Got all my files encrypted by RSA2048/AES-128 NASTY!


  1. Posts : 8
    Windows 10
       #1

    Got all my files encrypted by RSA2048/AES-128 NASTY!


    Hi! I am new here and here is what happened. I opened an email which had an attachment. It was an electricity bill. I know I should not have opened the attachment but I did! Wrong move!
    Found an overlay message in large red letters on my desktop and all my documents, videos, photos encrypted. I never paid the .5 Bitcoin.
    I have VIPRE and Malwarebytes did not stop it. I have Windows 10 so I then established the Administrator entry.
    So now, I have two ways of getting into W10, through my local name account and through administrator.
    Thank god for administrator because all signs of encrypted files are gone! It's a clean fresh version, Great! Only problem is I cannot upload anything!
    If I log in with my old account then all the encrypted files are there and that threatening message from Russia saying send us money!
    What I would like is for someone to point me in the right direction. I can lose all my files, I have no choice, but I need a functioning Windows 10. How can I clean out my old one? Thanks for any help and I am reasonably literate in computer usage but I need clear step by step explanations if you don't mind! Thanks!


  2. Posts : 16,325
    W10Prox64
       #2

    Lancaster said:
    Hi! I am new here and here is what happened. I opened an email which had an attachment. It was an electricity bill. I know I should not have opened the attachment but I did! Wrong move!
    Found an overlay message in large red letters on my desktop and all my documents, videos, photos encrypted. I never paid the .5 Bitcoin.
    I have VIPRE and Malwarebytes did not stop it. I have Windows 10 so I then established the Administrator entry.
    So now, I have two ways of getting into W10, through my local name account and through administrator.
    Thank god for administrator because all signs of encrypted files are gone! It's a clean fresh version, Great! Only problem is I cannot upload anything!
    If I log in with my old account then all the encrypted files are there and that threatening message from Russia saying send us money!
    What I would like is for someone to point me in the right direction. I can lose all my files, I have no choice, but I need a functioning Windows 10. How can I clean out my old one? Thanks for any help and I am reasonably literate in computer usage but I need clear step by step explanations if you don't mind! Thanks!

    Hi Lancaster and welcome to Tenforums, albeit under less-than-ideal circumstances.

    I assume you have the Locky infection? If so, there is currently no hope of getting your files decrypted. Some older versions of encryption viruses have been defeated though. What are the names and/or extensions of the files now? Does each folder have a "How to decrypt" or something similar in it? (for instance, are all *.jpg photo files now *.ecc or something else?)

    You say you have Malwarebytes on the system - is it functioning? If so, can you update the virus definitions and run a full scan of the entire operating system drive? (usually C:) Or, is it disabled and not working properly?

    I really would like to identify the name of the Ransomware you have, as there is hope for recovering your files from some of them. Is there any way for you to post a screen shot of the ransom note? From a phone perhaps?

    Edit: You say you are unable to upload, but are you able to download?
    Last edited by simrick; 05 Apr 2016 at 19:42.


  3. Posts : 149
    Windows 10 Pro x64
       #3

    There's very little you can do now, other than hope you had a file backup or system image taken recently to roll back to.


  4. Posts : 8
    Windows 10
    Thread Starter
       #4

    simrick said:
    Hi Lancaster and welcome to Tenforums, albeit under less-than-ideal circumstances.

    I assume you have the Locky infection? If so, there is currently no hope of getting your files decrypted. Some older versions of encryption viruses have been defeated though. What are the names and/or extensions of the files now? Does each folder have a "How to decrypt" or something similar in it? (for instance, are all *.jpg photo files now *.ecc or something else?)

    You say you have Malwarebytes on the system - is it functioning? If so, can you update the virus definitions and run a full scan of the entire operating system drive? (usually C:) Or, is it disabled and not working properly?

    I really would like to identify the name of the Ransomware you have, as there is hope for recovering your files from some of them. Is there any way for you to post a screen shot of the ransom note? From a phone perhaps?

    Edit: You say you are unable to upload, but are you able to download?

    Thank you for your reply. All the files are encrypted with .LOCKY. I don't want to post a picture of the ransom note as it has my recovery info on it. I spoke with a guy from malware in Santa Clara and there is no way out of the encryption but malware can deal with infection.
    As far as I can see through running full scans there is NO infection on my system.
    I am resigned to losing my files. I would appreciate advice on how to deal with cleaning out the encrypted files. As I indicated I have a clean version of Windows 10 but it is administrator privileged and so I cannot get anything into the clean files. Hope that answers your queries.


  5. Posts : 16,325
    W10Prox64
       #5

    Lancaster said:
    Thank you for your reply. All the files are encrypted with .LOCKY. I don't want to post a picture of the ransom note as it has my recovery info on it. I spoke with a guy from malware in Santa Clara and there is no way out of the encryption but malware can deal with infection.
    As far as I can see through running full scans there is NO infection on my system.
    I am resigned to losing my files. I would appreciate advice on how to deal with cleaning out the encrypted files. As I indicated I have a clean version of Windows 10 but it is administrator privileged and so I cannot get anything into the clean files. Hope that answers your queries.

    Yes, okay, there is no way at present to decrypt Locky. The best you can do right now is copy the encrypted files to another drive and store them in the hopes something will break through, or the servers get confiscated by the authorities, and you can get your personal key.

    You could check the volume shadow service on the computer, to see if the ransomware was unsuccessful in turning it off - sometimes this does happen. See here:
    CryptoLocker Ransomware Information Guide and FAQ
    Scroll down to Using ShadowExplorer -

    A full scan of the operating system drive with Malwarebytes Antimalware or ESET Online Scanner should remove all traces of the ransomware. Note that, once the encryption is completed and the ransom note appears, its work is finished, and it shouldn't be doing anything further on the system (basically rendered harmless once finished).

    If you are unable to run these, you could try Kaspersky's Rescue Disk. It would need to be downloaded and burned to disk from a working, clean computer and then run on the infected system at boot.

    Kaspersky Rescue Disk 10


    How to Use the Kaspersky Rescue Disk to Clean Your Infected PC


    Make A Bootable USB Kaspersky Rescue Disk 10 - gHacks Tech News



  6. Posts : 16,325
    W10Prox64
       #6

    To get rid of the infected files, simply copy to another drive (if you're going to save them), or just delete them from the computer.
    I'm not sure I understand what you mean by this:
    I have a clean version of Windows 10 but it is administrator privileged and so I cannot get anything into the clean files.
    Last edited by simrick; 06 Apr 2016 at 16:04.


  7. Posts : 8
    Windows 10
    Thread Starter
       #7

    simrick said:
    To get rid of the infected files, simply copy to another drive (if you're going to save them), or just delete them from the computer.
    I'm not sure I understand what you mean by this:

    I have Windows 10. I have access by: 1 User name 2 Administrator. When I open using Administrator the ransom message is gone from my desktop and I have ALL my file folders without the .LOCKY's. In Admin sign in I am not allowed to get photos from my camera. That is why I need to get back to using my User Name entry.
    Thanks for taking the time to help me here. It is appreciated. Could you offer me some advice on how to get the ransom note off my desktop? And also best way to delete my photo files, my music files etc.? Thanks again and to this great site.


  8. Posts : 16,325
    W10Prox64
       #8

    Lancaster said:
    I have Windows 10. I have access by: 1 User name 2 Administrator. When I open using Administrator the ransom message is gone from my desktop and I have ALL my file folders without the .LOCKY's. In Admin sign in I am not allowed to get photos from my camera. That is why I need to get back to using my User Name entry.
    Thanks for taking the time to help me here. It is appreciated. Could you offer me some advice on how to get the ransom note off my desktop? And also best way to delete my photo files, my music files etc.? Thanks again and to this great site.

    You're welcome. Yes, this is a great site!

    The Administrator account - you've enabled the hidden Admin account?

    Running Malwarebytes Antimalware and/or ESET online scan should remove the ransom note when it removes the infection.

    You could try this:
    Create a new admin-level user, a different name than your current username. See option #3 here:

    User Account - Add in Windows 10 - Windows 10 Forums

    Then log out of the Administrative Account, and log into your newly-created admin-level account. Then follow the instructions in this tutorial to delete the old user account, choosing to *not* keep files and folders:
    User Account - Delete in Windows 10 - Windows 10 Forums

    Then be sure to re-hide (disable) the hidden administrator account, if you did indeed enable it.

    Use the newly-created user account now as your normal user account.


  9. Posts : 8
    Windows 10
    Thread Starter
       #9

    simrick said:
    You're welcome. Yes, this is a great site!

    The Administrator account - you've enabled the hidden Admin account?

    Running Malwarebytes Antimalware and/or ESET online scan should remove the ransom note when it removes the infection.

    You could try this:
    Create a new admin-level user, a different name than your current username. See option #3 here:

    User Account - Add in Windows 10 - Windows 10 Forums

    Then log out of the Administrative Account, and log into your newly-created admin-level account. Then follow the instructions in this tutorial to delete the old user account, choosing to *not* keep files and folders:
    User Account - Delete in Windows 10 - Windows 10 Forums

    Then be sure to re-hide (disable) the hidden administrator account, if you did indeed enable it.

    Use the newly-created user account now as your normal user account.

    Hi again and thanks, I think we are on the right track.
    Firstly I don't know if I have the hidden Administrator because it will not allow me to upload photos from my camera. It says you are not allowed to upload from your camera drive. I tend to be very literal so do get confused by having a user account (the one where they encrypted) and I have a PIN to sign into that. I somehow got my Administrator account and it says ADMINISTRATOR. I use a password to enter that one and I am on it now. I get confused when I have a Microsoft P/W and two Windows accounts presently, one with a PIN, the other (Administrator) with a P/W. When I create the family/other user account can I do it from my User/name account (my old one) or my Administrator? To be honest I don't know if it is THE hidden Administrator.
    I tried using a USB Drive E to send my Picture file contents which are all Locky files and I think it looks like I am sending them to E drive and then I check and my Picture file is NOT empty so it is not moving them.


  10. Posts : 16,325
    W10Prox64
       #10

    Lancaster said:
    Hi again and thanks, I think we are on the right track.
    Firstly I don't know if I have the hidden Administrator because it will not allow me to upload photos from my camera. It says you are not allowed to upload from your camera drive.
    Okay, you do not have the hidden administrator account enabled. My mistake. I was confused.
    I would not try to do any uploading from the camera until you have the system cleaned. That is probably what is preventing it. Were you able to run the ESET Online Scan or Malwarebytes Antimalware?

    Lancaster said:
    I tend to be very literal so do get confused by having a user account (the one where they encrypted) and I have a PIN to sign into that. I somehow got my Administrator account and it says ADMINISTRATOR. I use a password to enter that one and I am on it now. I get confused when I have a Microsoft P/W and two Windows accounts presently, one with a PIN, the other (Administrator) with a P/W.
    So you have 2 accounts, one called Administrator which uses a password, and one with a username (local account) which uses a PIN, correct? And the user account with the PIN is the one that was encrypted, right? Do they both have admin rights on the system?

    Lancaster said:
    When I create the family/other user account can I do it from my User/name account (my old one) or my Administrator? To be honest I don't know if it is THE hidden Administrator.
    You can do it from either account. Only an "admin-rights" account will have authority to do this. If the account you're in doesn't allow you to create a new user, then it's not an admin-level account, so try the other one. Make sure the new account you create has admin rights as well (not a child account).

    Lancaster said:
    I tried using a USB Drive E to send my Picture file contents which are all Locky files and I think it looks like I am sending them to E drive and then I check and my Picture file is NOT empty so it is not moving them.
    It could be that you are "copying" and not "moving". In that case, once the files are all copied to the flash drive, you can just select them all on the computer and right-click, then Delete.
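
The archive-then-delete step from posts #5 and #10, together with the shadow copy check from post #5, as an added PowerShell example that is not part of the original thread. The source folder, the `E:\locky-archive` destination and the `-DeleteAfterVerify` switch are assumptions made for illustration.

```powershell
# Added example (not from the thread). Paths and parameter names are assumptions.
param(
    [string]$Source      = "$env:USERPROFILE\Pictures",   # assumed folder holding .locky files
    [string]$Destination = 'E:\locky-archive',            # assumed folder on the USB drive
    [switch]$DeleteAfterVerify                            # omit for a copy-only run
)

# 1. Are any Volume Shadow Copies left? (Needs an elevated prompt.)
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Host 'No shadow copies found (or the prompt is not elevated).'
}

# 2. Copy every encrypted file, keeping the folder layout, and verify each copy.
$root  = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
$files = @(Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue)
Write-Host "Found $($files.Count) encrypted file(s) under $root"

foreach ($f in $files) {
    $relative = $f.FullName.Substring($root.Length).TrimStart('\')
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $target -Force

    $same = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -eq
            (Get-FileHash -LiteralPath $target     -Algorithm SHA256).Hash
    if (-not $same) {
        Write-Warning "Copy mismatch, original kept: $($f.FullName)"
        continue
    }
    # 3. A copy leaves the original in place; remove it only after the copy is verified.
    if ($DeleteAfterVerify) { Remove-Item -LiteralPath $f.FullName -Force }
}
```

Run it once without `-DeleteAfterVerify` to confirm the files arrive on the USB drive, then again with the switch to clear the originals.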