ALL my files have been encrypted -ransom malware I think


This topic is locked
8 replies to this topic

#1 Mitsa123

  • Members
  • 43 posts
  • Gender:Male
  • Location:Birmingham UK

Posted 20 January 2013 - 11:34 AM

A couple of days ago I thought I would back up all my pictures, videos and songs onto an external hard drive... I thought I'd just check a few pictures for some unknown reason first, and when I did, Windows Photo Viewer said:
WINDOWS PHOTO VIEWER CAN'T OPEN THIS PICTURE BECAUSE EITHER IT DOESN'T SUPPORT THIS FILE FORMAT OR YOU DON'T HAVE THE LATEST UPDATES TO PHOTO VIEWER.

I spent ages trying to open the pictures in Paint and other apps but nothing worked..... then...
I noticed a document on my desktop like a Notepad file... it said WARNING, so I opened it; that's when I realised what had happened.... it said all my files have been encrypted and pay 100 and we will encrypt etc. etc. All Word docs, music, vids, pics don't open; they either show the message above or say that the file is corrupt.

I know this is a virus/scam, but what can I do? I have years and years' worth of work on there. I don't care about the rest, but it's the family pics that mean so much to me.

I know I should have backed everything up, but it's too late now.

I would really appreciate any help. I have Windows 7 on my

My PC boots up just fine; I can access everything and the Internet, I just can't view files.... I have tried antivirus scans but no luck.


Please help!!!

Thank you so much.
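A triage check that is not part of the original post: before assuming every file is lost, it is worth confirming which files are actually encrypted and which merely have a damaged header or were truncated. The script below (added example, written for this thread rather than taken from any tool named in it) compares each file's leading bytes against the standard signature for its extension and measures the byte entropy of the first 4 KiB; ciphertext is near 8 bits/byte, while a zeroed or truncated file is not. All sample files are constructed in memory, and the 7.5 bits/byte cut-off is an assumption for this example.

```python
# Added example, not from the original post: decide whether files that no
# longer open are actually encrypted or merely damaged, by checking the
# format header and the byte entropy of the first 4 KiB. All sample files
# below are constructed in memory; the 7.5 bits/byte threshold is an assumption.
import math
import random
from collections import Counter

# Leading magic bytes for the file types the post mentions (pictures, Word
# documents, music, video). These are the standard, widely documented signatures.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file (Word 97-2003)
    ".docx": [b"PK\x03\x04"],                         # OOXML is a ZIP container
    ".mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".avi":  [b"RIFF"],
}

SAMPLE_BYTES = 4096  # enough to see an overwritten header and get a stable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for a constant run, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def header_matches(name: str, data: bytes) -> bool:
    """True if `data` starts with one of the known signatures for `name`'s extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(extension_of(name), []))


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """
    'intact'    : header matches its extension (the viewer error is not a header problem)
    'encrypted' : header gone and the content looks like ciphertext (near-maximal entropy)
    'damaged'   : header gone but content is low-entropy, i.e. truncated/zeroed rather than encrypted
    'unknown'   : no signature on record for this extension
    An intact header does not prove the rest of the file is untouched, so
    'intact' files that still fail to open deserve a look at their tail as well.
    """
    if extension_of(name) not in MAGIC:
        return "unknown"
    sample = data[:SAMPLE_BYTES]
    if header_matches(name, sample):
        return "intact"
    if shannon_entropy(sample) >= threshold:
        return "encrypted"
    return "damaged"


def _pseudo_ciphertext(n: int, seed: int = 1) -> bytes:
    # Deterministic stand-in for an encrypted body (constructed test data, not real ransomware output).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample set mirroring the post's symptoms.
SAMPLES = {
    "family.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(256)) * 8,  # untouched picture
    "holiday.jpg": _pseudo_ciphertext(SAMPLE_BYTES),                       # header overwritten, random body
    "report.doc":  b"\x00" * 3000 + b"x" * 1000,                           # header gone, but not encrypted
    "notes.txt":   b"hello",                                               # no signature to compare against
}


def triage(files: dict) -> dict:
    """Map each file name to its classification."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

Run it over a real directory by reading each file's first 4 KiB into `classify`. Files that come back `damaged` rather than `encrypted` are the ones a file-repair tool may still recover; `encrypted` files will only come back with the key, and the verdict should be confirmed on a few files by hand before any conclusion is drawn.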


#2 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 02:08 PM

I have run TDSSKiller and it found
Unsigned file
Service: IBUpdaterService
I put it into quarantine? Is that correct, or do I delete it?

#3 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 02:16 PM

I've been looking through some of your threads to try to help myself, as I know you guys are really busy. I'm no computer genius at all, lol, I'll tell you that now :-)
Anyway, I ran RogueKiller and the report is below.

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Imran [Admin rights]
Mode : Remove -- Date : 01/20/2013 19:13:26

Bad processes : 1
[SERVICE] IBUpdaterService -- "C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE -> STOPPED

Registry Entries : 4
[Services][BLSVC] HKLM\[...]\ControlSet001\Services\IBUpdaterService ("C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE) -> DELETED
[Services][BLSVC] HKLM\[...]\ControlSet002\Services\IBUpdaterService ("C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:
[Del.Parent][FILE] mmc169.exe : C:\Users\Imran\AppData\Roaming\Adobe\plugs\mmc169.exe --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Users\Imran\AppData\Roaming\Adobe\plugs --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Users\Imran\AppData\Roaming\Adobe\shed --> REMOVED

Driver : [LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: WDC WD3200AAJS-22L7A0 ATA Device +++++
--- User ---
[MBR] a1145d1b73316ca2d1b3f4517471b6e4
[BSP] a496b22288711797e12e61511eb68829 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305143 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01202013_02d1913.txt >>
RKreport[1]_S_01202013_02d1912.txt ; RKreport[2]_D_01202013_02d1913.txt
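An added example, not part of the original post and not RogueKiller's own code: the report above names a service (`IBUpdaterService`) whose binary sits under `C:\ProgramData`, plus files and folders dropped under the user's `AppData\Roaming\Adobe` tree. The script below parses that report (the relevant lines are embedded verbatim as the sample input) into a list of indicators, deduplicates the service across its process hit and its two ControlSet registry entries, and flags any service whose image path is in a location a standard user can normally create files in. Which path fragments count as user-writable is an assumption made for this example, not something RogueKiller reports.

```python
# Added example, not part of the original post: pull the indicators out of a
# RogueKiller "Remove" report (the one above, embedded verbatim as input) and
# flag any Windows service whose binary lives in a location a standard user can
# normally write to. The list of such locations is an assumption for this
# example and is not something RogueKiller itself reports.
import re

# Excerpt of the report posted in the thread, used here as the sample input.
REPORT = r"""Bad processes : 1
[SERVICE] IBUpdaterService -- "C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE -> STOPPED

Registry Entries : 4
[Services][BLSVC] HKLM\[...]\ControlSet001\Services\IBUpdaterService ("C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE) -> DELETED
[Services][BLSVC] HKLM\[...]\ControlSet002\Services\IBUpdaterService ("C:\ProgramData\IBUpdaterService\ibsvc.exe" /SERVICE) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:
[Del.Parent][FILE] mmc169.exe : C:\Users\Imran\AppData\Roaming\Adobe\plugs\mmc169.exe --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Users\Imran\AppData\Roaming\Adobe\plugs --> REMOVED
[Tr.Karagany][FOLDER] ROOT : C:\Users\Imran\AppData\Roaming\Adobe\shed --> REMOVED
"""

# Assumed path fragments treated as user-writable (this example's choice, not a RogueKiller concept).
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")

# One pattern per report line type we care about.
SERVICE_PROC = re.compile(r'^\[SERVICE\] (?P<name>\S+) -- "(?P<path>[^"]+)"(?P<args>.*?) -> (?P<state>\w+)$')
SERVICE_REG = re.compile(r'^\[Services\]\[\w+\] (?P<key>\S+) \("(?P<path>[^"]+)"(?P<args>.*?)\) -> (?P<action>\w+)$')
FS_ENTRY = re.compile(r'^\[(?P<detection>[^\]]+)\]\[(?P<kind>FILE|FOLDER)\] \S+ : (?P<path>.+?) --> (?P<action>\w+)$')


def extract_iocs(report: str) -> dict:
    """Parse a RogueKiller report into services (deduplicated by name), files and folders."""
    services = {}  # name -> record; the same service shows up as a process and in each ControlSet
    files, folders = [], []
    for raw in report.splitlines():
        line = raw.strip()
        m = SERVICE_PROC.match(line)
        if m:
            rec = services.setdefault(m["name"], {"name": m["name"], "image_path": m["path"], "seen_in": []})
            rec["seen_in"].append("process")
            continue
        m = SERVICE_REG.match(line)
        if m:
            name = m["key"].rsplit("\\", 1)[-1]
            rec = services.setdefault(name, {"name": name, "image_path": m["path"], "seen_in": []})
            rec["seen_in"].append("registry:" + m["key"])
            continue
        m = FS_ENTRY.match(line)
        if m:
            target = files if m["kind"] == "FILE" else folders
            target.append({"path": m["path"], "detection": m["detection"], "action": m["action"]})
    return {"services": list(services.values()), "files": files, "folders": folders}


def is_user_writable_location(path: str) -> bool:
    """True if the path sits under a directory a standard user can normally populate."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def suspicious_services(iocs: dict) -> list:
    """Names of services whose binary runs from a user-writable location."""
    return [s["name"] for s in iocs["services"] if is_user_writable_location(s["image_path"])]


if __name__ == "__main__":
    found = extract_iocs(REPORT)
    for s in found["services"]:
        print("service", s["name"], s["image_path"], "seen in", len(s["seen_in"]), "places")
    for f in found["files"] + found["folders"]:
        print(f["detection"], f["path"], f["action"])
    print("services to follow up:", suspicious_services(found))
```

A service registered under HKLM\...\Services runs with the privileges of its configured account regardless of where its executable lives, so an image path under ProgramData or AppData is worth treating as a persistence finding in its own right, independent of whatever antivirus label the scanner attaches to the dropped files.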

#4 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 02:19 PM

I keep getting a pop-up saying run jucheck.exe as administrator; I keep saying no to it... don't know what it is.

#5 jburd1800

  • Members
  • 426 posts

Posted 20 January 2013 - 02:22 PM

Looks like it is a part of Java...

http://java.com/en/download/faq/jucheck.xml

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life.”


#6 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 02:33 PM

Do I download that jucheck?

Also, I looked at another post and it said to run aswMBR.exe; whilst it was running my computer rebooted, and Microsoft said there was a problem and it said...


Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 2057

Additional information about the problem:
BCCode: d1
BCP1: 00000000
BCP2: 000000FF
BCP3: 00000008
BCP4: 00000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\012013-18517-01.dmp
C:\Users\Imran\AppData\Local\Temp\WER-46706-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

#7 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 02:50 PM

aswMBR log

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-20 19:35:36
-----------------------------
19:35:36.413 OS Version: Windows 6.1.7601 Service Pack 1
19:35:36.413 Number of processors: 2 586 0x603
19:35:36.423 ComputerName: IMRAN-PC UserName: Imran
19:36:44.434 Initialize success
19:36:59.863 AVAST engine defs: 13012000
19:37:07.683 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:37:07.683 Disk 0 Vendor: WDC_WD3200AAJS-22L7A0 01.03E01 Size: 305245MB BusType: 3
19:37:07.773 Disk 0 MBR read successfully
19:37:07.783 Disk 0 MBR scan
19:37:07.793 Disk 0 Windows 7 default MBR code
19:37:07.813 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:37:07.903 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
19:37:07.973 Disk 0 scanning sectors +625139712
19:37:08.273 Disk 0 scanning C:\Windows\system32\drivers
19:37:41.243 Service scanning
19:37:54.526 Disk 0 MBR has been saved successfully to "C:\Users\Imran\Desktop\MBR.dat"
19:37:54.526 The log file has been saved successfully to "C:\Users\Imran\Desktop\aswMBR.txt"
19:38:25.212 Service MpKsl54b27d8f c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{89E452CE-7A21-49EA-9CBA-0F039A478BDD}\MpKsl54b27d8f.sys **LOCKED** 32
19:38:32.005 Disk 0 MBR has been saved successfully to "C:\Users\Imran\Desktop\MBR.dat"
19:38:32.012 The log file has been saved successfully to "C:\Users\Imran\Desktop\aswMBR.txt"
19:38:49.497 Modules scanning
19:39:02.322 Disk 0 trace - called modules:
19:39:02.342 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
19:39:02.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85969030]
19:39:02.352 3 CLASSPNP.SYS[88bad59e] -> nt!IofCallDriver -> [0x85896918]
19:39:02.352 5 ACPI.sys[886403d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8587b908]
19:39:04.412 AVAST engine scan C:\Windows
19:39:07.982 AVAST engine scan C:\Windows\system32
19:43:28.070 AVAST engine scan C:\Windows\system32\drivers
19:43:49.497 AVAST engine scan C:\Users\Imran
19:49:12.910 Disk 0 MBR has been saved successfully to "C:\Users\Imran\Desktop\MBR.dat"
19:49:12.968 The log file has been saved successfully to "C:\Users\Imran\Desktop\aswMBR.txt"

#8 Mitsa123 (Topic Starter)

Posted 20 January 2013 - 03:01 PM

I have just read on another post that you say not to run anything until told, as it has to be done in order... sorry!

I will stop at this point and wait for your directions, if you are able to help me out in any way.

Thanks

Edited by Mitsa123, 20 January 2013 - 03:12 PM.


#9 hamluis

  • Moderator
  • 44,224 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 25 January 2013 - 02:43 PM

OP has an open topic in MRL; this topic is now closed.

http://www.bleepingcomputer.com/forums/topic483001.html/page__p__2953270__fromsearch__1#entry2953270

Louis



