Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Locker 1.2 Virus. Help 70 hours left! Encryption virus.

24 May 2015   #1
yupp8

Windows 7
 
 
Locker 1.2 Virus. Help 70 hours left! Encryption virus.



What steps should I take ? How do I resolve this issue


My System SpecsSystem Spec
.
25 May 2015   #2
cottonball

Windows 7 Home Premium
 
 

yupp8,

Not aware that there is anyone in this forum who is a crypto malware expert. If there is one, the person may come and help.

Lockerv1.20 (and there are other versions used, but it is all the same ransomware) appears to encrypt files using an RSA encryption algorithm. This is very difficult to decrypt. Also,
if you pay the ransom, there is no guarantee that you will get your files back!

Do you have a backup of your files?


It appears that the malicious executables are found in %ProgramData%\rkcl

Before running any AntiMalware software or trying to restore your files, copy the encrypted files, the Bitcoin wallet address, and the C:\ProgramData\rkcl folder to an external hard drive, or a USB pen drive. If a decryption tool becomes available, you may have a chance at regaining your files.

The C:\ProgramData\rkcl folder contains several files such as data.aa0, data.aaX (X=a number)...
data.aa0 lists infected files
data.aa6 has the bitcoin payment address key

The rkcl folder also contains ldr.exe and rkcl.exe

There may also be folders in your system, like the following, running like services:
C:\ProgramData\steg\steg.exe
C:\ProgramData\tor\tor.exe

The ransomware you have appears to be related to CryptoLocker. Try uploading encrypted files to the following website and see if you can get them back. No harm in trying.
https://www.decryptcryptolocker.com/

More info: How to restore files encrypted by CryptoLocker using Shadow Volume Copies
CryptoLocker Ransomware Information Guide and FAQ

If no joy, follow this thread:
Infected with Locker v1.7 How can i recover files? ransomware - Am I infected? What do I do?


Also, please give Malwarebytes Anti-Malware a whirl.
Download > https://www.malwarebytes.org/products/
Select the FREE version!
Save to the Desktop.

On the Desktop. double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Allow the file to run.
Follow the setup wizard to Install.

Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish
However, please make sure to uncheck the PREMIUM version Trial checkmark, if it appears near the end of the installation.

Once MBAM opens, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits
Click the Scan tab at the top of the program window, and select: Threat Scan

Next, click: Scan Now
If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.


Please post the MBAM report in your reply.

Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2, If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
My System SpecsSystem Spec
25 May 2015   #3
yupp8

Windows 7
 
 

dear cottonball, Thank you so much for your assistance! I hope together we can resovle this issue since I have only 58 hours left.


I actually do not care about the files, It would be nice if I could decrypt them, but I have backups for the important files.

Should I try and delete the files you mentioned ?

Is this some kind of a new virus?
right now I'm running the MBAM I'll post the logs soon.

P.S.
tried https://www.decryptcryptolocker.com/
"The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."
My System SpecsSystem Spec
.

25 May 2015   #4
yupp8

Windows 7
 
 

as of right now I took these steps:
Quote:
Only do this if you know you don't need to pay the ransom as many cryptolockers destroy the private key it uses to encrypt if you clean it.
Open Task Manager and end process for any of these processes: rkcl.exe, steg.exe, tor.exe, ldr.exe
Go to %programdata% folder and delete the following folders as listed earlier: "rkcl, steg, tor, Digger"
Download and run Malwarebytes. Do this again in a few days in case newer definitions find any more of the infection.
To be really safe, format and re-install, but the above should get rid of the bulk of the infection.
For future prevention: Backup backup backups. Install CryptoPrevent. Practice safe-browsing, use Ad Block on suspcious websites.
and I think everything is gone now.


Quote:
Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 25/05/2015
Scan Time: 13:20:22
Logfile: lgg2.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.25.03
Rootkit Database: v2015.05.24.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Daniel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 682084
Time Elapsed: 20 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Backdoor.MSIL.PGen, C:\Windows\SysWOW64\surrasiltshawks.exe, 1804, Delete-on-Reboot, [f5e2781f830758de46cab09cac5615eb]

Modules: 0
(No malicious items detected)

Registry Keys: 4
Backdoor.MSIL.PGen, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ConkAuralQuoth, Quarantined, [f5e2781f830758de46cab09cac5615eb],
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [3c9bbed9f694e452eb99670842c3c937],
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [2aad5e3981091d19a7dd4e21bc49649c],
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [8d4a30673d4de5517b08abc4c144af51],

Registry Values: 10
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [3c9bbed9f694e452eb99670842c3c937]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [0dcae7b0aedc53e36321c0afbc4906fa]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [d007dcbb2e5cca6c81030c63b84dfc04]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [2aad5e3981091d19a7dd4e21bc49649c]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [9f3870277614c1754e3674fbfd0851af]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [795e98ff90faec4a265e77f838cd58a8]
PUP.Optional.MySearchResults.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{90FFB6C9-B59E-4620-88B6-5450D860C7EA}|URL, http://www.mysearchresults.com/search?c=3513&t=07&q={searchTerms}, Quarantined, [14c37c1b6129ab8bb23a0dcfb94a6c94]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [8d4a30673d4de5517b08abc4c144af51]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [a334a8efc5c5a096f58eeb8455b0f010]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [3b9cdcbbe2a862d49be8e08fd92c08f8]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Backdoor.MSIL.PGen, C:\Windows\SysWOW64\surrasiltshawks.exe, Delete-on-Reboot, [f5e2781f830758de46cab09cac5615eb],

Physical Sectors: 0
(No malicious items detected)


(end)
My System SpecsSystem Spec
25 May 2015   #5
cottonball

Windows 7 Home Premium
 
 

yupp8,

If you backed up your files using an external hard drive or other media, you are good.
The rest we should be able to take care of.

