Trojan.zefarch ransomware

Good Day All,

   I have the Symantec AV program that I received through the DOD for home use.  It is set for daily updates and scans.  I was hit with the Trojan.zefarch virus while at a website.  The AV program detected the virus after it had initialized but was unable to stop it.  It displayed that it was able to only quarantine some of it.  I followed the directions to remove the threat (disable system restore, update AV definitions, run full system scan, and delete) but ran into a problem.  It looks like I was able to remove all of the virus, but it has encoded most of my files.  I am unable to access Word, pictures, PDF files, MPEG, .FLV, as they have .ENCODED added to their file name, and the hotlinks off the desktop, e-mail, internet, all have a .lnk after the title.  My question is: will I be able to gain access to these documents, or are they all lost forever and I will just need to reformat my HD and start from scratch?  Thanks for any assistance that you give.

 

v/r

RetiredMan

Quads,

   Unfortunately I did have the background on the desktop change to the ransom demand.  I did try the decrypt keys that you provided for S&G's, but nothing happened.  And, unfortunately, I am still not able to access any of the computer programs (IE, Outlook, MS Word, Excel) and it is driving me crazy.  Have I lost all the e-mails that I have stored?  Will I need to do a clean wipe of my computer to get rid of these after-effects of this @$&%^$*#%@ virus on my computer?  I do have a spare drive that I can transfer all of the encrypted files to in the hope that one day a cure can be found, but I would rather not do that, as I have a whole bunch of programs that I do have access to on the first drive.

   The punishment for these worthless $&*%# should be a quick drop followed by a short stop!  Or better yet, do like the Chinese; immediate lead poisoning to the back of the head followed up with a bill to the family for the cost of the bullet!

 

PO'd Retired Man

As far as I am aware, the ransomware does not infect and encrypt email file types.

 

So,

 

.pst files for Outlook 

Can't remember for Outlook Express or Windows Mail

.msf and no extension for Thunderbird.  Everything for the user, like their inbox files and settings, is in the location "C:\Documents and Settings\[username]\Application Data\Thunderbird\Profiles\h8xkln41.default"

The address book file is also OK (.wab file)

 

But file types for documents for, say, Word, OpenOffice, Excel, PowerPoint, Adobe (PDF);

audio and video files: .mp3, .avi, .mpg, .mov, .vob, .flv; picture files: .bmp, .jpg; and archive files: .zip, .rar.

There are some other file types also.

 

Quads

Quads,

   I have been able to arrange almost all of my shortcuts on the desktop, but I am still having a few problems.  Off the Start/Programs menu all the links have the .lnk after the program.  You said that it altered the NeverShowExt setting in the registry so it will show .lnk as the file type, but I do not know how to correct that little problem either.

   I have not been able to track down the MS Outlook Express link but have found the .wab (good shape) and the .pst file.  It looks like the .pst may have been affected as I only have one on the drive and it is now only 96kb in size.

   Another problem that I have is MS word only wants to save information in plain text.  Every time I try to save anything I keep getting a message saying that it can only be saved in plain text format.

   I appreciate all the assistance, as this is really starting to get on my nerves.

 

v/r

RetiredMan
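Two of the clean-up chores raised in the post above can be scripted. This is an added example and not code from anyone in the thread; it assumes a Windows machine with PowerShell 2.0 or later, an elevated prompt for the registry part, and a profile root of "C:\Documents and Settings" (change `$Root` to suit). The first function inventories every file the ransomware renamed to `*.ENCODED`, grouped by the original extension, and writes the full path list to a CSV so the files can be copied off to the spare drive. The second checks the two registry items that make Explorer hide the `.lnk` extension on shortcuts (the `.lnk` association to `lnkfile`, and the empty `NeverShowExt` string value under `HKCR\lnkfile`) and restores whichever is missing; the change shows after logging off and back on.

```powershell
# Added example, not from the thread. Assumes Windows with PowerShell 2.0+.
# Run from an Administrator prompt for Repair-LnkDisplay.

function Get-EncodedInventory {
    param([string]$Root = 'C:\Documents and Settings')   # assumed; point at your profile root

    # -Force includes hidden files; PS2 has no -File switch, so filter out directories.
    $hits = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like '*.ENCODED' }

    # Path list for copying the encrypted files to the spare drive later.
    $hits | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path (Join-Path $env:USERPROFILE 'encoded-files.csv') -NoTypeInformation

    # "report.doc.ENCODED" -> BaseName "report.doc" -> original extension ".doc"
    $hits | Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Sort-Object Count -Descending |
        Select-Object @{n='OriginalExt'; e={ $_.Name }},
                      Count,
                      @{n='MB'; e={ [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1MB, 1) }}
}

function Repair-LnkDisplay {
    $ext = 'Registry::HKEY_CLASSES_ROOT\.lnk'
    $cls = 'Registry::HKEY_CLASSES_ROOT\lnkfile'

    # Windows normally maps the .lnk extension to the "lnkfile" class.
    $assoc = (Get-ItemProperty -Path $ext -ErrorAction SilentlyContinue).'(default)'
    if ($assoc -ne 'lnkfile') {
        Write-Warning ".lnk is associated with '$assoc' instead of 'lnkfile'; restoring"
        if (-not (Test-Path $ext)) { New-Item -Path $ext | Out-Null }
        Set-ItemProperty -Path $ext -Name '(default)' -Value 'lnkfile'
    }

    # An empty REG_SZ value named NeverShowExt under lnkfile hides ".lnk" in Explorer.
    $nse = Get-ItemProperty -Path $cls -Name NeverShowExt -ErrorAction SilentlyContinue
    if ($nse -eq $null) {
        Write-Warning 'NeverShowExt is missing from HKCR\lnkfile; restoring'
        New-ItemProperty -Path $cls -Name NeverShowExt -PropertyType String -Value '' | Out-Null
    } else {
        'NeverShowExt already present under HKCR\lnkfile'
    }
    'Log off and back on (or restart Explorer) for the change to show.'
}

Get-EncodedInventory | Format-Table -AutoSize
Repair-LnkDisplay
```

Keep the CSV: it records which files were hit and when they were last written, which is the evidence you want when deciding what to carry to the spare drive and what is simply lost.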

  

Someone else will have to state where the Outlook Express / Windows Mail files are located, depending on the actual Email client you use.

Outlook and Outlook Express are not the same.  When looking for the Outlook .pst files you may have a .pst file that is larger, called "archive.pst", which has the older email messages inside.

When searching via the Windows search you will have to select the option to search hidden files and folders, etc.

 

I doubt it is actually safe to replace backup documents, photos, music, etc. from, say, a backup USB hard drive without knowing the GPcode is completely gone first.  What a bugger if it isn't, and you connect a portable drive with the backup files, and the ransomware detects the backup copies on the newly connected drive and starts encrypting the backups.

 

The File types it encrypts

 

[screenshot GPCode.jpg: list of the file types the ransomware encrypts]

 

 

Once you have your address book file and email files, then any other possible personal files that ARE NOT any of the file types in the screenshot above, it's probably better to reformat / wipe the HD and install Windows fresh from CD or factory hard drive if possible, then install Norton and make sure Norton is then up to date with program and definitions.

 

After that you can copy the email and address book files into the location it was where you found them earlier. After that start the Email client and the inbox and other folders should be found and loaded by the Email client.

You can also now transfer the good photos etc. knowing the GPcode Ransomware is gone.

 

Nothing worse than using your backups and finding that the ransomware is not gone so the Backups are also screwed.

 

Quads
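The caution above, that the backup drive must stay unplugged until you are sure the ransomware is no longer running, can be turned into a simple test. This is an added example, not code from the thread; it assumes Windows with PowerShell 2.0 or later and that the decoy folder lives under the user's My Documents (an assumption, change `$CanaryDir` if needed). It plants small decoy files with the extensions the thread lists as targets, records a SHA-256 of each, and on a later run reports any decoy that has vanished, been renamed or changed, or gained a `.ENCODED` sibling. Only when the decoys survive normal use and a couple of reboots is it reasonable to connect the backups.

```powershell
# Added example, not from the thread. Assumes Windows with PowerShell 2.0+.
$CanaryDir   = Join-Path $env:USERPROFILE 'My Documents\canary'          # assumed location
$ManifestCsv = Join-Path $env:APPDATA 'canary-manifest.csv'              # kept outside the decoy folder
$CanaryExts  = '.doc','.xls','.ppt','.pdf','.jpg','.bmp','.txt','.mp3','.avi','.zip'  # types named in the thread

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function New-CanaryFiles {
    New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
    $rng  = New-Object System.Random
    $rows = foreach ($ext in $CanaryExts) {
        $file = Join-Path $CanaryDir ("budget2010$ext")       # plausible name, not "canary"
        $buf  = New-Object byte[] 4096                        # a few KB of random content
        $rng.NextBytes($buf)
        [System.IO.File]::WriteAllBytes($file, $buf)
        New-Object PSObject -Property @{ Path = $file; Sha256 = (Get-Sha256Hex $file) }
    }
    $rows | Export-Csv -Path $ManifestCsv -NoTypeInformation
    "Planted $($rows.Count) decoy files in $CanaryDir"
}

function Test-CanaryFiles {
    $bad = 0
    foreach ($row in (Import-Csv -Path $ManifestCsv)) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            Write-Warning "MISSING or RENAMED: $($row.Path)"; $bad++
        } elseif ((Get-Sha256Hex $row.Path) -ne $row.Sha256) {
            Write-Warning "CONTENT CHANGED: $($row.Path)"; $bad++
        }
    }
    # A new *.ENCODED file beside the decoys is the clearest sign the encryptor is alive.
    foreach ($f in (Get-ChildItem -Path $CanaryDir -Filter '*.ENCODED' -ErrorAction SilentlyContinue)) {
        Write-Warning "ENCRYPTED COPY: $($f.Name)"; $bad++
    }
    if ($bad -eq 0) { 'Decoys untouched: no encryption activity seen in this folder.' }
    else            { "$bad decoy problem(s): keep the backup drive unplugged and keep cleaning." }
}

New-CanaryFiles
# Use the machine normally for a day or two, reboot at least once, then run:
# Test-CanaryFiles
```

The decoys only prove that nothing encrypted this one folder during the wait, so run the full AV scans as well; a clean decoy check plus clean scans is the point at which reconnecting the backup drive stops being a gamble.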

 

Do you remember what website you have visited? Is your AVG free or paid? Because if it is paid, it should have blocked it.

1)  what  I can suggest is to use

http://live.sunbeltsoftware.com/


If your computer is nonfunctional, you need to print instructions anyway. Can anyone do it for you? Can you print instructions from the library?

The VIPRE Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

The VIPRE Rescue Program is packaged into a self-extracting executable file (.exe) that prompts the user for an "unpack" or installation location, then starts the scanner and performs a deep scan. The user can start the program either by opening it via windows or from the command line.

Virus definitions are included, and the program is self-running once executed. The initial scan, and all subsequent scans, include Rootkit Detection. Four command line options are available, perform a deep scan, perform a quick scan, log the events, and disabling the rootkit.

Detections are consistent with the full VIPRE, and the VIPRE Rescue Program is designed to disinfect a system so infected that a user cannot install VIPRE.

 

It can scan your PC and remove the virus, even though your PC is so infected that it is inoperable. Watch for the red items on the black screen; those will be the virus.

2) Can you save the file on your flashdrive for Viprerescue from other PC? Can you ask anyone to do it for you?

3) The most logical solution at this point, is to contact Microsoft, they will remove Virus for FREE. Call them (866PCSafety) press 1  before 866. They will do it. I called them, and they recommended me this Viprerescue , and it is a good virus remover.

 

 

The above post is useless with the ransomware and personal files encrypted with the 2 encryption algorithms.

 

No one as of yet has been able to create a decrypt tool. for the personal files.

 

The person has Norton installed that at some stage detected "Trojan.zefarch"

 

I wonder if the next version will have a ransom of $150.

 

Quads

OK, but can he call Microsoft? Is that useless?

There isn't much the user can do.  The files can't be restored at this point in time.  The infection can be removed but the files will remain encrypted.  We have seen this happen before.

All,

   Slowly and bit by bit, I'm getting my computer programs working again.  (Thank you all for your help.)  To answer some of the questions posted: yes, they did demand the $120 to get all of my computer working again.  I was looking at pictures on peopleofwalmart.com (and their other picture links) when I got hit.  The only AV program that I had at the time was Symantec (US Government version) and the standard MS firewall & AV programs.  Symantec did catch the virus but was unable to do anything about it.  My computer is now up and running (OK, more like walking and hobbling!) as it does have a few problems remaining.

   The good news:   I had several AV programs look (and installed) on my computer and they say there are no remnants of the virus.  I installed AVG (free version) and did the free AVG PC Health.  I was able to find my e-mail folder (.dbx file) and now have IE and Outlook back up and running.  I reloaded MS Office 2000 so I am also able to generate new files.   I have downloaded a few different files from the internet and saved them on my computer, restarted it a few times and nothing got encrypted.  And, I have been able to restore almost all of my added programs/games.

   Now the bad news:  All my MS Word, Excel, PPT, PDF, BMP, TXT, FLV, and JPG files that were on my computer before I got slammed by the virus (except the ones that were in my e-mail) are still encrypted.  (Those got saved onto an external HD and then unplugged!)  Also, when I click "Start", the links to Windows Update, Microsoft Update, etc., and when I click "Start/Programs", those quick links are all worthless.  When I click on their properties they all say "ENCODED File" and have a .lnk after them.

   And finally I have a problem with the Symantec AV; for some reason it does not want to LiveUpdate.  It tries to connect but I get the error, "LU1803: LiveUpdate failed...If fails again...reinstall LiveUpdate."  I go Start/Settings/Control Panel, click on the LiveUpdate icon and get "LiveUpdate could not access settings.  Program failed to create an instance of LiveUpdate engine or a LiveUpdate settings pointer."  I then click C:/Program files/Symantec/LiveUpdate/LSETUP.  It asks if I want to install, I click yes, and then it displays "The installed version of LiveUpdate on this system is already up-to-date."

   Those are a few of the last major hurdles left to complete.

 

Again thanks to any help that you all can provide with this problem.

 

v/r

RetiredMan

There is no point, in trying anything else.

 

Quads