redirected to mblpcblock.in/index and html extension added to files


  • This topic is locked
6 replies to this topic

#1 Ceej13


Posted 15 May 2013 - 03:03 PM

Having the same issues as http://www.bleepingcomputer.com/forums/t/494627/decrypt-protect/

and http://www.bleepingcomputer.com/forums/t/494697/dprotect-online-agent-ransomware-files-are-encrypted/

I'm too new to reply to those comments, but we are researching the same issue. Found most files (jpg, bmp, doc, docx, xls, xlsx, and so forth) now have .html added to them and they redirect them to that http:mblpcblock.in/index.php. I tried to go to the website from 2 different computers, and it loops me back to the home page on each computer.

 

May be related to an arcomdir backdoor trojan the anti-malware/anti-virus picked up. Tried running a variety of spyware tools with no success.

Need assistance.

 

Update:

I decided to copy a couple of files over to another computer. When I tried to remove the html extension and open up the file, the program says that it is corrupted. When I launch the file as the html, I get that stupid mblpcblock page. So it is encrypted in the files.

 

Any help is appreciated.


Edited by Ceej13, 15 May 2013 - 03:48 PM.




#2 Ceej13


Posted 16 May 2013 - 04:21 PM

Are you kidding me?
 
I know that any or several anti-malware, anti-spyware can remove the virus.
http://www.2-spyware.com/remove-fbi-virus.html
 
We've used Malwarebytes, SpyBot, Super Anti-Spyware with great success. (docstomac.a)
 
The problem is the encrypted .html files it leaves behind on your documents.
 
I find it WAY TOO SUSPICIOUS that YooCare/YooSecurity are the only ones with a way to decrypt it. They are asking $$$ to remote into your computer to take a look and decrypt these files. For all we know, they are the ones who sent it out so that they can get you to "remote" into your computer to grab what information they need. 

Edited by Elise, 19 May 2013 - 05:29 AM.


#3 Elise

Malware Study Hall Admin

Posted 19 May 2013 - 05:29 AM

Hello, and welcome to BleepingComputer. :)

Can you please try the following tool? I have removed the link from your previous post for security reasons.

Download decrypt_mblblock.exe to your desktop.
The complete usage instructions and video can be found here.
  • If you only have a single hard disk with one partition, the only thing you need to do is start the tool.
  • Windows XP users can simply double click and run the tool; Windows Vista, 7 & 8 users need to run the tool with administrator rights.
  • Now it will automatically scan your complete hard disk to decrypt the files; when there are encrypted files present it will automatically decrypt those without deleting the encrypted originals.
  • After the decryption, check all of the decrypted files to see if they open properly.
  • Once you have verified the files were decrypted properly, you can delete the encrypted HTML files.
If you have more than one hard disk or partition with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks or partitions you will have to pass the additional drives as a command line parameter:
  • While holding down the Windows key, now press the R key. The “Run Box” will now appear.
  • In the “Run box”, type in “cmd.exe” and press Enter.
  • The Windows Command Line prompt should show up.
  • You first need to switch into the directory where you downloaded the decryption tool to.
  • This can be done using the cd command: cd /d "<path>"
  • Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads, for example, the exact command line to type in should look like this:
  • cd /d "C:\Users\Administrator\Downloads"
  • If you did everything right you will see that the command prompt changed slightly and now references the download directory.
  • Run the decryption tool with a list of all the drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:
  • decrypt_mblblock.exe C:\ D:\ E:\
  • Please be patient while the tool is running; it is better not to use the computer before the tool is finished.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

 

Malware analyst @ Emsisoft
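
Added example (not part of Elise's post and not Emsisoft's tool): a Python script for the "check all of the decrypted files" step before the encrypted HTML copies are deleted. It assumes each restored file sits next to its `.html` copy under the original name, which the thread does not state, and it checks only the leading bytes of the file types named in the first post.

```python
from pathlib import Path
import sys

# Leading bytes ("magic numbers") of the file types named in the first post.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy Office: doc, xls
ZIP = b"PK\x03\x04"                          # OOXML containers: docx, xlsx
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".bmp": (b"BM",),
    ".doc": (OLE2,), ".xls": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,),
}

def check_pair(encrypted: Path) -> str:
    """Classify one '<name>.<ext>.html' file left behind by the ransomware."""
    restored = encrypted.with_suffix("")     # assumption: same name minus .html
    if not restored.is_file():
        return "missing"                     # no decrypted counterpart found
    sigs = MAGIC.get(restored.suffix.lower())
    if sigs is None:
        return "unchecked"                   # type not in the table; open by hand
    with restored.open("rb") as fh:
        head = fh.read(8)
    return "ok" if head.startswith(sigs) else "bad-header"

def audit(root: Path) -> dict:
    """Map every doubly-suffixed *.html file under root to its check result."""
    results = {}
    for enc in sorted(root.rglob("*.html")):
        # Skip ordinary pages such as index.html; keep e.g. report.docx.html
        if len(enc.suffixes) >= 2:
            results[enc] = check_pair(enc)
    return results

def safe_to_delete(results: dict) -> list:
    """Encrypted copies whose restored file exists and starts with a valid header."""
    return [enc for enc, status in results.items() if status == "ok"]

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for enc, status in audit(target).items():
        print(f"{status:11} {enc}")
```

A matching header only shows that a file starts like its type; opening a sample of the restored files, as the post advises, is still the real check before anything is deleted.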


#4 Ceej13


Posted 20 May 2013 - 09:32 AM


Thank you so much, Elise. This seems to be working GREAT!!!

And I apologize for the links you had to remove. 



#5 Elise


Posted 20 May 2013 - 12:06 PM

I'm glad that did the trick. :)

 

Do you have any other problem with your computer?


regards, Elise




#6 Ceej13


Posted 20 May 2013 - 12:39 PM

No other issues with the computer(s). 

 

I am happy to say the resolution (decrypt_mblblock.exe) seems to have worked beautifully. I've checked most documents and other files and they are decrypted. I'm kind of glad that it leaves the encrypted HTML file so that I can compare files to have been decrypted. Cannot afford to lose any data.

Once I'm done, all I have to do is sort files by type and say "Good Riddance!" to those encrypted files.

 

Thank you, 



#7 Elise


Posted 20 May 2013 - 12:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

