Windows 10: Got all my files encrypted by RSA2048/AES-128 NASTY! Solved

Page 1 of 3
  1.    05 Apr 2016 #1

    Got all my files encrypted by RSA2048/AES-128 NASTY!


    Hi! I am new here and here is what happened. I opened an email which had an attachment. It was an electricity bill. I know I should not have opened the attachment, but I did! Wrong move!
    Found an overlay message in large red letters on my desktop, and all my documents, videos and photos encrypted. I never paid the 0.5 Bitcoin.
    I have VIPRE and Malwarebytes; they did not stop it. I have Windows 10, so I then established the Administrator entry.
    So now I have two ways of getting into W10: through my local name account and through Administrator.
    Thank God for Administrator, because all signs of encrypted files are gone! It's a clean fresh version, great! Only problem is I cannot upload anything!
    If I log in with my old account, then all the encrypted files are there and that threatening message from Russia saying send us money!
    What I would like is for someone to point me in the right direction. I can lose all my files, I have no choice, but I need a functioning Windows 10. How can I clean out my old one? Thanks for any help. I am reasonably literate in computer usage, but I need clear step-by-step explanations if you don't mind! Thanks!

  2.    05 Apr 2016 #2

    Lancaster said: (quoting post #1 in full)
    Hi Lancaster and welcome to Tenforums, albeit under less-than-ideal circumstances.

    I assume you have the Locky infection? If so, there is currently no hope of getting your files decrypted. Some older versions of encryption viruses have been defeated though. What are the names and/or extensions of the files now? Does each folder have a "How to decrypt" or something similar in it? (for instance, are all *.jpg photo files now *.ecc or something else?)

    You say you have Malwarebytes on the system - is it functioning? If so, can you update the virus definitions and run a full scan of the entire operating system drive (usually C:)? Or is it disabled and not working properly?

    I really would like to identify the name of the Ransomware you have, as there is hope for recovering your files from some of them. Is there any way for you to post a screen shot of the ransom note? From a phone perhaps?

    Edit: You say you are unable to upload, but are you able to download?
    Last edited by simrick; 05 Apr 2016 at 19:42.

  3.    06 Apr 2016 #3

    There's very little you can do now, other than hope you had a file backup or system image taken recently to roll back to.

  4.    06 Apr 2016 #4

    simrick said: (quoting post #2 in full)
    Thank you for your reply. All the files are encrypted with .LOCKY. I don't want to post a picture of the ransom note as it has my recovery info on it. I spoke with a guy from malware in Santa Clara, and there is no way out of the encryption, but malware can deal with the infection.
    As far as I can see through running full scans there is NO infection on my system.
    I am resigned to losing my files. I would appreciate advice on how to deal with cleaning out the encrypted files. As I indicated, I have a clean version of Windows 10, but it is Administrator privileged and so I cannot get anything into the clean files. Hope that answers your queries.

  5.    06 Apr 2016 #5

    Lancaster said: (quoting post #4 in full)
    Yes, okay, there is no way at present to decrypt Locky. The best you can do right now is copy the encrypted files to another drive and store them in the hopes something will break through, or the servers get confiscated by the authorities, and you can get your personal key.

    You could check the volume shadow service on the computer, to see if the ransomware was unsuccessful in turning it off - sometimes this does happen. See here:
    CryptoLocker Ransomware Information Guide and FAQ
    Scroll down to Using ShadowExplorer -

    A full scan of the operating system drive with Malwarebytes Antimalware or ESET Online Scanner should remove all traces of the ransomware. Note that, once the encryption is completed and the ransom note appears, its work is finished, and it shouldn't be doing anything further on the system (basically rendered harmless once finished).

    If you are unable to run these, you could try Kaspersky's Rescue Disk. It would need to be downloaded and burned to disc from a working, clean computer and then run on the infected system at boot.

    Kaspersky Rescue Disk 10
    How to Use the Kaspersky Rescue Disk to Clean Your Infected PC
    Make A Bootable USB Kaspersky Rescue Disk 10 - gHacks Tech News
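The shadow-copy check suggested above, as an added PowerShell example that is not part of the thread or of ShadowExplorer: it reports the state of the VSS service, lists whichever shadow copies survived, and then looks inside the newest C: snapshot to see whether the Pictures folder there is still unencrypted. The profile path `C:\Users\Lancaster\Pictures`, the link path `C:\ShadowView` and the `.locky` extension are assumptions (the extension is the one reported later in the thread). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Run elevated on the infected machine.
# Assumptions: encrypted profile lives under C:\Users\Lancaster (placeholder),
# encrypted files carry the .locky extension, C:\ShadowView is free to use.

$profilePath = 'C:\Users\Lancaster\Pictures'   # assumed path; change to the real profile
$mountPoint  = 'C:\ShadowView'                 # temporary link used to browse the snapshot

# 1. Service state. A stopped or disabled VSS service hints that the malware got to it,
#    but the presence or absence of the copies themselves is the real answer.
$vss = Get-Service -Name VSS
"VSS service: Status={0} StartType={1}" -f $vss.Status, $vss.StartType

# 2. Map volume GUID paths (what Win32_ShadowCopy reports) to drive letters.
$letters = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

# 3. Enumerate surviving shadow copies, oldest first.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies exist; ShadowExplorer will have nothing to show.'
    return
}
$shadows | ForEach-Object {
    [pscustomobject]@{
        Created = $_.InstallDate
        Drive   = $letters[$_.VolumeName]
        Device  = $_.DeviceObject
    }
} | Format-Table -AutoSize

# 4. Expose the newest C: snapshot through a directory symlink (the same mechanism
#    ShadowExplorer uses) and compare encrypted-file counts: live folder vs. snapshot.
$newest = $shadows | Where-Object { $letters[$_.VolumeName] -eq 'C:' } | Select-Object -Last 1
if ($newest) {
    # mklink needs the trailing backslash on the GLOBALROOT device path.
    cmd /c mklink /d $mountPoint "$($newest.DeviceObject)\" | Out-Null
    try {
        $relative    = $profilePath.Substring(3)            # strip the leading 'C:\'
        $shadowPath  = Join-Path $mountPoint $relative
        $liveLocky   = @(Get-ChildItem -Path $profilePath -Recurse -Filter '*.locky' -ErrorAction SilentlyContinue).Count
        $shadowLocky = @(Get-ChildItem -Path $shadowPath  -Recurse -Filter '*.locky' -ErrorAction SilentlyContinue).Count
        $shadowTotal = @(Get-ChildItem -Path $shadowPath  -Recurse -File -ErrorAction SilentlyContinue).Count
        "Live folder: $liveLocky encrypted files"
        "Snapshot from $($newest.InstallDate): $shadowLocky encrypted of $shadowTotal files"
        if ($shadowTotal -gt 0 -and $shadowLocky -eq 0) {
            'The snapshot predates the encryption; copy the originals out of it before anything else.'
        }
    } finally {
        cmd /c rmdir $mountPoint | Out-Null   # removes only the link, never the snapshot
    }
}
```

If the snapshot shows zero `.locky` files, copy the folder out of `C:\ShadowView` (or ShadowExplorer) to an external drive before running any cleaner or deleting the account; cleanup tools can trigger a fresh restore point and push the old snapshot out.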

  6.    06 Apr 2016 #6

    To get rid of the infected files, simply copy to another drive (if you're going to save them), or just delete them from the computer.
    I'm not sure I understand what you mean by this:
    I have a clean version of Windows 10 but it is administrator priviledged and so I cannot get anything into the clean files.
    Last edited by simrick; 06 Apr 2016 at 16:04.

  7.    06 Apr 2016 #7

    simrick said: (quoting post #6 in full)
    I have Windows 10. I have access by: 1. user name, 2. Administrator. When I open using Administrator, the ransom message is gone from my desktop and I have ALL my file folders without the .LOCKYs. In the Admin sign-in I am not allowed to get photos from my camera. That is why I need to get back to using my user name entry.
    Thanks for taking the time to help me here. It is appreciated. Could you offer me some advice on how to get the ransom note off my desktop, and also the best way to delete my photo files, my music files, etc.? Thanks again, and to this great site.

  8.    06 Apr 2016 #8

    Lancaster said: (quoting post #7 in full)
    You're welcome. Yes, this is a great site!

    The Administrator account - you've enabled the hidden Admin account?

    Running Malwarebytes Antimalware and/or ESET online scan should remove the ransom note when it removes the infection.

    You could try this:
    Create a new admin-level user, a different name than your current username. See option #3 here:

    User Account - Add in Windows 10 - Windows 10 Forums

    Then log out of the Administrative Account, and log into your newly-created admin-level account. Then follow the instructions in this tutorial to delete the old user account, choosing to *not* keep files and folders:
    User Account - Delete in Windows 10 - Windows 10 Forums

    Then be sure to re-hide (disable) the hidden administrator account, if you did indeed enable it.

    Use the newly-created user account now as your normal user account.
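The account swap described in the reply above, done from an elevated PowerShell prompt instead of the Settings app. This is an added example, not the forum tutorials' own steps: it creates a new admin-level local account, deletes the old account together with its profile folder (the "do not keep files and folders" choice, which also takes the ransom wallpaper with it), and disables the built-in Administrator account if it was enabled. The names `Lancaster` (old, assumed to be a local account) and `Lancaster2` (new) are placeholders. Sign in as neither of those two accounts when running it, and copy out anything you want to keep first.

```powershell
# Added example, not the forum's own instructions. Run elevated, signed in as an
# account other than the one being deleted. Assumed names: 'Lancaster' (old local
# account) and 'Lancaster2' (replacement); change both to match the real machine.

$oldUser = 'Lancaster'
$newUser = 'Lancaster2'

# 1. New local account with administrator rights (not a child/standard account).
$pw = Read-Host -Prompt "Password for $newUser" -AsSecureString
New-LocalUser -Name $newUser -Password $pw -FullName $newUser -Description 'Replacement account' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $newUser

# 2. Delete the old account AND its profile. Remove-LocalUser alone leaves
#    C:\Users\<name> (encrypted files, ransom-note wallpaper, registry hive) on disk;
#    removing the matching Win32_UserProfile instance deletes all of that.
$old     = Get-LocalUser -Name $oldUser
$profile = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.SID -eq $old.SID.Value }
if (-not $profile) {
    throw "No profile found for $oldUser; check the account name."
}
if ($profile.Loaded) {
    throw "$oldUser is still signed in; sign that account out (or reboot) and retry."
}
Remove-LocalUser -Name $oldUser
$profile | Remove-CimInstance
"Removed account $oldUser and profile folder $($profile.LocalPath)"

# 3. Re-hide the built-in Administrator account (always RID 500, whatever it is named).
#    Harmless if it was never enabled.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtIn.Enabled) {
    Disable-LocalUser -SID $builtIn.SID
    "Disabled built-in account '$($builtIn.Name)'"
}

# 4. Show what is left: who exists, who is enabled, who is an administrator.
Get-LocalUser | Select-Object Name, Enabled, SID
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

The profile removal is the step that actually clears the desktop: the ransom note is shown as the old account's wallpaper and files, which is why it never appeared under the other account.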

  9.    06 Apr 2016 #9

    simrick said: (quoting post #8 in full)

    Hi again, and thanks. I think we are on the right track.
    Firstly, I don't know if I have the hidden Administrator, because it will not allow me to upload photos from my camera. It says you are not allowed to upload from your camera drive. I tend to be very literal, so I do get confused by having a user account (the one where they encrypted) and I have a PIN to sign into that. I somehow got my Administrator account and it says ADMINISTRATOR. I use a password to enter that one and I am on it now. I get confused when I have a Microsoft P/W and two Windows accounts, presently one with a PIN, the other (Administrator) with a P/W. When I create the family/other user account, can I do it from my user name account (my old one) or my Administrator? To be honest, I don't know if it is THE hidden Administrator.
    I tried using a USB drive E to send my Pictures file contents, which are all Locky files, and I think it looks like I am sending them to E drive, and then I check and my Pictures file is NOT empty, so it is not moving them.

  10.    06 Apr 2016 #10

    Lancaster said:
    Hi again, and thanks. I think we are on the right track.
    Firstly, I don't know if I have the hidden Administrator, because it will not allow me to upload photos from my camera. It says you are not allowed to upload from your camera drive.
    Okay, you do not have the hidden administrator account enabled. My mistake. I was confused.
    I would not try to do any uploading from the camera until you have the system cleaned. That is probably what is preventing it. Were you able to run the ESET Online Scan or Malwarebytes Antimalware?

    Lancaster said:
    I tend to be very literal, so I do get confused by having a user account (the one where they encrypted) and I have a PIN to sign into that. I somehow got my Administrator account and it says ADMINISTRATOR. I use a password to enter that one and I am on it now. I get confused when I have a Microsoft P/W and two Windows accounts, presently one with a PIN, the other (Administrator) with a P/W.
    So you have 2 accounts, one called Administrator which uses a password, and one with a username (local account) which uses a PIN, correct? and the user account with the PIN is the one that was encrypted, right? Do they both have admin rights on the system?

    Lancaster said:
    When I create the family/other user account, can I do it from my user name account (my old one) or my Administrator? To be honest, I don't know if it is THE hidden Administrator.
    You can do it from either account. Only an "admin-rights" account will have authority to do this. If the account you're in doesn't allow you to create a new user, then it's not an admin-level account, so try the other one. Make sure the new account you create has admin rights as well (not a child account).

    Lancaster said:
    I tried using a USB drive E to send my Pictures file contents, which are all Locky files, and I think it looks like I am sending them to E drive, and then I check and my Pictures file is NOT empty, so it is not moving them.
    It could be that you are "copying" and not "moving". In that case, once the files are all copied to the flash drive, you can just select them all on the computer and right-click, then Delete.
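The "copy, then delete" the reply describes, as an added PowerShell example (not from the thread): Copy-Item, like drag-and-drop between drives, leaves the originals in place, so the script copies each file to the USB drive, verifies the copy by SHA-256 hash, and only then removes the original from the PC. A file whose copy does not verify stays where it is. The source folder `C:\Users\Lancaster\Pictures` and destination `E:\LockyArchive` are assumptions; run it elevated so the other account's profile is readable.

```powershell
# Added example, not code from the thread. Verified copy-then-delete of the encrypted
# files onto an external drive. Assumed paths; change them to match the real machine.

$source = 'C:\Users\Lancaster\Pictures'    # assumed: the encrypted account's folder
$dest   = 'E:\LockyArchive\Pictures'       # assumed: folder on the USB drive
$log    = 'E:\LockyArchive\moved.csv'      # record of what was copied and removed

New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Copy-Item leaves the source untouched, which is what the reply suspects happened.
# Each file becomes a "move" only after its copy on E: hashes identically.
$results = @(Get-ChildItem -Path $source -Recurse -File | ForEach-Object {
    $rel    = $_.FullName.Substring($source.Length).TrimStart('\')
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -LiteralPath $_.FullName -Destination $target -Force

    $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target     -Algorithm SHA256).Hash
    $ok = ($srcHash -eq $dstHash)
    if ($ok) {
        Remove-Item -LiteralPath $_.FullName -Force   # safe: verified copy exists
    }
    [pscustomobject]@{
        File     = $rel
        Bytes    = $_.Length
        SHA256   = $dstHash
        Verified = $ok
        Deleted  = $ok
    }
})

# Keep the manifest next to the archive: if a decryptor ever appears, this is the
# inventory of what you hold, and the hashes prove the files were not altered since.
$results | Export-Csv -Path $log -NoTypeInformation -Encoding UTF8

$bad   = @($results | Where-Object { -not $_.Verified })
$moved = $results.Count - $bad.Count
"$moved files copied and removed from the PC; $($bad.Count) left in place because the copy did not verify."
$bad | Format-Table File, Bytes -AutoSize
```

Once the script reports zero unverified files, the Pictures folder on C: is empty and the encrypted copies, with their manifest, sit on E: for the day a key or decryptor turns up.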
