Infected with hard drive encrypting trojan

Discussion in 'other anti-virus software' started by roger_m, Feb 18, 2014.

Thread Status:
Not open for further replies.
  1. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    Tonight I made the mistake of downloading an infected file. Shortly after running it I got a popup message saying my file would be encrypted, and I think it gave me the option of taking action (i.e. paying to decrypt my files) then or else I would be notified about it when I restarted Windows.

    Anyway, so far I have run scans with 360 Internet Security, MBAM and Hitman Pro, and TDSSKiller - all of which did not detect the Trojan.

    Currently I am running scans with both Avast and Baidu PC Faster in the hope of finding it.

    I know that it is active in my system as the hard drive light is constantly showing activity, which is not normal.

    I have checked the run and runonce sections of the registry and found nothing unusual.

    It is quite possible that the Trojan is running as iexplore.exe as I don't have IE running and whenever I kill the process it returns. However it is running from the usual IE install location, but interestingly What's My Computer Doing? shows the process name in all uppercase letters (task manager doesn't)

    In case Avast finds nothing, has anyone got any suggestions on what else to try? I scanned the infected download with VirusTotal (after my system became infected) and it was only detected by Trend Micro, and then just as a generic Trojan, so I don't have any specific name for it to use to search for removal instructions or AVs which detect it.

    I do realise that restoring from a clean image is the best option here. But, while I do have one, it is not recent. Doing a clean install is quite simply never an option for me. The only time I ever do a clean install is in cases of extreme corruption to Windows which is not possible to fix, and I don't have a backup.
     
  2. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    Re: Infected with hard drive encrypting trojan

    How about Avira, BitDefender, and McAfee?
    Scan your PC with these major antivirus products.
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Re: Infected with hard drive encrypting trojan

    If it's encrypted all your files you are pretty screwed anyway. You may have to roll back your system even if an AV detects it if you want your documents back, that is, if it's a legitimate encrypter program.
     
  4. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,085
    Re: Infected with hard drive encrypting trojan

    The CryptoLocker malware
    http://techblog.avira.com/2013/11/07/ransomware-in-the-wild-the-cryptolocker-malware/en/

    All Avira products detect this malware as "TR/Fraud.Gen2".


    Try a scan with Avira Rescue System
    http://www.avira.com/en/download/product/avira-rescue-system
    How to use Avira Rescue System
    http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/267
    or
    Avira PC Cleaner
    http://techblog.avira.com/2014/01/09/avira-pc-cleaner-a-second-opinion-scanner/en/
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Re: Infected with hard drive encrypting trojan

    Sorry, there is no way you can clean up the infection, whatever tool you use. Actually, running an AV will break the virus and your chance to pay and get the data back.

    Two solutions only: Pay or restore from a backup.

    Here below you have a complete guide:
    http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

     
  6. Malware fighter

    Malware fighter Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    253
    Re: Infected with hard drive encrypting trojan

    not cool.....:mad:
     
  7. phyniks

    phyniks Registered Member

    Joined:
    Jun 3, 2011
    Posts:
    258
    Re: Infected with hard drive encrypting trojan

    Scan the file with VirusTotal to see which AV can detect the malware.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Re: Infected with hard drive encrypting trojan

    Not so quick. Honestly, try WSA or Eset on it. :thumb:
     
  9. GreekGuy

    GreekGuy Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    41
    Location:
    Toronto, CANADA
    Re: Infected with hard drive encrypting trojan

    I was under the impression that Webroot would reverse any damage done by the encryption as long as it was running BEFORE the infection occurred.

    Is this not the case?
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Re: Infected with hard drive encrypting trojan

    eheh... too much confidence in AV products :D
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Re: Infected with hard drive encrypting trojan

    I don't know if those encrypting trojans also encrypt external drives, but if you can still access your files, perhaps you can still back them up to an external drive. (Do make sure that the external drive contains no important files in case it also gets encrypted.)

    You can also try installing the latest HitmanPro.Alert beta; it blocks the encrypting behaviour, so perhaps it can also halt the encryption process:
    -http://dl.surfright.nl/hmpalert26.exe-

    EDIT: Have you tried scanning in EWS mode with HitmanPro? You might need to enable it first in the settings.

    That is the concept afaik, but if the computer gets locked on booting then it is probably unable to start, so not able to reverse the process.

    Indeed :D
     
  12. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,228
    Location:
    North Texas
    Re: Infected with hard drive encrypting trojan

    He wasn't using WSA. Nonetheless, hope you get it cleared, Roger_M. Not a fun day!
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Re: Infected with hard drive encrypting trojan

    That's what they claim. I know Webroot has put a lot of resources into detecting and remediating CryptoLocker.
     
  14. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,228
    Location:
    North Texas
    Re: Infected with hard drive encrypting trojan

    You're correct from what I have read. I keep Crypto-Prevent in line (just in case) as it has no impact... I don't think Roger_M uses AV normally according to his signature, but those aren't always up to date. I'm curious to see if he can get around this without restoring...
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Re: Infected with hard drive encrypting trojan

    Judging from OP signature (i.e. "no antivirus")... no WSA was running on the system. ;)
     
  16. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Re: Infected with hard drive encrypting trojan

    Now you know the protection in your signature is not enough.
    Try a multi-layered approach...
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Re: Infected with hard drive encrypting trojan

    He was running no AV when this happened. He did use WSA but didn't like the popup of having it clean the system. My point is, and in fairness to WSA, had he left it on there I bet we wouldn't even have this thread. My suggestion is to install it and see what happens.
     
  18. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Re: Infected with hard drive encrypting trojan

    So are your files encrypted? Do you still have the pop-up demand?
    Some of these programs are just scams; they do not actually carry out their threat to encrypt.
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    973
    Location:
    Paris
    Re: Infected with hard drive encrypting trojan

    Guys, no third-party product will de-encrypt files. An AV can certainly detect the initial trojan, and something like Crypto-Prevent will protect files from such manipulation. If they could actually decrypt the files, these trojans would be trivial. Assuming Roger's files are actually encrypted (easy enough to tell, and I wish Roger would) he is lost without paying/restoring.

    And Roger, if you do try to restore an image from an external drive, I STRONGLY suggest you use something like Darik's Boot and Nuke on the infected drive BEFORE attaching the external. Although I've never seen a cryptor jump, one never knows.
     
    Last edited: Feb 18, 2014
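Both mick92z (#18) and cruelsister (#19) make the same point: the first thing to establish is whether the files are really encrypted or whether the pop-up is an empty threat. As an added example, not code from any poster in this thread, the Python triage script below checks a file's leading bytes against the header its extension promises and falls back to byte entropy when no header is known; the MAGIC table and the 7.5 bits/byte threshold are constructed heuristics, not a definitive test.

```python
import math
import os

# Constructed lookup of header bytes for a few common document types (not exhaustive).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, prose near 4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(name: str, head: bytes) -> str:
    """Return 'intact', 'encrypted?' or 'unknown' for a file name and its first bytes.

    A known extension whose header no longer matches is the strongest signal:
    rewriting a file's contents with ciphertext destroys the format signature.
    For types without a known header, fall back to entropy of the sample.
    """
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is not None:
        return "intact" if head.startswith(expected) else "encrypted?"
    return "encrypted?" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"

def scan(root: str, sample_size: int = 4096) -> dict:
    """Walk a directory tree read-only and record a verdict per file."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    verdicts[path] = classify(fn, f.read(sample_size))
            except OSError:
                verdicts[path] = "unreadable"
    return verdicts
```

Run scan() against a documents folder from a clean boot medium and count the "encrypted?" verdicts; a handful of hits on compressed or unusual formats is noise, but the same verdict on nearly every office document confirms real encryption rather than a scam.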
  20. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    Re: Infected with hard drive encrypting trojan

    I recommend HitmanPro to get rid of it.

    You can download Shadow Explorer, select date when everything was OK and export files that you need.

    Once done use Malwarebytes.

    At the end use CryptoPrevent to prevent that in the future.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    973
    Location:
    Paris
    What would be the point of using anything to delete a trojan on a drive that has to be re-imaged?
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    For starters, it may not be encrypted.
     
  23. Alhaitham

    Alhaitham Registered Member

    Joined:
    May 18, 2013
    Posts:
    173
    Location:
    Egypt
    How about backing up your important files and system and then uploading them to the web, because it would be risky to attach an external drive?

    It would take a long time but it is better than nothing.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Yes, you can only hope for that. Otherwise pay or backup. No other ways around it.
     
  25. Austerity

    Austerity Registered Member

    Joined:
    Jun 21, 2013
    Posts:
    367
    Location:
    Georgia / USA
    How much money are these ransomware Trojans asking for to decrypt the files? I can't believe in today's day and age that cyber criminals can get away with money actually going to an account and them receiving the money without any repercussions from some sort of law enforcement.
     