Another Ransomware victim: please help


This topic is locked
5 replies to this topic

#1 Computernoob31

Posted 18 October 2016 - 03:10 PM

Hi everyone,

I got hit on Oct 17th and need help. They were sneaky enough to send a FedEx email saying a package didn't get delivered. When I opened the .rar file marked (shipping label), that's when it got installed.

My McAfee detected it as Trojan-powelike!nk

Searching I found this

http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan

I messed up, I didn't let the (roadkill) red kill finish and installed the ESET removal tool in safe mode. I thought everything was fixed.

I've been working on this project for almost 8 hours now, installing every antivirus, using every ESET removal tool, Malwarebytes, and nothing works.

The minute I go into normal computer mode, a txt file pops up telling me to pay and that everything will get deleted in 3 days.

My defender keeps finding files and I keep deleting them.

Running all the cleaning tools from ESET, they can't find anything on my computer.

Where are the files hiding????

I've also made things worse because I installed the bloodwise decryptor with the master password, and it selected all my files and I clicked the button to unlock everything.

Looks like my .jpeg files have turned into txt files.

I've looked into those programs from Kaspersky, but I don't know what stupid program they used to lock up my pictures.

I can't do a system restore because it disabled it. I'm just very scared, as I don't know if they can really delete all my files. If I really pay, does anything work?

I just really need help as I'm completely lost.

Thank you


Edited by Computernoob31, 18 October 2016 - 04:51 PM.




#2 Demonslay335

    Ransomware Hunter
  • Security Colleague
  • 3,492 posts

Posted 18 October 2016 - 03:14 PM

The first step is to identify what ransomware it is. You may upload a ransom note and encrypted file to the service in my signature (ID Ransomware). It will guide you to the information you need.

 

The ransom note popping up is not necessarily the malware. Usually, the ransomware will delete itself when the dirty work is done, and the ransom note is just set to open on startup as a simple text file.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Computernoob31
  • Topic Starter

Posted 18 October 2016 - 04:14 PM

The first step is to identify what ransomware it is. You may upload a ransom note and encrypted file to the service in my signature (ID Ransomware). It will guide you to the information you need.

 

The ransom note popping up is not necessarily the malware. Usually, the ransomware will delete itself when the dirty work is done, and the ransom note is just set to open on startup as a simple text file.

 

Hi,

 

Thank you for the advice. I don't know how to even find the note. I did upload an image from your site and got this:

 

Nemucod

 

I downloaded and scanned my computer looking for Kovter and it found nothing. I plan on swapping the hard drive tonight, because I upgraded to this 1 TB drive about 4 months ago from a 750 GB drive, as I only have one computer.

 

Plus I would have the original pictures to help crack codes, but I think I already messed things up using that crystal program from the blood gang to unlock everything.

 

I'm hoping using a simple dock I can still run all the scans and maybe fix this mess.

 

Thanks again for your help. I won't be able to reply until the morning, when I have the old drive installed and a good internet connection.

 

I'm just very scared using this computer and of my files getting deleted, plus eBay and PayPal are all linked to this one laptop.


Edited by Computernoob31, 18 October 2016 - 04:15 PM.


#4 Computernoob31
  • Topic Starter

Posted 18 October 2016 - 04:44 PM

These are the programs running in safe mode:

[Three screenshots attached]



#5 Demonslay335

    Ransomware Hunter
  • Security Colleague
  • 3,492 posts

Posted 18 October 2016 - 05:28 PM

The bit about deleting files is a flat-out lie to scare you into paying them. Nemucod doesn't delete any files after any kind of timer or anything. If your system is clean of the Kovter trojan (I recommend Malwarebytes and HitmanPro to be sure), then you are probably fine. The ransomware runs its course and deletes itself.

 

You can check out the Nemucod support topic for more information.

 

http://www.bleepingcomputer.com/forums/t/608045/nemucod-ransomware-crypted-decrypttxt-support-help-topic/

 

You just need to get any file of which you have a clean copy from backup in order to decrypt the rest of your files using the Emsisoft decrypter. As Fabian says:

 

Even you will have at least one file where you can get the original version of the file. A picture you shared with your family. The default wallpapers shipped with your version of Windows. A file you downloaded from the internet that you can download again.

 

In the years I have been doing this, there hasn't been a single case where decryption failed because someone could not possibly find at least one file where they could somehow find the original file as well.

 

Alternatively, if you have the original fake FedEx email with the attachment, I can reverse a key from that and we can use another method.


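Post #5 rests on a known-plaintext idea: if a decryptor is handed one file both in its original and its encrypted form, it can derive the key and then unlock every other file encrypted with that same key. The following is an added example written for this thread, not code from the thread, from Emsisoft's decrypter, or from the Nemucod malware. It assumes a constructed toy scheme (the first 64 bytes of each file XORed with one short repeating key, the remainder left alone); the page does not describe Nemucod's actual cipher, so the toy only illustrates why one clean copy is enough. It goes one step beyond the post by also inferring the key length from the periodicity of the recovered keystream, and it refuses to proceed when the clean copy is too short to cover the encrypted region.

```python
"""Known-plaintext key recovery, illustrating the advice in post #5.

Added example. Not code from this thread, from Emsisoft's decrypter or
from the Nemucod malware. It ASSUMES a constructed toy scheme: the first
HEADER_LEN bytes of every file are XORed with one short repeating key and
the rest of the file is left untouched. The page does not describe the
real Nemucod cipher; the toy only shows why a single clean
original/encrypted pair lets a decryptor unlock the remaining files.
"""

HEADER_LEN = 64  # constructed parameter of the toy scheme


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in cipher: repeating-key XOR over the file header."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEADER_LEN]))
    return head + data[HEADER_LEN:]


def find_period(stream: bytes) -> int:
    """Smallest period p such that stream[i] == stream[i % p] for every i."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(original: bytes, encrypted: bytes) -> bytes:
    """Recover the repeating key from one known original/encrypted pair.

    For XOR, encrypted ^ original == keystream. The clean copy must cover
    the whole encrypted header, otherwise part of the key stays unknown.
    """
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copy differ in length; not the same file")
    if len(original) < HEADER_LEN:
        raise ValueError("clean copy too short to cover the encrypted header")
    keystream = bytes(e ^ o for o, e in zip(original[:HEADER_LEN], encrypted[:HEADER_LEN]))
    return keystream[: find_period(keystream)]


def decrypt_with_key(encrypted: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return toy_encrypt(encrypted, key)


def key_round_trips(original: bytes, encrypted: bytes, key: bytes) -> bool:
    """Check the recovered key on the known pair before touching other files."""
    return toy_encrypt(original, key) == encrypted


# Constructed sample data: a "family photo" the victim also shared with
# relatives (so a clean copy exists) and a second file with no backup.
KEY = bytes([0x5A, 0xC3, 0x19, 0x7E, 0x42, 0x88, 0x31])  # constructed 7-byte key
PHOTO_ORIGINAL = b"\xff\xd8\xff\xe0" + b"family photo pixels " * 8
WALLPAPER_ORIGINAL = b"\x89PNG\r\n\x1a\n" + b"default wallpaper " * 8
PHOTO_ENCRYPTED = toy_encrypt(PHOTO_ORIGINAL, KEY)
WALLPAPER_ENCRYPTED = toy_encrypt(WALLPAPER_ORIGINAL, KEY)


def recover_everything() -> dict:
    """Use the one known pair to recover the key, then decrypt the other file."""
    key = recover_key(PHOTO_ORIGINAL, PHOTO_ENCRYPTED)
    if not key_round_trips(PHOTO_ORIGINAL, PHOTO_ENCRYPTED, key):
        raise RuntimeError("recovered key does not reproduce the known pair")
    return {
        "key": key,
        "wallpaper": decrypt_with_key(WALLPAPER_ENCRYPTED, key),
    }


if __name__ == "__main__":
    result = recover_everything()
    print("recovered key:", result["key"].hex())
    print("wallpaper restored:", result["wallpaper"] == WALLPAPER_ORIGINAL)
```

The round-trip check before decrypting anything else is the part worth copying into any real recovery workflow: a key that does not reproduce the one pair you can verify should never be applied to files you cannot.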


#6 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 51,399 posts

Posted 18 October 2016 - 05:54 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



