am I infected?


4 replies to this topic

#1 finky46

Posted 23 June 2016 - 06:35 AM

Mod Edit: moved to Ransomware from AII ~~ boopme

I recently tried "360 Total Security" and had a problem immediately. I couldn't download my security updates.
I deleted the software and everything was ok again, except it left a couple of items in the registry that I can't get rid of.

1. 91g3b62lyN7
2. locky               Google says this could be ransomware or a virus????

They're located in all HKEY Software sections.
I don't seem to have any issues, but am wondering why these items keep returning after deleting.

thanks John

forgot, I have Windows 7 OS

Edited by boopme, 23 June 2016 - 11:13 AM.




#2 quietman7 (Global Moderator)

Posted 23 June 2016 - 02:47 PM

Any files that are encrypted with Locky Ransomware will be renamed with random alphanumeric characters and have the .locky extension appended to the end of the encrypted data filename in the following format [unique_id][identifier].locky...(i.e. something like F67091F1D24A922B1A7FC27E19A9D9BC.locky). Locky Ransomware will leave a file (ransom note) named _Locky_recover_instructions.txt or _HELP_INSTRUCTIONS.txt.

Older Locky variants will store various information in the registry under the following keys:
  • HKCU\Software\Locky\id - The unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey - The RSA public key.
  • HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
  • HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.

The newest Locky variants do not create HKCU\Software\Locky registry entries anymore. If these keys are present, then either the system is infected with an older variant or some security/anti-ransomware software was installed and added the entries as a vaccine to prevent infection...the old Locky variant is not able to encrypt any files if these registry entries are present. According to several users commenting here, Bitdefender Crypto-Ransomware Vaccine will create the HKCU\Software\Locky\ entry. Other security products may create the same entries as protection against infection.

If your files are not encrypted and there are no ransom notes...I doubt your system is infected.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
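A read-only triage check for the indicators quietman7 lists above, written as an added example for this thread (it is not the moderator's, BleepingComputer's or any vendor's tool). It assumes the renamed-file pattern is 32 hex characters as in the example filename, and that the scan path and registry path are the defaults shown in the parameters; it only reads and reports, it changes nothing.

```powershell
# Added example (not from the thread): report the Locky indicators described above and
# apply the thread's reasoning: registry key without encrypted files/notes = likely vaccine.
function Test-LockyIndicators {
    param(
        [string]$ScanPath = $env:USERPROFILE,        # assumption: scan the user profile
        [string]$RegPath  = 'HKCU:\Software\Locky'   # key named in the thread
    )
    $result = [ordered]@{ RegistryValues = @(); EncryptedFiles = @(); RansomNotes = @(); Verdict = '' }

    # 1. Registry: the four values older variants write (and vaccines pre-create).
    if (Test-Path $RegPath) {
        $key = Get-Item $RegPath
        foreach ($name in 'id', 'pubkey', 'paytext', 'completed') {
            if ($key.GetValueNames() -contains $name) { $result.RegistryValues += $name }
        }
    }

    # 2. Files: renamed data files look like F67091F1D24A922B1A7FC27E19A9D9BC.locky
    #    (32 hex chars is an assumption based on that example); plus the two ransom-note names.
    $lockyName = '^[0-9A-F]{32}\.locky$'
    $notes     = '_Locky_recover_instructions.txt', '_HELP_INSTRUCTIONS.txt'
    Get-ChildItem -Path $ScanPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match $lockyName) { $result.EncryptedFiles += $_.FullName }
        if ($notes -contains $_.Name)  { $result.RansomNotes    += $_.FullName }
    }

    # 3. Verdict follows the moderator's reasoning in the post above.
    $hasKeys  = $result.RegistryValues.Count -gt 0
    $hasFiles = ($result.EncryptedFiles.Count -gt 0) -or ($result.RansomNotes.Count -gt 0)
    $result.Verdict = if ($hasKeys -and -not $hasFiles) {
        'Locky registry key present but no encrypted files or ransom notes: consistent with a vaccine entry (e.g. Bitdefender), not an active infection'
    } elseif ($hasKeys -and $hasFiles) {
        'Locky registry key plus encrypted files/ransom notes: consistent with an older Locky variant; collect FRST logs'
    } elseif ($hasFiles) {
        'Encrypted files/ransom notes without the registry key: consistent with a newer Locky variant; collect FRST logs'
    } else {
        'No Locky indicators found'
    }
    [pscustomobject]$result
}

Test-LockyIndicators | Format-List
```

Run it in a normal (non-elevated) PowerShell session so HKCU refers to the affected user's hive; pass -ScanPath to check another volume.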

#3 finky46 (Topic Starter)

Posted 25 June 2016 - 09:38 AM

I've run a number of online anti-viruses and none have detected anything, except Bitdefender keeps finding infected "temp" files since this issue started?

Other than that everything seems fine.

thanks John

#4 finky46 (Topic Starter)

Posted 25 June 2016 - 04:07 PM

after a bit of research and downloading Bitdefender anti-ransomware on my XP, I found the same locky file, and the other file is written slightly different.

"360 Total Security" uses Bitdefender Anti Virus as one of its database sources so it looks like these files belong to Bitdefender.

But I'm still wondering why Bitdefender is finding infected temp files, since I've deleted the 360 Total Security.

It doesn't seem to be an issue but a little unnerving.

John

#5 quietman7 (Global Moderator)

Posted 26 June 2016 - 03:55 PM

If you want a more comprehensive look at your system for possible malware by experts, then more advanced tools are needed to investigate. Many of the scanning tools we use in this forum are not capable of detecting (removing) all malware variants. Before that can be done you will need to create and post a FRST log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing that, please reply back in this thread with a link to the new topic.