Ransomware infected my comp. Not sure how to decrypt / fix

2 replies to this topic

#1 Serverlord


  • Members
  • 1 posts
  • Local time:11:50 PM

Posted 26 May 2017 - 09:16 AM

Hi. Recently (yesterday morning), I was watching a stream on twitch tv. I had a popup stating "guide.exe has stopped responding". I reset the computer and then it still would not let me click on my icons etc., saying they were not there or had been removed. I turned the computer off and still it was happening. Since then I have realised all my .exe files and .txt files have been encrypted and changed. There is a ransom .txt file in every directory etc. I have used the ID Ransomware site every few hours, but it cannot recognize the malware etc. I have downloaded and used decryption programs and they cannot find the key. Is there anywhere I can upload the infected file(s) and .txt ransom demands? The infected files have been encrypted and changed to [nintendonx(AT)qq(DOT)com after their original file name.


The ransomware .txt file (DECRYPTION.TXT) I will paste, but I will edit/adjust the links email so no one clicks on them (I will put them in bold font also).


All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail: nintendonx(at)qq(DOT)com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 5Mb

How to obtain Bitcoins
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller
by payment method and price

Do not rename or move encrypted files - this may compromise the integrity of the decryption process
Do not try to decrypt your data using third party software, it may cause permanent data loss.




EDIT: This has nothing to do with twitch.tv :) Just what I was doing at the time when the malware proc'd itself.

Edited by Serverlord, 26 May 2017 - 09:55 AM.



#2 xXToffeeXx


    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:12:50 PM

Posted 26 May 2017 - 10:07 AM



I believe this is the new variant of Amnesia ransomware. We are working on it currently.



~If I am helping you and you have not had a reply from me in two days, please send me a PM~


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here


 ~Twitter~ | ~Malware Analyst at Emsisoft~

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:50 AM

Posted 26 May 2017 - 05:59 PM

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

