
Crypt0l0cker infection


  • This topic is locked
6 replies to this topic

#1 biziosev


Posted 12 July 2015 - 01:01 PM

Hello,

Sorry for my poor English, but I'm Italian.

My PC is infected by crypt0l0cker and I would like to know if a removal tool exists. If not, can you tell me the right instructions to manually remove this ransomlocker virus?

All of the files in every folder are renamed with the extension "encrypted", and in all folders there are two files with the extensions html and txt (the two files, named "istruzioni decrittazione", describe the steps for paying the ransom). My OS is Win 8.1.

Thank you so much.

 

Fabrizio




 


#2 Sintharius


Posted 12 July 2015 - 01:08 PM

Hello,

The files responsible for the infection are usually gone when encryption is complete - the ransom notes and encrypted files are usually what is left.

You can run this to see if it catches anything.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#3 biziosev


Posted 12 July 2015 - 01:12 PM

Thank you Alex.

Do I have to execute the tool in safe mode?



#4 Sintharius


Posted 12 July 2015 - 01:14 PM

Please run it in Normal Mode, as running it in Safe Mode will weaken the tool.

#5 biziosev


Posted 12 July 2015 - 03:47 PM

Alex,

Here is the execution log of the tool:

 

--------------------------------------------------------------------------

Emsisoft Emergency Kit - Versione 10.0
Ultimo aggiornamento: 12/07/2015 22:21:20
Account utente: xxxxxxxxxxxxxxxxxxxxxxxxxx
 
Impostazioni scansione:
 
Tipo scansione: Scansione Malware
Oggetti: Rootkits, Memoria, Tracce, Files
 
Rileva PUPs: On
Archivio scansioni: Off
Scansione ADS: On
Filtro estensione dei file: Off
Caching avanzato: On
Accesso diretto al disco: Off
 
Scansione avviata: 12/07/2015 22:23:38
 
Scansionati 74330
Rilevato 0
 
Fine scansione: 12/07/2015 22:26:48
Tempo scansione: 0:03:10
----------------------------------------------------------
 
Nothing was found, so I think my PC is "clean". Is that OK for you too? Are there other actions to take?
So, now my problem is how to recover the encrypted files! It seems that there is no solution at this time. Do you know anything about this? Any suggestions?
 
Thank you a lot,
Fabrizio

Edited by biziosev, 12 July 2015 - 03:47 PM.


#6 Sintharius


Posted 12 July 2015 - 03:55 PM

Looks like it's clean. Since this particular ransomware came from a document with an embedded malicious macro, you might want to check if you have opened any strange documents lately.

Unfortunately, as you said, there is no solution at this time aside from paying the ransom.

My suggestion is to save the encrypted files to another secure location like an external HDD and keep them safe. A solution might come in the future. Until then, there is nothing we can do - brute forcing RSA encryption cannot be done in a reasonable time.

You can follow the discussion on BC here should something new arise: TorrentLocker changes it's name to Crypt0L0cker and bypasses U.S. computers

Let me know if you need anything.

Regards,
Alex
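
Added example, not part of the original thread and not code from any poster or from Emsisoft: one way to carry out the "save the encrypted files to another location" advice above. It copies every file with the "encrypted" extension, plus the "istruzioni decrittazione" notes, to a destination folder and records a SHA-256 manifest. Assumptions: the function names and manifest.tsv are made up for this sketch, the notes are kept in case they are needed later, and the destination lies outside the scanned folder.

```python
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"          # extension reported in the first post
NOTE_STEM = "istruzioni decrittazione"   # ransom note name reported in the first post
NOTE_SUFFIXES = {".html", ".txt"}


def classify(path: Path):
    """Return 'encrypted', 'note' or None for a single file."""
    suffix = path.suffix.lower()
    if suffix == ENCRYPTED_SUFFIX:
        return "encrypted"
    # Assumption: note names may use spaces or underscores and any letter case.
    stem = path.stem.lower().replace("_", " ")
    if suffix in NOTE_SUFFIXES and stem == NOTE_STEM:
        return "note"
    return None


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(source: Path, destination: Path):
    """Copy (never move) matching files, keep relative paths, write a manifest."""
    entries = []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        kind = classify(path)
        if kind is None:
            continue
        relative = path.relative_to(source)
        target = destination / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)           # keeps timestamps with the copy
        copied_hash = sha256_of(target)
        if copied_hash != sha256_of(path):   # verify the copy before trusting it
            raise IOError(f"copy of {relative} does not match the original")
        entries.append((kind, relative.as_posix(), copied_hash))
    destination.mkdir(parents=True, exist_ok=True)
    lines = ["\t".join(entry) for entry in entries]
    (destination / "manifest.tsv").write_text("\n".join(lines) + "\n", encoding="utf-8")
    return entries
```

Call it as preserve(Path(r"C:\Users"), Path(r"E:\crypt0l0cker-backup")), with both paths replaced by your own; the originals are left untouched.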

#7 quietman7


Posted 12 July 2015 - 04:15 PM

There is also an ongoing discussion in this topic: Crypt0L0cker Ransomware Support & Discussion

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




