Laptop infected with some ransomeware, all files now with ext .0x0

[surajthakur]

Hi

 

Please help me !

 

Today my Laptop got infected with some ransomware ? All files (video, mp3, photos, words, excel etc.) are now with extension .0x0. Tried renaming by removing .0x0 but no use.

 

There is text file kept in each folder says that if I want my files back then I should e-mail them.

 

If any1 knows about this, please help in getting my files back..

 

 

[MrCharlie]

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products, Windows), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Make sure the rootkit scan is enabled

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button. (make sure the Addition box is checked)
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

You can also use this version of RogueKiller which works on both 32 and 64 bit:

RogueKiller 32 & 64 bit

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Sometimes when clearing out an infection the winsock stack will become corrupt and you'll loose your internet connection. To resolve this....reset the stack as outlined HERE

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

[surajthakur]

Thank you Mr Charlie for taking time to volunteer to help  me with this menance..

 

Apologies for late posting...I followed all your instructions...

 

First I uninstalled utorrent, also would like to declare that I am not using any illegal software...all software are  either licensed to me or is Free/Trial version.  

 

After the infection I uninstalled AVG free edition that came with my laptop and have installed Kaspersky 30 day free version which I would eventually buy inn couple of weeks...

 

Also it has infected folder under user..that is desktop,  My Pictures, My Videos etc..No infection in C: Drive all files there are safe..

 

Infected files (word excel videos photos have ext .0x0 renaming didn't help.. Can't do system restore no restore point available before infection...

 

Here is Malwarebytes results...

Malwarebytes Anti-Malware result.txt

 

FRST Log and Addition

FRST.txt

 

Addition.txt

[surajthakur]

Also here is rogue killer report...

 

RogueKiller V10.10.6.0 (x64) [sep 21 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pujusuju [Administrator]
Started from : C:\Users\Pujusuju\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 09/26/2015 18:06:00

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT3 +++++
--- User ---
[MBR] 64713737c037213dca130b95b334eb19
[bSP] f013ff1ae1fa18eff35f87b75b8dcc9d : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15872 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 32507904 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 32712704 | Size: 460966 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

 

Also would like to tell you that yesterday night I started off Guest user also, Previously had only 1user.that is password protected admin account..

 

Scan now shows no infection but how to get back files have running many malware anti virus..since infection like panda, trendmicro Kaspersky malwarebyte...but no luck

 

Please help me I just want to get my photos back....

[MrCharlie]

The logs show some adware/spyware but no malware that I can see.

This infection looks like something new so there's no info on it...but it looks like the typical ransomware virus.

 

It looks like you tried these methods to retrieve your files already:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore

 

Let me do some more research and I'll get back to you.

 

MrC

[MrCharlie]

Please download and run this tool: IDTool v2 - Infection Detection Tool

http://www.bleepingcomputer.com/forums/t/590610/idtool-v2-help-victims-identify-what-ransomware-variant-they-have/

 

Post the log if anything is found.

MrC

[surajthakur]

Thanks MrC, I tried but IDTool didn't show anything..already dropped a message to Nathan.

 

Thanks & Regards

[MrCharlie]

OK, then you don't need my help anymore.

 

MrC

[surajthakur]

No Sir please don't say like that. I tried that only after your suggestion.

Still waiting for your help /guidance.

Please help me.

Thanks

[MrCharlie]

Well there's not much I can do for you so far as your files. I saw your post for Nathan, did you send him the files he asked for??

 

MrC

[MrCharlie]

How are we doing??

 

Do you still need help or can I close this post??

 

MrC

[surajthakur]

Hi MrCharlie,

 

Still nothing happened, tried searching a lot.

 

Did you get something to help decrypt files.

 

Thanks

[MrCharlie]

No, if something comes up, Nathan will know.

If there's no other problems, I'm going to have this topic closed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[exile360]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.