Cryptolocker 3.0 Infection


Welcome to the forum.

Here's some info on that infection:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Your files are most likely gone unless you pay... you can try the methods listed below:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore

=================================

There are some items in the log that need to be cleaned up:

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait.

The tool will create a log (Fixlog.txt) in the folder; please post it in your reply.

MrC

fixlist.txt



Here is the fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:15-09-2015
Ran by Roger (2015-09-20 15:32:44) Run:1
Running from C:\Users\Roger\Desktop
Loaded Profiles: Roger &  (Available Profiles: Roger)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
HKU\S-1-5-21-555399903-68560212-2811420054-1001\...\Run: [KESI Appointment Calendar] => [X]
HKU\S-1-5-21-555399903-68560212-2811420054-1001\...A8F59079A8D5}\localserver32:  <==== ATTENTION
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKLM -> {CEC019A3-2714-47A9-8D78-0B71F2C46863} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {CEC019A3-2714-47A9-8D78-0B71F2C46863} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-555399903-68560212-2811420054-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-555399903-68560212-2811420054-1001 -> {CEC019A3-2714-47A9-8D78-0B71F2C46863} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Toolbar: HKU\S-1-5-21-555399903-68560212-2811420054-1001 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKU\S-1-5-21-555399903-68560212-2811420054-1001 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} -  No File
Toolbar: HKU\S-1-5-21-555399903-68560212-2811420054-1001 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
FF DefaultSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Ask.com
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\Ask.xml [2014-12-15]
CHR DefaultSearchURL: Default -> hxxp://dts.search.ask.com/web?q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.93\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.93\pdf.dll => No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll => No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility) - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL => No File
CHR Plugin: (Picasa) - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll => No File
CHR Plugin: (Google Update) - C:\Users\Roger\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Plugin: (McAfee SecurityCenter) - c:\progra~2\mcafee\msc\npmcsn~1.dll => No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
U2 ERSvc; no ImagePath
2015-07-03 17:50 - 2015-07-03 17:50 - 0008620 _____ () C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.HTML
2015-07-03 17:50 - 2015-07-03 17:50 - 0045540 _____ () C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.PNG
2015-07-03 17:50 - 2015-07-03 17:50 - 0004250 _____ () C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.TXT
2015-07-03 17:50 - 2015-07-03 17:50 - 0000288 _____ () C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.URL
2015-07-03 17:48 - 2015-07-03 17:48 - 0008620 _____ () C:\Users\Roger\AppData\Local\HELP_DECRYPT.HTML
2015-07-03 17:48 - 2015-07-03 17:48 - 0045540 _____ () C:\Users\Roger\AppData\Local\HELP_DECRYPT.PNG
2015-07-03 17:48 - 2015-07-03 17:48 - 0004250 _____ () C:\Users\Roger\AppData\Local\HELP_DECRYPT.TXT
2015-07-03 17:48 - 2015-07-03 17:48 - 0000288 _____ () C:\Users\Roger\AppData\Local\HELP_DECRYPT.URL
2015-07-03 17:07 - 2015-07-03 17:07 - 0008620 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-07-03 17:07 - 2015-07-03 17:07 - 0045540 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-07-03 17:07 - 2015-07-03 17:07 - 0004250 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-07-03 17:07 - 2015-07-03 17:07 - 0000288 _____ () C:\ProgramData\HELP_DECRYPT.URL
EmptyTemp:

That's only half of the log; that's the fixlist content.

Where's the rest of it???

 

MrC

 

Sorry about that, here it is.

 

*****************
 
Restore point was successfully created.
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Windows\CurrentVersion\Run\\KESI Appointment Calendar => value removed successfully
"HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => key removed successfully
"HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => key removed successfully
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEC019A3-2714-47A9-8D78-0B71F2C46863}" => key removed successfully
HKCR\CLSID\{CEC019A3-2714-47A9-8D78-0B71F2C46863} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{CEC019A3-2714-47A9-8D78-0B71F2C46863}" => key removed successfully
HKCR\Wow6432Node\CLSID\{CEC019A3-2714-47A9-8D78-0B71F2C46863} => key not found. 
"HKU\S-1-5-21-555399903-68560212-2811420054-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
"HKU\S-1-5-21-555399903-68560212-2811420054-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CEC019A3-2714-47A9-8D78-0B71F2C46863}" => key removed successfully
HKCR\CLSID\{CEC019A3-2714-47A9-8D78-0B71F2C46863} => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully
"HKCR\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => value removed successfully
HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => key not found. 
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{724D43A0-0D85-11D4-9908-00400523E39A} => value removed successfully
"HKCR\CLSID\{724D43A0-0D85-11D4-9908-00400523E39A}" => key removed successfully
HKU\S-1-5-21-555399903-68560212-2811420054-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => value removed successfully
HKCR\CLSID\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => key not found. 
Firefox DefaultSearchEngine removed successfully
Firefox SearchEngineOrder.1 removed successfully
Firefox SelectedSearchEngine removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Program Files (x86)\mozilla firefox\searchplugins\Ask.xml => moved successfully
Chrome DefaultSearchURL removed successfully
Chrome DefaultSuggestURL removed successfully
C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.93\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.93\pdf.dll => not found.
C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.41.123.2_0\McChPlg.dll => not found.
C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll => not found.
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => not found.
C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL => not found.
C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll => not found.
C:\Users\Roger\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => not found.
c:\progra~2\mcafee\msc\npmcsn~1.dll => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully
ERSvc => service removed successfully
C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.HTML => moved successfully
C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.PNG => moved successfully
C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.TXT => moved successfully
C:\Users\Roger\AppData\Roaming\HELP_DECRYPT.URL => moved successfully
C:\Users\Roger\AppData\Local\HELP_DECRYPT.HTML => moved successfully
C:\Users\Roger\AppData\Local\HELP_DECRYPT.PNG => moved successfully
C:\Users\Roger\AppData\Local\HELP_DECRYPT.TXT => moved successfully
C:\Users\Roger\AppData\Local\HELP_DECRYPT.URL => moved successfully
C:\ProgramData\HELP_DECRYPT.HTML => moved successfully
C:\ProgramData\HELP_DECRYPT.PNG => moved successfully
C:\ProgramData\HELP_DECRYPT.TXT => moved successfully
C:\ProgramData\HELP_DECRYPT.URL => moved successfully
EmptyTemp: => 552.4 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 15:38:27 ====
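The Fixlog above shows two line shapes worth recognising when reading an FRST log: file entries ("created - modified - size attrs (company) path") and fix results ("target => outcome"). The following is an added example, not the poster's log or FRST's own code, that parses both shapes from constructed sample lines, groups the HELP_DECRYPT ransom-note drops by folder and size (the same note landing in several folders with identical sizes is the pattern seen in this thread), and tallies the fix outcomes so the "not found" entries can be reviewed separately.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the FRST file-entry format quoted in the thread (not the full log).
FIXLIST_SAMPLE = """\
2015-07-03 17:50 - 2015-07-03 17:50 - 0008620 _____ () C:\\Users\\Roger\\AppData\\Roaming\\HELP_DECRYPT.HTML
2015-07-03 17:48 - 2015-07-03 17:48 - 0008620 _____ () C:\\Users\\Roger\\AppData\\Local\\HELP_DECRYPT.HTML
2015-07-03 17:07 - 2015-07-03 17:07 - 0008620 _____ () C:\\ProgramData\\HELP_DECRYPT.HTML
2015-07-03 17:07 - 2015-07-03 17:07 - 0000288 _____ () C:\\ProgramData\\HELP_DECRYPT.URL
2015-09-01 10:00 - 2015-09-01 10:00 - 0012345 _____ () C:\\Users\\Roger\\Documents\\notes.txt
"""
# Constructed Fixlog result lines in the "<target> => <outcome>" form shown above.
FIXLOG_SAMPLE = """\
C:\\ProgramData\\HELP_DECRYPT.HTML => moved successfully
HKCR\\CLSID\\{CEC019A3-2714-47A9-8D78-0B71F2C46863} => key not found.
ERSvc => service removed successfully
EmptyTemp: => 552.4 MB temporary data Removed.
"""
# FRST file entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S+) \((.*?)\) (.+)$")
# The CryptoWall ransom-note set that was dropped into several folders in this thread.
RANSOM_NOTE_NAMES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG",
                     "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL"}

def parse_file_entries(text):
    """Parse FRST file-entry lines; lines in any other form are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, company, path = m.groups()
            entries.append({"created": created, "modified": modified, "size": int(size),
                            "path": path, "name": path.rsplit("\\", 1)[-1]})
    return entries

def find_ransom_notes(entries):
    """Group ransom-note hits by name: folders each note landed in, and the sizes seen.
    One size repeated across many folders is the mass-drop pattern of the note set."""
    hits = defaultdict(lambda: {"dirs": [], "sizes": set()})
    for e in entries:
        name = e["name"].upper()
        if name in RANSOM_NOTE_NAMES:
            hits[name]["dirs"].append(e["path"].rsplit("\\", 1)[0])
            hits[name]["sizes"].add(e["size"])
    return dict(hits)

def summarize_fixlog(text):
    """Count Fixlog outcomes so the 'not found' entries can be reviewed separately."""
    counts = Counter()
    for line in text.splitlines():
        if " => " in line:
            counts[line.split(" => ", 1)[1].strip()] += 1
    return counts
```

Feed it a real FRST.txt or Fixlog.txt instead of the samples to get the same grouping over a full log.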

OK........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.
  • If you can't post it, attach it.
MrC


 

 Results of screen317's Security Check version 1.008  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
Norton 360    
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
  Adobe Flash Player 17.0.0.190 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 15.0.1 Firefox out of Date!  
 Google Chrome (45.0.2454.85) 
 Google Chrome (45.0.2454.93) 
 Google Chrome (Plugins...) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


===============================

Adobe Flash Player 17.0.0.190 Flash Player out of Date!

Flash Player:
Check for an update if available
Downloads are at the top of the page. (don't install the McAfee toolbar)

=======================

Mozilla Firefox 15.0.1 Firefox out of Date! <----please check for an update if available.

======================


Your Google Chrome is out of date also............

Open up Chrome > Click on the 3 bars in the upper right hand corner
Click on About Google Chrome
If there's an update available it will automatically update

=========================

A little clean up to do....

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC



# DelFix v1.011 - Logfile created 21/09/2015 at 19:12:06
# Updated 18/08/2015 by Xplode
# Username : Roger - ROGER-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\Users\Roger\Desktop\Addition.txt
Deleted : C:\Users\Roger\Desktop\dds.exe
Deleted : C:\Users\Roger\Desktop\dds.txt
Deleted : C:\Users\Roger\Desktop\Fixlog.txt
Deleted : C:\Users\Roger\Desktop\FRST.txt
Deleted : C:\Users\Roger\Desktop\FRST64.exe
Deleted : C:\Users\Roger\Desktop\securitycheck.exe
Deleted : C:\Users\Roger\Desktop\Shortcut.txt
Deleted : C:\Users\Roger\Downloads\FRST64 (1).exe
 
########## - EOF - ##########
 
 
Rebooting now

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
