Kaldata.com - Forums

Files encrypted by a virus - [email protected]


Hello,

I came across a computer infected with a crypto virus. Looking around the forum, I see I am not the only one struggling with this problem.
The encrypted files I noticed have the following extensions (there are probably others): .cer, .xls, .doc, .docx, .zip, .rar, .pdf, .txt, .dbf, .mdb, .ppt.
Judging by the dates of the modified files, the encryption process started around 22:40 on 01.10.
Unlike other crypto viruses I have come across, this one leaves no contact information at all for decryption. Unfortunately, Shadow Explorer did not work.

I am attaching the FRST log; in my opinion, warnings such as "HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION" are due to CryptoPrevent, which was installed in March this year:

=================================================================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:30-09-2015
Ran by User (administrator) on DIANA (02-10-2015 16:05:34)
Running from C:\Documents and Settings\User\My Documents\Downloads
Loaded Profiles: User (Available Profiles: User)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(TODO: <Company name>) C:\Genius\ioCentre\gTaskBar.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(TODO: <Company name>) C:\Genius\ioCentre\gMouseTask.exe
(TODO: <Company name>) C:\Genius\ioCentre\gKbdTask.exe
(TODO: <Company name>) C:\Genius\ioCentre\gAutoPan.exe
() C:\Genius\ioCentre\gAutoScroll.exe
(TODO: <Company name>) C:\Genius\ioCentre\gZoom.exe
(TODO: <Company name>) C:\Genius\ioCentre\gMGlass.exe
(TODO: <Company name>) C:\Genius\ioCentre\gIMMgm.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(TODO: <Company name>) C:\Genius\ioCentre\gDeskMgm.exe
(TODO: <Company name>) C:\Genius\ioCentre\gTaskSwitch.exe
(CANON INC.) C:\WINDOWS\system32\CNAB4RPK.EXE
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17887232 2009-06-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ioCentre] => C:\Genius\ioCentre\gTaskBar.exe [241664 2006-12-08] (TODO: <Company name>)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-30] (AVAST Software)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\RECYCLER <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Application Data\open source software bundle installer.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Application Data\open source software bundle installer.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\Local Settings\Application Data\open source software bundle installer.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\open source software bundle installer.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\open source software bundle installer.exe <====== ATTENTION
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\Run: [Google Update] => C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [144200 2015-08-31] (Google Inc.)
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\Run: [iLivid] => "C:\Documents and Settings\User\Local Settings\Application Data\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [53737488 2015-08-07] (Skype Technologies S.A.)
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\MountPoints2: {0318e233-a93b-11df-ae4f-00265538f7e0} - POZLATIO\\javio.exe
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\MountPoints2: {53ba268e-193c-11e3-9a63-00265538f7e0} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL start.exe
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\...\MountPoints2: {9b59d334-3a34-11e3-9a7d-00265538f7e0} - H:\USBAutoRun.exe
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\MICROI~1.SCR [784041 2015-04-21] (Microinvest     )
AppInit_DLLs: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Wincert\WIN32C~1.DLL => No File
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
HKLM\...\AppCertDlls: [x86] -> C:\Program Files\Movies Toolbar\Datamngr\apcrtldr.dll <===== ATTENTION
HKLM\...\AppCertDlls: [x64] -> c:\program files\movies toolbar\datamngr\x64\apcrtldr.dll <===== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-01-07] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.10.1.1
Tcpip\..\Interfaces\{BC25206F-471F-448A-9E8D-607140714507}: [DhcpNameServer] 10.10.1.1

Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = www.microinvest.net
HKU\S-1-5-21-1078081533-1303643608-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search.ask.com/sr?src=ieb&gct=ds&appid=725&systemid=406&v=n9602-132&apn_uid=5471591332344133&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM -> {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^HJ^xdm174^YYA^bg&si=CD9418&ptb=7BF3EA8C-DA6D-4824-ADC4-2CE00E22141D&ind=2013101112&n=77fd7c38&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1078081533-1303643608-1801674531-1003 -> {1059ba16-437d-4e6f-8d1e-abb4fa565e2c} URL = hxxp://www.searchsave.com/index.php?req=search&term={searchTerms}
SearchScopes: HKU\S-1-5-21-1078081533-1303643608-1801674531-1003 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search.ask.com/sr?src=ieb&gct=ds&appid=725&systemid=406&v=n9602-132&apn_uid=5471591332344133&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1078081533-1303643608-1801674531-1003 -> {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^HJ^xdm174^YYA^bg&si=CD9418&ptb=7BF3EA8C-DA6D-4824-ADC4-2CE00E22141D&ind=2013101112&n=77fd7c38&psa=&st=sb&searchfor={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-01-07] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - EFOToolbar - {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - C:\DOCUME~1\User\APPLIC~1\OSI\dlls\EFOTOO~1.DLL No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
Toolbar: HKU\S-1-5-21-1078081533-1303643608-1801674531-1003 -> EFOToolbar - {AB26BF6C-BB04-4F00-8F98-BDE786CDE97D} - C:\DOCUME~1\User\APPLIC~1\OSI\dlls\EFOTOO~1.DLL No File
Toolbar: HKU\S-1-5-21-1078081533-1303643608-1801674531-1003 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-23] (Google Inc.)
DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} hxxps://mwb.municipalbank.bg/CSWebBankASP/capicom.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default
FF SearchEngineOrder.1: Ask.com
FF SearchEngineOrder.3: Bing 
FF SelectedSearchEngine: Ask.com
FF Homepage: hxxp://www.google.bg/
FF Keyword.URL: hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=7BF3EA8C-DA6D-4824-ADC4-2CE00E22141D&n=77fd7c3f&ind=2013101119&p2=^HJ^xdm174^YYA^bg&si=CD9418&searchfor=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @VideoDownloadConverter_ScriptHelper.com/Plugin -> C:\Program Files\VideoDownloadConverter\npVDCPlugin.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1078081533-1303643608-1801674531-1003: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin HKU\S-1-5-21-1078081533-1303643608-1801674531-1003: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2013-01-02] (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF SearchPlugin: C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default\searchplugins\bingp.xml [2013-07-11]
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\Ask.xml [2013-10-11]
FF Extension: B-Trust Tool - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default\Extensions\[email protected] [2015-05-29]
FF Extension: New tab - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default\Extensions\{12EA0B34-CD10-0574-EA58-62B2AED1FE75} [2013-12-11]
FF Extension: Movies Toolbar (Dist. by Bandoo Media, Inc.) - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default\Extensions\{3d86a75b-cb6b-4764-885d-ca6336f04ba2} [2013-10-11]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p9t1dyhs.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-02-02]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-10-01]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-10-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-04-14]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-08-05]

Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP&dt=071113" 
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\41.0.2272.101\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll => No File
CHR Plugin: (Native Client) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\41.0.2272.101\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\41.0.2272.101\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (avast! WebRep) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda [2011-10-06]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-07]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-09-16]
StartMenuInternet: chrome.exe - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
R2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [168004 2009-05-01] (NVIDIA Corporation) [File not signed]
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3273088 2013-09-16] (Skype Technologies S.A.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2015-01-07] ()
R1 aswKbd; C:\WINDOWS\system32\Drivers\aswKbd.sys [20624 2012-10-31] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2015-01-07] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2015-01-07] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2015-01-07] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2015-01-07] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2015-01-07] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2015-01-07] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2015-01-07] ()
S2 DgiVecp; C:\WINDOWS\System32\Drivers\DgiVecp.sys [41984 2004-05-17] (DeviceGuys, Inc.) [File not signed]
S3 gHidPnp; C:\WINDOWS\System32\Drivers\gHidPnp.Sys [14848 2006-07-14] ()
S3 gMouUsb; C:\WINDOWS\System32\DRIVERS\gMouUsb.sys [9984 2006-07-14] ()
R3 nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [8055584 2009-05-01] (NVIDIA Corporation) [File not signed]
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [54784 2008-08-01] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [22016 2008-08-01] (NVIDIA Corporation)
S3 usbbus; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [13056 2008-11-19] (LG Electronics Inc.)
S3 UsbDiag; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-19] (LG Electronics Inc.)
S3 USBModem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-19] (LG Electronics Inc.)
S4 IntelIde; no ImagePath
S3 StarOpen; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-02 16:02 - 2015-10-02 16:05 - 00000000 ____D C:\FRST
2015-10-01 13:09 - 2015-10-01 14:03 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-23 09:07 - 2015-09-23 09:07 - 00000000 ____D C:\Program Files\Common Files\Skype
2015-09-23 09:07 - 2015-09-23 09:07 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Skype
2015-09-12 10:36 - 2015-09-12 10:36 - 00019306 _____ C:\Documents and Settings\User\Desktop\PROTOKOL.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-02 16:05 - 2010-04-14 11:29 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Temp
2015-10-02 16:03 - 2010-04-30 09:42 - 00000420 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{9B58B9BC-CCE5-4BE8-864A-C05B141F56C4}.job
2015-10-02 15:57 - 2012-06-04 16:18 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\Axialis
2015-10-02 14:41 - 2014-06-27 16:29 - 00000446 _____ C:\WINDOWS\Tasks\SyncBackFree PlN.job
2015-10-02 14:34 - 2010-04-14 11:22 - 00000000 ____D C:\WINDOWS\Registration
2015-10-02 13:29 - 2010-04-14 11:24 - 01437563 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-02 13:28 - 2013-01-02 14:36 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-10-02 13:28 - 2010-04-14 14:20 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-10-02 13:28 - 2010-04-14 14:20 - 00000053 _____ C:\WINDOWS\wiaservc.log
2015-10-02 13:28 - 2010-04-14 11:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-10-02 13:28 - 2009-05-01 00:30 - 00229488 _____ C:\WINDOWS\system32\NvApps.xml
2015-10-02 13:27 - 2010-04-14 11:29 - 00000278 ___SH C:\Documents and Settings\User\ntuser.ini
2015-10-02 13:27 - 2010-04-14 11:27 - 00032628 _____ C:\WINDOWS\SchedLgU.Txt
2015-10-02 10:52 - 2010-04-15 15:54 - 00184123 _____ C:\WINDOWS\mcmaster.ini
2015-10-02 10:27 - 2013-06-17 19:11 - 00000000 ____D C:\Documents and Settings\User\Application Data\Skype
2015-10-02 10:26 - 2012-05-11 14:52 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-02 10:26 - 2008-04-14 15:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-10-01 22:58 - 2010-04-15 14:36 - 00000000 ____D C:\Package
2015-10-01 22:58 - 2010-04-15 14:21 - 00000000 ____D C:\McMaster
2015-10-01 22:52 - 2014-09-18 16:32 - 00707874 _____ C:\dok [email protected]
2015-10-01 22:52 - 2014-09-18 16:31 - 00863016 _____ C:\dok [email protected]
2015-10-01 22:52 - 2012-01-12 12:07 - 01408703 _____ C:\[email protected]
2015-10-01 22:51 - 2014-09-18 16:40 - 00928311 _____ C:\Document [email protected]
2015-10-01 22:51 - 2014-08-22 14:22 - 00001588 _____ C:\[email protected]
2015-10-01 22:51 - 2010-04-15 14:19 - 00000000 ____D C:\dcdownload
2015-10-01 22:49 - 2014-04-28 16:08 - 01040038 _____ C:\Documents and Settings\User\My Documents\МАРИЯ[email protected]
2015-10-01 22:43 - 2014-08-12 18:24 - 00020484 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 22:34 - 2013-04-29 12:43 - 00020996 _____ C:\Documents and Settings\User\My Documents\PERSONAL [email protected]
2015-10-01 22:33 - 2015-04-15 11:49 - 00000000 ____D C:\Documents and Settings\User\My Documents\MICRO
2015-10-01 22:33 - 2015-03-31 18:42 - 00000000 ____D C:\Documents and Settings\User\My Documents\MIKRO
2015-10-01 22:33 - 2014-11-28 14:09 - 00000000 ____D C:\Documents and Settings\User\My Documents\OKLASSSSSSSSSSSSSSS
2015-10-01 22:33 - 2014-04-28 14:50 - 00267780 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 22:33 - 2013-07-24 18:44 - 00028676 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 22:23 - 2015-02-27 17:11 - 00018948 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 22:23 - 2013-05-27 19:56 - 00020996 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 22:23 - 2012-05-04 10:43 - 00195588 _____ C:\Documents and Settings\User\My Documents\Copy of GRAFIK-Д[email protected]
2015-10-01 22:23 - 2011-04-29 19:01 - 03428111 _____ C:\Documents and Settings\User\My Documents\[email protected]
2015-10-01 18:21 - 2010-04-16 10:42 - 00000148 _____ C:\WINDOWS\McMaster2007.INI
2015-09-25 15:29 - 2011-04-26 18:34 - 00000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\Google
2015-09-23 09:36 - 2012-06-19 16:20 - 00780488 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-09-23 09:36 - 2011-10-06 14:45 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-09-23 09:07 - 2014-02-28 11:22 - 00001878 _____ C:\Documents and Settings\All Users\Desktop\Skype.lnk
2015-09-23 09:07 - 2013-06-17 19:10 - 00000000 ___RD C:\Program Files\Skype
2015-09-23 09:07 - 2013-06-17 19:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2015-09-04 11:39 - 2010-04-29 14:31 - 00002497 _____ C:\Documents and Settings\User\Desktop\Microsoft Office Word 2003.lnk

==================== Files in the root of some directories =======

2010-04-15 16:04 - 2010-04-15 16:04 - 0278752 _____ () C:\Documents and Settings\User\Local Settings\Application Data\Open Source Software Bundle Installer.exe

Some files in TEMP:
====================
C:\Documents and Settings\User\Local Settings\Temp\BlackBerryDeviceManager.exe
C:\Documents and Settings\User\Local Settings\Temp\BlackBerryLauncher.exe
C:\Documents and Settings\User\Local Settings\Temp\SkypeSetup.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
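Added example, not part of the original post or of FRST itself: a small Python parser for lines in the "One Month Modified files and folders" layout shown above. It isolates files whose names carry the ransomware's contact-address marker (the log redacts it as `[email protected]`, so that placeholder is assumed here) and reports the encryption window and the original extensions hit, which is the triage the poster did by hand from file dates. The log lines it runs on are constructed, not copied from the log.

```python
import os
import re
from datetime import datetime

# Marker the ransomware appends to file names; the log above shows it redacted
# as "[email protected]", so that literal stands in for it here (assumption).
MARKER = "[email protected]"

# FRST file/folder line: <modified> - <created> - <size> <attrs> [(<company>)] <path>
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{7,8}) (?P<attrs>[A-Z_]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Constructed sample lines in the same layout as the log above (not copied from it).
SAMPLE_LOG = """\
2015-10-01 23:10 - 2014-09-18 16:32 - 00707874 _____ C:\\dok\\invoice.xls.[email protected]
2015-10-01 22:58 - 2010-04-15 14:36 - 00000000 ____D C:\\Package
2015-10-01 22:40 - 2012-01-12 12:07 - 01408703 _____ C:\\Docs\\contract.docx.[email protected]
2015-10-01 22:51 - 2014-08-22 14:22 - 00001588 _____ C:\\Docs\\notes.txt.[email protected]
2015-09-23 09:36 - 2012-06-19 16:20 - 00780488 _____ (Adobe Systems Incorporated) C:\\WINDOWS\\system32\\FlashPlayerApp.exe
"""

def parse_frst_line(line):
    """Return a dict for one FRST file/folder line, or None if the line is not one."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["modified"] = datetime.strptime(rec["modified"], "%Y-%m-%d %H:%M")
    rec["size"] = int(rec["size"])
    rec["is_dir"] = rec["attrs"].endswith("D")  # FRST marks folders with a trailing D
    return rec

def original_extension(path, marker=MARKER):
    """Extension the file had before the marker was appended, e.g. '.xls'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name.split(marker)[0].rstrip("."))[1].lower()

def encryption_window(log_text, marker=MARKER):
    """Files carrying the marker: how many, when the first and last were written
    (the encryption run), and which original extensions were hit."""
    hits = [r for r in map(parse_frst_line, log_text.splitlines())
            if r and not r["is_dir"] and marker in r["path"]]
    if not hits:
        return None
    times = [r["modified"] for r in hits]
    return {"count": len(hits), "first": min(times), "last": max(times),
            "extensions": sorted({original_extension(r["path"], marker) for r in hits})}
```

Feeding the real "One Month Modified" section through `encryption_window` gives the first and last timestamps of the renamed files, which bounds when the encryption ran on that machine.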

  • 2 weeks later...

Since there was no ransom information and the accountant could not wait (the companies are waiting for their documents, after all), we were forced to replace several computers and reinstall the others from scratch.
Meanwhile I found someone online who has the same problem and had posted the image with which they demand the ransom from him (which we did not have). Here it is:

recovery.png

We wrote an email following the instructions in the image, and after 24 hours we received the following email:
Subject: Re: ID0959511641
From: "File Two" <[email protected]>
Date: 07.10.15 07:13
To: 

Hello
If you wish to get all your files back, you need to pay 3 BTC.
How to get bitcoins?
1. Bitcoin ATMs www.coinatmradar.com
2. www.localbitcoins.com
3. google: buy bitcoins
This is the only way to get your files back.
There’s no way to decrypt them without the original key.
The price is non-negotiable.
After paying 3 BTC and emailing the confirmation of payment you will be provided with a decoder.
If you don't trust me, you can email one of your files, I will decode it and send it back to you.
However, if the file you're requesting to decode is valuable, I will send you either a quote from it or a screenshot.
I apologise for any inconvenience caused.
Let me know if you want to proceed.
Thank you for cooperation.
--------------------------------------------------------------
NB! Alternative emails: [email protected]
--------------------------------------------------------------

After that we sent a test zip, which they decoded, and they sent back only one small, unusable file from it.
Another email from us followed, in which they gave the bitcoin wallet for the 3 bitcoins they want.
After payment on our side and sending the confirmed transaction, they sent back a decryptor with 2 keys.
The key length was 32 characters, so I can tell you right away that brute force is pointless with such a key.

The email with the decoder and the 2 keys is available; if it is of interest to the antivirus team, we can provide it.

Hopefully this saves someone else the 3 bitcoins we paid for it.

  • 2 weeks later...

You should have written where you caught it from and which antivirus missed it. How much did it encrypt in how much time, and did you notice anything during that time? I see quite a few people have caught it. I don't think there have been this many threads about anything else.

Usually the ransoms are up to 1 bitcoin (about $400); this is the first time I see someone asking for 3. And since you paid that much, at least learn a lesson from it, and so should the others.

Edited by Филипов

  • 2 weeks later...

Hello,

All antivirus programs miss it.

I have such a case too and have examined it in quite some detail. The virus uses standard security holes to infect the files. Usually the cause of the unfortunate event is the human factor.

After careful analysis of the damage I found that the damage is only where the virus had Executable permission. After that it starts generating random process names, and so on until it is cleaned.

It can only be cleaned manually; I did not find an antivirus that would help me!

The scary part is the damage it does. I have hardware resources and am currently trying to "brute force" it. I am convinced of success, but it will take time. If I succeed I will describe the method in detail.

P.S. And I will describe it for free :)

Edited by Han Solo
I'm sleepy already!

Of course the antivirus programs miss it. To prevent this type of infection, one uses programs that have HIPS/IDS capabilities, behaviour blocker, cloud, sandbox, reputation analysis, virtualization, anti-executable/default-deny programs (such as VoodooShield, SecureAplus, Appguard, Applocker in Windows), UAC (at maximum settings), LUA (limited user account) and SRP (Software Restriction Policies - gpedit.msc), and options for protecting specific folders (such as Panda DataShield, Comodo Protected Files and Folders, 360 Total Security Data Hijack Protection), etc.

Hardware is not a factor with this infection. Yes, for those variants where brute force is possible it will reduce the time needed for the task, but for some variants it is simply impossible. And the most interesting thing, when I say variants (it may not be about different versions of the ransomware, but one and the same version, which even uses the same extensions... for one the decryption may be possible, for another not). This depends on how weak the key generator on the C&C server side was. That is why the Kaspersky tool I posted in the important thread of this section may be useful for some and useless for others.

And by now there are far more insidious encryptors. There is talk of a new version of Cryptowall that uses a special chat system for communicating with the author of the malware. So in this case prevention is a better solution than attempting to clean up afterwards.

But I still wish you success, because if you succeed you will help more people, and the goal is precisely to help with whatever we can. ;)
