Virus infection

  • Question

  • Hi, recently my parents' computer was affected by CTB-Locker. I removed the virus but still cannot decrypt Office files. Does Microsoft have an official answer to this? Have you got specialists who are prepared to answer the challenge? I know that you stopped support of Win XP, but I still think that it is your product and we as customers have the right to expect the quality you promised. Why are only MS Office files affected? How can I get them back? I hope that Microsoft, as the largest software company, has the answer about this attack! I still believe in your possibilities and expect your reaction, because in these files are all my and my parents' lives!
    Sunday, December 21, 2014 5:11 PM

All replies

  • Hi Jerry,

    It may be possible that the Office files were corrupted by the virus and then you removed the virus from the computer. The next time you tried to open the Office files, you could not. Please try to remove the virus from safe mode. Do a full system scan. Once finished, try again to open an Office file. What is the error when you open an Office file? Please share a little bit more info.

    Regards

    Biswajeet

    Sunday, December 21, 2014 6:07 PM
  • I did what you suggested, but the files still have a strange extension, like *.doc.hmstufs, and cannot be opened.
    Sunday, December 21, 2014 6:22 PM
  • Try system restore and then confirm.
    Sunday, December 21, 2014 7:39 PM
  • That was the first thing I did, but the files remain unchanged. I am in despair.

    Sunday, December 21, 2014 7:49 PM
  • Sunday, December 21, 2014 8:01 PM
  • Thank you very much for your professional advice and sympathy! I will do what you suggest and will write back with the result!
    Sunday, December 21, 2014 8:12 PM
  • You are most welcome. If your problem is solved, then mark as answer.
    Sunday, December 21, 2014 8:18 PM
  • Try system restore and then confirm.

    I don't think system restore is the best method for removing a virus. It creates copies of exe or other files on the HDD itself and gives the virus/malware the platform to spread again.

    Have a look at this : http://www.brighthub.com/computing/smb-security/articles/44731.aspx


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Sunday, December 21, 2014 9:25 PM
    Moderator
  • Have you tried renaming the files to their proper extension? i.e. A Word file should have the .doc extension.

    See: How to Rename Multiple Files with Windows Explorer


    Carey Frisch

    Monday, December 22, 2014 4:24 AM
    Moderator
  • I did what you suggested, but the files still have a strange extension, like *.doc.hmstufs, and cannot be opened.

    If the PC was truly infected with the CTB-Locker ransomware, then there is nothing that can be done.  The random extension names are just there to show you that the particular file has been encrypted.

      

    The encryption used is elliptical curve cryptography, which is unique to this particular infection.  There is NO WAY to unencrypt the files unless you pay the ransom.  This is NOT the right choice however, as it only serves to fund the people who created it in the first place.  Also it is very hard to track down whoever is behind it because the program communicates with its masters through TOR rather than the regular internet.

      

    Unfortunately, the only thing you can do is format the hard drive and restore from a backup that was made before the attack occurred.  For more information on CTB-Locker click here.  Sorry to bring the bad news, but this event should enforce the reason for making regular full system backups.


    Please do not read this sentence. Please ignore the previous sentence.


    • Edited by Kamin of Ressik Monday, December 22, 2014 4:43 PM
    • Marked as answer by Jerry_nik Wednesday, December 24, 2014 8:48 PM
    Monday, December 22, 2014 4:42 PM
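
An added example, not part of the original post and not the poster's or Microsoft's code: a read-only triage script for the situation this answer describes. It lists files that carry an extra extension after an Office extension, as in `*.doc.hmstufs`, and checks whether each still begins with the normal Office file header. The lowercase-letters pattern for the appended extension, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Leading bytes of intact Office files: OLE2 compound file (.doc/.xls/.ppt)
# and ZIP container (.docx/.xlsx/.pptx).
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")
ZIP = b"PK\x03\x04"
MAGIC = {"doc": OLE2, "xls": OLE2, "ppt": OLE2,
         "docx": ZIP, "xlsx": ZIP, "pptx": ZIP}

# Assumed pattern: <name>.<office ext>.<lowercase letters>, e.g. report.doc.hmstufs
APPENDED = re.compile(r"^.+\.(?P<ext>(?i:docx?|xlsx?|pptx?))\.(?P<tag>[a-z]+)$")


def triage(root):
    """Return (path, office_ext, appended_ext, header_intact) for each suspect file."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            match = APPENDED.match(name)
            if not match:
                continue
            ext = match.group("ext").lower()
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:  # read-only: nothing is modified
                head = fh.read(len(OLE2))
            findings.append((path, ext, match.group("tag"),
                             head.startswith(MAGIC[ext])))
    return findings


def build_sample_tree():
    """Constructed sample data, written to a temporary directory."""
    root = tempfile.mkdtemp()
    samples = {
        "letter.doc": OLE2 + b"untouched file",
        "budget.xls.hmstufs": OLE2 + b"renamed only, contents intact",
        "photo-list.doc.hmstufs": bytes((i * 37 + 11) % 256 for i in range(64)),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, ext, tag, intact in triage(build_sample_tree()):
        verdict = "rename back to ." + ext if intact else "restore from backup"
        print(f"{os.path.basename(path)}: appended .{tag}, header intact={intact} -> {verdict}")
```

A file whose header no longer matches will not open after being renamed, so the resulting list is the set of files to look for in a backup.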
  • I know that nothing can be done except format. "Thank you" MICROSOFT for stopping support of Win XP and losing my parents' memories. I suppose also that this CTB-Locker was invented by Microsoft to show how vulnerable PCs with XP are, because if you have Win 7 or Win 8 there are ways to unlock and decrypt files. I am mad - Microsoft has no experts and can't support their own products and loyal clients /My parents are too old to learn your new products/!!!!!!!!!!!!!

    Wednesday, December 24, 2014 3:43 PM
  • An inexpensive backup would have saved you all the grief.  Example

    You might also try contacting a recovery specialist for assistance.


    Carey Frisch


    Friday, December 26, 2014 2:51 AM
    Moderator
  • I know that nothing can be done except format. "Thank you" MICROSOFT for stopping support of Win XP and losing my parents' memories. I suppose also that this CTB-Locker was invented by Microsoft to show how vulnerable PCs with XP are, because if you have Win 7 or Win 8 there are ways to unlock and decrypt files. I am mad - Microsoft has no experts and can't support their own products and loyal clients /My parents are too old to learn your new products/!!!!!!!!!!!!!

    Microsoft supported Windows XP for 13 years.  They are a business just like any other, and when supporting it became non-profitable, then it was dropped.  However, it was NOT a sudden thing.  It was well known what the drop dead date was.  There was plenty of chance to upgrade.  Windows 7 can be configured to run exactly as though it were Windows XP.  Ergo, a very small learning curve.

      

    But...running Windows 7 or 8 would not have helped you.  Your files would have been encrypted just the same.  If you had read the link I posted, you would have seen that it affects ALL versions of Windows XP -> 8.  And NO the new OS would NOT have been able to decrypt them.  This malware was NOT created by Microsoft, but by some group of people who want to hold less savvy computer users' feet to the fire in order to get some money out of them.  It is actually sold as a kit online for $3000.00.

      

    The malware is caught when uneducated users click on ads that pop up or go to websites that load it onto their systems or click links in email that send them the files.  EDUCATION is the main defense against it.

      

    The second line of defense is as Carey said, a good regular backup.  If you had been backing up this PC, this whole thing would have been nothing more than a minor inconvenience of a system restore.


    Please do not read this sentence. Please ignore the previous sentence.


    Monday, December 29, 2014 3:39 PM
  • Do I understand right?????? With the above comment you just said that Microsoft products are unsafe and everyone has easy access to customer information no matter the OS - just one click is needed to destroy your product!!!!!!!!!!!! I don't blame you /don't misunderstand me/ - because the mistake is mine - I don't have a backup - but honestly I am a little disappointed that such software experts as Microsoft don't care about safety and that you did nothing to help customers or to search for the solution! Your answer is that nothing can be done and that is all!
    Monday, January 5, 2015 10:00 AM

  • Do I understand right?????? With the above comment you just said that Microsoft products are unsafe and everyone has easy access to customer information no matter the OS - just one click is needed to destroy your product!!!!!!!!!!!! I don't blame you /don't misunderstand me/ - because the mistake is mine - I don't have a backup - but honestly I am a little disappointed that such software experts as Microsoft don't care about safety and that you did nothing to help customers or to search for the solution! Your answer is that nothing can be done and that is all!

    A few clarifications:

    1. I do NOT work for Microsoft.  No one in these forums works for Microsoft.  We are just regular users like yourself.

      

    2. I did not say that all Microsoft products are unsafe.  I said that this particular ransomware affects all versions of Windows XP->8.  But it cannot affect your system unless you let it onto your computer.

      

    3. No matter how much protection is put into an Operating System, the end user will always be able to make it unsafe.  This ransomware came originally as an ad or a popup notice from a website or an email that said something to entice the user to click the link.  When the link is clicked, the computer does what it is told...just like if the user had clicked on a safe link.  It is impossible to create software that can predict the future and tell what kinds of malware will be created later on and provide protection for it.  This is why user education is THE first defense against it.  When you get an email from someone you don't know, or an ad popup that was unexpected or a phone call from someone claiming to work for "Windows", you do NOT click the link or press the pop up button or do what the caller tells you to do.  Instead, you delete the email or close the pop up with the X in the corner or hang up the phone.  No matter how much anti-virus or protection software is written, there is always someone out there decoding it to try to defeat it.  That is why an educated end user is the only real defense.

      

    4. Yes, the answer at this point is that nothing can be done, because the files were encrypted with a complex, nearly unbreakable algorithm.  If I make a secret code and don't tell anyone what the key is, they won't be able to read my message unless they figure out what that key is.  The makers of this ransomware used their computers to do just that.  It would literally take other computers thousands of years to figure out what the correct key is.  Nothing and no one at Microsoft could have fixed this any easier than anyone else once the files were encrypted.


    Please do not read this sentence. Please ignore the previous sentence.


    • Edited by Kamin of Ressik Monday, January 5, 2015 3:50 PM
    • Marked as answer by Jerry_nik Tuesday, January 6, 2015 10:21 AM
    Monday, January 5, 2015 3:45 PM