since yesterday I am waiting for reply from dr.web, can you suggest any more possibilities
Try resubmitting using this link to Dr Web https://vms.drweb.com/sendvirus/?lng=en You probably have to create a ticket first rather than emailing Vladimir direct. I don't know any other service so stick with it. It does work.
iwolf has pointed out the solution I had to adopt...
The virus encrypted all the music files on the infected machine, including the default sample music. All I had to do to get an original copy of an unencrypted file was to grab a copy of one of the sample music files from another PC.
I tell you, I've never listened to it before but "Sleep Away" by Bob Acri has never sounded so good! - On a Windows 7 machine, it can be found in C:\Users\Public\Music\Sample Music\Sleep Away.mp3
Perhaps a more ideal file (smaller filesize) would be one of the sample pictures in C:\Users\Public\Pictures\Sample Pictures. The Koala.jpg looks a pretty cute and suitable hero.
Apologies if I am teaching anyone to suck eggs (sorry ryko), but it may be worth explaining that although you can easily replace the corrupted (encrypted) files if you have original backup copies, the issue is you may not remove the infection if you do not use the appropriate scanning/fixing tool, and you may not have backup copies of all files that have been encrypted.
The most important function is to stop and remove the infection and then recover any lost files. You will need antivirus/anti-malware tools to do this, and Dr Web or Kaspersky both provide a specific tool for this particular job. However, as many sufferers do not have backup copies of files required to reverse the encryption this trojan performs, it hampers chances of recovering the files. Fortunately, however, as the trojan encrypts the sample music and pictures that come installed on Windows, it is much easier to get an unencrypted original of one of those files and hence restore your own files.
Good luck to anyone unfortunate enough to have been infected and troubled by this problem.
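The recovery described in the post above relies on the trojan using the same key material for every file it encrypts: once you hold one encrypted file together with its untouched original (a Windows sample picture or track), that pair gives away enough to undo the others. The script below is an added illustration, not code from this thread or from the Dr Web/Kaspersky tools. It assumes a deliberately simple scheme as a stand-in (each file XORed with one reused keystream); the real trojan's algorithm is not described anywhere in the thread, and the file contents, names and "hardcoded-key" secret are all constructed for the demo.

```python
"""Known-plaintext recovery against a file-encrypting trojan that reuses one keystream.

Hypothetical scheme (an assumption for this demo, not the real trojan's algorithm):
    ciphertext = plaintext XOR K          with the same K for every file
Consequence:   K = ciphertext XOR plaintext for any file whose original we still have,
and that recovered K decrypts every other file up to the length of the known original.
"""
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- stand-in for the malware (constructed) ----------------------------------
def trojan_keystream(length: int, secret: bytes = b"hardcoded-key") -> bytes:
    """Hash counter mode with a fixed secret, so every file gets the same stream.
    This is the constructed weakness the recovery below exploits."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def trojan_encrypt(plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, trojan_keystream(len(plaintext)))


# --- constructed sample data ---------------------------------------------------
# Stands in for C:\Users\Public\Pictures\Sample Pictures\Koala.jpg (JPEG header + filler).
SAMPLE_ORIGINAL = b"\xff\xd8\xff\xe0" + b"Koala.jpg constructed sample " * 200  # 5804 bytes
VICTIM_FILES = {
    "report.pdf": b"%PDF-1.4 constructed victim document " * 40,           # 1480 bytes
    "invoice.docx": b"PK\x03\x04" + b"constructed office file " * 60,       # 1444 bytes
    "big-video.mp4": b"\x00\x00\x00\x18ftypmp42" + b"x" * 20000,            # longer than the sample
}

# A few magic numbers, used as a cheap sanity check that a decryption really worked.
MAGIC = (b"\xff\xd8\xff", b"%PDF", b"PK\x03\x04", b"ID3", b"\xff\xfb")


def looks_decrypted(data: bytes) -> bool:
    return any(data.startswith(m) for m in MAGIC)


# --- recovery ----------------------------------------------------------------
def recover_keystream(encrypted_sample: bytes, sample_original: bytes) -> bytes:
    """Keystream prefix = C XOR P, valid for min(len(C), len(P)) bytes."""
    n = min(len(encrypted_sample), len(sample_original))
    return xor_bytes(encrypted_sample[:n], sample_original[:n])


def recover_files(encrypted_sample: bytes, sample_original: bytes,
                  encrypted_files: dict) -> tuple:
    """Return ({name: plaintext} for files we can fully recover, [names that are too long]).

    A file longer than the known original cannot be fully decrypted under this scheme,
    because we only learned as much keystream as the sample gave us."""
    ks = recover_keystream(encrypted_sample, sample_original)
    recovered, too_long = {}, []
    for name, ct in encrypted_files.items():
        if len(ct) > len(ks):
            too_long.append(name)
            continue
        recovered[name] = xor_bytes(ct, ks[: len(ct)])
    return recovered, too_long


def demo() -> tuple:
    """Encrypt the constructed files as the trojan would, then recover them from the sample pair."""
    enc_sample = trojan_encrypt(SAMPLE_ORIGINAL)
    enc_files = {name: trojan_encrypt(pt) for name, pt in VICTIM_FILES.items()}
    return recover_files(enc_sample, SAMPLE_ORIGINAL, enc_files)


if __name__ == "__main__":
    recovered, too_long = demo()
    for name, pt in recovered.items():
        ok = pt == VICTIM_FILES[name] and looks_decrypted(pt)
        print(f"{name}: {'recovered' if ok else 'MISMATCH'} ({len(pt)} bytes)")
    for name in too_long:
        print(f"{name}: only partially recoverable, longer than the known sample")
```

Two points the demo makes concrete: the amount of keystream you learn is bounded by the size of the original you can find, so under a scheme like this a larger known file recovers more, and a header check such as `looks_decrypted` is a cheap way to confirm an output is really a JPEG, PDF or Office document before you overwrite anything. As the post says, this only addresses the files; the infection itself still has to be removed first with the proper tool.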
@egghead, that's a good summary of what needs to be done.
This particular attack appears to be winding down. That probably means there's a new variant about to be released.
btw, I see a user earlier in the thread posted a link to fixpcyourself (or something like that) which I hope no-one bothered to follow up. Nothing much wrong with the advice per se, but it's the same generic advice for absolutely everything (rkill + malwarebytes). Okay but not good enough.
Hayton wrote:
btw, I see a user earlier in the thread posted a link to fixpcyourself (or something like that) which I hope no-one bothered to follow up. Nothing much wrong with the advice per se, but it's the same generic advice for absolutely everything (rkill + malwarebytes). Okay but not good enough.
I thought it just looked like somebody peddling their own software in a spam-like manner. Thing is, there is perfectly good and capable software available for free which we know definitely fixes the problem. The recommended fix for this particular problem (the encrypted files variant) is the Kaspersky or Dr Web tool. Then I would recommend updating and running your antivirus tool, and also having a sweep with something like the Microsoft Safety Scanner and old favourite Malwarebytes Anti-Malware.
Some of the other recommended tools will definitely help clear an infected system, so give Combofix or the McAfee Stinger a run too.
That post with a link has now been deleted.
egghead wrote:
I thought it just looked like somebody peddling their own software in a spam like manner.
Maybe. I went through the site and checked it for nuisances; it's a perfectly reasonable if slightly amateurish setup. There's no suspect software being peddled, no urging to phone premium-rate numbers for remote assistance, no links to malware sites. It just looks like someone set up a self-help site but hasn't got much beyond the basics yet. The only part of it that looked slightly fishy was the user-comments section. Some genuine, many not, if I'm any judge. And, yes, Mr Patel posted twice with two usernames to promote what may well be his pet project. Give him 6 out of 10 for a good effort, and at least not recommending anything that's going to mess up someone's system 🙂
The tools that work for the West Yorkshire Police variant may not work properly for the next variant. Each release of this ransomware has included some new refinement. I'm going to have to go back to that French security site I found and see if Malachi (or whatever his name is) has spotted anything new.
Hello all, found out I was infected with this virus last night at 11.30pm. Finally managed to get to sleep at 4.00am by following Step 1 & Step 2 on this page (this links to a product other than a McAfee product - don't know if this is allowed).
What I did:
I don't normally post in forums such as these (as you can see, 1st post) but seeing as how I've never had a virus before I thought I'd chip in and help others with this issue, as I sh*t myself when I saw the fake message. My PC is used for my work and is kept cleaner than clean, no dodgy third-party applications etc, and I'm always careful about what I install - my anti-virus (always McAfee) is always kept up to date so I've no idea how I got infected with this virus. My PC has always run like a dream with no issues at all.
Anyway, hope this helps and apologies for posting a link to a non-Mcafee link (I have no affiliation, honest).
I'll keep you posted if there are any further issues with my PC.
Cheers all.
Message was edited by: mdb1974 on 7/10/12 5:34:56 AM CDT
mdb1974, the link appears to be OK so I will leave it in place. Glad you are sorted out.
Cheers - My only question - Now I've run Malwarebytes - does this pretty much guarantee (within reasonable doubt based on other users' experiences) that the virus is gone from my PC?
Obviously you can't guarantee, but you know what I mean...