
My corrupted/encrypted files are visible, it's just that they won't open


This topic is locked
13 replies to this topic

#1 exguru

Posted 18 February 2013 - 05:55 AM

Following a ransomware attack on 11.2.2013 all the files in my username (all types - word, jpg, xls etc) are encrypted (as the ransomware said they would be). Files in other usernames are not affected.

I have been able (with help from boopme in this forum) to finally get rid of the trojan affecting my computer but I am left with the encrypted/corrupted files.

I researched on Google and thought I had found the solution in Kaspersky Rannoh Decrypter, which cleverly uses a comparison of one encrypted file with the same original file (if you are fortunate enough to have one, which I have - in fact I have lots because I backed up previous years' photos prior to 2012 on an external hard drive) to crack the code. However on running this decrypter it wouldn't work because "Encrypted file size does not equal to original". I found that this was true - (example) --
Encrypted file 3013982 bytes (and "Modified 11.1.13")
Original file 3012938 bytes.

DDS log attached as instructed by boopme.

HELP please!!! I'm particularly keen to restore my 2012 photos which I had not got round to backing up when the virus attacked.

AL

DDS (Ver_2012-11-20.01) - NTFS_x86 

Internet Explorer: 8.0.6001.18702
Run by Alan Townsend at 10:26:30 on 2013-02-18
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1168 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\devolo\dlan\devolonetsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1170435745\ee\AOLSoftware.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\UNLOCKER\UnlockerAssistant.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\JetMailMonitor\JetMM.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6070104
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HP Photosmart 5510 series (NET)] "c:\program files\hp\hp photosmart 5510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN16Q051RG05NR:NW" -scfn "HP Photosmart 5510 series (NET)" -AutoStart 1
uRun: [FormAutoFiller] c:\program files\formautofiller\faf.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [%FP%Friendly fts.exe] "c:\program files\voyagertest\fts.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1170435745\ee\AOLSoftware.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [openvpn-gui] c:\program files\openvpn\bin\openvpn-gui.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpeetItUpFree] "c:\program files\speeditup free\speeditupfree.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alanto~1\startm~1\programs\startup\jetmai~1.lnk - c:\program files\jetmailmonitor\JetMM.exe
StartupFolder: c:\docume~1\alanto~1\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\docume~1\alanto~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:157
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{1421F386-7674-43B3-B489-B12FF3E7A518} : DHCPNameServer = 192.168.0.1
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - LocalServer32 - <no file>
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
AppInit_DLLs= c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 35552]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\alan townsend\my documents\downloads\emsisoftemergencykit\run\a2ddax86.sys [2013-2-13 17904]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 164832]
R1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\43926\RapportCerberus32_43926.sys [2012-10-30 272216]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-11-15 5814904]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-10-22 196664]
R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2011-11-4 274432]
R2 DevoloNetworkService;devolo Network Service;c:\program files\devolo\dlan\devolonetsvc.exe [2010-7-19 2231616]
R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [2010-6-10 35840]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
R4 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-12 21520]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-4 30192]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2011-11-4 584832]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== File Associations ===============
.
FileExt: .chm: Applications\AcroRD32.exe="c:\program files\adobe\reader 9.0\reader\AcroRd32.exe" "%1" [UserChoice] [default=Read - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
2013-02-16 10:35:34    --------    d-----w-    c:\program files\EMSISOFT Folder
2013-02-15 10:26:20    --------    d-----w-    c:\documents and settings\alan townsend\application data\SUPERAntiSpyware.com
2013-02-15 10:26:09    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-02-15 10:26:09    --------    d-----w-    c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-02-05 10:56:21    --------    d-----w-    c:\documents and settings\all users\application data\APN
2013-02-04 10:36:34    477616    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-01-29 11:43:23    --------    d-----w-    c:\program files\devolo
2013-01-22 17:05:52    --------    d-----w-    c:\documents and settings\all users\application data\AVG January 2013 Campaign
2013-01-22 11:46:20    398752    ----a-w-    c:\program files\unhide.exe
.
==================== Find3M  ====================
.
2013-02-06 11:09:42    6422    --sha-w-    c:\windows\system32\KGyGaAvL.sys
2013-02-06 11:09:00    168    --sh--r-    c:\windows\system32\1F3AEC7B7C.sys
2013-02-04 10:36:23    73728    ----a-w-    c:\windows\system32\javacpl.cpl
2013-02-04 10:36:23    473520    ----a-w-    c:\windows\system32\deployJava1.dll
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-14 15:05:07    448816    ----a-w-    c:\program files\rannohdecryptor.exe
2013-01-07 01:19:45    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:10    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10    1292288    ----a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:16:29    916480    ----a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:16:28    43520    ------w-    c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59    385024    ------w-    c:\windows\system32\html.iec
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 16:49:28    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-05 10:16:07    1409    ----a-w-    c:\windows\QTFont.for
2012-08-24 15:16:10    1654976    ----a-w-    c:\program files\freeopener_714.exe
2012-08-24 13:00:40    809840    ----a-w-    c:\program files\DOCX setup.exe
2012-08-24 11:47:15    38808920    ----a-w-    c:\program files\FileFormatConverters.exe
2012-04-09 13:38:42    4731432    ----a-w-    c:\program files\RepairTool.exe
2009-08-05 20:37:12    3942048    ----a-w-    c:\program files\mbam-setup.exe
2009-08-05 20:28:15    16409960    ----a-w-    c:\program files\spybotsd162.exe
2009-01-20 11:24:22    52307672    ----a-w-    c:\program files\AVSVideoConverter.exe
2008-05-14 08:39:31    27024112    ----a-w-    c:\program files\PowerPointViewer.exe
2007-04-08 21:09:25    12196976    ----a-w-    c:\program files\widgetsus.exe
.
============= FINISH: 10:27:53.06 ===============
 


#2 m0le (Malware Response Team)

Posted 19 February 2013 - 09:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 exguru (Topic Starter)

Posted 20 February 2013 - 03:24 AM

Good Morning m0le and thanks for taking on my topic.

Can I say that having thought about the problem, I DON'T think that the files are really encrypted - I think the bad guys calling it encrypted was another CON.

Why do I think this?

  • ALL types of file are affected
  • I have a lot of stuff on the PC and it would take ages to encrypt it all
  • The file extensions and icons are all unchanged
  • Every file has grown slightly in size (see example in my first post).
  • The response I get on trying to open the files - eg "Word cannot open the converter mswrd632wpc", "Cannot read file header".

Thanks again and await your thoughts in due course. AL

 



#4 m0le (Malware Response Team)

Posted 20 February 2013 - 08:13 PM

It would help to know which ransomware we are dealing with - this will tell me whether you have encrypted files and if they are fixable. Can you remember the name seen on any pages that appeared? Assuming you had these splash pages.

#5 exguru (Topic Starter)

Posted 21 February 2013 - 03:50 AM

Thanks - I'll go back through the logs and reply asap. AL



#6 exguru (Topic Starter)

Posted 21 February 2013 - 05:58 AM

Hello again - This was from Malwarebytes on 11.1.2013 (the date of the attack).

___________________________________________________________________

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.31.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Alan Townsend :: D1GRDP2J [administrator]

11/01/2013 15:28:36
mbam-log-2013-01-11 (15-28-36).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 353904
Time elapsed: 1 hour(s), 47 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\VLC Player\VLC_Setup.exe (Adware.IBryte) -> Quarantined and deleted successfully.

(end)

_________________________________________________________________________

On 13.1.2013 AVG found (see attached screenshots) --

The attack was Ukash Metropolitan Police e-crime unit etc.

AL


#7 m0le (Malware Response Team)

Posted 24 February 2013 - 07:24 PM

Reveton. The authors of this rubbish have been arrested recently. What it says isn't the truth and you should be able to get back your files. Use this link to a removal guide found on this site and let me know if you have any questions or problems with following the guide.

#8 exguru (Topic Starter)

Posted 25 February 2013 - 05:52 AM

Thanks for this, BUT I have already been over this ground in my original post which was --

http://www.bleepingcomputer.com/forums/t/484309/trojan-gone-but-files-still-encrypted/

At the end of that, the ransomware had gone but the files still could not be accessed and the person helping me, "boopme", told me to start a new thread which I did - the one we are now in!!

To be sure I have just re-run Emsisoft in Safe Mode - nothing found.

Log was

Emsisoft Emergency Kit - Version 3.0
Last update: 25/02/2013 09:19:47
 
Scan settings:
 
Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect Riskware: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start:    25/02/2013 09:20:13
 
 
Scanned    461237
Found    0
 
Scan end:    25/02/2013 10:18:08
Scan time:    0:57:55
 
 
Any ideas?? I was glad to hear that I should be able to recover the files and that the people who set up this con have been caught. AL


#9 m0le (Malware Response Team)

Posted 25 February 2013 - 03:27 PM

Hopefully the Reveton version falls under the decryptable. The odds are in your favour but it's not a dead cert unfortunately.

Try Emsisoft's decrypter tool. Download, unzip and run the program.

#10 exguru (Topic Starter)

Posted 26 February 2013 - 05:54 AM

m0le - no joy I'm afraid - the decrypter says "Could not find decryption key. Maybe a new variant."

But are the files really encrypted or has something been added to the file header?? AL
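The question asked in this post, and the Rannoh Decrypter's refusal in the first post because the encrypted file is larger than the original, can both be checked directly when a pre-incident copy of a file exists. The script below is an added example for this thread, not code from the posts or from Kaspersky or Emsisoft. It takes a known original and the post-incident copy and reports whether the original bytes survive intact inside the suspect file (a header or trailer was bolted on) or whether the content itself was rewritten. The samples it runs on are constructed inside the script; the 1044-byte header mirrors the size difference quoted in the first post (3013982 - 3012938), and the 7.0 bits-per-byte entropy threshold is a rule of thumb chosen for the example, not a standard.

```python
"""Triage a (known original, suspect) file pair after a ransomware incident.

Added example for this thread, not code from the original posts or from any
vendor decrypter. Given a pre-incident copy of a file and the post-incident
copy, it reports whether the original bytes survive inside the suspect file
(something prepended or appended) or whether the content was transformed.
All inputs below are constructed samples.
"""
import hashlib
import math
from typing import Optional

# Size difference observed in the first post: 3013982 - 3012938 bytes.
OBSERVED_SIZE_DELTA = 1044


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0; ciphertext and compressed data sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def locate_original(original: bytes, suspect: bytes, probe: int = 64) -> Optional[int]:
    """Offset at which the complete original appears inside the suspect file, or None.

    Searches on the first `probe` bytes, then confirms the whole original follows,
    so a match means the content was wrapped rather than rewritten."""
    if not original:
        return None
    needle = original[:probe]
    start = 0
    while True:
        idx = suspect.find(needle, start)
        if idx < 0:
            return None
        if suspect[idx:idx + len(original)] == original:
            return idx
        start = idx + 1


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Leading bytes the two files share; 0 when the suspect starts with a foreign header."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def triage_pair(original: bytes, suspect: bytes, entropy_threshold: float = 7.0) -> dict:
    """Classify the suspect file as 'unchanged', 'wrapped', 'encrypted' or 'modified'."""
    offset = locate_original(original, suspect)
    report = {
        "size_delta": len(suspect) - len(original),
        "original_entropy": round(shannon_entropy(original), 2),
        "suspect_entropy": round(shannon_entropy(suspect), 2),
        "original_found_at": offset,
        "common_prefix_len": common_prefix_len(original, suspect),
    }
    if suspect == original:
        report["verdict"] = "unchanged"
    elif offset is not None:
        report["verdict"] = "wrapped"      # original intact; strip the foreign bytes to recover it
    elif report["suspect_entropy"] >= entropy_threshold:
        report["verdict"] = "encrypted"    # content rewritten into near-random bytes
    else:
        report["verdict"] = "modified"     # changed, but not high-entropy; needs a closer look
    return report


def _keystream(length: int, key: bytes) -> bytes:
    """Deterministic pseudo-random bytes used only to build the constructed rewritten sample."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def make_samples():
    """Constructed fixtures: a fake photo, a wrapped copy and a rewritten copy.

    Both altered copies carry a 1044-byte header so the size delta matches the
    thread; only the second one also transforms the content."""
    original = b"\xff\xd8\xff\xe0" + b"constructed sample photo bytes " * 400
    header = b"CONSTRUCTED-HEADER".ljust(OBSERVED_SIZE_DELTA, b"\x00")
    wrapped = header + original
    ks = _keystream(len(original), b"constructed-sample-key")
    rewritten = header + bytes(a ^ b for a, b in zip(original, ks))
    return original, wrapped, rewritten


if __name__ == "__main__":
    original, wrapped, rewritten = make_samples()
    for label, suspect in (("wrapped", wrapped), ("rewritten", rewritten)):
        print(label, triage_pair(original, suspect))
```

To run it on a real pair, read both files with `open(path, "rb").read()` and pass them to `triage_pair`. The entropy figure is only informative for originals that are not already compressed: a JPEG or a ZIP sits near 8 bits per byte before any attack, so for those the `locate_original` check is the one that matters. A "wrapped" verdict means the foreign bytes can be cut away; an "encrypted" verdict with a key that only ever existed on the attacker's side is the situation m0le describes later in the thread.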



#11 m0le (Malware Response Team)

Posted 26 February 2013 - 08:37 PM

"Maybe a new variant" is not something I wanted to see in the decrypter response. In this case unfortunately they are encrypted and impossible to restore. The earlier versions were not as thorough. I'm sorry but I can't help you more in this case, exguru.

#12 exguru (Topic Starter)

Posted 27 February 2013 - 04:53 AM

m0le - ah well - fortunately there's not too much lost as earlier years' photos were backed up.

IF a person paid the £100 ransom - were they then told how to "decrypt" their files?? Eventually on some forum or other there may be the answer to this. I'll keep the corrupted files and keep looking.

Despite the result can I say a big thanks for trying to help me. AL



#13 m0le (Malware Response Team)

Posted 27 February 2013 - 07:02 PM

> m0le - ah well - fortunately there's not too much lost as earlier years' photos were backed up.

That's good news, and a very good advert for backing up for anyone who may be reading this thread.

> IF a person paid the £100 ransom - were they then told how to "decrypt" their files??

There's no evidence that they did, though they could... I believe that's an irrelevant question because you shouldn't pay these people anyway.

> Eventually on some forum or other there may be the answer to this. I'll keep the corrupted files and keep looking.

The reason they could is that the only decrypter on the new variants was on the Reveton side. Without getting too technical they employed a one-way encryption where you will never have both pieces of the code to decrypt it. This is employed to more positive effects by online payment transactions or banking.

> Despite the result can I say a big thanks for trying to help me. AL

Thanks for the thanks and sorry I couldn't save the files.

#14 m0le (Malware Response Team)

Posted 03 March 2013 - 08:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



