Help with HELP_DECRYPT


  • This topic is locked
12 replies to this topic

#1 amiga4ever

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 13 March 2015 - 12:52 PM

I have followed a few guides on here and am having issues. I have run the adware remover as advised in another post and tried all other ways of recovering the files, but without success, and I'm not sure how to move on. I have loads of files I need to unencrypt but don't know where to go from here.

 

I have run the adware cleaner and that has removed quite a few things, and I have tried to restore files via Shadow Explorer, as the shadow volumes have been deleted.

I have run FRST and it has created two files, which I have attached (not sure if I should have copied and pasted their contents).

 

The system is running Win 8.1, so backup was not set on by default. I don't know if this will cause any issues, as I can't select restore like I can on a Win 7 machine via Properties.

 

Any help will be much appreciated.

 

Also, I hope I have posted this in the correct way.

Attached Files




#2 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 13 March 2015 - 02:30 PM

Hello amiga4ever and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks
---------------------------------------------------------------------------------------------------------

 

Let's check your system to clean it. We can't recover the files.

-------------------

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

 


 

Sincerely


Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 13 March 2015 - 04:05 PM

Step 1:
FRST Script:
Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
Run Eset Online Scan
Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the options "Scan Archives" and "Remove found threats" are ticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Have a nice day.

 

Attached Files



 


 


#4 amiga4ever

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 13 March 2015 - 04:15 PM

Thank you for the quick reply. I will do this tomorrow and post the files you require. I am currently at work and about to start a night shift, so it will be in about 12 hours' time.

#5 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 14 March 2015 - 06:02 AM

Okay. Have a nice working day.


 


 


#6 amiga4ever

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 14 March 2015 - 08:55 AM

I have created the two log files after the scan, but I am being completely stupid and can't see how to add them as attachments.

 

Thanks



#7 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 14 March 2015 - 05:43 PM

You can send them with the Browse button in the message window, or copy and paste the page.
or

with sendspace.com
https://www.sendspace.com/

 

 

 



 


 


#8 amiga4ever

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 17 March 2015 - 05:09 AM

Just having issues now: the ESET log is not complete, it fails the scan at 82% no matter what advanced settings I use, and the only infection it finds is Win32/Filecoder.CR Trojan.

 

Will upload the log ASAP.

 

The other log file is:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Pickles at 2015-03-14 09:22:39 Run:1
Running from F:\
Loaded Profiles: Pickles (Available profiles: Pickles)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
InternetURL: C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.balzakoptions.com/1gd9xwm
2015-03-13 10:31 - 2015-03-13 10:31 - 00008630 _____ () C:\Users\Pickles\HELP_DECRYPT.HTML
2015-03-13 10:31 - 2015-03-13 10:31 - 00008630 _____ () C:\Users\Pickles\Desktop\HELP_DECRYPT.HTML
2015-03-13 10:31 - 2015-03-13 10:31 - 00000296 _____ () C:\Users\Pickles\HELP_DECRYPT.URL
2015-03-13 10:31 - 2015-03-13 10:31 - 00000296 _____ () C:\Users\Pickles\Desktop\HELP_DECRYPT.URL
2015-03-13 09:50 - 2015-03-13 10:26 - 00008630 _____ () C:\Users\Pickles\Documents\HELP_DECRYPT.HTML
2015-03-13 09:50 - 2015-03-13 10:26 - 00000296 _____ () C:\Users\Pickles\Documents\HELP_DECRYPT.URL
2015-03-13 09:50 - 2015-03-13 09:50 - 00008630 _____ () C:\Users\Pickles\Downloads\HELP_DECRYPT.HTML
2015-03-13 09:50 - 2015-03-13 09:50 - 00000296 _____ () C:\Users\Pickles\Downloads\HELP_DECRYPT.URL
2015-03-12 20:46 - 2015-03-12 20:46 - 00008630 _____ () C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-12 20:46 - 2015-03-12 20:46 - 00008630 _____ () C:\Users\Pickles\AppData\Local\HELP_DECRYPT.HTML
2015-03-12 20:46 - 2015-03-12 20:46 - 00008630 _____ () C:\Users\Pickles\AppData\HELP_DECRYPT.HTML
2015-03-12 20:46 - 2015-03-12 20:46 - 00000296 _____ () C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.URL
2015-03-12 20:46 - 2015-03-12 20:46 - 00000296 _____ () C:\Users\Pickles\AppData\Local\HELP_DECRYPT.URL
2015-03-12 20:46 - 2015-03-12 20:46 - 00000296 _____ () C:\Users\Pickles\AppData\HELP_DECRYPT.URL
2015-03-12 20:46 - 2015-03-12 20:46 - 0008630 _____ () C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-12 20:46 - 2015-03-12 20:46 - 0046102 _____ () C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-12 20:46 - 2015-03-12 20:46 - 0000296 _____ () C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.URL
2014-11-10 16:01 - 2015-03-13 11:47 - 0000093 _____ () C:\Users\Pickles\AppData\Roaming\sp_data.sys
2015-03-12 20:46 - 2015-03-12 20:46 - 0008630 _____ () C:\Users\Pickles\AppData\Local\HELP_DECRYPT.HTML
2015-03-12 20:46 - 2015-03-12 20:46 - 0046102 _____ () C:\Users\Pickles\AppData\Local\HELP_DECRYPT.PNG
2015-03-12 20:46 - 2015-03-12 20:46 - 0000296 _____ () C:\Users\Pickles\AppData\Local\HELP_DECRYPT.URL
AlternateDataStreams: C:\Users\Pickles\OneDrive:ms-properties
C:\Users\Pickles\AppData\Local\Temp\542824559.exe
C:\Users\Pickles\AppData\Local\Temp\APNSetup.exe
C:\Users\Pickles\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2s4s9w.dll
C:\Users\Pickles\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppvbi9b.dll
C:\Users\Pickles\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\Pickles\AppData\Local\Temp\Quarantine.exe
C:\Users\Pickles\AppData\Local\Temp\sqlite3.dll
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (YouTube) - C:\Users\Pickles\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-10]
2015-03-13 10:31 - 2015-03-13 10:31 - 00020480 ___SH () C:\Users\Pickles\Desktop\Thumbs.db
2014-09-29 17:24 - 2014-09-29 17:24 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-05-15 15:58 - 2012-09-07 11:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-05-15 15:58 - 2009-07-22 10:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-15 15:58 - 2012-09-07 11:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:

 

 

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML not found.
C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG not found.
C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL not found.
C:\Users\Pickles\HELP_DECRYPT.HTML => Moved successfully.
"C:\Users\Pickles\Desktop\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Pickles\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Pickles\Desktop\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Pickles\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Pickles\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Pickles\Downloads\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Pickles\Downloads\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Pickles\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Pickles\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Pickles\AppData\Local\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Pickles\AppData\HELP_DECRYPT.URL => Moved successfully.
"C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
"C:\Users\Pickles\AppData\Roaming\HELP_DECRYPT.URL" => File/Directory not found.
C:\Users\Pickles\AppData\Roaming\sp_data.sys => Moved successfully.
"C:\Users\Pickles\AppData\Local\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Pickles\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
"C:\Users\Pickles\AppData\Local\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Pickles\OneDrive" => ":ms-properties" ADS not found.
"C:\Users\Pickles\AppData\Local\Temp\542824559.exe" => File/Directory not found.
C:\Users\Pickles\AppData\Local\Temp\APNSetup.exe => Moved successfully.
"C:\Users\Pickles\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2s4s9w.dll" => File/Directory not found.
"C:\Users\Pickles\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppvbi9b.dll" => File/Directory not found.
C:\Users\Pickles\AppData\Local\Temp\jre-8u40-windows-au.exe => Moved successfully.
C:\Users\Pickles\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Pickles\AppData\Local\Temp\sqlite3.dll => Moved successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Users\Pickles\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo => Moved successfully.
C:\Users\Pickles\Desktop\Thumbs.db => Moved successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.
C:\ProgramData\SetStretch.cmd => Moved successfully.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\ProgramData\SetStretch.VBS => Moved successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  netsh int ipv4 reset =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.

========= End of CMD: =========

=========  netsh int ipv6 reset =========

Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.

========= End of CMD: =========

EmptyTemp: => Removed 1.2 GB temporary data.

The system needed a reboot.

==== End of Fixlog 09:24:39 ====
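The Fixlog above has a regular line shape: each action line is either `<target> => <outcome>.` or `<target> not found.`, and the targets include the HELP_DECRYPT ransom-note files that were dropped into many of the user's directories. The following script is an added example, not from this thread and not part of the FRST tool; it parses result lines of that shape from a constructed sample modelled on the log, tallies the outcomes, and lists the directories in which a ransom note was recorded, which is a quick way to see how far the encryption run reached. The sample log text, the function names and the status labels are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of FRST Fixlog result lines, modelled on the log posted above
# (a few lines only; the real log is much longer).
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
C:\Users\Pickles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML not found.
C:\Users\Pickles\HELP_DECRYPT.HTML => Moved successfully.
"C:\Users\Pickles\Desktop\HELP_DECRYPT.HTML" => File/Directory not found.
C:\Users\Pickles\Documents\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Pickles\AppData\Roaming\sp_data.sys => Moved successfully.
"C:\Users\Pickles\OneDrive" => ":ms-properties" ADS not found.
C:\Users\Pickles\AppData\Local\Temp\APNSetup.exe => Moved successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
EmptyTemp: => Removed 1.2 GB temporary data.
"""

# "<target> => <outcome>."; the target may be wrapped in double quotes.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')
# "<target> not found." (the form used for missing startup entries).
NOT_FOUND_RE = re.compile(r'^(?P<target>.+?) not found\.$')
# Ransom-note file names seen in the log (HELP_DECRYPT.HTML/PNG/URL; TXT is a common variant).
RANSOM_NOTE_RE = re.compile(r'HELP_DECRYPT\.(HTML|PNG|URL|TXT)$', re.IGNORECASE)


def classify(outcome):
    """Map the free-text outcome to a short status label (labels are this example's own)."""
    outcome = outcome.lower()
    if 'moved successfully' in outcome:
        return 'moved'
    if 'deleted successfully' in outcome:
        return 'deleted'
    if 'not found' in outcome:
        return 'not_found'
    return 'other'


def parse_fixlog(text):
    """Return a list of (target, status) tuples for every action line in the log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if m:
            entries.append((m.group('target'), classify(m.group('outcome'))))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            entries.append((m.group('target'), 'not_found'))
        # Status lines such as "Restore point was successfully created." are skipped.
    return entries


def summarize(entries):
    """Count outcomes and collect the directories that held a ransom note."""
    counts = Counter(status for _, status in entries)
    note_dirs = {t.rsplit('\\', 1)[0] for t, _ in entries if RANSOM_NOTE_RE.search(t)}
    return {'counts': dict(counts), 'ransom_note_dirs': sorted(note_dirs)}


if __name__ == '__main__':
    result = summarize(parse_fixlog(SAMPLE_FIXLOG))
    print('Outcomes:', result['counts'])
    print('Directories with ransom notes:')
    for d in result['ransom_note_dirs']:
        print('  ', d)
```

Run against a real Fixlog.txt by reading the file into `parse_fixlog` instead of the sample; the directory list is the useful part for scoping, since each directory that received a note is one the ransomware visited and should be checked for encrypted files during recovery.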



#9 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 17 March 2015 - 06:55 AM

Hi again.

 

Dr.Web CureIt run:


  • Please download Dr.Web CureIt! Free antivirus and save it to your computer. The file size is in excess of 100MB
  • NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  • Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  • Shutdown your antivirus to avoid any conflicts while scanning.
  • Once the scans have completed please re-enable your antivirus.
  • If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  • If needed you can also temporarily disable it from starting with Windows
  • Temporarily turn off any other security add-ons or applications you may also have.
  • Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  • If it does not have a Digital Signature then do not run it.
  • Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  • You should have your User Account Control (UAC) enabled for improved security and which should then produce a dialog box asking for approval to run the installer.
  • Click on the Yes button to start the installer.
  • Click OK to scan your computer in the Enhanced Protection Mode
  • Click on the check box to agree to participate in their software improvement program.
  • Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  • Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  • Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  • Then click on the Start scanning button.
  • If a threat is found you can click on the Action column in the program.
  • Your options will be Cure or Ignore
  • If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  • Then click on the Neutralize button.
  • Once completed click on the green Open Report link. It will open the report in NOTEPAD
  • Save the report to your desktop. The report will be called Cureit.log
  • Close Dr.Web Cureit!
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, attach the log Cureit.log you saved previously in your next reply.
  • Re-Enable your antivirus and other security programs when all done.

 



 


 


#10 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 21 March 2015 - 08:36 AM

4 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 24 hours, this thread will be closed due to inactivity.



 


 


#11 amiga4ever

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 21 March 2015 - 09:21 AM

Dr.Web also did not, or could not, complete a scan. But it didn't find as many issues: the ESET scan found 512 files infected with Win32/Filecoder.CR and nothing else and got stuck at 82%, and the Dr.Web one found some, but not the same ones, and gets stuck at 99%. I have set it running again this morning in minimal boot to see if that helps. Will post again tonight after work.

#12 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 26 March 2015 - 04:16 PM

Hello

 

5 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 24 hours, this thread will be closed due to inactivity.



 


 


#13 olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:51 PM

Posted 30 March 2015 - 11:16 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


 


 




