Comodo Antivirus let my computer get infected again and this time its bad.

comcity · July 7, 2015, 5:25pm

Somehow Comodo antivirus let a file get put into my startup on July 3. When I started my computer on July 6, I could see excessive disk drive activity and I knew there was a problem. I finally discovered the program that was running and stopped it but now I have massive damage on my disk. I can’t open any .pdf files, any .doc files, and .txt files, any .ppt files and virtually any other files. Are these files really damaged? The date and time of these files are “unaltered”. However, in every folder, there is a ransome note in .png, .html, and .txt that appears to say if I pay someone then I can get my files back. It says the following:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: RSA (cryptosystem) - Wikipedia

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://6i3cb6owitcouepv.paybalanceto.com/avzjw5
2.http://6i3cb6owitcouepv.paybrakepoint.com/avzjw5
3.http://6i3cb6owitcouepv.paytostopigil.com/avzjw5
4.http://6i3cb6owitcouepv.paytodoublemoney.com/avzjw5

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: Tor Project | Download
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: 6i3cb6owitcouepv.onion/avzjw5
4.Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: http://6i3cb6owitcouepv.paybalanceto.com/avzjw5
Your personal page (using TOR): 6i3cb6owitcouepv.onion/avzjw5
Your personal identification number (if you open the site (or TOR 's) directly): avzjw5

_{Fixed broken link. JoWa}

jebuchanan · July 7, 2015, 10:30pm

have you contacted the local authorities in this matter? What has happened is a crime.

comcity · July 9, 2015, 8:25pm

No, I’m in the US, there is no one in the local police department that probably even knows how to turn a computer on and they would refer me to the FBI because the source is likely Russia. However, the FBI would say they are too buy with much bigger companies than little old me and refer me to fill out some kind of complaint form that could be permanently filed away in the garbage. Are you in the US? I’m in a tiny town in Texas that probably has a total of 20 cops…none of them into espionage or Cyber Vandalism/criminality.

jebuchanan · July 10, 2015, 1:26am

Dartmouth, Nova Scotia, my friend (just find Halifax, it’s across the bridge)

Silwncer · July 10, 2015, 9:20am

Hi,your files cannot be recovered unless you have a backup. If infection is still persistent on the system,i can help you out

1)Download Farbar Recovery Scan Tool and save it to your desktop.

NOTE: If you don’t know which version is compatible with your system,try to download both of them. Working one is that you need to use.

2)Run the tool as Administrator,if you get info about Disclaimer click Yes. Before you click on scan button make sure that Addition is checked,if not do it. Program will generate two logs (FRST and Addition) which you will zip and upload to Zippyshare.

Download it from here : Download Farbar Recovery Scan Tool

BuketB · July 10, 2015, 5:00pm

Hello comcity,

Thank you very much for your detailed report, we will investigate and get back you you asap.

Kind Regards
Buket

comcity · July 13, 2015, 1:55pm

Thanks man.
I got about 20% of the files back via shadow copy and it looked pretty hopeless. I paid the ransom and got the decrypter and it has decrypted the files. It is still working on the last directory and its very slow and has been working on that directory for 24 hrs so I can’t say yet it has 100% decrypted all files but it likely has and that last directory is not that important.

I did a scan and Comodo still doesn’t even recognize the malware has a bad file. However, malwarebytes recognizes the file in the recycle bin with a renamed extension. This is my second infection with Comodo antivirus so it is time for me to find something new.

comcity · July 13, 2015, 1:58pm

Well find a tv…the US is way behind the times in handling security on the Internet…and it has been like this I’ve been on the Internet since 1995. Back then I got my first computer intrusion and there was one guy in the FBI handling the entire western part of the United States…I’m guessing they probably have 5 or 10 people now on it.

Silwncer · July 13, 2015, 2:22pm

Never pay for ransom, that way you “support” their further development. If you want infection fully removed, you can do what i suggested to you

SanyaIV · July 13, 2015, 2:37pm

Sometimes it’s not that easy, sometimes they encrypt files you kinda really need or really don’t want to lose and if you don’t have a backup then there’s not much hope of regaining those files without paying.

The takeaway lesson here is to always keep frequent offline backups if your data is important. (How do you know if your data is important? Well, would you have paid? If the answer is Yes then it’s important and if the answer is no then you should probably still keep backups for convenience sake if nothing else)

Do you still have the file? (for example in the quarantine of malwarebytes? If so could you send me the file? If yes, PM me)

I think the AV in CIS excludes files in the recycle bin by default? That may be why CIS doesn’t detect it but I can’t be sure.

If you still have them, could you send me a copy of your config file and logs?

I would like to see these things to figure out what happened here and if there’s a bug or an issue with CIS I’d like to report it to Comodo.

BuketB · July 13, 2015, 2:41pm

Hello comcity,

yes we need to get the sample as well, our QA sent you a message , please kindly check your PM box and reply back. We would be happy to help you and investigate.

Kind Regards
Buket

Silwncer · July 13, 2015, 3:09pm

Encryption ransomware usually destroys itself after he accomplish it’s mission,so i don’t believe that there’s sample on system.