Hello everyone, I am new to this forum. I have just been hit by that dang CryptoWall virus last night. While googling around about it, I came upon this forum and saw that excellent detailed help and guidance was offered by forum members and moderators... I'm hoping someone can help me please.

   I'm running a fairly old IBM Thinkpad laptop with XP. I'm not so concerned with recovering the files as I have a good backup... I just want to ensure that the virus itself is completely gone from my computer. I've read several things about it, but haven't really noticed any kind of consistent approach to cleaning. I went into Safe Mode and looked around for any suspect executables but couldn't find any that were obvious to me. There are, however, 8779 entries of the "HELP_ENCRYPT*.*" (.txt, .png, .html) files on my system... not sure if I should delete these also in Safe Mode or it's okay to delete in normal mode. Hoping someone can help me out please.

 

Thank You

    Shawn

 


I may not have posted this in the proper section, I'm afraid. I saw similar situations to mine in the "Resolved HijackThis Logs" sub-section, but it seems I'm not able to post a new topic in that particular section. Could someone offer any advice please?

 

Thank You

   Shawn


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products, Windows), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Make sure the rootkit scan is enabled

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

You can also use this version of RogueKiller which works on both 32 and 64 bit:

RogueKiller 32 & 64 bit

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Sometimes when clearing out an infection the winsock stack will become corrupt and you'll lose your internet connection. To resolve this....reset the stack as outlined HERE

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Thank you so much for helping me MrCharlie. OK, I've attached all the reports you requested. Regarding setting the System Restore point, I just don't have enough free HD space to do so. I'm running a fairly old IBM Thinkpad laptop with XP... I have only about 3 gigs of free space remaining.

   Also, I'm a Windows Delphi programmer and in my software  I employ a couple of security modules - CodeLock and PC-Guard. Sometimes anti-virus scanners pick these up in my EXE files, don't know what to make of them, and flag them as infected. So I just wanted to let you know about that as you evaluate the reports in case you discover something that looks like a virus.

 

Thanks!

    Shawn

 

Addition.txt

FRST.txt

MalwareBytes-Log.txt

RogueKillerRpt.txt


Your logs look pretty good, this virus usually deletes itself after it does its damage.

=============================

IObit <-------we don't recommend programs from this company

==============================

You have system restore disabled but you have all of these restore points still on the system. Way too many and they're taking up a large amount of disk space.
You should delete all of them except the most recent couple.
Then move the Disk Space Slider way down to about 2%

 

ATTENTION: System Restore is disabled
20-08-2015 15:02:04 System Checkpoint
21-08-2015 17:39:16 System Checkpoint
22-08-2015 18:01:43 System Checkpoint
23-08-2015 19:06:59 System Checkpoint
24-08-2015 20:53:39 System Checkpoint
25-08-2015 16:11:08 Removed QuickTime 7
26-08-2015 20:43:06 System Checkpoint
27-08-2015 20:54:20 System Checkpoint
29-08-2015 09:43:03 System Checkpoint
30-08-2015 16:41:14 System Checkpoint
01-09-2015 00:27:26 System Checkpoint
02-09-2015 02:31:23 System Checkpoint
03-09-2015 03:07:24 System Checkpoint
04-09-2015 15:44:01 System Checkpoint
05-09-2015 16:40:24 System Checkpoint
07-09-2015 14:31:05 System Checkpoint
08-09-2015 17:16:16 System Checkpoint
10-09-2015 01:11:26 System Checkpoint
11-09-2015 02:56:54 System Checkpoint
12-09-2015 03:00:04 System Checkpoint
14-09-2015 00:37:02 System Checkpoint
15-09-2015 01:05:57 System Checkpoint
16-09-2015 14:48:27 System Checkpoint
17-09-2015 17:48:25 System Checkpoint
18-09-2015 18:49:13 System Checkpoint
20-09-2015 16:50:19 System Checkpoint
21-09-2015 22:32:12 System Checkpoint
23-09-2015 00:19:30 System Checkpoint
24-09-2015 00:50:09 System Checkpoint
25-09-2015 00:51:04 System Checkpoint
26-09-2015 14:20:45 System Checkpoint
27-09-2015 15:54:02 System Checkpoint
28-09-2015 20:39:57 System Checkpoint
29-09-2015 20:56:42 System Checkpoint
01-10-2015 00:09:04 System Checkpoint
02-10-2015 03:02:17 System Checkpoint
03-10-2015 04:22:28 System Checkpoint

 

==============================================

There are, however, 8779 entries of the "HELP_ENCRYPT*.*" (.txt, .png, .html) files on my system... not sure if I should delete these also in Safe Mode or it's okay to delete in normal mode.

You can delete all of those which ever way you want to.

============================================

There's some clutter on the system that we can clean up:

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
Run FRST.exe/FRST64.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.


MrC

fixlist.txt

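As an added example (not from this thread, nor from Malwarebytes, FRST or RogueKiller), a small Python script that enumerates the ransom-note files matching the HELP_ENCRYPT*.* pattern Shawn describes, does a dry run first, and only then deletes them. The extension whitelist, the helper names and the sample directory tree are assumptions made here; the encrypted user documents sitting beside the notes are never touched.

```python
import os
import tempfile
from pathlib import Path

# Name pattern taken from the thread (HELP_ENCRYPT*.*); the extension whitelist is an
# assumption made here so that only note files, never encrypted user data, are touched.
RANSOM_NOTE_PREFIX = "help_encrypt"
RANSOM_NOTE_EXTENSIONS = {".txt", ".png", ".html"}


def is_ransom_note(path):
    """Match on basename prefix and extension, case-insensitively (NTFS names vary in case)."""
    p = Path(path)
    return (p.name.lower().startswith(RANSOM_NOTE_PREFIX)
            and p.suffix.lower() in RANSOM_NOTE_EXTENSIONS)


def find_ransom_notes(root):
    """Walk the tree under root and return the sorted list of note files found."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_ransom_note(full):
                hits.append(full)
    return sorted(hits)


def remove_ransom_notes(root, dry_run=True):
    """Delete the notes, or only report them when dry_run; returns (count, log lines)."""
    log = []
    notes = find_ransom_notes(root)
    for note in notes:
        if dry_run:
            log.append("would delete: " + note)
        else:
            os.remove(note)
            log.append("deleted: " + note)
    return len(notes), log


def build_sample_tree(base):
    """Constructed sample tree standing in for a hit user profile; not real malware output."""
    layout = {
        "Documents/HELP_ENCRYPT.TXT": "ransom note text",
        "Documents/HELP_ENCRYPT.PNG": "ransom note image",
        "Documents/HELP_ENCRYPT.HTML": "<html>ransom note</html>",
        "Documents/report.docx": "user data (would be encrypted; must be left alone)",
        "Pictures/HELP_ENCRYPT.txt": "ransom note text",
        "Pictures/notes_help_encrypt.txt": "user file that merely contains the prefix",
    }
    for rel, content in layout.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Dry run, then real removal, on the constructed tree; returns a summary dict."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        found = len(find_ransom_notes(base))
        dry_count, _ = remove_ransom_notes(base, dry_run=True)
        after_dry = len(find_ransom_notes(base))
        real_count, _ = remove_ransom_notes(base, dry_run=False)
        return {"found": found, "dry_run": dry_count, "after_dry_run": after_dry,
                "deleted": real_count, "remaining": len(find_ransom_notes(base)),
                "user_file_intact": Path(base, "Documents", "report.docx").exists()}
```

On a real system, point find_ransom_notes at the drive root and review the dry-run log before calling remove_ransom_notes with dry_run=False.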

That's great MrCharlie, that is good news!

 

I don't use the IObit software much... is there a reason it's not recommended?

 

I deleted the old System Restore points and it did free up around 2 gigs of space... excellent. I couldn't however, set the Disk Space Usage lower to 2%. I had to turn back ON System Restore in order to move the slider, then I would APPLY and OK to that, then I would go back in and turn off the System Restore and APPLY and OK that. But when I went back into the screen, the slider was all the way back up to 12% where it was before. I've attached a screenshot... it looks a little different than yours - maybe I was doing it in the wrong screen.

 

I deleted all the HELP_ENCRYPT files in Safe Mode... no problems.

 

And I ran your Fixlist... attached is the Fixlog.txt

 

Thanks so much!

   Shawn

 

Fixlog.txt



IObit software:
https://forums.malwarebytes.org/index.php?/topic/29681-iobit-steals-malwarebytes-intellectual-property/

=================================

You do have it on your system:

Add/Remove programs:
Advanced SystemCare 5 (HKLM\...\Advanced SystemCare 5_is1) (Version: 5.0.0 - IObit)
Smart Defrag 2 (HKLM\...\Smart Defrag 2_is1) (Version: 2.2 - IObit)

Files:
(IObit) C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
Task: C:\WINDOWS\Tasks\SmartDefrag_Startup.job => C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
2011-12-22 15:29 - 2011-04-21 17:54 - 00347024 _____ () C:\Program Files\IObit\Advanced SystemCare 5\madExcept_.bpl
2011-12-22 15:29 - 2011-04-21 17:54 - 00179088 _____ () C:\Program Files\IObit\Advanced SystemCare 5\madBasic_.bpl
2011-12-22 15:29 - 2011-04-21 17:54 - 00046480 _____ () C:\Program Files\IObit\Advanced SystemCare 5\madDisAsm_.bpl
R2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [494424 2011-12-22] (IObit)
2015-10-03 18:35 - 2011-12-22 15:29 - 00000000 ____D C:\Documents and Settings\JD\Application Data\IObit
2015-10-04 17:18 - 2011-12-23 02:11 - 00000274 _____ C:\WINDOWS\Tasks\SmartDefrag_Startup.job
R0 SmartDefragDriver; C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys [14776 2010-11-26] ()

=================================

You have system restore turned off, that's why you can't move the slider.
Once you turn it back on it will delete all previous restore points and start creating new ones.
If you don't want to keep system restore turned on, I suggest you keep the registry backed up.
I wrote a tutorial on how to do that and it's located HERE.
It will automatically create a back-up of the registry everyday, very useful for XP users.

================================

If there are no other problems.......

Let's check your computer's security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • If you can't post it, attach it

MrC


Yes, of course I can uninstall IOBit's Advanced Systemcare and SmartDefrag. Shame on them for plagiarizing from MalwareBytes.

 

Well, regarding System Restore - currently I now have about 5.5 gigs of free hard drive space. Would that be enough to put System Restore back on and the percentage down to 2%? I see I also could do a "Compress old files on hard drive" to salvage another 5 gigs or so. Do you think I should do that?

 

Regarding my system's security - admittedly, it's not the best. I use COMODO firewall and have turned off the built-in Windows Firewall. I don't have an anti-virus running constantly in the background as this older laptop doesn't have quite enough horsepower to handle something like that without slowing everything down markedly. Every now and then I do run MalwareBytes and also do a virus scan at Trend Micro Housecall. Not the best, I know. When I make some money (hopefully soon), a whole new laptop with Windows 10 is in order.

 

Here are the contents of the checkup.txt file created by SecurityCheck:

 

 

 Results of screen317's Security Check version 1.009  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Disabled!  
PC Antivirus   
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 IBM 32-bit Runtime Environment for Java 2, v1.4.2
 Java 7 Update 25  
 IBM 32-bit Runtime Environment for Java 2, v1.4.2
 Java version 32-bit out of Date!
  Adobe Flash Player     18.0.0.232 Flash Player out of Date!  
 Mozilla Firefox (41.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Comodo Firewall cmdagent.exe
 Comodo Firewall cfp.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

 

Thank You!

    Shawn


Yes, of course I can uninstall IOBit's Advanced Systemcare and SmartDefrag. Shame on them for plagiarizing from MalwareBytes.

This stuff is useless: (uninstall it)
Advanced SystemCare 5 (HKLM\...\Advanced SystemCare 5_is1) (Version: 5.0.0 - IObit)
Smart Defrag 2 (HKLM\...\Smart Defrag 2_is1) (Version: 2.2 - IObit)



Well, regarding System Restore - currently I now have about 5.5 gigs of free hard drive space. Would that be enough to put System Restore back on and the percentage down to 2%? I see I also could do a "Compress old files on hard drive" to salvage another 5 gigs or so. Do you think I should do that?

I've never tried that but if it frees up some space...go ahead. That should let you turn on system restore, just keep an eye on it so it doesn't start creating too many restore points. You may have to tweak it again.

Regarding my system's security - admittedly, it's not the best. I use COMODO firewall and have turned off the built-in Windows Firewall. I don't have an anti-virus running constantly in the background as this older laptop doesn't have quite enough horsepower to handle something like that without slowing everything down markedly. Every now and then I do run MalwareBytes and also do a virus scan at Trend Micro Housecall. Not the best, I know. When I make some money (hopefully soon), a whole new laptop with Windows 10 is in order.

OK but that's very risky especially on XP. Make sure you have back-ups of important stuff.

=============================

Adobe Flash Player 18.0.0.232 Flash Player out of Date!
19.0.0.185 <---should be this version
You can get the latest version at the link below:
https://get.adobe.com/flashplayer/otherversions/
(don't install the McAfee toolbar)

Java version 32-bit out of Date!

These are not in your add/remove programs so you can't uninstall them:
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM 32-bit Runtime Environment for Java 2, v1.4.2


Java 7 Update 25 <----------uninstall this one

Now go to the link below and download and install Java SE Runtime Environment 7u79
http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

Windows x86 Online 0.89 MB <---this one

=====================================

A little clean up to do....

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Thanks MrCharlie...

 

OK, got the latest Adobe Flash.

 

Actually, the IBM 32-bit Runtime Environment for Java 2, v1.4.2 *was* in my Add/Remove Programs list, so I did an uninstall of it. And I also uninstalled Java 7 Update 25 too. Then I installed Java SE Runtime Environment 7u79. After that installation, it tried to do a "verify java" action, which failed because it said I didn't have the latest version of Java... that newer version of Java is only for Windows Vista and up. So I guess I sit tight with Java 7 Update 25 too, yes?

 

And here is the Delfix.txt log file contents:

 

# DelFix v1.011 - Logfile created 06/10/2015 at 00:19:01
# Updated 18/08/2015 by Xplode
# Username : JD - IBM-CA399E2B0C9
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Documents and Settings\JD\Desktop\SecurityCheck.txt
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\Addition.txt
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\AdwCleaner.exe
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\Fixlog.txt
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\FRST.exe
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\FRST.txt
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\RogueKiller.exe
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\RogueKillerRpt.txt
Deleted : C:\Documents and Settings\JD\My Documents\Downloads\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

########## - EOF - ##########

 

 

Thanks!

   Shawn


No.......

Leave Java SE Runtime Environment 7u79 installed (that's what I have installed on my XP pro), it's the latest version that will work on XP. Support for XP has ended, that's why you see that message.

To check what version you have installed, open up the Java Control Panel (it's in your Control Panel), click the General tab, now click About. That will give you the version installed.


On the Update tab, un-check "Check for updates automatically" (there are none)

 

=============================

 

 
For added computer security, it's recommended to Disable Java through the Java Control Panel in your web browser.

MrC


Oh I'm sorry there MrCharlie... when I said:

 

"So I guess I sit tight with Java 7 Update 25 too, yes?"

 

I had meant to type "So I guess I sit tight with Java SE Runtime Environment 7u79 too, yes?". Sorry for the confusion. Yes, I've got Java SE Runtime Environment 7u79 installed and I'll stick with it. I've disabled the automatic update as you suggested.

 

 

In your link with instructions to disable Java for browsers, it says this:

 

"Firefox
  1. From the Firefox menu, select Tools, then click the Add-ons option
  2. In the Add-ons Manager window, select Plugins
  3. Click Java Platform plugin to select it
  4. Click Disable (if the button displays Enable then Java is already disabled)"

 

I pretty much use only Firefox exclusively. In my list of Plugins, I can't find anything Java-related... so I guess I'm good then eh?

 

Thanks!

   Shawn


This topic is now closed to further replies.