Hey there nice people of this forum. I do apologise for getting straight to the point but I'm quite desperate at the moment.
Yesterday I was infected by a strange cryptovirus that locked most txt, jpg and rar files on my pc. I got rid of all the viruses/trojans/other crap by scanning it thoroughly for the last 10 hours, but all the infected files still remain encrypted and I would like to get them back.
All the information I possess about the infection at the moment:
- the infection started by opening an attachment found in an email. File was named "columnises.zip", inside the archive we had "columnises.scr" which opened a txt file with movie offers once the archive was opened (I did not extract it). "columnises.scr" is "Win32/TrojanDownloader.Elenoocka.A trojan" according to ESET NOD32 antivirus 8.0304.0, database version 11042 (20150120).
- the following file types were encrypted -> jpg, xls, doc, js, rar, txt, xlsx, docx, accdb, ppt, mdb, others I might not know about. All 0 byte files of the mentioned types were not affected.
- all affected files have been renamed in the following fashion - filename extension has been capitalised (so rar -> RAR, doc -> DOC etc.) and the following extension has been added after the changed file extension -> ".zwfhivd" which got associated with IrfanView
- removing the ".zwfhivd" extension does not fix anything. File opens, but there is only gibberish inside, rar archives report as corrupted
- "file size" remains exactly the same as before the infection (tested it). "File size on disk" is different from the original file. When compared by content with a vanilla copy using Total Commander the encrypted files are totally different, so I guess encrypted. The encrypted file is longer, so not only the header changed.
- at this moment I'm not 100% sure that "Win32/TrojanDownloader.Elenoocka.A" was responsible for the encryption, because I was using the computer for a couple of hours before noticing the encrypted files. When I saw it I immediately cut all internet access to the pc and scanned the operating memory and all boot sectors removing anything suspicious (1 process). Today I removed two more suspicious files found on the PC, but unfortunately I can't provide any logs for this, because I upgraded NOD32 a couple of hours ago, and cleaned all logs while doing so (my first cryptovirus, didn't know better). Besides, according to NOD's malware database "Win32/TrojanDownloader.Elenoocka.A" is just a trojan downloader which means basically harmless if you know how to contain it.
- the bad news is windows system recovery is turned off on this pc, shadow copy as well.
- the good news is I might be able to provide unencrypted file copies and the original email that started it all.
Despite my best efforts to identify this malware and decrypt it I found nil. If you need any logs, file examples, more information or you want me to do some tests I will be happy to oblige. Thank you in advance!
It seems that my problem is very similar to the one reported in this topic -> http://www.bleepingcomputer.com/forums/t/563800/virus-renamed-and-encrypted-my-files/ although my wallpaper wasn't changed and I got no information about the ransom to pay. It MIGHT be the Critroni Ransomware, as described here: http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information. The one thing I will never do is pay money to some scumbag that locks people's files.
Edited by infectedbivirus, 20 January 2015 - 10:44 AM.
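The post lists concrete indicators (original extension uppercased, `.zwfhivd` appended, same byte length, header no longer valid). The read-only triage script below is an added example, not from the poster or any tool mentioned: it reconstructs each affected file's original name, checks whether the file's magic bytes still match its claimed type, and reports the byte entropy of the leading bytes, which tells encrypted content apart from a mere rename. The signature table and the 4 KB sample size are my assumptions.

```python
import math
import os

RANSOM_EXT = ".zwfhivd"  # extension the post reports being appended to every encrypted file

# Well-known signatures for a few of the affected types (assumption: originals were standard files)
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "rar": b"Rar!\x1a\x07",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

def original_name(name):
    """Undo the reported rename: 'photo.JPG.zwfhivd' -> 'photo.jpg'. None if the name does not fit."""
    if not name.endswith(RANSOM_EXT):
        return None
    stem = name[: -len(RANSOM_EXT)]
    base, dot, ext = stem.rpartition(".")
    if not dot or not base or not ext.isupper():  # scheme: original extension was uppercased
        return None
    return f"{base}.{ext.lower()}"

def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def triage(name, head):
    """Classify one affected file from its name and its leading bytes."""
    orig = original_name(name)
    if orig is None:
        return None
    magic = MAGIC.get(orig.rsplit(".", 1)[-1])
    return {
        "original_name": orig,
        "header_intact": head.startswith(magic) if magic else None,  # None: no signature known
        "entropy": round(shannon_entropy(head), 2),
    }

def scan(root, head_len=4096):
    """Walk a tree and triage every file carrying the ransom extension; nothing is modified."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(RANSOM_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    results.append((path, triage(fname, fh.read(head_len))))
    return results
```

Run `scan()` against a copy of the affected tree; a file whose header is intact and whose entropy is low was only renamed, while high entropy with a broken header matches what the post describes.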