CryptoWall Got Me - What should I do now?

Hello. It appears that I have contracted the CryptoWall virus. I’m not sure what I opened or downloaded that was infected. I don’t recall anything suspicious. I try to be very cautious, but apparently I messed up somewhere. I did update Java last week and have now read that it is vulnerable. Perhaps I got it from that? Anyways… Saturday afternoon I started receiving Web Shield popup warning alerts, one right after another. They were coming up so fast you couldn’t read them. An example:

Object: C:\Users\Gery\AppData\Local\Apple Computer\Safari\LocalStorage\DECRYPT_INSTRUCTION.URL
Infection: URL:Mal
Process: C:\Windows\explorer.exe

I ran a full system scan with Avast. It found the following files:

C:\ProgramData\Windows Genuine Advantage\{73DF2915-E5AC-47B3-A863-90AA33CDCFA8}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage\{8FADCCF2-C9C0-4917-9227-64AA60A631DF}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage\{4214961A-ACEE-4564-8C7B-E32FC6647729}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage\{8FADCCF2-C9C0-4917-9227-64AA60A631DF}\msiexec.exe

I did the auto fix and Avast moved the first and third files to the Chest. The second and fourth appear to be the same file, which kicked back this error message: “Error: The system cannot find the file specified.”

The popups persisted. I held off on doing a boot time scan and started poking around the internet for info, which is when I learned about CryptoWall. I also noticed that all my folders now have those dreaded DECRYPT_INSTRUCTION.html & DECRYPT_INSTRUCTION.txt files within them and all my files are corrupted so-to-speak (or encrypted).

I found a link to this instruction page off the Avast forum: http://www.precisesecurity.com/rogue/remove-cryptowall

I attempted Option 1. I downloaded, installed, & ran the Malwarebytes Anti-Malware program (free version). It found 23 infected items which it threw into quarantine. I then deleted the files out of quarantine. I’ve attached the scan log for reference (MBAM_scan_log_111014a). I still get a warning every so often, but I’m not bombarded like before. Example:

Object: http://www.movieroomreviews.com/jamie-dornan/fifty-shades-grey-get-special-x-rated-version-184451?utm_source=29021&utm_medium=cpc&utm_campaign=clickpayz_29021
Infection: URL:Mal
Process: C:\Program Files\Internet Explorer\iexplore.exe

or

Object: http://www.abcmedine.net/|{gzip}
Infection: HTML:Framer-inf[Trj]
Process: C:\Program Files\Internet Explorer\iexplorer.exe

I’ve also started getting…

regsvr32.exe - Application Error: The exception Breakpoint
A breakpoint has been reached.
(0x80000003) occurred in the application at location 0x7775805d.

…messages every so often.

I take it deleting the quarantined files was a no-no and I possibly screwed stuff up even more? (Why on earth did I do it?!?) At least I have a bad feeling about it because… I came across another thread where the poster appeared to have the same issue as me (https://forum.avast.com/index.php?topic=158653.msg1143795#msg1143795). Someone responded and said not to do anything until someone helped. So now I’m afraid to continue on with the instructions from precisesecurity.com. I saw the poster ran several different scans and attached the generated logs. After some more poking around I found the post that provided the links to those same scanning programs. Since I’d already run MBAM, I skipped to FRST64. The logs for it are attached (FRST.txt and Additions.txt).

Next I ran aswMBR, but it seems to hang after so long. 4.5 hours went by and the time stamp & scanning location had not changed. In the meantime I was re-reading the “Logs to assist in cleaning malware” post. I noticed that the instructions for MBAM said to checkmark “Scan for rootkits” under Settings > Detection and Protection. (I did not have this checked during the first scan.) So I checked that setting and re-ran the scan. It detected one additional malicious file which I quarantined BUT did not delete (MBAM_scan_log_111014b). And since it needed to restart the computer to do so, I went ahead and stopped the aswMBR scan (it didn’t seem like it was doing anything anyway) and saved the log for it thus far.

When the computer restarted I started a new aswMBR scan. Once again it hung about 1.5 into the scan. After another 4 hours of just sitting there the time stamp and “Scanning” line finally updated. Then it’s updated about once an hour since then. (Last time stamp was 9:19am CT.) With no type of progress bar I have no idea how long it will take to finish. It’s already been going for 9 hours. I’ll continue to let it sit here and run, but wanted to get a post up in the meantime.
I’ll provide the log file once available.

Additional info: I have an HP Pavilion dv6t laptop that is running Windows 7. If you need any other stats, please let me know.

Not sure what my next step should be. I’m completely lost when it comes to virus issues. Is there any hope in recovering some of the encrypted/corrupted files? I have some work items that would be nice to retrieve if possible. Do I need to use my restore disc and reset the laptop to get rid of everything, such as those blasted DECRYPT_INSTRUCTION files ALL over the place? Will doing so get rid of the virus or will it still be lurking somewhere? Any help – suggestions, recommendations, directions, etc – would be greatly appreciated.

The aswMBR scan finally finished. I’ve attached the log.

You have a lot more than just CryptoWall.

Remover notified. Seems Avast! caught it red-handed? Are your files encrypted, or did Avast! successfully block it? (Video/audio, images and documents would be affected.)

OK, let’s get at it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-447642792-1532267071-825928583-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HKU\S-1-5-21-447642792-1532267071-825928583-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKCU - (No Name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {E14E7429-1120-4E0E-B064-494A0B60249C} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKU\S-1-5-21-447642792-1532267071-825928583-1001 -> No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKU\S-1-5-21-447642792-1532267071-825928583-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
2014-11-10 11:11 - 2014-11-10 11:11 - 00008542 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-10 11:11 - 2014-11-10 11:11 - 00008542 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-11-10 11:11 - 2014-11-10 11:11 - 00008542 _____ () C:\Users\Gery\DECRYPT_INSTRUCTION.HTML
2014-11-10 11:11 - 2014-11-10 11:11 - 00004214 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-10 11:11 - 2014-11-10 11:11 - 00004214 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-11-10 11:11 - 2014-11-10 11:11 - 00004214 _____ () C:\Users\Gery\DECRYPT_INSTRUCTION.TXT
2014-11-10 10:17 - 2014-11-10 10:17 - 00008542 _____ () C:\Users\Gery\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-10 10:17 - 2014-11-10 10:17 - 00004214 _____ () C:\Users\Gery\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-10 10:07 - 2014-11-10 10:07 - 00008542 _____ () C:\Users\Gery\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-10 10:07 - 2014-11-10 10:07 - 00004214 _____ () C:\Users\Gery\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-10 09:40 - 2014-11-10 09:40 - 00000000 ____D () C:\Users\Gery\AppData\Local\{2750119E-B160-4BF8-95DB-54A01295A1AE}
2014-11-10 09:18 - 2014-11-10 11:35 - 00000000 __SHD () C:\ProgramData\USB Adapter Updater
2014-11-09 15:28 - 2014-11-09 15:28 - 00008542 _____ () C:\Users\Gery\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-09 15:28 - 2014-11-09 15:28 - 00008542 _____ () C:\Users\Gery\AppData\DECRYPT_INSTRUCTION.HTML
2014-11-09 15:28 - 2014-11-09 15:28 - 00004214 _____ () C:\Users\Gery\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:28 - 2014-11-09 15:28 - 00004214 _____ () C:\Users\Gery\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:24 - 2014-11-09 15:24 - 00008542 _____ () C:\Users\Gery\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-09 15:24 - 2014-11-09 15:24 - 00004214 _____ () C:\Users\Gery\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:04 - 2014-11-09 15:04 - 00008542 _____ () C:\Users\Gery\AppData\Local\Apps\DECRYPT_INSTRUCTION.HTML
2014-11-09 15:04 - 2014-11-09 15:04 - 00004214 _____ () C:\Users\Gery\AppData\Local\Apps\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:01 - 2014-11-09 15:01 - 00008542 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-09 14:35 - 2014-11-10 14:07 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-10 12:35 - 2013-09-10 15:46 - 00000000 ____D () C:\Users\Gery\AppData\Roaming\Search Protection
CustomCLSID: HKU\S-1-5-21-447642792-1532267071-825928583-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {348DE246-36B3-48A3-97BC-C6049D2E9D20} - \ProgramUpdateCheck No Task File <==== ATTENTION
Task: {EC32C6BC-1A35-49A9-93E5-9973DFDB8107} - \ProgramRefresh-ATFST No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and run farbar service scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

FINALLY

Run a fresh FRST scan and this time also select shortcuts.txt
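As an added example (not code from the thread, from FRST or from Avast), here is a small Python triage helper that reads FRST-style listing lines like the ones in the fixlist above. It pulls the DECRYPT_INSTRUCTION drop times into a per-folder timeline (the ransomware writes one HTML/TXT pair into each folder as it encrypts it, so the note timestamps trace the encryption run), flags CLSID LocalServer32 entries that launch rundll32.exe with a javascript: URL (the Poweliks pattern essexboy marked), lists scheduled tasks whose task file is gone, and flags hidden+system directories. The sample input is constructed from lines quoted in the fixlist; the reading of FRST's five-character flag field (D for directory, S and H for system/hidden) is an assumption about the log format, not something the thread states.

```python
"""Triage of FRST-style log lines. Constructed example, not FRST's own code."""
import re
from datetime import datetime

# Constructed sample input: lines copied (and shortened) from the FRST fixlist in the thread.
SAMPLE_FRST = r'''
2014-11-10 11:11 - 2014-11-10 11:11 - 00008542 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.HTML
2014-11-10 11:11 - 2014-11-10 11:11 - 00004214 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-10 10:07 - 2014-11-10 10:07 - 00008542 _____ () C:\Users\Gery\Documents\DECRYPT_INSTRUCTION.HTML
2014-11-10 09:18 - 2014-11-10 11:35 - 00000000 __SHD () C:\ProgramData\USB Adapter Updater
2014-11-09 15:01 - 2014-11-09 15:01 - 00008542 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-09 14:35 - 2014-11-10 14:07 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-10 12:35 - 2013-09-10 15:46 - 00000000 ____D () C:\Users\Gery\AppData\Roaming\Search Protection
CustomCLSID: HKU\S-1-5-21-447642792-1532267071-825928583-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {348DE246-36B3-48A3-97BC-C6049D2E9D20} - \ProgramUpdateCheck No Task File <==== ATTENTION
'''

# "created - modified - size flags (company) path": how FRST prints a file or directory.
# Assumption: the five-character flag field uses D = directory, S = system, H = hidden.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) \((.*?)\) (.+)$"
)
RANSOM_NOTE_RE = re.compile(r"\\DECRYPT_INSTRUCTION\.(HTML|TXT|URL)$", re.IGNORECASE)
# Poweliks persistence: a CLSID LocalServer32 that runs rundll32.exe with a javascript: URL.
POWELIKS_RE = re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.IGNORECASE)
# A scheduled task registered in the registry whose XML task file no longer exists.
ORPHAN_TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (\S+) No Task File")


def parse_file_entries(text):
    """Return one dict per file/directory line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, flags, _company, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": int(size),
            "is_dir": "D" in flags,
            "hidden_system": "H" in flags and "S" in flags,
            "path": path,
        })
    return entries


def ransom_note_timeline(entries):
    """First/last note drop and the folders hit; None when no notes are present."""
    notes = sorted((e for e in entries if RANSOM_NOTE_RE.search(e["path"])),
                   key=lambda e: e["created"])
    if not notes:
        return None
    return {
        "count": len(notes),
        "first_drop": notes[0]["created"],
        "last_drop": notes[-1]["created"],
        # One note pair per folder the encryptor walked, so these are the affected folders.
        "directories": sorted({e["path"].rsplit("\\", 1)[0] for e in notes}),
    }


def find_fileless_persistence(text):
    return [line.strip() for line in text.splitlines() if POWELIKS_RE.search(line)]


def find_orphan_tasks(text):
    tasks = []
    for line in text.splitlines():
        m = ORPHAN_TASK_RE.match(line.strip())
        if m:
            tasks.append(m.group(1))
    return tasks


def find_hidden_system_dirs(entries):
    return [e["path"] for e in entries if e["is_dir"] and e["hidden_system"]]


def triage(text):
    entries = parse_file_entries(text)
    return {
        "ransom_notes": ransom_note_timeline(entries),
        "poweliks_like": find_fileless_persistence(text),
        "orphan_tasks": find_orphan_tasks(text),
        "hidden_system_dirs": find_hidden_system_dirs(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FRST)
    notes = report["ransom_notes"]
    print(f"{notes['count']} ransom notes, first {notes['first_drop']:%Y-%m-%d %H:%M}, "
          f"last {notes['last_drop']:%Y-%m-%d %H:%M}, in {len(notes['directories'])} folders")
    for key in ("poweliks_like", "orphan_tasks", "hidden_system_dirs"):
        for item in report[key]:
            print(f"[{key}] {item}")
```

Run it against a real FRST.txt by replacing SAMPLE_FRST with the file's contents. The timeline is only as good as the creation timestamps FRST records, and the Poweliks pattern is a string match on one known launcher, so treat both as leads to confirm, not as a verdict.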

essexboy,

I’ve followed the instructions you provided for me (thank you btw) and have attached the requested files:

Fixlog.txt
FSS.txt
FRST_2.txt
Shortcut.txt

Sorry to interrupt…

I suspect if you check out your hard drive space, you’ll have close to 13 GB more than you did before, if not more…

EmptyTemp: => Removed 12.7 GB temporary data.

Michael (and anyone else),

I do not recall what my hard drive space was before I was hit with all the viruses. Currently I have 252 GB free out of 452 GB.

And to answer your earlier question, Avast’s Web Shield pop up did pick up the DECRYPT_INSTRUCTION.URL and attempted to block it, but it did not. It is all over the computer (the DECRYPT_INSTRUCTION.html & DECRYPT_INSTRUCTION.txt files in all folders, including on my desktop) and has affected all files. I cannot open anything… images, docs, videos, etc. Microsoft Office Outlook fails too because it cannot find/sync my folders.

I’m guessing the virus is still hidden on the computer somewhere. Apparently the computer restarted for some kind of windows update while I was asleep. When I logged back on the CryptoWall text file message popped up again.

I work from home via my computer so this will be down day #3 for me. Can anyone tell me…

  1. Is it possible to fix the laptop as is?
  2. Do I need to give up and use my restore disc?
  3. If I do use the restore disc, will that get rid of any and all viruses or could they still be lurking somewhere?
  4. Do I need a new hard drive instead?
  5. Or is everything so far gone that I need a new computer?

I have about 2 GB worth of client data that is affected in addition to all my work emails I had saved. I’ve had an ill family member and have been running from home to do quick bits of work and back to their house for the past 7 weeks so I’ve not had time to do my normal back up routine. Figures, right? That’s normally when something like this (virus or other failure) hits. There are a couple files in particular I’d like to save if at all possible. If not, oh well. It’d be awesome if the computer would just go back to normal as it was prior to the attack, but I’m realistic and doubt that will happen.

And not that it makes any difference, but the notifications started this past Sunday, not Saturday as I’d previously mentioned. (My days are all screwed up.) I used the computer all last week for work, to look at news on Yahoo, Facebook, check the weather, visit a couple online stores, and I believe last week is when I updated Java. Other than that I’ve not done anything out of the ordinary. I shut the computer down Friday evening. Did not use it Saturday. Turned it on Sunday afternoon and that’s when the popup warnings started. I run a daily Avast Quick Scan at noon and it did not pick anything up last week. As soon as the popups started on Sunday I did the full scan and it found those 4 files I mentioned earlier. It wasn’t until I ran Malwarebytes that it picked up the Crypto (and apparently other) stuff.

Hi, Essexboy will try his hardest to fix your computer.

It is possible to decrypt your files, but the programme is under construction still, and doesn’t have a 100% success rate. So, while possible, it isn’t a definitive yes.

  1. As for Restore, not normally needed, I’ve yet to see a case involving reinstalling Windows.
  2. Yes, a full format would rid yourself of everything, including your files (Do you have a backup?)
  3. Nope.
  4. Definitely NO! There is nothing out there that I’ve seen successfully damage hardware (CPU, RAM, GPU, HDD). Only the standard wear and tear from standard use (browsing, typing etc).

Now, that’s just Cryptowall. Poweliks, which was also present is easily removed, no issues there. The backdoor (If it actually was) might require a bit more attention.

All in all, reformatting shouldn’t be needed, your data might be able to be saved (FINGERS CROSSED). Wait for essex to come back. He’ll have more instructions.

Unfortunately there is not much hope for the encrypted files as they use a one time code. But, a two week old backup is better than none

There are a few pieces remaining, if you could let me know how the computer is behaving after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Startup: C:\Users\Gery\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()
Startup: C:\Users\Gery\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT ()
2014-11-11 10:52 - 2014-11-11 10:52 - 00008538 _____ () C:\Users\Gery\Desktop\DECRYPT_INSTRUCTION.HTML
2014-11-11 10:52 - 2014-11-11 10:52 - 00004212 _____ () C:\Users\Gery\Desktop\DECRYPT_INSTRUCTION.TXT
2014-11-02 09:31 - 2014-11-02 09:32 - 00000000 ____D () C:\Users\Gery\AppData\Local\{BEFBDB19-D17F-4CD0-A7C8-212675AE5255}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Michael – Thanks for responding to my questions. Good to know that a restore would take care of anything and that I do not need a new hard drive or computer.

essexboy – I ran the new fixlist.txt file and have attached the fixlog.

You asked how the computer is acting. When it restarted after the fix, neither the decryption instruction text file nor the web page popped up this time. I take it that’s a good sign? I haven’t noticed any avast web shield popup warnings yet either. Obviously none of my files can be opened. The decryption instruction text & web page files are still all over. I ran a search for “DECRYPT_INSTRUCTION” from the Start button. It found the following: Documents (5208), Music (414), Pictures (5318), Videos (2), Files (5517). When I click the “See more results” link it kicks back a total of 6,047 items. I also tried opening some programs, which I had yet to do. (I didn’t want to do any more than I had to in case the more I used the computer the worse it would get.) Here are some findings:

  • Outlook: “Cannot open your default e-mail folders. The file C:\Users\Gery\AppData\Local\Microsoft\Outlook\Outlook.pst is not a personal folders file.” When I click Ok it closes the program.
  • Word: “The file Normal cannot be opened because there are problems with the contents. … The file is corrupt and cannot be opened.” When I click ok I get another message about not being able to open “Normal.” I click ok again and then I get a blank doc I can type in & save.
  • I can open other programs I use for work without issue such as: Photoshop, Excel, Expression Web, Ipswitch WS_FTP, Adobe Acrobat Pro, Calculator, and of course Firefox, Internet Explorer, and Notepad.

You said “there is not much hope for the encrypted files. … But a two week old backup is better than none.” I do not do full backups of my computer (like a complete copy of its current state or a restore point … appears only way to do restore points is to backup to a hard drive or burn it on multiple discs) that I could use to roll the computer back. Which yeah, I guess is bad and full backups would come in handy in situations like this. Instead I only back up files I want to keep on disc. For instance I have a disc for each of my clients, discs for photos, and discs for my personal files. I believe I might have one full backup/restore point from last summer (2013) on my external hard drive. Although I’ve never used one of those to restore a computer before. Otherwise I just have the restore discs to reset the computer back to factory settings. So the question becomes, what do I do with all these “dead”/encrypted files laying around and the programs that are not functioning properly? Would using the restore disc from HP and then loading all my programs back on be the way to go?

And thanks again for all your help thus far.

That would be one way to go … You would need to re-install the programmes and then copy your backups to the right location to make this work. You will still lose some data though

This is a programme that I would recommend everyone to install

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

essexboy,

Are there any other fixes, etc that can be done? If not, I’ll go ahead and use my HP restore disc and then put all my programs back on.

I’ll definitely install CryptoPrevent. Thanks for the recommendation.

No I am afraid not as the code is held online and is unique for each infection

Okay. Wish there was a way to decrypt my stuff. Oh well. Nothing I can’t survive without.

I’ll get to it … restoring my computer.

Thanks again for all your help.

Sorry there wasn’t a better resolution