Ransomware...


23 replies to this topic

#1 Speaks (Members, 3 posts)

Posted 07 April 2013 - 01:50 PM

Files with extensions .doc .docx .jpg .pdf .bmp .lnk .xlsx .psd have had .html added to the end of the file names. All the files that were affected were changed within 5 mins of each other. The user folder and folders at the root of the drive were affected. When I click on a file changed to .html it forwards me to hxxp://xblabouse.net/xbl/i.php?uid={23D5C066-2A22-8825-EEF7-222723C0BC5D}. This website was asking for money to decrypt the files but the site is not functioning this morning.

I have tried to remove the .html extensions and the application (Word, PowerPoint, PDF, etc.) that it's being opened with cannot read the file. I have backed up/formatted the computer. Tried the Kaspersky decrypting tools / Malwarebytes / Spyware Doctor / AVG virus scan / Norton scan; all Windows updates are installed and the latest virus definitions are installed.

Here's an example of what the files look like. [screenshot]

Edited by Orange Blossom, 16 May 2013 - 10:22 AM.
Deactivated link. ~ OB




#2 davidwarrenphoto (Members, 1 post)

Posted 09 April 2013 - 09:57 PM

OMG, me too! I got all of the ransomware and trojans off my computer but all of my JPEGs are still changed to jpeg.html and I can't change it back to just jpeg. Please help, anyone who has any suggestions. Thank you in advance for all your help.



#3 doinmeedin (Members, 455 posts, UK)

Posted 10 April 2013 - 05:03 AM

Have you tried to take ownership of these files? You can try Rizone Take Ownership Shell Extension, or download TakeOwnership.zip from HTG.

There are also full tutorials on how to take ownership, like this one:

How to Take Ownership and Full Control Permissions of Files & Folders in Windows

A lot of files and folders in Windows 7 & Vista do not actually belong to users. Rather, most system files have "TrustedInstaller" as owner, which assigns or grants read+write, traverse or full control permissions to the SYSTEM or CREATOR OWNER user account only. So users must take ownership and grant full access control permissions and rights to themselves if they want to modify, rename or delete these files or folders. Sometimes users may need to take ownership and grant full rights to themselves on another drive or partition, especially on a newly installed or inserted disk, if they cannot browse the contents of the drive.

To take ownership and grant full control (or read/write) permissions of files or folders in Windows Vista, do these steps.

1. In the Windows Explorer window, locate the files or folders of which you want to take ownership and for which you want to grant or change full control or other access permissions.
2. Right-click on the file or directory, and then select Properties from the right-click menu.

3. Click on the Security tab.
4. Click on the Advanced button at the bottom.

5. In the "Advanced Security Settings" dialog window, click on the Owner tab.
6. Here you will be able to see the current owner (i.e. TrustedInstaller). To take ownership of the object, click on the Edit button. If UAC prompts for the administrator's password or permission to continue, enter the correct password or press the Continue button.

7. An additional "Advanced Security Settings" dialog will appear. Highlight the user name (for example, Administrators) in the Change owner to box that you want to assign as the owner of the object. Click OK to make the change.

8. Back in the original parent-level "Advanced Security Settings" window, you will see that the existing owner of the file or folder has changed to the user you just selected.
9. Click the OK button to exit this window.
10. Click OK again to exit completely from the Properties window.
11. Ownership now belongs to the user or user account that was selected. To assign the necessary permissions to the user too, repeat steps 1 to 3 to open the object's Properties window again.
12. In the object's Properties window, click on the Edit button to change permissions. If UAC prompts for the administrator's password or permission to continue, enter the correct password or press the Continue button.

13. Highlight the Administrators group or the user whose permissions on the object are to be changed in the "Group or user names" box.

If the user ID or group that you want to manage the permissions for does not exist, click on the Add button, type the desired user name or group name into the Enter object names to select box, and finish by clicking OK.
14. In the Permissions for Administrators box below (or any other user name or group name you chose), click on "Full Control" under the "Allow" column to assign full control permissions to the Administrators group.

15. Click “OK” twice when done.

Users can now do whatever they like to the files or directories processed as above. If you feel that the above process is a little too long, and prefer to use the command line instead, then open an elevated command prompt as administrator and issue the following commands:

For Files:

takeown /f file_name /d y
icacls file_name /grant administrators:F


For Folders or Directories (will perform action recursively):

takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t


Replace file_name or directory_name with the actual file name or folder name, with path when applicable. The first command will take ownership of the file or folder specified, and the second command will grant full control permissions to the Administrators user group. Note that when using the command for folders, the command will run recursively. To prevent the task being performed recursively, remove the "/r" and "/t" switches.

The above two commands have been scripted in a Windows command shell batch script that easily performs the task of taking ownership and granting full control permissions to the Administrators user group by typing a simple command. Alternatively, users can add a "Take Control Of" option to the right-click menu so that the next time you need to take control of a file with full control permissions, it's just a one-click task.


Edited by doinmeedin, 10 April 2013 - 05:09 AM.



#4 Speaks (Topic Starter, Members, 3 posts)

Posted 10 April 2013 - 12:09 PM

I tried this and it didn't work. There's no problem with permissions as far as editing the .html off the file name. When I do take the .html extension off, it's unreadable by the program trying to read it. For example, I can take .html off pregam.doc and try to load it in Word. It will give me the message "The file pregam.doc cannot be opened because there was a problem with the contents. The file is corrupt or can not be opened".

Edited by Orange Blossom, 16 May 2013 - 10:23 AM.
Removed unnecessary quote. ~ OB


#5 computercpr (Members, 2 posts)

Posted 10 April 2013 - 02:34 PM

We have a computer that has been hit by this same issue. Ownership isn't a problem and just reversing the file extension back to the original doesn't solve it. I think the hacker truly expects the victim to pay to get their files back (unencrypted). I opened one file in Notepad just to see the text info and sure enough in the top line it says hxxp://xblabouse.net/xbl/i.php?uid={41FB3F60-DE4F-8818-3688-7693F8FFE8E9}. It looks like each "customer" gets their own GUID assigned. Lucky us. As of today 4-10-13 the page is down, so I don't know how long they were open for business, but it looks like the window of recovery possibility is closed...for now. Unless one of you smart programmers somewhere out there finds the relationship between the GUID and the encryption. :-)

Edited by Orange Blossom, 16 May 2013 - 10:24 AM.
Deactivated link. ~ OB


#6 doinmeedin (Members, 455 posts, UK)

Posted 10 April 2013 - 04:00 PM

Have you tried removing / changing it in safe mode?




#7 computercpr (Members, 2 posts)

Posted 10 April 2013 - 04:17 PM

The mode you are booted into, or the computer you try to open the files with, doesn't make a difference. The computer was hosed from the virus anyway, so I tried to open them on another machine after changing back the file extension. It just doesn't matter. The file is encrypted in some way, independently of the state of the operating system. I tried some of those Excel recovery programs and they said the OLE header was corrupt, which I'm sure it is since an Excel file is not supposed to start out with <html xmlns='hxxp://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; hxxp://xblabouse.net/xbl/i.php?uid={41FB3F60-DE4F-8818-3688-7693F8FFE8E9}' /><title>Index</title></head><body></body>

Edited by Orange Blossom, 16 May 2013 - 10:26 AM.
Deactivated links. ~ OB
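An added triage helper (example code, not from any poster in this thread) that does by script what posts #5 and #7 did by hand in Notepad: it looks for the xblabouse.net redirect stub at the top of each file, pulls out the per-victim uid, and then checks whether the bytes after the stub still begin with the original format's header. The stub layout and the file types come from the thread; the sample files and their uid are constructed for this example, and it also covers the case no one in the thread saw, where the original header survives and only the stub needs removing.

```python
import re
from pathlib import Path

# Redirect stub quoted in post #7 (only the uid GUID varies); matches http and defanged hxxp.
STUB_RE = re.compile(
    rb"<meta http-equiv='refresh' content='0; h(?:tt|xx)ps?://xblabouse\.net"
    rb"/xbl/i\.php\?uid=\{([0-9A-Fa-f-]{36})\}' />")
STUB_END = b"</body>"

# Leading bytes of the formats listed in post #1, keyed by original extension.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".bmp": b"BM",
    ".psd": b"8BPS", ".lnk": b"L\x00\x00\x00",
}

def classify(name: str, data: bytes) -> dict:
    """Describe one file from its name and leading bytes, not the extension alone."""
    p = Path(name)
    orig_ext = Path(p.stem).suffix.lower()        # "pregam.doc.html" -> ".doc"
    out = {"file": name, "stub": False, "uid": None, "payload": "no stub",
           "double_ext": p.suffix.lower() == ".html" and orig_ext in MAGIC}
    m = STUB_RE.search(data[:1024])
    if not m:
        return out                                # not touched by this ransomware
    out["stub"], out["uid"] = True, m.group(1).decode().upper()
    end = data.find(STUB_END, m.end())
    payload = data[end + len(STUB_END):] if end != -1 else b""
    expect = MAGIC.get(orig_ext)
    if not payload:
        out["payload"] = "empty"
    elif expect and payload.startswith(expect):
        out["payload"] = "original header intact"  # removing the stub may suffice
    else:
        out["payload"] = "header missing: content encrypted or transformed"
    return out

# Constructed samples (not real victim files); the uid is invented for this example.
STUB_SAMPLE = (b"<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' "
               b"content='0; http://xblabouse.net/xbl/i.php?uid={00000000-1111-2222-3333-444444444444}' />"
               b"<title>Index</title></head><body></body>")
SAMPLES = {
    "pregam.doc.html": STUB_SAMPLE + b"\x9a\x41\x7c\x02\xee\x13",    # opaque bytes: the thread's case
    "photo.jpg.html": STUB_SAMPLE + b"\xff\xd8\xff\xe0\x00\x10JFIF",  # wrapped, JPEG header survived
    "notes.txt": b"plain text, untouched",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():           # in practice, walk the disk instead
        print(classify(name, data))
```

Running it over a real tree means reading each file's first kilobyte and the remainder; a "header missing" result for every affected file is the thread's situation, where renaming back cannot help.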


#8 dura1198 (Members, 4 posts)

Posted 11 April 2013 - 08:17 PM

Just received a machine from a co-worker with the exact same problem. Close to 50,000 files of various types all renamed to add an .html extension. Clicking on any of them sends you to xblabouse.net. Renaming the files back to their original names/extensions does nothing. All of my attempts to rename the files were from a Linux box.


Edited by dura1198, 11 April 2013 - 08:21 PM.


#9 boopme (Global Moderator, 73,078 posts, NJ USA)

Posted 12 April 2013 - 09:32 PM

Hello, I would suggest you each start new individual topics here: Virus, Trojan, Spyware, and Malware Removal Logs.

You will get the help provided by the techs there.



#10 jcanepa (Members, 3 posts)

Posted 13 April 2013 - 10:09 AM

I found a solution, at least on Windows Vista Home, same situation.

Use ShadowExplorer to recover the files: http://www.shadowexplorer.com/

 

 



#11 dura1198 (Members, 4 posts)

Posted 15 April 2013 - 06:59 AM

Quoting jcanepa: "I found a solution at least on Windows Vista Home, same situation. Use ShadowExplorer to recover the files.... http://www.shadowexplorer.com/"

I was not aware of this tool, thanks for posting! Unfortunately for me Shadow Explorer only shows 2 available versions of the files and both still have the .html extension.



#12 dura1198 (Members, 4 posts)

Posted 15 April 2013 - 05:26 PM

I no longer have access to the machine. I do, however, have a copy of all the "infected" files should anyone learn of a way to fix them.



#13 boopme (Global Moderator, 73,078 posts, NJ USA)

Posted 15 April 2013 - 06:57 PM

Bleeping Computer offers a method for people to submit files to our site so that these malware samples can be analyzed to determine what they do or if they are even bad.

The URL to the submission script is:
http://www.bleepingcomputer.com/submit-malware.php
 



#14 jcanepa (Members, 3 posts)

Posted 16 April 2013 - 08:02 AM

This computer that I recovered the files on was exactly like the pictures; I guess I worked on it in time.



#15 Speaks (Topic Starter, Members, 3 posts)

Posted 16 April 2013 - 03:09 PM

Malware submitted.

Quoting boopme: "Bleeping Computer offers a method for people to submit files to our site so that these malware samples can be analyzed to determine what they do or if they are even bad. The URL to the submission script is: http://www.bleepingcomputer.com/submit-malware.php"





