help all files gone! recovery + rkyft also +lkvcx
Tuesday, March 8, 2016 by benmanns | Discussion: Internet
My mother called me today and told me that her PC was locked and all files were displayed as wave files or mp3.
So I gave her a visit and had a look at what was going on.
I checked Windows; it had 53 thousand entries of _recovery_ +rkyft.html and _recovery_ +rkyft.png.
All files seemed to be renamed randomly, for example picture01.jpg was now picture01.jpg.wav.
I downloaded Malwarebytes, updated it and deleted a malicious file that had a random-letter name and was not to be found on a Google search...
I cleaned the registry, but apparently there are still two well-hidden entries that point to the deleted file, since the system tried to launch it on restart.
Haven't found those yet.
I read up on how to restore the files, and one article pointed out that one should try to simply rename the file.
I did that with no success; each and every file is pretty much useless atm,
and once you have renamed them to picture01.jpg the file becomes corrupted.
My second thought was, OK, let's try a restore point.
The PC is set up to make one for every update and every new program, and had one done when I was here a month ago.
But guess what... no restore points, all have been deleted...
Ain't that nice.
So I'm currently sitting here like an idiot since I don't know what to do to get her files back.
I have no old backup data where I could select an original file and compare it to the encrypted ones.
The system AV was running with aggressive settings (Bitdefender btw) and was even updated.
So if you have any idea what can be done to save my mother's files, help is greatly appreciated at this point.
Since I'm out of ideas...
Reply #2 Tuesday, March 8, 2016 11:11 AM
Everything I find on Google says it's ransomware and that SpyHunter will remove it.
I don't know that I trust that.
Doc is likely correct. Reformat time.
Reply #3 Tuesday, March 8, 2016 11:23 AM
Doc and RND know much more than I do.
Just a thought. Since a reformat will totally lose all your mother's files, that will be hard on her for sure. Maybe try this to save files: take one of the, say, picture.jpg.wav files, put it on a USB stick, place it on another computer and rename it. See if it will rename correctly and open. May not work at all, but it is something I would at least try.
Reply #4 Tuesday, March 8, 2016 11:45 AM
Everything I find on Google says it's ransomware and that SpyHunter will remove it.
I don't know that I trust that.
Doc is likely correct. Reformat time.
Jim... shouldn't a ransom-type screen appear demanding bitcoin payment, if it were that?
Also... I don't know all that much about it... not even sure he'll be able to download and install herdProtect on it to do the necessary screening...
Dave - not so sure backing up all that stuff is wise... at least before it's been cleaned. Might end up with multiple machines/disks infected.
Unhappy your mom's having this trouble, benmanns.
Reply #5 Tuesday, March 8, 2016 11:47 AM
Before I reformatted and lost everything, which may already be lost anyway, I would check out http://www.bleepingcomputer.com/
It's one of the best sites I know that can get an infected computer healthy again.
Reply #6 Tuesday, March 8, 2016 12:20 PM
Ty for the suggestions guys...
I should've been more clear; sadly I'm a bit frustrated.
I managed to remove a dropper called mkpllokupo or something like that. I made a quick search with my phone at the time that didn't bring up any results.
The event log starts from 7am this morning... nothing is listed.
I contacted a buddy over at trojanboard and explained my situation.
I messed up with the file extension, guys.
Not every file is now .wav, it's also .mp3.
The files do not have the usual locked indication; that's why I first thought this could be something like the BKA scareware.
But it looks like I'm wrong this time.
I mainly thought it must be something cheap because it wasn't able to change the background; it only had the above-mentioned htm linked and a png file sitting in every folder... The background was black, therefore my guess was that it should have been replaced by the png, but that wasn't the case.
Anyway...
My buddy told me that there have been multiple reports lately about an encryption with the same stuff happening,
and for now it looks like there is nothing I can do to fix it, since it might be a slightly changed version of TeslaCrypt 3.
There are no shadow copies of the files. Stellar Phoenix is taking advantage of this by asking for cash.
Edit: JC, thanks for your suggestion - http://www.bleepingcomputer.com/news/security/new-teslacrypt-variant-now-uses-the-mp3-extension/
I seriously wanted to just trash the OS and start new, but she has some important files on there, and I didn't have another HDD with me.
I still have a new WD drive, where I will back up all of the encrypted files in the hope that there will be a solution some day.
Once everything is secured I will format and factory reset the drive and start over; it's safer that way.
Edit: Asked my mother what she did this morning; besides coffee and browsing her emails she did nothing.
Haven't checked her mails; also I think that would be a bit rude. But just to mention it: be careful and don't click on something that you don't know.
The only thing I can suggest as relief for now is to make a backup of your files as soon as you can, since it seems the only way to restore the files atm.
Or not clicking any unknown emails.
Reply #7 Tuesday, March 8, 2016 12:31 PM
Doc and RND know much more than I do.
Just a thought. Since a reformat will totally lose all your mother's files, that will be hard on her for sure. Maybe try this to save files: take one of the, say, picture.jpg.wav files, put it on a USB stick, place it on another computer and rename it. See if it will rename correctly and open. May not work at all, but it is something I would at least try.
Tested that on my old VM; the file will be useless afterwards...
Once you change the file extension the file will change accordingly, but you won't be able to open, view or launch it.
Reply #8 Tuesday, March 8, 2016 12:42 PM
If Bitdefender fails, you could try running MS's "herdProtect" (http://www.herdprotect.com/downloads.aspx) to identify the virus that did this.
Removing it... once identified, you'll have to look up specific methods on the net.
Restoring? Not at all sure that's possible since her "restore points" are gone.
A foolish question, perhaps... does she have an external/cloud backup? If not... "format c:"... unless someone has better ideas?
Nope, but that's the first thing that popped into my head when I couldn't fix the problem.
Guess a cloud drive would be the safest thing, but then again my mom saves everything into shortcuts... will take a while to teach her.
But as you say, it's probably the best idea, as well as a format.
But this crypt-shit-thing is the worst...
Reply #9 Tuesday, March 8, 2016 1:59 PM
When you get it all sorted out, make sure to do a recovery backup. I use AOMEI OneKey Recovery, which is easy to use.
Reply #10 Tuesday, March 8, 2016 3:38 PM
Pull the HD out of the machine without backing up.
Buy a new HD and install the OS etc.
Meanwhile, research the virus and its potential fixing.
Buy a second/external HD and educate mother into a backup regimen.
Assume all is lost... and any recovery is a bonus.
Reply #12 Tuesday, March 8, 2016 4:59 PM
Jim... shouldn't a ransom-type screen appear demanding bitcoin payment, if it were that?
I was merely reporting all I could find on Google in a short time period.
Reply #15 Thursday, March 10, 2016 5:46 AM
So I was looking a bit into WD My Cloud; the thing I don't understand is how it will improve the current situation.
As far as I understand, I can upload the files as a "backup" to the My Cloud that is attached to the router, and I can, if I want, access the data from anywhere.
Now my concern: since the My Cloud does not have any firewall itself, nor AV on it, wouldn't it be much easier to breach? The only firewall it could use is the one of the router.
As you can see I'm a bit confused, and I admit I have not yet read much about this.
But if it syncs files, that would be another issue, since it would then sync the encrypted files, which would end in an equally corrupted or encrypted backup without anyone noticing until it is too late.
I have already bought a new drive, installed Windows on it and read a little more on how to stop such a thing from happening again.
I came across Malwarebytes Anti-Ransomware; it's still in beta phase though.
I have installed it on her machine along with Bitdefender AV 2015 Plus.
Also bought the Malwarebytes AM Premium package.
Reply #16 Thursday, March 10, 2016 8:28 AM
Anything hooked into your OS will be susceptible to the same issue.
What you need is a backup system that saves those essentials... emails... docs... photos... work... etc. systematically at an appropriate scheduled interval.
Example...
My system can be hit with ransomware today... and I can restore my system to exactly as it was... yesterday.
Max loss... 1 day.
Everything is done with redundancy... files are separately backed up to secondary hard drives daily. Also, the entire OS drive is imaged again to a separate [not the same] drive daily.
Weekly those files are backed up again... to yet another drive... so a secondary failure means loss of a week.
The last total OS 'stuff up' I experienced [my fault] saw me lose a grand total of 1 day's email... and nothing else at all [other than the time to restore everything again].
You need to look up the likes of Acronis... and SyncBack [in particular]...
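As an added illustration, not code from anyone in this thread, here is a small Python sketch of the two ideas in Reply #15 and Reply #16 together: dated daily snapshots (so an encrypted copy can never overwrite yesterday's good one, and the worst case is one day's loss) plus a guard that refuses to copy a source tree showing the signs reported in this thread, namely a large share of files with a second extension such as .jpg.wav or .jpg.mp3, or _recovery_+... note files in the folders. The 25% threshold, the 7-day retention, the sample file tree and the file names it contains are constructed assumptions for the demo.

```python
import shutil
import tempfile
from datetime import date
from pathlib import Path

# Indicators taken from this thread: TeslaCrypt appended .wav / .mp3 to every
# file (picture01.jpg -> picture01.jpg.wav) and dropped _recovery_+<id>.html/.png
# notes in every folder. The threshold and retention below are assumed values.
RANSOM_SUFFIXES = (".wav", ".mp3")
RANSOM_NOTE_PREFIX = "_recovery_+"
ENCRYPTED_RATIO_THRESHOLD = 0.25   # assumption: refuse once 25% of files look encrypted
KEEP_DAILY = 7                     # assumption: keep one week of daily snapshots


def is_double_extension(name):
    """True for names like 'picture01.jpg.wav' where a media suffix was appended
    after an existing extension. A plain 'song.mp3' has one suffix and passes."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in RANSOM_SUFFIXES


def assess_source(src):
    """Walk src and return (suspect_files, total_files, note_files)."""
    total = suspect = notes = 0
    for p in Path(src).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower().startswith(RANSOM_NOTE_PREFIX):
            notes += 1
            continue
        total += 1
        if is_double_extension(p.name):
            suspect += 1
    return suspect, total, notes


def looks_encrypted(src):
    """Guard: any ransom note, or too many double-extension files, means do not sync."""
    suspect, total, notes = assess_source(src)
    if notes:
        return True
    return total > 0 and suspect / total >= ENCRYPTED_RATIO_THRESHOLD


def prune_old_snapshots(dest_root, keep):
    """Keep the newest `keep` dated snapshot folders; ISO dates sort chronologically."""
    snaps = sorted(p for p in Path(dest_root).iterdir() if p.is_dir())
    for old in snaps[:-keep]:
        shutil.rmtree(old)
    return [p.name for p in snaps[-keep:]]


def snapshot_backup(src, dest_root, today):
    """Copy src to dest_root/<YYYY-MM-DD>. Each day gets its own folder, so an
    encrypted copy never overwrites yesterday's good one; returns None if refused."""
    if looks_encrypted(src):
        return None
    snap = Path(dest_root) / today.isoformat()
    if snap.exists():
        shutil.rmtree(snap)          # re-running the same day replaces only that day
    shutil.copytree(src, snap)
    prune_old_snapshots(dest_root, KEEP_DAILY)
    return snap


def build_sample(root, encrypted):
    """Constructed sample tree; encrypted=True mimics the state the thread describes."""
    root = Path(root)
    (root / "photos").mkdir(parents=True, exist_ok=True)
    files = {"letter.docx": b"dear mom", "photos/picture01.jpg": b"\xff\xd8jpeg"}
    for rel, data in files.items():
        target = root / (rel + ".wav" if encrypted else rel)
        target.write_bytes(b"<ciphertext>" if encrypted else data)
    if encrypted:
        for folder in (root, root / "photos"):
            (folder / "_recovery_+rkyft.html").write_text("ransom note")
    return root


def demo():
    """Day 1 backs up a clean tree; on day 2 the tree is encrypted and the guard refuses."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        drive = tmp / "backup_drive"
        drive.mkdir()
        day1 = snapshot_backup(build_sample(tmp / "day1", False), drive, date(2016, 3, 7))
        day2 = snapshot_backup(build_sample(tmp / "day2", True), drive, date(2016, 3, 8))
        kept = sorted(p.name for p in drive.iterdir())
        restored = (drive / "2016-03-07" / "photos" / "picture01.jpg").read_bytes()
        return {
            "day1_ok": day1 is not None,
            "day2_refused": day2 is None,
            "snapshots": kept,
            "restored_intact": restored.startswith(b"\xff\xd8"),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the dated folders is the one Reply #15 raises: a plain mirror sync would happily replace every good file with its .wav/.mp3 copy, whereas a per-day snapshot keeps yesterday intact even if today's run is not refused. The guard is only a heuristic (a folder of legitimately double-dotted names would trip it), so a refusal should be treated as a prompt to look at the machine, not as a silent skip.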
Reply #1 Tuesday, March 8, 2016 10:51 AM
If Bitdefender fails, you could try running MS's "herdProtect" (http://www.herdprotect.com/downloads.aspx) to identify the virus that did this.
Removing it... once identified, you'll have to look up specific methods on the net.
Restoring? Not at all sure that's possible since her "restore points" are gone.
A foolish question, perhaps... does she have an external/cloud backup? If not... "format c:"... unless someone has better ideas?