AnotherNewVictim

Honorary Members
  • Posts

    24
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Hi, Adam! I see that I mis-phrased when I said System Mechanic antivirus. I should have made it clear that I meant the antivirus component of System Mechanic. The version I have, System Mechanic 12 Pro, does include antivirus, antispyware and antimalware components. I went with System Mechanic when the technician I was working with heard that I had a license. He stated it was a good product (completely unrelated to his comment that it was developed as a joint product between Iolo and Dell, I'm sure). I know that it definitely got my pc running better when I first bought it (SM). I will read over the article you linked to and decide whether or not to abandon it and use Avast instead. I will also review all the other links you've so thoughtfully provided. I want to be sure I have (and keep) my machine as well-protected as possible. I'm not happy with my pc yet, but I'm very happy about the direction it's going. I may not receive the OS disk from Dell until Monday, so I may not be able to rebuild until then. I will check back once I've finished it and leave a comment indicating so if the thread is still open then. Thank you so much for all your help in this time of crisis! Tom
  2. No, No and No. It was also the ONLY image in the Recovery Partition and was labeled "Factory Image," which I know is not true. Catching up: I spoke to Dell Support on Sunday. The tech I spoke to helped me restore the "factory image" and then ran tons of diagnostics and scans against it to be sure it was virus and malware free. I wanted to go back and start over from scratch, but this was the path he indicated would be faster and equally safe. I went with his recommendations and got my machine working again. Each scan I did with System Mechanic antivirus and Malwarebytes came up clean. I did the port scan available at GRC and that showed no open ports. For the next few days, it worked pretty well, but was sometimes slow coming up or shutting down. It was behaving really hinkily on Wednesday, so I contacted Dell again to see about a fresh start, as no one has any idea what was on my 8/13/13 starting point. The guy had me do the pre-load (?!?) diagnostics (available via F12 during boot-up) and we received an error message regarding the hard drive. I purchased a new hard drive and plan to install it as my primary once I receive the OS disk from Dell. They are sending that, along with another disk containing drivers and <something else>. Once my OS is installed and stable, I will load and update antivirus, malware and Windows updates. Do you want me to update this later, or do you want to close it, as the immediate malware/virus threats are now gone? I want to mention one thing that I couldn't find on the web when I needed it. While running the CyberWall decrypter.exe, it will hang once in a while. Mine did on my Outlook file, so no one had any idea about how far along it was. Once I finally stopped the program, I found that it had hung on a final step and had actually completed decrypting the file. Typically, this program creates a copy (at 0 bytes) of the file being decrypted. 
Once it finishes, the 0 byte file disappears and your original file is decrypted and has a new modified date. If the program seems to be hanging and the copy file shows a size of 500 bytes, the program will hang there indefinitely. I ended mine (processing different files) at least 3 times (including Outlook) and it decrypted successfully each time, but left the work file out there once I stopped the process. Thank you for all your help with this issue, Adam! I'm really glad there are people like you around helping people fight these thieves.
  3. Dell XPS. I just noticed that the tag with the Service Tag and Express Service Code indicates that the Manufacturing Date was 11/08/2012. Is there any legitimate reason why the only Factory Image wouldn't be the same date, or one that precedes it?
  4. Hi, Adam! I got to a point where I had all my files decrypted and then copied off to my backup drive. I went into Dell Backup and Recovery to select the factory image. The strange thing is that the ONLY choice of image said "Factory Image - 8/13/2013 2:24:00 Local Time." I bought this PC in December of 2012. How could the Factory Image be dated 8 months after purchase? Is this something known to be targeted by viruses/malware? I'm going to get some sleep now and hope you might have an explanation or suggestion before I continue. Thanks! Tom
  5. It appears that decryption time increases with file size. That seems to imply that all bytes in the file are encrypted, not just some "header section". Does that sound like something I should expect?
  6. Thanks (again)! What is the effect of holding down the shift when I plug in a USB device?
  7. Update: I finished copying my files, unplugged the new drive and tried the EXPENSIVE decryption program. I have many Terabytes of TV recordings (via a Hauppauge unit) on other USB hard drives. Luckily, I chose to record in the TS format, so those files did not get encrypted. Interspersed between them, however, I have a few MP4 files that did get encrypted on each drive. I had pulled out my Ethernet cable and all USB storage before kicking off the program. Of course, the first files it tried to decrypt were encrypted on my (currently detached) USB drives. The program pops up a message asking if you want to (attach the device) and Retry or Skip that file. I then noticed an option to browse and select a folder (includes those subordinate to it) and tried that. It seems to be doing what it is supposed to do. It is re-startable when I shut it down. It is VERY slow. Apparently, it is much faster to ruin a file than it is to recover it. The files come back with original names and create date/time intact. Modified date shows the current one, so if you know the encryption date range, you can tell at a glance whether or not each file has been decrypted. I have verified successful decryption of the following file types: .txt .doc .xls .jpg I just remembered that the encryption had run against my Outlook file, too, so that is the next file I will try to recover. If you think it would be helpful, I plan to write up a detailed summary of my experience once I get my machine back. If anyone is suffering and has any immediate questions, I will be checking back here, but my main concern now is getting my files recovered. A friend sent me an interesting article indicating that a group of good guys is able to decrypt (for free) files encrypted by the predecessor, CryptoLocker (not CryptoWall). The article has a link to a portal where one can enter one's e-mail address, upload an encrypted file and they will attempt to decrypt it and e-mail it back to you. 
I tried the sample xls file that I provided to the ransomware thieves as a test file, but it returned a message to the effect of "this file does not appear to have been encrypted by CryptoLocker." I will touch base with them soon regarding CryptoWall. http://www.bbc.com/news/technology-28661463 Current questions: The zip (scary) that I downloaded from them includes both an exe (scary) and a file labelled "secret.key". I opened up the key using notepad and it appears to be what I was expecting. Is it possible for me to use that (without the exe) on my external hard drives and, later, on any files I may have missed with the decryption program? Once I've got my machine recreated, cleaned, updated and safe, is having MCShield running going to be enough to protect my pc once I start reattaching my various USB disk/thumb drives to my pristine machine? Of course I mean with Avast and MWAM up, updated and running. I ran MCShield and it said that it had renamed a suspicious autorun.inf file on my new backup drive. How can I best keep my "new" machine protected from anything loaded onto these devices while they were connected to my "old" machine? Should I attach them all and rescan with MCShield before I reformat? Is there a special procedure for reconnecting them?
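Two observations in this thread (in this post, that a recovered file comes back with a fresh modified date, and in post 2 above, that the decrypter can hang and leave a zero-length work copy behind) can be turned into a small post-recovery triage script. The following is an added example, not code from the thread or from any decrypter tool. It assumes the date range in which the ransomware was writing files is known from the incident (a constructed 2014-08-10 to 2014-08-12 window is used here), that the decrypter rewrites the modification time when it finishes a file, and that a zero-length file is a leftover work copy; the sample directory tree and file names are constructed for the example.

```python
"""Post-recovery triage: find files whose modification time still falls
inside the known encryption window (probably not yet decrypted) and
zero-length files that look like abandoned decrypter work copies.

All paths, timestamps and file contents below are constructed sample data.
"""
import os
import tempfile
from datetime import datetime
from pathlib import Path


def classify_file(path: Path, window_start: datetime, window_end: datetime) -> str:
    """Classify one file by size and modification time.

    A zero-length file is reported first, because the decrypter's work
    copy (per the thread) is created empty.  Otherwise an mtime inside the
    encryption window means the file was last written by the ransomware and
    has not been touched by the decrypter since.
    """
    st = path.stat()
    if st.st_size == 0:
        return "leftover_work_file"
    mtime = datetime.fromtimestamp(st.st_mtime)
    if window_start <= mtime <= window_end:
        return "still_encrypted"
    return "untouched_or_recovered"


def scan_recovery_state(root, window_start: datetime, window_end: datetime) -> dict:
    """Walk `root` and bucket every regular file into one of three lists of
    POSIX-style relative paths, each list sorted for stable output."""
    root = Path(root)
    result = {"still_encrypted": [], "untouched_or_recovered": [], "leftover_work_file": []}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            result[classify_file(path, window_start, window_end)].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree(root) -> Path:
    """Create a constructed sample tree with deliberately chosen mtimes."""
    root = Path(root)
    inside_window = datetime(2014, 8, 11, 3, 0, 0)   # written by the ransomware
    long_before = datetime(2014, 1, 15, 9, 30, 0)    # never touched
    now = datetime.now()                             # freshly decrypted
    files = {
        "docs/report.doc": (b"recovered contents", now),
        "docs/budget.xls": (b"still an encrypted blob", inside_window),
        "media/show.ts": (b"recording, never encrypted", long_before),
        "media/clip.mp4": (b"still an encrypted blob", inside_window),
        # Constructed name for the decrypter's empty work copy; the real
        # tool's naming scheme is not described in the thread.
        "mail/outlook.pst.work": (b"", now),
    }
    for rel, (data, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        ts = mtime.timestamp()
        os.utime(p, (ts, ts))
    return root


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    window_start = datetime(2014, 8, 10, 0, 0, 0)
    window_end = datetime(2014, 8, 12, 23, 59, 59)
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_recovery_state(tmp, window_start, window_end)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}:")
        for rel in paths:
            print(f"  {rel}")
```

Run against a real drive by calling `scan_recovery_state` with the drive root and the actual window; anything in `still_encrypted` is a candidate for a second decrypter pass, and `leftover_work_file` entries should be checked against a legitimately empty file of the same name before deleting them, since this check cannot tell the two apart.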
  8. I'm sorry I missed your original reply. I think I saw it as part of your signature and missed it. Thanks for the additional information about Auto-Update. I like to see/know what I'm applying, but I have to not let them pile up. One more question about updates, if you don't mind - Does MS only offer updates for what is installed on my system, or offer everything available for my OS, regardless of whether I have/use the programs or not?
  9. What about applying OS updates - should I select and apply the ones mentioning "security" first, or just apply them all in the order presented? Do you set your updates to download and apply automatically, or just download? Do you know if the automatic apply process will kill running programs if a reboot is required, or wait for them to finish?
  10. OK, will do. I'm still copying files. As soon as the current batch finishes, I will get MCShield & install it. I'll then finish copying files. Once I have everything copied, I will then get to try my expensive new software, the decryption program. I figure that may run all night, so I hope to verify decrypted files, copy them off, too, and rebuild in the morning. I will, of course, not be able to sleep until I'm able to check some preliminary decryption results.
  11. One thing I forgot to ask before is that when I get to OS updates, I'm going to have a boatload of them. Should I apply them in the order displayed or select the ones that mention "security" first?
  12. I don't have a second pc. I understood I was to load Panda onto the infected PC, vaccinate it and then vaccinate the USB drive from there, as the instructions seem to indicate they are done from the same running window. At any rate, I will look into this later, as I have several other USB flash & hard drives to vaccinate.
  13. Hi, Adam! Panda won't display my new USB External Hard Drive. If I unplug that and replace it with a flash drive, it recognizes it and the name appears in Panda's drop-down. The HD is formatted and accessible via File explorer. Does it only work on flash drives?
  14. Wow! That's a lot of information. Unfortunately, I already had started copying files by the time I saw your response. You replied much faster than I had hoped. I had about 4 to 5 hours in, but the bulk of that was in deciding what to copy. I assume you would recommend that I start over and I don't want to skip any steps, so I am now copying my selected files back to a new subdirectory on C: drive. Once that is done, I will start with the Panda USB Vaccine program. Can you advise about any files that are not in the usual "My ..." folders? I'm talking about the stuff that's easy to forget on a reload, like Outlook (e-mails & contacts), favorites and any files saved to the desktop. Can you think of anything else?
Questions after initial perusal of your procedure: Step 3: The only zip files I can think of are either ones that I created or that I downloaded from known sources. If they contain only images, videos and music (no exe suffixes), then are they OK to copy? Step 4: It seems counterintuitive to download anything while who knows what is running, especially while connected to the web. Also, is it ok to initially bring it up with Windows Defender and Windows Firewall, since they will both be in the clean image? You don't mention MBAM here. It looks like you're lumping it in with other stuff in Step 10. I suppose I should install that before the other listed programs? Step 10: Java. Before I used it in a programming class, I'm pretty sure that I had been told by a website that I needed to download it for something to work properly. I'll admit I haven't read the Java links you provided yet, but it sounds as if I should reply "no" to such questions in the future for pretty much anything. Does the download pop up from my OS or from the web page? If the latter, what's to stop an unscrupulous web developer from labeling the download button as "No"?