When is paytordmbdekmizq.tor4pay Virus NOT paytordmbdekmizq.tor4pay Virus

OK, I’ve followed the directions at https://forum.avast.com/index.php?topic=53253.0

The question in the subject line is because I preemptively went to https://www.decryptcryptolocker.com/ and uploaded several files and it said none of them were cryptolockered. When you look at my MBAM.txt file you’ll see I had the thing and I still can’t access my files.

UPDATE: I tried http://download.bleepingcomputer.com/cryptorbit/Anti-CryptorBitV2.zip and it was worthless…made the copies of the files but every one of them was corrupted.

Thank you in advance.

Jason

Do you have an image or system restore from prior to the infection?

Have you tried the "restore previous version" option?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:


Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
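An added triage script (my code, not from the thread, FRST or any tool named in it) covering two things this thread needed: the first post's question of whether the files are really encrypted, and the fix above's hunt for the ransom notes (DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, INSTALL_TOR.URL) scattered across profile directories. It walks a tree, labels notes by name, and flags files whose leading bytes no longer match their extension, falling back to byte entropy for types it has no magic number for. The magic-number table and the 7.5 bits/byte threshold are my assumptions, and the sample tree is constructed.

```python
import math
import os
import tempfile
from pathlib import Path

# Ransom-note names this infection dropped into every profile directory (from the thread).
RANSOM_NOTES = {"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "INSTALL_TOR.URL"}
# Expected leading bytes per extension (assumed table of well-known magic numbers).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".pst": b"!BDN"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random or encrypted bytes sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(root, sample=4096, threshold=7.5):
    """Label each file 'note', 'suspect' (header mismatch, or unknown type with high entropy) or 'ok'."""
    verdicts = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.upper() in RANSOM_NOTES:
            verdicts[rel] = "note"
            continue
        head = path.read_bytes()[:sample]
        expected = MAGIC.get(path.suffix.lower())
        if expected is not None:
            suspect = not head.startswith(expected)  # known type: trust the header check
        else:
            suspect = entropy(head) >= threshold     # unknown type: fall back to entropy
        verdicts[rel] = "suspect" if suspect else "ok"
    return verdicts

def build_sample_tree():
    """Constructed sample profile: a note, an intact PDF, readable text, two random-byte 'encrypted' files."""
    docs = Path(tempfile.mkdtemp()) / "My Documents"
    docs.mkdir()
    (docs / "DECRYPT_INSTRUCTION.TXT").write_text("constructed ransom note")
    (docs / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text body\n" * 50)
    (docs / "readme.txt").write_text("ordinary text in the file " * 100)
    (docs / "quote.pdf").write_bytes(os.urandom(4096))    # header gone: flagged by mismatch
    (docs / "archive.txt").write_bytes(os.urandom(4096))  # no magic known: flagged by entropy
    return docs.parent
```

Run `triage(build_sample_tree())` to see the verdict dictionary; on a real profile, point `triage` at the user's My Documents folder and expect intact Office files and archives to pass on their header alone, since their compressed bodies are high-entropy by design.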

You’ll see everything in the fix failed as I manually deleted all of those files using the search function.

No, there isn’t any backup. My corp., in its infinite wisdom, puts that in the hands of the users (in this case a salesman) and gives them 0 training to know how. What good is a personal drive on the server if the user doesn’t know it exists? Also, any kind of automatic backup is disabled on the corp. PCs.

I assume that since you asked the question about backups that you and I are in agreement that my user is SOL for his data…for the record, best I can tell it attacked his My Documents folder and encrypted everything in it…including email archives (which salesmen live by).

I am afraid so, but there is a preventative programme for this which I recommend you install on all systems.

For the e-mails, if you use a web mail host you may be able to recover them from there (if you do not have purge on download selected).

Apart from that, how is the system behaving?

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

OK well so my user has lost all of his work for the last 2 years. He doesn’t seem too upset. I’ll never play poker with him!

But his laptop was slated to be replaced this month anyway so I’m having his replacement overnighted, so maybe by Friday he’ll have his new laptop.

Thanks essexboy for all of your help. I consider this case closed.

Sorry we couldn’t get the files back