virus help needed

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Baiting Guru Joined: 11 May 2004 Posts: 2163

My so emailed me the pic below of her laptop. She can't open any word files. She brought her laptop to some computerrepairguy (i'm still pissed about this) who said he probably cant do anything about it (even more pissed about this). and she will be missing her laptop this weekend (godd@#$!@#@#) Also now she can't do any work this weekend. (meltdown imminent banghead

)

Any ideas what I'll be dealing with here?
She told me she didn't open any email attachments
Didn't open any dodgy facebook video who redirect you to some website.

Posted: Fri Feb 20, 2015 4:09 pm

Its ransomware of some sort - the readme file would probably tell you which and you may find removal instructions on the web.

Posted: Fri Feb 20, 2015 4:12 pm

Does this help?

http://www.idigitaltimes.com/cryptolocker-virus-removal-how-decrypt-or-restore-encrypted-files-and-remove-ransomware-malware-free

http://www.pcworld.com/article/2084002/how-to-rescue-your-pc-from-ransomware.html

Posted: Fri Feb 20, 2015 5:03 pm

I can recommend you to search for help at http://www.spywareinfoforum.com/

There are many volunteers who are specialized in removing all kinds of malware. Years ago I was one of them.
It takes some time because you have to follow the instructions they are giving you and you have to do all scanning and stuff by yourself, but it can save you a lot of money.
They will explain every step in detail so it is easy to do.

If you're from the lowlands I can recommend http://www.mivercon.be/forum/

*** BANNED *** Joined: 26 Jul 2012 Posts: 1123

That definitely looks like cryptolocker which is a nasty breed of ransomware. It would not shock me is that came with a variant of the Zeus platform known as game over as well. You can get this from dodgy files as well like word docs through a macro based vector.

Can you post up the contents of the text file? Mainly I'm curious what they have to say.

https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

I hope your SO was religious about making backups....

Posted: Fri Feb 20, 2015 10:24 pm

^^I year 'ya about back-ups. Even though I'm on a Mac--I do two complete backups every weekend (i.e., complete clones of my system). One to my 2nd internal drive, and the other to a firewire drive.

I use "Super Duper" for the Mac and the smart update--so it takes less than two hours total to do both clones.

Posted: Sat Feb 21, 2015 3:48 am

You could always try wiping the computer fully and reinstalling Windows. Or you can install Ubuntu Linux from a USB drive. I had to do that with my last Ransomware virus. They are nasty buggers, aren't they?

Baiting Guru Joined: 11 May 2004 Posts: 2163

Joker wrote:

That definitely looks like cryptolocker which is a nasty breed of ransomware. It would not shock me is that came with a variant of the Zeus platform known as game over as well. You can get this from dodgy files as well like word docs through a macro based vector.

Can you post up the contents of the text file? Mainly I'm curious what they have to say.

https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

I hope your SO was religious about making backups....

No she hasn't made a lot of backups she's a teacher and a lot of her university stuff is gone.

She gets her laptop back after this weekend. I will post try to post the txt but i can't do anything until then. We are still wondering how she got the virus

Posted: Sat Feb 21, 2015 8:07 am

^^^Does she ever get sent files by her students?

Baiting Guru Joined: 11 May 2004 Posts: 2163

No. that's the first thing I asked. She said she didn't open any attachments

*** BANNED *** Joined: 26 Jul 2012 Posts: 1123

Downloads, attachments, dodgy videos.... all par for the course with malware these days. There is a reason I say it probably came with the Game Over variant of Zeus. They tend to bind that to files on the web and on other people's computers. Start doing file sharing in the office and it gets spread like wild fire.

The malware operator sits there figuring out how to monetize his infected bots. If he can't spy and collect financial details (bank, CC, paypal, etc), they load CryptoLocker on the computer and hold it for ransom.

You can ask yourself what the attack vector was but these days, it really is boiling down to multiple with many malware operators very happy to sit back quietly for months at a time working nothing but spreading their gear. Once they feel they have a sufficient spread they hit the oldest infections not giving them financial data or already bled off of that data with stuff like this, while working newer infections to gain further coverage as they spread.

Don't beat yourself up over that one. It's seriously gone down to a very scary level these days.

Baiting Guru Joined: 11 May 2004 Posts: 2163

Well the computerguy was able to delete the virus. But the documents are still encrypted Confused

I don't know what the name of the virus was
We had a huge argument about this shit. Because 7 years of work is gone. Part of a book she was writing. wordfiles of a lawsuit. And stuff from university.

Posted: Wed Feb 25, 2015 9:53 am

She better have kept those wheelie bin photos or there'll be trouble.

Baiting Guru Joined: 11 May 2004 Posts: 2163

Do not worry I keep anything wheelie bin related on my own computer.

Posted: Wed Feb 25, 2015 9:10 pm

Klaasvaak wrote:

she's a teacher and a lot of her university stuff is gone.

University networks = very scary!!

A bunch of kids who know very little about computing tied together via a mostly open configuration....

*** BANNED *** Joined: 26 Jul 2012 Posts: 1123

^ I would agree there. My university network was definitely a scary place as it was a tech uni. Aside from the crazy bastards in the computer science/engineering wanting to "test" ideas and an open university standard that encouraged the "hacker mentality" (if you want to go all Anonymous and media driven with the definition of that screw you as I am talking old school dev.... not this skid shit). Throw on the import students who I am sure were installing malware onto uni lab computers to sell off login credentials to their buddies back home.... yeah uni computers and networks are a scary place. Laughing

Flash drives are another angle. Plugged into an infected computer, they write a "spread file" to the drive and any computer that it gets plugged into... done deal. As someone said at an IT security conference once:

"You don't want me freely plugging my flash drive into your computer. You don't know where it has been, but I do." Laughing

Baiting Guru Joined: 11 May 2004 Posts: 2163

well i've been reading about the Game over Zeus thing last few days, and thats some scary shit.

Baiting Guru Joined: 19 Mar 2007 Posts: 2628

That looks a nasty virus. I've had to remove ransomwarefrom one of my student offsprings laptop. Think it was that euro/metropolitain police one.Grrr.
Touch wood things have improved since I upgraded and installed Malwarebytes Premium, its been worth the money, you can install the Premium on up to 3 computers.

Through experience Ive learnt to back up files, upload precious pictures to flickr or picassa or even email myself important documents/pictures/files

Posted: Thu Feb 26, 2015 3:56 pm

Klaasvaak wrote:

Well the computer guy was able to delete the virus.

The virus code would also include the encryption algorithm. If it's not on board you may never be able to decrypt the files as the key is missing.

*Edit to add* If the files are locked, you'll have to brute force them open first before even starting to unscramble the contents.