paytordmbdekmizq virus issues

The message listed below has popped up on my PC. I also notice that there seem to be a lot of attempts by C:\windows\syswow64\dllhost.exe to send traffic out from my PC. Any help you can give would be greatly appreciated!! I have attached the required files; the aswMBR scan ran for over 17 hours and did not complete, so I attached the log of what it had.

I can still get to the internet, but Outlook is not functioning and I cannot open Office-based files.


What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.https://paytordmbdekmizq.tor4pay.com/1R5ag1g
2.https://paytordmbdekmizq.pay2tor.com/1R5ag1g
3.https://paytordmbdekmizq.tor2pay.com/1R5ag1g
4.https://paytordmbdekmizq.pay4tor.com/1R5ag1g

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: paytordmbdekmizq.onion/1R5ag1g
4.Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.tor4pay.com/1R5ag1g
Your personal page (using TOR): paytordmbdekmizq.onion/1R5ag1g
Your personal identification number (if you open the site (or TOR 's) directly): 1R5ag1g

Looks like you had a bad day here

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [zzzHPSETUP] => E:\Setup.exe
HKU\S-1-5-21-1218431557-1384969546-3736296599-1000\...\Run: [muisfld] => C:\Windows\system32\rundll32.exe "C:\Users\Wiesemann\AppData\Local\muisfld.dll",muisfld <===== ATTENTION
HKU\S-1-5-21-1218431557-1384969546-3736296599-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Run: [SearchProtect] => \SearchProtect\bin\cltmng.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1142338
SearchScopes: HKCU - {1E5D1BAA-3D2C-425F-B6C7-9146594F92E3} URL = 
SearchScopes: HKCU - {7CCAE996-E650-4D93-9488-4D05992FBAA8} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3282137&CUI=UN26257229253005715&UM=2
SearchScopes: HKCU - {8D3D8D5D-DAD1-4888-A4EF-86143756A25D} URL = 
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {930F1200-F5F1-4870-BAC6-E233EC8E7023} -  No File
2014-10-21 18:51 - 2014-10-21 18:51 - 00008544 _____ () C:\Users\Wiesemann\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:51 - 2014-10-21 18:51 - 00004216 _____ () C:\Users\Wiesemann\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:51 - 2014-10-21 18:51 - 00000278 _____ () C:\Users\Wiesemann\INSTALL_TOR.URL
2014-10-21 18:45 - 2014-10-21 18:45 - 00008544 _____ () C:\Users\Wiesemann\Downloads\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:45 - 2014-10-21 18:45 - 00004216 _____ () C:\Users\Wiesemann\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:45 - 2014-10-21 18:45 - 00000278 _____ () C:\Users\Wiesemann\Downloads\INSTALL_TOR.URL
2014-10-21 18:42 - 2014-10-21 18:42 - 00008544 _____ () C:\Users\Wiesemann\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:42 - 2014-10-21 18:42 - 00004216 _____ () C:\Users\Wiesemann\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:42 - 2014-10-21 18:42 - 00000278 _____ () C:\Users\Wiesemann\Documents\INSTALL_TOR.URL
2014-10-21 18:41 - 2014-10-21 18:41 - 00008544 _____ () C:\Users\Wiesemann\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:41 - 2014-10-21 18:41 - 00008544 _____ () C:\Users\Wiesemann\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:41 - 2014-10-21 18:41 - 00004216 _____ () C:\Users\Wiesemann\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:41 - 2014-10-21 18:41 - 00004216 _____ () C:\Users\Wiesemann\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:41 - 2014-10-21 18:41 - 00000278 _____ () C:\Users\Wiesemann\AppData\Roaming\INSTALL_TOR.URL
2014-10-21 18:41 - 2014-10-21 18:41 - 00000278 _____ () C:\Users\Wiesemann\AppData\INSTALL_TOR.URL
2014-10-21 18:37 - 2014-10-21 18:37 - 00008544 _____ () C:\Users\Wiesemann\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-21 18:37 - 2014-10-21 18:37 - 00004216 _____ () C:\Users\Wiesemann\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-21 18:37 - 2014-10-21 18:37 - 00000278 _____ () C:\Users\Wiesemann\AppData\Local\INSTALL_TOR.URL
2014-10-21 17:57 - 2014-10-21 17:57 - 00008544 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-21 17:57 - 2014-10-21 17:57 - 00008544 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-10-21 17:57 - 2014-10-21 17:57 - 00008544 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-21 17:57 - 2014-10-21 17:57 - 00004216 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-21 17:57 - 2014-10-21 17:57 - 00004216 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-10-21 17:57 - 2014-10-21 17:57 - 00000278 _____ () C:\Users\Public\INSTALL_TOR.URL
2014-10-21 17:57 - 2014-10-21 17:57 - 00000278 _____ () C:\Users\Public\Documents\INSTALL_TOR.URL
2014-10-21 17:53 - 2014-10-21 17:57 - 00004216 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-21 17:53 - 2014-10-21 17:57 - 00000278 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-21 17:08 - 2014-10-22 08:19 - 00000000 _____ () C:\ProgramData\B8BJ28~1.EXE.dmp
2014-10-21 16:58 - 2014-10-21 17:02 - 00000336 _____ () C:\Users\Wiesemann\AppData\Roaming\a0813f55
2014-10-21 16:58 - 2014-10-21 17:02 - 00000012 _____ () C:\Users\Wiesemann\AppData\Roaming\a0813f56
2014-10-21 15:08 - 2014-10-21 17:06 - 00000000 ____D () C:\Users\Wiesemann\AppData\Roaming\Ubfaonb
2014-10-21 14:59 - 2014-10-22 07:25 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-21 14:58 - 2014-10-22 07:50 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-21 14:58 - 2014-10-22 07:25 - 00001104 ____H () C:\ProgramData\@system2.att
C:\ProgramData\b8bj2886d8.exe
C:\Users\Public\AlexaNSISPlugin.8992.dll
C:\Users\Wiesemann\hpothb07.dat
2014-10-21 14:58 - 2014-10-21 14:58 - 00000448 ____H () C:\Users\Wiesemann\AppData\Roaming\麽鎒駓覜
CustomCLSID: HKU\S-1-5-21-1218431557-1384969546-3736296599-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {D6D3BE22-2E1E-4E95-8506-574B3F635666} - \Security Center Update - 2931896390 No Task File <==== ATTENTION
C:\Users\Wiesemann\AppData\Local\muisfld.dll

EmptyTemp: 
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop.
Extract Anti-CryptorBitV2 to the desktop and run it.

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
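As an added example (not code from this thread, from FRST, or from any tool named here), a small Python triage script that runs over constructed FRST-style log lines modelled on the ones in the fix above: it flags the Poweliks-style localserver32 entry, undoes the per-character +1 shift in the logged eval fragment to show what it actually reads, lists the orphaned scheduled task, and groups the CryptoWall note triplets by directory. Function and pattern names are my own assumptions, not FRST conventions.

```python
import re

# Indicator classes seen in the thread's FRST output (patterns are assumptions).
POWELIKS_RE = re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.I)
SHIFTED_RE = re.compile(r'eval\("(\S+)')            # obfuscated fragment after eval("
ORPHAN_TASK_RE = re.compile(r"^Task:.*No Task File", re.I)
PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")           # FRST puts the path last on file lines
NOTE_NAMES = frozenset({"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "INSTALL_TOR.URL"})

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    r'CustomCLSID: HKU\S-1-5-21-1218431557-1384969546-3736296599-1000_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:'
    r'"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds '
    r'(the data entry has 247 more characters). <==== Poweliks?',
    r"2014-10-21 18:51 - 2014-10-21 18:51 - 00008544 _____ () C:\Users\Wiesemann\DECRYPT_INSTRUCTION.HTML",
    r"2014-10-21 18:51 - 2014-10-21 18:51 - 00004216 _____ () C:\Users\Wiesemann\DECRYPT_INSTRUCTION.TXT",
    r"2014-10-21 18:51 - 2014-10-21 18:51 - 00000278 _____ () C:\Users\Wiesemann\INSTALL_TOR.URL",
    r"2014-10-21 17:57 - 2014-10-21 17:57 - 00008544 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML",
    r"Task: {D6D3BE22-2E1E-4E95-8506-574B3F635666} - \Security Center Update - 2931896390 No Task File <==== ATTENTION",
    r"2014-10-21 14:58 - 2014-10-22 07:50 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp",
]

def decode_shift(fragment, shift=1):
    """Reverse the per-character +1 shift used in the logged Poweliks fragment."""
    return "".join(chr(ord(ch) - shift) for ch in fragment)

def note_path(line):
    """Return the trailing path if the line names one of the CryptoWall note files."""
    m = PATH_RE.search(line)
    if m and m.group(1).rsplit("\\", 1)[-1].upper() in NOTE_NAMES:
        return m.group(1)
    return None

def triage(lines):
    """Return (kind, line_no, detail) tuples for every indicator found."""
    findings = []
    for n, line in enumerate(lines, 1):
        if POWELIKS_RE.search(line):
            m = SHIFTED_RE.search(line)
            findings.append(("poweliks_clsid", n, decode_shift(m.group(1)) if m else ""))
        elif ORPHAN_TASK_RE.match(line):
            findings.append(("orphan_task", n, ""))
        elif note_path(line):
            findings.append(("ransom_note", n, note_path(line)))
    return findings

def note_directories(findings):
    """Directories holding the complete HTML/TXT/URL note triplet."""
    by_dir = {}
    for kind, _, path in findings:
        if kind == "ransom_note":
            d, name = path.rsplit("\\", 1)
            by_dir.setdefault(d, set()).add(name.upper())
    return sorted(d for d, names in by_dir.items() if names == NOTE_NAMES)

if __name__ == "__main__":
    for kind, n, detail in triage(SAMPLE_LOG):
        print(f"line {n}: {kind} {detail}")
    print("full note triplets in:", note_directories(triage(SAMPLE_LOG)))
```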

How long should the FRST.exe with the fix take to run? I can tell that it has made some changes to the PC (for the better), but it has been running for almost 24 hours.

It should be done in minutes…

If FRST has generated a fix log then you may stop it; currently we are experiencing problems with the empty temp command.

I have run the prescribed scans/fixes. The necessary log files are attached. A few things:

  1. The outbound traffic issue involving dllhost.exe seems to be resolved. But now I am getting outbound traffic (which Malwarebytes is blocking) from C:\Windows\SysWOW64\svchost.exe
  2. I can now open Office based files
  3. I am receiving an error on some websites I go to that they need to be debugged (can still get to the sites if I ignore error)
  4. Will the methods I am following also end up cleaning my D:?

Thank you!!

Could you go to control panel > internet options > advanced tab
Press the Reset button at the bottom and OK out

Once done could you let me know what problems remain

Have completed last task.

Issues still seeing:

  1. Cannot open Outlook. The error is: Cannot open your default e-mail folders. The file C:\Users\Wiesemann\AppData\Local\Microsoft\Outlook\Outlook.pst is not a personal folders file.
  2. There is outbound traffic (which Malwarebytes is blocking) from C:\Windows\SysWOW64\svchost.exe
  3. Some websites I go to (including yours) are producing an error that they need to be debugged (can still get to the sites if I say No to the debug). Please see attached snapshot.
  4. I am still finding a trio of files, that seem to be associated with the infection, in numerous directories of both the C: and D: drives. These files are called DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and a shortcut for INSTALL_TOR

Could you run me a fresh FRST scan please

For the debug error, we will fix that after the next fix.

Attached is the latest Frst.txt. Thanks for the quick response.

Looks like I will need to use a stronger tool

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1218431557-1384969546-3736296599-500\...\Run: [SearchProtect] => C:\Users\Administrator\AppData\Roaming\SearchProtect\bin\cltmng.ex
HKU\S-1-5-21-1218431557-1384969546-3736296599-501\...\Run: [SearchProtect] => C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
2014-10-24 18:23 - 2014-10-24 18:23 - 00000000 _____ () C:\Users\Wiesemann\AppData\Roaming\icgyzuc.dll
2014-10-24 18:22 - 2014-10-24 18:22 - 00070656 _____ () C:\Users\Wiesemann\AppData\Roaming\miqlabq.dll
2014-10-24 18:22 - 2014-10-24 18:22 - 00036352 _____ () C:\Users\Wiesemann\AppData\Roaming\svvdn.dll
2014-10-24 18:22 - 2014-10-24 18:22 - 00004074 _____ () C:\Windows\System32\Tasks\{79DADABA-532F-5001-7D57-3D79842DD8A4}
2014-10-20 23:59 - 2014-10-21 12:00 - 00000000 ____D () C:\Users\Wiesemann\AppData\Local\{AD49B8E9-F778-4BA2-B3B8-5F835A11AD59}
2014-10-20 09:46 - 2014-10-20 09:46 - 00000000 ____D () C:\Users\Wiesemann\AppData\Local\{A99D0D99-E632-4A2D-A4E5-8CD5027D9FE8}
2014-10-05 19:25 - 2014-10-05 19:25 - 00000000 ____D () C:\Users\Wiesemann\AppData\Local\{339F2510-AE60-42B4-9B59-E785C7204D52}
C:\Users\Guest\AppData\Roaming\SearchProtect
C:\Users\Administrator\AppData\Roaming\SearchProtect
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Have completed the 2 fixes/scans and attached the logs. The ComboFix took about 9 hours to run.

Issues still seeing:

  1. Cannot open Outlook. The error is: Cannot open your default e-mail folders. The file C:\Users\Wiesemann\AppData\Local\Microsoft\Outlook\Outlook.pst is not a personal folders file.
  2. Some websites will not load. I have not tried many, but as an example I cannot get to your site, nor Google.
  3. I am still finding a trio of files, that seem to be associated with the infection, in numerous directories of both the C: and D: drives. These files are called DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and a shortcut for INSTALL_TOR

Unfortunately your PST file is encrypted and there is nothing that can be done about that

Could you manually delete those files please as my tools are not seeing them

I will now reset your DNS; once done, could you let me know if you are able to get to the sites, and if not, what error you get.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Ran the FRST with the DNS reset. I still cannot get to your site, nor search engine sites, or Facebook (randomly tried some sites) via IE. Though I do seem to be able to get to them via Chrome.

Log file is attached.

Could you go to control panel > internet options > advanced tab and press reset
OK out then try IE again please

Ok… we are back up and running. IE is working as it should now. I was able to get email running again, but lost about 1 year's worth of email. It is better than losing it all.

Can you please give any tips regarding prevention?

Thank you!!

Pay particular attention to the cryptoprevent programme as that is designed for this type of infection

Subject to no further problems

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes: update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.