
Question before trying the virus removal section here.


7 replies to this topic

#1 UnkownBmovieActress


Posted 23 November 2014 - 08:26 PM

Hi, I have a HP G60 Notebook, running Windows 7 Home Premium 64 bit, Security Essentials, Windows Firewall, and I think Malwarebytes. (currently shut down) All kept fully updated at all times. No email program and no mail sent or received on that computer. It is nevertheless infected with Dllhost.exe*32 com surrogate, which took control of security settings, allowed other worms, viruses, trojans, malware through, looks like literally 100s. I went to a recommended website, qmalwareremoval.freeforums.net, and began working with them. I have completed their fact finding, downloaded their tool (think same one used here) Farbar Removal Tool? Did scanning, and submitted results, but that is as far as they have gone, seem to have abandoned my thread. While this was going on it became clear a crypto ransomware had executed and was in the process of encrypting files, had just started. I've never had any further response from the website in completing, or even starting the removal part of the process. I know they are very overloaded, sounded on verge of breakdown of services last message, suspect I may never hear anything further. I know there is a waiting period everywhere, but it has been over 10 days. I finally shut the machine down, but looks like the crypto got everything while I sat around not making another move as instructed.

 

Does anyone here have any advice about what I should do next? Most places have stringent instructions not to have tried any removal tools or anything else before they do their process, so I don't know if they will accept my situation here. I also don't know if the crypto has changed the whole game. Far as I can find out, there is no hope once everything is encrypted.

 

I had to do everything from a cell phone and have lost track of where all I have been asking for advice, but have only actually started that one removal program, have done nothing else.





#2 UnkownBmovieActress


Posted 23 November 2014 - 08:42 PM

I would like to add that the website I was using was helping free of charge, and that they were very professional, polite, and are probably very effective. I just think they might have more people signed on at this time than they can help in time for some of them. Or could be I made them mad when the crypto came up. I did get off-subject.  



#3 buddy215


Posted 23 November 2014 - 09:50 PM

Best advice I can give you is to do a clean reinstall. I hope you have a recent backup of any valuable files you had on that computer.

Most likely from what you describe the original culprit was poweliks. That could be removed but it has the ability to do whatever it is hired to do. From ad fraud to keylogging and ransomware. Anything....


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” - Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 UnkownBmovieActress


Posted 23 November 2014 - 11:03 PM

Hi, thanks very much for answering. I had to have a reinstall after start-up or boot failed three months ago, at a tech service, and they saved the files, so have back-up from that I suppose, but nothing since. It was very expensive. My thought was go ahead and try removal, if anyone would or could do it, knowing the crypto also executed. Then see what is left if anything. But I guess reinstall again.

 

Did you mean the virus you think started it can't be removed? Will just keep morphing? Is it like a rootkit?

 

Do you know why none of the anti-virus and security I had caught it? I don't download free stuff, that kind of thing, no email either. I don't believe I could have downloaded it myself without knowing it. Looks like crypto executed as a fake adobe flash automatic update. But I think that was let in or came from the first one, as you say. That's the one I can't figure why or how it wasn't stopped.

 

Thank you again for the advice.



#5 buddy215


Posted 24 November 2014 - 05:55 AM

DO NOT connect any external device such as a flash drive or disk drive to the infected computer until the OS has been reinstalled. Any file on those devices could be encrypted, too.

Once you have done a clean reinstall which will reformat the drive, the malware will be gone. If you have a Windows DVD then the reinstall can be easily done by yourself.

The malware...poweliks...I only saw reference to recently. Until Eset came out with a removal tool a short time ago it required the use of tools that are used by pros in the malware removal forums to find and remove it. That's the short answer.

If you have programs such as ALL Adobe products including Flash, Reader; Java (not java script) that are not updated then that could have been the source of the first or next malware which downloaded all the rest. Very important on Windows machines to get those updates as soon as they are released to avoid being exploited by just visiting an infected web page.




#6 UnkownBmovieActress


Posted 25 November 2014 - 05:14 PM

Hi, thank you. Some more information - There are no external devices connected to the Notebook, CDs or any discs, so ok there. It does have Logmein, with a Dell desktop as the host computer, and the Notebook as the remote. Notebook has not had a Logmein connection open since symptoms started. But the symptoms seemed to be dllhost.exe32 com surrogate. If Poweliks was there before, some of the descriptions I am just now reading say it comes as a Word doc in an email attachment, and operates silently with no symptoms at first? I don't send or receive email on the Notebook, not even a program, and I never access email online. Email has been disabled on the desktop as well for over a year. I haven't opened Word doc or other email attachments for a long time, years. Java was the only thing that needed an update, but it had just sent notification about same time symptoms started. An Adobe Flash auto update notice came up, looked identical to a normal one, and I accepted it, didn't bother to check if needed, because I knew I was keeping things updated. I know that was false. So that was a huge mistake.

 

The first symptoms were very sudden, almost no response, in Task Manager scores of unknown exe's, multiple copies of many, and seems like unnecessary multiples of valid processes, 100% CPU at all times. After starting the preliminary pre-removal, found two Notepad files in many folders with the ransomware threats and instructions, but files were not yet encrypted, they are now though. Apparently it did not encrypt large files like large image or mp3s. They all work, look undamaged and there are none of the crypto notice files in those folders. I would like to save some of the image files if possible as they are not all backed up. That's why I had hoped I could clean up the Notebook and at least save those files, then do a reinstall afterwards. Do you think that would be possible?

 

Thanks again so much for your advice.



#7 noknojon


Posted 25 November 2014 - 05:30 PM

This is only posted as you state >> I also don't know if the crypto has changed the whole game. Far as I can find out, there is no hope once everything is encrypted. <<

 

A repository of all current knowledge regarding CryptoWall & CryptoWall 2.0 is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall & CryptoWall 2.0 etc. does and provide information for how to deal with it and possibly decrypt/recover your files.

At this time there is prevention, but no fix tool for CryptoWall.

CryptoWall 2.0 uses its own TOR gateways...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Helpers -

If you are infected with this malware and have a sample of the installer or a copy of the email / program that started all of this, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3



#8 buddy215


Posted 25 November 2014 - 05:51 PM

I know of one safe way to retrieve those files. Using a Linux Live CD or DVD. Using the CD you can mount the drive that the images are on and transfer those files to another device. Doing it that way would not allow the malware to run. A live CD only runs in RAM and does not require a hdd.

 

072 07 - Using The Ubuntu Live CD to Recover Files From an Un-Bootable Computer - YouTube


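As an added example of the recovery route described in the post above (this script is not from the thread or its posters): booted from a Linux live CD, mount the Windows partition read-only and noexec so nothing on it can run, then copy out only the image files whose contents still begin with a real JPEG/PNG header, since encrypted files often keep their original names and extensions. The device name, the /mnt/infected mount point, ntfs-3g being available on the live CD, and checking JPEG/PNG only are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Recover still-intact JPEG/PNG files from an
# infected Windows disk while booted from a Linux live CD/USB. The disk is mounted
# read-only and noexec so nothing on it can execute; a file is copied only if its
# first bytes are a genuine image header, because the extension alone cannot tell
# an intact image from an encrypted one that kept its name.
# Assumed: ntfs-3g is on the live CD and /mnt/infected is free to use as a mount point.

# Mount the Windows partition read-only (DEV is e.g. /dev/sda2; find it with: lsblk -f).
mount_infected_disk() {
    mkdir -p /mnt/infected
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$1" /mnt/infected
}

# Return 0 if the file begins with a JPEG (FF D8 FF) or PNG (89 50 4E 47) signature.
is_intact_image() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        *)        return 1 ;;   # empty, encrypted, or not an image
    esac
}

# Copy every intact image under SRC to DST, keeping the folder layout.
# Prints one line per copied file; files without a valid header are reported on stderr.
recover_images() {
    src=$1; dst=$2
    find "$src" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) -print |
    while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_intact_image "$f"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
            printf '%s\n' "$rel"
        else
            printf 'skipped (no image header, likely encrypted): %s\n' "$rel" >&2
        fi
    done
}

count_recovered() {
    recover_images "$1" "$2" | wc -l | tr -d ' '
}

# Run from the live session as root:  sh recover.sh /dev/sdXN /media/usb/recovered
if [ "$#" -eq 2 ]; then
    mount_infected_disk "$1"
    echo "recovered $(count_recovered /mnt/infected "$2") files"
    umount /mnt/infected
fi
```

The destination should be a freshly formatted external drive that is plugged in only after the live system has booted, so the copied images never touch the infected Windows installation again.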




