# Cryptolocker 2.0 and CBT Locker



## hdavis (Feb 14, 2012)

Here's my bottom line on these trojans. The fastest way to get it cleaned and running again is to either do a fresh install or use a system backup. Everything else is time consuming and uncertain.

With both laptops and viruses, the system security was compromised enough that multiple malware programs were installed before the locker virus encrypted files and restricted access to the directory structure.

Cleaning the systems before doing a restore (not using a boot disk) is a little tedious. Kaspersky Lab's Rescue Disk has a program called Windows Unlocker which will open access to the file system back up, and then virus scanning and removal can begin. I tried multiple rescue disks - AVG, Kaspersky, and Bitdefender. Personally, I like Kaspersky best. None of them found all malware by themselves. I'm still trying to convince myself that there isn't another trojan that none of them detected.

Once you get the viruses / malware off, you still have to go back through and tighten system and browser security. 

On the latest laptop, I have a Windows boot disk for recovering the system somewhere, which would be a faster option. The key word there is "somewhere". All the personal files were backed up, so there was no big loss from CBT Locker. Cryptolocker 2.0 encrypted files apparently can be deciphered, and there is free software to do that. CBT Locker uses a different algorithm, according to reports, so presumably they're encrypted for good.

FWIW, the internet traffic I was picking up goes back to a server in China. I spotted the infected laptop by monitoring internet traffic, but I wasn't fast enough to prevent it from getting encrypted...

Back up, and make sure you can find the disks when you need them:jester:


----------



## 91782 (Sep 6, 2012)

There's been a ramping up of that the last few days it seems.

Been fighting off a Google redirect malware - took some doing, but all the traffic was to Chinese IPs.

For the past 5 or so years, I've learned to keep NOTHING of importance on the machine.

Agree with your view on the crypto malware - it's a lost cause.


The last HD restore I got from Toshiba came on a thumb drive - how neat is that?!


----------



## hdavis (Feb 14, 2012)

I love thumb drives. I even have a linux one for booting / etc.


----------



## Inner10 (Mar 12, 2009)

You guys need to stop surfing suspect pron sites.


----------



## tedanderson (May 19, 2010)

Inner10 said:


> You guys need to stop surfing suspect pron sites.


Yeah.. you need to go to the safe ones that aren't in it for the money.
:jester:


----------



## hdavis (Feb 14, 2012)

Inner10 said:


> You guys need to stop surfing suspect pron sites.


LOL, I'll pass that along :laughing:


----------



## 91782 (Sep 6, 2012)

Inner10 said:


> You guys need to stop surfing suspect pron sites.


Hmmm, and how would YOU know that sonny?:jester:


----------



## hdavis (Feb 14, 2012)

He owns a suspect site?


----------



## 91782 (Sep 6, 2012)

hdavis said:


> He owns a suspect site?


:thumbsup: My first thought...
:laughing::laughing:

I've never had the cryptolocker on any machine here. (EDIT - knock wood) Fella that "fixes" computers & comes into the local eatery was frustrated by it on a customer machine. Did some research, pointed him to www.bleepingcomputer.com, and came to same conclusion as you - it ain't worth it - the fix that is.

Now, as to the little nasty I had recently - it was "PUM.Hompage"

A Google/IE redirector turd. Happened when searching for a "Fossil Fuel Kit" to convert the furnace from propane back to CNG.

But along the way, I discovered a really fast, barebones File Manager - hooray!
:clap:


----------



## CO762 (Feb 22, 2010)

hdavis said:


> None of them found all malware by themselves.
> 
> Back up, and make sure you can find the disks when you need them


Yup, those two. Wife is on faceb00k and she always seems to be getting malware and it does take three different programs to fully clear her computer. Once you lose something valuable/costly, you are a believer in backups, and plug-in USB external hard drives are exceedingly cheap these days.

They must be hitting construction people's websites or something as you're the third person I ran across that had that and the other two were in construction too.


----------



## CO762 (Feb 22, 2010)

SmallTownGuy said:


> Happened when searching for a "Fossil Fuel Kit" to convert the furnace from propane back to CNG.


Innocent websites can be hacked and one of their files downloaded, a loader put in it, then put back on their website and they don't even know it. I got a vicious one when I was looking for public land to hunt on. Another time there was one in a statistical program at a university.
So just visiting a website can get your computer into trouble, don't even have to download anything.

I don't use JavaScript and use a script blocker and that seems to have helped. On this website, there are 9 scripts running, I block 8 of them from executing on my computer. There are 8 trackers also and I don't allow any of them to be put on my computer.


----------



## 91782 (Sep 6, 2012)

CO762 said:


> Innocent websites can be hacked and one of their files downloaded, a loader put in it, then put back on their website and they don't even know it. I got a vicious one when I was looking for public land to hunt on. Another time there was one in a statistical program at a university.
> So just visiting a website can get your computer into trouble, don't even have to download anything.
> 
> I don't use JavaScript and use a script blocker and that seems to have helped. On this website, there are 9 scripts running, I block 8 of them from executing on my computer. There are 8 trackers also and I don't allow any of them to be put on my computer.


Interesting to note that there are some savvy users on here. We ARE more than knuckle draggers - s0me of us...

Yeah, it's a curious thing. I mess around with modifying app software, so visit some very interesting sites. THEY tend to behave themselves.

The one that caught me - well, I'd only been to a couple places during that exact time frame - and other than here - it was an HVAC surplus dealer with an ad on eBay.

Still don't know - doesn't matter. Shoot 'em when you see 'em, I say...:jester:


----------



## hdavis (Feb 14, 2012)

These were not used by me, so they weren't going to construction sites - mainly facebook and such, as near as I can tell.

As an update, I'm going to do a clean OS install, since I've also found the Poweliks virus. All in all, there are enough changes to security aspects (that I've found) from the multiple infections it isn't worth trying to straighten out the existing install. Hopefully I'll be able to find the backup disks if they're needed again.


----------



## 91782 (Sep 6, 2012)

hdavis said:


> These were not used by me, so they weren't going to construction sites - mainly facebook and such, as near as I can tell.
> 
> As an update, I'm going to do a clean OS install, since I've also found the Poweliks virus. All in all, there are enough changes to security aspects (that I've found) from the multiple infections it isn't worth trying to straighten out the existing install. Hopefully I'll be able to find the backup disks if they're needed again.


There's an app for that.
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
http://download.eset.com/special/ESETPoweliksCleaner.exe


----------



## hdavis (Feb 14, 2012)

That's a little more simple than some of the other methods. I'll try that before the clean install, just to see how well it works.


----------



## 91782 (Sep 6, 2012)

hdavis said:


> That's a little more simple than some of the other methods. I'll try that before the clean install, just to see how well it works.


My read on Poweliks is that it is continually morphing. A tool I just used myself (for that PUM thing) is here, along with a quick overview of the issue.


http://www.adlice.com/poweliks-removal-with-roguekiller/

http://www.adlice.com/softwares/roguekiller/


----------



## CO762 (Feb 22, 2010)

SmallTownGuy said:


> Still don't know - doesn't matter. Shoot 'em when you see 'em, I say...:jester:


Yup, there's just no way to tell other than having your guard up up front. I'm always amazed at how most websites want to run things or put things on your computer. One tracker was called 'liftdna'. Plug-ins are what seem to get a lot of people too.


----------



## hdavis (Feb 14, 2012)

Tried the linked download - cleaned it quick:thumbsup:
I'm still going through the system to see what the state of security is...

No telling where they came from, other than the China server connection.

I thought the ransomware was interesting, but it's fairly conventional in terms of how it gets cleaned. This last one infects the registry, so you aren't so much cleaning files as killing processes and cleaning the registry... A new angle, it seems.


----------
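The registry-resident persistence hdavis describes above can be hunted for directly. The script below is an added example, not something posted in the thread or shipped by any of the tools linked in it. It walks the standard Run/RunOnce autorun keys and flags value data that matches the publicly documented Poweliks shape (rundll32 loading mshtml to run inline JavaScript, which in turn launched an encoded PowerShell payload), plus a few related fileless-launch patterns. The key paths are the real autorun locations; the regexes and the sample entries at the bottom are constructed for illustration. Assumes PowerShell 3 or later.

```powershell
# Added example: hunt autorun keys for Poweliks-style fileless persistence.
# Not code from the thread or from ESET/Adlice; key paths are real, the
# patterns and sample data are constructed for illustration.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Case-insensitive regexes applied to each value's data, first match wins.
$suspicious = @(
    @{ Reason = 'rundll32 running inline javascript';        Pattern = 'rundll32(\.exe)?\s+javascript:' },
    @{ Reason = 'mshtml,RunHTMLApplication in a command';    Pattern = 'mshtml\s*,\s*RunHTMLApplication' },
    @{ Reason = 'encoded or hidden PowerShell launch';       Pattern = 'powershell(\.exe)?.*(-enc|-e\s|-w(indowstyle)?\s+hidden|-nop)' },
    @{ Reason = 'script host launched from an autorun';      Pattern = '(mshta|wscript|cscript)(\.exe)?\s' },
    @{ Reason = 'executable living in a temp/profile dir';   Pattern = '\\(AppData\\Local\\Temp|Temp|Downloads)\\[^\\]+\.(exe|scr|dll)' }
)

function Test-AutorunValue {
    param([string]$Key, [string]$Name, [string]$Data)
    foreach ($rule in $suspicious) {
        if ($Data -match $rule.Pattern) {
            return [pscustomobject]@{ Key = $Key; Name = $Name; Reason = $rule.Reason; Data = $Data }
        }
    }
    # no match: return nothing
}

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        # Enumerate through the .NET RegistryKey so value names and data are
        # taken exactly as the API returns them, without PowerShell property
        # name munging, and without expanding %VAR% in the data.
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            Test-AutorunValue -Key $key -Name $name -Data $data
        }
    }
}

# --- Constructed sample entries (not captured from a real machine) so the
# --- classifier can be exercised without touching the registry.
$sample = @{
    'OneDrive' = '"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
    'Updater'  = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("<script>...")'
    'Helper'   = 'C:\Users\bob\AppData\Local\Temp\svchost.exe'
}
foreach ($n in $sample.Keys) {
    Test-AutorunValue -Key 'SAMPLE' -Name $n -Data $sample[$n]
}
# Expected: 'Updater' and 'Helper' are reported, 'OneDrive' is not.

# Live run against this machine:
Get-SuspiciousAutoruns | Format-List
```

Anything this reports is a lead, not a verdict: confirm with the process list (a `rundll32.exe` or `powershell.exe` with no file on disk behind it is the tell) before deleting the value, and re-run after a reboot, since the whole point of this family is to re-create what you removed.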



## tccoggs (Dec 17, 2008)

Tips

Do not disable UAC. It can be a bit irritating at times, but roll with it.

Don't use an admin account all the time. Create a restricted user account. A lot of this stuff requires elevation of rights to install so if you're not an admin, it's not getting in.

Install a browser sandboxing tool like Sandboxie. This executes the browser in a redirected sandbox making file and reg writes go to a falsified copy of both. It means that infections cannot be persisted between reboots.

Create system restore points often and be able to roll back without major data loss. Have a boot disk and an external drive to boot an infected machine and copy files off before running system restore.


Cryptolocker, at least the first gen, could be blocked by using group policy to block exe files from the temp directory. With Poweliks the first gen relied on PowerShell which can also be blocked with GP.

Windows Home edition sucks for not having some of these tools. Buy Pro if possible.


----------
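The "block exe files from the temp directory" group policy tccoggs mentions is a Software Restriction Policy path rule, and SRP is driven entirely by values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer`, so it can be set up without gpedit. The script below is an added example, not from the thread; it writes the same keys the Local Security Policy editor writes when you add Disallowed path rules. Assumptions: run from an elevated PowerShell; the path list is a typical CryptoLocker-era set (the `%TEMP%` subfolders are where WinRAR, 7-Zip and WinZip extract attachments), not anything the thread enumerated; and whether a Home edition honours registry-written SRP rules is something to confirm with the check at the bottom before relying on it.

```powershell
# Added example: Software Restriction Policy path rules written straight to the
# registry. Not from the thread. Run elevated. Blocks executables launched from
# user-writable temp locations; default level for everything else stays Unrestricted.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"       # subkey 0 = Disallowed level; 262144 (0x40000) = Unrestricted

New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel        -Value 0x40000 -Type DWord  # Unrestricted by default
Set-ItemProperty -Path $base -Name TransparentEnabled  -Value 1       -Type DWord  # apply to all software files, not only .exe
Set-ItemProperty -Path $base -Name PolicyScope         -Value 0       -Type DWord  # 0 = all users, admins included
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Value 0       -Type DWord

# Locations a browser- or mail-delivered dropper typically runs from.
# %TEMP% subfolder patterns cover archives opened in place by common unzippers.
$blockedPaths = @(
    '%UserProfile%\AppData\Local\Temp\*.exe',
    '%UserProfile%\AppData\Local\Temp\*\*.exe',
    '%UserProfile%\AppData\Local\Temp\Rar*\*.exe',
    '%UserProfile%\AppData\Local\Temp\7z*\*.exe',
    '%UserProfile%\AppData\Local\Temp\wz*\*.exe',
    '%UserProfile%\AppData\Local\Temp\*.zip\*.exe',
    '%AppData%\*.exe',
    '%AppData%\*\*.exe'
)

# Opt-in: the post notes first-gen Poweliks relied on PowerShell. An SRP rule
# on the interpreter blocks it, but also blocks every admin script including
# this one, so it is listed separately and left commented out.
# $blockedPaths += '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'
# $blockedPaths += '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'

foreach ($p in $blockedPaths) {
    # Each rule lives in its own {GUID} subkey, exactly as secpol.msc creates them.
    $rule = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $p -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0  -Type DWord
    Set-ItemProperty -Path $rule -Name Description  -Value 'Block executables from user-writable temp locations' -Type String
    Set-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Review what is now in place.
Get-ChildItem $disallowed | ForEach-Object {
    Get-ItemProperty $_.PSPath | Select-Object ItemData, Description
}

# Check: copy a known-good binary into %TEMP% and try to launch it. With the
# rules active, Start-Process fails with "This program is blocked by group policy".
Copy-Item "$env:SystemRoot\System32\calc.exe" "$env:TEMP\srp-test.exe"
Start-Process "$env:TEMP\srp-test.exe"
Remove-Item "$env:TEMP\srp-test.exe"
```

Two things to keep in mind. First, path rules are only as good as the paths: an installer that unpacks somewhere not listed runs normally, so when something legitimate breaks, widen the list with a `%TEMP%` exception for that product rather than turning the policy off. Second, this blocks the first-stage dropper, which is what stopped first-gen CryptoLocker; a registry-resident payload that is launched by `rundll32.exe` from `System32` is not reached by these rules, which is why the Poweliks case in the thread still needed the cleaner.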



## 91782 (Sep 6, 2012)

tccoggs said:


> Tips
> 
> Do not disable uac. It can be a bit irrating at times, but role with it.
> 
> ...


Ultimate solution (at least on real PCs): Run a Virtual Machine. Use that for all yer online activities.

I'm surprised how responsive XP SP3 is on this little i3 Toshiba w/W7 x64 (VMware Player & "IE8.WinXP.For.WindowsVirtualBox").


----------



## hdavis (Feb 14, 2012)

These were both Win 7 Home machines.

Besides group policies (I did a bunch manually, but found a little program that puts something like 200 restrictions in place) and user account control, I also disabled services I didn't need.

Regarding restore points, some of the malware destroys restore points earlier than the infection, so that becomes of limited use.

As an alternate to running a virtual machine, I have a couple bootable 32 Gig USB flash drives - I use Linux on them, but I could always put something else on them.


----------



## hdavis (Feb 14, 2012)

I picked up another 32 Gig USB flash drive at Staples yesterday for $13. That's just about the cheapest insurance I can buy...


----------

