Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Got "HELP_DECRYPT.***" files in document folders, but files are OK

  • This topic is locked This topic is locked
3 replies to this topic

#1 andy o

andy o

  • Members
  • 5 posts
  • Local time:02:30 AM

Posted 05 September 2015 - 02:06 AM

Hi there,


This is my work computer, so I don't have total control over it. I do have the administrator password. Windows 7 Pro SP1, it's one of 3 terminals connected to a Windows Server 2008 server. This contains the database for the business (small hotel).


So today I get to work to find the MSE icon orange. I open it, and it's asking me to restart the computer to complete the cleanup. I go to History, and find multiple entries of these:








Under the "Ransom" entries, the only file listed is HELP_DECRYPT.HTML. When I go to the folders, there is that file, and there are two more: HELP_DECRYPT.TXT and HELP_DECRYPT.PNG.


All our files though, appear to be OK, unencrypted and healthy.


I understand these files themselves are not the ransomware, but I am wondering how they got copied to all the folders. Is it possible for this trojan to run without adminsitrative privileges (i.e. someone had to enter the password)? If not, how could these HTML, PNG and TXT files have been copied to the PC?


I'm also trying to figure out how this might have happened. We have security cameras covering the front desk, and at the time the files are indicating on the "date created" "date accessed" "date modified" fields, which is the same date and time, no one was apparently using a browser. The resolution on the video is bad, but I think I can see a popup from the lower right corner of the computer monitor, might be the AV. No one was attending the computer at that time though.


We have Firefox 40.0.3 and Chrome 45.0.2454.85 m. I don't know which browser was used. Firefox is set to always use private mode, but the history in Chrome shows one suspicious item at about the time the files indicate:



There is no web address associated with that entry that I can tell. The icon is LastPass's icon. Not sure if that is Lastpass's doing, cause it's installed in these 2 browsers, but no one uses it but me.


Thanks, any help will be much appreciated.

Edited by andy o, 05 September 2015 - 02:11 AM.

BC AdBot (Login to Remove)


#2 andy o

andy o
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:30 AM

Posted 05 September 2015 - 03:17 AM

Well I was wrong, I had opened some files to check, but after I turned off and on the PC it seems no files are opening (I disconnected the PC from the LAN of course. Luckily it seems it's contained to that terminal and our database is fine. I'm still wondering, did this require someone to actually type out the admin password, or cryptolocker-type malware can just run like that without admin privileges?

Edited by andy o, 05 September 2015 - 03:17 AM.

#3 andy o

andy o
  • Topic Starter

  • Members
  • 5 posts
  • Local time:02:30 AM

Posted 05 September 2015 - 04:56 AM

A bit more info after more reading. I know now that these malware can run without elevated privileges. But if UAC and Previous Versions was enabled, would it be possible to restore the files, such as detailed in this post? http://malwaretips.com/threads/system-restore-uac-and-cryptowall-3-0.44366/


I don't want to try anything or even turn back on the PC until I am sure of what I can do.


Before turning off the PC the first time, I also saw 3 backups with last modified dates of yesterday, 2 and 3 days ago, with extension .bak. I can't find the .bak extension on the list of files affected by Cryptowall, such as http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-061923-2824-99 so that could be another option.


Also, am I right in assuming the ecrypted files' modified date won't change to the new date they were encrypted? Cause I don't think they did.

Edited by andy o, 05 September 2015 - 04:58 AM.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:30 AM

Posted 05 September 2015 - 06:50 AM

Crypto malware will run on non-admin accounts under the same privileges as the infected user and encrypt any files that are accessible to that user.

- CryptoWall 3.0 leaves files (ransom notes) named:

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Cryptowall typically deletes (though not always) all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. Another possible options is to try file recovery software such as R-Studio or Photorec to recover some of your original files but there is no guarantee that will work.

At this time there is no fix tool and Decryption of any CryptoWall Files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. The only other alternative is to save your data as is and wait for possible updates...meaning, what seems like an impossibility at the moment (decryption of your data) there is always hope someday there may be a breakthrough or possible solution so save the encrypted data and wait until that time.

There are also ongoing discussions in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users