After a brief hiatus malware developers release CryptoWall 3.0

274 replies to this topic

#61 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 01 March 2015 - 01:21 PM

The malware will inject itself into svchost.exe and run as that process. You can usually tell on a 64-bit machine which svchost is the culprit as it will be shown as a 32-bit process with a *32 next to the name.


#62 NINTR, Members
Posted 01 March 2015 - 02:11 PM

    Thanks, I am aware there is no decrypter available yet and may never be.
    More interested in providing files to those who may be able to use them to the good. I seem to have caught this trojan before it was finished and it seemed to have come through IE (possibly flash) rather than email. It looks like it was running from an .ini file, did not drop any startup links in 'run', 'runonce', nor 'startup' and the typical reg listing of the affected files seems to reside on the HDD. It seems like it hit Adobe and Silverlight before it started in on the encrypting files.

Mine seems to have come in from IE, as well, and it didn't encrypt all of my files, only some. I still have the majority of my files, so I don't know if I caught it before it was complete or if it just wasn't as strong a virus. I didn't have any pop-ups, I had to really dig in order to find the reason for my files being corrupted, and that's when I found the HELP_DECRYPT files. It got all of my documents and music, but only a few of my images. I'm not sure what stopped it, but I'm thankful for it. I'm hoping someone creates a decrypter sometime, but I managed to save the most important things. Now they are on an external hard drive as well as about 10 USB drives just to be safe!


Edited by NINTR, 02 March 2015 - 12:03 AM.
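Two indicators come up in the posts above: Grinler's tip (post #61) that the injected svchost.exe shows as a 32-bit process with "*32" on a 64-bit machine, and the HELP_DECRYPT files that NINTR found in the encrypted folders. The following PowerShell triage script is an added example, not code from the thread or from BleepingComputer; it uses the same kernel32 IsWow64Process call that Task Manager relies on for the "*32" suffix, and it adds two general heuristics that are not from the thread and are labelled as assumptions in the comments (a legitimate svchost.exe lives under System32 or SysWOW64 and is started by services.exe). A 32-bit svchost.exe is flagged for review, not convicted; some legitimate 32-bit services exist, which is why Grinler says "usually".

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell
# prompt so that SYSTEM-owned svchost.exe processes can be opened.

if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess,
    [Out, MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@
}

function Get-SuspiciousSvchost {
    # Flags svchost.exe instances that Task Manager would show as "*32" on a
    # 64-bit host, plus path/parent anomalies worth a second look.
    if (-not [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'The *32 check only applies on a 64-bit Windows host.'
        return
    }

    # ExecutablePath and ParentProcessId come from WMI; Get-Process lacks them.
    $wmi = @{}
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object { $wmi[[int]$_.ProcessId] = $_ }

    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $flags   = @()
        $isWow64 = $false
        try {
            # Same API Task Manager uses to decide whether to append "*32".
            [void][Win32.Native]::IsWow64Process($p.Handle, [ref]$isWow64)
            if ($isWow64) { $flags += '32-bit (*32) process on a 64-bit host' }
        } catch {
            $flags += "could not open handle: $($_.Exception.Message)"
        }

        $info = $wmi[$p.Id]
        $path = if ($info) { $info.ExecutablePath } else { $null }
        # Assumption (general heuristic, not from the thread): the real binary
        # is %SystemRoot%\System32\svchost.exe or \SysWOW64\svchost.exe.
        if ($path -and $path -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
            $flags += "unexpected image path: $path"
        }
        # Assumption (general heuristic, not from the thread): a legitimate
        # svchost.exe is started by services.exe.
        if ($info -and $info.ParentProcessId) {
            $parent = Get-Process -Id $info.ParentProcessId -ErrorAction SilentlyContinue
            if ($parent -and $parent.ProcessName -ne 'services') {
                $flags += "parent is $($parent.ProcessName) (PID $($info.ParentProcessId)), not services.exe"
            }
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{ PID = $p.Id; Path = $path; Findings = ($flags -join '; ') }
        }
    }
}

function Find-RansomNotes {
    # Lists HELP_DECRYPT.* files; their folders map out what was encrypted.
    param([string[]]$Path = @($env:USERPROFILE))
    Get-ChildItem -Path $Path -Recurse -Force -Filter 'HELP_DECRYPT.*' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

Get-SuspiciousSvchost | Format-Table -AutoSize
Find-RansomNotes | Group-Object { Split-Path $_.FullName -Parent } |
    Select-Object @{ n = 'Folder'; e = { $_.Name } }, @{ n = 'Notes'; e = { $_.Count } } |
    Format-Table -AutoSize
```

Find-RansomNotes defaults to the current user's profile because that is where CryptoWall's damage usually lands first; pass `-Path 'C:\', 'D:\'` to sweep whole drives, including a reconnected backup disk before trusting it. The earliest LastWriteTime among the notes is a usable anchor for the infection time when correlating with browser cache or crash-dump timestamps, as GargoyleEyes does later in the thread.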


#63 GargoyleEyes, Members
Posted 01 March 2015 - 04:08 PM

Thanks for the replies. Grinler, I have a 64b machine and there is no svchost showing as *32, so should I be cautiously optimistic that it is not running?
If I find clues as to which web site it came in from, should I contact the site manager to inform them? Right now everything is pointing at a Flash Player ad or something similar.

#64 GargoyleEyes, Members
Posted 01 March 2015 - 05:42 PM

Just some additional info...

MS Security Essentials never found anything. I have just installed BitDefender and I am running a System Scan, but the initial scan found nothing. I have not reconnected my external backup HDD but will try that after I have the new antivirus system operational.

It seems this infection went differently than others I have read about on the internet, thus my reason for posting up here. The general description about CryptoWall 3.0 was very helpful (along with CryptoLocker). Here is hoping they catch these bastards and come up with an unlock database like they did with CryptoLocker. I will not hold my breath though.

Thanks again for the replies.



#65 NINTR, Members
Posted 02 March 2015 - 12:03 AM

By the way, I just wanted to add that I contracted the virus less than 24 hours after downloading an update of Adobe from the official site. Maybe that has something to do with it.



#66 BlackHawk1, Members
Posted 02 March 2015 - 04:26 AM

    By the way, I just wanted to add that I contracted the virus less than 24 hours after downloading an update of Adobe from the official site. Maybe that has something to do with it.

From the official Adobe site? That's hard to believe as it would be reported as a widespread issue.



#67 NINTR, Members
Posted 02 March 2015 - 12:08 PM

    By the way, I just wanted to add that I contracted the virus less than 24 hours after downloading an update of Adobe from the official site. Maybe that has something to do with it.

    From the official Adobe site? That's hard to believe as it would be reported as a widespread issue.

Yes, from the official Adobe site. I know it's hard to believe, but it's the only thing I did right before the infection started causing problems. I don't use my computer for much, so I know for certain that I did not download anything else or receive any suspicious emails.



#68 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 02 March 2015 - 12:15 PM

I agree, it sounds far-fetched that it's from Adobe's site. My guess is you got hit with an exploit kit that hit a vuln in some outdated software.

#69 NINTR, Members
Posted 02 March 2015 - 12:21 PM

    I agree, it sounds far-fetched that it's from Adobe's site. My guess is you got hit with an exploit kit that hit a vuln in some outdated software.

Like I said, I don't use that computer much. That night, I happened to download an update for Adobe, then wrote a bit in my manuscript and went to bed. The next morning, the computer started freezing and, after using system restore unsuccessfully, my files became encrypted and I found the HELP_DECRYPT files. I know you are all ganging up on me and thinking it's far-fetched, but I'm just telling the truth. I don't receive very many emails or visit many sites; I basically use it for writing only because that's my job. To have caught the virus from anything else would be impossible. I only download updates for my programs and infrequently visit the internet to research a word or contact my publisher via email. In fact, I only receive emails from a short, tight list of contacts, no junk or other unsavory senders.



#70 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 02 March 2015 - 12:31 PM

    Like I said, I don't use that computer much. That night, I happened to download an update for Adobe, then wrote a bit in my manuscript and went to bed. The next morning, the computer started freezing and, after using system restore unsuccessfully, my files became encrypted and I found the HELP_DECRYPT files. I know you are all ganging up on me and thinking it's far-fetched, but I'm just telling the truth. I don't receive very many emails or visit many sites; I basically use it for writing only because that's my job. To have caught the virus from anything else would be impossible. I only download updates for my programs and infrequently visit the internet to research a word or contact my publisher via email. In fact, I only receive emails from a short, tight list of contacts, no junk or other unsavory senders.

Not ganging up on you, but it's one thing to get hit by malvertising, and it's another thing to actually get hit by a malware download on Adobe's site. That would imply they were hacked, and if that was the case we would have heard about it already.

Do you still have a sample of this download that you installed? If so, submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#71 zingo156, Helper Emeritus
Posted 02 March 2015 - 12:33 PM

I will say one of the clients I had also reported doing a Flash update prior to infection. However, when I was working on the computer I noticed a Flash update pop up. It was a fake Flash update; it looked very, very close to the original, and when clicked it opened a webpage that again looked very similar to the Adobe Flash update page, with a download. However, the URL itself was not the official Adobe Flash page.

Are you 100% certain it was the official adobe flash update page?


Edited by zingo156, 02 March 2015 - 12:39 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#72 zingo156, Helper Emeritus
Posted 02 March 2015 - 01:57 PM

It looks like there are some others reporting a similar thing with fake Flash updates and CryptoWall 3.0; read post #27 here: http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/page-2


Edited by zingo156, 02 March 2015 - 02:08 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#73 GargoyleEyes, Members
Posted 02 March 2015 - 03:17 PM

Zingo, thanks for the link, that infection method could be what caught me. I am away from my compromised computer but when I get home this evening I will post some files to the submission site. As noted, I think I have an .ini file that matches the description of other drops plus I have a number of .js files out of the IE cache as well as some dump reports that all appear to have a date and time stamp from the start of the infection.

#74 NINTR, Members
Posted 02 March 2015 - 05:35 PM

Zingo156

I am 110% sure that I downloaded my update straight from Adobe's site. I didn't use the link from the pop-up, even though I do get those, and I believe they are from Adobe officially. I went online to their site specifically and downloaded everything. Not sure how I would have gotten it, or if perhaps it was something that was lying dormant in my computer that started working when I downloaded the update. I know I didn't use a bogus site, but could you perhaps provide a link to the actual site so that others who are viewing this page can see if their site was the same? I'm trying to help others avoid this horrible virus as best I can. It took me a full month to rid my system of it and I still have lasting effects, possibly left over from the virus or from the multitude of scans I had to run. Avast and Malwarebytes got rid of it mostly, but I'm still left with a bunch of encrypted files. Like I said, nothing overly important was lost, but I can't imagine this happening to someone who has a lot of stuff that they have not backed up. D:



#75 GargoyleEyes, Members
Posted 02 March 2015 - 10:53 PM

Grinler, I have submitted some files via the online submission tool noted above.
