I recently made a post on here that was ruined by an unauthorized user posting an answer. However, being as that post does not include new information I just found out, it is no longer needed.

On January 26th, my computer started running very slowly. After that, it started freezing after only being up for roughly 5 minutes, so I system restored back to an earlier date. However, upon it booting from the system restore, it told me it was unsuccessful, so I tried another restore. This one had the same result; however, it made the computer actually work. It wasn't until I clicked to go to my manuscript for my novel that I realized it said it was corrupted. After searching through files and libraries, I found the HELP_DECRYPT files and realized I had a CryptoWall 3.0 virus. At that time, it had encrypted a few photos, old emails and every document on my computer. However, now I'm seeing that more files are becoming encrypted as time goes on. I had run Avast! anti-virus scans and Malwarebytes anti-malware scans and it found a bunch of %Temp% files that were malicious and it deleted them, but the files are still being encrypted. I don't have $500 or $1000 to give to the scammers, so I guess I'll just have to deal with every file on my computer being encrypted slowly over time. I'm very poor, very sick, live in an abusive household, and my computer is virtually my only portal to the outside world. I need help from a Registered User or whatever it is that can help me personally, and I need it soon. Please, someone help me before it encrypts any more of my files. I'm worried sick and I'm very scared. I'm not overly tech savvy, so please don't give me any EXTREMELY complicated answers as the unauthorized answerer on my other post gave me. I've read plenty of posts on here where someone has helped out even the "dumbest" of computer users, so I know it can't be impossible. Not everything has to include a bunch of technological jargon and impossible suggestions. Thanks so much.


  • Root Admin

I removed your other topic. Well we can help you to scan your computer to remove the actual infection but any damage done to your data will not be able to be restored.

 

Did the infection actually run and infect your data or it was just found certain pieces of the infection?

 

If your data was encrypted then you might want to consider formatting the drive and reinstalling Windows for peace of mind. But as said we can help you to scan to clean the PC.

 

Please read the following as well and let me know what you'd like to do.

 

The complexity of finding, preventing, and cleanup from malware
 

 

Thanks


I have to fix the computer without the reinstalling of Windows. First of all, I have no idea how to do that and I don't have any type of disc with Windows 7 on it. And second, I have a TON of other files on here that are not yet corrupted and I don't know if that would delete those files or not. If it did, it wouldn't just be my stuff we're losing, it would be things like pictures from other members of the household's cameras and what have you, so I'm sure you can understand it isn't up to me to format and lose them or whatever it would take to reinstall Windows. I don't care about the already infected files. Nothing overly important has been touched yet. However, I need to remove it before it gets to something that is. Please help me to scan the computer and remove it rather than reinstalling Windows. And, even though it isn't my preferred route, maybe provide a bit more information on how someone would go about reinstalling Windows without a CD of software. Thanks.


  • Root Admin

Okay, please read and follow the directions below and we'll look at cleaning the computer.

 

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

 

 


I just wanted to post that I will be continuing on with your provided answer soon. I have been having to take care of my grandmother, running her to the hospital and filling her prescriptions, and have simply not had any time to work on the computer. Thanks so much for the reply and I will get to work on it as soon as possible. Thanks again.


I have read all of the article you provided and I'll admit it has me scared. I am terrified that I am going to wind up with another virus of some kind or that my computer will react to this new program by having a fatal error of some kind. Like I said, I'm not overly tech savvy, and being as this computer is not just my own, I'm very scared. Can you please reassure me there are no viruses associated with downloading ComboFix? I am so worried...


  • Root Admin

There are no viruses or other malware contained in or associated with ComboFix. It is a very common tool used many times every day on the Internet by many trained helpers.

 

This is a direct download link so that you don't have to worry about clicking the wrong link either. Save it - don't run it from your browser. Then close your browser and locate it where you saved it and run it.

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Thanks


  • Root Admin

That was not the complete log. Please look for the original file C:\combofix.log and post that back.

 

Then run the following steps.

 

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07

Please go here to run the online antivirus scanner from ESET.


  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 


I'm posting the other files I have saved, but I don't see one that has the title you told me to find. Is there any particular place it would be? Perhaps you can help me by telling me where to find it.

 

I'll run those other scans over the next few days and give you each one as I do it.

 

Thanks so much for the help. I'm going crazy over this stupid computer...

ComboFix.txt

ComboFix Log.txt


  • Root Admin

Just a reminder that we cannot remove the encryption from your data and any data not backed up before the attack cannot be recovered. The data is lost. All we can do is attempt to clean the computer of the infection.

Please right click over FRST64.exe and choose "Run as administrator"
Copy and paste the following in the Search Field or type it in exactly as shown

*decrypt*

Click on the Search File(s) button
Once completed click OK and a "Search.txt" log file will open.
The file may be large so please find it in the same location where you ran FRST64 and click on the "More Reply Options" button on the forum and attach the file.
If needed please zip or archive the file and upload it.
 

 

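Added example, not from this thread or from Malwarebytes, showing what the `*decrypt*` search above is meant to surface and how a helper might confirm which files were actually hit. The script walks a folder tree, lists every directory where a CryptoWall-style HELP_DECRYPT ransom note (the files the original poster found) was dropped, and flags documents and images whose first bytes no longer match their extension: a .docx that does not start with a ZIP header or a .jpg without a JPEG marker has most likely been overwritten with ciphertext. The sample folder it builds in a temp directory is constructed data; the magic-number table, the entropy check and the assumption that encrypted files keep their original names (as the poster's description suggests) are mine, not something the thread states.

```python
import math
import os
import tempfile
from collections import Counter

# Ransom-note file names CryptoWall 3.0 drops into each folder it touches
# (the HELP_DECRYPT files the original poster found).
NOTE_PREFIXES = ("HELP_DECRYPT",)

# Expected leading bytes for common user-file types (assumed table, not from the thread).
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF",),
    ".doc":  (b"\xd0\xcf\x11\xe0",),   # legacy OLE2 container
    ".docx": (b"PK\x03\x04",),         # OOXML documents are ZIP archives
    ".xlsx": (b"PK\x03\x04",),
    ".zip":  (b"PK\x03\x04",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and most office files well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(name: str) -> bool:
    return name.upper().startswith(NOTE_PREFIXES)


def triage(root: str):
    """Walk `root`; return (dirs containing ransom notes, suspect files).

    A suspect is a file whose extension is in MAGIC but whose first bytes do not
    match; it is reported with the entropy of its first 4 KiB as supporting evidence.
    """
    dirs_with_notes, suspects = [], []
    for dirpath, _, filenames in os.walk(root):
        if any(is_ransom_note(f) for f in filenames):
            dirs_with_notes.append(dirpath)
        for f in filenames:
            if is_ransom_note(f):
                continue
            ext = os.path.splitext(f)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if not head.startswith(MAGIC[ext]):   # startswith accepts a tuple of candidates
                suspects.append((path, round(shannon_entropy(head), 2)))
    return dirs_with_notes, suspects


def build_sample_tree(base: str) -> None:
    """Constructed data: an intact JPEG and PDF, a 'manuscript' whose bytes were
    replaced by ciphertext under its original name, and a ransom note beside it."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    with open(os.path.join(pics, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 200)
    with open(os.path.join(docs, "notes.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"%" * 200)
    with open(os.path.join(docs, "novel.docx"), "wb") as fh:
        fh.write(bytes(range(256)) * 8)      # stands in for ciphertext: every byte value, uniform
    with open(os.path.join(docs, "HELP_DECRYPT.TXT"), "w") as fh:
        fh.write("Your files have been encrypted.\n")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return paths relative to the tree."""
    base = tempfile.mkdtemp(prefix="cw_triage_")
    build_sample_tree(base)
    notes, suspects = triage(base)
    rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
    return {
        "dirs_with_notes": [rel(d) for d in notes],
        "suspects": [(rel(p), e) for p, e in suspects],
    }


if __name__ == "__main__":
    print(run_demo())
```

Pointed at a real profile (`triage(r"C:\Users\name")`), the directory list tells you how far the encryptor got and the suspect list separates files that are genuinely unreadable from ones that only look odd; neither helps decrypt anything, which is the point the Root Admin makes above, but it does tell you exactly what still needs backing up.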

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


  • Root Admin

Great, okay let me have you run the following please
 
 
Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:
 
Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

Next:

 

Please restart the computer again and run a new FRST scan and make sure you place a check mark in the Additions.txt check box and post back both new logs.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.


 


I have to ask before I take this step; why do I have to uninstall Java? The thought of doing that is scary to me because we use it so much for the websites we visit and things we do. I'm wondering if this is a step I can avoid or if you could please explain to me what this will do? I wouldn't be bothered by it if I knew that System Restore could undo anything that was wrong, but the last time I tried System Restore it was unsuccessful both times. I'm just worried and I hope you can understand. I'm also wondering how many more steps there are to removing this virus. It doesn't seem to be causing any more problems. No more files have become encrypted; the only problem is the speed of the computer's performance has dropped a bit, but nothing I can't handle. Is it possible that the infection is gone? Thanks so much.


  • Root Admin

It's up to you. Java is typically the #1 or #2 method used to infiltrate and infect your computer. This is due to hackers finding methods to compromise older versions of Java. Java gets updated often but does not clean out or remove its old code, and sometimes this can be used as a means to get control of your system.

 

I'm not saying you can't reinstall and use Java (though if at all possible I would highly suggest trying to not use it) if you feel you need to. But a good clean removal (as best as possible) and then install just the latest version of Java would be a good thing in general. I myself actually have to use an older version of Java due to a Server component it manages that the new version of Java is not supported on the server.

 

 

If you think you're okay with the Java and the issue appears to have abated, that's good, because for the most part the computer does look okay now. However, as I mentioned, personally I would NEVER trust this computer for any type of operations that require trust, such as banking, medical, etc., as there is simply no way to guarantee 100% that it has been completely eradicated.

 

You can read more about the issue here

The complexity of finding, preventing, and cleanup from malware
 

 

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!


 


 Here are the results of the Security Check:

 

Results of screen317's Security Check version 0.99.96 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Trend Micro Titanium Internet Security  
avast! Antivirus                        
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 40 
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
 Adobe Reader 10.1.13 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastui.exe 
 Trend Micro Titanium TiMiniService.exe 
 Trend Micro Titanium TiResumeSrv.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````
 


  • Root Admin

Well if there is nothing else then it looks like the infection has been removed as best we can tell.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.
 
 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 


This topic is now closed to further replies.