
DPROTECT Online Agent Ransomware files are encrypted



#1 pipwillow


Posted 15 May 2013 - 01:30 PM

Mod Edit: Moved to more appropriate forum from Win 7 ~~ boopme
 
 
I have just fallen foul of a Ransomware virus.

Initially I had a screen that kept popping up that displayed the title "Online Agent" in the top right corner.

Any attempt to close the screen resulted in it popping up a few moments later.

At the same time, all my files with common names (jpeg, mp3 etc) are encrypted with an extra .html extension,

for instance demo.jpg.html

I booted into safe mode; it seems that all my restore points have been deleted/encrypted, so no system restore options. (In safe mode there was no pop up.)

Clicking on any file leads me to the following....

hXXttp://mblpcblock.in/index.php


I have managed to get back to my normal Windows setup (to some extent) by deleting a TSTHEME file using the Emsisoft Emergency Kit product, which has a tool called Hijack Free. I used this to turn off options until I got to the theme, which now allows me to open Windows without the popup.

However, the encryption part of the virus is obviously still working: all the new shortcuts, log files etc that I made in the last boot have now ALSO been encrypted, meaning I can't shed much light on what the file location was etc.

Please please help as I am away with limited resources to help myself.
 
 
thanks

Phill

Edited by nasdaq, 16 May 2013 - 07:47 AM.
Bad link obfuscated.



 


#2 Elise


Posted 19 May 2013 - 05:30 AM

Hello Phill, and welcome to BleepingComputer. :)

Can you please try the instructions below:

Download decrypt_mblblock.exe to your desktop.
The complete usage instructions and video can be found here.
  • If you only have a single hard disk with one partition, the only thing you need to do is start the tool.
  • Windows XP users can simply double click and run the tool; Windows Vista, 7 & 8 users need to run the tool with administrator rights.
  • It will now automatically scan your complete hard disk to decrypt the files; when encrypted files are present, it will automatically decrypt them without deleting the encrypted originals.
  • After the decryption, check that all of the decrypted files open properly.
  • Once you have verified the files were decrypted properly, you can delete the encrypted HTML files.
If you have more than one hard disk or partition with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks or partitions you will have to pass the additional drives as a command line parameter:
  • While holding down the Windows key, press the R key. The “Run Box” will now appear.
  • In the “Run box” type in “cmd.exe” and press Enter.
  • The Windows Command Line prompt should show up.
  • You first need to switch into the directory where you downloaded the decryption tool to.
  • This can be done using the cd command: cd /d "<path>"
  • Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example, the exact command line to type in should look like this:
  • cd /d "C:\Users\Administrator\Downloads"
  • If you did everything right you will see that the command prompt changed slightly and now references the download directory.
  • Run the decryption tool with a list of all the drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:
  • decrypt_mblblock.exe C:\ D:\ E:\
  • Please be patient while the tool is running, and it is better not to use the computer until the tool is done.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
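
Added example, not part of the original post or of the Emsisoft tool: a Python sketch of the "check the decrypted files, then delete the encrypted HTML files" step, which lists each `<name>.<ext>.html` copy and reports whether a restored sibling with a plausible file header exists. The signature table, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading-byte signatures for a few formats (assumed list; extend as needed).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

def looks_valid(path, ext):
    """True if the file starts with a known signature for its extension."""
    with open(path, "rb") as fh:
        return fh.read(16).startswith(MAGIC[ext])

def triage(root):
    """Return (verified, review) lists of encrypted copies, relative to root."""
    verified, review = [], []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            stem, last = os.path.splitext(name)        # demo.jpg + .html
            ext = os.path.splitext(stem)[1].lower()    # .jpg
            if last.lower() != ".html" or ext not in MAGIC:
                continue                               # ordinary file, skip
            encrypted = os.path.relpath(os.path.join(folder, name), root)
            restored = os.path.join(folder, stem)
            if os.path.isfile(restored) and looks_valid(restored, ext):
                verified.append(encrypted)   # restored copy passes header check
            else:
                review.append(encrypted)     # keep: no usable restored copy
    return verified, review

def demo():
    """Build a constructed sample tree (placeholder bytes) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "demo.jpg.html": b"placeholder-encrypted",
            "demo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # valid JPEG header
            "song.mp3.html": b"placeholder-encrypted",       # not decrypted yet
            "scan.pdf.html": b"placeholder-encrypted",
            "scan.pdf": b"\x13\x37 not a pdf",               # failed decrypt
            "index.html": b"<html>ordinary page</html>",     # not a locked file
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)
```

A header match only shows the restored file starts correctly; files in the `verified` list should still be opened and checked before the encrypted copies are deleted.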

 



#3 Elise


Posted 23 June 2013 - 12:21 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise






