paytordmbdekmizq.tor4pay Virus

Yesterday my computer began to slow down, and it opened a bunch of Google Chrome windows with random HTML code. When I closed them they would reopen, so I turned off my laptop. Now every time I restart my computer a txt document opens and Chrome opens and displays this stupid website asking me to pay them: http://paytordmbdekmizq.tor4pay.com/sUeoU4 and a bunch of my files seem to have been changed to Chrome HTML files.

After seeing this I ran Malwarebytes and it removed a few objects, then I ran a full scan with Avast, but it didn't find anything. I also went through my hard drive looking for suspicious programs and removed them. But my files haven't gone back to normal and I still get the Chrome page with the website every time I restart.

Someone PLEASE HELP!

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Thank you for the fast reply Asyn

I attached my logs that you requested.

Good job, now you'll have to wait a bit…

I see that you have run ComboFix, could you attach the log for that please.

Also, what type of files are encrypted?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

HKU\S-1-5-21-2080235330-2162388421-4261430106-1001\...\Run: [chromium] => C:\Users\TJ\AppData\Local\Google\Chrome\Application\chrome.exe [852808 2014-09-03] (Google Inc.)
HKU\S-1-5-21-2080235330-2162388421-4261430106-1001\...\Run: [Google Update] => C:\Users\TJ\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-12-25] (Google Inc.)
HKU\S-1-5-21-2080235330-2162388421-4261430106-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [chromium] => C:\Users\TJ\AppData\Local\Google\Chrome\Application\chrome.exe [852808 2014-09-03] (Google Inc.)
HKU\S-1-5-21-2080235330-2162388421-4261430106-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Google Update] => C:\Users\TJ\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-12-25] (Google Inc.)
InternetURL: C:\Users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTALL_TOR.URL -> https://paytordmbdekmizq.tor4pay.com/kvcw02
SearchScopes: HKCU - {C77518A9-7A6C-4E3B-99B6-99B0DC39237C} URL =
CHR StartMenuInternet: Google Chrome - C:\Users\TJ\AppData\Local\Google\Chrome\Application\chrome.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 X6va011; \??\C:\WINDOWS\SysWOW64\Drivers\X6va011 [X]
S3 X6va012; \??\C:\WINDOWS\SysWOW64\Drivers\X6va012 [X]
2014-10-14 21:27 - 2014-10-14 21:27 - 00008518 _____ () C:\Users\TJ\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:27 - 2014-10-14 21:27 - 00008518 _____ () C:\Users\TJ\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:27 - 2014-10-14 21:27 - 00004200 _____ () C:\Users\TJ\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:27 - 2014-10-14 21:27 - 00004200 _____ () C:\Users\TJ\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:27 - 2014-10-14 21:27 - 00000274 _____ () C:\Users\TJ\AppData\Roaming\INSTALL_TOR.URL
2014-10-14 21:27 - 2014-10-14 21:27 - 00000274 _____ () C:\Users\TJ\AppData\INSTALL_TOR.URL
2014-10-14 21:26 - 2014-10-14 21:26 - 00008518 _____ () C:\Users\TJ\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:26 - 2014-10-14 21:26 - 00004200 _____ () C:\Users\TJ\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:26 - 2014-10-14 21:26 - 00000274 _____ () C:\Users\TJ\AppData\Local\INSTALL_TOR.URL
2014-10-14 21:23 - 2014-10-14 21:23 - 00008518 _____ () C:\Users\Guest\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:23 - 2014-10-14 21:23 - 00008518 _____ () C:\Users\Guest\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:23 - 2014-10-14 21:23 - 00008518 _____ () C:\Users\Guest\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:23 - 2014-10-14 21:23 - 00004200 _____ () C:\Users\Guest\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:23 - 2014-10-14 21:23 - 00004200 _____ () C:\Users\Guest\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:23 - 2014-10-14 21:23 - 00004200 _____ () C:\Users\Guest\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:23 - 2014-10-14 21:23 - 00000274 _____ () C:\Users\Guest\INSTALL_TOR.URL
2014-10-14 21:23 - 2014-10-14 21:23 - 00000274 _____ () C:\Users\Guest\AppData\Local\INSTALL_TOR.URL
2014-10-14 21:23 - 2014-10-14 21:23 - 00000274 _____ () C:\Users\Guest\AppData\INSTALL_TOR.URL
2014-10-14 19:51 - 2014-10-14 19:51 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-14 19:51 - 2014-10-14 19:51 - 00004198 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-14 19:51 - 2014-10-14 19:51 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
C:\ProgramData\hash.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
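As an added example (not part of this thread and not FRST's own code), here is a small Python triage script for fixlist/log lines of the shape quoted above. It sorts the entries into what they actually are: the ransom-note drops (DECRYPT_INSTRUCTION.HTML/.TXT and INSTALL_TOR.URL) are indicators, and the folders they landed in show where the encryptor walked; the INSTALL_TOR.URL shortcut in the Startup folder and the per-user Run entries that relaunch Chrome are the persistence that kept the payment page coming back at every boot; the orphaned S3 drivers and the Chrome policy restriction are items to review. It also pulls the payment URLs apart into the .onion name (the subdomain in front of the tor4pay/pay2tor/tor2pay/pay4tor gateway hosts, which the ransom note later gives as paytordmbdekmizq.onion) and the per-victim path ID. The sample text is constructed from the fixlist entries above; the regexes are assumptions about FRST's line format for exactly those entry types, not a complete FRST parser.

```python
"""Triage FRST-style fixlist/log lines for CryptoWall 2.0 artifacts.

Added example for this thread; not FRST code and not from the original post.
The regexes are assumptions about the line shapes visible in the fixlist
(Run:, InternetURL:, S3 service, dated file entries), not a full FRST grammar.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the fixlist entries quoted in the thread.
SAMPLE_FRST = r"""
HKU\S-1-5-21-2080235330-2162388421-4261430106-1001\...\Run: [chromium] => C:\Users\TJ\AppData\Local\Google\Chrome\Application\chrome.exe [852808 2014-09-03] (Google Inc.)
HKU\S-1-5-21-2080235330-2162388421-4261430106-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Google Update] => C:\Users\TJ\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-12-25] (Google Inc.)
InternetURL: C:\Users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INSTALL_TOR.URL -> https://paytordmbdekmizq.tor4pay.com/kvcw02
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 X6va011; \??\C:\WINDOWS\SysWOW64\Drivers\X6va011 [X]
2014-10-14 21:27 - 2014-10-14 21:27 - 00008518 _____ () C:\Users\TJ\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-14 21:27 - 2014-10-14 21:27 - 00004200 _____ () C:\Users\TJ\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-14 21:27 - 2014-10-14 21:27 - 00000274 _____ () C:\Users\TJ\AppData\Roaming\INSTALL_TOR.URL
2014-10-14 19:51 - 2014-10-14 19:51 - 00008516 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
C:\ProgramData\hash.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "INSTALL_TOR.URL"}

# Payment page on a clearnet Tor gateway: <onion-name>.<gateway>.com/<victim id>.
PAY_URL_RE = re.compile(
    r"https?://(?P<onion>[a-z2-7]+)\.(?P<gateway>tor4pay|pay2tor|tor2pay|pay4tor)\.com/(?P<pid>[A-Za-z0-9]+)"
)
# HKU\<SID>[-{GUID}-n]\...\Run: [name] => path [size date] (publisher)
RUN_RE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[\d-]+?)(?:-\{[0-9A-Fa-f-]+\}-\d+)?\\\.\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] => (?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]"
)
URL_RE = re.compile(r"^InternetURL: (?P<path>.+?) -> (?P<url>\S+)$")
SERVICE_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.+?) \[X\]$")  # [X] = file missing
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?P<size>\d+) _____ \(\) (?P<path>.+)$"
)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S")


def triage(frst_text: str) -> dict:
    """Group FRST lines into finding categories and collect the ransom-page IOCs."""
    findings = defaultdict(list)
    iocs = {"onion_names": set(), "personal_ids": set(), "gateways": set()}

    def harvest_urls(text: str) -> None:
        for m in PAY_URL_RE.finditer(text):
            iocs["onion_names"].add(m["onion"])
            iocs["personal_ids"].add(m["pid"])
            iocs["gateways"].add(m["gateway"] + ".com")

    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            # Chrome itself is legitimate; the point is that a user-hive Run entry
            # relaunches it at every logon, which is how the ransom page kept coming back.
            findings["run_keys"].append({"sid": m["sid"], "name": m["name"], "path": m["path"]})
        elif m := URL_RE.match(line):
            harvest_urls(m["url"])
            cat = "startup_persistence" if "\\Startup\\" in m["path"] else "url_shortcuts"
            findings[cat].append({"path": m["path"], "url": m["url"]})
        elif m := SERVICE_RE.match(line):
            findings["orphan_services"].append({"name": m["name"], "path": m["path"]})
        elif m := FILE_RE.match(line):
            if m["path"].rsplit("\\", 1)[-1].upper() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(m["path"])
            else:
                findings["other_dated_files"].append(m["path"])
        elif "Policy restriction" in line:
            findings["browser_policy"].append(line)
        elif BARE_PATH_RE.match(line):
            findings["listed_files"].append(line)
        elif line.endswith(":") or line.startswith("CMD:"):
            findings["directives"].append(line)
        else:
            findings["unparsed"].append(line)
    return {"findings": dict(findings), "iocs": {k: sorted(v) for k, v in iocs.items()}}


def affected_dirs(report: dict) -> list:
    """Directories that received a ransom note, i.e. where the encryptor walked."""
    return sorted({p.rsplit("\\", 1)[0] for p in report["findings"]["ransom_notes"]})


if __name__ == "__main__":
    report = triage(SAMPLE_FRST)
    for category, items in report["findings"].items():
        print(f"{category} ({len(items)})")
        for item in items:
            print("   ", item)
    print("IOCs:", report["iocs"])
    print("Folders with notes:", affected_dirs(report))
```

Run it against a real FRST.txt by reading the file into `triage()`; anything it cannot classify ends up under "unparsed" so you can see what the regexes missed rather than silently dropping it.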

Ok, I have attached the ComboFix logs. The affected files all seem to be movies, pictures and music, so mp3s, jpg/png, and movies in various formats. Also, when I ran that fix it restarted my computer when it was done but did not provide a log, should I just run it again?
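An added example (not from the thread) for the question of which files are encrypted: CryptoWall 2.0 kept file names and extensions, so the quick way to tell an encrypted .mp3 or .jpg from an intact one is to check whether its first bytes still carry the format's magic signature and, if they do not, whether the contents look uniformly random (Shannon entropy close to 8 bits per byte). A low-entropy mismatch is something else, such as a text file under the wrong extension, not encryption. The script reads only the first 4 KiB of each file, so a whole drive scans quickly. The sample files are constructed in a temporary directory; the signature table is a hand-picked subset of well-known file signatures, not an exhaustive one.

```python
"""Find media files whose contents no longer match their extension.

Added example for this thread, not from the original post. CryptoWall 2.0
left file names and extensions alone, so an .mp3 or .jpg that has lost its
format's magic bytes and now looks uniformly random is a likely victim.
"""
import math
import os
import tempfile
from collections import Counter

# Hand-picked subset of well-known file signatures: extension -> [(offset, bytes)].
MAGIC = {
    ".jpg":  [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png":  [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    ".mp3":  [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3"), (0, b"\xff\xf2")],
    ".mp4":  [(4, b"ftyp")],
    ".m4v":  [(4, b"ftyp")],
    ".avi":  [(8, b"AVI ")],
    ".wav":  [(8, b"WAVE")],
    ".pdf":  [(0, b"%PDF")],
    ".docx": [(0, b"PK\x03\x04")],
}
RANDOM_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the sample in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, head: bytes):
    """True/False when the extension is known; None when we have no signature for it."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(head[off:off + len(sig)] == sig for off, sig in sigs)


def classify(path: str, sample_size: int = 4096) -> str:
    """Verdict for one file: intact, likely-encrypted, corrupt-or-renamed, unknown-type."""
    ext = os.path.splitext(path)[1]
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    match = header_matches(ext, head)
    if match is None:
        return "unknown-type"
    if match:
        return "intact"
    # Header is gone. Random-looking bytes mean it was encrypted in place; low
    # entropy means plain text or another format under a wrong name.
    return "likely-encrypted" if shannon_entropy(head) > RANDOM_THRESHOLD else "corrupt-or-renamed"


def scan(root: str) -> dict:
    """Classify every file under root whose extension has a signature in MAGIC."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in MAGIC:
                full = os.path.join(dirpath, name)
                verdicts[full] = classify(full)
    return verdicts


def build_sample(root: str) -> None:
    """Constructed fixture: intact media, one file 'encrypted' in place, one mislabelled text file."""
    samples = {
        "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 200,
        "song.mp3":    b"ID3\x03\x00\x00" + b"\x00" * 200,
        "clip.mp4":    b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 200,
        "holiday.png": os.urandom(4096),          # stands in for ciphertext written over the image
        "notes.jpg":   b"just some text\n" * 40,  # wrong extension, not encryption
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the fixture in a temp dir, scan it, and return {basename: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return {os.path.basename(p): v for p, v in scan(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:20} {name}")
```

Point `scan()` at the user profile (or the whole drive) to get a per-file list; the "likely-encrypted" set is what you would hand to a decryption service or restore from backup, and "corrupt-or-renamed" deserves a manual look before being written off.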

Ok, I didn’t see that the fixlog was saved. Found it.

Is this the text which shows up for you?
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. https://paytordmbdekmizq.tor4pay.com/gLsmm
2. https://paytordmbdekmizq.pay2tor.com/gLsmm
3. https://paytordmbdekmizq.tor2pay.com/gLsmm
4. https://paytordmbdekmizq.pay4tor.com/gLsmm

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: paytordmbdekmizq.onion/gLsmm
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.tor4pay.com/gLsmm
Your personal page (using TOR): paytordmbdekmizq.onion/gLsmm
Your personal identification number (if you open the site (or TOR's) directly): gLsmm

Yea, that is exactly it.

Do not go to the tor4pay pages as they are not certified and may be dangerous.

Use this page https://www.decryptcryptolocker.com/

You will need to upload one file for analysis; if they can unlock it they will e-mail you the link for a decryption programme.

If not, you have lost those files.

Wow, that sucks. Okay, but the virus is indeed off my comp then?

Yes, the virus has gone, but you will need to upload a file to see if they can be decrypted.

Could you confirm that Chrome no longer opens on boot?

Yes, it is no longer opening on boot, thank you so much for the help. The decrypter you linked doesn't seem to be working though, so I guess I'll just have to lose the files. Thanks so much for your help.

The best thing to do is have a prevention in place first…

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Okay, all of those things are done. Thanks so much! I'll repost in 24hrs to let ya know how things are going! :slight_smile:

OK, CryptoPrevent will be your first line of defence against this sort of attack.

So it's 24hrs later and the virus is still gone. The only problem I'm having now is trying to play games. Whenever I try to play League of Legends I get a "server could not be contacted" message. I have tried to uninstall and reinstall multiple times and I still get the same message when I try to log in. This has only started happening since I removed the virus.

Open an elevated command prompt and type in the following commands, pressing Enter after each:

ipconfig /flushdns
netsh int ip reset c:\resetlog.txt
ipconfig /release
ipconfig /renew

Then reboot and try again.

Didn't work, still getting a "did not receive response from server" error message when I try to log in.

Is it just LoL that is giving problems?