I am using Windows XP (SP3) and Avast Free Anti-Virus. Suddenly, I received a Message from my Avast Anti-Virus application that it had attached a 'small Note' to an uploaded file -- whereas I had never uploaded any file that day. This was probably the stage when Cryptolocker uploads the User’s information (User’s Account Name under ‘Documents and Settings’) and also a cryptographic key to a server online.
When Cryptolocker was still encrypting my files (silently behind the scenes) I switched off my PC -- not knowing anything about the said Viral Attack.
Upon reboot, the first indication that something was amiss was given by the missing Desktop Wallpaper. When I went to the 'My Pictures' folder I found that no 'preview' of images in this folder was available; more so, the Desktop ‘Display Properties’ window (for fixing the missing wallpaper) also crashed. At this stage, I found that almost ALL ‘.exe’ files failed to open, including my Avast Free Anti-Virus.
The only hint of what was wrong was an Error Message about 'file permissions' -- when I opened Properties in the ‘My Pictures’ folder => Security tab I found two new 'Account Unknown' entries at the Top of the List of Owners, and these had inherited the 'permissions' from a higher level of folder than 'My Pictures' (i.e. from the current User under ‘My Documents and Settings'). So, I first broke the chain of 'inheritance' from the parent folder, and then DELETED the said two new Owners -- from the topmost folder up to ‘My Pictures’.
To view a missing Security tab, open Folder Options in Control Panel. Click Start, and then click Control Panel. Click Appearance and Themes, and then click Folder Options. On the View tab, under Advanced settings, clear ‘Use simple file sharing [Recommended]’.
Since I was repeatedly getting an Error Message about Adobe, it was suspected that the external server connection was being established through Adobe. Hence, I DELETED Adobe Updater from the following Registry entry:
HKEY_CURRENT_USER => Software => Microsoft => Windows => CurrentVersion => RunOnce
Thereafter I used the simple steps for restoring file association for ‘.exe’ files, and for previewing images, e.g.
i) regsvr32 %systemroot%\system32\shimgvw.dll
ii) Click Start, and then click Run. Type "command.com", and then press Enter. (A DOS window opens.) Type the following:
"cd\"
"cd \windows"
Press Enter after typing each one.
Now type/copy "regedit.exe regedit.com" and then press Enter.
Type "start regedit.com" and then press Enter.
Navigate to, and select the key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
In the right pane, double-click the (Default) value.
Delete the current value data, and then type:
"%1" %*
Tip: Type the characters: quote-percent-one-quote-space-percent-asterisk.
Close the Regedit utility.
I ran a Kaspersky online Virus scan and, thereafter, my Avast Antivirus (both Quick Scan and Boot-time Scan).
Since I regularly back up my important Documents on DVDs, I restored the same on my PC from the backup.
Hope this helps those affected by Cryptolocker.
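The checks the post performs by hand (the .exe file association under HKEY_CLASSES_ROOT, the 'Account Unknown' entries on the Security tab, and the RunOnce autostart key) can be scripted so that an affected profile is inspected before anything is deleted. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later (PowerShell is an optional install on Windows XP SP3), an elevated session, and that the affected profile is the one the script runs under ($env:USERPROFILE is a stand-in for the 'Documents and Settings' path the post names). The companion check of the '.exe' extension key is an addition beyond the post, included because the two keys work together.

```powershell
# Added example (not from the original post). Read-only inspection of the
# three things the post touched: .exe association, orphaned ACL entries,
# and HKCU RunOnce autostart values. Run elevated; PowerShell 2.0+.

function Test-ExeAssociation {
    # The post restores (Default) under exefile\shell\open\command to "%1" %*.
    # The .exe extension key itself should point at 'exefile'; checking both
    # catches a hijack of either half of the chain.
    $expectedCommand = '"%1" %*'
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $extKey = 'Registry::HKEY_CLASSES_ROOT\.exe'

    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    $progId  = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'

    New-Object PSObject -Property @{
        CommandValue    = $command
        CommandExpected = ($command -eq $expectedCommand)
        ExtensionValue  = $progId
        ExtensionOk     = ($progId -eq 'exefile')
    }
}

function Get-OrphanedAce {
    # An ACE whose principal no longer resolves to an account shows as
    # 'Account Unknown' in the Security tab; PowerShell then reports the raw
    # SID string instead of a DOMAIN\name, so matching on '^S-1-' finds them.
    param([string]$Root = $env:USERPROFILE)   # assumption: current profile

    $items = @(Get-Item -Path $Root -Force -ErrorAction SilentlyContinue)
    $items += Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        if ($acl.Owner -match '^S-1-') {
            New-Object PSObject -Property @{
                Path = $item.FullName; Kind = 'Owner'; Principal = $acl.Owner
                Inherited = $false; Rights = ''
            }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -match '^S-1-') {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Kind      = 'ACE'
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited   # the post's entries were inherited from the parent
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

function Get-HkcuRunOnce {
    # Lists every value under the RunOnce key the post edited, so an entry such
    # as the Adobe Updater one can be reviewed before it is removed.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {      # skip PSPath/PSParentPath/... metadata
            New-Object PSObject -Property @{ Name = $p.Name; Command = $p.Value }
        }
    }
}

# Usage: print the three reports; nothing is modified.
Test-ExeAssociation | Format-List
Get-OrphanedAce | Sort-Object Path | Format-Table Path, Kind, Principal, Inherited, Rights -AutoSize
Get-HkcuRunOnce | Format-Table Name, Command -AutoSize
```

The orphaned-ACE report shows whether an entry is inherited, which is the detail the post relied on: inherited entries have to be handled at the folder where inheritance was broken rather than at 'My Pictures' itself. Because every function only reads, the output can be saved as a record of the state before the registry value is restored or the owners are removed.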