A friend of mine is at his wit's end and has given me his PC to try and rescue. I work for a small IT company so I am his "expert"! But this bit of malware is beyond me.
He rang me last week, complaining that he had "lost" all his pictures and he thought he had a virus on his PC. Unfortunately, because he is a busy hospital consultant and I am a not so busy network installer, I couldn't pick it up for a couple of days. I say unfortunately because he played around with it during this time, despite my instructions, installing and uninstalling various anti-malware and AV programs. This obviously didn't work; it just made my job harder.
When I got hold of it most of his documents were locked with the following message coming up when they were accessed:
File is encrypted
This file can be decrypted using the program DirtyDecrypt.exe
Press CTRL+ALT+D to run DirtyDecrypt.exe
If DirtyDecrypt.exe not opened сheck the paths:
C:\Program Files (x86)\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
This appeared when any photo or PDF was opened. If a Word or Excel document was accessed then it reported it as being corrupt, and if you recovered it, then the message above appeared. Not all the documents were affected, but 95% of them were. All the affected ones had read-only attributes. Strangely, about 30GB of photos which were stored in the Olympus Program file were unaffected.
Because he had run so many different programs, the initial virus had been removed (he proudly told me!). Unfortunately that meant I didn't have anything to look at. All his system restore points had been deleted up to the day the virus found its way onto his PC. Incidentally, he blamed (and I believe him) his daughter streaming video to the PC as the cause of the infection. It was consistent with the time that changes started appearing.
Anyway, I restored back to the first point that I could and found the DirtyDecrypt.exe program. Of course I ran it and it was a standard ransomware input screen which wanted you to put in either a 100 euro or 100 pound sterling kcash code, or something like that, to decrypt the file. I obviously didn't do that.
I looked through all the programs that he had used before I got it and they included McAfee (his usual AV), AVG, Malwarebytes, maybe Hitman (I'm not sure if he downloaded that) and, most unfortunately, ComboFix (recommended by his hospital's IT dept). Now I know the rules about using ComboFix and posting on this forum (I have used the forum extensively in the past although I haven't needed to post) but he not only used it but I think he deleted all the logs! Anyway, I can't find them and I'm not sure if he actually ran it, though there is a Qoobox folder.
Another strange occurrence is that every time you start the PC a UAC box comes up with a CMD prompt asking to run " C:\Windows\SysWow64\ cmd.exe"/C ""C:\users\Harish\Appdata\Local\temp\xoladmin
This will just not go away and demands to be run, which I will not.
All the existing documents and pictures seem to have normal file types associated with them, no .aes or the like.
Any new documents being created now don't seem to be screwing up at all. It is very strange and any diagnosis is going to be complicated by Harish's cutting and slashing using all the different anti-malware programs.
Anyway, has anyone seen this program before? Google seems oblivious to it!
He has most of the files backed up externally but not all. I am presently attempting to move any of the ones that have not been locked.
The machine is a Dell Win7 64-bit Pro SP1 PC. He is running Office 2010 and McAfee, which is strangely not working!
Any help would be much appreciated but I understand the problems he has created by his use of various spyware removal programs.
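One practical step for the situation described above (locked files keep their original names and extensions, carry the read-only attribute, and need to be separated from the intact ones before copying them off) is to check each file's leading bytes against what its extension implies. The script below is an added example written for this thread, not a tool from the original post or from any vendor; it assumes the ransomware overwrote file contents in place, as described, and it decrypts nothing. The magic-byte table and the sample tree it builds are constructed for the demonstration.

```python
"""Triage helper: sort document and picture files into 'intact' (header matches
extension) and 'suspect' (header does not match, typical of encrypted files that
kept their original name). Assumption: contents were overwritten in place and the
read-only attribute was set, as the post describes. Nothing here decrypts anything."""
import os
import stat
import tempfile
from pathlib import Path

# Leading bytes expected for the file types mentioned in the post (constructed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),      # Office 2007+ documents are ZIP containers
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),  # legacy OLE compound documents
    ".xls": (b"\xd0\xcf\x11\xe0",),
}


def header_matches(path: Path):
    """True if the file starts with the bytes its extension implies, False if it
    does not, None if the extension is not in the table (skipped by triage)."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(sig) for sig in MAGIC[ext])


def is_read_only(path: Path) -> bool:
    """On Windows this reflects the read-only attribute; on POSIX, the owner write bit."""
    return not (path.stat().st_mode & stat.S_IWUSR)


def triage(root) -> dict:
    """Walk root and classify recognised file types. Paths are returned relative to
    root as POSIX-style strings so the report is portable and easy to assert on."""
    result = {"intact": [], "suspect": []}
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        ok = header_matches(p)
        if ok is None:
            continue
        rel = p.relative_to(root).as_posix()
        if ok:
            result["intact"].append(rel)
        else:
            result["suspect"].append({"path": rel, "read_only": is_read_only(p)})
    return result


def build_sample_tree() -> str:
    """Constructed sample data: two healthy files and two 'locked' ones whose
    contents are junk and which carry the read-only attribute, so the script can
    be exercised without a real infection. Returns the temp directory path."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    junk = bytes(range(0x10, 0x90))  # deterministic stand-in for ciphertext
    for name in ("Pictures/wedding.jpg", "letter.docx"):
        p = root / name
        p.write_bytes(junk)
        os.chmod(p, stat.S_IREAD)  # read-only, like the affected files in the post
    return str(root)


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for rel in report["intact"]:
        print("intact  ", rel)
    for item in report["suspect"]:
        print("suspect ", item["path"], "(read-only)" if item["read_only"] else "")
```

Run it against the real profile by calling `triage(r"C:\Users\<name>")` instead of the sample tree; anything in the `intact` list is safe to copy to the external drive, while `suspect` entries should be kept aside (not deleted) in case a decryptor for this family becomes available. A header check is a heuristic: a file whose first bytes happen to match is not proven intact, so open a sample of the "intact" files to confirm before trusting the split.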