Author Topic: Avast constantly blocking xmlka and all files are encrypted  (Read 4614 times)


REDACTED

  • Guest
Avast constantly blocking xmlka and all files are encrypted
« on: April 28, 2016, 09:37:12 PM »
My computer has been running slowly lately, and I keep getting an avast popup blocking htxp://xmlka.com/click?app=app18&click=f7bc9e0d-8632-4e93-b94f-5e7c2992d3ac&search=cc2eb43b-f74f-489a-b1bc-9d588393c90f&feed=25106&subid=1917 with the process C:\Windows\System32\msiexec.exe and C:\Windows\System32\conhost.exe, and htxp://104.193.252.236/adsc.php?sid=1917 with the process C:\Windows\System32\explorer.exe.
I've run a full and boot-time scan in avast, a malwarebytes scan, FRST64 and aswMBR, and also I'm being flooded by dllhost processes.

And last, I lost all my data: I got all my files encrypted, and the file extension is .crypt.


Please help!  :'(


Here are the logs from the scans.
« Last Edit: April 28, 2016, 10:13:52 PM by pechin04 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #1 on: April 28, 2016, 09:47:17 PM »
It appears that you have been hit by a ransomware Trojan.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
2016-04-27 08:40 - 2016-04-27 14:28 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2016-04-27 08:40 - 2016-04-27 08:40 - 00000003 _____ C:\ProgramData\9D52BB4580A0.dat
2016-04-27 08:23 - 2016-04-27 08:23 - 00000000 ____D C:\Users\Pechin_2\AppData\LocalLow\{30B3526A-FC72-4909-AD53-4A60090BA363}
2016-04-24 11:49 - 2016-04-27 13:35 - 02234901 _____ C:\Users\Pechin_2\Downloads\products.pdf.crypt
2016-04-22 10:52 - 2015-09-14 00:09 - 02073600 ____N C:\WINDOWS\SysWOW64\DlgSearchEngine.dll
2016-04-22 10:52 - 2015-03-11 21:43 - 00226424 _____ C:\WINDOWS\system32\SBuySupplies.exe
2016-04-22 10:52 - 2015-03-11 21:43 - 00158016 _____ C:\WINDOWS\system32\us003ci.exe
2016-04-22 10:52 - 2015-03-11 21:43 - 00089600 _____ (SS) C:\WINDOWS\system32\us003ci.dll
2016-04-22 10:52 - 2015-03-11 21:43 - 00022528 _____ () C:\WINDOWS\system32\us003lm.dll
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\Display.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\Display.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
C:\Users\Pechin_2\AppData\Local\Temp\{4B934FFA-9360-4A1D-88A3-A2619F905355}
C:\Users\Pechin_2\AppData\LocalLow\{30B3526A-FC72-4909-AD53-4A60090BA363}
C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: del /F /Q /S "C:\de_crypt_readme.HTML"
CMD: del /F /Q /S "C:\de_crypt_readme.PNG"
CMD: del /F /Q /S "C:\de_crypt_readme.URL"
CMD: del /F /Q /S "C:\de_crypt_readme.URL"
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.
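As an added triage example (not part of this thread and not FRST's own code): a small Python parser for the two line layouts used in the fixlist above (the `created - modified - size attrs path` file entries and the `CustomCLSID:` entries), which flags the indicators the fix is removing: `.crypt` files, the hidden GUID-named folder under ProgramData, a CLSID InprocServer32 that points at a missing DLL, and `de_crypt_readme` ransom notes. The ransom-note line in the sample input is constructed; the other sample lines are copied from the fixlist.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the fixlist in this thread, plus ONE
# constructed line for the ransom note (the fixlist only deletes it via CMD).
SAMPLE = r"""
2016-04-27 08:40 - 2016-04-27 14:28 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2016-04-24 11:49 - 2016-04-27 13:35 - 02234901 _____ C:\Users\Pechin_2\Downloads\products.pdf.crypt
2016-04-22 10:52 - 2015-03-11 21:43 - 00089600 _____ (SS) C:\WINDOWS\system32\us003ci.dll
2016-04-22 10:52 - 2015-03-11 21:43 - 00022528 _____ () C:\WINDOWS\system32\us003lm.dll
2016-04-27 14:28 - 2016-04-27 14:28 - 00012345 _____ C:\de_crypt_readme.HTML
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\Display.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-308377861-1605807132-3586080931-1006_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
"""

# "created - modified - size attrs [(signer)] path"; attrs is 5 chars such as ___HD
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>.+?)\s*$"
)
# "CustomCLSID: key -> target [=> No File <==== ATTENTION]"
CLSID_LINE = re.compile(r"^CustomCLSID: (?P<key>\S+) -> (?P<target>.+?)(?P<missing> => No File.*)?$")
# path ending in a GUID-named directory, e.g. C:\ProgramData\{F66CB4EE-...}
GUID_DIR = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, path) pairs for the indicators seen in this thread."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            name = path.rsplit("\\", 1)[-1].lower()
            if name.endswith(".crypt"):           # encrypted victim file
                findings.append(("encrypted-file", path))
            if name.startswith("de_crypt_readme"):  # dropped ransom note
                findings.append(("ransom-note", path))
            if "H" in attrs and "D" in attrs and GUID_DIR.search(path):
                findings.append(("hidden-guid-dir", path))  # hidden GUID folder
            continue
        m = CLSID_LINE.match(line)
        if m and m.group("missing"):  # COM server registered but DLL is gone
            findings.append(("dangling-clsid", m.group("target")))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind:16} {path}")
```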


Online polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34044
  • malware fighter
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #2 on: April 28, 2016, 09:48:11 PM »
Break these live links please like with htxp:// etc.
See: https://www.virustotal.com/nl/url/c1b73520098dfc97c31b7c942a6a80b11d2f172dfe2888628f2c15611f42ac9d/analysis/1461872509/
We do not want live links to malicious websites: https://www.virustotal.com/nl/url/1c3c120db903b982bff0174a6b3328872f582d072654120c0ce0516f416c2fc7/analysis/1461872661/
Although it seems that file may be safe (now) to use, and then we had a lucky escape. But wait for a qualified removal expert here to give a final verdict on your log files; see instructions here: https://forum.avast.com/index.php?topic=53253.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #3 on: April 28, 2016, 09:51:25 PM »
Unfortunately, TeslaCrypt cannot be decoded. Do you have a backup?

REDACTED

  • Guest
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #4 on: April 28, 2016, 10:15:03 PM »
No, no backup.  :-[

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #5 on: April 28, 2016, 11:05:49 PM »
OK, run the fix and I will see if anyone has a solution.

REDACTED

  • Guest
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #6 on: April 29, 2016, 01:44:30 AM »
I ran the fix and here is the log of it ... another thing ... how can I be sure that the virus that encrypted my files is out?

Thanks for your help!

REDACTED

  • Guest
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #7 on: April 29, 2016, 02:31:36 AM »
Quote
Unfortunately, TeslaCrypt cannot be decoded. Do you have a backup?

TeslaCrypt has been decrypted already, though, by Talos: blogs.cisco.com/security/talos/teslacrypt

« Last Edit: April 29, 2016, 02:43:09 AM by thecheevosyndicate »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31073
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #8 on: April 29, 2016, 07:56:25 AM »
That tool only works on the old TeslaCrypt, not on later variants of it.

Offline Lotan

  • Sr. Member
  • Posts: 289
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #9 on: April 29, 2016, 11:47:17 AM »
May be useful:
https://blog.kaspersky.com/cryptxxx-ransomware/11939/
It was recently posted in the technical post in the general section on the avast forums, to decrypt .crypt encryption.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes

REDACTED

  • Guest
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #11 on: April 30, 2016, 04:41:24 AM »
OK, thanks, I will try it! Also, how can I know that the virus that encrypted my files is out of my computer, so it doesn't happen again?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast constantly blocking xmlka and all files are encrypted
« Reply #12 on: April 30, 2016, 11:37:40 AM »
It came in as an attachment to an e-mail which you opened, so clear your mail.