Infected with Cryptowall 3.0 [Solved]


  • This topic is locked

#1
BlazeHeatnix
  • Member
  • 39 posts
Hello. After doing some research, it appears one of my computers, running Windows XP Service Pack 3, has been infected with Cryptowall 3.0. Doing a little more research, I figured I would try this first:
http://www.geekstogo...ove-cryptowall/

After downloading, installing and running MWB, nothing has changed. If anything, it has become worse. During the scan (I ran a full scan with MWB), the desktop background was changed; what it looks like now: white lines surrounding the edges, with a little red X in the top left corner. Also, during the scan, MWB continuously displayed that it was blocking outbound threats to random IP addresses. This has since stopped.

If I right click and select Properties, the box is only displayed for a few seconds before disappearing on its own, not allowing me to select anything. When I shut down/restart the computer, the box disappears and I see my desktop background image again.

Worst case scenario, I am OK with reformatting the computer as there aren't many files at all on the hard drive. I have back-ups of any important files.

The only thing that has changed since running MWB and removing any threats is that I no longer get the pop-ups at start-up, telling me that my files are encrypted. Here's the log file from the scan:

<mbam-log>
  <header>
    <date>2015/03/24 20:52:35 -0500</date>
    <logfile>mbam-log-2015-03-24 (20-52-32).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>2.01.4.1018</version>
    <malware-database>v2015.03.24.09</malware-database>
    <rootkit-database>v2015.02.25.01</rootkit-database>
    <license>trial</license>
    <file-protection>enabled</file-protection>
    <web-protection>enabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <osversion>Windows XP Service Pack 3</osversion>
    <arch>x86</arch>
    <username>Norton</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>665955</objects>
    <time>6066</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>6</keys>
    <values>7</values>
    <datas>1</datas>
    <folders>1</folders>
    <files>18</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
  </options>
  <items>
    <key>
      <path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>
      <vendor>Adware.OneStepSearch</vendor>
      <action>success</action>
      <hash>530641080f7b2c0af8b334120df6b54b</hash>
    </key>
    <key>
      <path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path>
      <vendor>Adware.OneStepSearch</vendor>
      <action>success</action>
      <hash>530641080f7b2c0af8b334120df6b54b</hash>
    </key>
    <key>
      <path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}</path>
      <vendor>Search.Hijacker</vendor>
      <action>success</action>
      <hash>0d4cf059e4a6bd79f16c60edf50e6c94</hash>
    </key>
    <key>
      <path>HKU\S-1-5-21-1292428093-412668190-839522115-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{9034A523-D068-4BE8-A284-9DF278BE776E}</path>
      <vendor>Trojan.Zlob</vendor>
      <action>success</action>
      <hash>bb9e72d71773d462c1a69fbd798ac739</hash>
    </key>
    <key>
      <path>HKLM\SOFTWARE\MICROSOFT\ESENT\PROCESS\Adparatus</path>
      <vendor>Adware.Adparatus</vendor>
      <action>success</action>
      <hash>77e2d07999f12d095d0a513148bc8977</hash>
    </key>
    <key>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\RelevantKnowledge</path>
      <vendor>PUP.Optional.RelevantKnowledge</vendor>
      <action>success</action>
      <hash>5009ae9b612983b37814d4dda1631de3</hash>
    </key>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>{20d82918-b7f5-9324-df1e-546846476ac2}</valuename>
      <vendor>Trojan.Agent.ED</vendor>
      <action>success</action>
      <valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>
      <hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
      <valuename>{20d82918-b7f5-9324-df1e-546846476ac2}</valuename>
      <vendor>Trojan.Agent.ED</vendor>
      <action>success</action>
      <valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata>
      <hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
      <valuename>1622466268</valuename>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <valuedata>"C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe"</valuedata>
      <hash>1b3e45048cfe89adb0831310e51d46ba</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path>
      <valuename>1070511867</valuename>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <valuedata>"C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe"</valuedata>
      <hash>64f585c48efc8fa742f181a24db54eb2</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</path>
      <valuename />
      <vendor>Trojan.BHO</vendor>
      <action>success</action>
      <valuedata />
      <hash>570282c7e7a30a2c034f5df7de2549b7</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD</path>
      <valuename>SSODL</valuename>
      <vendor>Trojan.BHO</vendor>
      <action>success</action>
      <valuedata>{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</valuedata>
      <hash>570282c7e7a30a2c034f5df7de2549b7</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER</path>
      <valuename>{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}</valuename>
      <vendor>Trojan.BHO</vendor>
      <action>success</action>
      <valuedata>STS</valuedata>
      <hash>570282c7e7a30a2c034f5df7de2549b7</hash>
    </value>
    <data>
      <path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</path>
      <valuename>DisableConfig</valuename>
      <vendor>Windows.Tool.Disabled</vendor>
      <action>replaced</action>
      <valuedata>1</valuedata>
      <baddata>1</baddata>
      <gooddata>0</gooddata>
      <hash>411880c946441c1ae816de14d233c53b</hash>
    </data>
    <folder>
      <path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013</path>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <hash>9cbd90b96b1f70c609bfe887dc27f709</hash>
    </folder>
    <file>
      <path>C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe</path>
      <vendor>Trojan.Agent.ED</vendor>
      <action>delete-on-reboot</action>
      <hash>1f3afb4e3e4cbc7a30668986a65c2dd3</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe</path>
      <vendor>Trojan.Agent</vendor>
      <action>delete-on-reboot</action>
      <hash>1b3e45048cfe89adb0831310e51d46ba</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\All Users.WINDOWS\mstesrzb.exe</path>
      <vendor>Trojan.Agent</vendor>
      <action>delete-on-reboot</action>
      <hash>64f585c48efc8fa742f181a24db54eb2</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\My Documents\Downloads\WinRAR_3.71_Corporate_Edition.exe</path>
      <vendor>Trojan.Dropper</vendor>
      <action>success</action>
      <hash>31282f1aacde290d589beab256ac8c74</hash>
    </file>
    <file>
      <path>C:\WINDOWS\system32\[email protected]@@k.DLL</path>
      <vendor>HackTool.HotKeyHook</vendor>
      <action>success</action>
      <hash>c39656f3642685b1a20d6864ce324bb5</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\fixutil.exe</path>
      <vendor>Trojan.Crypt.NKN</vendor>
      <action>success</action>
      <hash>b7a2db6eeb9f9c9a4c6d9201728fa060</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\repfix.exe</path>
      <vendor>Trojan.Crypt.NKN</vendor>
      <action>success</action>
      <hash>fa5fe6635b2f191d37828e05cf324bb5</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\urepair.exe</path>
      <vendor>Trojan.Crypt.NKN</vendor>
      <action>success</action>
      <hash>fa5f56f3800ad0669119e3b0ea17827e</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\15A.tmp</path>
      <vendor>Trojan.Ransom.ED</vendor>
      <action>success</action>
      <hash>e673a0a9d8b2bf77d160945ecf32f20e</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\KB02621203.exe</path>
      <vendor>Trojan.Agent.DED</vendor>
      <action>success</action>
      <hash>f66344055733181e2e11886f20e127d9</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\errfix.exe</path>
      <vendor>Trojan.Crypt.NKN</vendor>
      <action>success</action>
      <hash>76e3d178a0ead95d3872583bb74aab55</hash>
    </file>
    <file>
      <path>C:\WINDOWS\Installer\2af0c69.msi</path>
      <vendor>PUP.Optional.RelevantKnowledge</vendor>
      <action>success</action>
      <hash>14457ccdbad02f07c7b3619d5ea73fc1</hash>
    </file>
    <file>
      <path>C:\WINDOWS\Installer\{FF0AF4F6-CD67-4109-B800-DCFF216342BA}\msiexec.exe</path>
      <vendor>Trojan.Agent.ED</vendor>
      <action>success</action>
      <hash>045587c2addd7fb7de3b280f8b77a858</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.HTML</path>
      <vendor>CryptoWall.Trace</vendor>
      <action>success</action>
      <hash>d782af9ac6c4a096bc3262e6e0254db3</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.PNG</path>
      <vendor>CryptoWall.Trace</vendor>
      <action>success</action>
      <hash>2a2feb5e1e6c12249d51dd6b759056aa</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.TXT</path>
      <vendor>CryptoWall.Trace</vendor>
      <action>success</action>
      <hash>e9702623bcce58de2ec03711ac59d42c</hash>
    </file>
    <file>
      <path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.URL</path>
      <vendor>CryptoWall.Trace</vendor>
      <action>success</action>
      <hash>b5a4fe4b93f769cd787669df56aff50b</hash>
    </file>
    <file>
      <path>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini</path>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <hash>9cbd90b96b1f70c609bfe887dc27f709</hash>
    </file>
  </items>
</mbam-log>

Edited by BlazeHeatnix, 24 March 2015 - 10:54 PM.

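The log above says more about the infection than the raw detection count, and that reading is easy to automate. The following Python script is an added example (it is not from the original post and not Malwarebytes code): it parses a Malwarebytes 2.x XML log, pulls out the registry auto-start entries, the ransomware artefacts, any Windows security feature the malware switched off, and any file that could only be scheduled for delete-on-reboot, and then pairs each auto-start target with a binary still waiting for that reboot. SAMPLE_LOG is a constructed excerpt of the posted log; the bucket names, the ASEP regex and the HELP_DECRYPT file-name check are this example's own assumptions.

```python
"""Triage a Malwarebytes (MBAM 2.x) XML scan log.

Added example, not part of the original post and not Malwarebytes code.
It parses the <items> section of an mbam-log file and sorts detections
into the buckets a responder wants first: registry autostarts, ransomware
traces, security-feature tampering, and removals still pending a reboot.
SAMPLE_LOG is a constructed excerpt of the log posted above; the bucket
names and the regexes are this example's own assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Auto-start extensibility points (ASEPs) that appear in the posted log.
_PERSISTENCE_RE = re.compile(
    r"\\CURRENTVERSION\\RUN(ONCE)?$|\\POLICIES\\EXPLORER\\RUN$"
    r"|\\SHELLSERVICEOBJECTDELAYLOAD$|\\EXPLORER\\SHAREDTASKSCHEDULER"
    r"|\\WINLOGON\\NOTIFY\\",
    re.IGNORECASE,
)
# Detection names that mean ransomware rather than adware/PUP noise.
_RANSOM_RE = re.compile(r"ransom|cryptowall", re.IGNORECASE)

# Constructed excerpt of the posted log (hashes omitted for brevity).
SAMPLE_LOG = r"""
<mbam-log>
  <header><date>2015/03/24 20:52:35 -0500</date><isadmin>yes</isadmin></header>
  <system><osversion>Windows XP Service Pack 3</osversion><arch>x86</arch></system>
  <items>
    <key><path>HKU\S-1-5-18\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409}</path><vendor>Adware.OneStepSearch</vendor><action>success</action></key>
    <value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path><valuename>{20d82918-b7f5-9324-df1e-546846476ac2}</valuename><vendor>Trojan.Agent.ED</vendor><action>success</action><valuedata>"C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe"</valuedata></value>
    <value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN</path><valuename>1622466268</valuename><vendor>Trojan.Agent</vendor><action>success</action><valuedata>"C:\Documents and Settings\All Users.WINDOWS\mswhsrocj.exe"</valuedata></value>
    <value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELLSERVICEOBJECTDELAYLOAD</path><valuename>SSODL</valuename><vendor>Trojan.BHO</vendor><action>success</action><valuedata>{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}</valuedata></value>
    <data><path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</path><valuename>DisableConfig</valuename><vendor>Windows.Tool.Disabled</vendor><action>replaced</action><baddata>1</baddata><gooddata>0</gooddata></data>
    <file><path>C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{20d82918-b7f5-9324-df1e-546846476ac2}\{20d82918-b7f5-9324-df1e-546846476ac2}.exe</path><vendor>Trojan.Agent.ED</vendor><action>delete-on-reboot</action></file>
    <file><path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Local Settings\Temp\15A.tmp</path><vendor>Trojan.Ransom.ED</vendor><action>success</action></file>
    <file><path>C:\Documents and Settings\Norton.NORTON-T3P0PVHT\Start Menu\Programs\Startup\HELP_DECRYPT.TXT</path><vendor>CryptoWall.Trace</vendor><action>success</action></file>
  </items>
</mbam-log>
"""


def parse_mbam_log(xml_text):
    """Return one dict per <items> child: 'kind' (key/value/data/folder/file)
    plus every child element as a field (path, vendor, action, valuedata, ...)."""
    items_node = ET.fromstring(xml_text.strip()).find("items")
    if items_node is None:
        return []
    return [dict(kind=node.tag, **{c.tag: (c.text or "").strip() for c in node})
            for node in items_node]


def triage(items):
    """Bucket the detections. 'linked' pairs an autostart entry with a target
    binary that is still on disk until its delete-on-reboot completes."""
    r = {"persistence": [], "ransomware_traces": [], "tampering": [],
         "pending_reboot": [], "other": []}
    for it in items:
        kind, path = it["kind"], it.get("path", "")
        vendor, action = it.get("vendor", ""), it.get("action", "")
        basename = path.rsplit("\\", 1)[-1].upper()
        if kind == "file" and action == "delete-on-reboot":
            r["pending_reboot"].append(path)   # MBAM could not delete it while running
        if kind in ("key", "value") and _PERSISTENCE_RE.search(path):
            r["persistence"].append({"path": path, "valuename": it.get("valuename", ""),
                                     "target": it.get("valuedata", "").strip('"'),
                                     "vendor": vendor})
        elif _RANSOM_RE.search(vendor) or basename.startswith("HELP_DECRYPT"):
            r["ransomware_traces"].append(path)   # ransom notes, payload fragments
        elif kind == "data" and vendor.startswith("Windows.Tool.Disabled"):
            r["tampering"].append({"path": path, "valuename": it.get("valuename", ""),
                                   "was": it.get("baddata", ""),
                                   "restored_to": it.get("gooddata", ""), "action": action})
        else:
            r["other"].append(f"{kind} {vendor} {path}")
    pending = {p.lower() for p in r["pending_reboot"]}
    r["linked"] = [p for p in r["persistence"] if p["target"].lower() in pending]
    return r


def needs_reboot(report):
    """True when any removal is only scheduled, i.e. a malware binary is still on disk."""
    return bool(report["pending_reboot"])


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for bucket, entries in report.items():
        print(f"{bucket}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
    print("reboot required:", needs_reboot(report))
```

Run over the full log posted above, the same logic separates the autostart values under Run, Policies\Explorer\Run, ShellServiceObjectDelayLoad and SharedTaskScheduler from the adware and search-hijacker noise, flags the three binaries that were only scheduled for delete-on-reboot (so they stayed on disk until the next restart), reports that System Restore configuration had been disabled by policy (DisableConfig was 1 and MBAM reset it to 0), and lists the four HELP_DECRYPT.* files in the Startup folder. Those are the ransom notes, not anything recoverable: removing the loader and its autostarts stops further damage but does not decrypt files already encrypted by CryptoWall 3.0, so with backups of the important files already in hand, the wipe and reinstall the poster chose is the sound outcome.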

#2
BlazeHeatnix
  • Topic Starter
  • Member
  • 39 posts

I suppose you can label this resolved: I reformatted the HDD and everything is fine now :)



#3
Essexboy
  • GeekU Moderator
  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
