IDTool v2 - Help victims identify what Ransomware variant they have


  • Please log in to reply
49 replies to this topic

#1 Nathan

Posted 16 September 2015 - 07:18 PM

IDTool is no longer supported. Nathan Scott (DecrypterFixer) discontinued development of his tools and now works for Malwarebytes (see here). The EasySync Solutions web site was taken down and all downloads from that site are no longer available.

We now recommend the use of ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. 

IDTool v2 - Infection Detection Tool

IDTool v2 is the second version of IDTool, which is used to help victims detect which Ransomware variant they were infected with, and point them to where they can go to get help.

The old version of the tool had an internal database, which caused a forum member wanting to share the program, or even a direct victim, to download the tool every time a new ransomware came out. This also made updating the tool very slow.

Version 2 has a few new things, the biggest being an online database which is pulled each time the tool is run. This provides the victim with the latest database on every run, and also makes updating easy and automatic from my server. The tool also has a local database just in case there is no internet connection. You will never have to update this tool, so downloading it once and archiving it for later is all that is required.

I welcome the redistribution of this tool among users and members, and also encourage members trying to help victims of ransomware to use it as much as they like.

An auto search feature has also been added for more information on each infection.

Any questions or comments are welcome!

Thanks!

DOWNLOAD:

http://easysyncsolutions.com/IDTOOL/IDTOOL.exe


Edited by xXToffeeXx, 15 December 2016 - 12:00 PM.

Have you performed a routine backup today?
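As an added illustration (not Nathan's IDTool code, which was never published in this thread), the design the post describes can be sketched in Python: an indicator database pulled from a server on every run, a built-in local copy used when there is no connection, and matching of encrypted-file extensions and ransom-note filenames found in a directory listing. The database URL, the "ExampleLocker" entry and its help link are constructed placeholders, and the listings at the bottom are constructed too (one of them reuses the .0x0 / bleepedfiles.txt indicators reported later in the thread, which a database this small does not know yet).

```python
import json
import os
import urllib.request

DB_URL = "https://example.invalid/idtool/db.json"  # hypothetical placeholder

# Constructed local fallback database: family -> indicators and a help link.
LOCAL_DB = {
    "ExampleLocker": {
        "extensions": [".example", ".xmpl"],
        "notes": ["HOW_TO_RECOVER.txt"],
        "help": "https://example.invalid/forum/examplelocker",
    },
}

def fetch_online(url=DB_URL, timeout=5):
    """Download the JSON database; raises on any network problem."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def load_database(fetch=fetch_online):
    """Prefer the online copy; fall back to LOCAL_DB when offline."""
    try:
        return fetch()
    except Exception:  # no connection, DNS failure, server gone, bad JSON
        return LOCAL_DB

def identify(filenames, db):
    """Map each family to the file names that match its indicators."""
    hits = {}
    for family, info in db.items():
        notes = {n.lower() for n in info["notes"]}
        matched = set()
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in info["extensions"] or name.lower() in notes:
                matched.add(name)
        if matched:
            hits[family] = sorted(matched)
    return hits

if __name__ == "__main__":
    db = load_database()  # no server behind DB_URL, so the local copy is used
    # Constructed victim listings: one matches; the .0x0 case from post #12
    # is not in the database yet, so it reports nothing found.
    for listing in (["photo.jpg.example", "HOW_TO_RECOVER.txt", "notes.docx"],
                    ["report.xls.0x0", "secret.key", "bleepedfiles.txt"]):
        print(identify(listing, db) or "Nothing was found")
```

A real identifier would also inspect file contents (headers and markers of the encrypted files), since extensions and note names alone are easy to mistake across families.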


#2 Comdark.Bubnix

Posted 18 September 2015 - 09:25 PM

This tool is exactly what I need! This tool will be a great help in order to ID a ransomware. Thank you so much.



#3 Scoop8

Posted 19 September 2015 - 07:10 AM

Nathan

I have a question about the tool. I've never been affected by any of the ransomware variants.

I downloaded the tool to my Desktop. The icon disappears from the Desktop after about 10 seconds.

Is the tool automatically deleted if the PC doesn't have ransomware present on the PC?

I searched my (C:) HDD for "IDtool". Search results were negative and the icon isn't in the Recycle Bin.



#4 Nathan

Posted 19 September 2015 - 09:24 AM

No, chances are there is some AV on your computer triggering on my tool as a false positive. I'll look into this.

#5 Scoop8

Posted 19 September 2015 - 10:51 AM

Thanks :). I didn't think about that (AV). I'm running Norton N360 AV.

That's what it is. I disabled Norton and downloaded the tool. It's staying on the Desktop now.

[edit] It stayed on the Desktop until I tried to run the tool. Then a Win dialog appeared "Can't find path...", something similar, and the icon disappeared.

I had re-enabled the AV before trying to run the tool so that's probably what's preventing it from running.


Edited by Scoop8, 19 September 2015 - 10:54 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:49 PM

Posted 19 September 2015 - 04:35 PM

I had re-enabled the AV before trying to run the tool so that's probably what's preventing it from running.

Most likely. The problem is really with the anti-virus vendors who keep targeting these programs for various reasons and NOT with the tools themselves. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

#7 Nathan

Posted 19 September 2015 - 05:06 PM

Quietman is exactly right. This program, along with a lot of decrypters I make, contains some of the same strings, flags, and function bytes as the infection itself to help detect the infections, or to detect the encrypted files. That being said, some AV database rules are on the lazier side, and simply detect these strings with no other checks, thus flagging even goodware tools that stop or help with these infections. I'll have to submit an FP report to the AV company.

#8 Scoop8

Posted 19 September 2015 - 06:54 PM

10-4. Thanks for the info.



#9 Genex17

Posted 19 September 2015 - 08:36 PM

Hi Nathan

I ran it on Windows 10 Pro with ESET NOD32 and MBAM Pro running.

Good news: Nothing showed up.

Odd news: Clicking on the Detection Search and Jump to Location buttons causes the tool to quit.

But I'm happy with the negative results.

Gene



#10 Nathan

Posted 19 September 2015 - 08:56 PM

Ah, I forgot to detect if there is no item selected, thus a crash happens. I'll fix this.

I'll also make it so that if there are no results it will message box that nothing was found.

#11 Genex17

Posted 19 September 2015 - 10:37 PM

Glad to help out with the fine-tuning. :smash:

Gene



#12 surajthakur

Posted 28 September 2015 - 11:49 AM

Hi Nathan

Thanks for developing this IDTool v2. I downloaded and did a scan. Unfortunately nothing showed up. I know my laptop is infected with ransomware.

It happened 3 days ago. All files on Desktop, My Downloads, My Pictures, My Music are encrypted and now end with the .0x0 extension. Also there is a file secret.key and a file named bleepedfiles.txt which has an e-mail address saying to contact if I want my files back.



#13 Nathan

Posted 28 September 2015 - 01:13 PM

This is a new infection I haven't heard of, but no matter, as IDTool updates are instant. I'll get on that.

As for your infection, please send the ransom file "bleepedfiles.txt", a sample encrypted file, and any exe you think may have caused this, or any suspicious one still on the machine, zipped up to decryptorbit@outlook.com

Thanks

BTW, your secret.key file makes me think you may have a new TeslaCrypt variant, but I can't be sure yet.

#14 decrypt belgium

Posted 07 October 2015 - 07:19 AM

Hi Nathan,

We have a customer with a crypto virus. I have sent you 2 mails; could you please check in on it and give us your feedback?

Thanks in advance



#15 decrypt belgium

Posted 07 October 2015 - 07:27 AM

Nathan,

I've downloaded your new tool. Does it search external discs automatically? I can't select drives.

Second question: does it scan infected files specifically? Or does it scan for the virus itself? In other words, I have an external drive with good and bad (encrypted) files, but the tool indicates nothing.

Thanks for your answers,

