Am I Infected with CryptoLocker Virus


  • This topic is locked
2 replies to this topic

#1 WyoGuy

  • Members
  • 1 posts

Posted 30 May 2015 - 11:19 AM

This is my first time to post anywhere - note: second try.

I did a restart on XP Pro Service Pack 3 on 05/29/2015 and received the following message:

DIALOG WINDOW MESSAGE

All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.

Open in your browser one of the links:
https://www.reomesoess.com
http://fjuran43na48ef4.fmriamsdfl.com
https://tlunjscxn5n76iyz.tor2web.blutmagie.de

They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1FbUBpeWdtXHzjCa9y15qF3ZAzw4hTNDyc
Follow the instructions on the server.

If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1FbUBpeWdtXHzjCa9y15qF3ZAzw4hTNDyc
Follow the instructions on the server.


SYSTEM INFORMATION and ACTION AFTER MESSAGE

My system has 3 external USB hard drives and 2 internal hard drives. I immediately removed the external hard drives and contacted Norton by phone; Norton moved me to level 2 support. A lady from Norton came into my system and did a scan of the system. She also looked in the registry and deleted something related to IE. I missed some of what else she did, but saw her run msconfig and disable HELP_RESTORE_FILES_ikixt.TXT (this is the file that contained the message posted above) in Startup. NOTE: this file was downloaded to my system on 5/19/2015.

The Norton lady did not give me any reassurance that my system is clear of the CryptoLocker Virus.

She said Norton Internet Security must have stopped the virus, BUT NIS did not stop an addition to my startup in msconfig.

 

I did not get the impression she found the CryptoLocker Virus, i.e. an exe type file or wherever viruses reside.

 

My system has 29,000 files of the doc, xls and pdf types.

So far I have not had any trouble opening any file.

 

My question is: how do I know if the CryptoLocker Virus or a similar virus is on my system?

 

I have several Norton Ghost image backups of the C: drive.

I think a restore of the 03/30/2015 image backup should take care of the C drive, provided that there is not an e-mail attachment that I saved that can reinfect my system, if it was infected in the first place.

 

ANY ADVICE WOULD BE GREATLY APPRECIATED

 


#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 30 May 2015 - 11:25 AM

Hi there,

Do your files have a .exx extension tacked on them?

#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,912 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 May 2015 - 06:35 PM


- TeslaCrypt leaves files (ransom notes) named:
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
%Desktop%\HELP_RESTORE_FILES.txt
My Documents\RECOVERY_KEY.txt

Any files that are encrypted with TeslaCrypt will have the .ecc extension added to the end of the filename.
Any files that are encrypted with Alpha Crypt (TeslaCrypt renamed) will have the .ezz extension added to the end of the filename. Any files that are encrypted with the newer unnamed variant will have the .exx extension added to the end of the filename.

A repository of all current knowledge regarding TeslaCrypt and Alpha Crypt is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:
TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt

There are ongoing discussions in these topics: Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion... this topic is closed.

Thanks
The BC Staff

Note: If the extension by chance is anything different than above, please send me a PM and I will reopen this topic.
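A simple way to apply the identification rules from the answer above, as an added example (not code from BleepingComputer or any poster): walk a drive, count files by the extensions the post lists (.ecc, .ezz, .exx) and flag ransom notes by name prefix, so a randomly suffixed note like the HELP_RESTORE_FILES_ikixt.TXT from the first post is caught too. Variant and note names come from the post; the sample directory tree is constructed.

```python
import os
import tempfile

# Extension -> variant name, as quietman7's post maps them (added example code).
VARIANT_BY_EXT = {
    ".ecc": "TeslaCrypt",
    ".ezz": "Alpha Crypt (TeslaCrypt renamed)",
    ".exx": "newer unnamed TeslaCrypt variant",
}
# Ransom-note name prefixes from the post, matched case-insensitively so the
# randomly suffixed HELP_RESTORE_FILES_ikixt.TXT from the first post also hits.
NOTE_PREFIXES = ("HELP_RESTORE_FILES", "HELP_TO_DECRYPT_YOUR_FILES", "RECOVERY_KEY")


def classify(name):
    """Return ('encrypted', variant), ('ransom_note', name) or (None, None)."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in VARIANT_BY_EXT:
        return "encrypted", VARIANT_BY_EXT[ext]
    if ext in (".txt", ".bmp") and stem.upper().startswith(NOTE_PREFIXES):
        return "ransom_note", name
    return None, None


def triage(root):
    """Walk root; return (per-variant counts of encrypted files, ransom-note paths)."""
    counts, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind, detail = classify(f)
            if kind == "encrypted":
                counts[detail] = counts.get(detail, 0) + 1
            elif kind == "ransom_note":
                notes.append(os.path.join(dirpath, f))
    return counts, notes


def demo():
    """Constructed sample tree (empty files, not real data) to show what a hit looks like."""
    root = tempfile.mkdtemp()
    for rel in ("report.xls.exx", "photo.jpg", "HELP_RESTORE_FILES_ikixt.TXT",
                os.path.join("docs", "budget.doc.ecc")):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return triage(root)
```

Run `triage(r"C:\")` (or a mounted image of the drive) to get a count per variant and the note paths; a non-empty result points at the matching topic linked in the answer, an empty one means the listed extensions are absent, which is the case the note at the end of the answer asks to be reported by PM.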
