
Another Cryptowall 3.0 Infectee


11 replies to this topic

#1 Jazzass

  • Members
  • 7 posts

Posted 11 April 2015 - 04:16 AM

Hi all,

For a couple of days I have been trying to get the computer of my parents-in-law back in shape. To my amazement, it turns out their antivirus license ran out about two years ago and it appears they were online with their pants down for such a long time...

They asked me to look at their computer, because there were these pop-ups coming up every time they started up the computer. They didn't even notice yet that all their data had been encrypted. Because there are more than 10 years of family pictures on it, combined with the high probability of no back-ups whatsoever, I'm trying to retrieve them, but to be honest I'd be happy already if the PC is clean again.

I did a bit of homework on this site and other public forums regarding Cryptowall 3.0 (CW3) and have done the following:

1. I installed and ran diagnostics with SpyHunter 4; it found almost 700 infections, including CW3. A pity it doesn't remove them without any cost though; it feels as if you need to pay a smaller ransom to get rid of the bigger one...

2. So I also installed a couple of AV & AM programs (AVG, IObit, Spybot) and ran multiple scans with these. None of those found CW3, although yesterday AVG found a reference to CW1.0 in the registry. It removed that, but upon startup the pop-ups were still there. After a couple of those scans & repairs, SpyHunter is still finding 64 threats...

3. I've downloaded and scanned with the FARBAR thingy. Logs are in attachment.

4. Manually searched in Windows for *decrypt* and deleted all the files. Doubt it did any good though...

Hope to get some feedback and thank you for your time!


Edited by Jazzass, 11 April 2015 - 04:33 AM.



#2 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 11 April 2015 - 05:45 AM

I just rebooted, and it no longer pops up! Also, a diagnostic rerun of SpyHunter cannot find it anymore!

It seems safe now to try to recover the encrypted files... Any help (tips n tricks) in that direction will be much appreciated.



#3 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2015 - 09:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

We are unable to restore the compromised files.
This is the infection - CryptoWall and HELP_DECRYPT Ransomware Information Guide
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Other than paying the ransom, if it's not too late, there is nothing we can do to restore your files.
I know one thing: I would not trust them. Your call.
===

Remove this process using the Add/Remove Programs applet.
Torch (HKU\S-1-5-21-2718181613-183483859-182824946-1001\...\Torch) (Version: 23.0.0.2397 - Torch Media Inc.) <==== ATTENTION
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3033112 2015-04-06] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKLM-x32 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={3EC83FCA-1EEF-4491-A60C-10C2A6A888B8}&mid=732d5eb3d26647cda276012ea3eb0781-7da97b1cf012af38b418ebdb4abf92a9a840b13b&lang=nl&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-04-06 15:02:45&v=4.1.0.411&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
FF SelectedSearchEngine: AVG Secure Search
FF Homepage: https://mysearch.avg.com/?cid={3EC83FCA-1EEF-4491-A60C-10C2A6A888B8}&mid=732d5eb3d26647cda276012ea3eb0781-7da97b1cf012af38b418ebdb4abf92a9a840b13b&lang=nl&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-04-06 15:02:45&v=4.1.0.411&pid=wtu&sg=&sap=hp
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.4.0\\npsitesafety.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF user.js: detected! => C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\user.js [2015-04-10]
FF SearchPlugin: C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\ask-web-search.xml [2014-07-29]
FF SearchPlugin: C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\avg-secure-search.xml [2015-04-06]
FF SearchPlugin: C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\my-web-search.xml [2013-03-04]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wtu-secure-search.xml [2015-04-06]
CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click12.crx [2012-06-12]
CHR HKLM-x32\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\Paeleman\AppData\Local\Torch\Plugins\TorchPlugin.crx [2013-01-22]
R2 vToolbarUpdater18.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe [1875480 2015-04-06] (AVG Secure Search)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\ask-web-search.xml
C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\avg-secure-search.xml
C:\Users\Paeleman\AppData\Roaming\Mozilla\Firefox\Profiles\u0rqh45d.default-1360774916267\searchplugins\my-web-search.xml
C:\Users\Paeleman\AppData\Local\Torch

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
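
As an added illustration (not code from this thread, nor from the FRST author), a small Python triage helper that applies the markers visible in nasdaq's fixlist above to FRST log lines: FRST's own "<==== ATTENTION" flag, the "[X]" and "No File" suffixes for entries whose target file is gone, and an empty "()" publisher field. It runs over constructed sample lines (the Torch, AVG and Trend Micro entries are copied from the fixlist above; the two "Example" lines are made up as clean controls) and assembles the hits into a fixlist in the same start/CloseProcesses:/End layout the posts use; the rule names are my own.

```python
from typing import Callable, List, Tuple

# Constructed sample in the shapes of the FRST log lines quoted in the thread.
# The first six lines come from nasdaq's fixlist above; the last two are
# made-up "clean" entries so the filter has something to leave alone.
SAMPLE_FRST_LOG = r"""
Torch (HKU\S-1-5-21-2718181613-183483859-182824946-1001\...\Torch) (Version: 23.0.0.2397 - Torch Media Inc.) <==== ATTENTION
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3033112 2015-04-06] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
HKLM\...\Run: [Example] => C:\Windows\System32\example.exe [12345 2015-01-01] (Example Publisher)
FF Plugin: @example.com/Example -> C:\Program Files\Example\npexample.dll (Example Publisher)
"""

# Triage rules (names are my own): each is (reason, predicate on one log line).
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("flagged by FRST",     lambda line: "<==== ATTENTION" in line),
    ("target file missing", lambda line: line.endswith("[X]") or line.endswith("No File")),
    ("no publisher/signer", lambda line: line.endswith("()")),
]

def triage_frst(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) for every FRST log line that deserves a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason, matches in RULES:
            if matches(line):
                findings.append((reason, line))
                break  # the first matching reason is enough for triage
    return findings

def build_fixlist(findings: List[Tuple[str, str]], close_processes: bool = True) -> str:
    """Assemble the flagged lines into a fixlist in the layout used in this thread."""
    body = ["CloseProcesses:"] if close_processes else []
    body += [line for _, line in findings]
    return "\n".join(["start", ""] + body + ["", "End"])

if __name__ == "__main__":
    for reason, line in triage_frst(SAMPLE_FRST_LOG):
        print(f"{reason:20} {line}")
    print(build_fixlist(triage_frst(SAMPLE_FRST_LOG)))
```

A hit is a candidate for review, not a verdict: the Trend Micro service line matches only because its executable is gone, which is a leftover to clean up rather than malware, so read each line before it goes into a fixlist.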

#4 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 13 April 2015 - 04:18 PM

Hi nasdaq, thanks for helping me out.

1. I've removed Torch the way you said.

2. I created the fixlist, but the system crashed, I think. I am not totally sure it did, because I already returned the PC yesterday (since the main goal was achieved: I was able to get all lost data back with PhotoRec & ShadowExplorer), and am now trying to fix it further through TeamViewer. I got kicked out of it, and apparently the Farbar fix froze or was not too responsive for at least an hour... I can imagine the scan and fix take some time; is it possible it takes more than an hour?

3. I've moved on to the AdwCleaner step. The report is in attachment. As I pressed "Clean" the program stopped responding and the whole system became slow and selectively non-responsive: no internet browser, almost everything disappeared from the system tray, except for AVG, sound & TeamViewer.

Damn, the system crashed again, now I lost TeamViewer contact again. Was gonna run another Farbar scan. It'll have to wait till tomorrow.

I'm thinking TeamViewer might be interfering with steps 2 & 3?


Edited by Jazzass, 13 April 2015 - 04:20 PM.


#5 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 April 2015 - 07:33 AM

On occasion AdwCleaner will restart the computer midstream.

Can you get them to download the tool and run it? When the log is generated, have them use the Clean button to remove everything that is found.

#6 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 April 2015 - 07:38 AM

Are you still with me?

#7 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 20 April 2015 - 05:12 AM

Yeah, I'm still with you, nasdaq. Sorry for the radio silence, I was out for the weekend.

As for them DL'ing and running the tool: they are the typical elderly computer users, zero common sense & PC knowledge. They are the target audience for dodgy lotteries and Nigerian inheritances...

I will have their PC back 56 hr from now. Will continue cleanup then. Thanks for your patience!


Edited by Jazzass, 20 April 2015 - 05:13 AM.


#8 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 23 April 2015 - 09:12 AM

Alright, I think I nailed it.

With the PC right in front of me, things went easier than through TeamViewer, but all in all (scans, cleaning & recovering extra files) it took another 4h or so...

1. FARBAR fixlist zapped away.

2. AdwCleaner froze the system a couple of times until I decided to do the cleaning in blocks; I selected everything under one tab to clean per run. Like that it didn't freeze...

3. After all the cleaning I got rid of SpyHunter (useless except for diagnostics), since it was spewing pop-ups and eating quite some memory...

4. I ran another FARBAR scan.

5. Post-cleaning reports of FARBAR & AdwCleaner are in attachment.

Thanks for the help provided!

 



#9 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 April 2015 - 01:21 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
FF Homepage: https://mysearch.avg.com/?cid={3EC83FCA-1EEF-4491-A60C-10C2A6A888B8}&mid=732d5eb3d26647cda276012ea3eb0781-7da97b1cf012af38b418ebdb4abf92a9a840b13b&lang=nl&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-04-06 15:02:45&v=4.1.0.411&pid=wtu&sg=&sap=hp

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2015 - 03:13 PM

Just did the Farbar fix...

Fix and new log in attachment.

Thanks for your time!



#11 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 April 2015 - 07:56 AM


Execute this.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
CloseProcesses:


HKU\S-1-5-21-2718181613-183483859-182824946-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://mysearch.avg.com/?cid={3EC83FCA-1EEF-4491-A60C-10C2A6A888B8}&mid=732d5eb3d26647cda276012ea3eb0781-7da97b1cf012af38b418ebdb4abf92a9a840b13b&lang=nl&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-04-06 15:02:45&v=4.1.0.411&pid=wtu&sg=&sap=hp
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2718181613-183483859-182824946-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=420&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=4034351349514315&q={searchTerms}
FF Homepage: https://mysearch.avg.com/?cid={3EC83FCA-1EEF-4491-A60C-10C2A6A888B8}&mid=732d5eb3d26647cda276012ea3eb0781-7da97b1cf012af38b418ebdb4abf92a9a840b13b&lang=nl&ds=AVG&coid=avgtbavg&cmpid=0215pit&pr=fr&d=2015-04-06 15:02:45&v=4.1.0.411&pid=wtu&sg=&sap=hp
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - http://clients2.google.com/service/update2/crx

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Let me know how the computer is running now.

#12 Jazzass

  • Topic Starter
  • Members
  • 7 posts

Posted 01 May 2015 - 03:22 AM

The computer is running well enough now, not slow anymore. I will load your last fixlist sometime during this weekend. Will post again after that.

Thanks!





