Crytowall 3.0 on Win 7


This topic is locked
9 replies to this topic

#1 2531rah

Posted 20 March 2015 - 01:22 PM

Yes, I am running a VM in Parallels on my Mac and I got CryptoWall 3.0. I have run a scan with FRST and here are my logs. I ran and removed most of the issues with SpyHunter4 but still see a few files encrypted. Here are my scan logs from FRST.

 

Thanks for the help.


#2 The Pugilist

Posted 25 March 2015 - 07:08 AM

Hello 2531rah,

 

My name is Dave and I'll be helping you with your troubles here.  Please allow me some time to review the logs you've provided.  While I do so, I would ask that you refrain from making additional changes to your computer as this can make it difficult for me to assist you. 

 

I will post back here with instructions when I have them!


//Dave

#3 The Pugilist

Posted 26 March 2015 - 06:43 AM

2531rah,

 

Before we delve too deeply into this issue, I have one main question: Do you have any snapshots of this virtual machine? If so, snapshots are the easiest way to revert your virtual machine to a time prior to the infection. This is also a good way to gain access to files that have since been encrypted (within the VM).

 

In lieu of snapshots, do you have any other backups that you keep of the Mac itself (e.g. a Time Machine backup)?


//Dave

#4 2531rah

Posted 26 March 2015 - 10:02 AM

Sorry, I have neither of them, but I will start that as soon as we get this resolved.



#5 The Pugilist

Posted 29 March 2015 - 10:11 AM

2531rah,

 

"Sorry, I have neither of them."

 

Well, there are a couple of things that can be tried to recover your data. If those things fail, however, your options for recovery become rather limited. Basically, if we cannot recover any data, the only remaining option is to pay the ransom and have the files decrypted. Otherwise, given the method in which the data is encrypted, there is currently no way to recover your files. Bleepingcomputer has a fairly extensive article on Cryptowall which can be found here. It details a few methods of recovery that we will attempt.

 

These procedures have been known to work in the past, although to be very honest with you, their success rate is somewhat limited.  This is due to the fact that the malware acts in such a way as to make recovery of files difficult. 

 

Before we try to recover data, I would like to run a fix with FRST. The items we will be fixing are not of huge importance, although I would like to clean them up to avoid other potential problems that might occur during our recovery efforts.

  • Please copy the code shown below to a file and save it to the same location as FRST as fixlist.txt
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    2015-03-20 09:16 - 2015-03-20 09:16 - 00000000 _____ () C:\autoexec.bat
    
    2015-03-12 00:32 - 2015-03-20 10:31 - 00000112 _____ () C:\ProgramData\12YIR2t.dat
    2015-03-12 00:30 - 2015-03-20 05:38 - 00000000 ____D () C:\Users\Default\AppData\Local\ivewah
    2015-03-12 00:30 - 2015-03-20 05:38 - 00000000 ____D () C:\Users\Default User\AppData\Local\ivewah
    Task: {0C4299CB-3AF6-4452-B88A-B4E51F09D99F} - System32\Tasks\SomotoUpdateCheckerAutoStart => C:\Users\roland.hoffman\AppData\Local\FilesFrog Update Checker\update_checker.exe <==== ATTENTION
    Task: {6D4EA59C-424B-4B39-9CC2-0B8032F532F9} - \bench-Updater removing No Task File <==== ATTENTION
    Task: {DE1D96BF-D763-4849-A4EB-15C534324F55} - \bench-sys No Task File <==== ATTENTION
    
    MSCONFIG\startupfolder: C:^Users^roland.hoffman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.HTML => C:\Windows\pss\HELP_DECRYPT.HTML.Startup
    MSCONFIG\startupfolder: C:^Users^roland.hoffman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.PNG => C:\Windows\pss\HELP_DECRYPT.PNG.Startup
    MSCONFIG\startupfolder: C:^Users^roland.hoffman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.TXT => C:\Windows\pss\HELP_DECRYPT.TXT.Startup
    MSCONFIG\startupfolder: C:^Users^roland.hoffman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.URL => C:\Windows\pss\HELP_DECRYPT.URL.Startup
    inspasio; C:\Program Files\biforder\inspasio.exe run  [X]
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

//Dave
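The fixlist above targets a handful of recognisable CryptoWall residue: HELP_DECRYPT.* ransom notes registered as startup items, the System Restore policy switched off, Group Policy restrictions aimed at security software, and scheduled tasks whose task file is gone. The following triage script is an added example and not part of the thread or of FRST; it runs those checks over FRST-style lines. The sample lines are copied from the fixlist in this post, except the last one, a benign scheduled task with a placeholder GUID, which is constructed.

```python
import re

# Sample FRST-style lines. All but the last are taken from the fixlist posted above;
# the last is a constructed benign task (placeholder GUID) to show a non-match.
SAMPLE_LINES = [
    r"HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION",
    r"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION",
    r"MSCONFIG\startupfolder: C:^Users^roland.hoffman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HELP_DECRYPT.HTML => C:\Windows\pss\HELP_DECRYPT.HTML.Startup",
    r"Task: {6D4EA59C-424B-4B39-9CC2-0B8032F532F9} - \bench-Updater removing No Task File <==== ATTENTION",
    r"2015-03-12 00:32 - 2015-03-20 10:31 - 00000112 _____ () C:\ProgramData\12YIR2t.dat",
    r"Task: {AAAAAAAA-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe",
]

# Each rule names one indicator class seen in this thread and the pattern that recognises it.
RULES = [
    ("ransom_note_persistence", re.compile(r"HELP_DECRYPT\.(HTML|PNG|TXT|URL)", re.I)),
    ("system_restore_disabled", re.compile(r"\\SystemRestore:.*Disable(SR|Config)", re.I)),
    ("av_policy_restriction", re.compile(r"Group Policy restriction on software:.*(Kaspersky|McAfee)", re.I)),
    ("orphaned_task", re.compile(r"^Task: \{[0-9A-F-]+\}.*No Task File", re.I)),
    ("suspicious_programdata_dat", re.compile(r"C:\\ProgramData\\[A-Za-z0-9]{5,8}\.dat$", re.I)),
]


def classify_line(line):
    """Return the list of indicator categories a single FRST line matches (empty if none)."""
    return [name for name, pattern in RULES if pattern.search(line.strip())]


def triage(lines):
    """Group matching lines by category; lines that match no rule are dropped."""
    findings = {}
    for line in lines:
        for category in classify_line(line):
            findings.setdefault(category, []).append(line.strip())
    return findings


if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_LINES).items()):
        print(f"[{category}] {len(hits)} line(s)")
        for hit in hits:
            print("   ", hit)
```

A real FRST Addition.txt is read line by line and fed to triage() the same way; the rules are deliberately narrower than FRST's own ATTENTION markers so that each hit maps to one remediation item.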

#6 The Pugilist

Posted 01 April 2015 - 06:40 PM

2531rah,

 

Are you still in need of our assistance?  If so, please respond to this topic (even if just to say you need more time to respond).  If this topic remains inactive, it will be closed in approximately 48 hours. 


//Dave

#7 2531rah

Posted 03 April 2015 - 11:29 PM

I think I am running better. Went through and deleted a bunch of stuff.



#8 The Pugilist

Posted 04 April 2015 - 08:07 AM

Good to hear!  Is there anything else that I can help you out with?


//Dave

#9 The Pugilist

Posted 07 April 2015 - 07:08 AM

2531rah,

 

Are you still in need of our assistance?  If so, please respond to this topic (even if just to say you need more time to respond).  If this topic remains inactive, it will be closed in approximately 48 hours.


//Dave

#10 Elise

Posted 10 April 2015 - 01:50 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise



Malware analyst @ Emsisoft




