Windows 10 Pro - files encrypted by: wxdsys.exe & kovter

  • This topic is locked
4 replies to this topic

#1 MickyMouse


  • Members
  • 2 posts
  • Gender:Female
  • Location:Bucharest
  • Local time:02:04 PM

Posted 24 June 2017 - 04:44 AM

Hi everyone!

I'm new here and this is my first post, so bear with me; I will provide as much info as I can (and know) following your guidelines.


My operating system is Windows 10 Pro. We re-installed it maybe 2-3 months ago; unfortunately my boyfriend didn't install an antivirus program that we usually use (for the life of me I don't know why he was counting on the one that Windows has... but anyway...).


Short note: my boyfriend is a photographer, and we have a really large amount of files on our HDDs - the encryption managed to block more than 160 000 files (at least 1,5 TB of data). Most of the work was handed over to clients, for other work we have backups, BUT we don't have a backup for his latest event, and also around 300-400 photos from 2 other events - for these we will try to retrieve the data from the SD cards... and hope for the best.


Wednesday (21.06) I gave a friend control of my computer via TeamViewer to help me install some presets in Lightroom. When I opened Lightroom, there was a message on the photos: there was an error working with the photo... Long story short, we tried to check the JPGs and reimport them and discovered that none of them were working (after panicking because all the files were being encrypted - raw, nef, jpg, pdf, etc.). When running a scan on the computer, the first thing that popped up was this executable: wxdsys.exe, found in C/User/AppData/Roaming. While scanning with Kaspersky and SpyHunter we also found:


With Kaspersky: trojan win32/dynamer!ac, first entering our system on 07.06; trojan:win32/miuref/rfn, entering 09/10/11/12/13/14.06; and trojan win32/dynamer!rfn, entering 22.06


With SpyHunter: Malware generic, Trojan.kovter, unknown rootkit, searcs.newtabvsearch.com


We stopped the encryption so we still have files that work; for the rest (depending on the extension) we get a different message that says the file can't be read - all the files keep the same extension and size that they had before the encryption, and nothing obvious seems to be changed on them.

We pulled out all of the HDDs we have, fortunately not everything was encrypted, but the most important HDD is encrypted :(


There was no request for payment nor any message displayed on the screen; the only thing I found by googling what I perceive as being the root cause (wxdsys.exe) is this link: http://www.forospyware.com/t531285.html (it is mostly in Spanish). As I was in such distress and panic over the photos of the events I haven't yet finished editing, I sent an e-mail to the email addresses provided on the link above. Here are the emails:


Cat01 <cat01@protonmail.com>  Jun 23 at 2:14 PM
Download decryptor sendspace.com / file / ifpvhr (remove spaces). Archive password: chubaka
Run decryptor, in title of window must be bitcoin address
Send it to me
Sent with ProtonMail Secure Email.
-------- Original Message --------
Subject: Re: Please advise! Filed encrypted
Local Time: June 23, 2017 9:59 AM
UTC Time: June 23, 2017 9:59 AM
From: me
To: Cat01 <cat01@protonmail.com>
I think it all started with this executable: wxdsys.exe running in the back (it is the first one I found) and all the rest proceeded after this one... I don't find any other message on my computer... and I didn't get any texts saying that my files are locked... where else should I look?
Thank you
On 22 Jun 2017, at 21:54, Mihaela M <me_myself_and_i2785@yahoo.com> wrote:
I don't find any of the things you mention below; I don't have a text on my desktop, nor anything in my user menu. All I found at a scan was the attached file.
I don't find anything else, just this trojan.
On 22 Jun 2017, at 14:37, Cat01 <cat01@protonmail.com> wrote:
On your desktop (and in root of local disks) should be one or more text files "You files are locked!".
This file contains bitcoin-address to pay and amount to pay.
Please search google about buying bitcoins - "how to buy bitcoins"
After you pay i send to You decryptor + You private key.
If you dont see this files:
Please send to me file located at: C:\Users\YouUserName\cl_data_#.bak
(where # is bitcoin-wallet specified for You, for example cl_data_171d9uXiEvm1kgkHLC6GviHNCbW2KFUEcb.bak)
And I tell You amount to pay.
Sent with ProtonMail Secure Email.
-------- Original Message --------
Subject: Please advise! Filed encrypted
Local Time: June 21, 2017 9:57 PM
UTC Time: June 21, 2017 9:57 PM
From: me
To: cat01@protonmail.com, cat01@t.pl
Please advise on this situation: I have files I need, encrypted by some spyware; how can I get them restored? As I understand, I have to pay a fee to get a key and get them back?
All i got was this link:
Waiting for your reply!
Thank you!
I did not find any of the files he mentions in the 1st mail, nor did I access the link he provided; I passed that to a friend to look into it - waiting to hear from him.


As it was in my best interest to resolve the issue I tried to be as polite as I could... because I still need to recover files. If my files are lost, in the end I don't care, if you are stupid like I was you have to pay... but I really need to recover the photos we have to hand over...


We tried running files via https://id-ransomware.malwarehunterteam.com/, no result, just this:


Please reference this case SHA1: ffd80087266afc7f500601cf69dc6b83c795595d - for an excel


Please reference this case SHA1: 8a0bafbe3405eaa5c74d2ca3fe7cf1322352aee3 - for a jpg


While running Kaspersky, a window blocking the following address was popping up: https://uromatalieslave.space/index.php (which can be traced to the Netherlands)


I still have the Kovter on my computer; I will follow the steps provided here to remove it.


I need to mention that while running the scans and everything, I saw somewhere among the malware being removed trojan pClock (something like that). After 3 days of reading about cryptolocker and everything malware, I know that if I do have pClock I stand little to no chance of recovering the files, as there is no decrypter for now.


We will keep all the encrypted files. As we have 2 HDDs running in RAID, both presumed to be encrypted, we will check them both this weekend.


ALSO, we talked to some of our friends that could help on the issue, and one of them managed to open an encrypted jpg with a program, but the photo was not in the original size and data; it had been reduced to a really tiny photo. At this point I can't say with what he managed to open the file; he runs macOS. I will ask him and provide the info if it's helpful.


I tried my best to provide as much info as I could/know; many of the steps above were taken by my boyfriend. If you have any advice that would help me decrypt the files or at least find what is encrypting them, it's much appreciated. If you need any more info please let me know and I will try to provide it.


Thank you in advance!









Please reference this case SHA1: 8a0bafbe3405eaa5c74d2ca3fe7cf1322352aee3
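Added example, not part of the original post: a read-only triage pass for the situation described above, where locked files keep their extension and size. It compares each file's first bytes with the signature its extension implies and reports the entropy of the first 4 KiB. It assumes the encryption overwrote the start of each file, which the thread does not confirm; the `MAGIC` table, function names and sample files are constructed for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for the file types named in the post (constructed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".nef": (b"II*\x00", b"MM\x00*"),  # NEF is TIFF-based
}

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(head, ext):
    """Compare a file's first bytes with the signature its extension implies."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return "unknown"
    return "ok" if head.startswith(sigs) else "header_mismatch"

def triage(root):
    """Walk root read-only; return {relative_path: (status, header_entropy)}."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            with p.open("rb") as fh:
                head = fh.read(4096)
            status = classify(head, p.suffix)
            report[str(p.relative_to(root))] = (status, round(entropy(head), 2))
    return report

def demo():
    """Constructed samples: an intact JPEG header and a same-size scrambled copy."""
    good = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 500
    scrambled = bytes((i * 197 + 13) % 256 for i in range(len(good)))
    samples = {"intact.jpg": good, "locked.jpg": scrambled, "notes.txt": b"constructed"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a copy or a read-only mount of the affected drive so the originals stay untouched; a `header_mismatch` list gives the set of files to restore from backups or SD cards.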


#2 McDano


  • Members
  • 8 posts

Posted 24 June 2017 - 07:48 AM

I have the same problem as you...also noticed wxdsys.exe and other things..I described it here 



Edited by McDano, 24 June 2017 - 07:49 AM.

#3 MickyMouse

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Female
  • Location:Bucharest
  • Local time:02:04 PM

Posted 24 June 2017 - 10:28 AM

I have the same problem as you...also noticed wxdsys.exe and other things..I described it here 



Thank you! 

#4 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:07:04 AM

Posted 24 June 2017 - 05:50 PM

Afraid it is PClock, cannot be decrypted. Restore from backups. You can try data recovery software such as Recuva and ShadowExplorer, but no guarantees. You should have better backups if you truly cared about your data tbh.

Edited by Demonslay335, 24 June 2017 - 05:53 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,921 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:04 AM

Posted 24 June 2017 - 06:01 PM

Since the infection has been confirmed, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
