Infected by Loki ransomware

Status
Not open for further replies.
A

anguishedwanderer

New Member
Thread author
Dec 26, 2022
5
Greetings.
A Loki ransomware has managed to delete all my restore points and added itself to Windows Defender exclusion list, however since I have Acronis True Image from my WD hard drive purchase I bought for local daily backup, Acronis Ransomware Protection allows me to block ransomware's file access I denied the ransomware, thus the ransomware has encrypted nothing but files on the root C:\ drive which are driver installation logs and the stuff on Public user folder, and all of them are program shortcuts.

I know I'm supposed to send in Malwarebytes logs, but since the ransomware is still active and it has added itself to Windows Defender exclusion list, I didn't want to boot into my Windows installation, not even safe mode. Why? Afraid of the ransomware starting up. However, Malwarebytes free seems not to be licensed for offline scanning from my precursory internet search. Hence I'm attaching just a FRST logfile collected from booting the system from Windows 10 installation USB disk
 

Attachments

  • FRST.txt
    89.5 KB · Views: 13
  • Like
Reactions: Dave Russo
nasdaq

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===



Please post the Fixlog.tx also I need to see the Addition.txt logs that was created with the Farbar scan.
Let me know what problem persists.
 

Attachments

  • Fixlist.txt
    3.1 KB · Views: 11
  • Like
Reactions: Dave Russo
A

anguishedwanderer

New Member
Thread author
Dec 26, 2022
5
Hello, running from recovery means Farbar won't produce Addition.txt
It is safe if I Boot to Windows once I run Fix?
 
nasdaq

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Yes just run the fix for now.

Then run a Farbar scan in RE and post the log for my review.

Will take care of the Addition.txt later.
 
  • Like
Reactions: Dave Russo
nasdaq

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

You are correct. Your reply was deleted my some one I'm investigating it.
I undeleted the reply as you can see.

Can you run a scan with the Farbar program and post the FRST.TXT and Addition.txt log in normal mode.
If you still cannot then do it in the RE.

Let me know what problem persists.
 
  • Like
Reactions: Dave Russo
nasdaq

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

from your logs posted Sunday at 6:37 PM
I would need to see the FRST.TXT on that date.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

1 -iClean the Windows Defender Quarantine folder.

Comment: Delete/Restore quarantined files.

How to: Delete/Restore quarantined files.
docs.microsoft.com

Restore quarantined files in Microsoft Defender Antivirus - Microsoft Defender for Endpoint

You can restore quarantined files and folders in Microsoft Defender Antivirus.
docs.microsoft.com

Follow the directives on the page to delete all the files in the quarantine folder.

Restart the computer when done.
<<<>>>

This fix will remove the restrictionns on these classes of files.
HKU\S-1-5-21-1948350676-4017922296-1157506175-1001\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-1948350676-4017922296-1157506175-1001\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-1948350676-4017922296-1157506175-1001\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-1948350676-4017922296-1157506175-1001\Software\Classes\.cmd: => <==== ATTENTION

Try to run the Farbar program in normal mode after the restart of the computer.

Please post the Fixlog.txt generated with the fix.

and Include fresh FRST.TXT and Additional.txt logs

and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    3.8 KB · Views: 6
  • +Reputation
Reactions: oldschool
nasdaq

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Sorry for this long delay. Do you still need help?
 
Status
Not open for further replies.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Malware News Surge in Magniber ransomware attacks impact home users worldwide
Replies
2
Views
2,491
Security News
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
Malware News macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools
Replies
0
Views
1,009
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
Security News Black Basta ransomware poses as IT support on Microsoft Teams to breach networks
Replies
0
Views
796
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top