Did you reboot after running MBAM?

Please open MBAM, and go to History tab > Application Logs
See if there is a recent Scan log there and post it in your reply.
The one posted appears to be a second run, but, I could be wrong.

Are you still getting the ransomware notice with the time remaining rubbish? Hopefully not.
MBAM detected Backdoor.MSIL.PGen, and deleted on reboot. However, there are other files associated with the ransomware that are not showing.


Please, use the herdProtect Anti-Malware Scanner and let's see what it shows...
Download > Download herdProtect - Free Anti-Malware Platform

Select the Portable Version (green button on the right), and save to the Desktop
Double-click the herdProtectScan_Portable file to run the setup.

On the last prompt, make sure Launch herdProtect is checked, and press: Finish

Next, when presented with the Scanner window, press the green Scan button. (An Internet connection needs to be available.)
OK the next prompt.

The scan goes through various stages, and, when done, the scan Results are presented (Files scanned: xxx, Processes scanned: xxxx, etc.
Press (at the top): Save Results
Please do not remove any entries, and attach the herdProtect Scan_2015-(date) in your reply.


Also, please use the Farbar Recovery Scan Tool to look for suspicious files or folders.
Download: > Farbar Recovery Scan Tool Download
Select the version that applies to your system (64-bit?).
Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply.
The first time the tool is run, it also creates another log: Addition.txt

Also post the Addition.txt in your reply.
My System SpecsSystem Spec
25 May 2015   #6
Sher

Windows 7 Ultimate x64 bit
 
 

May 25, 2015
I got this same notice when I booted up my computer this morning only mine was Locker v2.53. It shows I have a little over 64 hours to pay them and they will then decrypt my photos. Thousands of my jpegs are now unreadable so will not open and since my external hard drive was plugged in when I booted up, it even got all the backup jpegs I had on that drive too. The gifs and pngs are still fine as well as thousands of movies & text files are also fine. I thought all I needed to do was restore my system to a date from a day or two ago and it would take care of this but now Im leery of doing that.
HOW DID YOU MAKE OUT yupp8, I MEAN AFTER GETTING RID OF THE LOCKER, WERE YOUR PHOTOS BACK VIEWABLE?
My System SpecsSystem Spec
25 May 2015   #7
cottonball

Windows 7 Home Premium
 
 

Sher,

The version of Locker means nothing. The criminals are using all sorts of versions, guess they plan on keeping us confused.

Would take action to safekeep the files that are still fine, and keep a copy of those that are not.

As far as I am aware, using System Restore to a previous date has not worked. Neither has using the CryptoLocker decryptor. The Locker Vx.xx may be related to CryptoLocker, but it is a new method of operation.

yupp8 has an issue somewhat different from yours, since he backed up some important files and the backup device was not connected to the computer.

My suggestion to you is to start your own topic on this forum, and we can take it from there:
http://www.sevenforums.com/system-security/
My System SpecsSystem Spec
25 May 2015   #8
carwiz

Windows 7 Pro-x64
 
 

I'm curious about what AV you guys are using.
My System SpecsSystem Spec
26 May 2015   #9
cottonball

Windows 7 Home Premium
 
 

@carwiz,

This monster has been able to fool all sorts of antivirus programs.
There are lots of people posting about it at forums all over the web!



Info:

If you lost photos, a possibility is to restore them using Shadow Volume Copies, particularly if the files were not in the C:\ drive.

Tutorial by Brink > How to Restore Files and Folders in Windows 7 with Previous Versions
Previous Versions - Restore Files and Folders


Recuva may be another option, running a Deep Scan.
Download > Recuva - Undelete, Unerase, File and Disk Recovery - Free Download

There is also PhotoRec.
PhotoRec - Digital Picture and File Recovery

Tutorial by Jumanji > Guide to Using PhotoRec Recovery Software
Guide to using PhotoRec recovery software.
My System SpecsSystem Spec
27 May 2015   #10
cottonball

Windows 7 Home Premium
 
 

Important!

From Locker expert at BC:

Quote:
Grinler, on 24 May 2015 - 6:32 PM, said:

If you do decide to pay the ransom, which should be avoided if at all possible, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.

If you plan on paying the ransom, though, you will need to keep the ransomware malware running on your computer
My System SpecsSystem Spec
Reply

 Locker 1.2 Virus. Help 70 hours left! Encryption virus.




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Rootkit virus left me with BSOD
Hi everyone...I am new here and fairly new to computer problems. I handle a number of laptops but this has got me beat. Couldn't remove rootkit virus (Alureon) till downloaded Kapersky free download. Got rid quickly but now got BSOD. No backups. Its an old but newly acquired Dell Inspiron....
BSOD Help and Support
Top left hand corner not allowing clicks after virus and removal
Hey guys, I recently had the moneypak FBI virus and cleaned my registry using Ccleaner and also cleared my Temp files manually (which actually got rid of the problem). Since I cleared this, the top left hand corner of my screen (roughly 2 icon squared in size) does not allow any direct...
System Security
Only five hours left to download!
DEAR FRIENDS, KINDLY VISIT THIS WEBSITE TO DOWNLOAD THE TOP-CLASS EASEUS PARTITION MASTER PFOFESSIONAL and only five hours are left to utilize this opportunity (sorry for the bold type, it was purely for emphasis) Cogizio Freebie: EASEUS Partition Master Professional...
Software
comp BSOD's on boot only after its been left off for hours...details w
This is the most obscure thing I ever encountered on a computer. The first time I turned on my computer it froze up at "Loading ASUS express gate" this was a month ago, so after holding the power butting it reboots and I install win 7 and everything works great. I do a few reboots and...
BSOD Help and Support


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 15:11.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App