Infected with Cryptowall 3.0 [Solved]

Hello. After doing some research, it appears one of my computers, running Windows XP Service Pack 3 has been infected with Cryptowall 3.0. Doing a little more research...I figured I would try this first:
http://www.geekstogo...ove-cryptowall/

After downloading/installing/running MWB, nothing has changed. If anything, it has become worse. During the scan (I ran a full scan with MWB), the desktop background was changed; what it looks like now: White lines surrounding the edges, with a little red X in the top left corner. Also, during the scan, MWB continuously displayed hat it was blocking outbound threats to random IP addresses. This has since stopped.

If I right click and select Properties, the box is only displayed for a few seconds before disappearing on its own, not allowing me to select anything. When I shut down/restart the computer, the box disappears and I see my desktop background image again.

Worst case scenario, I am OK with reformatting the computer as there aren't many files at all on the hard drive. I have back-ups of any important files.

The only thing that has changed since running MWB and removing any threats is that I no longer get the pop-ups at start-up, telling me that my files are encrypted . Here's the log file from the scan:

- <mbam-log>

- <header>

</header>

- <engine>

<malware-database>v2015.03.24.09</malware-database>

<rootkit-database>v2015.02.25.01</rootkit-database>

<license>trial</license>

<file-protection>enabled</file-protection>

<web-protection>enabled</web-protection>

<self-protection>disabled</self-protection>

</engine>

- <system>

<osversion>Windows XP Service Pack 3</osversion>

<username>Norton</username>

</system>

- <summary>

<type>threat</type>

<result>completed</result>

</summary>

- <options>

<memory>enabled</memory>

<startup>enabled</startup>

<filesystem>enabled</filesystem>

<archives>enabled</archives>

<rootkits>disabled</rootkits>

<deeprootkit>disabled</deeprootkit>

<heuristics>enabled</heuristics>

<pup>enabled</pup>

<pum>enabled</pum>

</options>

- <items>

- <key>

<path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>

<vendor>Adware.OneStepSearch</vendor>

<action>success</action>

</key>

- <key>

<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>

<vendor>Adware.OneStepSearch</vendor>

<action>success</action>

</key>

- <key>

<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}</path>

<vendor>Search.Hijacker</vendor>

<action>success</action>

</key>

- <key>

<path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{9034A523-D068-4BE8-A284-9DF278BE776E}</path>

<vendor>Trojan.Zlob</vendor>

<action>success</action>

</key>

- <key>

<path>HKLM\SOFTWARE\MICROSOFT\ESENT\PROCESS\Adparatus</path>

<vendor>Adware.Adparatus</vendor>

<action>success</action>

</key>

- <key>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\RelevantKnowledge</path>

<vendor>PUP.Optional.RelevantKnowledge</vendor>

<action>success</action>

</key>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>

<vendor>Trojan.Agent.ED</vendor>

<action>success</action>

<valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>

<vendor>Trojan.Agent.ED</vendor>

<action>success</action>

<valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>

<vendor>Trojan.Agent</vendor>

<action>success</action>

<valuedata>"C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe"</valuedata>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>

<vendor>Trojan.Agent</vendor>

<action>success</action>

<valuedata>"C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe"</valuedata>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</path>

<vendor>Trojan.BHO</vendor>

<action>success</action>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD</path>

<valuename>SSODL</valuename>

<vendor>Trojan.BHO</vendor>

<action>success</action>

</value>

- <value>

<path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER</path>

<vendor>Trojan.BHO</vendor>

<action>success</action>

</value>

- <data>

<path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</path>

<valuename>DisableConfig</valuename>

<vendor>Windows.Tool.Disabled</vendor>

<action>replaced</action>

</data>

- <folder>

<path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013</path>

<vendor>Trojan.Agent</vendor>

<action>success</action>

</folder>

- <file>

<path>C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe</path>

<vendor>Trojan.Agent.ED</vendor>

<action>delete-on-reboot</action>

</file>

- <file>

<path>C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe</path>

<vendor>Trojan.Agent</vendor>

<action>delete-on-reboot</action>

</file>

- <file>

<path>C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe</path>

<vendor>Trojan.Agent</vendor>

<action>delete-on-reboot</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\My Documents\Downloads\WinRAR_3.71_Corporate_Edition.exe</path>

<vendor>Trojan.Dropper</vendor>

<action>success</action>

<hash>31282f1aacde290d589beab256ac8c74</hash>

</file>

- <file>

<path>C:\WINDOWS\system32\H@tKeysH@@k.DLL</path>

<vendor>HackTool.HotKeyHook</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\fixutil.exe</path>

<vendor>Trojan.Crypt.NKN</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\repfix.exe</path>

<vendor>Trojan.Crypt.NKN</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\urepair.exe</path>

<vendor>Trojan.Crypt.NKN</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\15A.tmp</path>

<vendor>Trojan.Ransom.ED</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\KB02621203.exe</path>

<vendor>Trojan.Agent.DED</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\errfix.exe</path>

<vendor>Trojan.Crypt.NKN</vendor>

<action>success</action>

</file>

- <file>

<path>C:\WINDOWS\Installer\2af0c69.msi</path>

<vendor>PUP.Optional.RelevantKnowledge</vendor>

<action>success</action>

<hash>14457ccdbad02f07c7b3619d5ea73fc1</hash>

</file>

- <file>

<path>C:\WINDOWS\Installer\{FF0AF4F6-CD67-4109-B800-DCFF216342BA}\msiexec.exe</path>

<vendor>Trojan.Agent.ED</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.HTML</path>

<vendor>CryptoWall.Trace</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.PNG</path>

<vendor>CryptoWall.Trace</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.TXT</path>

<vendor>CryptoWall.Trace</vendor>

<action>success</action>

</file>

- <file>

<path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.URL</path>

<vendor>CryptoWall.Trace</vendor>

<action>success</action>

</file>

- <file>

<path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini</path>

<vendor>Trojan.Agent</vendor>

<action>success</action>

</file>

</items>

</mbam-log>

Edited by BlazeHeatnix, 24 March 2015 - 10:54 PM.

#1
BlazeHeatnix

Posted 24 March 2015 - 10:51 PM

Advertisements

#2
BlazeHeatnix

Posted 25 March 2015 - 11:42 PM

#3
Essexboy

Posted 27 March 2015 - 05:56 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us

Infected with Cryptowall 3.0 [Solved]

#1 BlazeHeatnix Posted 24 March 2015 - 10:51 PM

Advertisements

#2 BlazeHeatnix Posted 25 March 2015 - 11:42 PM

#3 Essexboy Posted 27 March 2015 - 05:56 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us

Sign In

#1
BlazeHeatnix

Posted 24 March 2015 - 10:51 PM

#2
BlazeHeatnix

Posted 25 March 2015 - 11:42 PM

#3
Essexboy

Posted 27 March 2015 - 05:56 AM