One of my machines (referred to as machine 1 - was XP running under an admin account - it's being rebuilt with Windows 7) got infected with CryptoDefense (and I've got a load of files which are encrypted with "!crypted!somenumbers" - as detailed in your FAQ).
(Affected file extensions not mentioned elsewhere also included .h / .c* / .obj)
I noticed that on that machine - there were the How_Decrypt* files in various folders, BUT files in that directory were untouched (but files in the child directories were encrypted). With your FAQ I've been able to find which files are encrypted and which weren't (by searching for the !crypted! prefix).
As a precaution, on my 2nd machine (old netbook, Windows 7 Starter - UAC set at default), I updated my antivirus, installed Malwarebytes Anti-Malware - and ran a full scan - they both reported as being clean.
Then from my 2nd machine I searched local drives/backup external HDs for all files containing !crypted!.
My external USB/backup HDs are clean.
The search DID find various encrypted .GIF files in the temp IE folder on machine 2 in:
C:\Users\Wizzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZDD0EEWO
C:\Users\Wizzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SDEH4C3D
YET the AV/malware run said machine 2 was clean??? (And the antivirus hasn't had any historical detections?)
I also noticed that there are no corresponding HOW_DECRYPT* files in the temp IE folder.
Main questions are:
1. How does this thing infect you?
Machine1 - Had Reg keys for auto starting
Machine2 - No reg keys - no virus/spyware detection - yet something has run to encrypt some files in the IE temp folder?
All the !crypted! files were created at 19 April 2014, 07:40:48.
Looking at event viewer - I logged on at 07:34:59.
Using "browsing history viewer" (which reads index.dat files, from http://www.nirsoft.net/) - there are some page visits at 07:37 - but nothing obvious to any "warez/adult sites" - which is how this is supposed to be infected. (Also I didn't open any attachments received via email.)
I'm using a router with firewall enabled, there are no open ports inbound - so something must have connected out and downloaded/run the encrypter? Presumably due to file permissions - only the temp IE folder was "accessible" BUT what happened to the actual exe/encrypter - where's it gone? But why didn't it create the HOW_DECRYPT files if it's due to file permissions (i.e. how was it started/what account was it running under)?
Is it possible that the decrypter was picked up earlier and scheduled to run at a future point, or does the encrypter usually run as soon as it's downloaded?
2. Is machine 2 really safe? - no additional files have been infected since the 19th?
3. Is there anything to stop something similar from happening? It's really frightening that something can just encrypt all your files.
The AV "heuristics" on machine 1 didn't detect a load of files being re-written in rapid succession - but IE would have been running under an admin account.
E.g. starting IE in a batch file - but have the batch file reset the %appdata% environment variable to c:\ie-temp and then have that folder deleted when IE shuts down? (And enable some group policy to stop exes from running from that folder)?
Sorry for the rambling post, but most of the talk has been, understandably, about how to get your files back, but I'm really confused as to how machine 2 picked up ransomware in the 1st place, and why/what happened to the encrypter exe.
Thanks in advance