I'm infected with Cryptowall

Using Avast Free, XP, IE8.

Received numerous Avast warnings after opening page from Google (first page of search string results for ‘planer sled’ (woodworking site)).
Closed browser as more warnings were popping up and rebooted.
Checked logs. Numerous files on a thumb drive I use as temp storage were Quarantined. Also a couple C: files. Virus Chest shows numerous instances of ‘help_decrypt.url’, INI:Shortcut-inf[Trj].
Tried to run scan. Avast scan name comes up as three question marks and Boot scan is the only option.
Boot scan shows Infected Files, but Show is unresponsive.

I’ve downloaded the files listed on https://forum.avast.com/index.php?topic=53253.0 (mbam, FRST, aswmbr, and MCShield) using another computer. They’re on a thumb drive ready to move and install.

Do they need to be on the Desktop, or is it OK to put them in a folder on the Desktop?

Thank you. Looking forward to your help.

On the desktop is preferable, but you can run them from any location.

In case they are needed/wanted:
https://forum.avast.com/index.php?topic=171457.msg1217260#msg1217260

Eddy - the link you provided (in case needed or wanted) gives error 'An Error Has Occurred! The topic or board you are looking for appears to be either missing or off limits to you.'

Ignore it, Eddy gave you a link to a section you can’t read in.

Start with installing MCShield on both machines … this should prevent any infection being moved from machine/thumb drive.

Will install MCShield, but this is a different thumb drive.

MCShield logs attached.

First one is upon installing program. Second is after unplugging and replugging USB stick.
Seems the second only looked at the stick (?).

I don’t see a way to run scan other than plugging in stick. Is that correct?

My first reply containing this info never showed up. Trying again.

  1. How was it detected? The background scanner. Message came from the avast Network Shield or Web Shield.

  2. What was the source of the file, where did the file come from? I opened a Google search result in a new tab (first page of search string results for ‘planer sled’ (woodworking site)). Address unknown. When Avast messages began popping up I closed the browser and rebooted. (Described in OP).

  3. When was it downloaded or received? Morning (Central time) July 6, 2015

  4. What is the exact file name with extension? Quarantined files are help_decrypt…url and files showing on a thumb drive that I use for temp files have extensions html, txt, and tor(?).

  5. What was the exact wording of the message that the AV program came up with? This is important for later.
    Avast File System Shield has blocked a threat.
    No further action is required.
    Object: C:.…\HELP_DECRYPT.URL
    Infection: INI:Shortcut-inf[Trj].
    Action: Moved to chest
    Process: C:.…\ SearchProtocolHost.exe
    The threat was detected and blocked just before the file was opened.

-However- some hours later there’s an open web page describing how to have the ransomware removed.

Hello,

HELP_DECRYPT.URL as well as “HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT” are files belonging to CryptoWall ver. 3.0, and unfortunately, we can’t restore your files.

http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-30/
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

BC’s public discussion thread: http://www.bleepingcomputer.com/forums/t/532879/cryptowall-new-variant-of-cryptodefense/

You may also wanna read and try the CryptoMonitor tool;

https://easysyncsolutions.com/CryptoMonitorDetails

BC’s public discussion thread: http://www.bleepingcomputer.com/forums/t/572146/cryptomonitor-stop-all-known-crypto-ransomware-before-it-encrypts-your-data/

Most current antivirus software like avast and others, and antimalware software like Malwarebytes and Emsisoft, know of this dangerous piece of malware and will target all its files. As for USBs, MCShield has an Anti-Crypto routine that addresses all of these types of USB-related malware files (triggers).

Also, meet CryptoPrevent, a security app that attempts to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

Thank you for the links.

It appears I have a rather large paperweight.

I filed a report with the FBI. This is cyber-criminal activity, and also violates telecommunications laws since I have cable Internet and a wireless router.

Questions for anyone knowing:
How can I verify that a drive is clean without contaminating it in the process or spreading anything by putting it in a different computer?
My D: drive is all data and I haven’t accessed it since I got hit. MCShield indicated it was clean on its first scan, but that scan took only seconds for four drives.

I also have a USB stick plugged into my router. If MCShield looks for all traces on the stick, I guess I could plug it into the already-infected computer and see what the report is, but my same concern would exist. Is there a better way?

Thanks. I’ll keep watching this thread.

MCShield only scans the root of the drive, and it only looks for malware types that use removable drives to spread…
So if you plug in a full 1TB drive, it will not check all files on that drive; that is a job for your antivirus program.

So when MCShield says clean, it means there are no network worms on it.
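Since MCShield only looks at the drive root for USB-spreading malware, here is an added example (not from the thread or from any of the tools mentioned) of a read-only check for the CryptoWall 3.0 ransom-note names quoted above: it walks the whole tree of a mounted drive and lists every folder that carries a HELP_DECRYPT.* file, without opening or executing anything. The sample folder layout is constructed for the demo; point `find_ransom_notes` at a real drive letter instead.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note file names that CryptoWall 3.0 drops into each folder it
# encrypts (the names quoted in the thread).  Matching is case-insensitive
# because Avast reported HELP_DECRYPT.URL while the poster saw help_decrypt.url.
RANSOM_NOTE_NAMES = {"HELP_DECRYPT.URL", "HELP_DECRYPT.HTML",
                     "HELP_DECRYPT.PNG", "HELP_DECRYPT.TXT"}


def find_ransom_notes(root):
    """Walk the whole tree under `root` and return {relative dir: [note names]}.

    Only directory listings are read; no file is opened, so the .URL/.HTML
    notes are never launched.  Unlike a root-only scan, every subfolder is
    visited, which is where CryptoWall actually leaves its notes.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f for f in filenames if f.upper() in RANSOM_NOTE_NAMES)
        if found:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = found
    return hits


def build_sample_tree(base):
    """Constructed sample layout: one clean folder plus two folders with notes."""
    layout = {
        "docs/report.docx": "",
        "docs/HELP_DECRYPT.TXT": "ransom note (constructed sample)",
        "docs/HELP_DECRYPT.URL": "[InternetShortcut]",
        "photos/trip.jpg": "",
        "photos/old/help_decrypt.html": "<html>constructed sample</html>",
    }
    for rel, body in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_ransom_notes(build_sample_tree(tmp))
        for d, notes in sorted(hits.items()):
            print(f"{d}: {', '.join(notes)}")
        return hits


if __name__ == "__main__":
    demo()
```

A folder that shows up here held encrypted data; a drive with no hits has no ransom notes, which is still not proof it is free of other malware, so run the full antivirus scan as well.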

Your signature says you have avast! and AdAware.
AdAware is now a full antivirus program using the Bitdefender AV engine … and there can only be one.

Why Using Multiple Antivirus Programs is a Bad Idea https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

We don’t need to go that far to know that. Avast blog has a lot of posts saying two antivirus at a time are a bad idea.
https://blog.avast.com/2012/11/09/when-installing-avast-antivirus-do-i-have-to-remove-old-antivirus-software/
https://blog.avast.com/2014/05/09/when-software-collides-what-to-do-with-your-old-antivirus-program/

MCShield - that’s why I was surprised to see results on other drives. Thanks for the info.

;D Been a while since I updated my profile, huh? Fixed it.

Now that I’m recovering from the shock and dismay of this disaster and nearing the start of a post-mortem to see what I can recover, I’m very curious as to why Avast didn’t prevent/block this.

Cryptowall 3 seems to have been out there a while and Avast did recognize it once it had already done its damage. I understand that there are often new variants, but Avast saw it - afterwards.

Since it also seems to corrupt part of Avast in the process, it seems that Avast would take a big interest in it.

Anyone?

Bump. No replies.

Anybody?

Bump. It’s been a month.
Nobody cares to address this?

It is due to the malware changing … All AVs have the same problem; I have even had a Kaspersky system encrypted.

I guess I could gloat - for once I’m on the cutting edge and found something before the pros did…
:)

I don’t think I ever considered that an AV wouldn’t be hardened at least to the point it couldn’t be modified by something external, and yet be smart enough to tell you that you just got screwed but not prevent it.

Kind of like a speaking car telling you - “Your engine is in the middle of the freeway behind you. Please contact your dealer for service”.

:(

The vast majority of ransomware relies on the computer owner clicking and opening the file that is usually attached in an e-mail.

If it is just deleted it is harmless.