Locky infection??



#1 RichardUrban

Posted 06 April 2016 - 12:35 PM

I ran CCleaner registry cleaner and the following 2 entries were displayed.

 

Obsolete software key 2A29103eiF1HFbd HKCU\Software\2A29103eiF1HFbd
Obsolete software key Locky HKCU\Software\Locky

 

I cleaned out the entries and rebooted. A few hours later I ran the registry cleaner again. The same two entries again showed up.

 

None of my files have been encrypted (yet).

 

Am I infected?  What are my next steps?





#2 quietman7

Posted 07 April 2016 - 05:32 AM

If you discover that your computer is infected with ransomware you should immediately shutdown the computer and if possible create a copy or image of your hard drive. Doing that allows you to save the complete state of your hard drive in the event that a free decryption solution is developed in the future. If you do not plan on paying the ransom and can restore from a backup, then scan your computer with an anti-virus or anti-malware program and let it remove everything. Crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware.
 
If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes Anti-Malware and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Locky will store various information in the registry under the following keys:
HKCU\Software\Locky\id - The unique ID assigned to the victim.
HKCU\Software\Locky\pubkey - The RSA public key.
HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer

Locky related Files
%UserProfile%\Desktop\_Locky_recover_instructions.bmp
%UserProfile%\Desktop\_Locky_recover_instructions.txt
%Temp%\[random].exe

Locky related Registry entries
HKCU\Software\Locky
HKCU\Software\Locky\id
HKCU\Software\Locky\pubkey
HKCU\Software\Locky\paytext
HKCU\Software\Locky\completed 1
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"

Locky Ransomware Encrypts Local Files and Unmapped Network Shares

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in the above support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
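A read-only check for the Locky registry values, ransom-note files and wallpaper setting listed in the reply above, added here as an example and not part of the thread or of any BleepingComputer tool. It assumes a Windows PowerShell session running as the affected user, since every artifact lives under that user's HKCU hive and desktop; it reports what it finds and deletes nothing, so the state is preserved for the malware response team.

```powershell
# Added example (not from the thread): report-only check for the Locky
# artifacts quietman7 lists. Nothing is modified or removed.
$lockyKey   = 'HKCU:\Software\Locky'
$valueNames = 'id', 'pubkey', 'paytext', 'completed'
$desktop    = Join-Path $env:USERPROFILE 'Desktop'
$noteFiles  = '_Locky_recover_instructions.bmp', '_Locky_recover_instructions.txt' |
              ForEach-Object { Join-Path $desktop $_ }

$findings = @()

if (Test-Path $lockyKey) {
    $findings += "Registry key present: $lockyKey"
    $props = Get-ItemProperty -Path $lockyKey
    foreach ($name in $valueNames) {
        if ($null -ne $props.$name) {
            # paytext holds the full ransom note; do not echo it to the console
            $shown = if ($name -eq 'paytext') { '<ransom note text>' } else { $props.$name }
            $findings += "  value '$name' = $shown"
        }
    }
    # completed = 1 means the encryption run finished (per the list above);
    # a key without it, as in the opening post, suggests it never completed
    if ($props.completed -eq 1) { $findings += '  encryption marked as completed' }
}

foreach ($f in $noteFiles) {
    if (Test-Path $f) { $findings += "Ransom note on disk: $f" }
}

# Locky also points the desktop wallpaper at its .bmp ransom note
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
              -ErrorAction SilentlyContinue).Wallpaper
if ($wallpaper -like '*_Locky_recover_instructions.bmp') {
    $findings += "Wallpaper points at ransom note: $wallpaper"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Locky registry or file indicators found for this user profile.'
} else {
    Write-Output 'Locky indicators found (preserve the system; do not run a registry cleaner):'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it before any cleaner touches the keys, because once the key and its values are gone the response team loses the id, pubkey and completion state that help identify the variant.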