PDA

View Full Version : Rogue .yoyvyrf file extension



Firetree
2015-01-25, 06:47
Curious if anyone has run across a bug that adds a bogus file extension of .yoyvyrf at the end of an otherwise legitimate file name (cf., myphoto.jpg becomes myphoto.jpg.yoyvyrf). The file also becomes hopelessly corrupted, even if you fix the file name. Neither SpyBot or Avast found anything. It was done on hundreds of files on this person's backup drive...I won't be getting into the main box until tomorrow afternoon.

Anyone seen this? Basically curiosity...gonna have to clean out the whole system anyway.

Thanks in advance.
----------------------------------
Admin Edit
For future reference and others reading. :)
http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-%28Please-read-this-Procedure-Before-Requesting-Assistance%29-Updated

Juliet
2015-01-25, 13:28
Very uncomfortable with what your finding.

If I have you run this tool and it finds what I'm thinking it will, you will have a ton of work to do.

Don't know if there is anything I can do, if we can identify which infection it is then there is a chance we can undo some of the damage.

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png IDTool

Please download IDTool (http://www.bleepstatic.com/fhost/uploads/3/idtool.zip) and save the file to your Desktop.
Right-Click idtool.zip and click Extract All. Select your Desktop and click Extract.
Right-Click IDTool.exe and click http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
If you're prompted to download and install Micorsoft .NET Framework, please agree.
Allow the programme to collect the necessary data.
Once the main console is loaded, click Rescan Computer and Generate a New Report.
Upon completion, and when prompted that the rescan is complete, click Generate Text Friendly Report for Forums.
Copy the contents of the report and paste in your next reply.

Firetree
2015-01-25, 23:30
I'll try that...so long as this utility will handle an external drive. I won't be getting into the main box until this afternoon...but I'm now thinking I'd better wait on any action until I get a look at "mama." Thanks for the response/suggestion.



Very uncomfortable with what your finding.

If I have you run this tool and it finds what I'm thinking it will, you will have a ton of work to do.

Don't know if there is anything I can do, if we can identify which infection it is then there is a chance we can undo some of the damage.

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png IDTool

Please download IDTool (http://www.bleepstatic.com/fhost/uploads/3/idtool.zip) and save the file to your Desktop.
Right-Click idtool.zip and click Extract All. Select your Desktop and click Extract.
Right-Click IDTool.exe and click http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
If you're prompted to download and install Micorsoft .NET Framework, please agree.
Allow the programme to collect the necessary data.
Once the main console is loaded, click Rescan Computer and Generate a New Report.
Upon completion, and when prompted that the rescan is complete, click Generate Text Friendly Report for Forums.
Copy the contents of the report and paste in your next reply.

Juliet
2015-01-26, 01:46
I understand.

Firetree
2015-01-26, 21:20
I figured it out. It's CTB-Locker. From all indications it was on the HDD AFTER the previous techs had "clean installed" Win7. There is also evidence (from file IDs) that the infection was there BEFORE they clean installed the OS. That's troublesome. I also had scanned this drive (outside of the box, on my hot-swap system using my paid version) and SpyBot did NOT see it. I'm running a boot-time scan with Avast now to see what comes up there...but not expecting anything, because it did not discover any indicators when file transfers were started...which it will do if the threat is in its library. Also...the bug's UI isn't auto-triggering as it normally would. Interesting indeed.

Anyway...considering the HDD is eight years old, and the computer is six years old, I think my recommendation will be a new machine. Unfortunately, they've lost all their data. The backups were also contaminated/encrypted.

Hope that info may be of help to others.


Curious if anyone has run across a bug that adds a bogus file extension of .yoyvyrf at the end of an otherwise legitimate file name (cf., myphoto.jpg becomes myphoto.jpg.yoyvyrf). The file also becomes hopelessly corrupted, even if you fix the file name. Neither SpyBot or Avast found anything. It was done on hundreds of files on this person's backup drive...I won't be getting into the main box until tomorrow afternoon.

