Infected by the CryptoWall ransomware

My computer was acting strangely over the weekend, with Avast alerting me to something that was trying to open a malicious web site every few minutes. I also found some processes running (dllhost.exe*32 - COM Surrogate) that I didn’t recognize, and they regenerated each time I killed them. I’ve tried boot-time scans with Avast and Malwarebytes, but the problem is still with me.

I’ve downloaded and run the programs you usually advise and attached the log files below.
Looking forward to your help.
Jim

Hi, MBAM is incomplete, try reattaching it.

If CryptoWall is on your computer, your files should be encrypted. Is that so? You should also have a Police Page opening on bootup OR every time you open a webpage… Can you confirm that as well?

You also appear to be infected with tor4pay (aka CryptoWall).

InternetURL: C:\Users\Kathy-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTALL_TOR.URL → hxxps://paytordmbdekmizq.tor4pay.c0m/d6Ypiv

2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\Documents\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\Roaming\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\Local\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\INSTALL_TOR.URL
2014-10-21 11:27 - 2014-10-21 11:27 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:27 - 2014-10-21 11:27 - 00004198 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:27 - 2014-10-21 11:27 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL

I will notify Essexboy immediately so you can get help, as I believe this is extremely serious.

Edit: Took out the active malicious link

A programme has recently been released that has some success in decrypting files.

Prior to the Tor malware, did you have alerts about blocked websites? If so, did you disable the Avast Web Shield?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

InternetURL: C:\Users\Kathy-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTALL_TOR.URL -> https://paytordmbdekmizq.tor4pay.com/d6Ypiv  
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
2014-10-21 11:28 - 2014-10-21 11:28 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00004198 _____ () C:\Users\Kathy-\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\Documents\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\Roaming\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\Local\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\AppData\INSTALL_TOR.URL
2014-10-21 11:27 - 2014-10-21 11:27 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:27 - 2014-10-21 11:27 - 00004198 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-21 11:27 - 2014-10-21 11:27 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-21 11:20 - 2014-10-21 11:20 - 00000944 ____H () C:\ProgramData\@system2.att
2014-10-21 11:20 - 2014-10-21 11:20 - 00000448 ____H () C:\Users\Kathy-\AppData\Roaming\麽鎒駓覜
2014-10-19 17:57 - 2014-10-20 22:37 - 00003860 _____ () C:\Windows\System32\Tasks\{4338BE20-A819-41BE-16E1-ECF3242666FA}
2014-10-19 17:57 - 2014-10-19 17:57 - 00070656 _____ () C:\Windows\system32\fxvajc.dll
2014-10-19 17:57 - 2014-10-19 17:57 - 00000000 _____ () C:\Windows\system32\wxqed.dll
2014-10-17 19:11 - 2014-10-20 22:37 - 00003014 _____ () C:\Windows\System32\Tasks\{9AE62403-C30D-475C-B07A-EC21B695A037}
Task: {65280C26-3085-41C9-8FB6-55FA4C43C86C} - System32\Tasks\{4338BE20-A819-41BE-16E1-ECF3242666FA} => C:\Windows\system32\fxvajc.dll [2014-10-19] ()
EmptyTemp: 
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop.
Extract Anti-CryptorBitV2 to the desktop and run it.

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions.

Here’s the log file from the most recent run of FRST64, and thanks for your help.
Oh, one last thing. I really don’t care at all about the encrypted files that I’m going to lose. There really isn’t anything of value on this computer. It’s used solely for online gaming. No important docs, images, movies, no attached storage, and no links to cloud storage. My goal is to ensure that they can’t get back into the computer again, not to recover the files.

Jim

How is the computer behaving now?

My apologies. I’ve been very tied up with a project at work and practically living there. No time to put into this computer till today.
The problem is still with me. Avast still reports that it’s repeatedly blocking malicious web sites. Is there a next step that I can take?

Yes, could I have a fresh FRST scan please, and a screenshot of the Avast alert?

In response to your request.

Could you manually delete the following folder please, as my tools cannot handle the coding:

C:\Users\Kathy-\AppData\Roaming\麽鎒駓覜

Also, could you post the Addition.txt that was generated?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1699977870-1126029260-2032547726-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
CMD: netsh advfirewall reset 
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog 
CMD: netsh int ip reset c:\resetlog.txt  
CMD: ipconfig /release 
CMD: ipconfig /renew

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Done. Here’s the Addition file from the previous run and the fixlog from tonight’s run.

Run this and let me know what problems are outstanding.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Task: {75602269-F6A3-4E14-8431-1D9554B6D1FC} - \{9AE62403-C30D-475C-B07A-EC21B695A037} No Task File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-1699977870-1126029260-2032547726-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
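As an added example (not from this thread, from FRST or from its author), a small Python triage script that reads FRST-style log lines like those quoted above and flags the two things the helper spotted by eye: the same file dropped into many directories within a few minutes (the ransom-note pattern left by CryptoWall's DECRYPT_INSTRUCTION and INSTALL_TOR files) and a CLSID LocalServer32 value that runs `rundll32.exe javascript:` (the registry-resident loader FRST tags as Poweliks). The sample log is constructed from the entries in the thread, with the CustomCLSID data abbreviated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample in FRST's "created - modified - size attrs () path" format,
# modelled on the entries quoted in this thread; the CustomCLSID data is abbreviated.
SAMPLE_LOG = r"""
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00008516 _____ () C:\Users\Kathy-\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:27 - 2014-10-21 11:27 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\INSTALL_TOR.URL
2014-10-21 11:28 - 2014-10-21 11:28 - 00000272 _____ () C:\Users\Kathy-\Documents\INSTALL_TOR.URL
2014-10-20 09:00 - 2014-10-20 09:00 - 00001024 _____ () C:\Users\Kathy-\Documents\notes.txt
CustomCLSID: HKU\S-1-5-21-1699977870-1126029260-2032547726-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")
"""

FILE_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - \S+ \S+ - (\d+) \S+ \(\) (.+)$")
# A CLSID LocalServer32 value that has rundll32 run mshtml's RunHTMLApplication on a
# javascript: URL is the registry-resident loader FRST tags as "Poweliks".
POWELIKS = re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.IGNORECASE)

def find_ransom_note_drops(log, min_dirs=3, window=timedelta(minutes=5)):
    """Files (same name and size) dropped into >= min_dirs directories within `window`."""
    dirs, stamps = defaultdict(set), defaultdict(list)
    for line in log.splitlines():
        m = FILE_LINE.match(line)
        if not m:
            continue
        path = PureWindowsPath(m.group(3))
        key = (path.name, int(m.group(2)))
        dirs[key].add(str(path.parent))
        stamps[key].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"))
    return sorted(
        (name, size, len(found))
        for (name, size), found in dirs.items()
        if len(found) >= min_dirs and max(stamps[(name, size)]) - min(stamps[(name, size)]) <= window
    )

def find_poweliks_persistence(log):
    """Return the registry lines that carry the rundll32 javascript: loader."""
    return [line.strip() for line in log.splitlines() if POWELIKS.search(line)]

if __name__ == "__main__":
    for name, size, n in find_ransom_note_drops(SAMPLE_LOG):
        print(f"ransom-note pattern: {name} ({size} bytes) in {n} directories")
    for line in find_poweliks_persistence(SAMPLE_LOG):
        print("registry-resident loader:", line[:70])
```

Point it at the "One month created" section of a real FRST.txt to see which file names were mass-dropped; ordinary user files rarely share a name, size and creation minute across several directories.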

The log from the last run of FRST.

How is the computer behaving now?

Seems to be back to normal, no anomalous behavior at all. And I greatly appreciate your help.

In that case methinks I will send you on your merry way

Subject to no further problems

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.