Help required identifying crypto virus

2 replies to this topic

#1 hamzamian


  • Members
  • 3 posts
  • Local time:07:07 PM

Posted 01 October 2013 - 01:49 AM



Firstly, I appreciate the time people take out here to help others, so thanks a lot in advance. I am also quite happy to consider paying, so if someone is able to recommend a good company/individual to help with this I'd be open to that also.


I look after a Linux-based server with a Samba share that is used by a small office (three users) and is accessed by 2 Windows 7 machines, 2 old Windows XP machines riddled with malware and a Windows "server" that is just running XP Pro but is clean. The 2 Windows 7 machines are pronounced clean by MS SE also. (It's actually my dad's office... so my backup plan was a bit lax unfortunately and had a bug from the last release :( )


At the end of last week some of the users reported Excel not being able to open some files on the Samba share; by the time I worked out they were getting encrypted and pulled all the machines off the network, most of the share had been affected. The pattern seems similar to CryptoLocker in that there were .exe files in the root with the same names as the directories, and I also found porn.exe, sexy.exe and x.mpeg in the root of the share.


After verifying the Windows "server" and Windows 7 machines are clean (and I manually checked the registry also by searching for "CryptoLocker" and looking in HKCU\Software to make sure it's not on those machines), those have been let back on the network. The two other XP machines are still quarantined and seem riddled with various items of malware. I deliberately haven't run a scan yet to clean them. However, neither of these machines has CryptoLocker on it either (checked registry and AppData\ for the .exe pattern filename).


So clearly something has encrypted the data on the share, but I no longer think that it is CryptoLocker, which makes me think it may be possible to recover the data if it's a weak encryption... but I guess I need to identify the virus first?


In terms of remote access (in case it's not a virus inside the network), some of the machines have LogMeIn and TeamViewer installed that people use to work remotely (against advice because...) and a Cisco RV042 VPN router running IPSec VPN. The Windows "server" has RDP enabled. There is no port forwarding, so you have to VPN into the network first before accessing any internal resources. Not sure if any of that could have led to an attack vector.


So far I have quarantined the two XP workstations and cleaned the share (manually removed all .exe files and ran MS SE on it). I have a snapshot of the share prior to cleaning it.


Thanks again for any advice or tips on where to look next.
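Added example, not part of the original post: a read-only triage pass over a copy of the share (such as the snapshot mentioned above) that lists the two symptoms described, `.exe` files named after a sibling directory and documents whose leading bytes no longer match their extension. The function name `triage_share` and the extension list are choices made for this sketch; a header mismatch shows the content was altered, not which malware altered it.

```python
import os
import sys

# Well-known leading bytes for formats commonly kept on an office share.
MAGIC = {
    ".xls": b"\xd0\xcf\x11\xe0", ".doc": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
    ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}


def triage_share(root):
    """Walk a copy of the share; return (decoy_exes, bad_headers)."""
    decoy_exes, bad_headers = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Directory names at this level, compared case-insensitively
        # because the Windows clients treat them that way.
        siblings = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if ext == ".exe" and stem in siblings:
                decoy_exes.append(path)  # e.g. Accounts.exe next to Accounts/
                continue
            expected = MAGIC.get(ext)
            if expected is None:
                continue  # no signature known for this extension
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(expected))
            except OSError:
                continue  # unreadable file: skip, never modify
            # Empty files are ignored; anything else must start with the
            # signature its extension promises.
            if head and head != expected:
                bad_headers.append(path)
    return sorted(decoy_exes), sorted(bad_headers)


if __name__ == "__main__":
    decoys, damaged = triage_share(sys.argv[1])
    for p in decoys:
        print("decoy exe:", p)
    for p in damaged:
        print("header mismatch:", p)
```

Run it against the snapshot rather than the live share so file timestamps on the original stay untouched for later comparison.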



#2 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:04:07 AM

Posted 02 October 2013 - 05:19 PM

Please follow the instructions in ==>This Guide<== starting at Step #6.  If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post to ==>Malware Removal Forum<==

Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

NOTE : Please Copy / Paste all logs requested, and do not use Attach unless specifically asked -

Good luck and be very patient, as the area can get very busy.


If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

#3 scotru


  • Members
  • 20 posts
  • Local time:10:07 AM

Posted 03 October 2013 - 01:29 AM

Hey Hamzamian,


I'm in almost the exact same situation except with a larger network. Finally was able to track down the infected machine. Looks like it was a botnet (Pushdo/Cutwail) infected. Let me know if you make any progress on finding a way to identify the crypto. I've got several hundred gigabytes from network shares at risk. Good luck to you--I'll keep you posted if I make any headway on identification techniques.
