
Decrypt Protect


  • This topic is locked
4 replies to this topic

#1 gotpcproblems

gotpcproblems

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 15 May 2013 - 01:22 AM

Has anybody dealt with this one? It kind of looks like the Spamhaus ransomware. It renamed most files with lnk.html. If I put the correct file extension back, it breaks the file. Here is the link that it directs me to when I open a file: hxxxttp://mblpcblock.in/index.php
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by trudy at 23:43:25 on 2013-05-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.959.272 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe
C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_comm_customer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_system_customer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_host.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_user_customer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\498\g2ax_user_medium_customer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript c:\windows\installer\tsclientmsitrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "c:\windows\installer\tsclientmsitrans\tscdsbl.bat"
dRunOnce: [tscuninstall] c:\windows\system32\tscupgrd.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347573888228
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1347578634643
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://clineserv.ad.clinechiropractic.com:4343/SMB/console/html/root/AtxEnc.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{7D9D3E06-E04B-4023-B990-205D31369FCD} : NameServer = 192.168.1.100
TCP: Interfaces\{AC0B01A0-7D2D-4C84-9CC1-6C483A328DEC} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist remote support customer\498\g2ax_winlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2013-1-10 122240]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2013-1-10 105784]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2013-3-21 1341664]
R2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\citrix\gotoassist remote support customer\498\g2ax_service.exe [2013-2-20 611400]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-12 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-12 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-12 22856]
S0 374ac98091ab9fc3;voruvuhypyfc.exe;\SystemRoot\\SystemRoot\System32\Drivers\374ac98091ab9fc3.sys --> \SystemRoot\\SystemRoot\System32\Drivers\374ac98091ab9fc3.sys [?]
S2 gupdate1ca68ec52bf33dd;Google Update Service (gupdate1ca68ec52bf33dd);c:\program files\google\update\GoogleUpdate.exe [2009-11-19 133104]
S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?]
.
=============== Created Last 30 ================
.
2013-05-15 06:36:00 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-15 06:27:59 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-15 03:05:12 -------- d-----w- c:\documents and settings\trudy.clinechiro\local settings\application data\ESET
2013-05-15 02:47:40 -------- d-----w- c:\program files\ESET
2013-05-14 23:08:48 -------- d-sha-r- C:\cmdcons
2013-05-14 22:21:08 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2013-05-14 19:06:45 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-05-14 17:55:44 98816 ----a-w- c:\windows\sed.exe
2013-05-14 17:55:44 256000 ----a-w- c:\windows\PEV.exe
2013-05-14 17:55:44 208896 ----a-w- c:\windows\MBR.exe
2013-05-14 17:18:01 -------- d-----w- c:\documents and settings\trudy.clinechiro\local settings\application data\Primary Interop Assemblies
.
==================== Find3M  ====================
.
2013-05-15 06:35:43 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-15 06:35:43 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-15 01:33:04 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 01:33:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 23:44:33.87 ===============

Edited by nasdaq, 15 May 2013 - 09:05 AM.
Bad link obfuscated.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:29 PM

Posted 19 May 2013 - 08:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

We've got something for that... :)

Download decrypt_mblblock.exe to your desktop.
The complete usage instructions and video can be found here.
  • If you only have a single hard disk with one partition, then only thing you need to do is start the tool.
  • Windows XP users can simply double click and run the tool, Windows Vista, 7 & 8 users need to run the tool with administrator rights.
  • Now it will automatically scan your complete hard disk for encrypted files; when there are encrypted files present, it will automatically decrypt those without deleting the encrypted originals.
  • After the decryption check that all of the decrypted files open properly.
  • Once you have verified that the files were decrypted properly you can delete the encrypted HTML files.
  • If you have more than one hard disk or partitions with encrypted files, things get slightly more complicated. To scan and decrypt files on those other hard disks or partitions, do the following:
      • While holding down the Windows key, press the R key. The Run box will now appear.
      • In the Run box, type in cmd.exe and press Enter.
      • The Windows Command Line prompt should show up.
      • You first need to switch into the directory where you downloaded the decryption tool to.
      • This can be done using the cd command: cd /d <path>
      • Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example, the exact command line to type in should look like this:
        cd /d C:\Users\Administrator\Downloads
      • If you did everything right, you will see that the command prompt changed slightly and now references the download directory.
      • Run the decryption tool with a list of all the drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:
        decrypt_mblblock.exe C:\ D:\ E:\
      • Please be patient and refrain from using the computer for other tasks while the tool is running.
m0le is a proud member of UNITE
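A post-decryption triage script, added here as an example; it is not part of m0le's post and not the decrypt_mblblock tool. It assumes the encrypted copies carry the original file name with .lnk.html appended (as the first post describes), pairs each encrypted copy with its expected decrypted counterpart, and compares the counterpart's first bytes against a small table of known file signatures. That is the "check that all of the decrypted files open properly" step done in bulk, so you know which encrypted HTML files the post's final step would let you remove. It builds a constructed sample tree in a temporary directory and deletes nothing.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed naming pattern (first post: files were "renamed with lnk.html"):
# the original name gets ".lnk.html" appended, e.g. report.pdf -> report.pdf.lnk.html
ENCRYPTED_SUFFIX = ".lnk.html"

# File signatures (magic bytes) used to sanity-check a decrypted file's header.
# Only the leading bytes are compared; a type missing from this table cannot be verified.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk `root`, pair every *.lnk.html file with its expected decrypted
    counterpart and classify the outcome. Nothing is modified or deleted."""
    report: Dict[str, List[str]] = {
        "verified": [],    # counterpart exists and its header matches its extension
        "corrupt": [],     # counterpart exists but the header is wrong: keep the encrypted copy
        "missing": [],     # no counterpart: this file was not decrypted
        "unverified": [],  # counterpart exists but no signature is known: open it by hand
    }
    for enc in sorted(root.rglob("*" + ENCRYPTED_SUFFIX)):
        if not enc.is_file():
            continue
        original_name = enc.name[: -len(ENCRYPTED_SUFFIX)]
        if not original_name:
            continue  # a file literally named ".lnk.html" has no original to pair with
        original = enc.with_name(original_name)
        label = original.relative_to(root).as_posix()
        if not original.is_file():
            report["missing"].append(label)
            continue
        sig = MAGIC.get(original.suffix.lower())
        if sig is None:
            report["unverified"].append(label)
        elif original.read_bytes()[: len(sig)] == sig:
            report["verified"].append(label)
        else:
            report["corrupt"].append(label)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data (not real ransomware output) covering each outcome."""
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    blocked = b"<html><body>file blocked</body></html>"  # stand-in for an encrypted copy
    # Decrypted correctly: header matches the .pdf extension.
    (docs / "report.pdf.lnk.html").write_bytes(blocked)
    (docs / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed body\n")
    # Decrypted but damaged: a .png whose header is not a PNG header.
    (docs / "photo.png.lnk.html").write_bytes(blocked)
    (docs / "photo.png").write_bytes(b"not a png at all")
    # Never decrypted: only the encrypted copy exists.
    (docs / "notes.txt.lnk.html").write_bytes(blocked)
    # Decrypted, but .csv has no magic bytes to check against.
    (docs / "data.csv.lnk.html").write_bytes(blocked)
    (docs / "data.csv").write_bytes(b"a,b\n1,2\n")
    return base


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp directory and triage it."""
    root = build_sample_tree(Path(tempfile.mkdtemp(prefix="mblblock_triage_")))
    return triage(root)


if __name__ == "__main__":
    for outcome, files in run_demo().items():
        print(f"{outcome:10s}: {files}")
```

To use it on a real machine, call `triage(Path("C:/"))` (or each drive in turn) instead of `run_demo()`; only the encrypted copies paired with a "verified" entry are candidates for removal, and anything under "corrupt" or "unverified" should be opened by hand first, which is the check the post asks for.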

#3 gotpcproblems

gotpcproblems
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 19 May 2013 - 10:04 PM

Thanks m0le, worked like a charm, much appreciated.



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:29 PM

Posted 20 May 2013 - 06:16 PM

No problem.

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:29 PM

Posted 20 May 2013 - 06:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE



