Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

i am inifected


  • Please log in to reply
4 replies to this topic

#1 ihajjar

ihajjar

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 08 December 2016 - 01:35 AM

dear all

i need your help with my infection

i am infected with this file extension (.lnk.[amagnus@india.com].wallet) and all my company data is encrypted any one can help me to decrypt my file any suggestions 



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:02 PM

Posted 08 December 2016 - 05:03 PM

Hello, if you are using Win 8 or down..

 

Click on Control Panel..
Click Uninstall a Program.
Select [amagnus@india.com].wallet and click Uninstall button

 

 

3Al62Pm.pngMiniToolBox

  • Please download MiniToolBox, save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Users, Partitions and Memory size.

  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


zcMPezJ.pngAdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

lv0mVRW.pngJunkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:02 PM

Posted 08 December 2016 - 09:30 PM

dear all
i need your help with my infection
i am infected with this file extension (.lnk.[amagnus@india.com].wallet) and all my company data is encrypted any one can help me to decrypt my file any suggestions

Any files that are encrypted with Dharma Ransomware (a new variant of CrySiS) will have an .[<email>].dharma, .[<email>].wallet or .<email>.zzzzz extension appended to the end of the encrypted data filename (i.e. [worm01@india.com].dharma, [bitcoin143@india.com].wallet, [amagnus@india.com].zzzzz) and leave files (ransom notes) named README.txt, README.jpg as explained here.

Our First Responders and MRT can only assist you with clean up.... there is no known way at this time to decrypt files encrypted by Dharma variants without paying the ransom. Our crypto malware experts who analyze these infections suspect another cyber criminal forked the code and generated their own keys which were not part of the leaked master decryption keys for the original CrySiS variants.

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

When or if a solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 ihajjar

ihajjar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:02 AM

Posted 09 December 2016 - 01:55 AM

thanks all for your posts and help

unfortunately i payed for the ransom it cost me 2 bitcoin :@ (1700$) and i found the infected machine, i worked on isolated this infected machine , it was a process named 111.exe found on administrator desktop running on TMG server 

Now My question : Normally the ransom inject whats it call time bomb that will explode with another ransom in later time is their any cases like this ?

 

and again many thanks for all of you



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:02 PM

Posted 09 December 2016 - 06:31 AM

No cases or reports here at BC that I am aware of.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users