Help After Cryptowall 3 attack

Hi, here are the log files as requested from the Logs to assist page.

Is there any way of recovering my files?

I have a folder that may contain the original copies of files that I am struggling to get access to, as I believe Cryptowall deletes all original files and hides them away and then creates copies and encrypts them. I'm a bit of a novice at computer related items but with some good help and instructions I can hopefully recover some files that are very important to me and needed urgently.

Hope someone out there can help.

Thanks to all in advance

Vip Measuria

Here is the name of the folder that I feel the original files are stored in, as it's a large file (5.4 GB). Unsure if it's encrypted or not?

Will post the aswMBR file as soon as it's completed scanning.

{b712c0ab-ed06-11e4-b51e-3860771541bc}{3808876b-c176-4e48-b7ae-04046e6cc752}

Here is the aswMBR file as requested

Hope someone can help

Do you have a disc image ?

As you appear to have been hit by not one but two ransomware programmes… the chances of decrypting them are near impossible.
Are you opening any attachments that come in your e-mail, as that is the method of transmission?

Re-install Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall Chrome.
    Note: When asked about user data or settings you must remove this also so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome. Although I would recommend against this
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

THEN

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM Group Policy restriction on software: %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKU\S-1-5-21-1605447441-1683609426-2665698310-1000\...\Run: [YtrjPack] => C:\Windows\System32\regsvr32.exe C:\Users\Retailer\AppData\Local\Ezrtion\loader_u.dll
HKU\S-1-5-21-1605447441-1683609426-2665698310-1000\...\Run: [YwdtPack] => regsvr32.exe C:\Users\Retailer\AppData\Local\YwdtPack\loader_u.dll <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKLM\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
CHR HKU\S-1-5-21-1605447441-1683609426-2665698310-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [Äÿ] - No Path Or update_url value
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [6079848 2015-01-14] (Reimage®)
2015-04-29 18:09 - 2015-04-27 12:14 - 1543503872 _____ () C:\Users\Retailer\Desktop\{b712c0ab-ed06-11e4-b51e-3860771541bc}{3808876b-c176-4e48-b7ae-04046e6cc752}.sys
2015-04-28 18:06 - 2015-04-28 18:53 - 00000000 ____D () C:\Users\Retailer\AppData\Roaming\Seryahis
2015-04-28 18:06 - 2015-04-28 18:06 - 00000000 ____D () C:\Users\Retailer\AppData\Roaming\Okcaadevabso
2015-04-26 19:45 - 2015-05-01 18:42 - 00000000 ____D () C:\Program Files\buyaNdbrowsea
2015-04-26 19:45 - 2015-04-27 18:49 - 00000000 ____D () C:\Program Files\QUicksHop
2015-04-26 19:45 - 2015-04-27 18:48 - 00000000 ____D () C:\Program Files\offerrsofot
2015-04-26 19:45 - 2015-04-27 12:44 - 00000000 ____D () C:\Program Files\Translate This
2015-04-26 19:45 - 2015-04-27 12:31 - 00000000 ____D () C:\ProgramData\4864267212473542845
2015-04-26 11:25 - 2015-05-02 08:57 - 00000000 ____D () C:\ProgramData\salesale
2015-04-06 19:06 - 2015-04-29 20:24 - 00000000 ____D () C:\Users\Retailer\SupTab
2015-04-06 19:05 - 2015-04-27 12:31 - 00000000 ____D () C:\ProgramData\34b5270e00006a7e
C:\Users\Retailer\AppData\Local\YwdtPack
C:\Users\Retailer\AppData\Local\Ezrtion
C:\Program Files\Reimage
CMD: del /F /Q /S "C:\HELP_RESTORE_FILES.HTML"
CMD: del /F /Q /S "C:\HELP_RESTORE_FILES.PNG"
CMD: del /F /Q /S "C:\HELP_RESTORE_FILES.URL"
CMD: del /F /Q /S "C:\HELP_RESTORE_FILES.txt"
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-1605447441-1683609426-2665698310-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Retailer\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
Task: {AD9582FF-E5C7-482F-B32D-7F9240F8D7E8} - \WSE_Vosteran No Task File <==== ATTENTION
Task: {B44A1B12-D4DD-4E1C-8FC0-CEFF685AE6B1} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-01-14] (Reimage®) <==== ATTENTION
C:\Users\Retailer\Desktop\HeLP_ReSTORe_FILeS.bmp
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated, please post that.

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
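The fixlist above deletes the CryptoWall ransom notes (HELP_DECRYPT.* and HELP_RESTORE_FILES.*) only from the drive root, but CryptoWall drops a copy of those notes into every folder it encrypts, so the note locations are the quickest way to scope which folders were hit. The following is an added example, not the helper's tool or anything posted in this thread: a small Python script that walks a folder tree for those note names (matched case-insensitively, since the thread's log also shows a mixed-case HeLP_ReSTORe_FILeS.bmp) and reports the directories that contain them. The sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Scope a CryptoWall 3 hit by locating its ransom notes (added example)."""
import os
import tempfile

# Note names taken from the thread's FRST fixlist; compared in lower case
# because the malware also dropped a mixed-case "HeLP_ReSTORe_FILeS.bmp".
NOTE_STEMS = ("help_decrypt", "help_restore_files")
NOTE_EXTS = (".html", ".png", ".url", ".txt", ".bmp")


def is_ransom_note(filename):
    """True if filename is one of the known CryptoWall note files."""
    stem, ext = os.path.splitext(filename.lower())
    return stem in NOTE_STEMS and ext in NOTE_EXTS


def scope_ransom_notes(root):
    """Return {directory: [note names]} for every directory under root that
    holds at least one ransom note; those are the folders whose user files
    should be treated as encrypted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if is_ransom_note(f))
        if notes:
            hits[dirpath] = notes
    return hits


def build_sample_tree():
    """Constructed sample data: two folders with notes, one untouched."""
    root = tempfile.mkdtemp(prefix="cw3_sample_")
    layout = {
        "Documents": ["HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "report.docx"],
        "Pictures": ["HeLP_ReSTORe_FILeS.bmp", "holiday.jpg"],
        os.path.join("Pictures", "2014"): ["help_restore_files.txt"],
        "Music": ["song.mp3"],
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for d, notes in scope_ransom_notes(build_sample_tree()).items():
        print(d, notes)
```

Point the script at a real drive (for example scope_ransom_notes("C:\\")) to get the list of affected folders before deciding whether any data is worth keeping.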

Hi, please see attached after Chrome was removed… I think, as Chrome wasn't listed in the add/remove programs section; did a quick search and couldn't find it in the start menu program list either, so unsure if it has been removed or not.

Many Thanks

Vip

Hi, please find attached the adware cleaner log file.

Did you run the FRST fix? As the entries I deleted appear to have returned.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Your system is badly infected.
The quickest and best way to solve the problems is to install Windows, drivers and such from scratch.
Unless you have a clean backup, consider your data gone.

Thanks again Essexboy for all your help

I think by the looks of things I've been hard hit and the chance of recovering my files is going to be impossible.

Please find attached the log file as requested. I was unable to stop ESET antivirus as it was preloaded onto this computer when I got it, and I have found it difficult to remove as a password is requested. But I guess with a format and clean install it will disappear.

Many Thanks

I think you are spot on and I certainly have learnt from my mistakes.

The computer can always be reinstalled, but data is gone unless you have a backup.

There is lots of free online storage out there.
A Gmail account gives 15GB online storage, Outlook the same; you can buy more. There is Dropbox and many similar.
Or use an external drive with Windows Backup http://windows.microsoft.com/en-us/windows/back-up-files#1TC=windows-7

Recommended program if you use external drives/camera cards/USB sticks: MCShield http://www.mcshield.net, it protects against network worms.

Concur, a re-install would be the quickest and safest option… There are some good free image tools out there; once up and running they can be a godsend http://www.geekstogo.com/forum/topic/345434-macrium-reflect-imaging-tool/

Interesting reading about CryptoWall 3.0:
http://blogs.cisco.com/security/talos/cryptowall-3-0

TeslaCrypt file recovery tool:
http://blogs.cisco.com/security/talos/teslacrypt

If you are lucky, you can retrieve (some?) files with the tool.
Warning: Use it at your own risk!

Found the key.dat file but it seems it already has the master key removed. Wondering if there was any other way to roll it back? I've tried restore previous versions but none were detected.

There is no way to “roll back” to retrieve your files.
If that tool isn’t working for you, you are out of luck.
The data is gone.

I know it is a hard way, but I hope you have learned from this.
This time it was malware but there are other things that can happen and destroy your data.
I hope it will never happen of course, but your hard-drive can break down, your house can go up in flames etc.
That is why you should always have a backup of your data and, even better, an image of the working system.
And never store the backup/image near your own system.

Some providers give the user some web-space for their own internet site.
That space can also be used to store a backup/image, if there is enough space of course.
Another option is to use e.g. Google Drive.

To create an image/backup there are many free tools for it.
Find one that you like and use it.

Thanks for all your help… Guess I'm just going to have to re-write my work.

Lesson also learnt and a backup program in place from last week onwards… hopefully I will not have to learn from another repeat of this infection.

Great forum and very informative

Many Thanks

Maybe I should keep the files just in case one day there is a fix.

I do not think so, as they are one-time codes that are kept on the malware server.