Author Topic: CryptoWall 3.0.  (Read 6122 times)


REDACTED

  • Guest
CryptoWall 3.0.
« on: November 08, 2015, 01:53:26 PM »
Hi,
my computer was probably attacked by the CryptoWall 3.0 virus. The virus encrypts files on my computer and leaves HELP_DECRYPT.PNG, HELP_DECRYPT.HTML and HELP_DECRYPT.TXT files in the attacked folders. Avast shows numerous alerts that it is moving the virus to the Chest. It shows 'help_decrypt.url' as the name, the original location of the attacked files, and "INI:Shortcut-inf[Trj]" as the virus. However, it still continues encrypting more and more files. Do you know how I can stop it and remove the virus from my computer? I am not interested in recovery of the encrypted files at the moment, I just want to stop the virus doing it and remove it from my computer forever.

Thank you for advice

Offline Pondus

Re: CryptoWall 3.0.
« Reply #1 on: November 08, 2015, 01:57:07 PM »
Follow Instructions here https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs ....  3 logs total


See below the box you write in ... Attachments and other options


Offline Eddy

Re: CryptoWall 3.0.
« Reply #2 on: November 08, 2015, 01:58:14 PM »
Follow the instructions in the sticky at the top of this forum and attach the logs to your post.

Please do not empty the chest as there can be files that are needed for decryption.

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #3 on: November 09, 2015, 08:37:56 PM »
Hi,
attached are logs as specified in instructions. Thank you for your help

Offline essexboy

Re: CryptoWall 3.0.
« Reply #4 on: November 10, 2015, 04:04:23 PM »
Did you get this as an e-mail attachment?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c6391] => C:\Windows\syswow64\regsvr32.exe C:\e7c63910\e7c63910.dll
HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c63910] => C:\Windows\syswow64\regsvr32.exe C:\Windows\system32\config\SYSTEM~1\AppData\Roaming\e7c63910.dll <===== ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
R1 {d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64; C:\Windows\System32\drivers\{d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64.sys [48776 2015-11-07] (StdLib)
2015-11-08 13:43 - 2015-11-09 20:14 - 00000000 ____D C:\curaci
2015-11-07 23:33 - 2015-11-07 23:33 - 00000000 ___HD C:\e7c63910
2015-11-07 21:19 - 2015-11-07 08:25 - 00048776 _____ (StdLib) C:\Windows\system32\Drivers\{d3f6ae1b-5020-49f7-b46f-4feada63b7e5}Gw64.sys
2015-11-07 23:33 - 2015-11-07 23:33 - 0166912 _____ (Oracle Corporation) C:\Users\Martin\AppData\Roaming\e7c63910.dll
Task: {DF4D2655-B8AE-481E-A73E-85046E23058F} - System32\Tasks\ProgramRefresh-ATFST => C:\Program Files (x86)\File Type Assistant\tsasetup.exe [2014-06-08] (                                                            ) <==== ATTENTION
C:\Program Files (x86)\File Type Assistant
C:\Users\Martin\AppData\Roaming\e7c63910.dll
C:\e7c63910
CMD: del /F /Q /S "C:\HELP_DECRYPT.TXT"
CMD: del /F /Q /S "C:\HELP_DECRYPT.HTML"
CMD: del /F /Q /S "C:\HELP_DECRYPT.PNG"
CMD: del /F /Q /S "C:\HELP_DECRYPT.URL"
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #5 on: November 10, 2015, 06:18:07 PM »
I have run the fix as described. The fix finished and it wanted to restart the computer, but when I came back to Windows after the restart, the folder with FRST and the log was deleted. Do you know what happened? Should I run it again?

I did not get it as an e-mail attachment. I probably got it when I downloaded an mkv player, or somewhere when browsing the internet, I am not sure.

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #6 on: November 10, 2015, 06:35:01 PM »
Sorry, I did not realize that the folder was moved to Quarantine under the FRST folder. The log is attached. Thank you.

Offline essexboy

Re: CryptoWall 3.0.
« Reply #7 on: November 10, 2015, 06:46:04 PM »
Could you re-run the fix please as it did not appear to take

Download Farbar Recovery Scan Tool  to your desktop
Download the attached fixlist.txt to the same location as FRST
Start FRST and press fix
After the reboot there should be a log on your desktop please post that


REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #8 on: November 10, 2015, 07:16:52 PM »
I ran it again, the log is attached. Thank you.

Offline essexboy

Re: CryptoWall 3.0.
« Reply #9 on: November 10, 2015, 07:19:55 PM »
OK, that has killed the encryptor and removed all HELP_DECRYPT files.

How many of your files are encrypted?

Scan with IDTool
 
Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
  • Enter the IDTool directory, right-click on icon and select Run as Administrator to start the tool.
  • IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree.
  • Wait patiently until the tool collects the necessary data.
  • Once the main console is loaded, please press Rescan Computer and Generate a New Report.
  • When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
  • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience
Please include that content in your next reply.

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #10 on: November 10, 2015, 07:35:20 PM »
Attached is the report from IDTool.

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #11 on: November 10, 2015, 07:42:09 PM »
According to the log, Farbar deleted 755 help_decrypt.txt files, so I guess this is the number of encrypted files...

Offline essexboy

Re: CryptoWall 3.0.
« Reply #12 on: November 10, 2015, 08:25:39 PM »
No, it just dumps those files all over the system.

Well, it was CryptoWall; here is some data on it.

Unfortunately, whether you can recover any files is moot.

Previous Versions
  • Right-click the file/folder and click Properties.
  • Click Previous Versions.
  • This tab will list all copies of the file and the date they were backed up.
  • To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
  • If you wish to restore the selected file and replace the existing one, click Restore
  • If you wish to view the contents of the file before restoring, click Open.
ShadowExplorer
  • Please download ShadowExplorer and save the file to your Desktop
  • Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract
  • Right-Click ShadowExplorer.exe and select to run the programme.
  • You will see a drop-down menu with the shadow copies of all partitions and disks present.
  • Click C:\ from the drop-down menu.
  • To the right, pick a date prior to the infection from the drop-down menu.
  • To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.
File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.
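A small triage script that turns two points from this thread into checks (an added example, not code from the forum, Avast or FRST): the Run-key persistence seen in essexboy's fixlist in reply #4 (regsvr32 loading a DLL from a root-level random directory or from AppData) and reply #12's point that the HELP_DECRYPT notes are dumped per folder rather than one per encrypted file. The two flagged Run lines are copied from the fixlist; the benign Run entry and the file paths are constructed samples.

```python
import ntpath
import re
from collections import Counter

# FRST lists autostart entries as:  <hive>\...\Run: [<name>] => <command>
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
LOADERS = ("regsvr32.exe", "rundll32.exe")
# DLL under AppData/Temp/a user profile, or in a directory straight off the
# drive root (C:\e7c63910\e7c63910.dll): the pattern in the fixlist above.
WRITABLE_RE = re.compile(
    r"\\(appdata|temp|users\\[^\\]+)\\|^[a-z]:\\[^\\]+\\[^\\]+\.dll$", re.I)
# Ransom-note file names named in the thread.
NOTE_NAMES = {"help_decrypt." + ext for ext in ("txt", "html", "png", "url")}

# First two lines copied from the fixlist; the third is a constructed benign entry.
SAMPLE_RUN_LINES = [
    r"HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c6391] => "
    r"C:\Windows\syswow64\regsvr32.exe C:\e7c63910\e7c63910.dll",
    r"HKU\S-1-5-21-2342202695-1248839866-1428999424-1000\...\Run: [e7c63910] => "
    r"C:\Windows\syswow64\regsvr32.exe C:\Windows\system32\config\SYSTEM~1\AppData\Roaming\e7c63910.dll",
    r"HKLM\...\Run: [ExampleUpdater] => C:\Windows\system32\regsvr32.exe C:\Program Files\Example\updater.dll",
]
# Constructed file listing: two folders hit by the malware, plus ordinary files.
SAMPLE_PATHS = [
    r"C:\Users\Martin\Documents\HELP_DECRYPT.TXT", r"C:\Users\Martin\Documents\HELP_DECRYPT.HTML",
    r"C:\Users\Martin\Documents\HELP_DECRYPT.PNG", r"C:\Users\Martin\Documents\HELP_DECRYPT.URL",
    r"C:\Users\Martin\Documents\report.docx",
    r"C:\Users\Martin\Pictures\HELP_DECRYPT.TXT", r"C:\Users\Martin\Pictures\HELP_DECRYPT.HTML",
    r"C:\Users\Martin\Pictures\holiday.jpg",
]

def suspicious_run_entries(lines):
    """Return (name, dll) for Run entries that use regsvr32/rundll32 to load a DLL
    from a location a normally installed product would not use."""
    hits = []
    for line in lines:
        m = RUN_RE.search(line)
        if not m:
            continue
        loader, _, target = m.group("cmd").partition(" ")  # assumes the loader path has no spaces
        if loader.lower().endswith(LOADERS) and WRITABLE_RE.search(target):
            hits.append((m.group("name"), target))
    return hits

def ransom_note_summary(paths):
    """Return (note_count, folder_count). The notes are dropped as a set in every
    folder the malware touches, so the count tracks folders, not encrypted files."""
    per_folder = Counter()
    for p in paths:
        folder, name = ntpath.split(p)
        if name.lower() in NOTE_NAMES:
            per_folder[folder] += 1
    return sum(per_folder.values()), len(per_folder)
```

Run the two functions over a real FRST log's Run lines and a recursive file listing to get the same two answers for an actual machine.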

REDACTED

  • Guest
Re: CryptoWall 3.0.
« Reply #13 on: November 10, 2015, 10:39:38 PM »
OK, thank you. Does it mean that the virus is out of my computer now?

Offline essexboy

Re: CryptoWall 3.0.
« Reply #14 on: November 11, 2015, 03:49:36 PM »
As far as I can see it has gone. Are you experiencing any problems?