
Help_decrypt in Outlook 2010


  • This topic is locked
2 replies to this topic

#1 TrentonO

Posted 22 July 2015 - 10:40 AM

Hi,
 
A few months ago, I had the CryptoLocker virus (I think it was V2).  I thought it had all gone until I tried forwarding an e-mail to a college today and it arrived all messed up.  I have since noticed that there is a HELP_DECRYPT item in the Signatures section on the Outlook new message page.
 
I have tried a few things and worked out that the computer works fine for new e-mail, but when I forward one it corrupts the mail.
 
In my research, everyone seems to be asking for a log from FRST64, so I have attached both of these logs to try and speed things up.
 
I have run:  Malwarebytes, AdwCleaner, RogueKiller64 and of course FRST64.exe.
 
Thanks for any help you can give.
 
One more thing, I have already removed the Help_Decrypt items listed in the log.

Edited by hamluis, 22 July 2015 - 12:20 PM.
Moved from Win7 to 'Virus, trojan etc. logs'


#2 nasdaq

Posted 24 July 2015 - 09:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1765066632-1575468496-1825360798-1197\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Extension: (Trend Micro Toolbar) - C:\Users\atempleman\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2015-06-10]
CHR Extension: (Trend Micro Password Manager) - C:\Users\atempleman\AppData\Local\Google\Chrome\User Data\Default\Extensions\olmajmomenlhgihenlbjcfbopoghpckg [2015-06-10]
CHR HKLM\...\Chrome\Extension: [olmajmomenlhgihenlbjcfbopoghpckg] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
CHR HKLM-x32\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - No Path Or update_url value
CHR HKLM-x32\...\Chrome\Extension: [idkknaphebegndgimgdpfnconcickdfn] - No Path Or update_url value
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [olmajmomenlhgihenlbjcfbopoghpckg] - https://clients2.google.com/service/update2/crx
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
C:\ProgramData\HELP_DECRYPT.HTML
C:\ProgramData\HELP_DECRYPT.PNG
C:\ProgramData\HELP_DECRYPT.TXT
C:\ProgramData\HELP_DECRYPT.URL

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Try to remove the Signature from your Outlook program.

https://support.office.com/en-in/article/Stop-using-an-automatic-signature-f94df479-0bc6-43a4-a6cf-966db538de42

How is the computer running now?
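
Added example, not part of the post above and not FRST's own code: a read-only PowerShell inventory of leftover HELP_DECRYPT ransom notes, using the four file names from the fixlist. The default search roots are assumptions: `%ProgramData%` (from the fixlist) and the per-user Outlook signatures folder `%APPDATA%\Microsoft\Signatures`, a likely source of the HELP_DECRYPT entry Outlook lists; `Find-HelpDecryptNotes` is a hypothetical name.

```powershell
# Added example: lists leftover HELP_DECRYPT notes. Nothing is deleted.
function Find-HelpDecryptNotes {
    [CmdletBinding()]
    param(
        # Folders to search. Defaults are assumptions, see the note above.
        [string[]]$Root = @(
            $env:ProgramData,
            (Join-Path $env:APPDATA 'Microsoft\Signatures')
        )
    )

    # The four extensions the fixlist in this topic removes.
    $extensions = '.html', '.png', '.txt', '.url'

    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Verbose "Skipping missing folder: $dir"
            continue
        }
        # -Force includes hidden files; access-denied folders are skipped quietly.
        Get-ChildItem -LiteralPath $dir -Recurse -Force -Filter 'HELP_DECRYPT*' -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.BaseName -eq 'HELP_DECRYPT' -and
                $extensions -contains $_.Extension   # comparison is case-insensitive
            } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# Collect once, then show two views of the same result.
$notes = @(Find-HelpDecryptNotes -Verbose)

# 1) Every note, oldest first; the earliest CreationTime helps date the infection.
$notes | Sort-Object CreationTime | Format-Table -AutoSize

# 2) Count per folder, to see which locations still need cleaning.
$notes |
    Group-Object { Split-Path -Path $_.FullName -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

'{0} leftover note(s) found' -f $notes.Count
```

Pass `-Root $env:USERPROFILE` to cover the whole profile; review the list before removing anything by hand or with a fixlist.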

#3 nasdaq

Posted 29 July 2015 - 08:18 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



