
New Ransomware? DirtyDecrypt.exe


  • This topic is locked
7 replies to this topic

#1 Patash

Patash

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 29 April 2013 - 03:07 PM

Hello

 

A friend of mine is at his wits' end and has given me his PC to try and rescue. I work for a small IT company, so I am his "expert"! But this bit of malware is beyond me.

 

He rang me last week, complaining that he had "lost" all his pictures and he thought he had a virus on his PC. Unfortunately, because he is a busy hospital consultant and I am a not so busy network installer, I couldn't pick it up for a couple of days. I say unfortunately because he played around with it during this time, despite my instructions, installing and uninstalling various anti-malware and AV programs. This obviously didn't work; it just made my job harder.

 

When I got hold of it most of his documents were locked with the following message coming up when they were accessed.

 

 

File is encrypted

This file can be decrypted using the program DirtyDecrypt.exe

Press CTRL+ALT+D to run DirtyDecrypt.exe

 

If DirtyDecrypt.exe not opened сheck the paths:

C:\Program Files\Dirty\DirtyDecrypt.exe

C:\Program Files (x86)\Dirty\DirtyDecrypt.exe

C:\Users\[YOUR USER]\AppData\Roaming\Dirty\DirtyDecrypt.exe

C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe

C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe

 

 

This appeared when any photo or PDF was opened. If a Word or Excel document was accessed then it was reported as being corrupt, and if you recovered it, the message above appeared. Not all the documents were affected, but 95% of them were. All the affected ones had read-only attributes. Strangely, about 30GB of photos which were stored in the Olympus Program file were unaffected.

 

Because he had run so many different programs, the initial virus had been removed (he proudly told me!). Unfortunately that meant I didn't have anything to look at. All his system restore points had been deleted up to the day the virus found its way onto his PC. Incidentally, he blamed (and I believe him) his daughter streaming video to the PC as the cause of the infection. It was consistent with the time that changes started appearing.

 

Anyway, I restored back to the first point that I could and found the DirtyDecrypt.exe program. Of course I ran it, and it was a standard ransomware input screen which wanted you to put in either 100 euros or 100 pounds sterling, kcash or something like that, as a code to decrypt the file. I obviously didn't do that.

 

I looked through all the programs that he had used before I got it, and they included McAfee (his usual AV), AVG, Malwarebytes, maybe HitmanPro (I'm not sure if he downloaded that) and, most unfortunately, ComboFix (recommended by his hospital's IT dept). Now, I know the rules about using ComboFix and posting on this forum (I have used the forum extensively in the past, although I haven't needed to post), but he not only used it but I think he deleted all the logs! Anyway, I can't find them and I'm not sure if he actually ran it, though there is a Qoobox folder.

 

Another strange occurrence is that every time you start the PC, a UAC box comes up with a CMD prompt asking to run " C:\Windows\SysWow64\ cmd.exe"/C ""C:\users\Harish\Appdata\Local\temp\xoladmin

 

This will just not go away and demands to be run, which I will not.

 

All the existing documents and pictures seem to have normal file types associated with them, no .aes or the like.

 

Any new documents being created now don't seem to be screwing up at all. It is very strange, and any diagnosis is going to be complicated by Harish's cutting and slashing using all the different anti-malware programs.

 

Anyway has anyone seen this program before? Google seems oblivious to it!

 

He has most of the files backed up externally but not all. I am presently attempting to move any of the ones that have not been locked.

 

The machine is a Dell Win 7 64-bit Pro SP1 PC. He is running Office 2010 and McAfee, which is strangely not working!

 

Any help would be much appreciated, but I understand the problems he has created by his use of various spyware removal programs.

 

Thanks

 

Patash
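The post above gives three concrete things a responder can check by hand: the five paths the ransom note names for DirtyDecrypt.exe, the fact that affected files pop the note text and carry the read-only attribute, and a startup prompt that runs cmd.exe /C against something under the user's Temp folder. The triage script below is an added example, not code from the thread or from any removal tool. It assumes that the note text is embedded near the start of each affected file (the page only says the message appears when a file is opened, so that is an assumption, and the marker search may need adjusting for this family), it treats the read-only attribute as a weaker secondary indicator, and it parses constructed `reg query ...\Run` style output to flag the cmd.exe /C pattern; the value name in that sample is a placeholder, since the post shows only the UAC prompt and not where the entry is registered. The sample files it creates are constructed, not victim data.

```python
import os
import re
import stat
import tempfile

# Text quoted from the ransom message in the post above.
MARKER = b"This file can be decrypted using the program DirtyDecrypt.exe"
MAX_SCAN = 1 << 20  # assumption: the note, if embedded, sits within the first 1 MiB

# Locations the ransom message itself lists for the decryptor.
DECRYPTOR_PATHS = [
    r"C:\Program Files\Dirty\DirtyDecrypt.exe",
    r"C:\Program Files (x86)\Dirty\DirtyDecrypt.exe",
    r"C:\Users\{user}\AppData\Roaming\Dirty\DirtyDecrypt.exe",
    r"C:\Documents and Settings\{user}\Application Data\Dirty\DirtyDecrypt.exe",
    r"C:\Documents and Settings\{user}\Local Settings\Application Data\Dirty\DirtyDecrypt.exe",
]

# Autorun pattern from the post: cmd.exe /C launching something under %LOCALAPPDATA%\Temp.
AUTORUN_RE = re.compile(r"cmd\.exe.*?/c.*?\\appdata\\local\\temp\\", re.IGNORECASE)


def decryptor_paths(user):
    return [p.format(user=user) for p in DECRYPTOR_PATHS]


def present_decryptors(user):
    """Return the candidate decryptor paths that actually exist on this host."""
    return [p for p in decryptor_paths(user) if os.path.isfile(p)]


def is_marked(data):
    return MARKER in data


def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def scan_tree(root):
    """Walk root and report files carrying the note text or flagged read-only."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_SCAN)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            marked, ro = is_marked(head), is_read_only(path)
            if marked or ro:
                hits.append({"name": os.path.relpath(path, root), "marked": marked, "read_only": ro})
    return hits


def suspicious_autoruns(reg_lines):
    """Flag 'reg query' output lines that launch cmd.exe /C against the Temp folder."""
    return [ln.strip() for ln in reg_lines if AUTORUN_RE.search(ln)]


def make_demo_tree():
    """Create constructed sample files (not real victim data) in a temp directory."""
    root = tempfile.mkdtemp(prefix="dirty_demo_")
    samples = {
        "holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 64, False),  # clean JPEG header
        "kids.jpg": (MARKER + b"\r\n" + b"\x9c" * 64, True),  # note prepended, read-only
        "report.docx": (b"PK\x03\x04" + b"\x00" * 64, False),  # clean OOXML header
        "letter.pdf": (b"%PDF-1.4\n" + MARKER + b"\n", True),  # note inside, read-only
        "old.txt": (b"plain text", True),  # read-only but untouched: attribute alone is weak
    }
    for name, (data, ro) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        if ro:
            os.chmod(path, stat.S_IREAD)
    return root


# Constructed reg query output; the value name is a placeholder, not taken from the page.
DEMO_REG_LINES = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    OneDrive    REG_SZ    C:\Users\Harish\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r'    xoladmin    REG_SZ    "C:\Windows\SysWOW64\cmd.exe" /C ""C:\Users\Harish\AppData\Local\Temp\xoladmin""',
]

if __name__ == "__main__":
    for hit in scan_tree(make_demo_tree()):
        print(hit)
    print(suspicious_autoruns(DEMO_REG_LINES))
    print(present_decryptors(os.environ.get("USERNAME", "user")))
```

On a live machine, point `scan_tree` at the user's profile or a mounted image of the disk rather than at the demo tree, and feed `suspicious_autoruns` the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent); files flagged as read-only but not marked deserve a manual look, since the attribute alone proves nothing.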




 


#2 Jon Snow

Jon Snow

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 30 April 2013 - 04:42 AM

Hey, this has happened to my partner. We took our laptop to a local IT shop and they were stumped as well. The only way they have been able to do it is by looking through the binary code of the pictures, because the virus has edited the code. They said it's very small. They are doing them one by one until they can find a way to do it all together.

#3 Patash

Patash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 30 April 2013 - 06:47 AM

Jon

 

Thanks for the reply. I was beginning to think that my poor friend was the only one in the world with this virus; there seems to be no other mention of it on the web.

 

Although I work in IT and can remove most malware and viruses, I am no expert in the field and this has left me completely at a loss. While he has most of his documents and pictures backed up, of course some of his more important pictures of his kids plus recent documents are corrupted with no backups.

 

If you could give me any further pointers that your IT people come up with, it would be very much appreciated.

 

Thanks

 

Pat



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:17 PM

Posted 30 April 2013 - 11:13 AM

Hello,

 I think we should get a deeper look. Please follow this Preparation Guide and post in a new topic.

If you cannot perform the steps, then just repost your 1st post here in the new topic saying you cannot run DDS.

 

Let me know if all went well.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Patash

Patash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 30 April 2013 - 03:18 PM

Thanks boopme

 

Do you want me to post the DDS log in a new topic within this forum or within the Malware, Spyware etc removal log forum?

 

 

 



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:17 PM

Posted 30 April 2013 - 03:43 PM

In Virus, Trojan, Spyware, and Malware Removal Logs thanks

#7 Patash

Patash
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 02 May 2013 - 07:35 AM

boopme

 

I have made the new post http://www.bleepingcomputer.com/forums/t/493322/dirtydecryptexe/ here.

 

Thanks

 

Pat



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:17 PM

Posted 02 May 2013 - 10:22 AM

Thanks Pat

 

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 2 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

