Locker 1.2 Virus. Help 70 hours left! Encryption virus.
What steps should I take? How do I resolve this issue?
yupp8,
Not aware that there is anyone in this forum who is a crypto malware expert. If there is one, the person may come and help.
Lockerv1.20 (and there are other versions used, but it is all the same ransomware) appears to encrypt files using an RSA encryption algorithm. This is very difficult to decrypt. Also, if you pay the ransom, there is no guarantee that you will get your files back!
Do you have a backup of your files?
It appears that the malicious executables are found in %ProgramData%\rkcl
Before running any AntiMalware software or trying to restore your files, copy the encrypted files, the Bitcoin wallet address, and the C:\ProgramData\rkcl folder to an external hard drive, or a USB pen drive. If a decryption tool becomes available, you may have a chance at regaining your files.
The C:\ProgramData\rkcl folder contains several files such as data.aa0, data.aaX (X=a number)...
data.aa0 lists infected files
data.aa6 has the bitcoin payment address key
The rkcl folder also contains ldr.exe and rkcl.exe
There may also be folders in your system, like the following, running like services:
C:\ProgramData\steg\steg.exe
C:\ProgramData\tor\tor.exe
The ransomware you have appears to be related to CryptoLocker. Try uploading encrypted files to the following website and see if you can get them back. No harm in trying.
https://www.decryptcryptolocker.com/
More info: How to restore files encrypted by CryptoLocker using Shadow Volume Copies
CryptoLocker Ransomware Information Guide and FAQ
If no joy, follow this thread:
Infected with Locker v1.7 How can i recover files? ransomware - Am I infected? What do I do?
Also, please give Malwarebytes Anti-Malware a whirl.
Download > https://www.malwarebytes.org/products/
Select the FREE version!
Save to the Desktop.
On the Desktop, double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Allow the file to run.
Follow the setup wizard to Install.
Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish
However, please make sure to uncheck the PREMIUM version Trial checkmark, if it appears near the end of the installation.
Once MBAM opens, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits
Click the Scan tab at the top of the program window, and select: Threat Scan
Next, click: Scan Now
If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.
If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions
While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.
Please post the MBAM report in your reply.
Notes:
1. The log is automatically saved by MBAM and can also be viewed by clicking: History tab > Application Logs.
2. If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
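A PowerShell script, added here as an example and not cottonball's own or part of any tool named in the thread, that does the preservation step described above before any cleanup: it records which of the named %ProgramData% folders and processes are present, hashes and copies the folders to a destination on external media, and copies the files listed in data.aa0. The destination path is a placeholder; the script assumes data.aa0 holds one full path per line and that Get-FileHash is available (PowerShell 4 or later). It stops no processes and deletes nothing.

```powershell
# Added example: inventory and preserve the Locker artefacts named in the thread
# before any cleanup. Nothing here kills a process or deletes a file.
param(
    # placeholder: a path on your external/USB drive (NOT on the infected C: volume)
    [string]$Dest = 'E:\locker-evidence'
)

$pd        = $env:ProgramData
$folders   = 'rkcl', 'steg', 'tor'          # folders named in the thread
$processes = 'rkcl', 'steg', 'tor', 'ldr'   # process names (without .exe)
$lines     = @()

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Which named folders exist? Hash every file inside, then copy the folder.
foreach ($f in $folders) {
    $path = Join-Path $pd $f
    if (-not (Test-Path $path)) { $lines += "not present: $path"; continue }
    $lines += "FOUND folder: $path"
    foreach ($file in Get-ChildItem -Path $path -Recurse -File) {
        $h = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $lines += "  {0}  {1} bytes  SHA256={2}" -f $file.FullName, $file.Length, $h
    }
    # a future decryptor may need data.aa0 / data.aa6 and the binaries, so keep a copy
    Copy-Item -Path $path -Destination (Join-Path $Dest $f) -Recurse -Force
}

# 2. Are any named processes running? Record them; do not stop them here.
foreach ($p in Get-Process -Name $processes -ErrorAction SilentlyContinue) {
    $lines += "RUNNING process: {0} (PID {1}) {2}" -f $p.Name, $p.Id, $p.Path
}

# 3. data.aa0 lists the encrypted files (assumed: one full path per line);
#    copy each one that still exists, keeping its directory layout.
$list = Join-Path $pd 'rkcl\data.aa0'
if (Test-Path $list) {
    foreach ($enc in Get-Content -Path $list) {
        if (-not $enc -or -not (Test-Path -LiteralPath $enc)) { continue }
        $rel    = $enc -replace '^[A-Za-z]:\\', ''
        $target = Join-Path (Join-Path $Dest 'encrypted') $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $enc -Destination $target -Force
        $lines += "copied encrypted file: $enc"
    }
}

$lines | Set-Content -Path (Join-Path $Dest 'inventory.txt')
$lines
```

Run it from an elevated PowerShell prompt with the external drive attached, and keep inventory.txt with the copies; the SHA256 values let you confirm later that the preserved files are unchanged.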
Dear cottonball, thank you so much for your assistance! I hope together we can resolve this issue since I have only 58 hours left.
I actually do not care about the files. It would be nice if I could decrypt them, but I have backups for the important files.
Should I try and delete the files you mentioned?
Is this some kind of a new virus?
Right now I'm running MBAM; I'll post the logs soon.
P.S.
tried https://www.decryptcryptolocker.com/
"The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."
As of right now I took these steps, and I think everything is gone now:
Only do this if you know you don't need to pay the ransom, as many cryptolockers destroy the private key it uses to encrypt if you clean it.
Open Task Manager and end process for any of these processes: rkcl.exe, steg.exe, tor.exe, ldr.exe
Go to %programdata% folder and delete the following folders as listed earlier: "rkcl, steg, tor, Digger"
Download and run Malwarebytes. Do this again in a few days in case newer definitions find any more of the infection.
To be really safe, format and re-install, but the above should get rid of the bulk of the infection.
For future prevention: Backup backup backups. Install CryptoPrevent. Practice safe browsing, use Ad Block on suspicious websites.
Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software
Scan Date: 25/05/2015
Scan Time: 13:20:22
Logfile: lgg2.txt
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2015.05.25.03
Rootkit Database: v2015.05.24.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Daniel
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 682084
Time Elapsed: 20 min, 57 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
Backdoor.MSIL.PGen, C:\Windows\SysWOW64\surrasiltshawks.exe, 1804, Delete-on-Reboot, [f5e2781f830758de46cab09cac5615eb]
Modules: 0
(No malicious items detected)
Registry Keys: 4
Backdoor.MSIL.PGen, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ConkAuralQuoth, Quarantined, [f5e2781f830758de46cab09cac5615eb],
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [3c9bbed9f694e452eb99670842c3c937],
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [2aad5e3981091d19a7dd4e21bc49649c],
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}, Quarantined, [8d4a30673d4de5517b08abc4c144af51],
Registry Values: 10
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [3c9bbed9f694e452eb99670842c3c937]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [0dcae7b0aedc53e36321c0afbc4906fa]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [d007dcbb2e5cca6c81030c63b84dfc04]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [2aad5e3981091d19a7dd4e21bc49649c]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [9f3870277614c1754e3674fbfd0851af]
PUP.Optional.DefaultSearch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [795e98ff90faec4a265e77f838cd58a8]
PUP.Optional.MySearchResults.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{90FFB6C9-B59E-4620-88B6-5450D860C7EA}|URL, http://www.mysearchresults.com/search?c=3513&t=07&q={searchTerms}, Quarantined, [14c37c1b6129ab8bb23a0dcfb94a6c94]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|DisplayName, default-search.net, Quarantined, [8d4a30673d4de5517b08abc4c144af51]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|URL, http://www.default-search.net/search?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}, Quarantined, [a334a8efc5c5a096f58eeb8455b0f010]
PUP.Optional.DefaultSearch.A, HKU\S-1-5-21-2583720070-748624027-3842895589-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}|SuggestionsURL_JSON, http://www.default-search.net?sid=492&aid=199&itype=n&ver=12565&tm=386&src=ds&p={searchTerms}&ft=json, Quarantined, [3b9cdcbbe2a862d49be8e08fd92c08f8]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 1
Backdoor.MSIL.PGen, C:\Windows\SysWOW64\surrasiltshawks.exe, Delete-on-Reboot, [f5e2781f830758de46cab09cac5615eb],
Physical Sectors: 0
(No malicious items detected)
(end)
yupp8,
If you backed up your files using an external hard drive or other media, you are good.
The rest we should be able to take care of.
Did you reboot after running MBAM?
Please open MBAM, and go to History tab > Application Logs
See if there is a recent Scan log there and post it in your reply.
The one posted appears to be a second run, but I could be wrong.
Are you still getting the ransomware notice with the time remaining rubbish? Hopefully not.
MBAM detected Backdoor.MSIL.PGen, and deleted on reboot. However, there are other files associated with the ransomware that are not showing.
Please use the herdProtect Anti-Malware Scanner and let's see what it shows...
Download > Download herdProtect - Free Anti-Malware Platform
Select the Portable Version (green button on the right), and save to the Desktop
Double-click the herdProtectScan_Portable file to run the setup.
On the last prompt, make sure Launch herdProtect is checked, and press: Finish
Next, when presented with the Scanner window, press the green Scan button. (An Internet connection needs to be available.)
OK the next prompt.
The scan goes through various stages, and, when done, the scan Results are presented (Files scanned: xxx, Processes scanned: xxxx, etc.).
Press (at the top): Save Results
Please do not remove any entries, and attach the herdProtect Scan_2015-(date) in your reply.
Also, please use the Farbar Recovery Scan Tool to look for suspicious files or folders.
Download: > Farbar Recovery Scan Tool Download
Select the version that applies to your system (64-bit?).
Save it to your Desktop.
Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.
When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.
The first time the tool is run, it also creates another log: Addition.txt
Also post the Addition.txt in your reply.
Last edited by cottonball; 25 May 2015 at 17:44.
May 25, 2015
I got this same notice when I booted up my computer this morning, only mine was Locker v2.53. It shows I have a little over 64 hours to pay them and they will then decrypt my photos. Thousands of my jpegs are now unreadable so will not open, and since my external hard drive was plugged in when I booted up, it even got all the backup jpegs I had on that drive too. The gifs and pngs are still fine, as are thousands of movies & text files. I thought all I needed to do was restore my system to a date from a day or two ago and it would take care of this, but now I'm leery of doing that.
HOW DID YOU MAKE OUT yupp8, I MEAN AFTER GETTING RID OF THE LOCKER, WERE YOUR PHOTOS BACK VIEWABLE?
Sher,
The version of Locker means nothing. The criminals are using all sorts of versions, guess they plan on keeping us confused.
Would take action to safekeep the files that are still fine, and keep a copy of those that are not.
As far as I am aware, using System Restore to a previous date has not worked. Neither has using the CryptoLocker decryptor. The Locker Vx.xx may be related to CryptoLocker, but it is a new method of operation.
yupp8 has an issue somewhat different from yours, since he backed up some important files and the backup device was not connected to the computer.
My suggestion to you is to start your own topic on this forum, and we can take it from there:
https://www.sevenforums.com/system-security/
@carwiz,
This monster has been able to fool all sorts of antivirus programs.
There are lots of people posting about it at forums all over the web!
Info:
If you lost photos, a possibility is to restore them using Shadow Volume Copies, particularly if the files were not in the C:\ drive.
Tutorial by Brink > How to Restore Files and Folders in Windows 7 with Previous Versions
Previous Versions - Restore Files and Folders
Recuva may be another option, running a Deep Scan.
Download > Recuva - Undelete, Unerase, File and Disk Recovery - Free Download
There is also PhotoRec.
PhotoRec - Digital Picture and File Recovery
Tutorial by Jumanji > Guide to Using PhotoRec Recovery Software
Important!
From Locker expert at BC:
Grinler, on 24 May 2015 - 6:32 PM, said:
If you do decide to pay the ransom, which should be avoided if at all possible, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.
If you plan on paying the ransom, though, you will need to keep the ransomware malware running on your computer