Possible Crypto Huge Mess


This topic is locked. 9 replies to this topic.

#1 accentaa
  • Members
  • 12 posts

Posted 23 September 2014 - 07:46 PM

I’ve been trying to recover my computer by myself for over six weeks and am finally asking for help.  I know I’ve probably caused much more damage by doing so.

I was trying to get my files organized – I wasn’t the system administrator and was having problems with my user profile.  

  • I tried to get on to Windows Server 2008 – start a domain! (I’m a single computer in my home with two others who need to share the printer occasionally.)
  • Lost my User profile and the restore point I had set before I started. – Lost everything under that profile – meaning……everything! – Three years of research, a book I’ve been writing for years……
  • I started following the Microsoft Tech directions for changing the settings for domain administrators – I messed with  a lot of “group settings.” --- Creating an even deeper maze that I couldn’t figure my way out of.
  • Mapped a network file
  • Did a “sync”
  • Ended up with all my files being encoded – either encrypted as per some action of mine or hijacked by a crypto virus.

Ran:

  • NetAdapter Repair All in One
  • AdwCleaner
  • ComboFix
  • Did Crypto Virus research on your site – Did not use ListCWall utility because a lot of other risky steps that had to be taken first. – Lost me!
  • Malwarebytes
  • Junkware Removal Tool.
  • Windows Repair
  • Driver Fusion
  • Process Explorer
  • Probably a few more

 

  1.  I wiped the hard drive.  (Using a thumb drive, as per instructions.)  My CD drive has been obliterated – quite a while ago - no sign of it anywhere, no matter which drivers or software I’ve put on the task.
  2. I reinstalled Windows 7 professional – found my key somewhere in ancient emails (online).
  3. The disk drives did not install properly.
  4. I downloaded all the Toshiba drivers, etc. that were recommended. (Ran some software to see if there were any conflicts.)

OF NOTE:

 

** FRST – Can’t be run because no matter where I save it, it says that the WordPad results have to be stored where FRST was first launched.  I tried multiple times to match them.  (No idea what my primary drive is anymore or what the “network” really means.)

** TestDisk – Found that I had no partitions

** Process Explorer – Revealed a lot of things I don’t understand – regardless of the excellent tutor files on your site.  I did try to compare many of the questionable files with “Virus Total” as well as the “online” option, but I’m afraid of making a bigger mess.

** My “network” is a mess – mostly because I thought I understood the differences between Home, domain,  public……. I now realize I have no clue what the different network concepts are – and SO don’t care anymore.

** I just want my computer and documents back.  Please help me.

 

Also Note: 

 I did put all my files on a separate hard drive (USB connection). 

And, I use my computer to work 9 hours a day teaching English to executives in Korea.  I depend on it – desperately need it to work – not to mention all my personal files in which  I’ve invested years & half my heart.

 

I know this is a jumbled mess.  If there is someone with the patience to help me,  I promise to do exactly as I’m told and stop farting around with the innards of this ISIS machine.  (Please know that I’m clueless.  I thought I’d learned a lot through all of this but I’ve accepted that I’ll never “get” computers and the flow of logic they require.  Please assume ignorance and instruct as you would a five-year-old!)

 

Thank you sincerely,

…….and please help me.


Edited by hamluis, 24 September 2014 - 09:39 AM.
Moved from Win 7 to Gen Security - Hamluis.



#2 JohnC_21
  • Members
  • 24,854 posts

Posted 23 September 2014 - 09:22 PM

  • I wiped the hard drive.
  • I reinstalled Windows 7 professional

Any data on that drive now is gone. You will not be able to recover any files on the drive you wiped and reinstalled Windows on.



#3 accentaa (Topic Starter)
  • Members
  • 12 posts

Posted 23 September 2014 - 09:33 PM

Hi and thanks for taking the time.....   I downloaded all the "encrypted" files - actually, everything on the computer that I could to an external hard drive before I wiped it.  Is that what you needed?



#4 JohnC_21
  • Members
  • 24,854 posts

Posted 23 September 2014 - 09:43 PM

You don't know how the files were encrypted? What happens when you open a text file?

Edit: Are the file names themselves also encrypted?

Edited by JohnC_21, 23 September 2014 - 09:45 PM.


#5 accentaa (Topic Starter)
  • Members
  • 12 posts

Posted 23 September 2014 - 10:04 PM

I can show you an example if you'd like.  I honestly don't know if they're encrypted legitimately or hijacked.  I put some of the files on my computer (from the external where I saved them) in a folder.  I'm just afraid that if they are a virus that they've now corrupted my new installation.  My biggest concern in the network situation and how my disk drives are divided up.  I don't know how to sort it out.



#6 accentaa (Topic Starter)
  • Members
  • 12 posts

Posted 23 September 2014 - 10:25 PM

There are several VBScript files with a "$" icon in front of them.  My Recycle Bin also has a $ in front of it.  This is a snip of one folder I moved from the external disk to my computer.  I've also included a snip of my file set-up as it is now.  I'm so lost in this now, I don't know how to undo any of it.

 

I'm not sure how to add a snip/jpg to this. 

I've tried several things!



#7 JohnC_21
  • Members
  • 24,854 posts

Posted 23 September 2014 - 10:38 PM

For the Network concern, I would start a new thread in the Networking Forum and reference this thread. A $ sign in front of a file or folder usually indicates it's hidden. If you right click on a file with the $ in front and select properties does it list the file as hidden?

 

You say you are concerned on how the drives are divided up. How many drives do you have? Are you trying to get Windows 7 installed correctly and then it would be a matter of connecting to an existing network?

 

I am going off until tomorrow because it's late here. Hopefully somebody will be available in the Networking forum. Edit: I will be on till about 12AM my time.

 

Edit: You have to select "More Reply Options" in order to get the attachment option. Then you can attach your jpg files.


Edited by JohnC_21, 23 September 2014 - 10:44 PM.


#8 accentaa (Topic Starter)
  • Members
  • 12 posts

Posted 23 September 2014 - 11:02 PM

Thanks so much for your time, John.  They are file folders, not documents.  An example is $AVG and $VAULT.  They are not "hidden" but Read-only.  They aren't shared and I have security access to the files. 

 

I'll go to the Network forum for the other.  I'll wait to hear back from you.  (And try to attach the jpg files.)

 

Attached Files



#9 JohnC_21
  • Members
  • 24,854 posts

Posted 24 September 2014 - 07:35 AM

Most of those are script files. Are these the only files on the drive? I don't see any extensions. In Folder Options, allow file extensions to be shown. I believe having a $ in front of the Recycle Bin is normal on other partitions. The Xclas file has to do with modifying permissions on the computer, which I am not familiar with.

 

Have you tried opening one of the script files with Notepad?



#10 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 52,093 posts
  • Location: Virginia, USA

Posted 24 September 2014 - 02:41 PM

The following information may assist with identifying the crypto malware infection you are dealing with.

1. A repository of all current knowledge regarding Cryptolocker is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoLocker Ransomware Information Guide and FAQ

CryptoLocker is a ransomware program that will scan all physical or mapped network drives on your computer and encrypt files with the following extensions using a mixture of RSA & AES encryption.
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

Please note that the guide was updated 08/06/14 to include the following information.

FireEye and Fox-IT have released a method of possibly retrieving your private decryption key and a decrypter to use to decrypt your files...To try and retrieve your key, please visit their site http://www.decryptcryptolocker.com/ and enter your email and upload a copy of one of your CryptoLocker encrypted files. The service will then attempt to decrypt that file using all of the known encryption keys. If they are able to successfully decrypt your file, they will then email you the decryption key with instructions on how to use it.

* FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker
* CryptoUnlocker GUI
* CryptoUnlocker has been updated to utilize the CryptoLocker Database in the registry

I want to make something very clear to any users just now getting to this thread because they were infected by "CryptoLocker"! The real CryptoLocker has been down, and has not returned for a while now! This means that whatever infection you have is a new one / fake one! Before EVER considering paying the ransom you should always make it first priority to ask on the thread first or PM any member to ask for help! Things that will help us identify your infection are screenshots of any windows, the ransom note, and the EXE if you have it. I cannot stress this enough, you may not have to pay a DIME to get your files back if you take a few moments to ask before paying...

Nathan (DecrypterFixer), Security Colleague Post #3223

2. A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

CryptorBit (HowDecrypt) is a ransomware program that encrypts any data file it finds regardless of the file type or extension (i.e. JPG, PST, MP3, PDF, .DOC, .XLS, .XLSX, .PPTX, .and DOCX documents). When it encrypts a file, CryptorBit (HowDecrypt) will create a HowDecrypt.txt file and a HowDecrypt.gif in every folder that a file was encrypted. The GIF and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.

Also see Nathan (DecrypterFixer)'s Analysis, decompilation, and cracking of CryptorBit encrypting infection.

3. A repository of all current knowledge regarding CryptoDefense is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

CryptoDefense is a ransomware program that encrypts data files such as text files, image files, video files, and office documents using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods...CryptoDefense will create a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom. Though this infection has numerous similarities to CryptoLocker and CryptorBit, there is no evidence that they are related.


4. A repository of all current knowledge regarding CryptoWall is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

CryptoWall is essentially a new variant of CryptoDefense.
- ransom is $1000 USD.
- leaves files named DECRYPT_INSTRUCTION:
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL


Note: Although CryptoDefense and CryptoWall have numerous similarities to CryptoLocker, there is no evidence that they are related other than that they do the same thing.

5. A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

CTB Locker (Critroni, Onion) will encrypt all data files and rename them so that they end with a CTBL or the CTB2 extension.

...Creates an image file called AllFilesAreLocked <user_id>.bmp in the My Documents/Documents folder.
...Creates a text file called DecryptAllFiles <user_id>.txt in the My Documents/Documents folder that contains ransom instructions.

Also see New Critroni variant offers free test decryption and now uses CTB2 extension. Unfortunately, there is still no known method of decrypting your files without paying the ransom.

Other Crypto Ransomware topics
TorrentLocker Support and Discussion Thread (CryptoLocker copycat)
ZeroLocker - a new destructive encrypting ransomware
How-To-Decrypt PowerShell Ransomware
SynoLocker ransomware targets Synology NAS Devices
New file-encrypting ransomware called CryptoGraphic Locker
New CryptoLocker copycat ransomware in the wild going by the infamous CryptoLocker name
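The post above identifies each family by what it leaves on disk: ransom-note file names (HowDecrypt.txt, How_Decrypt.txt/.html, DECRYPT_INSTRUCTION.TXT/.HTML/.URL, AllFilesAreLocked <user_id>.bmp, DecryptAllFiles <user_id>.txt) and, for CTB Locker, the .CTBL/.CTB2 extension on renamed files. The script below is an added triage example, not code from BleepingComputer, the linked guides, or anyone in this thread. It walks a recovered drive (such as the external USB disk the original poster copied everything to) and counts those indicators per family, so the question "which infection is this, if any?" can be answered before anything is opened or paid for. The indicator table is copied from the post; the function names, the case-insensitive matching, and the sample file list are assumptions made for illustration. The CryptoLocker extension list in the post describes what that family targets, not a rename, so it is not a file-name indicator and is left out here.

```python
"""Triage helper: which crypto-ransomware family left its marks on a set
of recovered files?  Matches only the on-disk artifacts described in the
post above (ransom-note names and renamed-file extensions).

Added example, not code from the thread or the linked guides.  Function
names and the SAMPLE_PATHS listing are assumptions for illustration.
"""
import os
import re
from collections import defaultdict

# Fixed ransom-note file names per family, as listed in the post above.
NOTE_NAMES = {
    "cryptorbit":    {"howdecrypt.txt", "howdecrypt.gif"},
    "cryptodefense": {"how_decrypt.txt", "how_decrypt.html"},
    "cryptowall":    {"decrypt_instruction.txt",
                      "decrypt_instruction.html",
                      "decrypt_instruction.url"},
}
# CTB Locker notes embed a per-victim id, so they need a pattern.
NOTE_PATTERNS = {
    "ctb_locker": [re.compile(r"^allfilesarelocked .+\.bmp$"),
                   re.compile(r"^decryptallfiles .+\.txt$")],
}
# Families that rename encrypted files to a known extension.
RENAMED_EXTENSIONS = {
    "ctb_locker": {".ctbl", ".ctb2"},
}


def _basename(path):
    """Last path component, accepting both \\ and / so Windows paths
    copied into a listing still classify correctly on any OS."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_path(path):
    """Return (family, kind) if the file name is a known indicator,
    where kind is "ransom_note" or "renamed_file"; otherwise None."""
    name = _basename(path)
    for family, names in NOTE_NAMES.items():
        if name in names:
            return family, "ransom_note"
    for family, patterns in NOTE_PATTERNS.items():
        if any(p.match(name) for p in patterns):
            return family, "ransom_note"
    ext = os.path.splitext(name)[1]
    for family, exts in RENAMED_EXTENSIONS.items():
        if ext in exts:
            return family, "renamed_file"
    return None


def identify_ransomware(paths):
    """Count indicators per family across an iterable of paths.

    Returns {family: {"ransom_note": n, "renamed_file": m}}.  An empty
    result means none of these families left a recognisable trace, which
    is itself useful: the files may not be ransomware-encrypted at all.
    """
    hits = defaultdict(lambda: {"ransom_note": 0, "renamed_file": 0})
    for path in paths:
        match = classify_path(path)
        if match:
            family, kind = match
            hits[family][kind] += 1
    return dict(hits)


def scan_directory(root):
    """Walk a recovered drive read-only and classify everything on it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return identify_ransomware(paths)


# Constructed sample listing (assumption, not from the thread) showing
# a CryptoWall note pair plus CTB Locker artifacts next to clean files.
SAMPLE_PATHS = [
    r"E:\Documents\book\chapter1.docx",
    r"E:\Documents\book\DECRYPT_INSTRUCTION.TXT",
    r"E:\Documents\book\DECRYPT_INSTRUCTION.HTML",
    r"E:\Documents\research\notes.txt.ctbl",
    r"E:\Documents\AllFilesAreLocked 1234567.bmp",
    r"E:\$AVG\readme.vbs",
]

if __name__ == "__main__":
    for family, counts in identify_ransomware(SAMPLE_PATHS).items():
        print(family, counts)
```

Run it as `python triage.py` to see the sample result, or call `scan_directory(r"E:\")` against the copied drive; it only reads names, never file contents, so it is safe to run on a drive you suspect. A family with notes but no renamed files is expected for CryptorBit, CryptoDefense and CryptoWall, which do not change extensions; a result with nothing at all is the cue to follow the post's advice and ask for help with screenshots and the note before assuming ransomware.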



