Avast constantly blocking xmlka and all files are encrypted

My computer has been running slowly lately, and I keep getting an Avast popup blocking htxp://xmlka.com/click?app=app18&click=f7bc9e0d-8632-4e93-b94f-5e7c2992d3ac&search=cc2eb43b-f74f-489a-b1bc-9d588393c90f&feed=25106&subid=1917 with the processes C:\Windows\System32\msiexec.exe and C:\Windows\System32\conhost.exe, and htxp://104.193.252.236/adsc.php?sid=1917 with the process C:\Windows\System32\explorer.exe.
I've run a full and boot-time scan in Avast, a Malwarebytes scan, FRST64 and aswMBR, and I'm also being flooded by dllhost processes.

And lastly, I lost all my data: all my files got encrypted, and the file extension is .crypt.

Please help! :cry:

Here are the logs from the scans.

It appears that you have been hit by a ransomware Trojan.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2016-04-27 08:40 - 2016-04-27 14:28 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2016-04-27 08:40 - 2016-04-27 08:40 - 00000003 _____ C:\ProgramData\9D52BB4580A0.dat
2016-04-27 08:23 - 2016-04-27 08:23 - 00000000 ____D C:\Users\Pechin_2\AppData\LocalLow\{30B3526A-FC72-4909-AD53-4A60090BA363}
2016-04-24 11:49 - 2016-04-27 13:35 - 02234901 _____ C:\Users\Pechin_2\Downloads\products.pdf.crypt
2016-04-22 10:52 - 2015-09-14 00:09 - 02073600 ____N C:\WINDOWS\SysWOW64\DlgSearchEngine.dll
2016-04-22 10:52 - 2015-03-11 21:43 - 00226424 _____ C:\WINDOWS\system32\SBuySupplies.exe
2016-04-22 10:52 - 2015-03-11 21:43 - 00158016 _____ C:\WINDOWS\system32\us003ci.exe
2016-04-22 10:52 - 2015-03-11 21:43 - 00089600 _____ (SS) C:\WINDOWS\system32\us003ci.dll
2016-04-22 10:52 - 2015-03-11 21:43 - 00022528 _____ () C:\WINDOWS\system32\us003lm.dll
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\Display.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\Display.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
C:\Users\Pechin_2\AppData\Local\Temp\{4B934FFA-9360-4A1D-88A3-A2619F905355}
C:\Users\Pechin_2\AppData\LocalLow\{30B3526A-FC72-4909-AD53-4A60090BA363}
C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: del /F /Q /S "C:\de_crypt_readme.HTML"
CMD: del /F /Q /S "C:\de_crypt_readme.PNG"
CMD: del /F /Q /S "C:\de_crypt_readme.URL"
CMD: del /F /Q /S "C:\de_crypt_readme.URL"
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
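The fixlist above targets two kinds of ransomware artefacts on this machine: the encrypted files (extension .crypt) and the dropped ransom notes (de_crypt_readme.HTML/.PNG/.URL). Before running any cleanup, a helper that inventories those artefacts tells you how far the encryption spread, which file types were hit, and the time window in which it happened, which is what you need to scope a restore from backup. The script below is an added example written for this thread, not part of the original post and not part of FRST; it builds a constructed sample directory (the file names are made up to mirror the thread) and scans it. Point `scan_tree()` at a real drive root to use it on a live system.

```python
"""Ransomware artefact triage helper (constructed example, not from the thread or FRST).

Walks a directory tree and reports:
  - files carrying the encrypted-file extension (.crypt in this thread),
  - ransom-note files named de_crypt_readme.* as listed in the fixlist,
  - the original file types hit and the modification-time window of the encryption.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime

ENCRYPTED_EXT = ".crypt"            # extension reported by the poster
RANSOM_NOTE_STEM = "de_crypt_readme"  # note names targeted by the fixlist (.HTML/.PNG/.URL)


def scan_tree(root):
    """Return an inventory dict for every encrypted file and ransom note under root."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif os.path.splitext(lower)[0] == RANSOM_NOTE_STEM:
                notes.append(path)

    # "products.pdf.crypt" -> ".pdf": the extension before .crypt shows which file types were hit
    by_type = Counter(
        os.path.splitext(p[:-len(ENCRYPTED_EXT)])[1].lower() or "(none)" for p in encrypted
    )
    # mtime range of the encrypted files approximates when the encryption ran
    times = [os.path.getmtime(p) for p in encrypted]
    window = (datetime.fromtimestamp(min(times)), datetime.fromtimestamp(max(times))) if times else None
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_type": by_type, "window": window}


def build_sample_tree(root):
    """Create a constructed sample tree that mirrors the situation in the thread."""
    downloads = os.path.join(root, "Downloads")
    os.makedirs(downloads)
    # three encrypted files and one untouched file (all contents are dummy bytes)
    for name in ("products.pdf.crypt", "budget.xlsx.crypt", "photo.jpg.crypt", "notes.txt"):
        with open(os.path.join(downloads, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    # ransom notes dropped at the drive root, as in the fixlist
    for name in ("de_crypt_readme.HTML", "de_crypt_readme.PNG", "de_crypt_readme.URL"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"note")


def run_demo():
    """Build the sample tree, scan it, and return a compact summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = scan_tree(root)
        return {
            "encrypted_count": len(report["encrypted"]),
            "note_count": len(report["notes"]),
            "by_type": dict(report["by_type"]),
            "has_window": report["window"] is not None,
        }


if __name__ == "__main__":
    summary = run_demo()
    print(f"{summary['encrypted_count']} encrypted files, {summary['note_count']} ransom notes")
    print("file types hit:", summary["by_type"])
```

The inventory is read-only: it deletes nothing, so it can be run before and after a cleanup to confirm that the ransom notes are gone and that no new .crypt files are appearing (new ones appearing after cleanup would mean the encryptor is still active).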

Please break these live links, e.g. with htxp:// etc.
See: https://www.virustotal.com/nl/url/c1b73520098dfc97c31b7c942a6a80b11d2f172dfe2888628f2c15611f42ac9d/analysis/1461872509/
We do not want live links to malicious websites: https://www.virustotal.com/nl/url/1c3c120db903b982bff0174a6b3328872f582d072654120c0ce0516f416c2fc7/analysis/1461872661/
Although it seems that file may be safe (now) to use, in which case we had a lucky escape. But wait for a qualified removal expert here to give a final verdict on your log files; see instructions here: https://forum.avast.com/index.php?topic=53253.0

polonus

Unfortunately TeslaCrypt cannot be decoded. Do you have a backup?

No, no backup :-[

OK, run the fix and I will see if anyone has a solution.

I ran the fix and here is the log of it … another thing … how can I be sure that the virus that encrypted my files is out?

Thanks for your help!

Unfortunately TeslaCrypt cannot be decoded. Do you have a backup?

TeslaCrypt has been decrypted already though, by Talos: blogs.cisco.com/security/talos/teslacrypt

That tool only works on the old TeslaCrypt, not on later variants of it.

May be useful:
https://blog.kaspersky.com/cryptxxx-ransomware/11939/
It was recently posted in the technical post in the general section on the Avast forums, to decrypt .crypt encryption.

A better link: https://support.kaspersky.com/viruses/disinfection/8547?_ga=1.199679534.1810858362.1461930881#block1 (click the disinfection link).

OK, thanks, I will try it! Also, how can I know that the virus that encrypted my files is out of my computer, so it doesn't happen again?

It came in as an attachment to an e-mail which you opened, so clear your mail.