
All my files have been encrypted by a virus! Ransom malware I think


39 replies to this topic

#1 Mitsa123 (Members, 43 posts, Birmingham UK)

Posted 29 January 2013 - 01:55 PM

Couple of days ago I thought I would back up all my pictures, videos and songs onto an external hard drive...I thought I'd just check a few pictures for some unknown reason first, when I did Windows Photo Viewer said
WINDOWS PHOTO VIEWER CAN'T OPEN THIS PICTURE BECAUSE EITHER IT DOESN'T SUPPORT THIS FILE FORMAT OR YOU DON'T HAVE THE LATEST UPDATES TO PHOTO VIEWER.

I spent ages trying to open the pictures in Paint and other apps but nothing worked.....then...
I noticed a document on my desktop like a notepad...it said WARNING so I opened it, that's when I realised what had happened....it said all my files have been encrypted and pay £100 and we will encrypt etc etc, all Word docs, music, vids, pics all don't open, either states the above or that the file is corrupt.

I know this is a virus/scam but what can I do, I have years and years' worth of work on there, I don't care about the rest but it's the family pics that mean so much to me.

I know I should have backed everything up but it's too late now.

I would really appreciate any help, I have windows 7 on my

my PC boots up just fine, I can access everything and the Internet, I just can't view files....have tried antivirus scans but no luck


Please help!!!

Thank you so much.


#2 Mitsa123 (Topic Starter, Birmingham UK)

Posted 29 January 2013 - 01:59 PM

~~~~~~~~~~~~~DDS LOG~~~~~~~~~~~~~~~~~~~



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by Imran at 21:04:02 on 2013-01-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.1918.1059 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
C:\Program Files\Seagate\Seagate Dashboard 2.0\NBCore.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Community SmartbarEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} -
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Community Smartbar: {ae07101b-46d4-4a98-af68-0333ea26e113} -
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
uRun: [Google Update] "c:\users\imran\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Uploader] c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.Uploader.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [DBAgent] "c:\program files\seagate\seagate dashboard 2.0\DBAgent.exe" /WinStart
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{0503C123-4124-4CA8-B28D-9FEC0B5F65DB} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{B8B67B98-8A35-495B-A92B-BBE3DC659FBF} : DHCPNameServer = 109.249.185.224 109.249.186.32
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 99272]
R2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files\seagate\seagate dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2012-11-8 15552]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-2-1 278560]
S1 MpKsl33ccb251;MpKsl33ccb251;c:\programdata\microsoft\microsoft antimalware\definition updates\{89e452ce-7a21-49ea-9cba-0f039a478bdd}\MpKsl33ccb251.sys [2013-1-20 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\drivers\BTHPRINT.SYS [2009-7-13 50688]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-1-29 30576]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-5-10 18432]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-9 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-9 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-13 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2013-01-21 18:58:21 -------- d-----w- c:\programdata\Nero
2013-01-21 18:58:06 -------- d-----w- c:\program files\Seagate
2013-01-21 18:49:59 -------- d-----w- c:\programdata\Seagate
2013-01-21 18:49:57 -------- d-----w- c:\users\imran\appdata\roaming\Seagate
2013-01-20 19:47:36 -------- d-----w- c:\users\imran\appdata\local\APN
2013-01-20 19:47:35 -------- d-----w- c:\program files\Ask.com
2013-01-20 19:47:34 -------- d-----w- C:\Firefox
2013-01-20 19:37:15 -------- d-----w- c:\programdata\Ask
2013-01-20 19:36:57 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-20 19:15:04 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{89e452ce-7a21-49ea-9cba-0f039a478bdd}\mpengine.dll
2013-01-20 19:07:42 -------- d-----w- C:\TDSSKiller_Quarantine
2013-01-20 01:23:37 -------- d-----w- c:\users\imran\New folder
2013-01-19 18:48:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-01-19 18:48:47 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-01-18 22:17:20 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-18 22:12:49 46592 ----a-w- c:\windows\system32\fpb.rs
2013-01-18 22:10:34 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-18 22:10:32 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-18 18:32:42 -------- d-----w- c:\users\imran\appdata\roaming\Malwarebytes
2013-01-18 18:32:18 -------- d-----w- c:\programdata\Malwarebytes
2013-01-18 18:32:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-18 18:31:57 -------- d-----w- c:\users\imran\appdata\local\Programs
2013-01-01 19:57:57 -------- d-----w- c:\users\imran\Dropbox
2013-01-01 19:50:50 -------- d-----w- c:\users\imran\appdata\roaming\Dropbox
.
==================== Find3M ====================
.
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 04:53:34 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:56:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-22 04:45:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-09 04:43:04 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 05:11:31 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 04:47:54 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-10-25 20:24:08 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-25 20:24:08 746984 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 21:04:48.00 ===============

#3 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 02 February 2013 - 09:12 PM

Greetings Mitsa123 and Welcome to the Forums,

Please read through These Instructions and see if you think that's something you would like to try. Let me know...thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#4 Mitsa123 (Topic Starter, Birmingham UK)

Posted 03 February 2013 - 04:21 PM

Hi. Thank you for your suggestion....I will try this shortly and update you.

#5 Mitsa123 (Topic Starter, Birmingham UK)

Posted 03 February 2013 - 05:57 PM

No luck...here is the report from that scan.

22:53:34.0357 0284 Trojan-Ransom.Win32.Xorist decryptor tool 2.2.119.0 Jan 28 2013 11:45:25
22:53:34.0770 0284 ============================================================
22:53:34.0770 0284 Current date / time: 2013/02/03 22:53:34.0770
22:53:34.0770 0284 SystemInfo:
22:53:34.0770 0284
22:53:34.0770 0284 OS Version: 6.1.7601 ServicePack: 1.0
22:53:34.0770 0284 Product type: Workstation
22:53:34.0770 0284 ComputerName: IMRAN-PC
22:53:34.0780 0284 UserName: Imran
22:53:34.0780 0284 Windows directory: C:\Windows
22:53:34.0780 0284 System windows directory: C:\Windows
22:53:34.0780 0284 Processor architecture: Intel x86
22:53:34.0780 0284 Number of processors: 2
22:53:34.0780 0284 Page size: 0x1000
22:53:34.0780 0284 Boot type: Normal boot
22:53:34.0780 0284 ============================================================
22:53:34.0780 0284 Initialize success
22:54:05.0167 4748 Can't init decryptor on file C:\Users\Imran\Desktop\of iphone 4 a\IMG_2003.JPG
22:54:12.0329 3732 Can't init decryptor on file C:\Users\Imran\Desktop\of iphone 4 a\IMG_2004.JPG
22:54:32.0576 2748 Can't init decryptor on file C:\Users\Imran\Desktop\of iphone 4 a\IMG_2069.JPG
22:54:50.0382 4832 Can't init decryptor on file C:\Users\Imran\Desktop\Taken of Iphone\IMG_0281.JPG
22:55:00.0188 0684 Can't init decryptor on file C:\Users\Imran\Desktop\Taken of Iphone\IMG_0315.JPG
22:56:00.0671 5464 Can't init decryptor on file C:\Users\Imran\Desktop\Taken of Iphone\Roxy\IMG_1044.JPG
22:56:17.0865 5712 Can't init decryptor on file C:\Users\Imran\Desktop\Taken of Iphone\Roxy\IMG_1383.JPG
22:56:19.0837 5828 Can't init decryptor on file C:\Users\Imran\Desktop\Taken of Iphone\Roxy\IMG_0991.JPG
22:56:23.0039 1912 Can't get encrypted file path

#6 1972vet (Malware Response Team, Midwest U.S.A.)

Posted 03 February 2013 - 06:27 PM

OK, thanks. On the hope that Kaspersky may have had the edge, I suggested that tool as there are several options available...it really depends on certain factors relating to the infection, so I should probably have asked first to save the time. Tell us please, of the files you are unable to open, how are they named? Has this malware locked access to them outright, or just renamed them with various random names?

By the way, I might also add, although it is possible to remove the malicious code that brought this about, it is also quite possible that the encrypted files will be lost. I just thought it is worth trying before tossing the towel.



#7 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 05:52 AM

Hi. No that's fine, anything is worth a try...

The files have not been renamed...they are still called as I named them. When I double click an image the following comes up
WINDOWS PHOTO VIEWER CAN'T OPEN THE PICTURE BECAUSE EITHER PHOTO VIEWER DOESN'T SUPPORT THIS FILE FORMAT OR YOU DON'T HAVE THE LATEST UPDATES TO PHOTO VIEWER.

It doesn't matter what I try to open them in, as I've tried Paint etc. as well....if indeed a file is encrypted would it say this??

I am happy to upload a picture so you can view its properties etc if that will help?

Thank you.

#8 1972vet (Malware Response Team, Midwest U.S.A.)

Posted 04 February 2013 - 08:30 AM

> Hi. No that's fine, anything is worth a try...
>
> The files have not been renamed...they are still called as I named them. When I double click an image the following comes up
> WINDOWS PHOTO VIEWER CAN'T OPEN THE PICTURE BECAUSE EITHER PHOTO VIEWER DOESN'T SUPPORT THIS FILE FORMAT OR YOU DON'T HAVE THE LATEST UPDATES TO PHOTO VIEWER.
>
> It doesn't matter what I try to open them in, as I've tried Paint etc. as well....if indeed a file is encrypted would it say this??
>
> I am happy to upload a picture so you can view its properties etc if that will help?
>
> Thank you.

No, that's not necessary...just tell us what the file extension is, as it's likely to have been changed by the malware. This could be the reason you are currently unable to open them. Some of these malware types actually DO encrypt files, others just want to spoof you into thinking so. One way this is done is by changing either file associations or file extensions so we need to check on this to determine the easiest route for us to take in order to fix this or even if it IS fixable.

If the extension is correct and file associations haven't been tampered with, then we can conclude the files have indeed been encrypted. In this scenario, those files might be history, but we should try what we can before a surrender as previously stated.

Make sure you can view "All Files" by doing the following:
Click on start, then in the "Search programs and files" box, type the following:
Folder Options
...then press the "Enter" key. The Folder Options box will open. Please click on the "View" tab. Under the "Hidden files and folders" section, make sure the bullet has been selected for the option labeled Show hidden files, folders, and drives
...and remove the check from the option box labeled "Hide extensions for known file types". Click "Apply" and "OK" your way out to close the folder options properties box. Now, please navigate to any of the files you have trouble opening and examine the file to ascertain the file extension as it now appears. Post that information back on your next reply. Thanks!

edit added:
It would also be good to know if your on-board antivirus solution has found and identified the infection. Knowing a "proper" name for the infection could assist us with a solution for you. Let us know...thanks.

Edited by 1972vet, 04 February 2013 - 08:33 AM.



#9 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 12:01 PM

Ok I have tried that, both items needed ticking or unticking.....however I still can't view the pics HOWEVER....when I now try to open an image it says
WINDOWS PHOTO VIEWER CAN'T OPEN THE PICTURE BECAUSE THE FILE APPEARS TO BE DAMAGED, CORRUPTED, OR IS TOO LARGE

Type of file is Jpeg.

The strange thing is that when you look at the various folders you can see a thumbnail of the contents but when you open the folder then the pics within it are blank and when you double click a single image the above message appears....I'm really confused!!

Only antivirus I had on there was the Microsoft one, so I can't even tell you the specific name of the virus I have unless I can run some type of check that can tell me?
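The check 1972vet describes in #8 (confirm the real extension and the file associations before concluding the contents are gone) and the finding in #9 (a .JPG that Photo Viewer now calls damaged) can be settled by reading the file's first bytes instead of trusting its name. The script below is an added example, not code from the thread or from any tool mentioned in it: it compares a file's leading bytes with known format signatures, so a file whose extension was changed, a file whose association is broken but whose bytes are intact, and a file whose contents were actually overwritten each get a different verdict. The file names and byte strings in demo_samples() are constructed, and the 7.0-bits-per-byte entropy threshold is a rule of thumb, not a value from the thread.

```python
"""Added example (not from the thread): tell a file whose *name* was tampered
with (extension changed, association broken) apart from one whose *contents*
were overwritten, by checking the leading bytes against known signatures.
The sample names and bytes in demo_samples() are constructed."""
import math
import os
import random
from collections import Counter

# (leading bytes, extensions that legitimately start with them), from the
# public format specifications.
SIGNATURES = [
    (b"\xff\xd8\xff", ("jpg", "jpeg")),
    (b"\x89PNG\r\n\x1a\n", ("png",)),
    (b"GIF87a", ("gif",)),
    (b"GIF89a", ("gif",)),
    (b"%PDF-", ("pdf",)),
    (b"PK\x03\x04", ("docx", "xlsx", "pptx", "zip")),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ("doc", "xls", "ppt")),
    (b"ID3", ("mp3",)),
    (b"RIFF", ("wav", "avi")),
]

HEADER_BYTES = 4096  # covers every signature above and gives a usable entropy estimate


def detect_format(data):
    """Extensions consistent with the leading bytes, or None if no signature matches."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def shannon_entropy(data):
    """Bits per byte: near 8.0 for ciphertext or compressed data, lower for most headers."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, extension):
    """Map a file header plus its claimed extension to one of the cases in the thread.

    intact     - signature matches the extension: the bytes are fine, so look at the
                 file association or the viewer rather than at the file
    renamed    - a known signature, but not the one the extension claims
    encrypted? - no known signature and near-random bytes: the content itself was
                 overwritten (encryption, or some other corruption)
    unknown    - no signature and low entropy (zeroed, truncated, plain text, ...)
    """
    ext = extension.lower().lstrip(".")
    exts = detect_format(data)
    if exts is not None:
        return "intact" if ext in exts else "renamed"
    return "encrypted?" if shannon_entropy(data) > 7.0 else "unknown"


def classify_path(path):
    """Classify one file on disk from its first HEADER_BYTES and its extension."""
    with open(path, "rb") as f:
        data = f.read(HEADER_BYTES)
    return classify(data, os.path.splitext(path)[1])


def scan_folder(folder):
    """Walk a folder tree; returns {verdict: [paths]} so you can see the damage pattern."""
    verdicts = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                verdict = classify_path(path)
            except OSError:
                verdict = "unreadable"
            verdicts.setdefault(verdict, []).append(path)
    return verdicts


def demo_samples():
    """Constructed headers standing in for the kinds of file in the thread (not real files)."""
    rng = random.Random(2013)  # fixed seed so the 'encrypted?' sample is reproducible
    return {
        "IMG_2003.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",                  # healthy JPEG header
        "holiday.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,                        # PNG bytes renamed .jpg
        "IMG_0281.JPG": bytes(rng.getrandbits(8) for _ in range(HEADER_BYTES)),  # random bytes
        "notes.jpg": b"\x00" * 512,                                               # zeroed/truncated
    }


if __name__ == "__main__":
    for name, header in demo_samples().items():
        print(f"{name:14s} -> {classify(header, os.path.splitext(name)[1])}")
```

Call scan_folder(r"C:\Users\<you>\Pictures") on a real tree to see which verdict dominates. "intact" for a JPEG that Photo Viewer refuses means the bytes are fine and the next thing to check is the .jpg association (`assoc .jpg` and `ftype jpegfile` in a Command Prompt show what it currently points to); "encrypted?" means no renaming or association fix will help and recovery has to come from backups or previous versions. Thumbnails that still display while the file will not open are consistent with either case, because Explorer serves them from its thumbnail cache rather than from the file.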

#10 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 12:06 PM

T

Edited by Mitsa123, 05 February 2013 - 06:13 AM.


#11 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 12:15 PM

Ok I've had a breakthrough!!!!

I was messing about with one of the pics and started checking the various tabs...I found one which says Restore and clicked it (this option has not previously been available)...presto! My pic is back!! However, I will need to do this for each and every pic, which will take me forever...

Here's the screenshot for that, what do you recommend I do next? I don't fancy restoring my computer back to the 24/11/12, which is the previous restore date, in case I'm back to square one? But will if I have to.

[Attached file: screenshot2.jpg]

#12 1972vet (Malware Response Team, Midwest U.S.A.)

Posted 04 February 2013 - 05:06 PM

According to your thread topic title, your files "have been encrypted"...but I can now see that was just an assumption you made. It doesn't appear to be the case here. Let me ask, which of those restore points did you choose for that picture, the 16th of January or the 24th of Nov? Your pictures "Previous" versions are taken from those restore points so if you wanted to restore the "System" to the date which restored your picture format, that might be the fastest way for you to get your pictures back. If you are concerned about restoring some sort of virus from that date, it may just be the chance you'll have to take but whatever virus may be there, we should be able to remove...let's get those pictures back first. Let me know which way you would like to tackle this. Thanks!

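The "Previous Versions" tab that brought one picture back reads from the Volume Shadow Copies created alongside restore points, which is why the post above ties the picture's restore date to a restore point. The script below is an added example, not code from the thread or from Microsoft: it lists the shadow copies with `vssadmin list shadows`, and for every .jpg under a folder whose live copy no longer starts with the JPEG signature it copies back the newest shadow-copy version that does, keeping the damaged file beside it. It assumes Windows and an elevated prompt (vssadmin requires one), that Python's open() and shutil accept \\?\GLOBALROOT\... device paths the way the Win32 API does, and that vssadmin lists shadow copies oldest first; SAMPLE_VSSADMIN is a constructed sample of that output with placeholder IDs and host name, and the default folder is a placeholder.

```python
"""Added example (not from the thread): do for a whole folder what the
"Previous Versions" tab did for one picture, using the Volume Shadow Copies
behind that tab.  Assumes Windows, an elevated prompt, and that open()/shutil
accept \\?\GLOBALROOT\... device paths as the Win32 API does."""
import ntpath
import os
import re
import shutil
import subprocess

JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed sample of `vssadmin list shadows` output (placeholder IDs and host).
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 24/11/2012 19:02:11
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 04/01/2013 10:30:45
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: EXAMPLE-PC
"""

_CREATED = re.compile(r"creation time:\s*(.+)")
_ORIGINAL = re.compile(r"Original Volume:\s*\((\w:)\)")
_DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text):
    """[(creation_time, drive, device_path)] in the order vssadmin lists them (oldest first)."""
    shadows, created, drive = [], None, None
    for line in text.splitlines():
        if m := _CREATED.search(line):
            created = m.group(1).strip()
        elif m := _ORIGINAL.search(line):
            drive = m.group(1).upper()
        elif m := _DEVICE.search(line):
            shadows.append((created, drive, m.group(1)))
    return shadows


def list_shadows():
    """Run vssadmin (elevated prompt required) and parse its output."""
    proc = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True)
    return parse_vssadmin(proc.stdout)


def shadow_path(device, live_path):
    r"""C:\Users\X\pic.jpg on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
    -> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Users\X\pic.jpg"""
    _drive, rest = ntpath.splitdrive(live_path)
    return device.rstrip("\\") + rest


def starts_with_jpeg(path):
    """True when the file still has a JPEG header; False if missing, unreadable or garbled."""
    try:
        with open(path, "rb") as f:
            return f.read(3) == JPEG_MAGIC
    except OSError:
        return False


def recover_jpegs(folder, shadows, dry_run=True):
    """Restore each damaged .jpg under folder from the newest shadow copy with a good header.

    Returns [(live_path, source_or_None)]; nothing is written while dry_run is True."""
    drive = ntpath.splitdrive(folder)[0].upper()
    devices = [dev for _t, drv, dev in reversed(shadows) if drv == drive]  # newest first
    results = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            live = os.path.join(root, name)
            if not name.lower().endswith((".jpg", ".jpeg")) or starts_with_jpeg(live):
                continue  # not a JPEG, or its header is still intact
            candidates = (shadow_path(dev, live) for dev in devices)
            source = next((p for p in candidates if starts_with_jpeg(p)), None)
            if source and not dry_run:
                shutil.copy2(live, live + ".damaged")  # keep the bad copy for later analysis
                shutil.copy2(source, live)
            results.append((live, source))
    return results


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\<you>\Pictures"  # placeholder
    shadows = list_shadows()
    for created, drive, dev in shadows:
        print(f"{created}  {drive}  {dev}")
    for live, src in recover_jpegs(folder, shadows, dry_run=True):
        print(f"{live}: {'would restore from ' + src if src else 'no intact copy in any shadow'}")
```

Run it with dry_run=True first (the default in main) to see which files would be restored and from which shadow copy, then flip the flag. A System Restore rolls back programs and registry settings but leaves personal files alone, so restoring the whole system to an earlier date would not by itself bring the pictures back; the per-file previous versions held in the shadow copies are what contain the intact bytes.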


#13 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 08:31 PM

Hi. I think it was the 24th of Nov. I think your advice of unchecking and checking those boxes did the trick as previously that restore option was not showing any dates. I think I may just restore my PC to that date unless you advise otherwise.

#14 Mitsa123 (Topic Starter, Birmingham UK)

Posted 04 February 2013 - 08:44 PM

Oh and the encrypted part I mentioned was because there was a txt doc left on my desktop saying all my files have been encrypted so I just assumed they were as I'm not very good on computers as you can tell! :-)

#15 Mitsa123 (Topic Starter, Birmingham UK)

Posted 05 February 2013 - 06:25 AM

Ok, I decided to restore my system to 24 Nov 12..however, the latest restore point is 4th of Jan this year! My questions are:

1) Can I go to an earlier restore point somehow?
2) Windows says that if you restore then your pics etc are not affected, does that mean it won't revert them to an earlier date/format as well?

Thanks for your help.



