Original Cryptolocker Ransomware Support and Help Topic


3457 replies to this topic

#76 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 65,974 posts
  • Gender:Female

Posted 10 September 2013 - 11:40 AM

Hi,

We have been able to remove this by creating a Kaspersky Rescue Disk: http://support.kaspersky.com/viruses/rescuedisk#downloads

Once booted into this you can use the File Manager and registry editor to remove the start-up entry for this. First browse the registry to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and locate the random file (this will also show you where on the system this is loading from). Remove this reg entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Once the reg entry is deleted, then use the File Manager function to browse to where this file is located and delete this file.

Shut down the rescue disk and boot as normal; this should then be able to boot without the CryptoLocker screen appearing. You should then run a scan with your current AV software or download Malwarebytes: http://www.malwarebytes.org/ and run a scan with this. It may be best to run this scan with the computer in safe mode.

This method works to remove the malicious files/registry entries (which really is not the issue with this infection variant); it does nothing, however, to decrypt any encrypted files.
Regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

#77 Grinler

    Lawrence Abrams

  • Admin
  • 45,209 posts
  • Gender:Male
  • Location:USA

Posted 10 September 2013 - 11:42 AM

Ok... we are getting somewhere then. You can download this tool to generate a list of encrypted files:

http://download.bleepingcomputer.com/grinler/ListCrilock.exe

Let me know if there are any issues. Working on a way to semi-automate this process for you.

#78 adrian26

  • Members
  • 8 posts

Posted 10 September 2013 - 11:56 AM

We got infected on a client machine which then infected the server shares. Thinking it was the typical malware that we have all seen where it hides your files and tries to blackmail you, we removed the infection. Is there any way to recover the encrypted files now that we have removed the infection?



#79 Grinler

    Lawrence Abrams

  • Admin
  • 45,209 posts
  • Gender:Male
  • Location:USA

Posted 10 September 2013 - 11:59 AM

Adrian, read through the whole topic. At this point there is currently no way to restore the files other than the methods described above.

#80 adrian26

  • Members
  • 8 posts

Posted 10 September 2013 - 12:01 PM

I have read through the whole topic, but I wasn't sure if there was a way to reinfect my machine so I could pay the ransom (I can't believe I just typed that either). I am afraid that it will double encrypt my files and I will be really screwed.



#81 Grinler

    Lawrence Abrams

  • Admin
  • 45,209 posts
  • Gender:Male
  • Location:USA

Posted 10 September 2013 - 12:04 PM

Ahh... I am sorry. I misunderstood.

    (I can't believe I just typed that either).

Yeah... this is mind boggling to say the least. I honestly don't know what would happen if you reinfected yourself. Theoretically it shouldn't reinfect as the file will already be listed as encrypted under the HKCU\Software\CryptoLocker\Files key. I wouldn't want to bet on that though.
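Two things in this thread lend themselves to a small triage script: the Run-key check Elise walks through in #76 (find the random start-up entry and where it loads from) and the HKCU\Software\CryptoLocker\Files key Grinler mentions above, which records what the malware has already encrypted. The script below is an added example, not code from this thread and not BleepingComputer's ListCrilock tool. It parses a `.reg` export (as produced by `reg export` from a rescue environment or an offline hive) and reports both. The sample export is constructed for the example; the "user-writable location or GUID-like file name" rule is my own triage heuristic, and the assumption that each value name under the Files key is a full path with `?` standing in for `\` is mine as well, since the thread does not document the key's format.

```python
import re

# Constructed sample: what `reg export` of the three keys of interest might look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"{231e2-21312-12e12-123a2}"="C:\\Users\\alice\\AppData\\Roaming\\{231e2-21312-12e12-123a2}.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000000
"C:?Users?alice?Pictures?holiday.jpg"=dword:00000000
'''

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"

# One "name"=data line of a .reg file; the key's default value is written as @.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Triage heuristics (mine, not from the thread): autoruns living under a profile's
# AppData/Temp, or whose file name is a bare GUID-like name as in Grinler's #87.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Local Settings)\\", re.IGNORECASE)
GUID_NAME = re.compile(r"^\{[0-9a-f-]+\}\.exe$", re.IGNORECASE)


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the character that follows it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    String data is unescaped; other data (dword:, hex:) is kept verbatim.
    Multi-line hex continuations are not needed here and are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _find_key(keys, wanted):
    # Registry paths are case-insensitive; exports keep whatever casing the hive had.
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def command_executable(command):
    """Extract the program path from a Run value ("quoted path" args, or path args)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(keys):
    """Return (key, value_name, exe_path) for Run entries worth a closer look."""
    hits = []
    for key in RUN_KEYS:
        for name, command in _find_key(keys, key).items():
            exe = command_executable(command)
            if USER_WRITABLE.search(exe) or GUID_NAME.match(exe.rsplit("\\", 1)[-1]):
                hits.append((key, name, exe))
    return hits


def encrypted_files(keys):
    """Rebuild the list of files CryptoLocker recorded as encrypted.

    Assumption (not stated in the thread): every value name under the Files
    key is one full path, with "?" standing in for the backslash separator.
    """
    return sorted(name.replace("?", "\\") for name in _find_key(keys, FILES_KEY))


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, exe in suspicious_run_entries(parsed):
        print(f"[autorun] {key}\\{name} -> {exe}")
    for path in encrypted_files(parsed):
        print(f"[encrypted] {path}")
```

Run it on a real export by replacing `SAMPLE_REG` with the file's contents (exports are UTF-16 on disk, so open them with `encoding="utf-16"`). The autorun report gives you the path to remove with the rescue disk's File Manager; the encrypted-file list is what you hand to whoever decides about restoring from backup, since nothing here decrypts anything.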

#82 jonathan020

  • Members
  • 14 posts

Posted 10 September 2013 - 12:47 PM

Here is the update I received today from Trend Micro.....

    Bad news.

    We found that the files appear to be encrypted using RSA encryption. This type of encryption uses a public and a private key pair. If this is true, the restoration of the affected files may be close to impossible. Though we're still checking the affected files and the sample malicious file provided.

    This is the update from our malware team.

#83 JimBuck

  • Members
  • 3 posts

Posted 10 September 2013 - 01:27 PM

Hi all, I am a home user. Malwarebytes Pro spots and blocks and presumably will clean this virus but can't unencrypt the files. I am missing any backup for some files. (cue abuse!) I think I have no option but to pay the ransom; however, my problem is that the virus no longer pops up the dialogue to allow me to do so, although I don't think I am beyond the time it said I had to do so! Any ideas anyone?

#84 JimBuck

  • Members
  • 3 posts

Posted 10 September 2013 - 01:29 PM

Btw I should add I have only detected and not cleaned the virus, although Malwarebytes does give me the chance to do so.

#85 Grinler

    Lawrence Abrams

  • Admin
  • 45,209 posts
  • Gender:Male
  • Location:USA

Posted 10 September 2013 - 01:32 PM

Malwarebytes has a quarantine that you can restore the infection from if you need to.

#86 JimBuck

  • Members
  • 3 posts

Posted 10 September 2013 - 01:41 PM

Thanks Grinler, but have done that and it still won't demand its ransom. Can't believe I am asking how to activate a virus, but still....

#87 Grinler

    Lawrence Abrams

  • Admin
  • 45,209 posts
  • Gender:Male
  • Location:USA

Posted 10 September 2013 - 02:03 PM

You prob need to start the executable or restart the computer if MBAM never cleaned it. It should eventually pop up the screen. The executable is named something like: {231e2-21312-12e12-123a2}.exe

Btw, this is untested and I don't know of anyone who has tried rerunning the infection like this. Should work, but not sure.

#88 dgusto7

  • Members
  • 11 posts

Posted 10 September 2013 - 02:37 PM

Can we have a discussion on what possible ways these files can be decrypted, based on each user needing a private key and that key being impossible to attain? What conceivable way could this be done?



#89 kenoindallas

  • Members
  • 7 posts

Posted 10 September 2013 - 02:38 PM

Hi all,

We are currently working with this virus now, and wanted to see if anybody still has the original executable that it created. We want to infect one of our test machines to see if we can figure out a fix for the encryption, as well as see how it functions.

Please shoot me a PM if you can help us out.

Thanks!



#90 Chuck Sp

  • Members
  • 36 posts

Posted 10 September 2013 - 02:51 PM

I have a machine quarantined with the virus...





