
Files with "!crypted!somenumbers" but no How_Decrypt* files? (CryptoDefense )

1 reply to this topic

#1 AAG1 (Members, 1 posts)

Posted 07 May 2014 - 05:00 PM

One of my machines (referred to as machine 1; it was XP running under an admin account and is being rebuilt with Windows 7) got infected with CryptoDefense, and I've got a load of files which are encrypted with "!crypted!somenumbers", as detailed in your FAQ.

(Affected file extensions not mentioned elsewhere also included .h / .c* / .obj.)


I noticed that on that machine there were the How_Decrypt* files in various folders, BUT files in that directory were untouched (while files in the child directories were encrypted). With your FAQ I've been able to find which files are encrypted and which weren't (by searching for the !crypted! prefix).


As a precaution, on my 2nd machine (old netbook, Windows 7 Starter, UAC set at default), I updated my antivirus, installed Malwarebytes Anti-Malware and ran a full scan; they both reported the machine as being clean.


Then from my 2nd machine I searched local drives/backup external HDs for all files containing !crypted!.


My external USB/backup HDs are clean.

The search DID find various encrypted .GIF files in the temp IE folder on machine 2, in

C:\Users\Wizzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZDD0EEWO

C:\Users\Wizzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SDEH4C3D


YET the AV/Malwarebytes run said machine 2 was clean??? (And the antivirus hasn't had any historical detections?)


I also noticed that there are no corresponding HOW_DECRYPT* files in the temp IE folder.


Main questions are:

  1. How does this thing infect you?

Machine 1 - had reg keys for auto starting.

Machine 2 - no reg keys, no virus/spyware detection, yet something has run to encrypt some files in the IE temp folder?


All the !crypted! files were created at 19 April 2014, 07:40:48.


Looking at event viewer - I logged on at 07:34:59.


Using "browsing history viewer" from http://www.nirsoft.net/ (which reads index.dat files), there are some page visits at 07:37, but nothing obviously pointing to any "warez/adult sites", which is how this is supposed to be infected. (Also I didn't open any attachments received via email.)


I'm using a router with the firewall enabled and there are no open inbound ports, so something must have connected out and downloaded/run the encrypter? Presumably due to file permissions only the temp IE folder was "accessible", BUT what happened to the actual exe/encrypter, where has it gone? And why didn't it create the HOW_DECRYPT files if it's due to file permissions (i.e. how was it started/what account was it running under)?


Is it possible that the decrypter was picked up earlier and scheduled to run at a future point, or does the encrypter usually run as soon as it's downloaded?


  2. Is machine 2 really safe? No additional files have been infected since the 19th?


  3. Is there anything to stop something similar from happening? It's really frightening that something can just encrypt all your files.

The AV "heuristics" on machine 1 didn't detect a load of files being re-written in rapid succession, but IE would have been running under an admin account.

E.g. starting IE in a batch file, but having the batch file reset the %appdata% environment variable to c:\ie-temp and then having that folder deleted when IE shuts down? (And enabling some group policy to stop exes from running from that folder?)



Sorry for the rambling post, but most of the talk has been, understandably, about how to get your files back, and I'm really confused as to how machine 2 picked up ransomware in the 1st place, and why/what happened to the encrypter exe.



Thanks in advance
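The search the poster describes (walk every drive for names carrying the "!crypted!&lt;digits&gt;" marker, note which folders also hold a HOW_DECRYPT* note, and compare the timestamps) can be scripted so it is repeatable across machines and backups. The following is an added example, not code from the post or from any CryptoDefense write-up. It assumes the marker is appended to the original file name, builds a small constructed sample tree that mirrors the layout described above (note in the parent folder, untouched files beside it, encrypted files in the children, encrypted GIFs in a cache-like folder with no note), and reports per-folder counts, folders with encrypted files but no note, folders with a note but no encrypted files of their own, and the time window of the encryption writes.

```python
"""Triage helper for a CryptoDefense-style hit (added example, not from the post).

Walks a tree, collects files whose names carry the "!crypted!<digits>" marker,
groups them by folder, checks whether the folder also holds a HOW_DECRYPT* note,
and reports the time window in which the encrypted files were written.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Marker as described in the post: "!crypted!" followed by digits.
# Assumption: it is appended to the original file name.
CRYPTED_RE = re.compile(r"!crypted!\d+", re.IGNORECASE)
NOTE_RE = re.compile(r"^HOW_DECRYPT", re.IGNORECASE)


def find_crypted(root):
    """Yield (path, mtime) for every file under root whose name carries the marker."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if CRYPTED_RE.search(name):
                full = os.path.join(dirpath, name)
                yield full, os.stat(full).st_mtime


def folders_with_notes(root):
    """Return the set of folders that contain a HOW_DECRYPT* ransom note."""
    return {dirpath for dirpath, _dirs, files in os.walk(root)
            if any(NOTE_RE.match(n) for n in files)}


def triage(root):
    """Return (per_folder, window, note_folders).

    per_folder:   {folder: {"encrypted": n, "has_note": bool}}
    window:       (earliest, latest) mtime of the encrypted files, or None
    note_folders: every folder holding a ransom note, with or without encrypted files
    """
    note_folders = folders_with_notes(root)
    per_folder, times = {}, []
    for path, mtime in find_crypted(root):
        folder = os.path.dirname(path)
        entry = per_folder.setdefault(
            folder, {"encrypted": 0, "has_note": folder in note_folders})
        entry["encrypted"] += 1
        times.append(mtime)
    window = (min(times), max(times)) if times else None
    return per_folder, window, note_folders


# Constructed sample data. The timestamp is the one quoted in the post and is used
# only so the demo is deterministic; the paths are made up for illustration.
SAMPLE_TS = datetime(2014, 4, 19, 7, 40, 48, tzinfo=timezone.utc).timestamp()
SAMPLE_FILES = [
    # (relative path, encrypted?)
    ("Documents/HOW_DECRYPT.txt", False),               # note in the parent folder
    ("Documents/notes.txt", False),                     # untouched file beside it
    ("Documents/src/main.c!crypted!1234567", True),     # encrypted files in a child
    ("Documents/src/util.h!crypted!1234568", True),
    ("Cache/ZDD0EEWO/banner.gif!crypted!1234569", True),  # cache folder, no note
]


def build_sample_tree(root):
    """Create the constructed sample tree under root; stamp encrypted files with SAMPLE_TS."""
    for rel, encrypted in SAMPLE_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"x" * 16)          # placeholder content
        if encrypted:
            os.utime(full, (SAMPLE_TS, SAMPLE_TS))
    return root


def run_demo():
    """Build the sample tree, triage it, and return the findings as plain values."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="crypted-triage-"))
    per_folder, window, note_folders = triage(root)

    def rel(folder):
        return os.path.relpath(folder, root).replace(os.sep, "/")

    return {
        "total_encrypted": sum(e["encrypted"] for e in per_folder.values()),
        # encrypted files present but no ransom note in the same folder
        "silent_folders": sorted(rel(f) for f, e in per_folder.items() if not e["has_note"]),
        # ransom note present but no encrypted files of its own
        "note_only_folders": sorted(rel(f) for f in note_folders if f not in per_folder),
        "window_seconds": (window[1] - window[0]) if window else None,
        "first_write": datetime.fromtimestamp(window[0], timezone.utc).isoformat() if window else None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a real drive root instead of the sample tree to get the same report for a live machine or a backup disk; a tight `window_seconds` across many folders is the "rewritten in rapid succession" pattern the poster expected the antivirus heuristics to notice.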



#2 quietman7 (Global Moderator, Virginia, USA)

Posted 07 May 2014 - 06:43 PM

The link you provided is a repository of all current knowledge regarding CryptoDefense.

There is also a lengthy ongoing discussion in this topic: CryptoDefense - Newest cryptolocker variant. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

The BC Staff