Infected with hard drive encrypting trojan

Discussion in 'other anti-virus software' started by roger_m, Feb 18, 2014.

Thread Status:
Not open for further replies.
  1. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Varies. I've seen as little as $150 and as much as $600. You have to remember also that it's just one infection on one computer. Depending on how many infections they have, we could be talking 200 infected computers at $200 a pop. Not saying that everyone is going to pay. It's a wide net, but even if 1/4 pay it's still 10K.
     
  2. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    What can one use to PREVENT/block this?
     
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    67,898
    Location:
    U.S.A.
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Sorry to hear this Roger, unlucky I guess. Shame you didn't download this particular file while you were trying out one of the AVs you've had installed lately (WSA, ESET, 360 etc.), then you would at least have had some kind of defense in place that possibly could have stopped it.
     
  5. Virmaline

    Virmaline Registered Member

    Joined:
    Feb 2, 2014
    Posts:
    16
    Location:
    Rhode Island
    I always have recent backups, but screw paying. Even if I didn't have a backup I would rather lose everything than pay some ~ Snipped as per TOS ~ a ransom.
     
    Last edited by a moderator: Feb 18, 2014
  6. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
  7. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    Re: Infected with hard drive encrypting trojan

    They have a decryption tool too.
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    67,898
    Location:
    U.S.A.
  9. AVusah

    AVusah Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    274
    Just out of curiosity, what was this infected file and where did it come from?
     
  10. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    542
    Location:
    Nottingham
    Re: Infected with hard drive encrypting trojan

    Prisonlocker, exactly where the creators belong :D

    How does that work? If you need an exact copy of the original file to enable decryption, why not just use the original as a backup?
    I am having yet another senior moment :doubt:
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Why would you just download and run an infected file? Was it from a trusted source?

    I would salvage what I can in a LiveCD or another computer, and restore from the image.
     
  12. Austerity

    Austerity Registered Member

    Joined:
    Jun 21, 2013
    Posts:
    372
    Location:
    Georgia / USA
    That was my next question.
     
  13. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    907
    Location:
    Canada
    There is CryptorBit and CryptoLocker, which one do you have? If CryptoLocker you are hosed, nothing you can do except restore from a backup if you have one or reinstall your operating system.

    If you're infected with CryptorBit there may be a bit of hope. There's someone in the Bleeping Computer forum who has written a tool with which he is having some success decrypting several types of files. Might be worth a shot.

    Prevention would be a backup, Hitman Pro Alert or CryptoPrevent. Unsure how AV programs react to these programs; some may detect, none can fix that I am aware of. Somebody correct me if wrong.
     
  14. DX2

    DX2 Guest

    What about Combofix?
     
  15. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
     
  16. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I am amazed at how little some people here on this forum know about how Cryptolockers work. You pay, or you lose your files. It's designed this way; no AV will fix it. You have to have a resident AV running before infection to block the file and not the result.
     
  17. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Soooo is Hitman pro alert a good tool to have installed for this??
     
  18. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Webroot monitors the changes that a malware makes if it does not detect it; then, when it does detect it, Webroot rolls back the changes.
     
  19. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    I had not heard of Cryptolockers.
    Will any of the top AVs block it? How about MBAM or is there too little information on this trojan to be able to tell?
    Thanks,
    Jerry
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,293
    I think Webroot Security Anywhere with its rollback and journaling feature has a good chance to save the day even after infection.

    The user "Malwar" seems to have had a good experience with Webroot's rollback feature.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    No response from the OP since the initial post.
     
  22. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Yes, it was a test I conducted. I turned off the real-time protection from Webroot, installed CryptoLocker, let it encrypt all of the documents, and did a scan without turning real-time protection back on; it removed CryptoLocker and restored the documents to the state before they were encrypted.

    Thanks, Malwar
     
  23. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,999
    I've been busy trying to get this sorted out, and also sleeping too - it was very late at night here in Australia when I started this thread. Thanks for all the suggestions.

    The good news is that it turns out that I never had CryptoLocker or anything similar infecting my system. I only found a couple of minor things with Avast. Next I installed WSA, which found no active infections. MBAM did a scheduled threat (quick) scan and found a few things (I had only run a Hyper (flash) Scan myself).

    Also while I was doing that I did a full system backup with the excellent free Todo Backup.

    My computer was running at a snail's pace after installing and then uninstalling several antiviruses, but I did not want to reboot my computer in case I could not access my data upon rebooting.

    I then ran rkill which found some problems with the run entries in the registry, and then ComboFix (which took 90 minutes to run) which deleted a few infections.

    I opened the backup I had created, on another computer and restored a few files. I was able to open the files - they had not been encrypted, so I figured it was safe to reboot. I rebooted and Windows thankfully started normally, and I was able to access my files. I received the popup again after Windows started. It was asking me if I wanted to backup my file encryption certificate and key, and said that if I did not back it up I could lose access to my encrypted file system.

    You can see images of the popup here.

    This is a message from Windows when you have encrypted files. I have never encrypted any files myself, so had never seen this message before, which led me to believe I had a nasty infection.

    Edit: If I had taken more notice of the original popup and Googled the text from it then and there, I would have known I had nothing to worry about.


    So I guess now I need to find what on my system has been encrypted. One website I went to showed a command to run from a command prompt which would list any encrypted files and folders. It ran for a few minutes, but found nothing.
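    Added example (not from this thread or any poster): a PowerShell script that finds what roger_m's popup is about, i.e. files and folders on the local system carrying the NTFS EFS "Encrypted" attribute, and checks whether the current user actually holds an EFS certificate to open them with. The root paths, report location and output columns are assumptions; Windows' built-in `cipher /u /n` is an alternative way to list EFS-encrypted files.

```powershell
# Added example: enumerate EFS-encrypted files/folders and check for an EFS
# certificate. Assumes Windows PowerShell 5.1+; $Roots and $Report are assumed
# defaults, not values from the thread.
param(
    [string[]]$Roots  = @($env:USERPROFILE),              # assumed starting points
    [string]  $Report = "$env:TEMP\efs-encrypted-files.csv" # assumed output path
)

$efsFlag = [System.IO.FileAttributes]::Encrypted

# Walk each root (hidden/system items included) and keep only items whose
# attribute mask contains the EFS Encrypted bit.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $efsFlag) -eq $efsFlag } |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'Type';  Expression = { if ($_.PSIsContainer) { 'Folder' } else { 'File' } } },
            @{ Name = 'Bytes'; Expression = { if ($_.PSIsContainer) { 0 } else { $_.Length } } }
}

# The EFS certificate lives in the user's personal store with the
# "Encrypting File System" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }

if ($hits) {
    $hits | Sort-Object FullName | Export-Csv -LiteralPath $Report -NoTypeInformation
    "{0} EFS-encrypted item(s) found; report written to {1}" -f @($hits).Count, $Report
    $hits | Select-Object -First 20 | Format-Table Type, FullName -AutoSize
} else {
    "No EFS-encrypted files or folders found under: $($Roots -join ', ')"
}

if ($efsCerts) {
    # Windows nags to back up this certificate because losing it means losing the files.
    "EFS certificate(s) present for the current user:"
    $efsCerts | Format-Table Thumbprint, NotAfter, Subject -AutoSize
} elseif ($hits) {
    "WARNING: encrypted items exist but no EFS certificate was found in Cert:\CurrentUser\My."
}
```

    Run it in an elevated prompt if you want to include other users' profiles in $Roots; a folder flagged Encrypted means new files created inside it will be encrypted automatically, which is often how the attribute spreads without the owner noticing.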
     
  24. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I have used Webroot on some computers for a while. I can tell you almost surely, it would not be able to reverse Cryptolocker. If you can prove me otherwise go ahead, but really it's not going to happen with the way Webroot works now. I am also not talking about the tests with 3 or so document and picture files, as that's pretty rudimentary. I'm talking about a whole drive with stored documents, PDFs and pictures. Webroot does not have a journal system big enough to cope with that many files.
     
  25. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Is 4 GB of files good enough for you? If so I will make a video and post it here (or send it to you through a file sharing service of your choice).
     