Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoLocker_0338


  • Please log in to reply
2 replies to this topic

#1 smartbrains

smartbrains

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 29 October 2013 - 10:00 AM

One of our customers has a Windows 2008 Terminal Server which was infected by someone opening an attachment in Outlook. About 2 hours after, they noticed some files were corrupt so after I investigated, I found the 2 running EXE files. Both are located in the users profile directory.

 

cakaqdecyszi.exe (i think this is Cutwail)

https://www.virustotal.com/en/file/8d90b652ba19352e5a823c1c6dfc45097a178f0278d762963a8e552c540f5028/analysis/

 

volcizgizxyr.exe (i think this is Zbot)

https://www.virustotal.com/en/file/e7f92386e4891f328d645f19eb32763a87328df81e830e7dbc69f143bbadfe02/analysis/

 

Also, the registry key is now:

HKEY_CURRENT_USER\Software\CryptoLocker_0388

 

I backed up that key and actually imported it into a clean user, but there is no sign of the unlock page. I did a backup, and now i logged back into the user with the virus. I'm running Process Monitor, but I don't see it encrypting more files. It just keeps trying to make HTTP and SMTP connections.

 

What's my next step? Do I just leave the bad user logged on until it shows me the unlock screen? Can someone PM the 0338 unlock program so I can run that from the clean user?



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:50 PM

Posted 29 October 2013 - 01:02 PM

Grinler (aka Lawrence Abrams), the site owner of BleepingComputer, has also created this tutorial:
CryptoLocker Ransomware Information Guide and FAQ

There is a lengthy ongoing discussion in this topic: Cryptolocker Hijack program.

Since this infection is so widespread, rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions or comments in that thread.

Thanks
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CryptoLocker_Refund

CryptoLocker_Refund

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 29 October 2013 - 04:12 PM

leave the virus there.
 

1. Check for backups - NO?

*Delete & Restore

2. check for previous version - NO?
Delete virus - Restore previous version

3. Pay them - but look into my posts

 

 

I just paid them, and might have screwed them

http://www.bleepingcomputer.com/forums/t/512282/300-cryptolocker-refund/






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users