
Slow computer and ransomware


  • This topic is locked
5 replies to this topic

#1 santare

  • Members
  • 225 posts

Posted 16 April 2016 - 05:22 AM

I was hit by Locky ransomware and my computer got slower than usual, perhaps because of it. I tried to recover my files using Shadow Explorer, but C: drive was empty, while D: wasn't. It didn't encrypt pdf files, just txt files and jpgs. The other stuff is intact as of now.

There were two processes in task manager 326 I had to shut down. I found Locky in registry, but not anywhere else. I've since got mbawr.

I'd like to know why my computer is slower, since it wasn't days ago. About a week ago, I could access C: drive on Shadow Explorer as well as D:, but now I can only access D:.

I'd like to know something: when I had CryptoWall, two times, it never encrypted FRST file, however Locky did.





#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,732 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 19 April 2016 - 07:42 AM

santare:
 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall.  If you would permit me to address you by your first name, I would prefer to do that since we will be working together.
 
I will be assisting you with your computer issues.  I am very sorry to hear that you have been a victim of Locky ransomware.
 
All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Team member or instructor.  This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I am not sure that I understand your comment about FRST logs.
 
"I'd like to know something, when I had cryptowall, two times, it never encrypted FRST file, however locky did."
 
Are you saying that when you ran the FRST scan, the logs were immediately encrypted by the Locky ransomware?  Can you run the FRST scans (FRST, plus "Addition.txt") from Safe Mode?  If so, please copy and paste the FRST.txt and Addition.txt files into your next reply, providing that they are not encrypted.
 
Please do not run Combofix or any other malware removal tools, except as directed.  That could make your bad situation even worse.
 
Awaiting your response so that I can consult with an instructor about the best way to proceed.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 santare


Posted 19 April 2016 - 07:56 AM

The log that was locked was performed a while ago, so the old log was saved to the desktop, not the current one.

No, it locked an old log which was saved to the desktop.  I can still run FRST.



#4 garioch7


Posted 20 April 2016 - 11:36 AM

santare:

 

Thank you for your post.  That is great news that you are able to boot normally, from what you are saying, and that it was an old FRST log that was encrypted.

 

Please boot your computer normally.  Please follow the instructions here to submit a FRST.txt log and the associated "Addition.txt" log.

 

You should know that currently there is no known way, except paying the ransom, to decrypt files encrypted by the Locky ransomware.  However, it is important that you make a full backup of your disk as soon as possible, so that in the future, should information be discovered that would enable Locky file decryption, you will have copies of all of your encrypted files.

 

Awaiting the two FRST scan logs.  Have a great day.

 

Regards,

-Phil




#5 garioch7


Posted 23 April 2016 - 11:33 AM

santare:

 

Three day bump.  Do you still require assistance?

 

If you don't respond in the next 48 hours, a moderator will close this thread.

 

Have a great day.

 

Regards,

-Phil




#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,205 posts
  • Gender:Female
  • Location:Romania

Posted 25 April 2016 - 12:32 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft




