Jump to content

Help_decrypt infection


Sherry
 Share

Recommended Posts

I evidently picked up this ransomware.  Attached are the FRST, Malwarebytes log and Combofirst logs.  Would appreciate any help in getting rid of this bleeping virus and potentially recovering infected files (most of which appear to be in the World of Warcraft folders.

 

I understand basic PC computer actions but definitely no expert...especially since I remember punch cards in college for the university's main frame :)

 

 

FRST.txt

Addition.txt

malwarebytes scan log.txt

ComboFix.txt

Link to post
Share on other sites

You are replying to yourself so it looks like you're being helped.

You shouldn't have run ComboFix.

Here's the bible on that infection:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

You can try these methods to retrieve your files, there's a slim chance they might work:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore

MrC

Link to post
Share on other sites

As recommended by the bleepingcomputer link, I ran the ListCWall program to locate and isolate all encrypted files.  Attached are the results but basically there were none to be found in the registry.  However, when I ran a search using help_decrypt as the keyword, I found 1,377 files located in various folders throughout my hard drive.  They are all various versions of the ransom note. 

ListCWall.txt

Link to post
Share on other sites

Those files are most likely lost unless you pay the ransom, I take it you tried the methods listed to recover them.

I need to see fresh logs from FRST:

Please re-scan with FRST and Make sure the Addition Box is checked.

http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png

Post or attach the 2 logs FRST.txt and Addition.txt

Link to post
Share on other sites

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

=======================

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

Let me know how it is, MrC

fixlist.txt

Link to post
Share on other sites

When I do a search for all "help_decrypt" files, I still get alot of files located in various folders.  I've manually gone to each of the identified locations and deleted the files.  I then wiped the free space using CCleaner.  Rebooted and ran the search again.  Less files show up but still get quite a number.  When I go the file location, it isn't there but the search says it is.  This is true except for the following file location;

 

Startup (C:\Users\Public\Public Documents\Adobe PDF

 

When I try to open the file location, I get the following message: " C:\users\public\documents\adobe pdf\startup refers to a location that is unavailable.  It could be on a hard drive on this computer, or on a network.  Check to make sure that the disk is properly inserted or that you are connected to the internet or your network, and then try again.  If it still cannot be located, the information might have been moved to a different location."

 

 I then checked my Recovery Drive D.  On that partition, there is a file called Crypto.  Path is D:\ProgramData\Microsoft\Crypto.  Within that file are 3 folders called DSS, Keys, and RSA. Within the RSA folder is a sub-folder called MachineKeys but it's empty.  The DSS folder has the same empty sub-folder while the Keys folder is empty. This all may have nothing to do with this bleeping Cryptowall virus.  But it is curiously named.

 

I've attached a screen capture of the search window showing the various help_decrypt files.  Why do they keep popping up?

 

 

 

 

post-191799-0-65084100-1440644825_thumb.

Link to post
Share on other sites

I then checked my Recovery Drive D. On that partition, there is a file called Crypto. Path is D:\ProgramData\Microsoft\Crypto. Within that file are 3 folders called DSS, Keys, and RSA. Within the RSA folder is a sub-folder called MachineKeys but it's empty. The DSS folder has the same empty sub-folder while the Keys folder is empty. This all may have nothing to do with this bleeping Cryptowall virus. But it is curiously named.

This is OK so leave it alone.

 

==================

I've attached a screen capture of the search window showing the various help_decrypt files. Why do they keep popping up?

The way to delete them is to use Windows search feature using help_decrypt
Then > select all > delete

==================

Running a scan with ESET should also find all of them:

Please run a free online scan with the ESET Online Scanner (it may take a while to run)
Note: You will need to use Internet Explorer for this scan.
First please Disable any Antivirus you have active, as shown in This Topic
FAQ

Note: Don't forget to re-enable it after the scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats is unchecked and the option Scan unsafe applications is checked
Click Advanced settings and select the following:

ceba8c51-8f88-44b9-ad41-5f07ba8351b1.png

Click Start
Wait for the scan to finish
If threats were found:
Click on "list of threats found"
Click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
Put a checkmark in "Uninstall application on close"
Click on finish
Post back the log.....MrC

Link to post
Share on other sites

 

The way to delete them is to use Windows search feature using help_decrypt


Then > select all > delete

 

I have done this many many times.  Started out with over 1800 files, rebooted, searched again resulting in less files, went to each individual file location and deleted them, wiped free space, rebooted...rinse and repeat.

Attached is the Eset Scan file.

Eset Scan.txt

Link to post
Share on other sites

Good!, If there's no other problems.......

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.