
Please help with Win32/filecoder/crtorjan virus


1 reply to this topic

#1 happer7

  • Members

Posted 07 May 2015 - 09:34 PM

It's got jpg, txt, & doc files up for ransom

 

How do I recover the data & kill the virus?




#2 quietman7


  • Global Moderator

Posted 08 May 2015 - 04:31 AM

What type of crypto ransomware are you dealing with?

Are there any file extensions appended to your files...such as .ecc, .ezz, .CTBL, .CTB2, .XTBL, .encrypted or a 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) folder for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL

These are common locations malicious executables may be found:
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
C:\<random>\<random>.exe

Does it look like one of these or something else...?
* PClock (WinCL variant)
* PClock (newer Windsk variant)
* Alpha Crypt
* TeslaCrypt
* TorLocker (Scraper)
* CryptoWall
* TorrentLocker
* Crypt0L0cker
* CryptoFortress
* CTB-Locker
* KEYHolder
* CryptoTorLocker2015 <- utilizes a password prompt
* International Police Association/Sopa/PIPA <- utilizes a password prompt
* CryptoLocker (original)

If the ransomware does not look like any of those in the above links...reading through the following information may assist with identifying the crypto malware infection you are dealing with. Once you have identified which particular ransomware you are dealing with, a Moderator can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
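
A read-only triage sketch for the checks described in the reply above (appended extensions and ransom-note file names), added here as an example; it is not code from the thread or from BleepingComputer. The double-extension heuristic for the random 6-7 character suffix and the sample file names in `demo()` are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom note base names quoted in the reply (matched case-insensitively).
NOTE_STEMS = {
    "help_decrypt", "help_to_decrypt_your_files", "help_restore_files",
    "help_to_save_files", "recovery_key", "decrypt_instruction",
}
NOTE_EXTS = {".txt", ".html", ".url", ".png", ".bmp"}
# Appended extensions named in the reply.
KNOWN_EXTS = {".ecc", ".ezz", ".ctbl", ".ctb2", ".xtbl", ".encrypted"}
# Assumption: a 6-7 character final extension only counts when it follows
# an ordinary document extension, e.g. photo.jpg.qhxzkpa (heuristic only).
RANDOM_EXT = re.compile(
    r"\.(jpg|jpeg|txt|doc|docx|pdf|xls|xlsx)\.([a-z0-9]{6,7})$", re.I)


def triage(root):
    """Walk root without modifying it; return (note paths, extension counts)."""
    notes, exts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if stem in NOTE_STEMS and ext in NOTE_EXTS:
                notes.append(os.path.join(dirpath, name))
            elif ext in KNOWN_EXTS or RANDOM_EXT.search(name):
                # One suffix repeated across many files is the useful signal.
                exts[ext] += 1
    return sorted(notes), exts


def demo():
    """Run triage over a constructed sample tree (file names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("HELP_DECRYPT.TXT", "holiday.jpg.ecc", "notes.txt.ecc",
                     "cv.doc.qhxzkpa", "budget.xls.qhxzkpa", "readme.txt"):
            open(os.path.join(root, name), "w").close()
        notes, exts = triage(root)
        return [os.path.basename(n) for n in notes], dict(exts)


if __name__ == "__main__":
    print(demo())
```

The note file name and the dominant appended extension are the two details the reply asks for when identifying the ransomware family.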




