Crypto virus, need HELP ASAP PLEASEEEE


18 replies to this topic

#1 dacey14

dacey14

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 11 August 2014 - 04:45 PM

Hi, I was online just like usual and then a virus came up (ransomware) claiming that if I don't pay up I will not get my files back.
I've come across viruses etc. before, so I safe-moded it etc., removed it from AppData Roaming and so on, and did regedit to remove it, as well as using: Bitdefender/YAC/HitmanPro/Antilogger/Malwarebytes/ShadowExplorer/Anti-CryptorBitV2 and so on. I didn't have a backup restored as it would always fail :(
So now I have the virus removed and still all my files are encrypted. I've spent about trying EVERYTHING I can to research it and defeat it, but when I try the usual programmes to detect the key and the decrypt etc. it says I have no files encrypted, and trust me, everything is encrypted :@
I've even tried decrypt_cryptodefense.exe and https://www.decryptcryptolocker.com/ but nothing is working. I'm honestly begging for any help???


Edited by dacey14, 11 August 2014 - 05:18 PM.




#2 dacey14


Posted 11 August 2014 - 04:54 PM

This is the name of it: a077ead69703e3bf1fd373a3c9376faa_af26b189-4926-4217-8860-5324fb84c3af
In the folder: S-1-5-21-2702855375-3431380830-2730608571-1000
In the folder: RSA
In the folder: Crypto



#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,562 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 12 August 2014 - 09:09 PM

A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

A repository of all current knowledge regarding CryptoDefense is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

A repository of all current knowledge regarding CryptoWall is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

#4 dacey14


Posted 13 August 2014 - 02:31 AM

Thank you boopme! I will have a look after work later, thanks for the help so far!



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,062 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:02 PM

Posted 13 August 2014 - 05:17 AM


Once you have identified which particular ransomware you are dealing with, we can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 dacey14


Posted 13 August 2014 - 02:15 PM

I am guessing it's NOT CryptoLocker, as I tried the decryptolocker web site and it says nothing has been encrypted...
I am guessing it's NOT CryptorBit, as I have tried Anti-CryptorBit and it also says nothing has been encrypted...

I am guessing it's NOT CryptoDefense, as I have tried Emsisoft CryptoDefense Decrypter: unable to acquire crypto defence context...
So I'm guessing it is CryptoWall? / The file was made in 2012? So I'm hoping there has been some progress in 2 years?
I didn't really pay much attention to the screenshot as I was too busy removing the programme, but it's none that I have seen on the 4 forums :/

68.32.234.143, that's the IP address


Edited by dacey14, 13 August 2014 - 02:40 PM.


#7 quietman7


Posted 13 August 2014 - 05:34 PM

Since you're unsure (guessing)...this is a brief summary of things to look for which may help with identification.

CryptoLocker is a ransomware program that will scan all physical or mapped network drives on your computer and encrypt files with the following extensions using a mixture of RSA & AES encryption.
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

CryptorBit (HowDecrypt) is a ransomware program that encrypts any data file it finds regardless of the file type or extension (i.e. JPG, PST, MP3, PDF, .DOC, .XLS, .XLSX, .PPTX, and .DOCX documents). When it encrypts a file, CryptorBit (HowDecrypt) will create a HowDecrypt.txt file and a HowDecrypt.gif in every folder that a file was encrypted. The GIF and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.

CryptoDefense is a ransomware program that encrypts data files such as text files, image files, video files, and office documents using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods...CryptoDefense will create a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom. Though this infection has numerous similarities to CryptoLocker or CryptorBit, there is no evidence that they are related.

CryptoWall is essentially a new variant of CryptoDefense.
- ransom is $1000 USD.
- leaves files named DECRYPT_INSTRUCTION:
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL

CTB Locker (Critroni, Onion) will encrypt all data files and rename them as a file with a .CTBL extension.
- Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder.
- Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.


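The file-name indicators in quietman7's summary above, turned into a small triage script (an added example, not part of the original posts and not a BleepingComputer tool). The function names are made up for illustration; CryptoLocker is left out because the summary gives no ransom-note name for it, and a family that is not on the list, as ZeroLocker turns out to be in this thread, comes back as no match.

```python
import os
import re
import sys
from collections import Counter

# Indicators copied from the summary above (file names are matched case-insensitively).
INDICATORS = {
    "CryptorBit (HowDecrypt)": r"HowDecrypt\.(txt|gif)",
    "CryptoDefense": r"How_Decrypt\.(txt|html)",
    "CryptoWall": r"DECRYPT_INSTRUCTION\.(txt|html|url)",
    "CTB Locker": r"AllFilesAreLocked .+\.bmp|DecryptAllFiles .+\.txt|.+\.ctbl",
}
COMPILED = {fam: re.compile(rx, re.IGNORECASE) for fam, rx in INDICATORS.items()}


def classify_name(filename):
    """Return the family whose indicator matches this file name, else None."""
    for family, pattern in COMPILED.items():
        if pattern.fullmatch(filename):
            return family
    return None


def scan_tree(root):
    """Count indicator hits per family under root and record where they were seen."""
    hits, folders = Counter(), {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            family = classify_name(name)
            if family:
                hits[family] += 1
                folders.setdefault(family, set()).add(dirpath)
    return hits, folders


def verdict(hits):
    """Families ordered by hit count; an empty list means nothing on the list matched."""
    return [family for family, _count in hits.most_common()]


if __name__ == "__main__":
    found, where = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for fam in verdict(found):
        print(f"{fam}: {found[fam]} indicator file(s) in {len(where[fam])} folder(s)")
    if not found:
        print("No listed ransom note or extension found; family not identified.")
```

Run it read-only against a copy or mounted image of the affected profile; it only reads file names and never opens file contents.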

#8 dacey14


Posted 13 August 2014 - 07:02 PM

omg!!! Breakthrough, it's called ZeroLocker!!!! Just been looking through EVERYTHING and come across it!!



#9 dacey14


Posted 14 August 2014 - 06:56 PM

Still need help? But with ZeroLocker, guys?



#10 quietman7


Posted 14 August 2014 - 07:53 PM

I have advised two of our Security Colleagues who specialize in crypto malware with a link to this topic.

#11 quietman7


Posted 15 August 2014 - 05:56 PM

We now have a topic for this infection...see ZeroLocker - a new destructive encrypting ransomware

#12 dacey14


Posted 15 August 2014 - 07:32 PM

Just read it, so... so far, basically, because the developer is a douche he messed it up, so even if you do pay the ransom you can't get your key. What a spazz!!



#13 quietman7


Posted 15 August 2014 - 07:37 PM

Yes... paying the ransom gets you nowhere.

#14 dacey14


Posted 15 August 2014 - 07:43 PM

-_- So is there no way so far? Since you have dealt with crypto etc... do you think a decryption service will be in future, or is this one gonna be the end of my files forever... :(



#15 quietman7


Posted 15 August 2014 - 07:51 PM

There is, though, some light at the end of the tunnel. This infection does not delete the Windows System Restore points so you can restore your files using a program like Shadow Explorer or Windows built-in Previous Version. For information on how to restore your files via these methods, please read this section from our CryptoLocker guide: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow





