CryptoLocker current virus


3 replies to this topic

#1 donpatti

donpatti

  • Members
  • 1 posts
  • Local time:05:51 AM

Posted 30 September 2015 - 06:17 AM

Hello. I am new to this site. About six months ago my network was encrypted and my IT representative tried to pay the ransom but the key failed. Yesterday my wife hung up on a caller with a foreign accent who said "I hear that you are having trouble with your computer."

 

1. Is there any connection? 

2. Can I try again to remove the encryption by payment or otherwise? It is important to me.


Edited by hamluis, 30 September 2015 - 07:37 AM.
Moved from Win 7 to Gen Security - Hamluis.


#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,601 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:51 AM

Posted 30 September 2015 - 09:07 AM

I suspect that these are unrelated. I too received a similar call. I politely told them that I build and repair computers and suggested they quit pulling this scam... and then hung up.

 

If you believe that you are infected with CryptoLocker you may want to read this article here at Bleeping Computer.

 

I would suggest that you open a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

 
Before posting your topic you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
The members of the Malware Response Team who respond to these topics are constantly inundated due to the high volume of requests for help in this forum. For this reason it may take a couple of days before a Team member may be able to get to your topic.
 
Do not add anything or bump your topic once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed, if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic. If it is determined that there is a software or hardware problem after cleaning the infection you can contact a Moderator to have this topic reopened.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:51 AM

Posted 01 October 2015 - 04:22 AM

Unsolicited phone calls (aka Tech Support Scamming) from "so-called Support Techs" advising that your computer is infected with malware have become an increasingly common and prolific scam tactic over the past several years. In the majority of these cases the caller lies by claiming to be an employee affiliated with Microsoft or Windows Support. However, there have been reports of callers claiming to be affiliated with major computer manufacturers such as Hewlett Packard, Lenovo and Dell or familiar security vendors like Symantec and McAfee. Typically, the scammers attempt to trick their victims into believing that their computer is infected, often by having them look at a Windows log that shows dozens of harmless or low-level error entries. The scammer instructs their victim to type "eventvwr" in the RUN box to open Windows Event Viewer and then scares them by pointing out all the warnings and error messages listed under the various Event Viewer categories. In other cases the caller pretends to provide free security checks or directs the download and use of a bogus registry cleaner which purports to find thousands of problems.

The scammer then attempts to talk (scare) their victims into giving them remote access to the computer in order to fix it and/or remove malware. If the victim agrees, the support usually costs hundreds of dollars and often leaves the victim's computer unchanged or intentionally infected with malware/ransomware. More nefarious scammers will install a backdoor Trojan or Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

Not answering any questions and hanging up the telephone is the best way to deal with phone scammers... then report them to the appropriate authorities.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:51 AM

Posted 01 October 2015 - 04:25 AM

The original CryptoLocker Ransomware infection does not exist anymore and hasn't for over a year. Any references to CryptoLocker and retrieving keys for it will not work anymore. There are several copycat and fake ransomware variants which use the CryptoLocker name but those infections are not the same.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_<user name>.txt, DecryptAllFiles_******.txt file (where * is 6-7 random characters)
RECOVERY_FILES.html, RECOVERY_FILES.txt, Recovery_File_*****.html, Recovery_File_*****.txt
restore_files_*****.html, restore_files_*****.txt (where ***** are random characters)

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.
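The identification steps in the post above (look for appended extensions, look for ransom-note files in the Documents folder and C:\ProgramData, watch for 6-7 character random extensions) can be automated for a first triage pass. The script below is an added example written for this page; it is not IDTool, not code from the forum or from BleepingComputer, and it only collects the indicators the post lists. The extension and note-name lists are copied from the post; the small allowlist of legitimate long extensions and the sample directory tree are constructed here for demonstration and are assumptions, not findings from any real incident.

```python
"""Offline ransomware triage: report suspect extensions and ransom notes in a tree.

Added example for this thread; not IDTool and not forum code. Run on a copy or a
read-only mount of the affected volume, never on a live production share.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the post names as commonly appended by ransomware of that era.
KNOWN_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc",
    ".ctbl", ".ctb2", ".xtbl", ".encrypted", ".vault", ".ha3", ".toxcrypt",
}

# Ransom-note file names from the post; '*' runs become [A-Za-z0-9]+ (case-insensitive).
NOTE_PATTERNS = [
    r"HELP_DECRYPT\.(TXT|HTML|URL|PNG)",
    r"HELP_TO_DECRYPT_YOUR_FILES\.(bmp|txt)",
    r"HELP_RESTORE_FILES\.txt",
    r"HELP_TO_SAVE_FILES\.(txt|bmp)",
    r"RECOVERY_KEY\.txt",
    r"DecryptAllFiles(_[^.]+)?\.txt",
    r"DECRYPT_INSTRUCTION\.(TXT|HTML|URL)",
    r"HOW_TO_DECRYPT_FILES\.txt",
    r"How_To_Recover_Files\.txt",
    r"About_Files",
    r"encryptor_raas_readme_liesmich\.txt",
    r"RECOVERY_FILES\.(html|txt)",
    r"Recovery_File_[A-Za-z0-9]+\.(html|txt)",
    r"restore_files_[A-Za-z0-9]+\.(html|txt)",
]
NOTE_RE = re.compile("^(?:" + "|".join(NOTE_PATTERNS) + ")$", re.IGNORECASE)

# "6-7 length extension consisting of random characters" (from the post).
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{6,7}$", re.IGNORECASE)
# Assumed allowlist: legitimate extensions that happen to be 6-7 characters long.
COMMON_LONG_EXTENSIONS = {".torrent", ".sqlite", ".config"}


def classify(path):
    """Return ('note', name), ('known_ext', ext), ('random_ext', ext) or None."""
    p = Path(path)
    if NOTE_RE.match(p.name):
        return ("note", p.name)
    ext = p.suffix.lower()
    if ext in KNOWN_EXTENSIONS:
        return ("known_ext", ext)
    if RANDOM_EXT_RE.match(ext) and ext not in COMMON_LONG_EXTENSIONS:
        return ("random_ext", ext)
    return None


def triage(root):
    """Walk `root` read-only and tally indicators; returns a plain dict report."""
    root = Path(root)
    report = {"files_scanned": 0, "notes": [], "extensions": Counter(),
              "random_extensions": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            report["files_scanned"] += 1
            hit = classify(p)
            if hit is None:
                continue
            kind, value = hit
            if kind == "note":
                report["notes"].append(str(p.relative_to(root)))
            elif kind == "known_ext":
                report["extensions"][value] += 1
            else:
                report["random_extensions"][value] += 1
    report["notes"].sort()
    return report


def build_sample_tree(base):
    """Constructed sample tree (not real victim data) mirroring the post's locations."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"
    programdata = base / "ProgramData"
    docs.mkdir(parents=True)
    programdata.mkdir(parents=True)
    for name in ("budget.xlsx.ecc", "letter.docx.ecc", "photo.jpg.ecc",
                 "notes.txt", "archive.torrent"):
        (docs / name).write_text("constructed sample content\n")
    (docs / "HELP_DECRYPT.TXT").write_text("constructed ransom note text\n")
    (docs / "HELP_DECRYPT.PNG").write_bytes(b"\x89PNG constructed placeholder")
    (programdata / "restore_files_k3x9qz.html").write_text("<html>constructed</html>\n")
    (base / "report.q7zkd2a").write_text("random-extension sample\n")  # 7 random chars
    return base


def demo():
    """Build the constructed tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    r = demo()
    print(f"files scanned: {r['files_scanned']}")
    print("known extensions:", dict(r["extensions"]))
    print("random-looking extensions:", dict(r["random_extensions"]))
    print("ransom notes:", r["notes"])
```

A hit on a known extension or note name narrows the family enough to pick the right discussion topic; a random-looking extension with no recognisable note is the case where uploading a sample note and an encrypted file to an identification service is the next step. The allowlist exists because a 6-7 character extension alone is a weak signal; extend it for whatever legitimate file types live on the share before trusting the `random_extensions` tally.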
