
Cryptolocker affected files


  • This topic is locked
11 replies to this topic

#1 Shambhusn1989

  • Members
  • 6 posts

Posted 08 June 2015 - 06:19 AM

Cryptolocker trojan has affected my laptop, which contains PhD thesis files of 10 years of experimentation. In no way can I lose these files. They are all encrypted now. Deadline for ransom payment is also gone some 15 days back. I have to recover my files. Please help. FRST and Addition files are attached.

Attached File  FRST.txt   33.1KB   6 downloads
Attached File  Addition.txt   22.84KB   4 downloads





#2 mAL_rEm018

  • Malware Response Team
  • 308 posts

Posted 13 June 2015 - 12:13 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 5 days will result in this thread being closed.


Hello Shambhusn1989,

My name is mAL_rEm018, but feel free to call me mAL. I'm an undergraduate trainee and as such my posts to you have to first be checked by a Teacher; because of this, my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Since you are infected with ransomware, please be aware that we might be unable to recover your files.  I advise you to save your personal data and if we are unable to get it back now, it might be possible to do so in the future.  The instructions for backing up your computer can be found in the following links:

Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:
  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".


I am currently reviewing your logs and will return as soon as possible, with additional instructions.

 

Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 mAL_rEm018

  • Malware Response Team
  • 308 posts

Posted 14 June 2015 - 11:40 AM

Hello Shambhusn1989,

It seems you were infected with PClock. Fortunately, we might be able to recover your files using software; however, please be aware that there is a possibility this method might not work. This depends entirely on the specific variant of PClock you were infected with.

Since we can't be 100% certain that there won't be any remnants of PClock left even after removing the infection, I propose the following: we try to recover your personal files, and then you should perform a reformat and re-install of Windows 7. The choice is yours to make, so please let me know how you would like to proceed in your next reply and then I will provide you with further instructions.

mAL




#4 Shambhusn1989

  • Topic Starter
  • Members
  • 6 posts

Posted 15 June 2015 - 07:46 AM

Hi mAL,

 

 Thanks for the reply. 

  There is one back up file of 23 GB stored in D drive. But I need to recover very few personal files which are important to me. I have no issue in reformatting and reinstalling, but I don't know how to do them. Though I am positive some of my friends may help me out in this here.



#5 Shambhusn1989

  • Topic Starter
  • Members
  • 6 posts

Posted 16 June 2015 - 02:30 AM

Hi mAL, Tried Fabian's Emsisoft decryptor. I am not able to run it. It says "there is no previous Plock malware infection in your computer. So the program will be closed".

And I think Plock malware has been removed from the antivirus.


Edited by Shambhusn1989, 16 June 2015 - 02:32 AM.


#6 mAL_rEm018

  • Malware Response Team
  • 308 posts

Posted 17 June 2015 - 10:15 AM

Hello Shambhusn1989,

I'm afraid I have some bad news..
 

"And I think Plock malware has been removed from the antivirus."

The decryptor uses part of the infection itself to get access to the decryption key. This means that since PClock is no longer present on your computer, there is no way for the moment to retrieve your personal files. The only thing we can do now is to back up the encrypted files in case a solution presents itself in the future.


Please answer the following question:

  • What model of computer are you using?  Please be as specific as possible.

Please do the following..


  • Navigate to the following locations:
    • C:\Users\srivani\enc_files.txt
    • C:\Users\srivani\Desktop\enc_files.txt
  • Copy both enc_files.txt to a USB flash drive.

Next..



"There is one back up file of 23 GB stored in D drive."

If you have not already done so, please back up your computer to an external hard drive. We will perform a factory restore of your laptop, which means that the backup drive will be erased. The information for backing up your laptop can be found here.


Please post back to let me know that you have done all of the above and I will provide you with the steps to reformat and re-install Windows 7.


Edited by mAL_rEm018, 17 June 2015 - 10:52 AM.



