Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • This topic is locked This topic is locked
2 replies to this topic

#1 oboe22


  • Members
  • 2 posts
  • Local time:02:55 AM

Posted 14 June 2012 - 12:51 AM


I had been attacked by ransomware that encrypted many of my documents. My issue is similar to a previous thread started by another user: http://www.bleepingcomputer.com/forums/topic456569.html/page__pid__2726791#entry2726791

I believe the attack occured on the evening of Saturday,June 9th. My documents (Word, Excel, txt, PDF, JPG, etc.) had been encrypted and they all have ".crypt" extention at the end. Some of these file reside in my external hardrive which was connected to my computer at the time. There is a big black popup showing on my desktop and also a "WARNING" file created in each of my folders affected showing the following message:


YOUR COMPUTER IS BLOCKED. All your documents, text files and databases
are securely encrypted.
You can unblock your computer by completing three easy steps.

STEP 1: Buy a MoneyPak in amount of $50 at the nearest store.

STEP2: Fill out the fields on the black screen on your cumputer. Otherwise
send as an e-mail at cryptdecrypt@yahoo.com. Indicate your ID in the message
title and provide MoneyPak number.

STEP 3: Check your e-mail. We will send you a program to remove the malware
and decrypt your files once payment is verified. Your computer will roll back
to the ordinary state.

Q: How I can make sure that you can really decipher my files?

A: You can send ONE any ciphered file on email cryptdecrypt@yahoo.com
(Indicate your ID and /test decrypt/ phrase in the message title), in the
response message you receive the deciphered file.

Q: Where can I purchase a MoneyPak?

A: MoneyPak can be purchased at thousands of stores nationwide, including
major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart,
Kroger and Meijer.

Q: How do I buy a MoneyPak at the store?

A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display
and take it to the register. The cashier will collect your cash and load it onto
the MoneyPak.
https://www.moneypak.com/StoreLocator.aspx - here you find a store near .

I tried to run a full scan with MS Security Essentials (after updating definitions on June 10) but nothing was detected. I have not attempted to run any tools to remove the virus since then as I'm afraid any changes I make could impact my chance of recovering my files.

At this stage my first and foremost priority is to recover my files to the original state (they include some important work documents and personal photos) :( Removal of the virus comes second.

Please let me know if I need to provide anymore info. Any help to recover the infected files will be greatly appreciated!

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:55 AM

Posted 16 June 2012 - 01:31 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

The only solution found so far on this infection is to make a system restore.

Success here:

Try to do a system restore under utilities. It will take your computer back a few days, before the evil crack head got a hold of it. Let me know if it works or not.

#3 nasdaq


  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:55 AM

Posted 22 June 2012 - 12:52 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users