Having trouble with .crypt files


16 replies to this topic

#1 Mr. Quasar

Mr. Quasar

  • Members
  • 17 posts

Posted 10 June 2012 - 02:17 PM

Hi all,

Last night while browsing some folders, I noticed a big text file on my desktop called "WARNING," which said the following:

YOUR ID: 286

YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.

STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How I can make sure that you can really decipher my files?

A: You can send ONE any ciphered file on email cryptdecrypt@yahoo.com
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near.


There were roughly 486 of these text files - one in every folder I had ever created or altered. But in spite of the gloom-and-doom of the warning, I still had pretty much full access to everything, minus my personal text/doc files and task manager. My text/doc files were now ending in a .crypt extension, and while I can open them, it's just gibberish. So I ran Malwarebytes, nothing. Ran PC Doctor, nothing. Searched around on the Internet for a brief bit, found some not-very-helpful information, and decided to go ahead and do a system restore (yeah, first time ever, probably shouldn't have done that). Ran both PC Doctor and Malwarebytes again, no problems. Task manager works fine, everything seems perfect, but I still can't access any of my text/doc files. Thoughts?

Sorry if this was long, that's just how I am...any clarifications or anything needed, just let me know. Thanks for your time.

#2 gstott81

gstott81

  • Members
  • 1 posts

Posted 10 June 2012 - 02:53 PM

This happened to me today also.
I am seeing all my documents as .CRYPT files. Removing this extension is not fixing it.
I removed the execute file from the application data folder, and was able to delete the virus called "vsdsrv32.exe".
Now the "please send money screen" is not coming up, but the docs are still encrypted.

Any thoughts?

#3 Resnaux

Resnaux

  • Members
  • 5 posts

Posted 10 June 2012 - 03:10 PM

Hello,

I have the same issue. I didn't remove the virus because I know it won't solve the issue with my files, which are encrypted (I already tried to use them on another computer, even after removing the extension). I prefer to keep it in order to keep potential encryption data, if any is remaining.

I also searched the web but I didn't find anything that works. This trojan/virus doesn't seem to be new, but I think this is a new variant.

Can somebody help me to recover my files?

Thanks a lot in advance if anyone has a solution to propose... otherwise thanks a lot for having read this message.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts

Posted 10 June 2012 - 04:35 PM

This looks like "ransomware", a money scam..

First try doing a system restore to a date before this happened...

Windows XP and Vista System Restore Guide
Windows 7

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 marcel71

marcel71

  • Members
  • 1 posts

Posted 10 June 2012 - 05:12 PM

Hi, I have also fallen victim to this nasty thing yesterday. At first I thought it was some prank adware, so I went about what I usually do in these cases, which was kill the process, delete a wpbt0.dll file I found and clean the registry, and thought everything was fine until I went and tried to open my files and saw they were encrypted. I used a renaming utility to change the extensions, believing that was that, and now none of the files will open.

This is only one of two threads I found on this particular variant of the malware; the other, on the Norton forums, has hit a dead end.

I tried every solution I found with decryption programs, renaming the files to rar (didn't work), etc., and nothing worked, and to make matters worse all the original infection files are gone and I'm stuck with GBs of personal files that I can't use anymore..

Please I am desperate to recover my files so if anyone has a solution please post! Thank you!

Marcel

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts

Posted 10 June 2012 - 05:24 PM

Hello, if the Restore was ineffective..
We will need to repost to find and remove it. Post a DDS log if you can. If not .....

Start the new topic titled Ransomware

Copy this link in the new topic.

http://www.bleepingcomputer.com/forums/topic456569.html/page__pid__2726791#entry2726791

DDS
Please go here....
Preparation Guide, do steps 6 - 9 if you can.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip the GMER step.
Let me know if that went well.

#7 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2012 - 05:39 PM

Hey guys, sorry to hear all of you are having this problem as well. At the same time, I guess that might increase our chances of figuring this thing out?

@boopme, thanks for the help, system restore eliminated any issue I was having with task manager and such, but my files are still encrypted. I'll go through those steps then start a new topic. Thanks again :)

Edited by Mr. Quasar, 10 June 2012 - 05:42 PM.


#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,849 posts

Posted 10 June 2012 - 05:59 PM

@ Mr. Quasar, marcel71, Resnaux, and gstott81,

To expand on boopme's latest instructions, when you create the new topic in the log forum, please include as much information as possible concerning what the infection has done to the machine. Also, please explain what you have already tried to do. Please DO NOT attempt any further alterations in removing the infection on your own as you may complicate the removal of the infection or make impossible the recovery of your files.

For future reference, please create your own topic when posting about a problem and do not post in someone else's topics even though the problem may seem the same. The causes and solutions may be different, and the malware might be different. Further, posting in someone else's topic with your own problems creates massive confusion for all concerned.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#9 Mr. Quasar

Mr. Quasar
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2012 - 06:07 PM

Thanks Orange :) Is there anything from my original post that needs to be expanded on? Any info I could have included that I didn't? I'm making the new topic now, so I just want to be sure. Cheers!

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,849 posts

Posted 10 June 2012 - 06:24 PM

Hello Mr. Quasar,

Your initial post was quite informative. If there were any other changes that occurred both as a result of the infection and as a result of doing System Restore that you didn't already mention in your first post, please include that information in your new topic. Also, please include what you wrote in your initial post to save your helper some time.

Also, if you noticed any strange file names, please make a note of those, and DO NOT delete them. Your helper may need a sample in order to resolve the problem.

Orange Blossom :cherry:

#11 jdashr

jdashr

  • Members
  • 1 posts

Posted 10 June 2012 - 09:14 PM

Hi Mr. Quasar, I found a resolution for this issue that you had. Just don't delete anything in your computer and stop changing any of your PC settings.. PM me your email address so I can send you the file that can fix the issue that you have.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts

Posted 10 June 2012 - 09:33 PM

WHY not post the fix for all to use.. That's why we have this forum .. Also it would be better to see the fix and be sure it is safe to use.

#13 KenZoi

KenZoi

  • Members
  • 1 posts

Posted 10 June 2012 - 09:43 PM

WHY not post the fix for all to use.. That's why we have this forum .. Also it would be better to see the fix and be sure it is safe to use.


I agree.

This ransomware also crypted all my pics (even from external hd). I also got over 1000 valuable texts. This is pretty devastating. I got pwned.

We need a hero.

#14 oboe22

oboe22

  • Members
  • 2 posts

Posted 11 June 2012 - 12:09 AM

Hi all,

I found out that I'm experiencing this issue tonight as well!

Like the others, not only Word and text documents but all my photos have been changed to .CRYPT as well. PDFs are also affected. It will give me a heart attack if I can't recover them.

I only tried to do a full scan with the up-to-date MS Security Essentials but it did not detect anything. I have not tried any other method to remove the virus yet and I'm still seeing that damn warning popup on my desktop.

If anyone knows how to resolve this please advise. Thanks for all your help!

#15 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts

Posted 11 June 2012 - 01:06 AM

Similar discussion and potential fix posted here: http://www.bleepingcomputer.com/forums/topic455347.html/page__view__findpost__p__2718675

Good luck :thumbup2:



