dllhost.exe com surrogate

robcham

New Member
Thread author
Oct 29, 2014
7
The issue started tonight between 7 and 11 pm. I was surfing on curse.com while playing World of Warcraft and I left the website open. World of Warcraft started to lag horribly and Ventrilo became unusable. I saw all the replication of dllhost.exe in my Task Manager and ended them manually, only to see them replicated again. I downloaded Malwarebytes and removed many of the Trojans and backdoors. I downloaded FRST and created a log file and now here I am.
 

Attachments

  • FRST.txt
    24.6 KB · Views: 49
  • Addition.txt
    21.3 KB · Views: 54

robcham

New Member
Thread author
Oct 29, 2014
7
After further investigating the damage potentially caused to my computer, I have noticed there were two 'infections' that seemed to have activated on my system. There are over 482 instances of two files. One is called 'decrypt_instruction.txt' and the other is called 'decrypt_instruction.html', and they are in many of the core folders of my hard drive. This means there are likely 241 unique folders that these are present in. There is also a third file called 'install_tor.html' in, as expected, 240 unique folders. These files have two different timestamps. The first 'infection' took place 10/28/2014 at 9:19pm and the second took place three hours later at 12:19am. While constantly rebooting and testing my machine to locate the cause (I'm not a computer expert), I also noticed that at one point it said 'powershell.exe' unable to load. This seems in line with many other users, as they also have the same concurrent problems. That is to say:

powershell.exe issues, dllhost.exe replication, com surrogate issues, computer lag, unable to download from internet, backdoor and Trojan infection, fake update screens.

On a separate note: I found what looks like a good tutorial on fixing powershell.exe errors and I was wondering if I could follow those steps in order to fix or semi-fix my computer. I can post the link or PM it, but I don't want to mislead people if it does not work.
 

robcham

New Member
Thread author
Oct 29, 2014
7
So it didn't occur to me to actually try to open any of my Word files earlier... or anything, for that matter. The 'decrypt_instruction.html' and 'decrypt_instruction.txt' are apparently related to the fact that my computer appears to not be able to read ANYTHING. When I open Word files they are encrypted. When I open movie files they will not play. My first Farbar scan posted above was done in safe mode. I am now attaching my second Farbar scan that was done OUTSIDE of safe mode (and current as of this post). I am also attaching the 'decrypt_instruction' file. This file is possibly harmful, but perhaps it will give you a better idea of the issue on my system.
 

Attachments

  • FRST.txt
    27.3 KB · Views: 50
  • Addition.txt
    27.5 KB · Views: 40
  • DECRYPT_INSTRUCTION.TXT
    4.1 KB · Views: 121

robcham

New Member
Thread author
Oct 29, 2014
7
After further searching I have discovered a thread over on BleepingComputer and it seems to me that I have a CryptoWall 2.0 infection on my system. Everything detailed about this malware seems identical to the problems I am having. I am nervous about having to pay 500 or more but even more nervous about losing everything on my system.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I don't know what to say; you're familiar with the situation. Paying $500 isn't an option: you'll never know whether it will work or not, and second, why pay criminals?

You can maybe try to restore your files if you read the Bleeping Computer info. Tell me, what do you plan to do next? I can help you clean your PC.
 

robcham

New Member
Thread author
Oct 29, 2014
7
Would it be possible to duplicate all the encrypted files onto a separate hard drive? Then I could attempt to clean the first hard drive and restore the files. And then, if I could not restore the files with your help or anyone else's, as a last resort I could potentially pay the ransom and decrypt the new hard drive? Or does it not work that way?
 

robcham

New Member
Thread author
Oct 29, 2014
7
I have been reading posts everywhere and I am not working this week - I am devoting 18 hours a day to solving this issue, as the files that are currently encrypted are memento in nature. I am currently reading through the entire 38 pages of posts associated with the link you have given me.
 

robcham

New Member
Thread author
Oct 29, 2014
7
I am attempting to contact one of the experts over at their forums at the moment and I am currently awaiting his response. I have told him I am in communication with you as well but I will advise BOTH of you if I decide to pursue steps with one or the other BEFORE taking those steps.

Thank you again for your reference link and I hope my problem will be sorted out.
 
