Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How do i know if I have been infected with CryptoLocker Ransomware?


  • Please log in to reply
4 replies to this topic

#1 ImBubba

ImBubba

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kissimmee, FL, USA
  • Local time:03:40 PM

Posted 28 December 2013 - 10:49 PM

Several days ago while browsing with IE 10 in Win 7 I received a pop-up warning that my files were being encrypted.  I closed my browser immediately and shutdown the system.  Today I received another similar pop-up complaining that I had illegal files on my computer, they were being encrypted, and my browser was being locked.  There was an offer in the message that said I could get the key to undo the encryption for a $300 MoneyPak.  There was a count-down timer counting down from about 43 hours.  Again, I shut down the browser and powered down the system.  The system re-booted okay, and I don't get any nagging warnings when I open my browser.  I decided to Google 'ransomware'.  Google led me to several articles of recent vintage describing CryptoLocker, and those articles scarred the hell out of me when they described pretty much what I was seeing in the pop-ups. 

 

I exited the browser and shutdown the system so fast that I didn't read the whole screen when the pop-ups popped up.  So I don't know if this was threatware or for real.  So far, I haven't seen any indication of encrypted files, but I have literally thousands of .mp3 files and .jpg files at stake, and years of correspondence!

 

How can I tell if I am infected with real ransomware, and if I am will paying the ransom likely free me from this evil ... this time?



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:40 PM

Posted 28 December 2013 - 11:29 PM

I'll report this topic to appropriate helpers.

1. Please let us know what Windows version you have and if it's 32- or 64-bit.
2. Is the computer bootable in any mode?

Hold on there....


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 ImBubba

ImBubba
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kissimmee, FL, USA
  • Local time:03:40 PM

Posted 28 December 2013 - 11:51 PM

I'm running Windows 7 - 64-bit.  Yes, the computer is bootable in every mode.

 

So far I haven't seen any indication (other than two ominous and threatening messages) that anything is wrong.  My music files are on a USB-connected external drive (as are most of my jpgs, and there is no apparent activity on them.



#4 ImBubba

ImBubba
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kissimmee, FL, USA
  • Local time:03:40 PM

Posted 31 December 2013 - 12:40 AM

Well, it might be a bit early to celebrate, but I haven't seen the countdown timer for two days, and as far as I can tell all my data files are still unencrypted and accessible.  While waiting for the hammer to fall I have kept most of my music and videos (which are on external USB-attached media) disconnected from my system on the theory that if an encryption time-bomb DOES go off it can't hurt what it can't access.  I also picked around in my anti-virus (Norton Internet security) configuration and noticed that some sort of protection from CryptoLocker IS included/configured.  I guess I'll run several other virus scanner/clean-up programs, and if all still looks okay in a couple of days I'll go buy a couple more 2-TB external drives and copy my data to drives that I will keep off line except when they are backing performing scheduled back-ups.

 

Does anyone have any words of caution as I move forward?   



#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:40 PM

Posted 05 January 2014 - 02:50 PM

Back up your important data to some external drive (just in case) and let's run some checks...

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

p22002970.gif Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users