
Possible cryptolocker variant FileLocker.exe? Please help


5 replies to this topic

#1 wickerstick


Posted 26 September 2014 - 01:49 PM

Hello, 

 

I am working an important job here at the shop, attempting to help a tech with an important high-level client job. The client brought in 2 notebooks with very important case files on them; we knew both were highly infected units, and one appears to have all files encrypted.

 

Both systems did not have the normal CryptoLocker splash page. We removed most infections, but on one ESET Endpoint found 22,000 files flagged as filelocker.exe, classified as a Trojan. I spoke with the clients and they state they have never encrypted anything on any of their machines. Even after full virus removal and optimization, I cannot open the files. I checked several files against https://www.decryptcryptolocker.com/, which states the file is not a CryptoLocker file. I assume this is either a variant of crypto that FireEye doesn't have the private key for in their database, or possibly it really isn't crypto but is corrupted past the point of retrieval, or possibly some new variant of encryption software.

 

Things I have tried are:

 

Previous Versions (shows there are none)

Shadow Explorer (no luck)

and everything here: http://support2.microsoft.com/kb/2362088

 

The system does have restore points available.

 

Pretty much looking for any suggestions to help me get the data out of the most important case file for the client.

 

Looks like most of the files like this were uploaded from Dropbox. I told the clients not to use Dropbox until we verified its contents are safe to use.

 

Please Help!




#2 xXToffeeXx

Malware Response Instructor

Posted 26 September 2014 - 02:03 PM

Hi wickerstick,
 
Please download this file from here, extract the zip and then run IDTool.exe. Wait for the tool to load and then click the Generate Text Friendly Report for Forums button. Copy the content of the box that appears into your next reply.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 wickerstick

Topic Starter

Posted 26 September 2014 - 03:12 PM

Hi wickerstick,
 
Please download this file from here, extract the zip and then run IDTool.exe. Wait for the tool to load and then click the Generate Text Friendly Report for Forums button. Copy the content of the box that appears into your next reply.
 
xXToffeeXx~

Do you mean you want me to run this on my machine, or on the one that the files are encrypted on? I'm assuming the latter, but please specify.



#4 xXToffeeXx

Malware Response Instructor

Posted 26 September 2014 - 03:17 PM

Hi wickerstick,

On the computer with the encrypted files please :)

xXToffeeXx~



#5 wickerstick

Topic Starter

Posted 29 September 2014 - 10:07 AM

The results were blank when I tried to generate the report. What does this mean?



#6 xXToffeeXx

Malware Response Instructor

Posted 29 September 2014 - 10:13 AM

Hi Wickerstick,
 
Do you not see anything like this when clicking on the Generate Text Friendly Report for Forums button?
 
xXToffeeXx~

