
Cryptowall Virus infection. Ugh


  • This topic is locked
8 replies to this topic

#1 jangoom

jangoom

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 22 February 2015 - 12:10 AM

Hi, my name is Sean. I have an Asus running Windows 8.1, and it's infected with the Cryptowall virus.





#2 jangoom

jangoom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 22 February 2015 - 12:14 AM

For some reason, I can't paste my FRST or Addition logs... perhaps because there are links in them?



#3 jangoom

jangoom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 22 February 2015 - 12:24 AM

I just decided to browse for the folder. Sorry, but it doesn't let me just copy and paste it here.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:15 AM

Posted 26 February 2015 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.optionstorpay22.com/1k6hp1f
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.optionstorpay22.com/1k6hp1f
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
AutoConfigURL: [S-1-5-21-2620687529-3044412405-3113263306-1001] => file://C:/ProgramData/Hotspot Shield/config/hsspx/proxy.pac
FF Plugin HKU\S-1-5-21-2620687529-3044412405-3113263306-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (RanndomPPriicE) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null [2015-01-05]
CHR Extension: (takeorleave) - C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli\ [2014-12-03]
CHR Extension: (dollarkeeper) - C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln\ [2014-12-03]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-02-21]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
S2 npf; \??\C:\WINDOWS\system32\drivers\npf.sys [X]
Duplicate Cleaner Free 3.2.6 (HKLM-x32\...\Duplicate Cleaner Free) (Version: 3.2.6 - DigitalVolcano Software Ltd) <==== ATTENTION
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\ProgramData\DP45977C.lfl
C:\ProgramData\SetStretch.cmd
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null
C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli
C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

#5 jangoom

jangoom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 26 February 2015 - 11:27 AM

Thank you for your help, sir.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Sean at 2015-02-25 23:22:25 Run:1
Running from C:\Users\Paul\Downloads
Loaded Profiles: Sean (Available profiles: Sean)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.optionstorpay22.com/1k6hp1f
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.optionstorpay22.com/1k6hp1f
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
AutoConfigURL: [S-1-5-21-2620687529-3044412405-3113263306-1001] => file://C:/ProgramData/Hotspot Shield/config/hsspx/proxy.pac
FF Plugin HKU\S-1-5-21-2620687529-3044412405-3113263306-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (RanndomPPriicE) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null [2015-01-05]
CHR Extension: (takeorleave) - C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli\ [2014-12-03]
CHR Extension: (dollarkeeper) - C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln\ [2014-12-03]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-02-21]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
S2 npf; \??\C:\WINDOWS\system32\drivers\npf.sys [X]
Duplicate Cleaner Free 3.2.6 (HKLM-x32\...\Duplicate Cleaner Free) (Version: 3.2.6 - DigitalVolcano Software Ltd) <==== ATTENTION
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\ProgramData\DP45977C.lfl
C:\ProgramData\SetStretch.cmd
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null
C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli
C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln

End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML not found.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG not found.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT not found.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-2620687529-3044412405-3113263306-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value deleted successfully.
"HKU\S-1-5-21-2620687529-3044412405-3113263306-1001\Software\MozillaPlugins\ubisoft.com/uplaypc" => Key deleted successfully.
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll not found.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null directory not found.
C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli\ => Moved successfully.
C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln\ => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Key deleted successfully.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
EagleX64 => Service deleted successfully.
npf => Service deleted successfully.
Duplicate Cleaner Free 3.2.6 (HKLM-x32\...\Duplicate Cleaner Free) (Version: 3.2.6 - DigitalVolcano Software Ltd) <==== ATTENTION => Error: No automatic fix found for this entry.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\ProgramData\SetStretch.VBS => Moved successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.
C:\ProgramData\SetStretch.cmd => Moved successfully.
"C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null" => File/Directory not found.
"C:\ProgramData\lkmnjpfbiknllpmifgmknolpbejhefli" => File/Directory not found.
"C:\ProgramData\nalgmpmpdmmmppmggbfgdeecafhafbln" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-25 23:24:56)<=

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

==== End of Fixlog 23:24:56 ====
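Added example, not part of this thread and not FRST's own code: a small Python triage script for the Fixlog format shown in the post above (the log nasdaq's instructions ask for). It sorts each result line into removed, already gone, or needs a second look, so a helper can see at a glance which fixlist entries FRST could not handle on its own (the "No automatic fix found" and "File could not move" lines here). The layout it assumes (fixlist between two lines of asterisks, one result line per entry, a closing "==== End of Fixlog" line) and the outcome labels are taken from this log and are otherwise my own; the embedded sample is a trimmed excerpt of the Fixlog posted above.

```python
"""Triage an FRST Fixlog.txt: which entries were removed, which were already gone,
and which still need a human to look at them. Added example, not FRST code."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a trimmed excerpt of the Fixlog posted in this thread,
# keeping one or two lines of each kind of outcome FRST reported.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
==============================================
*****************
start
HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
CHR dev: Chrome dev build detected! <======= ATTENTION
C:\ProgramData\SetStretch.exe
End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\null directory not found.
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
"C:\ProgramData\SetStretch.exe" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-25 23:24:56)<=

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

==== End of Fixlog 23:24:56 ====
"""

# Outcome labels are this script's own (hypothetical) vocabulary; the patterns are
# the result phrases FRST wrote in the log above. First matching rule wins.
_RULES = [
    ("manual", re.compile(r"No automatic fix found", re.I)),
    ("failed", re.compile(r"could not move\.?$", re.I)),
    ("scheduled_reboot", re.compile(r"Scheduled to move on reboot", re.I)),
    ("removed", re.compile(r"(?:moved|deleted) successfully\.?$", re.I)),
    ("not_found", re.compile(r"not found\.?$", re.I)),
]

@dataclass
class FixResult:
    target: str   # file path, registry key/value, service name or fixlist directive
    outcome: str  # one of the _RULES labels, or "info" for plain status lines
    raw: str      # the original Fixlog line

def split_sections(text: str) -> tuple[list[str], list[str]]:
    """Return (fixlist entries, result lines) from the text of a Fixlog."""
    lines = text.splitlines()
    stars = [i for i, l in enumerate(lines) if re.fullmatch(r"\*{5,}", l.strip())]
    if len(stars) < 2:
        raise ValueError("not a Fixlog: fixlist delimiters missing")
    fixlist = [l.strip() for l in lines[stars[0] + 1:stars[1]]
               if l.strip() and l.strip() not in ("start", "End")]
    results = []
    for l in lines[stars[1] + 1:]:
        s = l.strip()
        if s.startswith("==== End of Fixlog"):
            break
        if s and not s.startswith("=> Result of"):  # skip blanks and section headers
            results.append(s)
    return fixlist, results

def classify(line: str) -> FixResult:
    """Map one result line to the object FRST acted on and how that went."""
    outcome = next((label for label, rx in _RULES if rx.search(line)), "info")
    if " => " in line:
        head = line.split(" => ", 1)[0]
    else:  # "X not found." / "X directory not found." carry no arrow
        head = re.sub(r"\s+(?:directory\s+)?not found\.?$", "", line, flags=re.I)
    head = re.sub(r"^Could not move\s+", "", head, flags=re.I)
    return FixResult(target=head.strip().strip('"'), outcome=outcome, raw=line)

def parse_fixlog(text: str) -> list[FixResult]:
    return [classify(l) for l in split_sections(text)[1]]

def summarize(results: list[FixResult]) -> dict[str, int]:
    return dict(Counter(r.outcome for r in results))

def needs_attention(results: list[FixResult]) -> list[FixResult]:
    """Entries FRST could not deal with on its own: re-check these by hand."""
    return [r for r in results if r.outcome in ("manual", "failed")]

def main(argv: list[str]) -> None:
    if argv:  # usage: python fixlog_triage.py Fixlog.txt
        with open(argv[0], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FIXLOG
    results = parse_fixlog(text)
    print("outcomes:", summarize(results))
    for r in needs_attention(results):
        print(f"  [{r.outcome}] {r.target}")

if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the sample classified, or pass the path of a real Fixlog.txt. A "not_found" outcome is normal when an entry was listed twice in the fixlist (as the HELP_DECRYPT files were above): the first pass moved it and the second pass finds nothing. The lines worth a human's time are the "manual" and "failed" ones, which is exactly what needs_attention returns.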



#6 jangoom

jangoom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 26 February 2015 - 12:42 PM

This is the AdwCleaner log I got after the scan and reboot.

 

 

# AdwCleaner v4.111 - Logfile created 26/02/2015 at 00:37:09
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Sean - SEAN
# Running from : C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\IE\ALUXCG10\adwcleaner_4.111.exe
# Option : Cleaning

***** [ Services ] *****

Service Deleted : NATService
[#] Service Deleted : iSafeKrnlMon

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Paul\Favorites\StumbleUpon
Folder Deleted : C:\ProgramData\ExstrraCCoupuoon
Folder Deleted : C:\ProgramData\FunDeallS
Folder Deleted : C:\ProgramData\FunDEalSa
Folder Deleted : C:\ProgramData\NetoCeoupoin
Folder Deleted : C:\ProgramData\NetooCouponn
Folder Deleted : C:\ProgramData\ReggulArDealS
Folder Deleted : C:\ProgramData\RegulaRuDeals
Folder Deleted : C:\ProgramData\18199409587848218007
Folder Deleted : C:\ProgramData\fc914a9875880597
Folder Deleted : C:\Program Files (x86)\NAT Service
Folder Deleted : C:\Program Files (x86)\DiigiSavEr
Folder Deleted : C:\Program Files (x86)\ExStraCCouupoon
Folder Deleted : C:\Program Files (x86)\Isaiver
Folder Deleted : C:\Program Files (x86)\NewSavEEr
Folder Deleted : C:\ProgramData\ipgjedjdadaeopjcnoemapafnfmaglla
Folder Deleted : C:\ProgramData\null
File Deleted : C:\WINDOWS\System32\log\iSafeKrnlCall.log
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage-journal

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D37BD00-E9FD-40D1-80E7-1795E510ECAA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{230332DF-D235-47EE-BC42-60860EF144CD}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKCU\Software\anchorfree
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CA6C4F90-F1C1-4CE9-AF2E-B09CD2939671}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842C4394-47F7-60DE-480B-C09116B63559}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v40.0.2214.115

*************************

AdwCleaner[R0].txt - [3540 bytes] - [25/02/2015 23:30:55]
AdwCleaner[S0].txt - [3376 bytes] - [26/02/2015 00:37:09]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3435  bytes] ##########



#7 jangoom

jangoom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 26 February 2015 - 12:44 PM

Yay. TY, sir. There is no more Help_Decrypt, and Cryptowall doesn't pop up when turning the PC on.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:15 AM

Posted 26 February 2015 - 02:37 PM

Looking good.

Glad we could help.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:15 AM

Posted 04 March 2015 - 09:18 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



