Avast WEBforum

Other => Viruses and worms => Topic started by: jermsdawg101 on August 12, 2009, 08:01:25 AM

Title: Files encrypted as ransom
Post by: jermsdawg101 on August 12, 2009, 08:01:25 AM
Just today I noticed that most of my files on a particular drive had new extensions.  Many of these include my mp3s, some pics, and some other files.  The new extensions were .ENCRYPTED.  When I removed the extensions the files still were not playable.  I use Avast Home Edition and it never caught or told me anything had happened.  In each folder on the drive was a README.txt that stated I needed to pay 50 euro in order for them to email me the decrypter for my files.  When I ran a scan of viruses xwr48247.dll came up as infected.  I don't know what to do!  Any suggestions/ideas/solutions?
Title: Re: Files encrypted as ransom
Post by: FreewheelinFrank on August 12, 2009, 10:52:32 AM
Can you submit one of the encrypted files to Virus Total and post the result here?

http://www.virustotal.com/
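The indicators in the opening post (a new .ENCRYPTED extension on media files, a README.txt ransom note in every folder, and the xwr48247.dll file avast flagged) are enough to script a first triage pass before anything is uploaded anywhere. The following is an added example written for this thread, not code from the forum or from any of the tools named in it. It walks a folder tree, inventories the encrypted files per folder, checks whether a renamed file still starts with the magic bytes of its original type (which explains why simply stripping the extension did not make the mp3s playable), and hashes the suspect dll so it can be looked up on Virus Total by SHA-256. The sample tree, its contents and the MAGIC_BY_EXT table are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the thread: the appended extension, the ransom note
# dropped in each folder, and the file avast reported as infected.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAMES = {"readme.txt"}
SUSPECT_FILE_NAMES = {"xwr48247.dll"}

# Leading bytes of a few common formats (assumed table, extend as needed); used to
# tell a file that was only renamed from one whose contents were overwritten.
MAGIC_BY_EXT = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def sha256_of(path):
    """Hash a file in chunks so large media files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def content_still_matches(path):
    """For 'name.ext.ENCRYPTED', report whether the bytes still look like '.ext'.
    Returns True/False, or None when the original type is not in MAGIC_BY_EXT."""
    original_ext = Path(path.name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
    magics = MAGIC_BY_EXT.get(original_ext)
    if magics is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(m) for m in magics)


def triage_tree(root):
    """Walk a drive or folder and collect the indicators described above."""
    root = Path(root)
    report = {
        "encrypted_files": [],  # relative paths carrying the appended extension
        "content_altered": [],  # subset whose bytes no longer match the original type
        "ransom_notes": [],     # relative paths of ransom notes
        "suspect_files": {},    # relative path -> SHA-256 for a Virus Total hash lookup
        "folders_hit": {},      # folder -> number of encrypted files inside it
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()  # the note and extension casing varies on Windows
            if lower.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(rel)
                report["folders_hit"][folder] = report["folders_hit"].get(folder, 0) + 1
                if content_still_matches(path) is False:
                    report["content_altered"].append(rel)
            elif lower in RANSOM_NOTE_NAMES:
                report["ransom_notes"].append(rel)
            elif lower in SUSPECT_FILE_NAMES:
                report["suspect_files"][rel] = sha256_of(path)
    for key in ("encrypted_files", "content_altered", "ransom_notes"):
        report[key].sort()
    return report


def build_sample_tree():
    """Constructed stand-in for the affected drive; every file here is made up."""
    base = Path(tempfile.mkdtemp(prefix="ransom_triage_"))
    for sub in ("music", "pics", "sys"):
        (base / sub).mkdir()
    # Overwritten mp3 and jpg: no longer start with their format's magic bytes.
    (base / "music" / "song1.mp3.ENCRYPTED").write_bytes(b"\x8c\x2f\x01garbled-payload")
    (base / "pics" / "holiday.jpg.ENCRYPTED").write_bytes(b"\x41\x99\x00garbled-payload")
    # Renamed but intact: still carries an ID3 header, so dropping the extension would do.
    (base / "music" / "song2.mp3.ENCRYPTED").write_bytes(b"ID3\x03\x00\x00\x00\x00\x00\x00")
    # Untouched jpg: no indicator at all.
    (base / "pics" / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")
    (base / "music" / "README.txt").write_text("constructed ransom note\n")
    (base / "pics" / "readme.TXT").write_text("constructed ransom note\n")
    (base / "sys" / "xwr48247.dll").write_bytes(b"constructed stand-in, not a real binary")
    return base


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print("encrypted files per folder:", result["folders_hit"])
    print("contents really overwritten:", result["content_altered"])
    print("ransom notes:", result["ransom_notes"])
    for rel, digest in result["suspect_files"].items():
        print(f"look up by hash before uploading: {rel} sha256={digest}")
```

Run it against the real drive root instead of the sample tree to get the same report; the hash lets you search Virus Total without uploading the dll, and the content check tells you which files were actually overwritten rather than just renamed.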
Title: Re: Files encrypted as ransom
Post by: Lisandro on August 12, 2009, 01:44:41 PM
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or at this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).