I am just recovering from an Osiris (Locky?) infection contracted from an attachment to an email. The email purported to be from the US Postal Service regarding a lost package. The USPS actually had lost a package of mine lately, so this was not a surprise communication. Everything I tried came from a forum, so maybe something in my experience will help someone else. And I have some clean-up questions at the end that I hope somebody has some ideas for.
All my text files were encrypted and a text ransom note (“Osiris-xxxx.htm”) had been planted in each affected folder. No other file types appear to have been affected. All encrypted files and ransom notes had been "modified" during the same 15-20 minutes that I had tried to open the attachment.
When I tried to delete or isolate encrypted or Osiris files into folders, I was told that the action required “Permission” from myself.
When I searched my computer for “Osiris,” it returned 7,600-some files – all my encrypted text files plus a ransom note in each affected folder. From this Search Results list, I located the affected folders and made an effort to recover Shadow copies.
Following your instructions, I right-clicked the folder, went to Properties, and selected “Previous Versions.” Then I selected the most recent version, just a week or so ago, and copied the previous version to an external drive. “Restore” required “permission” from myself, but “Copy” worked. It worked on multiple layers of folders, but I am not sure how many.
Once my files were safe, I turned to the system. Norton (provided free by Comcast) found no threats. Spybot found only a handful of cookies. MBAM, downloaded from BC, would not work. "Unable to connect service." Not after Rkill. Not renamed with multiple aliases. Not with MBAM file names added to Norton's “Exceptions” list. Not with Norton turned completely off.
This was interesting: MBARW found (and removed?) Trojan.fileless.MTGen, identified as a Registry Value. But MBAM still would not work – kept telling me “Unable to connect Service.”
So I used System Restore to reset the system. The available set point with the date that matched my recovered files identified itself as being when “Backups of Service Pack removed.” I don't know anything about any recent Service Packs, backups, or the removal of such, so went further back and restored to the previous date, about a month earlier. Then installed all the Win Updates since then.
Ran MBAM successfully from the trial available at the MBAM site. No download required. No threats found.
Next I expect to copy my text files back into my hard drive.
But a new search of the HD for “Osiris” shows over a dozen Osiris files and their respective ransom notes (text files named “Osiris-xxxx.htm”). Attempting the previously successful method, not even copying allows me to access these without “permission.” Querying the individual files, no Previous Version exists.
These residual files were all “modified” (created?) in the ten minutes following the initial infection. They did not appear when I searched for Osiris files before (perhaps because they were not indexed yet?)
They are mostly in the C:\Program Data folder.
It seems that if they were part of my own encrypted text files, they would have been recovered with the rest of my text files.
And it seems that if they were part of the system files, they would have been eliminated or replaced during System Restore.
So can I safely delete them all?
Is there anything else I should do before moving my files back onto my HD?
Mozilla Thunderbird text settings have also been impacted, so I performed a manual update, but that did not help. Or maybe it caused some of these issues?
All dictionaries had been removed, so the spellchecker appeared but was blank until a dictionary was re-installed.
View/ Message Body had been changed from "Original html" to "Simple html," causing the "View Remote Content" bar to disappear. It came back when I changed View/ Message Body back to "Original html."
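For anyone doing the same kind of clean-up, here is an added read-only triage script (my own example, not from the original poster or from any vendor). It assumes the naming described in the post: ransom notes called OSIRIS-xxxx.htm and encrypted files with "osiris" in the name; it inventories the hits, shows how tightly their write times cluster, lists the most affected folders, and lists the shadow copies on the machine, since "Previous Versions" can only recover from a volume that still has one.

```powershell
# Added triage example, not part of the original post. Assumptions: ransom notes
# are named OSIRIS-*.htm and encrypted files contain "osiris" in their name.
# Everything here only reads metadata; nothing is deleted, opened or modified.
param(
    [string]$Root    = 'C:\',          # assumption: scan the whole system drive
    [string]$Pattern = '*osiris*'      # assumption: matches both notes and encrypted files
)

# 1. Inventory everything matching the pattern (hidden/system files included).
$hits = Get-ChildItem -Path $Root -Recurse -Force -File -Filter $Pattern `
            -ErrorAction SilentlyContinue

$notes     = @($hits | Where-Object { $_.Name -like 'OSIRIS-*.htm' })
$encrypted = @($hits | Where-Object { $_.Name -notlike 'OSIRIS-*.htm' })

"Ransom notes:    {0}" -f $notes.Count
"Encrypted files: {0}" -f $encrypted.Count

# 2. Ransomware writes cluster in a short window; files far outside it deserve a
#    second look before being treated as part of the same event.
if ($hits) {
    $sorted = $hits | Sort-Object LastWriteTime
    $first  = $sorted[0].LastWriteTime
    $last   = $sorted[-1].LastWriteTime
    "Write window:    {0:u} .. {1:u} ({2:N1} minutes)" -f `
        $first, $last, ($last - $first).TotalMinutes
}

# 3. Affected folders, most hits first, so recovery can be prioritised.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 4. Shadow copies present on the machine. A folder on a volume with no entry
#    here will show no "Previous Versions", as the poster saw for the leftovers.
Get-CimInstance Win32_ShadowCopy |
    Select-Object VolumeName, @{ n = 'Created'; e = { $_.InstallDate } } |
    Sort-Object Created | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the shadow-copy query needs administrator rights, and a full-drive scan can take several minutes.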