So I decided to be a good tenant and help my landlord with his computer and fix his router (i.e. get it to broadcast Wi-Fi). After getting Wi-Fi running I noticed the computer was not up to date and had three expired antivirus products on it. I ran Windows Update and deleted the expired bloatware HP gives you, the trial of Norton's, and Kaspersky. Ran Windows Defender and set up the firewall, and also set up Advanced System Care, Advanced Defrag, and IObit's uninstaller tool. I called it a night and was going to come down and have him buy antivirus. I came down today and my laptop, about 3 hours prior, got an attempted hit and Avira blocked it. He complained about his store manager saying I was encrypting files and I about shat a brick.
Saw the typical paytordmbdekmizq.tor4pay BS and got it in safe mode and installed avast and mbam. Avast won’t run. Mbam found some stuff. I have the attached logs.
Moar logs. AswMBR is taking forever to finish logging. Files that are encrypted include QuickBooks Pro 2008 files and Office files. Also attached the ransom message.
Saw another topic with the same virus and aswMBR not completing a scan. Attaching the unfinished log and running IDTool by Nathan. Still running aswMBR.
Threats, actually. Umm, Poweliks, C, and a restriction set on Kaspersky.
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files <====== ATTENTION
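The two "Group Policy restriction on software" lines are Software Restriction Policy (SRP) path rules, which Windows stores under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>` (the path itself is in the `ItemData` value). A "Disallowed" rule aimed at an antivirus vendor's folder prevents that product from running. The following audit script is an added example, not part of the thread and not the log tool's own code; the list of vendor directory names it checks is an assumption, and it only reports rules, it does not remove them.

```powershell
# Added example (not from the thread): audit Software Restriction Policy path rules
# and flag "Disallowed" rules that point at security-product directories.

# Security-vendor directory names to look for (an assumption; extend as needed)
$VendorDirs = @('Symantec', 'Kaspersky', 'Avast', 'AVG', 'Avira', 'ESET',
                'McAfee', 'Malwarebytes', 'Webroot', 'Windows Defender')

# SRP security levels: the subkey name under CodeIdentifiers is the numeric level
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    $bases = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
               'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers')
    foreach ($base in $bases) {
        if (-not (Test-Path $base)) { continue }
        foreach ($levelKey in Get-ChildItem $base -ErrorAction SilentlyContinue) {
            # Only the numeric level subkeys hold rules
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level = [int]$levelKey.PSChildName
            $levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "$level" }
            $pathsKey = 'Registry::' + $levelKey.Name + '\Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey -ErrorAction SilentlyContinue) {
                # ItemData holds the restricted path (REG_EXPAND_SZ is expanded for us)
                $props = Get-ItemProperty -Path ('Registry::' + $rule.Name)
                New-Object PSObject -Property @{
                    Hive   = $base.Substring(0, 4)
                    Level  = $levelName
                    Path   = [string]$props.ItemData
                    RuleId = $rule.PSChildName
                }
            }
        }
    }
}

function Find-SuspiciousSrpRules {
    foreach ($rule in Get-SrpPathRules) {
        # A rule that blocks an antivirus folder is the pattern seen in the log above
        if ($rule.Level -ne 'Disallowed') { continue }
        $matched = @($VendorDirs | Where-Object { $rule.Path -like "*$_*" })
        if ($matched.Count -gt 0) {
            $rule | Add-Member -MemberType NoteProperty -Name MatchedVendor `
                               -Value ($matched -join ', ') -PassThru
        }
    }
}

# List every SRP path rule, then only the ones that block security tools
Get-SrpPathRules | Format-Table Hive, Level, Path -AutoSize
Find-SuspiciousSrpRules | Format-Table Hive, Path, MatchedVendor -AutoSize
```

Run it in an elevated PowerShell session. A legitimate environment rarely has Disallowed rules pointing at `Symantec` or `Kaspersky Lab Setup Files`; once a rule is confirmed to be malicious the fix is to delete its `<GUID>` key (the FRST fixlist posted later in the thread does this for you), after which the blocked product can be reinstalled.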
If the files are toast without paying… Should I have the guy pay the ransom? It's a business computer and has plenty of files needing recovery. I was reading the Reddit thread on this about 3 weeks ago but never thought I'd see this in person.
Never, ever pay the ransom. There isn't a guarantee it'll work. Remember, they are out to scam you. Who says they won't do it a second time?
The team might have a trick. Does your landlord have backups? If not, tell him to start backing his data up at least weekly. (If need be, buy an Ext. Hard Drive)
Edit: Can your landlord wait a few hours? The removal team almost all live somewhere in the EU, except one. So it may be a few hours until they can get online to assist you. In the meantime, if possible, take the connection out of his computer. He has Poweliks, which is probably calling home.
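The advice above (weekly backups to an external drive) is the one control that actually gets files back after this kind of encryption. Below is an added example of how such a weekly job can look; it is not from the thread or from any of the tools named in it. It assumes a Windows version that ships robocopy and PowerShell 3 or later, and the source folders, drive letter and script path are placeholders to adjust.

```powershell
# Added example (not from the thread): weekly, dated copy of business data to an
# external drive, keeping the last few sets so a bad week does not overwrite a good one.
# Source folders, backup drive and retention count are assumptions; adjust to the machine.
param(
    [string[]]$Sources    = @('C:\Users\Public\Documents\QuickBooks', 'C:\Users\Owner\Documents'),
    [string]  $BackupRoot = 'E:\Backups',
    [int]     $Keep       = 8    # dated sets to retain (about two months of weekly runs)
)

# Refuse to run if the external drive is not plugged in, rather than writing to C:
if (-not (Test-Path $BackupRoot)) {
    throw "Backup drive not present at $BackupRoot; plug in the external disk first."
}

$stamp = Get-Date -Format 'yyyy-MM-dd'
$dest  = Join-Path $BackupRoot $stamp
$log   = Join-Path $BackupRoot "backup-$stamp.log"

foreach ($src in $Sources) {
    if (-not (Test-Path $src)) { Write-Warning "Skipping missing source $src"; continue }
    $target = Join-Path $dest (Split-Path $src -Leaf)
    # /E      copy subfolders, including empty ones
    # /COPY:DAT copy data, attributes and timestamps (no ACLs needed on a backup disk)
    # /R:2 /W:5 give up quickly on locked files (close QuickBooks before the run)
    # /XJ     skip junction points so we do not loop
    # /NP     no per-file progress in the log
    & robocopy.exe $src $target /E /COPY:DAT /R:2 /W:5 /XJ /NP "/LOG+:$log" | Out-Null
    # robocopy exit codes of 8 and above mean at least one file failed to copy
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures for $src (exit $LASTEXITCODE); check $log"
    }
}

# Prune: keep only the newest $Keep dated folders
Get-ChildItem $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force

# To run it every Sunday at 02:00 (once, from an elevated prompt), assuming the script
# is saved as C:\Scripts\Weekly-Backup.ps1:
#   schtasks /Create /SC WEEKLY /D SUN /ST 02:00 /TN "WeeklyBackup" ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Weekly-Backup.ps1"
```

The dated folders are the point: a single mirrored copy would faithfully mirror the encrypted files on the next run. Unplug the drive between runs, or rotate two drives, since a disk that stays mounted is just another drive letter for the malware to encrypt.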
I agree about not paying the ransom, just figured I'd ask so I have an adequate answer for the guy. I'll disconnect the cable after I post this. Do I need to worry about a secondary attack on my laptop or Android device on the shared Wi-Fi? And he has a couple of backups on USB drives for payroll and stock, nothing automated nor in-depth.
Should I install either of those or Combofix or wait until the recovery team is awake?
Finished log. And yes, he has time to wait, but it's important that I can rectify it or at least show where we're heading in terms of fixing it. I bet his store manager clicked an executable and ran it like a mouthbreather.
On the bright side of life I was told to grab a case of beer when I finish up tonight fixed or not fixed.
Hashtag:brofist
On the downside I cancelled a date and it’s snowing and my motorcycle is uncovered. SMH.
Umm. CF is a def no. Those can wait. The CryptoBit program might be able to take a shot at decrypting. Although, as I understand, they've switched to a server-held key. Which is very bad.
CP, won’t do anything currently. It only blocks changes to the Roaming folder I think.
Risk of infection through Wi-Fi: won't happen. I haven't seen it happen, unless he has a worm. Not an expert. So I'd just wait it out.
Hi there. Well, he appears to have just about everything; the files are toast, I am afraid, unless he has a backup.
Download the attached fixlist.txt to the same location as FRST.
Start FRST and press Fix.
On completion, reboot.
A log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
So someone decided to overrule me and took it to Geek Squad at Best Buy. I'm sure they are gonna fuck it up and we will be back to fixing it soon enough. I'll post as soon as that happens, as I have zero faith in Geek Squad.
They think Geek Squad will be able to decrypt those files? Unless they decide to pay the ransom, I very much doubt they will. Thanks for the information!
When they are done, let us know and I will re-PM Essex to continue this thread
Edit: Don’t know if you got the fixlist running. If not… When GeekSquad is done, see if you can locate any of the decryption files.
It’ll read something like this.
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
Welp I’m back. The computer is supposedly cleaned and the eternal stupidity that is geek squad removed all of the programs I used for logging and also deleted MBam and Avast and now I’m stuck with webroot secure anywhere. I’m going to re-log everything because imagine that… They still have this crytolocker on here and they said the computer didn’t have any viruses when it came in. :facepalm:
Logs. I’ll be running Mbam shortly. Those fuckers deleted iobit, all of my previous logs and all my logging tools.
Best part of this… They copied all the files on the hard drive and put them on his new computer, which he bought for business use only, with the intention of him alone having access, to avoid the issue. I will be starting a new topic and data logging that one just in case. :facepalm:
Should I disable Webroot or MBAM when I apply fixes? Also, I don't have Avast downloaded since my landlord had to pay for the Webroot and it's a year's subscription. Any idea on the effectiveness of it?