Infected with hard drive encrypting trojan

Discussion in 'other anti-virus software' started by roger_m, Feb 18, 2014.

Thread Status:
Not open for further replies.
  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    That's great. Good thing I use WSA. Useful thread. I can now be more careful with all the advice.
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I'm sorry but you're wrong. WSA will roll back even an unknown Cryptolocker: https://www.wilderssecurity.com/showpost.php?p=2340396&postcount=1 Also, Webroot had a webcast about this issue! https://www.brighttalk.com/webcast/8241/95617

    TH
     
    Last edited: Feb 18, 2014
  3. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    Just wondering about something. If malware or a trojan is saying that your files are going to be encrypted and you see that your HDD drive light is on continuously, which is not normal, wouldn't it be better to right away shut down your computer, then take that HDD to a different computer and try copying all your important data off or do any sort of analysis? At least this way, the virus or whatever it was is not "active" any longer, so if it really was in the process of encrypting your files, it gets halted, right? Or am I missing something here?

    EDIT: Just to clarify, I know you will lose files, but at least you won't lose more files than if you continue to leave the computer on and try to stop or remove the crypting trojan.
     
    Last edited: Feb 19, 2014
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    More than 50/50 I'd bet Kaspersky has a clean tool or unencrypter for this.
     
  5. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
    http://techblog.avira.com/2013/11/07/ransomware-in-the-wild-the-cryptolocker-malware/en/

     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA's journal is unlimited. Personally, I've only tested Cryptolocker up to 15GB but as long as you have free disk space, it will continue journaling any changed files, even if we miss Cryptolocker upfront.
     
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
    Rollback RX will prevent CryptoLocker and similar zero day malware attacks. All you have to do is revert to a point in time before the trojan installed itself on your Windows system.

    Since it works on the principle of virtualizing Windows, you can revert from an infected snapshot and recover your files before they were encrypted. Upon reverting to a clean snapshot, you can then safely delete the infected one. Poof - CryptoLocker or whatever malware you have is gone! :thumb:

    And it saves you from your own mistakes that screw up Windows. :rolleyes:
     
  8. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Please make that video public to all of us, Malwar, or PM me a link if it is OK with you.

    /E
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Are you sure?
    It can help you to retrieve your data, but I have doubts about prevention....
    ;)
     
  10. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Does System Restore work in a crypto infection, i.e. System Restore works successfully & files are back to normal?

    I do tests. During 2 of my tests I had a crypto infection & my pictures and my videos in system drive C were encrypted. I restored the system with Comodo Time Machine & the files were back to normal. So I think if you have a snapshot program installed it helps.

    Does crypto also encrypt files in other partitions? I have partitioned the drive into C & E. I keep all my things in E.
     
  11. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    Perhaps using recovery software like Recuva may help if the malware has deleted the original files before encrypting them. But before this the malware should be removed using a rescue disc like that of Kaspersky. For recovery, Lazesoft freeware has the option to create a WinPE disc. It is better to create rescue discs on another clean system.
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    sm1 has it correct

    If it's the case that this malware is actively encrypting files in the background then continuing to run the system while attempting to fix the problem is self-defeating.

    The first priority should be to run a PE based boot disc to see exactly what damage has been caused while preventing further issues. It'll take some time to encrypt everything, so some files should be unaffected as yet; it's a priority to back these up before anything.
     
  13. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    Trust me dude, malware won't usually knock knock before kicking in. Likewise, it won't let you know what's going on in the background, I mean it's not like "oh man the bastard says it's messing with my files, it's encrypting them, etc." Otherwise that's exactly what a pro user would do in that situation. :)
     
    Last edited: Feb 19, 2014
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I wouldn't be so quick to say he's wrong when it's very likely a much older version of WSA had been used by Taliscicero; the link you posted to is for a product release that's still quite new.
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Well, who in their right mind would be on an older version? But the newly released version adds generic blocking of threats like Cryptolocker to the client, as the Monitoring and Rollback was always there! Good info on Cryptolocker: https://www.wilderssecurity.com/showthread.php?t=360332 & the one I posted earlier.

    TH
     
  16. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    Haha true. Malware won't usually tell you anything. But that's exactly what I'm trying to say. OP said that the HDD was continuously on and it was suspicious. The malware already said that the files are being encrypted. At that point, it's best to do what elementary teachers teach you about being caught on fire. STOP, DROP, AND ROLL. In this case, STOP, DROP, and use WinPE. Instead the OP continued to use the computer and tried to find the trojan. Obviously the trojan won't make it easy to find, so while he's doing that, it continued to do its job of encrypting the files.

    So, the good thing is that it sort of tells you what it's doing. The bad thing is... it still sucks either way.
     
  17. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I wasn't meaning he's using an older version currently. I was under the impression he's referring to when he last used WSA, and this is where he draws his conclusions from.

    I do agree though that in such cases the journaling and rollback should kick in, but it's good to see improvements have been made to blocking such malware generically in the latest build.
     
    Last edited: Feb 19, 2014
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've been adding in extra blocking just to prevent any execution of Cryptolocker, but the journaling functionality has always fully covered Cryptolocker without any change.
     
  19. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    &

    I just don't get how that's possible. If you have a 300GB hard drive full of 180GB of photos, how is it possible for Webroot to restore them? Even if it remembers exact copies, how could it have the 180GB of space to store them on your 300GB hard drive? That would be 360GB of space required. I'm not quite understanding how that works.

    My one experience with the rollback/replace system was a failure and it did not work; you guys fixed it since then. I'm just confused about how the journal can work when your storage space is more than half full.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA compresses files as it backs them up and only backs up changed bytes, so there is some space saving. Most hard drives are < 10% full and Cryptolocker doesn't target every file type, but of course, we are limited by the available storage space (as would be any backup solution).

    And, the issue you ran into was unrelated to repairing files: it was because we were identifying the system file being replaced and not running the rollback feature at all and instead first running the system file repair logic (which was what wasn't working). Even builds from a year ago will block Cryptolocker (if someone didn't upgrade, for whatever reason).
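    PrevxHelp's description above (only changed bytes are journaled, they are compressed, and the journal is bounded by free disk space) as a toy illustration added here, not Webroot's code: a journal that records the compressed byte ranges an overwrite destroys and can roll a file back. It also shows why a whole-file overwrite of incompressible data still costs about the full file size, which is the limit the post acknowledges. The file name and contents are constructed.

```python
import random
import zlib
def changed_ranges(old: bytes, new: bytes):
    """(offset, old_bytes) for each region an overwrite old -> new destroys."""
    ranges, n, i = [], min(len(old), len(new)), 0
    while i < n:
        if old[i] == new[i]:
            i += 1
            continue
        start = i
        while i < n and old[i] != new[i]:
            i += 1
        ranges.append((start, old[start:i]))
    if len(old) > n:                      # tail the new version dropped
        ranges.append((n, old[n:]))
    return ranges

class ChangeJournal:
    """Toy journal: before a file is overwritten, keep only the compressed
    bytes that would be lost, so a later rollback can restore the original."""
    def __init__(self):
        self.log = {}          # path -> [(original length, compressed chunks)]
        self.bytes_used = 0    # journal footprint, bounded by free disk space

    def record(self, path, old: bytes, new: bytes):
        chunks = [(off, zlib.compress(d)) for off, d in changed_ranges(old, new)]
        self.bytes_used += sum(len(c) for _, c in chunks)
        self.log.setdefault(path, []).append((len(old), chunks))

    def rollback(self, path, current: bytes) -> bytes:
        data = bytearray(current)
        for orig_len, chunks in reversed(self.log.pop(path, [])):  # newest first
            for off, comp in chunks:
                chunk = zlib.decompress(comp)
                data[off:off + len(chunk)] = chunk
            del data[orig_len:]           # drop bytes the overwrite appended
        return bytes(data)

def demo():
    journal = ChangeJournal()
    photo = random.Random(1).randbytes(4096)   # constructed stand-in for a JPEG
    # 1) Legitimate edit: 16 bytes of metadata change, so the journal grows by a few bytes.
    edited = photo[:100] + b"edited metadata!" + photo[116:]
    journal.record("IMG_0001.jpg", photo, edited)
    after_small_edit = journal.bytes_used
    # 2) Whole-file overwrite such as an encryptor produces: every byte differs and
    #    the data is incompressible, so the journal grows by about the full file size.
    overwritten = bytes((b + 1) % 256 for b in edited)
    journal.record("IMG_0001.jpg", edited, overwritten)
    after_overwrite = journal.bytes_used
    return after_small_edit, after_overwrite, journal.rollback("IMG_0001.jpg", overwritten) == photo
```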
     
  21. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    How about using a recovery disk ("linux recovery disk") to find where the bad files are and removing them, or try ULTRA VIRUS KILLER.

    I think UVK is your best bet to disinfect you and find it and get rid of it.

    Here is a tutorial video on what and how to use uvk.

    watch it: -https://www.youtube.com/watch?v=1yLJUSeWlEs

    The tool is here and the free version can solve your issue. It's your best help.

    -http://www.carifred.com/uvk/

    Try it and among all the infection cleaning product, I think this is the best for your situation.
     
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    It turned out I did not have an encryptor trojan.
    https://www.wilderssecurity.com/showpost.php?p=2342160&postcount=48
     
  23. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    Well it has turned into an interesting discussion about encryptors :)
     
  25. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349