Windows XP SP3 Desktop with Encryption Virus


  • This topic is locked
14 replies to this topic

#1 KBenning

  • Members
  • 28 posts

Posted 13 January 2015 - 11:12 AM

Please excuse the length of this post and any lack of clarity.  I have never posted here before.  Thank you for taking the time to read about my problem, and thank you for any help you can provide.

 

The only good thing is that my infected computer is a backup computer that I don't use much and I don't connect it to other computers.  It is not on a network.  However, it has several documents and photos I would like to preserve.  It is also useful as a stand alone computer for basic web browsing (but I still intend to get rid of it once Windows 10 comes out).

 

The infected computer is a desktop with Windows XP Pro SP3.  It has Microsoft Security Essentials on it.  While the computer is an XP computer, it is as up to date as an XP computer still can be (i.e., the few updates Microsoft still does I make sure to install).  Unfortunately, the main login has Admin privileges.

 

I was not aware of any problem with the computer until yesterday.  Yesterday afternoon, I was using the computer and I noticed it was very sluggish.  I checked the Task Manager and saw that 2 different "explorer.exe" processes were running.  One of the explorer.exe processes kept taking up more and more memory.  Instead of taking up 20,000-50,000 K, the growing explorer.exe process reached all the way to 1,400,000 K.

 

In my ignorance, I didn't realize the computer had somehow been infected by a virus/trojan/etc.  At first I thought the growing explorer.exe process was caused by some routine system error (not a malicious virus).  I kept using Task Manager to "End Process", but the second explorer.exe kept coming back.

 

I tried booting into Safe Mode (without Networking), but I got the Blue Screen of Death when I tried booting into Safe Mode.  I left the computer unplugged (no electricity) over night.  I woke up early and tried the computer again.

 

I saw that one DOC and two TXT text files had weird extensions added to the end, i.e., after the ".doc" and ".txt" for the files, there was a "." with seven letters (the same seven letters for all three files).  Not being familiar with ransomware/encryption viruses, I didn't immediately understand what was going on.

 

After about 15 minutes of web searching, I realized the computer was infected with some type of ransomware/encryption virus.  I did not get any sort of ransom message.

 

I realized the Microsoft Security Essentials was not running.  I could not get it to run.  I have Malwarebytes installed.  I tried running it.  Malwarebytes would not run.  I tried downloading Kaspersky TDSSkiller.  I could download it and start the Unzip, but it would not run.

 

Eventually, after some guesswork and reading on this website and others (such as Malwarebytes forums), I went into the Documents and Settings\All Users\Application Data in Safe Mode to look for suspicious files or subdirectories.  There I found two suspicious looking folders that had "Date Modified" timestamps from yesterday and today.  I tried accessing the directories but was not able to.  I then realized that those were mostly the core virus directories.  I opened a Command Prompt and tried deleting the directories through a command line, but I got a standard DOS message that the access was denied.  So I went to the Task Manager and did an "End Process" on both "explorer.exe" processes.  The Windows desktop and icons went blank, but the Command Prompt window remained, and after using I believe "-r" or similar DOS commands, I was able to delete both of the troublesome directories.

 

I see now that accomplished something positive, but I still have many problems.  The second version of "explorer.exe" has not returned (I have since rebooted both into a normal Windows session and into Safe Mode; I am currently in a normal Windows session).

 

I do have Spybot installed, and at least I was able to run Spybot.  Spybot detected W32.Palevo and a registry change that seemed to have disabled Windows Antimalware Service by toggling from 0 to 1.  I've run Spybot 3 times since then and it hasn't found anything else.  I still cannot run Microsoft Security Essentials, I still cannot run Malwarebytes, and I still cannot install TDSSKiller.

 

In digging through the different directories that have photos and documents (DOC, TXT, PDF, and PPT) on this computer, I see that it does seem that (at least for now) I have stopped any more files from being encrypted.  Also, the second "explorer.exe" has not returned, and the one explorer.exe that is running is taking up what seems like a normal 30,000-40,000K.

 

I did not get any pop-up demand or wallpaper demand from the ransomware/virus senders/creators.  I did find what seems to have been several identical TXT files that were created by the virus.  They are titled "Decrypt All Files".  They say:
 

 

====================

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.
 
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
 
If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.
 
Open http://sgqjml3dstgmarn3.onion.cab or http://sgqjml3dstgmarn3.tor2web.org 
in your browser. They are public gates to the secret server. 
 
If you have problems with gates, use direct connection:
 
1. Download Tor Browser from http://torproject.org
 
2. In the Tor Browser open the http://sgqjml3dstgmarn3.onion/
   Note that this server is available via Tor Browser only. 
   Retry in 1 hour if site is not reachable.
 
Copy and paste the following public key in the input form on server. Avoid missprints.
[Four lines of key follow]
 
Follow the instructions on the server.
====================
 
I also found the same message in "BMP" picture form.  The message is the same except that it has a large font first line that says:
 
"Your personal files are encrypted by CTB-Locker"
 
 
While I would like to "save" this Windows XP Pro SP3 computer if possible, I don't care much about doing that, because like I said it is only a backup that I had planned to replace anyway since it is so out of date and underpowered (it also is not networked and does not maintain critical files).
 
Is there a way for me to clean (or attempt to clean) the computer?  i.e., Get Malwarebytes and other antivirus and antirootkit software working on the computer?  Also, is there a decent chance I might be able to break the encryption (I have read there are a couple of websites and programs from Fireeye, Kaspersky, and hopefully others, that do so).
 
Does it seem likely that the virus/malware also might have included a keystroke logger or other extra nasty things besides just encrypting my files (while I don't use the computer for anything important, I am still concerned that anything I do, including what I am doing now, might be monitored).
 
Thank you again for your time, patience and help.  I greatly, greatly appreciate it.



#2 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 11:20 AM

Forgot a couple of other things:

 

I have deleted several "Temp" directories and I deleted every entry in Windows Task Scheduler (there were no suspicious looking tasks, but I deleted them all anyway; they were Google and Adobe updates, and I figured that since Adobe Flash and Acrobat can be compromised perhaps the task was compromised or fake).  I did not see a toggle or menu option in Windows Task Schedule to "Hide" or see "Hidden" tasks.



#3 TheDcoder

  • Members
  • 175 posts

Posted 13 January 2015 - 11:42 AM

I don't know about encryption but, looks like the virus injected itself into explorer.exe

 

Steps to Kill The Virus Process & GETTING YOUR JOB DONE:

 

CAUTION: YOU HAVE THE RISK OF GETTING YOUR EXPLORER.EXE DELETED

 

 

1. Download and Install any file manager (7zip or WinRar should work fine)

2. Open the file manager and don't minimize it

3. Open command prompt as admin and enter taskkill /im explorer.exe /f /t (Important: DON'T CLOSE IT)

4. Use the File Manager & Install any virus removal software which you were unable to install previously

5. Now you can scan and possibly decrypt your files

After you finish, type explorer.exe in command prompt to get your taskbar and desktop back

 

If you get something like this:

'explorer.exe' is not recognized as an internal or external command,
operable program or batch file.

This means: Your AV Software has deleted your explorer.exe

 

Hope it helps  :)


Edited by TheDcoder, 13 January 2015 - 11:45 AM.


#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,548 posts

Posted 13 January 2015 - 11:47 AM

You have been infected with the CTB-Locker Cryptoware. You can read more about it here:

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

There's currently a support topic for the people infected with it here:

http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-or-decryptallfilestxt-encrypting-ransomware-sets-extension-to-ctbl/

I suggest you check the support thread for assistance on getting your files decrypted and the Cryptoware removed.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 01:11 PM

I don't know about encryption but, looks like the virus injected itself into explorer.exe

 

Steps to Kill The Virus Process & GETTING YOUR JOB DONE:

 

CAUTION: YOU HAVE THE RISK OF GETTING YOUR EXPLORER.EXE DELETED

 

 

1. Download and Install any file manager (7zip or WinRar should work fine)

2. Open the file manager and don't minimize it

3. Open command prompt as admin and enter taskkill /im explorer.exe /f /t (Important: DON'T CLOSE IT)

4. Use the File Manager & Install any virus removal software which you were unable to install previously

5. Now you can scan and possibly decrypt your files

After you finish, type explorer.exe in command prompt to get your taskbar and desktop back

 

If you get something like this:

'explorer.exe' is not recognized as an internal or external command,
operable program or batch file.

This means: Your AV Software has deleted your explorer.exe

 

Hope it helps  :)

 

Thank you for the suggestion.  Unfortunately, doing what you suggested still did not allow me to run my existing install of Malwarebytes or Microsoft Security Essentials, and I could not install TDSSKiller or any other antivirus program that I tried.



#6 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 01:24 PM

You have been infected with the CTB-Locker Cryptoware. You can read more about it here:

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

There's currently a support topic for the people infected with it here:

http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-or-decryptallfilestxt-encrypting-ransomware-sets-extension-to-ctbl/

I suggest you check the support thread for assistance on getting your files decrypted and the Cryptoware removed.

 

Thank you for the suggestions.  Unfortunately, I already saw those threads, and they did not help with the issue I am now dealing with: How to get an antivirus program running so that I can scan the computer and remove whatever of the virus is left.  I realize that it may not be possible to clean the computer since I believe it was hit with a rootkit.


What about GMER as a tool?  Is there anyone who can help me if I run GMER and post the results here?  Any other such scans I should do?  Thank you.



#7 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,548 posts

Posted 13 January 2015 - 06:35 PM

In order to receive malware removal assistance that includes GMER (if judged necessary), you'll need to open a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section, following the instructions in the thread below.

http://www.bleepingcomputer.com/forums/topic34773.html

I strongly suggest you take the assistance BleepingComputer offers, since they'll also help you repair the damage caused by the malware so you can install an Antivirus after.



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts

Posted 13 January 2015 - 06:49 PM

I saw that one DOC and two TXT text tiles had weird extensions added to the end, i.e., after the ".doc" and ".txt" for the files, there was a "." with seven letters (the same seven letters for all three files).

The newest variants of CTB Locker typically encrypt all data files and rename them as a file with a 6-7 length extension with random characters. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does.

The computer can be cleaned but at this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering and user interaction...opening malicious email attachments (usually from an unknown or unsolicited source), opening infected Word docs with embedded macro viruses, clicking on a malicious link within an email or on a social networking site, and sometimes via exploit kits. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) such as this example that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
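The renaming pattern quietman7 describes (the original data extension followed by a 6-7 random-character extension, plus a "Decrypt All Files" note) can be turned into a quick read-only inventory of what was touched before any cleanup starts. This is an added Python example, not code from the thread or from any tool mentioned in it; the list of data extensions and the constructed sample folder are assumptions, and the tag-consistency check is there because a stray name like "file.txt.backup" would otherwise be a false positive.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed set of document/photo extensions worth inventorying (not from the thread).
DATA_EXTS = {".doc", ".docx", ".txt", ".pdf", ".ppt", ".pptx",
             ".xls", ".xlsx", ".jpg", ".jpeg", ".png"}

# "<name>.<data ext>.<6-7 random letters>": the pattern described in the thread.
SUFFIX_RE = re.compile(r"^(?P<stem>.+)(?P<ext>\.[a-z0-9]{2,5})(?P<tag>\.[a-z]{6,7})$",
                       re.IGNORECASE)

# Ransom note file name reported in the thread (any extension).
NOTE_STEM = "decrypt all files"


def classify_name(name):
    """Classify one file name as 'note', 'encrypted' or None (untouched)."""
    base = os.path.basename(name)
    if os.path.splitext(base)[0].strip().lower() == NOTE_STEM:
        return "note"
    m = SUFFIX_RE.match(base)
    if m and m.group("ext").lower() in DATA_EXTS:
        return "encrypted"
    return None


def appended_tag(name):
    """Return the appended extension (lower-cased, with dot), or None if no match."""
    m = SUFFIX_RE.match(os.path.basename(name))
    return m.group("tag").lower() if m else None


def scan_tree(root):
    """Walk root read-only and inventory encrypted files, ransom notes and tags."""
    result = {"encrypted": [], "notes": [], "tags": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            kind = classify_name(fn)
            if kind == "note":
                result["notes"].append(path)
            elif kind == "encrypted":
                result["encrypted"].append(path)
                result["tags"][appended_tag(fn)] += 1
    return result


def dominant_tag(tags):
    """One tag per machine is the thread's observation, so a single tag covering every
    hit is the strong signal; mixed tags (e.g. a stray 'x.txt.backup') return None."""
    return next(iter(tags)) if len(tags) == 1 else None


def build_sample_tree():
    """Constructed sample folder mimicking the thread's symptoms; not real victim data."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    docs = os.path.join(root, "My Documents")
    os.makedirs(docs)
    for name in ("letter.doc.qwhzbkl", "notes.txt.qwhzbkl", "todo.txt.qwhzbkl",
                 "Decrypt All Files.txt", "untouched.pdf", "holiday.jpg"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted, {len(report['notes'])} notes, "
          f"tag: {dominant_tag(report['tags'])}")
```

Point it at a copy of the user folders (or a mounted image) rather than the live system so the inventory does not alter timestamps the Malware Response Team may want to see.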

#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts

Posted 13 January 2015 - 06:51 PM

BTW if you decide to seek assistance with clean up and post a log, after doing that, please reply back in this thread with a link to the new topic so we can close this one.

#10 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 07:17 PM

In order to receive malware removal assistance that includes GMER (if judged necessary), you'll need to open a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section, following the instructions in the thread below.

http://www.bleepingcomputer.com/forums/topic34773.html

I strongly suggest you take the assistance BleepingComputer offers, since they'll also help you repair the damage caused by the malware so you can install an Antivirus after.

 

 

Thank you very much for your helpful and friendly response.

 

I have opened a thread in the Malware Log forum.  http://www.bleepingcomputer.com/forums/t/563145/win-xp-pro-sp3-desktop-infected-with-ctb-locker-type-virus/

 

I did not include the GMER log.  Should I go back and include it?  I was not sure if the readers would find it distracting and unnecessary if they did not ask for it.



#11 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,548 posts

Posted 13 January 2015 - 07:19 PM

You don't need to include a GMER log unless the helper that will assist you asks for it :) From now on, all you have to do is to wait for a helper to post in your thread and follow their instructions.



#12 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 07:19 PM

 

I saw that one DOC and two TXT text files had weird extensions added to the end, i.e., after the ".doc" and ".txt" for the files, there was a "." with seven letters (the same seven letters for all three files).

The newest variants of CTB Locker typically encrypt all data files and rename them as a file with a 6-7 length extension with random characters. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does.

The computer can be cleaned but at this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering and user interaction...opening malicious email attachments (usually from an unknown or unsolicited source), opening infected Word docs with embedded macro viruses, clicking on a malicious link within an email or on a social networking site, and sometimes via exploit kits. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) such as this example that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment.

 

 

 

Thank you very much for the helpful and friendly response about the new CTB Locker variants.

 

Do you think there is a decent chance that a decryption will be coming, or is that very unlikely due to the complexity of the new variants?



#13 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 07:21 PM

BTW if you decide to seek assistance with clean up and post a log, after doing that, please reply back in this thread with a link to the new topic so we can close this one.

 

 

Thank you very much.  I have opened a thread in the Malware Log forum.   http://www.bleepingcomputer.com/forums/t/563145/win-xp-pro-sp3-desktop-infected-with-ctb-locker-type-virus/



#14 KBenning

  • Topic Starter
  • Members
  • 28 posts

Posted 13 January 2015 - 07:23 PM

You don't need to include a GMER log unless the helper that will assist you asks for it :) From now on, all you have to do is to wait for a helper to post in your thread and follow their instructions.

 

 

Thank you again for the helpful clarification regarding a GMER log.  The last thing I want to do is annoy anyone who is helping me and other people out, and I also don't want to waste their time.  I don't mean to bother you with all these replies, but I want to be clear that I am appreciative of the kindness, patience, and help of people here.



#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts

Posted 13 January 2015 - 07:26 PM

Do you think there is a decent chance that a decryption will be coming, or is that very unlikely due to the complexity of the new variants?

Not likely any time soon.


Now that your new topic is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the information or any log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Good luck.



