How to get files without cryptowall doing more damage


24 replies to this topic

#1 Shredder89


Posted 14 February 2016 - 11:17 AM

Hi everyone,

So yesterday I got to my computer and all these popups came up about my files being encrypted. I disconnected from the network, stopped all unknown processes and checked my files.

My second partition with all my data looks fine but then I found out that I have cryptowall on my machine and I shut it down right away to prevent any further damage.

I'm on windows 7, 32bit. In the past when I had a nasty virus I would boot with a Linux CD to get all my files off. I just want to know if cryptowall can still do anything if I boot into Linux though.

Does anyone know? Or is there a better method to get my files off?

I don't care about formatting everything after I'm done.

Thanks!



#2 nasdaq

Malware Response Team

Posted 15 February 2016 - 07:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This topic is devoted to the infection.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

If you have a good backup you can restore your files.

We can help in cleaning anything that was left over by the infection.
When done then you can restore your files.


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

Wait for further instructions.

#3 Shredder89


Posted 15 February 2016 - 11:35 AM

Thanks for the help!
I don't have anything backed up, that's why I was wondering if I can get the undecrypted files off without having it get worse.
I read that starting in safe mode and things like that don't work and the virus keeps encrypting files, so I'm wary about starting the computer right now.

#4 nasdaq

Malware Response Team

Posted 15 February 2016 - 01:50 PM

They do not leave anything behind to continue encrypting the files.

Run the Farbar as previously suggested and I will clean all that is damaged or not required.

#5 Shredder89


Posted 15 February 2016 - 06:39 PM

Are you sure? As far as I can tell not everything was encrypted. It doesn't just go through the whole system?

#6 nasdaq

Malware Response Team

Posted 16 February 2016 - 07:40 AM

No, read the link I first gave you.

#7 Shredder89


Posted 16 February 2016 - 11:42 PM

Yeah I read it. So there is a line that says once the encryption is complete, then it will display the message. So I guess it won't do anymore for now.
I'll run the tool tomorrow and then I'll see I guess.
Thanks!

#8 Shredder89


Posted 17 February 2016 - 06:52 PM

Ok so I just tried to run the program but the computer is not very usable. Every 3 seconds explorer.exe restarts and everything closes so I can't run anything. No programs open. Not that I got to download the program in the first place :P

What now?


Edit: Ok so I was able to start the computer in safe mode with command prompt and run malwarebytes. It found 2 things which I deleted but it didn't get better. As soon as there is a network connection it gets messed up and everything keeps closing all the time!


Edited by Shredder89, 17 February 2016 - 08:27 PM.


#9 nasdaq

Malware Response Team

Posted 18 February 2016 - 09:11 AM


If possible, start the computer in Safe Mode with Networking and use Internet Explorer.
Download this Zoek tool and run it as instructed.

Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
process;
startupall;
installedprogs;
firefoxlook;
chromelook;
srinfo;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

If that fails download the tool to a Flash drive or CD using a good computer.
Copy the file to the Desktop of the compromised computer and run it.

===

Please attach the zoek-results.log in your reply.
Also, please provide an update on how the computer is behaving after running the above script.

===

If connected via a router, did you try to reset it?
What is the Manufacturer's name and model you use?

#10 Shredder89


Posted 19 February 2016 - 12:29 AM

Hey so I just ran the tool and it worked. The computer seems to run fine in safemode now.
Where do I go from here?

Thanks!


#11 nasdaq

Malware Response Team

Posted 19 February 2016 - 09:18 AM





C:\Users\MeanMachine\AppData\Roaming\0fe6b9

Restart the computer normally if you can.

Let me know if you were successful.

----

If Normal mode is not working download this tool in Safe mode with Internet services.
If the program executes, please fix/delete everything that is identified.
The Default settings required by the Operating system will be changed to their original values.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.
=======

#12 Shredder89


Posted 20 February 2016 - 03:10 PM

Hi Nasdaq,

so everything worked when I started the computer normally.

I ran the program and attached the log file.

Do I have to run anything else or should the computer be clean now? Also, I have a USB stick that I used to try and get the Farbar tool on the computer. Can I just connect that and format it or do I have the risk of reinfecting the system?

Thank you!

Edited by Shredder89, 20 February 2016 - 04:31 PM.


#13 nasdaq

Malware Response Team

Posted 21 February 2016 - 07:25 AM

Yes, let's continue.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post the logs.

Let me know what problems persist.

#14 Shredder89


Posted 21 February 2016 - 11:31 AM

Alright, I ran it and attached the files!

So how does it look?


#15 nasdaq

Malware Response Team

Posted 21 February 2016 - 02:07 PM

Windows Firewall is disabled.

Turn System Restore ON or OFF - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===


Also, I have a USB stick that I used to try and get the Farbar tool on the computer. Can I just connect that and format it or do I have the risk of reinfecting the system?

I do not think you had a worm infection. Just in case, run this tool.

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below into the new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Realtek Semiconductor Corp.) C:\Users\MeanMachine\AppData\Local\Temp\RtkBtMnt.exe
HKU\S-1-5-21-1835603024-396248755-2927325179-1000\...\Run: [AdobeBridge] => [X]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\csharpformatters@seleniumhq.org.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\javaformatters@seleniumhq.org.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\pythonformatters@seleniumhq.org.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\rubyformatters@seleniumhq.org.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\{a6fd85ed-e919-4a43-a5af-8da18bda539f}.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\simplemail@telega.phpnet.us [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\duplicate-this-tab@mozilla.org.xpi [not found]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\undoclosedtabsbutton@supernova00.biz.xpi [not found]
S2 IGBASVC; C:\Program Files\Acer Bio Protection\BASVC.exe [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-1835603024-396248755-2927325179-1000_Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1835603024-396248755-2927325179-1000_Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1835603024-396248755-2927325179-1000_Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1835603024-396248755-2927325179-1000_Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}\InprocServer32 -> C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\wkscli.dll => No File <==== ATTENTION


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 7 Update 9 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217007FF}) (Version: 7.0.90 - Oracle)

Please let me know if you have issues with this computer.
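As an added example (not code from this thread, from FRST or from its author), a small Python parser that splits a fixlist like the one posted above into its directives and entries, classifies each entry by type, and counts how many point at files that no longer exist, which is what the "[X]", "[No File]" and "[not found]" markers in the log mean. The sample input reuses a subset of the entries from the fixlist above; the entry type names are this example's own.

```python
import re

# Sample input: a subset of the entries from the FRST fixlist posted above.
SAMPLE_FIXLIST = r"""Start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
(Realtek Semiconductor Corp.) C:\Users\MeanMachine\AppData\Local\Temp\RtkBtMnt.exe
HKU\S-1-5-21-1835603024-396248755-2927325179-1000\...\Run: [AdobeBridge] => [X]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Extension: No Name - C:\Users\MeanMachine\AppData\Roaming\Mozilla\Firefox\Profiles\b7p0acfy.default\extensions\simplemail@telega.phpnet.us [not found]
S2 IGBASVC; C:\Program Files\Acer Bio Protection\BASVC.exe [X]
CustomCLSID: HKU\S-1-5-21-1835603024-396248755-2927325179-1000_Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}\InprocServer32 -> C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\wkscli.dll => No File <==== ATTENTION
End"""

# Entry types seen in the fixlist, matched in order; anything else is "other".
ENTRY_TYPES = [
    ("process", re.compile(r"^\(.+?\)\s+\S.*\.exe$", re.I)),
    ("run_key", re.compile(r"\\Run:\s*\[")),
    ("ff_plugin", re.compile(r"^FF Plugin:")),
    ("ff_extension", re.compile(r"^FF Extension:")),
    ("service", re.compile(r"^S\d\s+\S+;")),
    ("custom_clsid", re.compile(r"^CustomCLSID:")),
]
MISSING_MARKERS = ("[X]", "[No File]", "[not found]", "=> No File")  # file is gone

def parse_fixlist(text):
    """Split a Start/End fixlist into directives and classified entries."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = lines[lines.index("Start") + 1:lines.index("End")]  # ValueError if absent
    directives, entries = [], []
    for ln in body:
        if not ln:
            continue
        if re.fullmatch(r"[A-Za-z]+:", ln):  # e.g. CreateRestorePoint:
            directives.append(ln[:-1])
            continue
        kind = next((k for k, pat in ENTRY_TYPES if pat.search(ln)), "other")
        entries.append({"kind": kind, "line": ln,
                        "missing_file": any(m in ln for m in MISSING_MARKERS),
                        "attention": "<==== ATTENTION" in ln})
    return directives, entries

def summarize(text):
    counts = {}  # per-kind totals plus orphaned and ATTENTION-flagged entries
    for e in parse_fixlist(text)[1]:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
        counts["missing_file"] = counts.get("missing_file", 0) + e["missing_file"]
        counts["attention"] = counts.get("attention", 0) + e["attention"]
    return counts
```

Running summarize on the sample reports that five of the six entries are orphaned references and one carries FRST's ATTENTION flag, the CLSID pointing into C:\ProgramData.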