
CryptoWall 2.0 Removal


Figton


Hello, thanks for your willingness to assist. Here is a copy of my log file.

 

RogueKiller V10.0.8.0 (x64) [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Janet [Administrator]
Mode : Scan -- Date : 11/24/2014  11:25:03

¤¤¤ Processes : 1 ¤¤¤
[Hj.Name?Suspicious.Path] conhost.exe -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 22 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | Irsjsoft Update : regsvr32.exe C:\Users\Janet\AppData\Local\Irsjsoft\lxa5WIA.DLL  -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | YkdbPack : C:\Windows\SysWOW64\regsvr32.exe C:\Users\Janet\AppData\Local\Adkworks\CNBJOP92.DLL  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | Irsjsoft Update : regsvr32.exe C:\Users\Janet\AppData\Local\Irsjsoft\lxa5WIA.DLL  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | YkdbPack : C:\Windows\SysWOW64\regsvr32.exe C:\Users\Janet\AppData\Local\Adkworks\CNBJOP92.DLL  -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NEWPLAYER -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NEWPLAYER -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NewPlayer -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13933  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13933  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C1E47DE2-85BA-4583-B7DE-E4A38626BD30} | DhcpNameServer : 64.59.135.135 64.59.128.121 [CANADA (CA)][CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C1E47DE2-85BA-4583-B7DE-E4A38626BD30} | DhcpNameServer : 64.59.135.135 64.59.128.121 [CANADA (CA)][CANADA (CA)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C1E47DE2-85BA-4583-B7DE-E4A38626BD30} | DhcpNameServer : 64.59.135.135 64.59.128.121 [CANADA (CA)][CANADA (CA)]  -> Found
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 8 ¤¤¤
[Suspicious.Path] \\Security Center Update - 1184452350 -- C:\Users\Janet\AppData\Roaming\Nekowya\rexobes.exe -> Found
[Suspicious.Path] \\Security Center Update - 1278791932 -- C:\Users\Janet\AppData\Roaming\Avqihayp\imyxfui.exe -> Found
[Suspicious.Path] \\Security Center Update - 1449157536 -- C:\Users\Janet\AppData\Roaming\Cyywwi\ipohize.exe -> Found
[Suspicious.Path] \\Security Center Update - 1525197069 -- C:\Users\Janet\AppData\Roaming\Wisyilyt\alkoco.exe -> Found
[Suspicious.Path] \\Security Center Update - 1812757941 -- C:\Users\Janet\AppData\Roaming\Raevpyv\cumif.exe -> Found
[Suspicious.Path] \\Security Center Update - 3016760313 -- C:\Users\Janet\AppData\Roaming\Omevafy\ywpau.exe -> Found
[Suspicious.Path] \\Security Center Update - 762318953 -- C:\Users\Janet\AppData\Roaming\Econirde\ypqypey.exe -> Found
[Suspicious.Path] \\{B7ADED9B-36B6-4F86-BF17-928D322E17F7} -- C:\Users\Janet\AppData\Roaming\Smilebox\SmileboxStarter.exe -> Found

¤¤¤ Files : 5 ¤¤¤
[Suspicious.Path][File] EhStorAuthn.lnk -- C:\Users\Janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EhStorAuthn.lnk [LNK@] C:\Users\Janet\AppData\Roaming\Microsoft\Windows\IEUpdate\EhStorAuthn.exe -> Found
[Suspicious.Path][File] Magnify.lnk -- C:\Users\Janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Magnify.lnk [LNK@] C:\Users\Janet\AppData\Roaming\Microsoft\Windows\IEUpdate\Magnify.exe -> Found
[Suspicious.Path][File] perfhost.lnk -- C:\Users\Janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\perfhost.lnk [LNK@] C:\Users\Janet\AppData\Roaming\Microsoft\Windows\IEUpdate\perfhost.exe -> Found
[Suspicious.Path][File] TSTheme.lnk -- C:\Users\Janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TSTheme.lnk [LNK@] C:\Users\Janet\AppData\Roaming\Microsoft\Windows\IEUpdate\TSTheme.exe -> Found
[Hj.Name?Suspicious.Path?Suspicious.Startup][File] conhost.exe -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 34 (Driver: Loaded) ¤¤¤
[IAT:Inl] (iexplore.exe @ LPK.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ MSCTF.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ shell32.DLL) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ shell32.DLL) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ IEFRAME.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ IEFRAME.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ IEFRAME.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ ole32.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ comdlg32.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ comdlg32.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ api-ms-win-downlevel-ole32-l1-1-0.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ api-ms-win-downlevel-ole32-l1-1-0.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ uxtheme.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ uxtheme.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ comctl32.dll) USER32.dll - DrawTextExW : Unknown @ 0x5515c6c (push dword 0x5515c6c|ret )
[IAT:Inl] (iexplore.exe @ urlmon.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x551b0ac (push dword 0x551b0ac|ret )
[IAT:Inl] (iexplore.exe @ WININET.dll) WS2_32.dll - WSASend : Unknown @ 0x551112c (push dword 0x551112c|ret )
[IAT:Inl] (iexplore.exe @ IEUI.dll) USER32.dll - DrawTextW : Unknown @ 0x551511c (push dword 0x551511c|ret )
[IAT:Inl] (iexplore.exe @ MSHTML.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ SETUPAPI.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ MSACM32.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ MSACM32.dll) WINMM.dll - waveOutOpen : Unknown @ 0x551cbfc (push dword 0x551cbfc|ret )
[IAT:Inl] (iexplore.exe @ wdmaud.drv) WINMM.dll - waveOutOpen : Unknown @ 0x551cbfc (push dword 0x551cbfc|ret )
[IAT:Inl] (iexplore.exe @ Flash32_15_0_0_223.ocx) WINMM.dll - waveOutOpen : Unknown @ 0x551cbfc (push dword 0x551cbfc|ret )
[IAT:Inl] (iexplore.exe @ Flash32_15_0_0_223.ocx) WININET.dll - HttpOpenRequestA : Unknown @ 0x551a55c (push dword 0x551a55c|ret )
[IAT:Inl] (iexplore.exe @ msacm32.drv) WINMM.dll - waveOutOpen : Unknown @ 0x551cbfc (push dword 0x551cbfc|ret )
[IAT:Inl] (iexplore.exe @ uiautomationcore.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )
[IAT:Inl] (iexplore.exe @ OLEACC.dll) USER32.dll - MessageBeep : Unknown @ 0x5521b2c (push dword 0x5521b2c|ret )

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ARRAY0 +++++
--- User ---
[MBR] 3a702abb7338a3bcf3517c98c46ac4bb
[BSP] dabf446fc636fd7bb2eb42ab058c69a6 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 13566 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 27865088 | Size: 940268 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

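The persistence entries in the log above share a handful of traits: Run-key values that hand a DLL under AppData\Local to regsvr32, scheduled tasks named "Security Center Update - <number>" that launch executables under AppData\Roaming, and Startup-folder shortcuts to files carrying the names of Windows binaries (Magnify.exe, conhost.exe and so on) that live nowhere near C:\Windows. The Python script below is an added example, not part of the thread and not RogueKiller's own code; it parses a few lines copied from the log and scores each entry on those signals so the paths worth collecting before removal stand out. The list of Windows binary names and the set of user-writable path prefixes are assumptions made for the example.

```python
"""Triage persistence entries from a RogueKiller log.

Added example, not part of the thread and not RogueKiller's own code. It
parses Run-key values, scheduled tasks and Startup-folder entries and scores
each on signals the log above exhibits: a target in a user-writable
location, a DLL loaded through regsvr32, a task name that mimics a Windows
component, and a Windows binary name sitting outside C:\\Windows.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log above, section headers omitted.
SAMPLE_LOG = r"""
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | Irsjsoft Update : regsvr32.exe C:\Users\Janet\AppData\Local\Irsjsoft\lxa5WIA.DLL  -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-695488545-597031157-3067637020-1000\Software\Microsoft\Windows\CurrentVersion\Run | YkdbPack : C:\Windows\SysWOW64\regsvr32.exe C:\Users\Janet\AppData\Local\Adkworks\CNBJOP92.DLL  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[Suspicious.Path] \\Security Center Update - 1184452350 -- C:\Users\Janet\AppData\Roaming\Nekowya\rexobes.exe -> Found
[Suspicious.Path] \\{B7ADED9B-36B6-4F86-BF17-928D322E17F7} -- C:\Users\Janet\AppData\Roaming\Smilebox\SmileboxStarter.exe -> Found
[Suspicious.Path][File] Magnify.lnk -- C:\Users\Janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Magnify.lnk [LNK@] C:\Users\Janet\AppData\Roaming\Microsoft\Windows\IEUpdate\Magnify.exe -> Found
[Hj.Name?Suspicious.Path?Suspicious.Startup][File] conhost.exe -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe -> Found
"""

# Drive-letter paths ending in an executable-ish extension. Non-greedy, so a
# .lnk and its [LNK@] target on the same line come out as two matches.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|lnk)\b", re.IGNORECASE)

# Prefixes any interactive user can write to (compared lower-cased). Assumed set.
USER_WRITABLE = ("\\appdata\\", "c:\\programdata\\", "c:\\users\\public\\")

# Genuine Windows 7 binary names that the Startup entries in the log reuse.
# Partial list, assumed for this example.
SYSTEM_BINARY_NAMES = {"conhost.exe", "magnify.exe", "perfhost.exe", "tstheme.exe", "ehstorauthn.exe"}

# Task names of the form "Security Center Update - <random number>".
TASK_MIMIC = re.compile(r"Security Center Update - \d+")


@dataclass
class Finding:
    kind: str
    name: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def classify(line):
    """Map a RogueKiller line to the persistence mechanism it describes."""
    if "\\CurrentVersion\\Run" in line:
        return "run-key"
    if "[File]" in line:
        return "startup-file"
    if line.startswith("[") and " -- " in line and "\\\\" in line:
        return "task"
    return None


def extract_name(kind, line):
    """Pull the value name, task name or file name out of the line."""
    if kind == "run-key":
        return line.split(" | ", 1)[1].split(" : ", 1)[0]
    if kind == "task":
        return line.split("\\\\", 1)[1].split(" -- ", 1)[0]
    return line.split("[File] ", 1)[1].split(" -- ", 1)[0]


def triage(log_text):
    """Return one Finding per persistence entry, with the reasons it looks hostile."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = classify(line)
        if kind is None:
            continue
        paths = WIN_PATH.findall(line)
        if not paths:
            continue
        target = paths[-1]            # for a .lnk this is the resolved [LNK@] target
        low = target.lower()
        basename = low.rsplit("\\", 1)[-1]
        name = extract_name(kind, line)
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("target in user-writable location")
        if kind == "run-key" and "regsvr32" in line.lower() and low.endswith(".dll"):
            reasons.append("DLL loaded through regsvr32")
        if kind == "task" and TASK_MIMIC.fullmatch(name):
            reasons.append("task name mimics a Windows component")
        if basename in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("Windows binary name outside C:\\Windows")
        findings.append(Finding(kind, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -f.score):
        print(f"{f.score} {f.kind:13} {f.name!r:45} {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the two regsvr32 loaders, the fake Security Center task and the Startup-folder copies of Magnify.exe and conhost.exe each score 2, while the Smilebox task scores 1: a user-writable path on its own is a weak signal, because a legitimately installed program's scheduled task looks exactly the same. The score is a sorting aid for a human, not a verdict.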

What problems remain??

 

MrC

 

Well, assuming that the files the virus corrupted are all gone, I still have a couple of issues.

 

1. There are dozens, if not hundreds, of files that the program mass-produced into every conceivable folder that direct me to install TOR, and how to 'decrypt' my data for a price. Someone else mentioned if there was a way to delete them en masse, but I didn't want to ask before we were finished or close to finished.

Malwarebytes removed my CryptoWall virus but I have many leftover files named "INSTALL_TOR" and "DECRYPT_INSTRUCTION.TXT/HTML".

Do you know how I can get rid of these en masse? Also, I assume my virus is gone, but I see here that you have many more programs I should use (FRST and RogueKiller). Should I start over and follow these steps, or is it possible I am rid of this horror?

 

2. When you instructed me to use RogueKiller and MalwareBytes, you said only to quarantine. I sent you the logs but you never replied as to which files should be deleted, assuming I'm supposed to delete any.

Okay, here are the two extra log files.

 

Also, just to make sure: I haven't deleted anything from the MalwareBytes threat list or the RogueKiller threat list. I assume you're looking over which files are dangerous or not? My apologies if I'm jumping the gun, I just wanted to make sure I'm doing what I need to.

That being said, am I to run them both again and delete/remove dangerous files this time? And if so, which? I recall RogueKiller citing a couple of processes that I wasn't exactly sure were dangerous.

 

3. Lastly, after ComboFix failed the first time, you never directed me to use it again. Have we moved past it? I know you directed me to use FRST again, but I thought we were just starting over from square one since you told me to uninstall ComboFix.

 

Basically, there are just a few loose ends I'd like to tie up, as this virus/bug/malware - whatever it is - is still attacking files and altering data in my computer.


Malwarebytes removed my CryptoWall virus but I have many leftover files named "INSTALL_TOR" and "DECRYPT_INSTRUCTION.TXT/HTML".
Do you know how I can get rid of these en masse? Also, I assume my virus is gone, but I see here that you have many more programs I should use (FRST and RogueKiller). Should I start over and follow these steps, or is it possible I am rid of this horror?


Go to Start > Search > Files/folders > copy and paste this in: DECRYPT_INSTRUCTION > Search
When all are found > Select all > Delete
Repeat for any other folders you want to delete

========================================

2. When you instructed me to use RogueKiller and MalwareBytes, you said only to quarantine. I sent you the logs but you never replied to which files should be deleted, assuming I'm supposed to delete any.

You don't have to delete anything

========================================

3. Lastly, after ComboFix failed the first time, you never directed me to use it again. Have we moved past it? I know you directed me to use FRST again, but I thought we were just starting over from square one since you told me to uninstall ComboFix.

We used FRST instead to delete the files.

 

========================================

 

Basically, there's just a few loose ends I'd like to tie up, as this virus/bug/malware - whatever it is - is still attacking files and altering data in my computer.

What exactly do you mean????

Please re-scan with FRST and Make sure the Addition Box is checked.
Post or attach the 2 logs FRST(64).txt and Addition.txt

 

MrC

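The Explorer search MrC describes does the job; with notes dropped into every folder of a profile it helps to preview the full list first, keep one copy of each note name as a record (the note text contains the victim-specific links) and only then delete the rest. The script below is an added example, not from the thread. It matches files by stem, so DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML and INSTALL_TOR with any extension are all caught, and it treats files over 256 KiB as not being notes (an assumed guard, since a note is a few kilobytes). The sample directory tree it builds is constructed so the script runs stand-alone; the evidence folder name is an assumption too.

```python
"""Find and remove CryptoWall ransom notes en masse.

Added example, not from the thread. Matches files by stem (name without
extension) so DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML and
INSTALL_TOR.* are all caught, previews before deleting, and keeps one copy
of each distinct note name as evidence.
"""
import os
import shutil
import tempfile
from pathlib import Path

NOTE_STEMS = {"decrypt_instruction", "install_tor"}   # names given in the thread
MAX_NOTE_SIZE = 256 * 1024   # assumed guard: a note is a few KB, user data usually is not


def find_notes(root, exclude=None):
    """Return every ransom note under root, skipping the exclude directory."""
    exclude = Path(exclude) if exclude is not None else None
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _err: None):
        for name in files:
            p = Path(dirpath, name)
            if p.stem.lower() not in NOTE_STEMS:
                continue
            if exclude is not None and exclude in p.parents:
                continue
            try:
                if p.stat().st_size <= MAX_NOTE_SIZE:
                    hits.append(p)
            except OSError:
                pass   # unreadable entry: leave it for manual review
    return sorted(hits)


def purge_notes(root, evidence_dir, dry_run=True):
    """Delete the notes under root, keeping one copy per note name in evidence_dir.

    With dry_run=True nothing is touched; the returned "deleted" list is the preview.
    """
    evidence_dir = Path(evidence_dir)
    kept = {}
    deleted = []
    for note in find_notes(root, exclude=evidence_dir):
        key = note.name.lower()
        if key not in kept:
            if not dry_run:
                evidence_dir.mkdir(parents=True, exist_ok=True)
                shutil.copy2(note, evidence_dir / note.name)
            kept[key] = note
        if not dry_run:
            note.unlink()
        deleted.append(note)
    return {"deleted": deleted, "kept": kept}


def build_sample_tree(base):
    """Constructed sample: a small profile with notes dropped into several folders."""
    layout = {
        "Documents": ["DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML", "INSTALL_TOR.URL", "budget.xlsx"],
        "Pictures/2014": ["DECRYPT_INSTRUCTION.TXT", "INSTALL_TOR.URL", "holiday.jpg"],
        "Desktop": ["decrypt_instruction.html", "DECRYPT_INSTRUCTION_backup.txt", "todo.txt"],
    }
    for folder, names in layout.items():
        d = Path(base, folder)
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_text(f"sample content of {name}\n")


def demo(base=None):
    """Preview, then really purge, the sample tree; returns counts for checking."""
    own_tmp = base is None
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="cw_notes_"))
    build_sample_tree(base)
    evidence = base / "_ransom_note_evidence"
    found = find_notes(base, exclude=evidence)
    preview = purge_notes(base, evidence, dry_run=True)
    intact = sum(1 for p in found if p.exists())          # dry run must delete nothing
    result = purge_notes(base, evidence, dry_run=False)
    remaining = find_notes(base, exclude=evidence)
    user_files = [base / "Documents" / "budget.xlsx", base / "Pictures" / "2014" / "holiday.jpg",
                  base / "Desktop" / "DECRYPT_INSTRUCTION_backup.txt", base / "Desktop" / "todo.txt"]
    summary = {
        "found": len(found),
        "preview_count": len(preview["deleted"]),
        "intact_after_preview": intact,
        "deleted": len(result["deleted"]),
        "remaining": len(remaining),
        "evidence": sorted(p.name for p in evidence.iterdir()),
        "user_files_intact": all(p.exists() for p in user_files),
    }
    if own_tmp:
        shutil.rmtree(base, ignore_errors=True)
    return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine, call purge_notes(r"C:\", r"C:\ransom_note_evidence") once with dry_run=True, read the list, and only then repeat with dry_run=False; run it from the affected user's account (or an elevated one for other profiles), and repeat per drive letter the malware could reach.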

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.
