I have a customer whos laptop has been hit with some form of virus/script/whatever. The end result is that all the document (.doc, .ppt etc) and music files have been changed to an unreadable state.

The initial symptom is that the files are renamed to xxxx.doc.NCRYPTED.NCRYPTED.NCYRPTED.NCRYPTED.ncrypted

Renaming the file to remove the rubbish on the end makes no difference as the file is still unreadable - appears the file header has been altered perhaps?

There is also a text file left behind with the following:

"Some files on your machine are encrypted and your private informations were collected and sent to us.
To decrypt files so you could use them again, you have to buy our decryptor.
After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
To buy decryptor, contact us at: thankyoumuchos@gmail.com or meloveyoug@yahoo.com
If you dont contact us, your private informations will be shared and you will loose all your data."

Normally, I would just run a format & reinstall the system but in this case the customer is desperate to keep their data since they have no backup.
So far I have run multiple virus scans with NOD32 which has pulled off some 30+ infections. I have also run spyware scans but of course this has had no effect.
Goggle has so far been unable to help and I'm not very confident of being able to get this resolved.

Any ideas or help would be greatly appreciated!

this kind of thing scares the hell out of me...  it's no longer just a matter of wiping the virus off or reinstalling. 

but I've always been calmed down when I think that all that needs to happen is for law enforcement to follow the money.  not sure how this would work internationally though.....

As for getting the data back, be sure to keep track of the malware before you clean it off of the machine. If you can find the particular nasty that was responsible for encrypting the data in the first place, then you stand a better chance of being able to undo the problem. If you really need the data back, this is the route that I would take.

Hi Ne0,

re-reading my post there is a fair amount that isn't as understandable as I'd have liked.

Checking backups before the restore was what I had meant by 'old enough not to be hijacked'. Should be common practice but I know several people (myself included) who have been caught by the same issue.

Thanks for catching the issue. I definitely wouldn't want someone taking my advice word for word then complaining when they spent hours of work only to still be infected...

RR

finally there is solution after i submit the sample files to Trend MicroUNISTLVWT16 detected in machine and they relased the pattern files 5.853 for the same. Unfortunately the deleted files cannot be recovered.
The virus is termed as WORM_RANSOM.AQ by trend micro

Hi
   Please find the url which will shows some details about the virus

http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444
http://en.wikipedia.org/wiki/Ransomware_(malware)

BADGUYS were not always the badgusy, politics and there ppl make them for the cause of money , some do for fun and some do for revenge, and some do for there own business, this list might increase any time and might go to anylength, but who know there might be hidden stuff in the orginal files too, when ever there is positive there will always a negative for that, i just wonder wht the conficker might bring now...