Last evening I noticed that some zipfiles I was about to extract info from were tagged with an extra extension “.crypt”. I am running version 7.0.1426 w/ definitions version 120327-1. All shields, firewall and auto updates are on and the system is supposedly “Secure”.
Had I not gone to unzip one of those files, I probably would not have noticed anything was amiss. The system runs fine. What are my options since Avast failed to alert me or stop the virus altogether?
Just discovered a readme, left behind by the intruders, in part it reads: Your files was blocked because of copyright violation, you can’t access your files. Please visit sopacrystal dot com for more information and follow step by step instructions. It then has a four line key code below it. Needless to say, I’m not going to go to the suggested website.
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners
when you have the result, copy the URL in the address bar and post it here for us to see (if scanned before, click rescan)
This is ransomware, and a new kid on the block. From the site it downloads HTML malware, like “Get Data Decryptor”, and then serves up an `<img src="/sopa dot png">`. BrightCloud files it as index yellow 40: “Suspicious. There is a higher than average probability that the user will be exposed to malicious links or payloads.”
You have some options open. There is a specific Windows Unlocker utility from Kaspersky to come to the rescue for victims of this banner ransom malware, but I will advise you to perform the unlocking under guidance of one of our qualified removal experts. Maybe you had a lucky escape…
Thanks Polonius,
A final question: will I be able to recover all the infected files that were renamed? If not, then it will most likely be more advantageous for me to simply wipe everything clean and start all over again. My computer is about 90% Flight Simulator. I have 2 large HDDs and both are chock full of payware licenses, product installers, key codes, custom designed aircraft and scenery files, not to mention the Simulator itself and all the irreplaceable items contained inside. As it stands right now, the Sim does not function anymore because of the encryption of files needed to launch the programs. Unless I can get everything back as it was. . .I will have to reinstall everything anyway, so I might as well do a reformat and clean reinstall of everything that took me 4 years to accumulate.
The best option you have is to use Kaspersky's Windows Unlocker from a pendrive, but this is only to disinfect the registry files. You could do that in combination with a rescue disk. But I would go for the option to do it under the guidance of one of our malware removal experts. I will ask essexboy to look into your issue and advise you. He will appear here in the evening; follow up his instructions meticulously, because during the process manual assistance is required from a qualified removal expert.
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
[b]netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
C:\commands.txt echo list vol /raw /hide /c
/wait
C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT[/b]
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs
Ok Essexboy. . . .here’s the OTL.txt log and Extra log.
Also, speaking to your question if I had any files encrypted. . .the answer is definitely yes. That’s why I came here. Thus far, the ones that stand out the most are the following. . .files with the following extensions:
zip, rtf, doc, txt, xml. One other that you may or may not be familiar with is a file that ends with “key”. These are unlock keys for Flight Simulator Payware Addons. Those were also tagged with the “crypt” extension. There don’t appear to be any exe or dll files encrypted at this point.
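Before reaching for a decryptor, it is worth checking whether files carrying the extra ".crypt" suffix were actually encrypted or only renamed. The script below is an added example written for this thread, not a tool from the forum or from Kaspersky: it walks a directory, groups every "*.crypt" file by the extension it had before the suffix was appended (zip, rtf, doc, txt, xml, key and so on), and reports for each file whether its original format header is still intact, whether the first 4 KiB looks like ciphertext (near-maximal byte entropy), or whether it is low-entropy data that was probably just renamed. The entropy cut-off of 7.0 bits per byte, the small magic-byte table and the sample files written to a temporary directory are assumptions chosen for illustration.

```python
"""Triage helper for files renamed with a ".crypt" suffix.

Added example, not from the thread. Walks a directory, groups every
"*.crypt" file by the extension it carried before the suffix, and tests
whether each file is really encrypted or merely renamed, using two
signals: a magic-byte check for formats with a known header and the
Shannon entropy of the first 4 KiB. Ciphertext is close to 8 bits/byte;
plain text, RTF and XML sit far below that. The 7.0 threshold and the
sample tree are assumptions for illustration.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

SUFFIX = ".crypt"
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; real ciphertext is typically > 7.9
SAMPLE_BYTES = 4096

# Known leading bytes for some of the formats named in the thread.
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".rtf": b"{\\rtf",
    ".xml": b"<?xml",
    ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound document (legacy Word)
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_extension(path: Path) -> str:
    """'.zip' for 'archive.zip.crypt'; '' when nothing precedes the suffix."""
    stem = path.name[: -len(SUFFIX)]
    return Path(stem).suffix.lower()


def classify(path: Path) -> str:
    """'header-intact' if the original format's magic bytes survive,
    'high-entropy' if the head looks like ciphertext, else 'low-entropy'."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic = MAGIC.get(original_extension(path))
    if magic and head.startswith(magic):
        return "header-intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "low-entropy"


def inventory(root: Path) -> dict:
    """Map original extension -> {verdict: count} for every *.crypt file under root."""
    report = defaultdict(Counter)
    for p in root.rglob("*" + SUFFIX):
        if p.is_file():
            report[original_extension(p)][classify(p)] += 1
    return {ext: dict(counts) for ext, counts in report.items()}


def build_sample_tree() -> Path:
    """Constructed sample data: two renamed-only files, two ciphertext-like files."""
    root = Path(tempfile.mkdtemp(prefix="crypt_triage_"))
    # Intact ZIP header: the archive was only renamed.
    (root / "scenery.zip.crypt").write_bytes(b"PK\x03\x04" + b"\x00" * 100)
    # Plain text with no magic bytes, renamed but clearly not encrypted.
    (root / "notes.txt.crypt").write_bytes(b"cleared for takeoff runway 27\n" * 20)
    # os.urandom stands in for the output of a real file encryptor.
    (root / "license.key.crypt").write_bytes(os.urandom(4096))
    (root / "readme.rtf.crypt").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for ext, verdicts in sorted(inventory(build_sample_tree()).items()):
        print(f"{ext or '(none)':8} {verdicts}")
```

Point it at a real tree with `inventory(Path("D:/"))`. A high count of "header-intact" verdicts means the files can be recovered by simply stripping the suffix; "high-entropy" files need the decryptor or a backup, and that split is what decides between a cleanup and the full reformat discussed later in the thread.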
Press the scan button
You will then be asked for the location of one of the encrypted files
Locate it and Kas should then continue
I have never had recourse to use this in anger before so I am not sure if it will produce a log
If it does could you attach that please
The malware has also inserted some proxies in your system, but I will remove them dependent on the Kas result
Thanks! It’s running right now. The directions mention that a log will be generated in the root directory, so it appears I will have something to post. I don’t know how the scanner actually works. . . .it’s been running now for around 25 minutes and has looked at a ton of files with the crypt extension, however it hasn’t “Processed, Found or Decrypted” anything at this point. I’m hoping that what it’s doing is reading everything, then it’ll go back and start actually processing and decrypting the files. If not, then it isn’t working, lol. I have to leave right now and won’t be back for several hours. I don’t have any screensavers that will run or anything else that should interrupt the scan process, so I’ll see what the results are when I return. Thanks for the assistance!!
My Ransom note doesn’t read like that, but the files it encrypts are the same. . .add to that the “zip” files. If what I read is what I have to look forward to, then I’ll be reformatting this baby very soon. The program that “essexboy” gave me to run has been scanning now for over 4 hours. It hasn’t processed anything, it hasn’t found anything and it hasn’t decrypted anything despite the fact that all it’s looking at are files that have been encrypted, lol.
Ok, I’ve stopped the scan being done by the decrypting tool. It ran for 6.5 hours, looked at close to a half million files all tagged with the “crypt” extension and never did anything. Lost cause I’m afraid and I have work that needs to be done on the computer so I’ll be shutting it down, reformatting both HDD’s and starting over. Thanks to “Essexboy” and “Polonus” for their assistance in trying to get this cleared up. I do appreciate it.
Brief Update: I’ve already formatted and reinstalled Win7. I still have to Wipe the second HDD as that was also infected, but at least for now, the C: drive is clean. Thanks again guys!