Anyone seen this? Basically curiosity...gonna have to clean out the whole system anyway.

Thanks in advance.

Juliet
2015-01-26, 22:48
It's possible some files/folders can be recovered.....which ones I can't say.
If your interested in trying:

recovery with the use of Previous Versions or ShadowExplorer may be possible. File recovery software may also be an option if the infection does not securely delete the original files.

http://i.imgur.com/y3MMIrs.png Previous Versions

Right-click the file/folder and click Properties.
Click Previous Versions.
This tab will list all copies of the file and the date they were backed up.
To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
If you wish to restore the selected file and replace the existing one, click Restore.
If you wish to view the contents of the file before restoring, click Open.


http://i.imgur.com/MzmiIl9.gif ShadowExplorer

Please download ShadowExplorer (http://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip) and save the file to your Desktop.
Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
Right-Click ShadowExplorer.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
You will see a drop-down menu with the shadow copies of all partitions and disks present.
Click C:\ from the drop-down menu.
To the right, pick a date prior to the infection from the drop-down menu.
To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.






http://i.imgur.com/J8xQM97.png File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

http://i.imgur.com/fSA1TL4.png R-Studio (http://www.r-studio.com/)
http://i.imgur.com/C08PZmH.png[/img Photorec (http://www.cgsecurity.org/wiki/PhotoRec)
[img]http://i.imgur.com/uc6sByo.png (http://www.piriform.com/recuva/builds) Recuva (http://www.piriform.com/recuva/builds)

Firetree
2015-02-08, 01:23
I specialize in data recovery...three different data recovery apps did not find any residual, unencrypted files. These folks are SOL, I'm afraid.

What bothers me most, I think, is that SpyBot didn't detect this at all. Neither did Avast, or McAfee, or Norton, or AVG. Hmmmm...

Another development (just today) is that this same person found that files they have residing on Picasa are infected/encrypted. I'm not able to discern as yet if they were infected by someone else uploading to Picasa, or were infected on the client's machine prior to being uploaded.

Not one of our better days out here in tropical paradise... :cool:


It's possible some files/folders can be recovered.....which ones I can't say.
If your interested in trying:

recovery with the use of Previous Versions or ShadowExplorer may be possible. File recovery software may also be an option if the infection does not securely delete the original files.

http://i.imgur.com/y3MMIrs.png Previous Versions

Right-click the file/folder and click Properties.
Click Previous Versions.
This tab will list all copies of the file and the date they were backed up.
To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
If you wish to restore the selected file and replace the existing one, click Restore.
If you wish to view the contents of the file before restoring, click Open.


http://i.imgur.com/MzmiIl9.gif ShadowExplorer

Please download ShadowExplorer (http://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip) and save the file to your Desktop.
Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
Right-Click ShadowExplorer.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
You will see a drop-down menu with the shadow copies of all partitions and disks present.
Click C:\ from the drop-down menu.
To the right, pick a date prior to the infection from the drop-down menu.
To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.






http://i.imgur.com/J8xQM97.png File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

http://i.imgur.com/fSA1TL4.png R-Studio (http://www.r-studio.com/)
http://i.imgur.com/C08PZmH.png[/img Photorec (http://www.cgsecurity.org/wiki/PhotoRec)
[img]http://i.imgur.com/uc6sByo.png (http://www.piriform.com/recuva/builds) Recuva (http://www.piriform.com/recuva/builds)

Juliet
2015-02-08, 12:58
I think developers are searching relentlessly for an exact venue on how people are infected with this version of CTB-Locker, past versions, and future versions, and dissect it for a patch.

It's sad to say we don't know it all when it comes to what will become infected and what wont. We do try to post info on how to stay protected and avoid infection but some how I think it's able to slip through those preventions.

Let me supply you with an article for this specific version in hopes it can help in some small way.
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

Juliet
2015-02-14, 04:32
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Since this issue appears resolved ... this Topic is closed.