DonnaSkidmore

  • Newbie

  • Offline
  • *

  • 4
  • Reputation:
    0
    • View Profile
Removing Ransomware
« on: June 18, 2015, 01:58:56 AM »
Hi, I've recently been the victim of some ransomware (CryptoWall 3.0 Virus) and have been going through the motions of removing the virus. I ended up with some software called SpyHunter, which apparently removed it.
However, Malwarebytes, which I have been using for years and years, is still picking up a bunch of stuff on my computer, but will not work anymore. It finds hundreds of objects, but when I click to remove them, it tells me it removed zero objects and stops working.
I've even uninstalled Malwarebytes and reinstalled it again.
Further Googling led me to RogueKiller today, which I downloaded and ran with the following results. These look nothing like the Malwarebytes results and I was wondering if anyone could tell me whether I should delete these things or not?

RogueKiller V10.8.4.0 [Jun 15 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Donna [Administrator]
Started from : C:\Users\Donna\Downloads\RogueKiller.exe
Mode : Scan -- Date : 06/17/2015  18:34:46

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81D57D73-E9E9-416B-A52A-02F56C4B4EB5} | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81D57D73-E9E9-416B-A52A-02F56C4B4EB5} | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{81D57D73-E9E9-416B-A52A-02F56C4B4EB5} | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 76101a3af9edca1b7559b6aadf7b98f2
[BSP] aab83534d19c2a76d425e4eec8dfbad6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 462937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 948097024 | Size: 14001 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_06172015_144440.log
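RogueKiller lists the DhcpNameServer values under PUM.Dns so that the reviewer can check where the machine resolves names; the entries above all point at the same two resolvers. The following is an added example (not code from the thread or from Adlice) that parses registry finding lines in that format and triages the PUM.Dns entries against an allowlist of resolvers the user expects; the allowlist, the placeholder GUID and the last sample line are assumptions, not data from the report.

```python
import re
from ipaddress import ip_address

# One RogueKiller "Registry" finding line, in the format seen in the report above:
# [PUM.Dns] (X64) HKLM\...\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
FINDING = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>\S+)\s+\|\s+(?P<value>\w+)\s+:\s+(?P<data>.*?)\s*"
    r"(?:\[(?P<country>[^\]]*)\])?\[-\]\s+->\s+(?P<status>\w+)\s*$"
)

# The first three lines are copied from the report above; the last one is constructed
# (RFC 5737 documentation address, placeholder GUID) to show an unexpected resolver.
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 24.116.0.53 24.116.2.50 [UNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID} | NameServer : 198.51.100.7 [-]  -> Found
"""

def parse_registry_findings(report):
    """Parse each registry finding into a dict; the DNS data becomes a list of servers."""
    findings = []
    for line in report.splitlines():
        m = FINDING.match(line.strip())
        if m:
            f = m.groupdict()
            f["servers"] = f["data"].split()
            findings.append(f)
    return findings

def triage_dns(findings, expected_resolvers):
    """Map each PUM.Dns key to 'expected' (all servers on the allowlist) or 'review'."""
    expected = {ip_address(ip) for ip in expected_resolvers}
    verdicts = {}
    for f in findings:
        if f["category"] != "PUM.Dns":
            continue
        seen = {ip_address(s) for s in f["servers"]}
        verdicts[f["key"]] = "expected" if seen <= expected else "review"
    return verdicts

def resolvers_consistent(findings):
    """True when every ControlSet/interface entry lists the same resolvers; drift is worth a look."""
    sets = {frozenset(f["servers"]) for f in findings if f["category"] == "PUM.Dns"}
    return len(sets) <= 1
```

Feed it the allowlist your ISP or router actually hands out; a key marked "review" or an inconsistent resolver set across ControlSets is what deserves a closer look, not the PUM.Dns label itself.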

Curson
Re: Removing Ransomware
« Reply #1 on: June 19, 2015, 12:05:39 PM »
Hi Donna,

Welcome to Adlice.com Forum.
CryptoWall is a very troublesome infection since it uses asymmetric encryption to encrypt files.

First of all, do you have backups of your personal files on an external storage device? If that's not the case, are your files already encrypted?
Could you please post the full Malwarebytes report in your next post?

Regards.

DonnaSkidmore
Re: Removing Ransomware
« Reply #2 on: June 19, 2015, 08:21:24 PM »
Yes, my files were all encrypted (except for some which were saved with more unusual file extensions).
I was unable to decrypt them because I had no restore points saved and no previous versions saved. I ended up deleting all the encrypted files but I do have backups of almost everything as I backup regularly.
Getting all the weird stuff that has shown up since then is proving very bothersome though!
Here are the scan results from Malwarebytes.
Thank you so much for helping!!

PS: The report is HUGE. Way, way too many characters even to put into a Facebook note to post a link on here.
I've uploaded the report as a text file to my photography website contact page (right above the word "contact", where you can click on it and view it in Notepad). I'm sorry, I didn't know how else to show it to you.
Here is a link to the page it's on

http://pukekophotography.com/contact/4586694325?preview=Y
« Last Edit: June 19, 2015, 10:11:59 PM by DonnaSkidmore »

Curson
Re: Removing Ransomware
« Reply #3 on: June 21, 2015, 06:19:50 PM »
Hi Donna,
Quote from: Donna
Yes, my files were all encrypted (except for some which were saved with more unusual file extensions).
I was unable to decrypt them because I had no restore points saved and no previous versions saved. I ended up deleting all the encrypted files but I do have backups of almost everything as I backup regularly.
This will greatly facilitate things. Please do not transfer your files back until your system has been cleaned of the infection.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Quote from: Donna
PS: The report is HUGE. Way, way too many characters even to put into a Facebook note to post a link on here.
I've uploaded the report as a text file to my photography website contact page (right above the word "contact", where you can click on it and view it in Notepad). I'm sorry, I didn't know how else to show it to you.
If a report is too huge to be copied and pasted, you could upload it using the attachment option in "Attachments and other options". ;)

Regards.

DonnaSkidmore
Re: Removing Ransomware
« Reply #4 on: June 25, 2015, 03:21:47 PM »
Thank you so much for helping. I've downloaded that tool, but Trend Micro keeps blocking me from installing it, saying it is a suspicious file?

Curson
Re: Removing Ransomware
« Reply #5 on: June 25, 2015, 10:16:41 PM »
Hi Donna,

FRST is perfectly safe to run.
If you cannot find a way to allow it, please disable Trend Micro before executing the tool.

Regards.

DonnaSkidmore
Re: Removing Ransomware
« Reply #6 on: June 26, 2015, 12:55:34 AM »
Thank you. I will.