Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Crypto Help | decrypt_mblblock.exe


  • This topic is locked This topic is locked
3 replies to this topic

#1 Holden_McG

Holden_McG

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 11 July 2015 - 05:29 PM

I got CryptLocker.. again today. The only thing I download was a .PDF from a trusted drum site and a couple hours later I got the dreadful meassage. 

(Also the first time I got this I was also on a large commercial real estate website and clicked on a PDF flyer and got it -- How do they sneak these things in on these sites???)

 

Working through the resoultion process I removed all the Crytpo shortcuts I could find and I got ShadowExplorer to restore some of the files but not all of them (oddly enough neither the ShadowExplorer or Malwarebytes .exe/programs were active on the computer from the first time through this process and I know I didn't remove them. Wonder if Crypto bounced them???).

 

I tried to use the utility that was linked from the main "Crypt" help article on this malware and through a Yahoo search that landed in this forum.

I D/L'ed and ran the utility but didn't seem to have any luck cracking the encrypted files.  Is the " decrypt_mblblock.exe " still a valid utility tool, or have the bad guys worked around this?

 

Also I thought there was a laundry list of items to check in the Registry in the CryptLocker article but I can't seem to locate it to make sure that nasty malware isn't buried deep and just waiting to be resurrected? 

 

Regards,

HMcG


Edited by Chris Cosgrove, 11 July 2015 - 05:48 PM.
Moved from Vista to General Security


BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:08 PM

Posted 11 July 2015 - 09:49 PM

The original Cryptolocker infection has been down for a while now and has not returned. There are several copycat and fake ransomware variants which use the CryptoLocker name but the infection is not the same.

Decrypt_mblblock.exe was a tool used for even an older infection...Decrypt Protect MBL Advisory virus.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .xyz, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
About_Files

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Holden_McG

Holden_McG
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 12 July 2015 - 08:14 AM

quietman7,

Thanks for the update on the original/copy cat Crypto - now Decrypt ...

 

The documents in my file folder didn't have any changes to their file extensions  (i.e. John Bonham Tuning Guide.docx is still showing as John Bonham Tuning Guide.docx, or ParadiddleGrooves1.pdf is still named ParadiddleGrooves1.pdf, but neither can be functionally opened).

 

The ransom notes scattered on my drive were these series of four: HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG, which I combed through my drive and manually deleted. 



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,582 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:08 PM

Posted 12 July 2015 - 08:43 AM

- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

- CryptoWall does not change extensions on a file and does not leave anything behind once it has finished encrypting...the only evidence will be the ransom notes and registry keys.

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also ongoing discussions in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users