
Locker Ransomware Support and Help Topic


634 replies to this topic

#31 Kuldaniss (Members, 29 posts, Timisoara, Romania)

Posted 25 May 2015 - 09:46 AM

Yeah I'm not sure either that SpyHunter did that, maybe the window with the Locker just didn't pop up anymore. Anyway, I will keep all the encrypted files waiting for a solution, and will keep following this thread. 

If there's anything I can do to help with finding a solution, let me know.




#32 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 09:53 AM

For those who are infected, do you have TOR installed in the following folder as well?

C:\ProgramData\tor\

#33 Kuldaniss (Members, 29 posts, Timisoara, Romania)

Posted 25 May 2015 - 09:54 AM

> For those who are infected, do you have TOR installed in the following folder as well?
>
> C:\ProgramData\tor\

Seems that I do. Should I delete that? I didn't hear good things about it.



#34 GangXtaZz (Members, 33 posts)

Posted 25 May 2015 - 09:55 AM

> For those who are infected, do you have TOR installed in the following folder as well?
>
> C:\ProgramData\tor\

Yes, I have it as well.



#35 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 09:56 AM

Hold off on deleting anything right now. I know we have a few people looking at this infection.

#36 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 09:59 AM

Please zip up the Tor folder and submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

Thanks

#37 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 10:00 AM

This ransomware is VERY widespread at the moment.

#38 GangXtaZz (Members, 33 posts)

Posted 25 May 2015 - 10:01 AM

I am currently at work and unable to upload it. I hope that our fellow victim Kuldaniss is home and able to; I'll be back home in about 3 hours.


Edited by GangXtaZz, 25 May 2015 - 10:02 AM.


#39 Kuldaniss (Members, 29 posts, Timisoara, Romania)

Posted 25 May 2015 - 10:04 AM

> Please zip up the Tor folder and submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
>
> Thanks

Uploaded it.

> This ransomware is VERY widespread at the moment.

Exactly! A lot of people have been infected, this day only. I'm still not sure how I got this virus; this is a brand new computer, it isn't even a week old, and I know to stay away from weird websites/emails.



#40 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 10:05 AM

The RKCL folder: where is it located? ProgramData as well?

Also, if you can export the registry keys that would be helpful as well.

#41 White Hat Mike (Members, 312 posts, Location ::1)

Posted 25 May 2015 - 10:09 AM

This is the error I get when trying to run ldr.exe.

[Screenshot of the error message shown when running ldr.exe]


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#42 Zackster1 (Members, 4 posts)

Posted 25 May 2015 - 10:09 AM

There is also a folder that was created called steg, with a .exe called steg, in ProgramData; it came with the virus.



#43 GangXtaZz (Members, 33 posts)

Posted 25 May 2015 - 10:10 AM

> The RKCL folder: where is it located? ProgramData as well?
>
> Also, if you can export the registry keys that would be helpful as well.

The RKCL folder is indeed located in ProgramData as well.

And about how the infection spread: I was working on a project the other night and opened a few PDFs via Chrome. That's most certainly the way I got infected, as I usually know how to avoid malicious sites/software.

I will export all the registry keys related to RKCL and tor as soon as I get home. I've also performed a FRST scan the other night, if that helps in any way:

 

Addition: http://www7.zippyshare.com/v/49v0Iq3g/file.html

 

FRST: http://www7.zippyshare.com/v/YsIZNTyQ/file.html


Edited by GangXtaZz, 25 May 2015 - 10:11 AM.


#44 Kuldaniss (Members, 29 posts, Timisoara, Romania)

Posted 25 May 2015 - 10:12 AM

> The RKCL folder: where is it located? ProgramData as well?
>
> Also, if you can export the registry keys that would be helpful as well.

Yes, the RKCL folder is there as well.

Uploaded the registry as .txt at the link you provided for the Tor archive.



#45 Grinler (Lawrence Abrams; Admin, Topic Starter, 43,295 posts, USA)

Posted 25 May 2015 - 10:14 AM

OK, this is most definitely exploit kit spread. If you can remember which PDFs, that would be a huge help. Maybe check your history.

Furthermore, the current folder structure is:

C:\ProgramData\rkcl
C:\ProgramData\Steg\steg.exe
C:\ProgramData\Tor\
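A read-only triage script for the three artifact paths listed in this post, added here as an example and not code from the thread or from BleepingComputer. It records which paths exist, hashes and timestamps every file under them, and zips the Tor folder for submission as requested earlier in the thread; it deletes nothing, since the thread asks infected users to hold off on deletion. The output folder on the Desktop is an assumption.

```powershell
# Added example: read-only triage of the artifact paths named in this thread.
# Reports only; nothing is deleted or modified. Paths come from the thread,
# the output folder ($OutDir) is assumed for this example.

$ArtifactPaths = @(
    'C:\ProgramData\rkcl',
    'C:\ProgramData\Steg\steg.exe',
    'C:\ProgramData\Tor'
)
$OutDir = Join-Path $env:USERPROFILE 'Desktop\locker-triage'   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Report = foreach ($Path in $ArtifactPaths) {
    if (-not (Test-Path -LiteralPath $Path)) {
        # Record absent paths too, so the report shows what was checked.
        [pscustomobject]@{ Path = $Path; Present = $false; Item = $null; SHA256 = $null; Created = $null; Modified = $null }
        continue
    }
    # A single file is hashed directly; a folder is walked recursively (hidden files included).
    $Files = if (Test-Path -LiteralPath $Path -PathType Leaf) { Get-Item -LiteralPath $Path }
             else { Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($File in $Files) {
        [pscustomobject]@{
            Path     = $Path
            Present  = $true
            Item     = $File.FullName
            SHA256   = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
            Created  = $File.CreationTime      # creation time helps correlate with the PDF opening
            Modified = $File.LastWriteTime
        }
    }
}

# Save the inventory for the submission and show it on screen.
$Report | Export-Csv -Path (Join-Path $OutDir 'artifacts.csv') -NoTypeInformation
$Report | Format-Table -AutoSize

# Zip the Tor folder for the malware submission form without touching the original.
if (Test-Path -LiteralPath 'C:\ProgramData\Tor' -PathType Container) {
    Compress-Archive -LiteralPath 'C:\ProgramData\Tor' -DestinationPath (Join-Path $OutDir 'tor.zip') -Force
}
```

Run it from an elevated PowerShell prompt, since files under C:\ProgramData may not be readable by a standard user.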