restarted, and was at the Windows loading screen. "Great," I thought, "I haven't missed anything."

 

As it booted up and loaded my desktop screen, ComboFix brought up a blue command-prompt screen, shuddered for a moment, and then 'spazzed out'. By this I mean that the command prompt box opens, closes, and moves slightly to the right and down to open again, doing this about 6-7 times before going back to its original position - only to start the process all over again. It does this very rapidly too, cascading from top-left to lower-middle in a 6-7 flicker burst in under a second. Because it's continuously refreshing the file, I can't click anything.

 

I restarted my computer. It did the same thing.

I turned my computer off, and after that did a hard-boot. Both times the command prompt came on, 'shuddered', and cascaded down my desktop.

 

My fear is that there is a program interfering with it. As you said, I turned off Microsoft Security Essentials - the only anti-virus program that I know I have installed. However, in retrospect, that was the only thing I disabled, and I may have needed to disable some of the programs you had me download, like RogueKiller, or MalwareBytes.

 

Weirdly enough, my laptop was struggling to turn on, but that may be a battery-cable issue. But, like I mentioned before, I'm unable to check because none of my clicks register due to the prompt continuously opening and closing.

 

I'm really not sure where to go from here, and I just haven't had the time to sit down and type this out. I'm sorry for making this so complicated, and I really do appreciate your assistance.

 

Here's the short version (Summary):

 

I apologize for not getting back with you sooner, things have been very busy recently. I ran ComboFix. After it had restarted its blue command prompt came up and, to the best of my computer vernacular, 'glitched'. I am unable to click anything due to the .exe file opening and closing dozens of times in mere seconds. It is still doing this today. Something odd was that my computer wouldn't boot up for a few minutes, but this may be a simple laptop battery-life/cable issue; however, I am unable to verify this, as the prompt inhibits me from clicking anything, as mentioned before. I'm unsure of what to do at this point, and any assistance is greatly appreciated.


I apologize for not getting back with you sooner, things have been very busy recently. I ran ComboFix. After it had restarted its blue command prompt came up and, to the best of my computer vernacular, 'glitched'. I am unable to click anything due to the .exe file opening and closing dozens of times in mere seconds. It is still doing this today. Something odd was that my computer wouldn't boot up for a few minutes, but this may be a simple laptop battery-life/cable issue; however, I am unable to verify this, as the prompt inhibits me from clicking anything, as mentioned before. I'm unsure of what to do at this point, and any assistance is greatly appreciated.

Sorry but somehow I missed your reply.

Are you still having problems???

Have you tried system restore??

MrC


Okay, as usual, everything is getting in the way of me actually getting a chance to just sit down and work with you. Again, I apologize for the continued inconvenience, and you have no idea how grateful I am for your patience.

 

Yesterday, I did a system restore to the last time ComboFix ran. It seems to be running 'fine' now - that is to say, the blue prompt is no longer flickering all over the screen, and I can actually interact and execute files now.

 

So, I assume now we'll try to run ComboFix again, and hopefully I'll disable everything I need to in order to make sure it doesn't have any issues the next go around. As far as I know, I only have Microsoft Security Essentials (which I disabled), and MalwareBytes and RogueKiller (the two of which I didn't disable, due to being ignorant of whether or not they would interfere with ComboFix) as potential programs that may have caused ComboFix to crash like it did.

 

I hope to do it correctly this time, and I appreciate any additional information you can provide me to ensure I don't fudge this up all over again. I'll wait for your response and go-ahead before I do anything.


Alright, upon starting my laptop up (which, this time, I'm using instead of my desktop), I received a bunch of notifications from different programs like Java, Steam, AdBlock Plus, iTunes, etc. This isn't unusual, but it got me thinking that these programs may have been what caused ComboFix to crash because they interrupted it from running properly. I'm not sure of this, but I have disabled and uninstalled any programs that pop up like this.

 

What prompted me to do this is that I tried to run FRST, but it became unresponsive due to an update alert from ABP. So, now that I've disabled/uninstalled them, another potential issue has come up that I want to make sure I alert you to before we continue on.

 

The very first time I ran FRST, I received these error messages that I simply assumed were files corrupted by this virus. Since I assumed they were unimportant, I didn't mention them. There are 8 in total:

Warning!

     Error saving file
     C:\FRST\HIVES\BCD !

     Continue with the next file?

     [ RegCreateKeyEx: 5 - Access is denied ]

          Yes          No


Other files/pathways include:

 

C:\FRST\HIVES\SYSTEM !

C:\FRST\HIVES\SOFTWARE !

C:\FRST\HIVES\DEFAULT !

C:\FRST\HIVES\SECURITY !

C:\FRST\HIVES\SAM !

C:\FRST\HIVES\Users\00000001\ntuser.dat !

C:\FRST\HIVES\Users\00000002\UsrClass.dat !

 

I'm not sure if this is normal for all computers, normal for corrupted ones, or just simply abnormal. I realize that these are all files relating to FRST, but I don't know what they mean; I simply click 'Yes' to go to the next file it has in the lineup in order to run FRST. I'm only mentioning this to give you as much information as I can so that you have a better idea of what it is we're dealing with. Please let me know if this is useful or simply superfluous information.

 

One other note I might add is that my laptop has an Administrator Account and a 'Public' Account. I never use the admin account, and I try to verify anything I install that requires installation to both accounts. However, I am aware that the CryptoWall virus can infect multiple accounts (even password protected ones like mine) and System Restore Points. I haven't checked if either of these areas are infected, as I fear I may do more harm than good - and I truly don't know what I'm looking for. Again, I only mention this to try and give you a broader picture of my system and what may interfere with different programs.

 

So, with all that out of the way, I ran FRST. The files you wanted are attached below.

 

If you have any questions that I can help clear up, don't hesitate to ask them. Hopefully, the information provided was helpful, and not redundant.

Addition11-16-14.txt

FRST11-16-14.txt


Not much showing....

Download and run this uninstaller for ComboFix:

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

============================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

==============================

Download and run rkill (post the log):

http://www.bleepingcomputer.com/download/rkill/dl/132/

MrC


Alright, I ran your link to uninstall ComboFix. In my folder, CF is still there, sitting next to the program to uninstall it. When I try to run it, it simply says, 'Done!' after a couple seconds, and then Windows says it may not have installed correctly. I've run it 4 or 5 times now, and CF is still there.

 

Attached is the fix log: Fixlog11-22-14.txt

 

Lastly, I can't save the rkill notepad document, so I'm just going to copy/paste it here.

 

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/22/2014 03:20:59 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 11/22/2014 03:21:13 PM
Execution time: 0 hours(s), 0 minute(s), and 13 seconds(s)

 

Because it wouldn't save the file, I ran the program 2 more times before I just decided to copy/paste the notepad document.

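The rkill log above ends with a HOSTS file check that found only the expected `127.0.0.1 localhost` line. As an added example (not rkill's or BleepingComputer's code) of what that check is looking for, the script below classifies every HOSTS mapping: the reserved local names must point at loopback, any other name pointed at loopback or 0.0.0.0 is reported as "blocked" (the trick used to cut a machine off from vendor and update sites), and any name pointed at a routable address is reported as "redirected". The second sample file and the 203.0.113.5 address in it are constructed; the first sample is the single entry from the log.

```python
"""Classify HOSTS file entries the way rkill's "Checking HOSTS File" step does.

Added example for the rkill log in this thread; not rkill's code. The findings
are a triage list for a human, not a verdict: see the usage note on ad-blocking
host files.
"""
import ipaddress
from typing import List, Tuple

# Names that are expected to map to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

Finding = Tuple[int, str, str, str]  # (line number, kind, hostname, address)

# Exactly what the rkill log above reported.
RKILL_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: one vendor site blocked, one sent to an address we do not own.
SAMPLE_HOSTS = """\
# constructed sample, not the poster's file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bleepingcomputer.com   # vendor site cut off
203.0.113.5     forums.malwarebytes.org    # vendor site redirected (TEST-NET-3 address)
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, address, hostname) for every mapping; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # drop trailing comment, tokenize
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first token is not an address: malformed line
        for name in parts[1:]:                     # one address may carry several names
            entries.append((lineno, parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag mappings that deserve a look; an untouched HOSTS file yields an empty list."""
    findings: List[Finding] = []
    for lineno, addr_text, name in parse_hosts(text):
        addr = ipaddress.ip_address(addr_text)
        points_local = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
        if name in LOCAL_NAMES:
            if not points_local:
                findings.append((lineno, "hijacked-localhost", name, addr_text))
        elif points_local:
            findings.append((lineno, "blocked", name, addr_text))
        else:
            findings.append((lineno, "redirected", name, addr_text))
    return findings


if __name__ == "__main__":
    for label, text in (("rkill log", RKILL_HOSTS), ("constructed sample", SAMPLE_HOSTS)):
        print(f"{label}: {len(audit_hosts(text))} finding(s)")
        for lineno, kind, name, addr in audit_hosts(text):
            print(f"  line {lineno}: {kind:20s} {name} -> {addr}")
```

To audit a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `audit_hosts`. A deliberately installed ad-blocking or "custom (Adobe) host file" (the kind MrC asks people to remove before he will help) produces thousands of "blocked" findings, so the output is a list to review, not proof of infection; what matters is whether a name you rely on, such as a vendor or update domain, is on it.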

This topic is now closed to further replies.