CryptoWall 3.0.

Hi,
my computer was probably attacked by the CryptoWall 3.0 virus. The virus encrypts files on my computer and leaves HELP_DECRYPT.PNG, HELP_DECRYPT.HTML and HELP_DECRYPT.TXT files in the attacked folders. Avast shows numerous alerts that it is moving the virus to the Chest. It shows ‘help_decrypt.url’ as the name, the original location of the attacked files, and “INI:Shortcut-inf[Trj]” as the virus. However, it still continues encrypting more and more files. Do you please know how I can stop it and remove the virus from my computer? I am not interested in recovering the encrypted files at the moment, I just want to stop the virus from doing it and remove it from my computer forever.

Thank you for your advice

Follow Instructions here https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total

See below the box you write in … Attachments and other options

Follow the instructions in the sticky at the top of this forum and attach the logs to your post.

Please do not empty the chest as there can be files that are needed for decryption.

Hi,
Attached are the logs as specified in the instructions. Thank you for your help.

Did you get this as an e-mail attachment ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c6391] => C:\Windows\syswow64\regsvr32.exe C:\e7c63910\e7c63910.dll
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c63910] => C:\Windows\syswow64\regsvr32.exe C:\Windows\system32\config\SYSTEM~1\AppData\Roaming\e7c63910.dll <===== ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
R1 {d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64; C:\Windows\System32\drivers\{d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64.sys [48776 2015-11-07] (StdLib)
2015-11-08 13:43 - 2015-11-09 20:14 - 00000000 ____D C:\curaci
2015-11-07 23:33 - 2015-11-07 23:33 - 00000000 ___HD C:\e7c63910
2015-11-07 21:19 - 2015-11-07 08:25 - 00048776 _____ (StdLib) C:\Windows\system32\Drivers\{d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64.sys
2015-11-07 23:33 - 2015-11-07 23:33 - 0166912 _____ (Oracle Corporation) C:\Users\Martin\AppData\Roaming\e7c63910.dll
Task: {DF4D2655-B8AE-481E-A73E-85046E23058F} - System32\Tasks\ProgramRefresh-ATFST => C:\Program Files (x86)\File Type Assistant\tsasetup.exe [2014-06-08] ( ) <==== ATTENTION
C:\Program Files (x86)\File Type Assistant
C:\Users\Martin\AppData\Roaming\e7c63910.dll
C:\e7c63910
CMD: del /F /Q /S "C:\HELP_DECRYPT.TXT"
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
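An added example, not part of this thread and not code from FRST or its author: the fix above is built from FRST log lines, and the two HKU Run entries it removes show a persistence pattern worth recognising when reading such a log, namely a system loader (regsvr32.exe) starting a DLL from a bare top-level directory or from a profile's AppData folder, under a generated-looking hex name. The script below parses Run lines in FRST's format and flags entries that match that pattern. The sample lines are constructed: the two flagged ones mirror the fixlist, the two benign ones (AvastUI.exe, OneDrive) are assumed for contrast, and the path patterns used as signals are a heuristic, not an FRST feature.

```python
import re

# Constructed sample log lines, modelled on the two HKU Run lines in the fixlist
# above plus two assumed benign entries for contrast. Not copied from a real log.
SAMPLE_FRST_LINES = r"""
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c6391] => C:\Windows\syswow64\regsvr32.exe C:\e7c63910\e7c63910.dll
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c63910] => C:\Windows\syswow64\regsvr32.exe C:\Windows\system32\config\SYSTEM~1\AppData\Roaming\e7c63910.dll
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7321280 2015-10-01] (AVAST Software)
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [OneDrive] => C:\Users\Martin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
""".strip().splitlines()

# FRST prints autostart entries as:  <hive path>\Run: [<value name>] => <command>
RUN_LINE = re.compile(r"^(?P<hive>HK\w+\\\S*?)\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
# A command whose executable is regsvr32/rundll32: the real payload is the first
# argument (for rundll32 it is "<dll>,<entry point>", so the entry point is split off).
LOADER_CMD = re.compile(r'^"?(?P<exe>\S*\\(?:regsvr32|rundll32)\.exe)"?\s+"?(?P<payload>[^"\s,]+)', re.IGNORECASE)
# Generated names such as e7c63910 are runs of hex digits (heuristic, assumed here).
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


def parse_run_entry(line):
    """Return {"hive", "name", "cmd"} for an FRST Run line, or None for any other line."""
    m = RUN_LINE.match(line.strip())
    return m.groupdict() if m else None


def suspicion_reasons(entry):
    """List why an autostart entry looks like DLL persistence through a system loader."""
    reasons = []
    m = LOADER_CMD.match(entry["cmd"])
    if not m:
        return reasons                      # ordinary programs are not judged here
    payload = m.group("payload")
    loader = m.group("exe").rsplit("\\", 1)[-1]
    reasons.append("%s is used to load %s at logon" % (loader, payload))
    parts = payload.split("\\")
    if len(parts) == 3:                     # C:\<dir>\<file>: a bare top-level directory
        reasons.append("payload lives in top-level directory " + "\\".join(parts[:2]))
    if any(p.lower() == "appdata" for p in parts):
        reasons.append("payload lives under a profile's AppData directory")
    stem = parts[-1].rsplit(".", 1)[0]
    if HEX_NAME.match(stem):
        reasons.append("payload has a generated-looking hex name " + stem)
    return reasons


def triage(lines):
    """Return the flagged Run entries, each with its list of reasons."""
    flagged = []
    for line in lines:
        entry = parse_run_entry(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged.append({"name": entry["name"], "cmd": entry["cmd"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_FRST_LINES):
        print("[%s] %s" % (hit["name"], hit["cmd"]))
        for reason in hit["reasons"]:
            print("    - " + reason)
```

Run against the sample, only the two e7c6391/e7c63910 entries are reported, each with the loader, location and naming reasons that led to them being put in the fixlist; the Avast and OneDrive entries pass because they are started directly rather than through regsvr32 or rundll32.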

I have run the fix as described. The fix finished and wanted to restart the computer, but when I came back to Windows after the restart, the folder with FRST and the log was deleted. Do you know what happened? Should I run it again?

I did not get it as an e-mail attachment; I probably got it when I downloaded an mkv player, or somewhere while browsing the internet, I am not sure…

Sorry, I did not realize that the folder was moved to Quarantine under the FRST folder. The log is attached. Thank you.

Could you re-run the fix please as it did not appear to take

Download Farbar Recovery Scan Tool to your desktop
Download the attached fixlist.txt to the same location as FRST
Start FRST and press fix
After the reboot there should be a log on your desktop please post that

I ran it again; the log is attached. Thank you.

OK that has killed the encryptor and removed all HELP_DECRYPT files…

How many of your files are encrypted ?

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png
Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

- Enter the IDTool directory, right-click on the IDTool icon and select Run as Administrator to start the tool.
- IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree.
- Wait patiently until the tool has collected the necessary data.
- Once the main console is loaded, please press Rescan Computer and Generate a New Report.
- When prompted at the main bar that the Rescan is completed, press Generate Text Friendly Report for Forums.
- Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include that contents in your next reply.

Attached is the report from IDTool…

According to the log, Farbar deleted 755 HELP_DECRYPT.TXT files, so I guess this is the number of encrypted files…

No, it just dumps those files all over the system.
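An added example to illustrate the point just made, not part of this thread: the number of HELP_DECRYPT notes says little about how many files were encrypted, because the notes are dropped into every folder the malware touches, and CryptoWall 3.0 as described here leaves file names unchanged. The script below walks a directory tree, collects the notes, and, as a heuristic for in-place encryption, lists the files in each note-bearing folder whose modification time falls in a window just before the note was written. The folder layout and timestamps are constructed in a temporary directory so the script runs offline; the one-hour window and the idea of using mtime proximity are assumptions, not a property of the malware.

```python
import os
import tempfile
import time
from collections import defaultdict

# Note file names as reported in this thread (case-insensitive on Windows).
RANSOM_NOTES = {"help_decrypt.txt", "help_decrypt.html", "help_decrypt.png", "help_decrypt.url"}


def find_ransom_notes(root):
    """Return {directory: [note paths]} for every directory under root holding a note."""
    found = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in RANSOM_NOTES:
                found[dirpath].append(os.path.join(dirpath, name))
    return dict(found)


def likely_encrypted(root, window_seconds=3600):
    """Heuristic: in each directory that holds a note, files modified within
    window_seconds before the earliest note was written are candidates for
    having been encrypted in place. Notes themselves are excluded."""
    candidates = {}
    for dirpath, note_paths in find_ransom_notes(root).items():
        note_time = min(os.path.getmtime(p) for p in note_paths)
        hits = []
        for name in os.listdir(dirpath):
            full = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTES or not os.path.isfile(full):
                continue
            if note_time - window_seconds <= os.path.getmtime(full) <= note_time:
                hits.append(name)
        candidates[dirpath] = sorted(hits)
    return candidates


def summarize(root):
    """Counts a responder would report: note-bearing folders vs. candidate files."""
    cand = likely_encrypted(root)
    return {
        "note_dirs": len(cand),
        "candidate_files": sum(len(v) for v in cand.values()),
        "by_dir": {os.path.basename(d): names for d, names in cand.items()},
    }


def build_sample_tree():
    """Constructed sample tree (not real data): two folders with notes, one untouched.
    Timestamps are set relative to now so the mtime window behaves predictably."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    now = time.time()
    layout = {
        "Documents": {"report.docx": now - 600, "photo.jpg": now - 500,
                      "HELP_DECRYPT.TXT": now - 400, "HELP_DECRYPT.HTML": now - 400,
                      "old_notes.txt": now - 86400 * 30},   # untouched for a month
        "Pictures": {"holiday.png": now - 300, "HELP_DECRYPT.PNG": now - 200},
        "Music": {"song.mp3": now - 86400 * 10},             # no note, no candidates
    }
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d)
        for name, mtime in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(sample_root))
```

On the constructed tree the walk finds notes in two folders (four note files) but only three candidate data files, which is the distinction the reply above is making; on a real machine the root would be the system drive and the candidate list is a starting point for checking which files still open, not a verdict.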

Well, it was CryptoWall; here is some data on it.

Unfortunately, as to whether you can recover any files is moot.

http://i.imgur.com/y3MMIrs.png
Previous Versions

- Right-click the file/folder and click Properties.
- Click Previous Versions.
- This tab will list all copies of the file and the date they were backed up.
- To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
- If you wish to restore the selected file and replace the existing one, click Restore.
- If you wish to view the contents of the file before restoring, click Open.

http://i.imgur.com/MzmiIl9.gif
ShadowExplorer

- Please download ShadowExplorer and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select the option shown (http://i.imgur.com/AVOiBNU.jpg) to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present.
- Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.


http://i.imgur.com/J8xQM97.png
File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

- R-Studio
- Photorec
- Recuva

OK, thank you… Does it mean that the virus is out of my computer now?

As far as I can see it has gone, are you experiencing any problems ?

No, I just wanted to be sure that it is clean now. I also saw that some files in Avast folders were encrypted, so I am not sure if Avast was somehow damaged or not… I would rather reinstall it…

Avast appears to have been trying to stop it from your description, so I would assess that Avast is OK; however, mayhap a repair would not come amiss.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

OK, it looks fine. Thank you very much for all the help…