Hi,
My home computer has been infected by the same virus as Mr Quasar
http://www.bleepingcomputer.com/forums/topic456569.html/page__pid__2726791#entry2726791 and oboe22 (topic 4569). In my case the id on the warning.txt message in each directory where files have been encrypted is 1372 and the message is:
YOUR ID: 1372
YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.
STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.
STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide MoneyPak number.
STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.
Q: How I can make sure that you can really decipher my files?
A: You can send ONE any ciphered file on email cryptdecrypt@yahoo.com
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.
Q: Where can I purchase a MoneyPak?
A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.
Q: How do I buy a MoneyPak at the store?
A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near .
Luckily, I was able to kill the virus before it had completed encrypting all my files. The virus blocked my attempts to open task manager and I was unable to reboot in safe mode using F8 but after switching off power during a boot I was able to enter a recovery mode and go to the command prompt. There, after running FRST.exe, I located the virus in \\Users\Richard\AppData\Roaming\vsdsrv32.exe and removed it. There was also a 32 bit file cconf.txt.enc which I believe may be related to the encryption key. I have saved both these files.
From the time that the infected files were encrypted, it is clear that the virus worked through all subdirectories of My Documents, first for .txt files, followed by .xls, .doc, .rtf, .htm, .chm, .ppt and .pdf files. I managed to kill it before it had finished encrypting the .pdf files.
I can recover most if not all of my encrypted files from my other machines. However, I am wondering whether the cconf.txt.enc and the exe file might be enough to help break the encryption key and reverse the encryption process. If so, this might be some help to other users infected by this virus.
Thanks,
Richard
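
Added example, not part of the original post: a Python sketch for scoping the damage before restoring from backup, using the two markers the post describes (a warning.txt containing a "YOUR ID:" line in each affected directory, and the listed target extensions). It assumes the affected files keep their original names; the function names and the sample tree are constructed for illustration.

```python
import os, re, sys
from datetime import datetime

# Extensions the post lists as targeted, in the order it observed.
TARGET_EXTS = (".txt", ".xls", ".doc", ".rtf", ".htm", ".chm", ".ppt", ".pdf")
NOTE_NAME = "warning.txt"
ID_RE = re.compile(r"^YOUR ID:\s*(\d+)\s*$", re.MULTILINE)

def scan(root):
    """Map each directory holding a ransom note to its ID and candidate files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        note = next((f for f in files if f.lower() == NOTE_NAME), None)
        if note is None:
            continue
        try:
            with open(os.path.join(dirpath, note), errors="replace") as fh:
                m = ID_RE.search(fh.read(4096))
        except OSError:
            continue  # unreadable note: skip rather than abort the scan
        if not m:
            continue  # an ordinary warning.txt, not the ransom note
        # Candidates only: the note marks the directory, not each file.
        candidates = sorted(
            (os.path.getmtime(os.path.join(dirpath, f)), os.path.join(dirpath, f))
            for f in files
            if f != note and os.path.splitext(f)[1].lower() in TARGET_EXTS)
        hits[dirpath] = {"id": m.group(1), "files": candidates}
    return hits

def build_sample(root):
    """Constructed sample tree: one directory with a note, one without."""
    hit = os.path.join(root, "Documents", "letters")
    clean = os.path.join(root, "Documents", "photos")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, NOTE_NAME), "w") as fh:
        fh.write("YOUR ID: 1372\nYOUR COMPUTER IS BLOCKED.\n")
    for name in ("a.txt", "b.XLS", "c.jpg"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "d.pdf"), "w").close()
    return hit

if __name__ == "__main__":
    for d, info in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(d, "ID", info["id"])
        for mtime, path in info["files"]:
            print("  ", datetime.fromtimestamp(mtime).isoformat(" ", "seconds"), path)
```

Sorting by modification time gives the same timeline the post reads from the file timestamps; compare each candidate against a known-good backup copy before overwriting anything.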