is there a fix to eliminate the locked files automatically, or am I being greedy?
I saw this in a discussion somewhere else - the Dr.Web fix creates decrypted copies of the infected files. You have to delete those files yourself.
Yup - that's how it should be, IMO.
If the decryption goes wrong, or doesn't work for whatever reason, you still have the encrypted ones to have another go at.
Hi all, have just sorted this on my mum's PC thanks to Dr Web, am just posting to let everyone know what to do to remove the encryption without having to read through several pages and work it out!
Download matsnu1.decrypt.exe off of Dr Web's site, link below.
Run the program and it will guide you through the process. You need a copy of one of the files which has been decrypted, and a clean copy of the same file (see the importance of backups!).
Select the two files when prompted, and click continue and the program will do the rest to deal with the encryption.
Hope this helps!
Message was edited by: nickc89 on 04/05/12 09:02:41 CDT
Ok, so this one has caught me as well. Brief synopsis:
- ran Malwarebytes in safe mode, detected hijack and trojans, removed, no joy
- system restore, no joy
- ran stinger, detected hijack and 4 trojans, reported that it had cleared 3 but only partially cleared 2, and now...
- can no longer boot up at all - simply reports that the boot section has failed because a required device is inaccessible (status 0xc000000f) - "a recent hardware or software change might be cause"
- have tried booting from recovery disc - get the same screen
- ran Lenovo rescue, but the only choice I can see is to wipe and restore. However, was able to navigate folder structures, and see that I have many locked files.
Since I can no longer get past boot up, I'm not able to try the various other options I've seen, such as the Dr Web tool or Windows Defender Offline.
Laptop is a Lenovo T500, OS is Win 7.
In my 20 years of being online, this looks to be the nastiest virus I've encountered. And tbh, whilst I don't have money to throw around, I'm thinking that my only option might be to find a reputable PC Doctor.
Any help would be most gratefully received.
@dominic29 : you need to manually delete the old (encrypted) files. See post #43.
@dubedford : running all those tools must have done something to your system. The best advice I've found is to run Bootrec.exe - see http://support.microsoft.com/kb/927392
If you can't get that to work then see
There are a number of similar threads over on the Microsoft forums, but each error message seems to have a different underlying cause so I won't point you towards any specific thread : the recommendations are all different.
You may need to ask over there for assistance. The Windows 7 Miscellaneous forum might be your best bet - go to http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/threads.
Many thanks for your swift response and kind reply.
Your leads have possibly helped along the way. Whilst the bootrec won't run from my recovery disk, I have managed to download, burn and run a copy, which allowed me to try fixing using the repair utility and the various (internet) advised fixes through using the cmd prompt. This moved me on to at least getting a new error message, regarding a missing %hs, and which in googling took me to this page:
Unfortunately, that's where I'm up to now: have downloaded, burnt and run the Hiren's BootCD facility, which means I'm now able to edit the registry, only that the virus at hand isn't affecting the registry in the same way as that discussed on the above page.
Will look to post on the suggested site, and will be happy to update here should I find the solution.
What a great way to spend the weekend.
If you followed the Dr Web instructions then the decryption hasn't worked, or their program has a bug in it. If the decryption isn't working then maybe the encryption method has been changed. Either way, you'll need to ask someone at Dr Web to look into this.
You still have the encrypted files? Keep them, delete all the 0-byte 'decrypted' files, and have another go once you've checked with Dr Web.
Found what the issue was. The files I was checking were on a second hard drive I had installed. There was not enough room left on it to create decrypted copies for all of the drive. The files on my C: drive have all been re-instated. But with two additional 1TB hard drives installed I have some long hours ahead removing all the locked files and freeing up space before I run the decryptor file again. Many thanks to all who contributed getting me back on track.
Found this site last night (while in safe mode). I got this nasty virus last night. Managed to do a system restore and then ran Rkill followed by the program from Dr web all in safe mode. Luckily my son put a couple of pics on yesterday and still had the unencrypted files on his camera. I am so pleased it worked.
Regarding the locked files, what I did was: search for " locked" then view more results. Select all and then delete. There were a couple of files at the bottom that I had to de-select. Worked for me. 6660 files deleted in less than five minutes.
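
Added example, not part of any post in this thread and not Dr Web's code: a read-only check that pulls together the advice above (keep encrypted files until a working copy exists, find 0-byte "decrypted" leftovers, confirm the drive has room for the copies) before anything is bulk-deleted. The `locked-` prefix, the extra trailing extension and all function names are assumptions for illustration; adjust them to the names actually seen on the disk.

```python
import os, shutil, tempfile

LOCKED_PREFIX = "locked-"  # ASSUMPTION: how encrypted copies are named; adjust to what you see

def original_name(locked_name):
    """ASSUMED mapping: 'locked-photo.jpg.abcd' -> 'photo.jpg'."""
    return locked_name[len(LOCKED_PREFIX):].rsplit(".", 1)[0]

def triage(root):
    """Classify locked files under root. Read-only: nothing is deleted."""
    report = {"has_copy": [], "keep": [], "empty_decrypted": [], "bytes_needed": 0}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith(LOCKED_PREFIX):
                continue
            locked = os.path.join(folder, name)
            plain = os.path.join(folder, original_name(name))
            if os.path.isfile(plain) and os.path.getsize(plain) > 0:
                # Non-empty copy exists; open a few by hand before deleting 'locked'.
                report["has_copy"].append(locked)
            else:
                # No usable copy yet: keep the encrypted file for another attempt.
                report["keep"].append(locked)
                report["bytes_needed"] += os.path.getsize(locked)
                if os.path.isfile(plain):
                    report["empty_decrypted"].append(plain)  # 0-byte leftover
    # The decryptor writes copies beside the originals, so the drive needs room.
    report["enough_space"] = shutil.disk_usage(root).free > report["bytes_needed"]
    return report

def demo():
    """Run triage on a constructed sample tree (not real data)."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"locked-a.jpg.abcd": b"ENCRYPTED", "a.jpg": b"picture",
                  "locked-b.doc.wxyz": b"ENCRYPT", "b.doc": b"",
                  "locked-c.txt.qrst": b"ENC", "notes.txt": b"untouched"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        rep = triage(root)
        for key in ("has_copy", "keep", "empty_decrypted"):
            rep[key] = sorted(os.path.basename(p) for p in rep[key])
        return rep

if __name__ == "__main__":
    print(demo())
```

Only the files listed under `has_copy` are candidates for deletion, and only after a few of the decrypted copies have been opened and checked by hand.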