
Ransomware encrypted my files last night, and seemingly uninstalled itself.


4 replies to this topic

#1 Velrox

Velrox

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 23 June 2015 - 07:47 AM

I haven't quite identified what version of this type of malware I've been infected with.

I have attached a text file that was added to every folder with encrypted files. The file includes English and Norwegian instructions.

It starts with saying:

Hi boys, girls! We have sad news.

Your files have been crypted by 2 popular algoritms - AES and RSA. Only we have private RSA key

All encrypted files now starting with file_

 

I have no backups, no system restore points, shadow explorer has no files to explore.

 

Is it possible to backup all encrypted files to an external hard drive or something and format system drive while waiting for a solution to decrypting the files? Would moving the files make it harder to identify what files have been encrypted, and subsequently decrypt them?

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:45 AM

Posted 26 June 2015 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Most of the information you need to know about your infection is listed here.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

===

You should clean your computer with the following fix.

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files\KMSpico\Service_KMS.exe
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll No File
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Extension: (Avast Online Security) - C:\Users\kim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-06-23]
CHR HKU\S-1-5-21-2055125233-296503703-1677857845-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-06-23]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [37888 2013-03-02] () [File not signed]
S3 COMMONFX; system32\drivers\COMMONFX.SYS [X]
S3 COMMONFX.SYS; \SystemRoot\System32\drivers\COMMONFX.SYS [X]
S3 CTAUDFX; system32\drivers\CTAUDFX.SYS [X]
S3 CTAUDFX.SYS; \SystemRoot\System32\drivers\CTAUDFX.SYS [X]
S3 CTERFXFX; system32\drivers\CTERFXFX.SYS [X]
S3 CTERFXFX.SYS; \SystemRoot\System32\drivers\CTERFXFX.SYS [X]
S3 CTSBLFX; system32\drivers\CTSBLFX.SYS [X]
S3 CTSBLFX.SYS; \SystemRoot\System32\drivers\CTSBLFX.SYS [X]
S1 hcwpgzeh; \??\C:\Windows\system32\drivers\hcwpgzeh.sys [X]
S1 nxsgwjhl; \??\C:\Windows\system32\drivers\nxsgwjhl.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\KMSpico

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If you decide to format your computer after this cleanup, it's your call.

Keep me posted.

#3 Velrox

Velrox
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 27 June 2015 - 05:42 AM

Hi, and thanks for looking into this for me nasdaq!

 

I had already read that FAQ lightly, but on your insistence I read through it on the bus to work. :)

There are many points there that are not relevant to my case. I'll list them; hopefully this will help you in finding out what version of the malware we're dealing with.

 

  1. No program has started at any point in time showing a payment screen, or any payment timer. The only thing I've noticed is the Read This!.txt file popping up in every folder with affected files.
  2. A user has been made called "download". I have attached a picture of the registry for that user. It seems to automatically be logged in to at startup, but I'm not quite sure about that. When I turn off my computer now it says that another user is also logged on, etc.
  3. The name cryptolocker is never mentioned anywhere.
  4. There has been no wallpaper created. I still have my old one.
  5. I cannot see any strange processes in task manager.
  6. I have not opened any attachments to any emails, so I must have been infected in some other way, like clicking some link, opening the wrong type of website or something.
  7. I cannot find a version of software\cryptolocker\files on any user profiles. ListCrilock can't find any files infected either. How do I make a list of infected files? Just use something like everything.exe to search for file_? How would I then go about extracting these files somewhere?

Hope any of this proves useful. My ultimate goal would of course be to get these files back in their original state, but I guess that might take some time, so in the meantime I'd settle for extracting them somewhere, like an external hard drive, and formatting my computer.

 

I have also added the fixlog.txt that you requested.

Attached Files


Edited by Velrox, 27 June 2015 - 05:44 AM.
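One way to do the inventory-and-copy step Velrox asks about in point 7, as an added example that is not code from this thread: walk the profile, collect every file whose name starts with the `file_` prefix the ransom note describes (plus the `Read This!.txt` notes, which identify the variant), copy them to a backup folder with their original relative paths intact, and write a manifest with sizes and SHA-256 hashes so the copies can be checked against the originals later. The `build_sample_tree()` directory layout and file contents are constructed for the demonstration; the prefix and note name come from the thread.

```python
import csv
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_PREFIX = "file_"        # prefix the ransom note says encrypted files get
RANSOM_NOTE = "Read This!.txt"    # note dropped into every affected folder

def sha256_of(path):
    """Hash a file so the backed-up copy can be verified against it later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_encrypted(root, prefix=ENCRYPTED_PREFIX, note=RANSOM_NOTE):
    """Walk root; return sorted relative paths of encrypted files and ransom notes."""
    root = Path(root)
    hits = [Path(d, n).relative_to(root) for d, _, files in os.walk(root)
            for n in files if n.startswith(prefix) or n == note]
    return sorted(hits, key=lambda p: p.as_posix())

def backup_encrypted(root, dest, prefix=ENCRYPTED_PREFIX, note=RANSOM_NOTE):
    """Copy each hit into dest keeping its relative path, write manifest.csv beside the copies, return the hit count."""
    root, dest = Path(root), Path(dest)
    hits = find_encrypted(root, prefix, note)
    dest.mkdir(parents=True, exist_ok=True)
    with open(dest / "manifest.csv", "w", newline="") as mf:
        w = csv.writer(mf)
        w.writerow(["relative_path", "size_bytes", "sha256"])
        for rel in hits:
            src, target = root / rel, dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)  # copy2 keeps the original timestamps
            w.writerow([rel.as_posix(), src.stat().st_size, sha256_of(src)])
    return len(hits)

def build_sample_tree():
    """Constructed stand-in for an infected user profile (not real data)."""
    root = Path(tempfile.mkdtemp()) / "Users" / "victim"
    (root / "Documents" / "Pics").mkdir(parents=True)
    (root / "Documents" / "file_report.docx").write_bytes(b"encrypted-1")
    (root / "Documents" / "Pics" / "file_holiday.jpg").write_bytes(b"encrypted-2")
    (root / "Documents" / RANSOM_NOTE).write_text("Hi boys, girls! We have sad news.")
    (root / "Documents" / "untouched.txt").write_text("clean")
    return root
```

Point `backup_encrypted` at the real profile (for example `C:\Users\<name>`) and at a folder on the external drive; the manifest lets you confirm later that nothing changed between the copy and any decryption attempt.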


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:45 AM

Posted 27 June 2015 - 08:14 AM

This looks like your infection.

Read the topic and see if you can get lucky and restore your files.

http://www.bleepingcomputer.com/forums/t/579617/unknown-ransomware-hit-company-pc-need-help-urgently/

#5 Velrox

Velrox
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 27 June 2015 - 10:29 AM

Thank you so much Nasdaq, that does look a lot like the same infection.





