Question

Internet Explorer favorites

May 13, 2012 2:56AM PDT

Most of my Internet Explorer favorites have changed from what should be an Internet Shortcut, to an LCBK file, which means they are all locked.

Why has this happened, and how do I convert them back???

Thanks

- Collapse -
Clarification Request
You will need to explain more
May 13, 2012 3:00AM PDT

because IE's Favorites is just one text file which the browser uses to list favorites while the browser is open.

So please tell us what happens when you try to open a link from inside your browser using your Favorites links.

Mark

- Collapse -
Clarification Request
Looks like a typo there.
May 13, 2012 3:03AM PDT

While I know we could fix associations, your post is incomplete. No mention of the version of Windows, IE and I'm left to wonder if LCBK is really a .LNK.
Bob

- Collapse -
Thanks
May 13, 2012 4:16AM PDT

Thanks for your replies.

Windows XP, IE ver 8.0 and it is LCBK.

When I go into my favorites, all the names now have 'locked' in front of them, and they will not open.
If I right click on any favorite and look in properties, general, it says the file type is LCBK where it normally says Internet shortcut.

It must be some sort of virus but I am running AVG anti virus and Windows Firewall, so am a bit confused!!

- Collapse -
An antivirus only stops what it knows about.
May 13, 2012 4:21AM PDT
- Collapse -
Oh dear!
May 13, 2012 7:02AM PDT

Since then I have turned off the computer and restarted it. It is obviously a virus of some sort, as the computer comes up with a message saying it is locked!!

It boots up, and then totally locks up, so I cannot access anything at all.

What do I do now? I seem to remember you could boot from the CD or start in safe mode, but I don't know how that will help. I am not much of a techie!

- Collapse -
Safe Mode for the non-tech.
May 13, 2012 7:04AM PDT

Put the Windows version you run (Windows XP?) and SAFE MODE into google to pick the article you understand.

Grif does note to boot and scan in safe mode.
Bob

- Collapse -
Bad to Worse!!!
May 18, 2012 12:39AM PDT

I have got back to trying to sort out this issue, but it is even worse now!!!

All my data files, word docs, xls, pdf etc etc are now locked and I cannot access anything at all!!

Disaster of mega proportions!

The computer is a Toshiba laptop and I do not even know how to get into safe mode.

So some help would be appreciated please.

Colin

- Collapse -
Not really. Grif writes about UNHIDE too.
May 18, 2012 12:55AM PDT

It appears you haven't cleaned off that nasty yet but I wonder if you took Grif's advice. You didn't tell.

Grif writes about UNHIDE.EXE at http://forums.cnet.com/7726-6122_102-5239386.html and this applies to what he writes there and files.

MY CONCERN HERE is that you appear to have no backup copies. That is, we only lose what we don't backup.

Are your files worth having a backup copy?
Bob

- Collapse -
Hi Bob
May 18, 2012 1:36AM PDT

Hi Bob, I have downloaded the Rkill and Malwarebytes onto a memory stick, and the computer will not even recognise the memory stick, so no I have not managed to do it yet.
I also do not know how to open up the machine in safe mode so until I find that out I am going to struggle!

Backup? Yes they are worth having a backup copy, for many reasons this has not been done. We have all sorts of pressures here at this time, and we have been talking about using a cloud. But we haven't done it ........ Sad Sad

Colin

- Collapse -
I find some nasties disable that.
May 18, 2012 1:38AM PDT

They do that to make recovery hard. You may have to boot SAFE MODE and use them from a CD.
Bob

- Collapse -
Safe Mode
May 18, 2012 4:41AM PDT

Google would tell you, but quickly, reboot the computer and after the BIOS checks start tapping the F8 key once a second until you see the Safe Mode list of options.

Mark

- Collapse -
They want money!!
May 18, 2012 5:18AM PDT

Even worse, they are demanding money from me to turn my computer back on!!!!

But have got into safe mode and am now running Rkill and Malwarebytes.

Fingers crossed Grin

- Collapse -
Good work
May 18, 2012 5:19AM PDT

and good luck.

Mark

- Collapse -
Didn't work!!
May 18, 2012 5:27AM PDT

I seem to be able to access programs now, but all my data files are corrupt.

For example a file named expenditure04-05.xls is now called locked-expenditure04-05.xls.cbml and is now known as a cbml file.
expenditure 05-06.xls is now called locked-expenditure05-06.xls.jlxv and is known as a jlxv file.

The virus has renamed all my files with a random 4 letter code.

What the h*ll do I do now??

- Collapse -
Can you use Normal Mode now?
May 18, 2012 5:31AM PDT

If so, run those programs again in Normal Mode.

Remember when you run RKill, do not reboot afterwards but instead run MBAM again, then Unhide.exe

You may have to run these a few times.

Mark

- Collapse -
Answer
Still no good!
May 18, 2012 7:54AM PDT

Well I have run Rkill and Malwarebytes again and still just the same. All my data files have corrupted file names.

Any more suggestions?

Colin

- Collapse -
I missed that
May 18, 2012 7:57AM PDT

"They want money"

Who is this 'they'? Is this the malware you thought you had but didn't know?

What are you seeing, and what does it say?

Mark

- Collapse -
Money
May 18, 2012 4:46PM PDT

The money was demanded by the Malware. I have managed with Rkill to clear all that but it has left all my data files corrupted.

- Collapse -
If we had known earlier
May 18, 2012 9:14PM PDT

then we might have suggested different routes.

Different malware often needs to be handled differently.

Do you know the name of this malware?

Try a test with one of those files, eg locked-expenditure05-06.xls.jlxv

Copy the file and place the copy in some other location, eg your Desktop. Why copy? We work on the copy, not on the original for tests. Right click that copied file and select "Rename".

Rename it to expenditure05-06.xls

Press Enter. Now open that file. Does it work?

Mark
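An added example, not part of the original thread: the copy-and-rename test Mark describes, run over a whole folder in Python, with each copy's first bytes compared against the usual signature for its file type to tell files that were only renamed from files whose content was changed. The function names, folder layout and sample files are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Naming pattern reported in the thread: locked-<original name>.<4 random letters>
LOCKED_RE = re.compile(r"^locked-(?P<orig>.+)\.[a-z]{4}$", re.IGNORECASE)

# Well-known leading bytes of intact files (OLE2 is the legacy .doc/.xls container).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".xls": OLE2, ".doc": OLE2, ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff"}

def original_name(name):
    """Return the pre-infection file name, or None if the name is not 'locked'."""
    m = LOCKED_RE.match(name)
    return m.group("orig") if m else None

def triage(src_dir, work_dir):
    """Copy locked files to work_dir under their old names and check the headers."""
    work = Path(work_dir)
    work.mkdir(parents=True, exist_ok=True)
    report = {}
    for path in sorted(Path(src_dir).iterdir()):
        orig = original_name(path.name) if path.is_file() else None
        if orig is None:
            continue
        copy = work / orig
        shutil.copy2(path, copy)  # work on the copy; the original is never touched
        magic = MAGIC.get(Path(orig).suffix.lower())
        if magic is None:
            report[orig] = "unknown type"
            continue
        with open(copy, "rb") as fh:
            head = fh.read(len(magic))
        report[orig] = "header intact" if head == magic else "content altered"
    return report

def demo():
    """Run triage over constructed sample files (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "docs")
        src.mkdir()
        (src / "locked-expenditure05-06.xls.jlxv").write_bytes(OLE2 + b"constructed")
        (src / "locked-dvla2.doc.cbwr").write_bytes(b"\x8f\x13\x5a\x00constructed")
        (src / "notes.txt").write_text("not renamed")
        return triage(src, Path(tmp, "work"))

if __name__ == "__main__":
    print(demo())
```

A "content altered" result means renaming alone will not bring the file back, so the untouched originals should be kept in case a decryption tool for that malware family exists.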

- Collapse -
Hi Mark
May 19, 2012 4:40AM PDT

Sorry I do not know the name of the malware and do not know how to find it, particularly as I have run Rkill and Malwarebytes.

I have copied a word file and a spreadsheet file and saved them as .doc and .xls files.

They will not open!!

Any other suggestions please?

Colin

- Collapse -
I'm not sure where we go from here
May 19, 2012 8:19PM PDT

I hope you have backups of these files because then you can just load the backups, (try one just as a test), and when you have confirmed they all work, delete all the locked files.

If not...?

It seems you were hit with Ransomware, a form of malware that demands money from you for an unlock code. But without knowing which Ransomware, there are many, your options are severely limited.

How do you know the files are locked? The file names may have 'locked' added to them, along with another file extension, but what happens when you try to open them?

Please give full details.

Here is an example of what one Ransomware does;
http://news.softpedia.com/news/New-Worm-Locks-Documents-with-Password-155228.shtml

Mark

- Collapse -
No backup!
May 19, 2012 11:31PM PDT

Hi Mark, I have no backup for the data files, that is the problem. This machine is a laptop I have been using temporarily for about 3 months, and I was going to copy everything back to my desktop when I had finished using it. Unfortunately that was not done!

The locked files all have locked in front of them for example locked-dvla2.doc.cbwr. If I try to open it with Word it just comes up with gibberish.
When I copy and rename it dvla2.doc and open it, I get the message 'Word cannot start the convertor mswrd632' . And I still get gibberish, but different gibberish!!

I have copied my other word documents across from the desktop to the laptop, and they work OK.

I have also copied over my Internet Explorer favorites and they work OK, just not up to date!

If I have lost the data, then that is a total pain in the butt, but I would like to recover my emails which are not affected.

I am using Firefox, and do not know where the folders are stored!

The linked article on Ransomware was interesting reading!

Regards

Colin

- Collapse -
Not sure what you mean about emails
May 20, 2012 4:59AM PDT

Firefox doesn't manage emails, except web access email accounts but then any browser would do there as the emails are stored in the cloud, (on the email web servers).

If you mean Thunderbird, (Mozilla's family of Firefox browser and Thunderbird email client), then for Windows XP the emails are stored in;

C:\Documents and Settings\{WindowsAccountName}\Application Data\Thunderbird\Profiles\Profile name

But I am unsure what you need to recover if the emails are not affected.

Mark

- Collapse -
Mark
May 20, 2012 6:13AM PDT

Thanks for your reply, I need to get all the emails from the laptop onto my desk top, which I can now do thanks.

Colin

- Collapse -
What I think now
May 20, 2012 9:12PM PDT

It's good that you can now rescue the emails.

I see Bob is helping also and that's great, but I have to be straight here. If you provide a file via Dropbox and we still cannot de-crypt it then your options become severely limited. I see now that the lock has affected other files besides your personal documents and I am assuming that these other files are going to make this OS unstable.

If so, then it is time to cut and run. Reformat that laptop drive and install the OS again as a fresh install.

For your information here's another link, a different example of Ransomware;
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

That one is even worse as it seems the malware wasn't obtained via the usual methods but is actually installed by someone.

You might try BleepingComputer's forums, (available via the link above), or even Kaspersky's forums here http://forum.kaspersky.com/index.php?showforum=3 .

But frankly, if you intend to carry on with this, I am not at all sure forums are the best venue for you and you may have to consider removing the drive and sending it off to some expert data recovery service.

Mark

- Collapse -
Answer
About your EMAILS. Do you use GOOGLE GMAIL?
May 20, 2012 5:06AM PDT

If so, your emails are still there.

It's taken a lot of posts to find out this machine has RANSOMWARE but some Antivirus companies do provide the unlock key for free. But since we don't know which it was, no one can tell what to do next.

At this point it may be time to consider how much all this is worth to you. If it's not worth calling up Kaspersky's antivirus support for a few hundred then we know the files are not worth a few hundred and then you can decide to forget it, reload the OS and next time be religious about backup.
Bob

- Collapse -
Answer
Mr Profitt
May 20, 2012 6:20AM PDT

Yes you are correct in what you say, it has taken many posts to get there!

Sorry I do not know where the Ransomware came from, but I just followed the instructions on here to run Rkill and Malwarebytes. Nobody asked me to try and find out a name of anything, and I was not even aware of anything called Ransomware, I thought I had just some sort of simple virus.

As everything now seems to be working correctly, I assume there is no way of knowing where the Ransomware came from?

The emails I have rescued, but have lost all my data files, doc, xls, jpg, etc and there are numerous other 'locked' files all over, but I am not sure what they are.

Thanks

Colin

- Collapse -
One last offer.
May 20, 2012 6:24AM PDT

Put a locked file up on a Public link on your DROPBOX account then share the public link. I'll get it and see if the file is one I've seen before.

Sorry but please use google to learn about DROPBOX since we would be duplicating the web if I wrote how to share a file over that.
Bob

- Collapse -
Thank you Bob
May 21, 2012 5:54AM PDT

Just got in from work and this 62 year old has another skill. Dropbox user!!!

http://dl.dropbox.com/u/80737663/locked-maserati%20job%20list%205.xls.rqet

http://dl.dropbox.com/u/80737663/locked-maserati%20parts%205.xls.psfh

I have taken the liberty of copying 2 what were xls files.

The first is a very simple list, mainly text. The 2nd is a smaller, similar file.

Both of these items relate to a customer's job which has not been invoiced, and I do not have any other record of what is on here. Getting the invoice to him will make the difference to eating this month or not! Sorry to be so glum, but times are pretty hard here in the UK!!!

Good luck!

Colin

- Collapse -
(NT) Looking at it now. BRB.
May 21, 2012 5:56AM PDT