#7 Shambhusn1989

  • Topic Starter
  • Members
  • 6 posts

Posted 18 June 2015 - 04:08 AM

Hello Shambhusn1989,

I'm afraid I have some bad news..
 

And I think Plock malware has been removed from the antivirus.

"The decryptor uses part of the infection itself to get access to the decryption key.  This means that since PClock is no longer present on your computer, there is no way for the moment to retrieve your personal files.  The only thing we can do now is to backup the encrypted files in case a solution presents itself in the future." 

 

Can I reinfect my PC with Plock once again so that the decryption code is found from the virus? If yes, please give the link to download the virus.



 

 



#8 Shambhusn1989

  • Topic Starter
  • Members
  • 6 posts

Posted 18 June 2015 - 04:13 AM

I have computer technicians in my institute who will be able to do the formatting and reinstalling of Windows.

I will do the back up to the external hard drive as you said, but extracting affected PhD files from this back up is what is more important to me rather than formatting and reinstalling, because I have two other desktops at my workplace to work with. And the recovery of these PhD files is the thing which is necessary right now.



#9 mAL_rEm018

  • Malware Response Team
  • 308 posts

Posted 18 June 2015 - 11:04 PM

Hello Shambhusn1989,
 

"Can I reinfect my PC with Plock once again so that the decryption code is found from the virus? If yes, please give the link to download the virus."

I'm afraid this is not an option. If you were to re-infect yourself with PClock your files would be encrypted a second time, which means that you would now need 2 decryption keys in order to recover your files. We also have no idea which variant of PClock you were infected with since your antivirus removed it. The only thing you can do is to back up your files and hope a solution presents itself in the future. Do not try to re-infect your computer!
 

"I have computer technicians in my institute who will be able to do the formatting and reinstalling the windows."

No problem.  I will give you a few tips below to help prevent this type of situation from happening again.

Always have a proper backup in place.
I make a full backup of my computer on an external hard drive every week. Every time I add or modify an important document, I back it up right away to a USB flash drive and my external drive. If you follow this method and get re-infected with ransomware again in the future, then you can re-format your computer immediately, since you will have all your important files stored externally. More information regarding this subject can be found here.

Stay away from cracked software!

2015-05-15 12:53 - 2015-06-08 15:58 - 00000000 ____D C:\Users\srivani\Desktop\ESET NOD32 ANTIVIRUS 7 CRACK (32 64 BIT) THADOGG

Using cracked software is not only illegal, it's the easiest and fastest way to get infected.  Most cracked files are infected in some way, therefore if you value the security of your computer at all, stay away from them.


You should find the following information useful..


I would really appreciate it if you could reply to this post to let me know that you've seen it, so that I can request for this topic to be closed.

 




#10 Shambhusn1989

  • Topic Starter
  • Members
  • 6 posts

Posted 21 June 2015 - 03:52 AM



"Stay away from cracked software!

2015-05-15 12:53 - 2015-06-08 15:58 - 00000000 ____D C:\Users\srivani\Desktop\ESET NOD32 ANTIVIRUS 7 CRACK (32 64 BIT) THADOGG

Using cracked software is not only illegal, it's the easiest and fastest way to get infected.  Most cracked files are infected in some way, therefore if you value the security of your computer at all, stay away from them."

 

Yes, I used it temporarily, thinking I would get rid of the Plock virus as my paid antivirus did not work. And it removing the virus became an even bigger mistake.

And finally, thanks for being there. Will follow your guidelines about safety.

You can now close this topic. 



#11 mAL_rEm018

  • Malware Response Team
  • 308 posts

Posted 21 June 2015 - 09:57 AM

"And finally, thanks for being there."

It's my pleasure and I hope everything works out for you.  I will request for this topic to be closed.




#12 Gary R

    MRU Admin

  • Malware Response Team
  • 777 posts

Posted 21 June 2015 - 11:19 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



