
CryptoWall 3.0


  • This topic is locked
4 replies to this topic

#1 jbrower

jbrower

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 05 February 2015 - 11:01 PM

Help-

I clicked on cab66.org looking for low-level software programming issue, and got Cryptowalled 3.0 (I can give the full http link if it helps anyone).
 
I have attached my FRST.txt and Addition.txt files.
 
I have not taken any steps to remove this.  I understand that I will not be able to decrypt files -- I have enough backups and just need the machine usable again.
 
Please let me know if you can help.  Thanks.
 
-Jeff

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by Administrator (administrator) on CORONA-1D800B03 on 05-02-2015 17:12:13
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: jshen & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [802816 2006-08-02] (Intel Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [696320 2006-08-02] (Intel Corporation)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-13] (Microsoft Corporation)
HKU\S-1-5-21-2000478354-261478967-1417001333-500\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torpaysolutions.com/3LUQR8

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2000478354-261478967-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKU\S-1-5-21-2000478354-261478967-1417001333-500 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mavenir1.webex.com/client/WBXclient-T28L10NSP12EP20-10001/webex/ieatgpc.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{AEBBF856-C9FB-422B-998A-EB650D1356E2}: [NameServer] 8.8.8.8

FireFox:
========
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [434176 2006-08-02] (Intel Corporation) [File not signed]
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2014-02-18] (Macrovision Europe Ltd.) [File not signed]
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2006-08-02] (Intel Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [937984 2006-08-02] (Intel Corporation ) [File not signed]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2014-02-10] (Meetinghouse Data Communications) [File not signed]
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2317504 2005-04-19] (Realtek Semiconductor Corp.)
R2 bh560eth; C:\WINDOWS\System32\Drivers\bh560eth.sys [97776 2010-11-17] (Blackhawk)
S3 bhdtcusb; C:\WINDOWS\System32\Drivers\bh560v2u.sys [27280 2013-02-27] (Blackhawk)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [12544 2006-08-02] (Intel Corporation) [File not signed]
R2 sdiont; C:\WINDOWS\system32\drivers\sdiont.sys [4576 1999-05-24] (Spectrum Digital Inc.) [File not signed]
R3 w29n51; C:\WINDOWS\System32\DRIVERS\w29n51.sys [2206720 2006-06-29] (Intel® Corporation)
R3 XDS560; C:\WINDOWS\System32\DRIVERS\xds560.sys [25768 2013-08-20] (Blackhawk)
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [299424 2012-03-27] (Marvell)
S0 cerc6; No ImagePath
S3 DisplayLinkFilter; system32\DRIVERS\DisplayLinkFilter.sys [X]
S3 DisplayLinkUsbIo; system32\DRIVERS\DisplayLinkUsbIo_7.5.52277.0.sys [X]
S3 dlusbaudio; system32\DRIVERS\dlusbaudio.sys [X]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 17:12 - 2015-02-05 17:12 - 00006399 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-02-05 17:11 - 2015-02-05 17:12 - 00000000 ____D () C:\FRST
2015-02-05 17:11 - 2015-02-05 17:11 - 01123328 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-02-05 16:22 - 2015-02-05 16:22 - 00008632 _____ () C:\HELP_DECRYPT.HTML
2015-02-05 16:22 - 2015-02-05 16:22 - 00004256 _____ () C:\HELP_DECRYPT.TXT
2015-02-05 16:22 - 2015-02-05 16:22 - 00000300 _____ () C:\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00008632 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00004256 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
2015-02-05 15:49 - 2015-02-05 15:49 - 00008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-02-05 15:49 - 2015-02-05 15:49 - 00004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
2015-02-05 15:49 - 2015-02-05 15:49 - 00000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2015-01-20 23:36 - 2015-01-20 23:36 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\20150120-UAG5.2 transcoding debug session(2078055261)

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 17:12 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-02-05 17:10 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Skype
2015-02-05 16:48 - 2014-07-04 13:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\ATCA
2015-02-05 16:38 - 2014-02-18 13:18 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-05 16:23 - 2014-07-06 11:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Corporate
2015-02-05 16:22 - 2014-02-18 15:10 - 00000000 ____D () C:\ti
2015-02-05 16:00 - 2014-11-29 10:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Sig Documentation
2015-02-05 16:00 - 2014-08-02 09:48 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Textron
2015-02-05 16:00 - 2014-06-15 10:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Texas Inst
2015-02-05 16:00 - 2014-06-13 17:23 - 00000000 ____D () C:\Documents and Settings\Administrator\workspace_v5_5
2015-02-05 16:00 - 2014-02-18 13:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\.TI
2015-02-05 16:00 - 2014-02-18 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Skype
2015-02-05 16:00 - 2014-02-07 20:26 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-02-05 15:59 - 2014-07-14 10:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NetVM
2015-02-05 15:59 - 2014-06-08 15:42 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\RDRTec
2015-02-05 15:59 - 2014-04-24 23:55 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\NSF
2015-02-05 15:58 - 2014-05-24 08:54 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Marketing
2015-02-05 15:58 - 2014-02-25 17:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Mavenir Lab
2015-02-05 15:57 - 2014-02-18 13:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3 Mustang Lab
2015-02-05 15:55 - 2014-10-18 23:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\DARPA
2015-02-05 15:55 - 2014-09-10 09:58 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Gazoo
2015-02-05 15:55 - 2014-07-02 14:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\L-3
2015-02-05 15:55 - 2014-03-26 13:20 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\CIM
2015-02-05 15:55 - 2014-03-05 14:08 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Jeff Personal
2015-02-05 15:55 - 2014-02-27 17:16 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Job Applicants
2015-02-05 15:51 - 2014-07-23 15:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Advantech
2015-02-05 15:51 - 2014-02-25 18:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Boeing
2015-02-05 15:49 - 2014-04-27 10:40 - 00000000 ____D () C:\Audio.temp
2015-02-05 15:49 - 2014-02-18 16:07 - 00000000 ____D () C:\Documents and Settings\Administrator\.TI-trace
2015-02-05 15:49 - 2014-02-18 13:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
2015-02-05 15:49 - 2012-06-25 10:42 - 00000000 ____D () C:\DELL
2015-02-05 15:47 - 2012-06-25 10:41 - 01873338 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-05 13:57 - 2014-03-24 10:19 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-02-05 13:57 - 2012-06-25 22:33 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-05 13:57 - 2008-04-13 17:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-05 12:51 - 2014-02-07 20:26 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-02-05 12:51 - 2012-06-25 22:33 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-05 11:04 - 2014-05-17 22:43 - 00000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
2015-02-04 21:52 - 2012-06-24 19:51 - 00450392 _____ () C:\WINDOWS\setupapi.log
2015-02-01 23:02 - 2014-03-02 14:36 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\CutePDF Writer

==================== Files in the root of some directories =======

2015-02-05 15:49 - 2015-02-05 15:49 - 0008632 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
2015-02-05 15:49 - 2015-02-05 15:49 - 0000131 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.PNG
2015-02-05 15:49 - 2015-02-05 15:49 - 0004256 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
2015-02-05 15:49 - 2015-02-05 15:49 - 0000300 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL
2014-05-17 22:43 - 2015-02-05 11:04 - 0000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd
2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.PNG
2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
2015-02-05 16:00 - 2015-02-05 16:00 - 0008632 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
2015-02-05 16:00 - 2015-02-05 16:00 - 0000131 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.PNG
2015-02-05 16:00 - 2015-02-05 16:00 - 0004256 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 0000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\converter.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ext1412139716394125397.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext1894285026724559924.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext37290307915708640.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext4646817356197714655.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext7421327649996926586.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsf3F.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsf5E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1F.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nss43.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1B.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv5A.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx67.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SCC.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SymCCIS.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Edited by nasdaq, 10 February 2015 - 10:01 AM.
FRST log posted.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:47 PM

Posted 10 February 2015 - 10:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled.

refer to this page:
http://support.microsoft.com/kb/310405

Under the last section Steps to turn on System Restore follow the instructions to restore it.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torpaysolutions.com/3LUQR8
SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKU\S-1-5-21-2000478354-261478967-1417001333-500 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S0 cerc6; No ImagePath
S3 DisplayLinkFilter; system32\DRIVERS\DisplayLinkFilter.sys [X]
S3 DisplayLinkUsbIo; system32\DRIVERS\DisplayLinkUsbIo_7.5.52277.0.sys [X]
S3 dlusbaudio; system32\DRIVERS\dlusbaudio.sys [X]
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\Administrator\Local Settings\Temp\converter.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ext1412139716394125397.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext1894285026724559924.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext37290307915708640.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext4646817356197714655.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ext7421327649996926586.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsf3F.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsf5E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1F.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nss43.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1B.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv5A.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsx67.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SCC.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SymCCIS.dll
C:\HELP_DECRYPT.HTML
C:\HELP_DECRYPT.TXT
C:\HELP_DECRYPT.URL
C:\Documents and Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\HELP_DECRYPT.HTML
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\HELP_DECRYPT.HTML
C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.HTML
C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Administrator\HELP_DECRYPT.HTML
C:\Documents and Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\HELP_DECRYPT.TXT
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\HELP_DECRYPT.TXT
C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.TXT
C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Administrator\HELP_DECRYPT.TXT
C:\Documents and Settings\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\HELP_DECRYPT.URL
C:\Documents and Settings\Default User\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\HELP_DECRYPT.URL
C:\Documents and Settings\All Users\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\Local Settings\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\Local Settings\Application Data\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\HELP_DECRYPT.URL
C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.HTML
C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.TXT
C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.URL

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
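The FRST log in the first post and the fixlist nasdaq built from it follow a pattern an analyst can automate on the defensive side: the lines he lifted into the fixlist are exactly the indicators worth flagging in any CryptoWall case (HELP_DECRYPT.* ransom notes registered as Startup items and dropped in every profile directory, SearchScopes entries with an empty URL, services and drivers whose binary is missing, and leftover executables in TEMP). The Python below is an added example written for this page, not code from BleepingComputer, Farbar or either participant in this thread. It parses a constructed excerpt of the log (lines modelled on the one posted above), tags each indicator with a category, and emits candidate fixlist entries in the same shape as the reply: whole lines for registry, Internet, service and driver entries, and bare paths for file entries. The `start` / `CloseProcesses:` / `End` framing simply mirrors nasdaq's fixlist and is not checked against FRST's own documentation; the section-name prefixes and the "file entries contribute only their path" rule are assumptions drawn from the log format shown here.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt, modelled on the FRST.txt posted in this thread (not the full log).
SAMPLE_FRST_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by Administrator (administrator) on CORONA-1D800B03 on 05-02-2015 17:12:13

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [802816 2006-08-02] (Intel Corporation)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torpaysolutions.com/3LUQR8

==================== Internet (Whitelisted) ====================

SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

========================== Services (Whitelisted) =================

R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [434176 2006-08-02] (Intel Corporation) [File not signed]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================

S0 cerc6; No ImagePath
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [299424 2012-03-27] (Marvell)

==================== One Month Created Files and Folders ========

2015-02-05 17:12 - 2015-02-05 17:12 - 00006399 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-02-05 16:22 - 2015-02-05 16:22 - 00008632 _____ () C:\HELP_DECRYPT.HTML
2015-02-05 16:22 - 2015-02-05 16:22 - 00004256 _____ () C:\HELP_DECRYPT.TXT
2015-02-05 16:00 - 2015-02-05 16:00 - 00000300 _____ () C:\Documents and Settings\All Users\HELP_DECRYPT.URL

==================== Files in the root of some directories =======

2015-02-05 15:49 - 2015-02-05 15:49 - 0000131 _____ () C:\Documents and Settings\Administrator\Application Data\HELP_DECRYPT.PNG
2014-05-17 22:43 - 2015-02-05 11:04 - 0000600 _____ () C:\Documents and Settings\Administrator\Application Data\winscp.rnd

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\converter.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\SkypeSetup.exe

==================== End Of Log ============================
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")   # "==== Name ====" style header
UNDERLINE_RE = re.compile(r"^=+$")                   # bare "=====" under a "Name:" line
RANSOM_NOTE_RE = re.compile(r"\\HELP_DECRYPT\.(HTML|TXT|URL|PNG)\b", re.IGNORECASE)
# "<created> - <modified> - <size> <attrs> (<vendor>) <path>" file entry; group 1 is the path
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]+ \(.*?\) (.+)$")


def parse_sections(text):
    """Split an FRST log into {section name: [non-empty lines]} (format assumed from the posted log)."""
    lines = text.splitlines()
    sections, current, i = defaultdict(list), "header", 0
    while i < len(lines):
        line = lines[i].strip()
        if UNDERLINE_RE.match(line):
            pass  # stray underline, nothing to record
        elif line.endswith(":") and i + 1 < len(lines) and UNDERLINE_RE.match(lines[i + 1].strip()):
            current = line[:-1]  # "Some content of TEMP:" followed by "======"
            i += 1               # skip the underline
        elif SECTION_RE.match(line):
            current = SECTION_RE.match(line).group(1)
        elif line:
            sections[current].append(line)
        i += 1
    return sections


def find_indicators(text):
    """Tag the lines a helper would lift into a fixlist; dedupe while keeping log order."""
    findings, seen = [], set()

    def add(kind, section, entry):
        if entry not in seen:
            seen.add(entry)
            findings.append({"kind": kind, "section": section, "fixlist_entry": entry})

    for section, lines in parse_sections(text).items():
        for line in lines:
            if section.startswith("Registry") and line.startswith(("Startup:", "InternetURL:")) \
                    and RANSOM_NOTE_RE.search(line):
                add("ransom-note-startup", section, line)      # ransom note set to open at logon
            elif section.startswith("Internet") and line.startswith("SearchScopes:") \
                    and line.endswith("URL ="):
                add("empty-search-scope", section, line)       # search scope with no URL
            elif section.startswith(("Services", "Drivers")) and ("[X]" in line or "No ImagePath" in line):
                add("orphaned-service", section, line)         # registration whose binary is gone
            elif section.startswith(("One Month Created", "Files in the root")):
                m = FILE_ENTRY_RE.match(line)
                if m and RANSOM_NOTE_RE.search(m.group(1)):
                    add("ransom-note-file", section, m.group(1))  # path only, as in the reply
            elif section.startswith("Some content of TEMP") and line.lower().endswith((".exe", ".dll")):
                add("temp-executable", section, line)          # TEMP binaries the reply also moved
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(f["kind"] for f in findings))


def build_fixlist(findings):
    """Assemble candidate entries in the framing nasdaq used (assumed, not verified against FRST docs)."""
    return "\n".join(["start", "CloseProcesses:", *(f["fixlist_entry"] for f in findings), "End"]) + "\n"


if __name__ == "__main__":
    found = find_indicators(SAMPLE_FRST_LOG)
    for f in found:
        print(f"[{f['kind']:<20}] {f['section']}: {f['fixlist_entry']}")
    print(summarize(found))
    print(build_fixlist(found))
```

The output is a candidate list for a human to review, not something to hand to FRST blindly: the TEMP category in particular sweeps up legitimate installer leftovers (SkypeSetup.exe in this very log), which is exactly why a helper reads the log before writing the fix.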

#3 jbrower

jbrower
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:47 PM

Posted 11 February 2015 - 10:30 AM

nasdaq-

 

Thanks very much for your reply.  I have been getting help from Dakeyras on the spybot.info forum, topic here:

  http://forums.spybot.info/showthread.php?71980-CryptoWall-3-0

So don't worry about me and take care of others.  My laptop is clean now and I have only a few final steps to perform under Dakeyras' supervision.

 

-Jeff

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:47 PM

Posted 11 February 2015 - 02:35 PM

Thank you for the feedback.
I'm closing this topic.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:47 PM

Posted 11 February 2015 - 02:35 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
