system
October 22, 2014, 6:25pm
OK, I’ve followed the directions at https://forum.avast.com/index.php?topic=53253.0
The question in the subject line is because I preemptively went to https://www.decryptcryptolocker.com/ and uploaded several files and it said none of them were cryptolockered. When you look at my MBAM.txt file you’ll see I had the thing and I still can’t access my files.
UPDATE I tried http://download.bleepingcomputer.com/cryptorbit/Anti-CryptorBitV2.zip and it was worthless…made the copies of the files but every one of them was corrupted.
Thank you in advance.
Jason
Do you have an image or system restore from prior to the infection?
Have you tried the "restore previous version" option?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
2014-10-16 07:24 - 2014-10-16 07:24 - 00008490 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:24 - 2014-10-16 07:24 - 00004182 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:24 - 2014-10-16 07:24 - 00000268 _____ () C:\INSTALL_TOR.URL
2014-10-16 07:17 - 2014-10-16 07:17 - 00008490 _____ () C:\Documents and Settings\e0147506\My Documents\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:17 - 2014-10-16 07:17 - 00008490 _____ () C:\Documents and Settings\e0147506\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:17 - 2014-10-16 07:17 - 00008490 _____ () C:\Documents and Settings\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:17 - 2014-10-16 07:17 - 00004182 _____ () C:\Documents and Settings\e0147506\My Documents\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:17 - 2014-10-16 07:17 - 00004182 _____ () C:\Documents and Settings\e0147506\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:17 - 2014-10-16 07:17 - 00004182 _____ () C:\Documents and Settings\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:17 - 2014-10-16 07:17 - 00000268 _____ () C:\Documents and Settings\INSTALL_TOR.URL
2014-10-16 07:17 - 2014-10-16 07:17 - 00000268 _____ () C:\Documents and Settings\e0147506\My Documents\INSTALL_TOR.URL
2014-10-16 07:17 - 2014-10-16 07:17 - 00000268 _____ () C:\Documents and Settings\e0147506\INSTALL_TOR.URL
2014-10-16 07:12 - 2014-10-16 07:12 - 00008490 _____ () C:\Documents and Settings\e0147506\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:12 - 2014-10-16 07:12 - 00008490 _____ () C:\Documents and Settings\e0147506\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:12 - 2014-10-16 07:12 - 00004182 _____ () C:\Documents and Settings\e0147506\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:12 - 2014-10-16 07:12 - 00004182 _____ () C:\Documents and Settings\e0147506\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:12 - 2014-10-16 07:12 - 00000268 _____ () C:\Documents and Settings\e0147506\Local Settings\INSTALL_TOR.URL
2014-10-16 07:12 - 2014-10-16 07:12 - 00000268 _____ () C:\Documents and Settings\e0147506\Local Settings\Application Data\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0147506\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0026605\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0026605\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0026605\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0026605\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\e0147506\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\e0026605\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\e0026605\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\e0026605\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\e0026605\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\Default User\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00004182 _____ () C:\Documents and Settings\Default User\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\e0147506\Application Data\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\e0026605\Local Settings\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\e0026605\Local Settings\Application Data\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\e0026605\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\e0026605\Application Data\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\Default User\INSTALL_TOR.URL
2014-10-16 07:08 - 2014-10-16 07:08 - 00000268 _____ () C:\Documents and Settings\Default User\Application Data\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\Administrator\Local Settings\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\Administrator\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\Administrator\Application Data\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\All Users\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\Administrator\Local Settings\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\Administrator\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\Administrator\Application Data\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\All Users\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\All Users\Application Data\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\Administrator\Local Settings\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\Administrator\INSTALL_TOR.URL
2014-10-16 07:07 - 2014-10-16 07:07 - 00000268 _____ () C:\Documents and Settings\Administrator\Application Data\INSTALL_TOR.URL
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
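The fixlist above is nothing more than the FRST log lines for the ransom notes, copied back so that FRST deletes the files they name. Before deleting anything, a responder usually wants those same lines read the other way round: when the notes first appeared, which profiles were touched, and whether every copy of a given note is the same size. The Python below is an added example and is not from the thread or from FRST itself; it assumes FRST's one-line-per-file layout (created, modified, size, attributes, company, path) and runs over a handful of lines copied from the log above plus one constructed benign line. One caveat worth recording: DECRYPT_INSTRUCTION.HTML/.TXT and INSTALL_TOR.URL are the note names CryptoWall drops, not CryptoLocker's, which is consistent with decryptcryptolocker.com (a CryptoLocker-only key service) reporting the files as not CryptoLocker-encrypted.

```python
"""Triage an FRST log for ransom-note drops and emit FRST fixlist lines.

Added example; not part of the original forum thread or of FRST.
Assumption: FRST's "one month created" section lists one file per line as
  <created> - <modified> - <size> <attrs> (<company>) <path>
The note filenames below are the ones that appear in the log above.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ransom-note artifacts exactly as named in the log above.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT",
                     "INSTALL_TOR.URL"}

FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Profile name under the Windows XP-style profile root used in the log.
PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)

# Constructed sample: six lines copied from the log in the thread plus one
# benign line, because a real FRST.txt lists every file created that month.
SAMPLE_LOG = r"""
2014-10-16 07:24 - 2014-10-16 07:24 - 00008490 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:24 - 2014-10-16 07:24 - 00000268 _____ () C:\INSTALL_TOR.URL
2014-10-16 07:17 - 2014-10-16 07:17 - 00004182 _____ () C:\Documents and Settings\e0147506\My Documents\DECRYPT_INSTRUCTION.TXT
2014-10-16 07:08 - 2014-10-16 07:08 - 00008490 _____ () C:\Documents and Settings\e0026605\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00008490 _____ () C:\Documents and Settings\Administrator\DECRYPT_INSTRUCTION.HTML
2014-10-16 07:07 - 2014-10-16 07:07 - 00004182 _____ () C:\Documents and Settings\All Users\DECRYPT_INSTRUCTION.TXT
2014-10-15 12:00 - 2014-10-15 12:00 - 00123456 _____ (Example Corp) C:\Documents and Settings\e0147506\My Documents\report.docx
"""


def parse_frst_line(line):
    """Return a dict for one FRST file line, or None if it is not one."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["created"] = datetime.strptime(entry["created"], "%Y-%m-%d %H:%M")
    entry["modified"] = datetime.strptime(entry["modified"], "%Y-%m-%d %H:%M")
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    entry["raw"] = line.strip()  # kept verbatim: this is what goes in fixlist.txt
    return entry


def find_ransom_notes(log_text):
    """All lines whose filename is a known ransom-note artifact."""
    notes = []
    for line in log_text.splitlines():
        entry = parse_frst_line(line)
        if entry and entry["name"].upper() in RANSOM_NOTE_NAMES:
            notes.append(entry)
    return notes


def summarize(notes):
    """Earliest drop time, profiles touched, and per-name size consistency."""
    sizes_by_name = defaultdict(set)
    profiles = set()
    for n in notes:
        sizes_by_name[n["name"].upper()].add(n["size"])
        m = PROFILE_RE.match(n["path"])
        if m:
            profiles.add(m.group(1))
    # Every copy of one note should have one size; a mismatch means a copy was
    # altered or belongs to a different drop and deserves a closer look.
    mixed = sorted(name for name, s in sizes_by_name.items() if len(s) > 1)
    return {
        "count": len(notes),
        "first_seen": min(n["created"] for n in notes) if notes else None,
        "profiles": sorted(profiles),
        "mixed_sizes": mixed,
    }


def fixlist_lines(notes):
    """FRST deletes a file whose full log line is pasted into fixlist.txt;
    emit them oldest first so the timeline is readable in the fix log."""
    return [n["raw"] for n in sorted(notes, key=lambda n: n["created"])]


if __name__ == "__main__":
    found = find_ransom_notes(SAMPLE_LOG)
    print(summarize(found))
    print("\n".join(fixlist_lines(found)))
```

Point the functions at a full FRST.txt rather than the sample to get the real timeline; the earliest created time across the notes is the best single estimate of when encryption started, and the profile list tells you whose data to check. A matching size across all copies of a note is only a sanity check, not proof the copies are identical; hash them if that matters for the case.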
system
October 22, 2014, 7:17pm
You’ll see everything in the fix failed as I manually deleted all of those files using the search function.
No, there isn’t any backup. My corp. in its infinite wisdom puts that in the hands of the users (in this case a salesman) and gives them 0 training to know how. What good is a personal drive on the server if the user doesn’t know it exists? Also, any kind of automatic backup is disabled on the corp. PCs.
I assume that since you asked the question about backups that you and I are in agreement that my user is SOL for his data…for the record best I can tell it attacked his My Documents folder and encrypted everything in it…including email archives (which salesmen live by).
I am afraid so, but there is a preventative programme for this which I recommend you install on all systems.
For the e-mails, if you use a web mail host you may be able to recover them from there (if you do not have purge on download selected).
Apart from that, how is the system behaving?
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
system
October 22, 2014, 8:09pm
OK well so my user has lost all of his work for the last 2 years. He doesn’t seem too upset. I’ll never play poker with him!
But his laptop was slated to be replaced this month anyway, so I’m having his replacement overnighted, so maybe by Friday he’ll have his new laptop.
Thanks essexboy for all of your help. I consider this case closed.
Sorry we couldn’t get the files back