.CRYPT help2@tech-center.com - Help removing and decrypting files



#1 rhys100 (Members, 7 posts)

Posted 11 September 2017 - 10:52 PM

Hi, one of my clients has got a PC infected. Not sure how it got on here.

 

Malwarebytes found Hack.Tool.MImikatz located in C:/users\USER\documents\win32\mimikatz.exe and X64\Mimikatz

 

I also found ProcessHacker 2.39 folder/files in the download folder.

 

The file that opens on the screen says the following

 

Your documents, photos, databases, and other important data has been encrypted.
Data recovery requires a decoder.
To restore information write to technical support by help2@tech-center.com, in case of no answer in 24, write to help3@tech-center.com
 
*Attention!
 *Do not attempt to remove the program or run the anti-virus tools
 *Attempts to self-decrypting files will result in the loss of your data
 *Decoders are not compatible with other users of your data, because each user's unique encryption key
 
Your ID: 
 
Encrypted files are named like this, for example:
BRN30055C4C7177_024918.pdf.[tech-center].crypt
 
I have some original files if required.
 
 
Can I decrypt?
What tool will make sure this malware is gone?
 
What I have tried so far
  • Ran Kaspersky CryptXXX 3.0, but it says "Encryption file not equal to original".

Edited by rhys100, 11 September 2017 - 10:56 PM.



#2 rhys100 (Topic Starter)

Posted 11 September 2017 - 11:15 PM

I used https://www.nomoreransom.org/

 

I got this message: "You have been probably infected by "CrySIS" or "Chimera" or "CryptXXX V1" or "CryptXXX V2" or "CryptXXX V3" or "Patcher"."

 

I tried all of the tools and no success. Does this mean I have the Patcher version?



#3 cybercynic (Members, 557 posts)

Posted 11 September 2017 - 11:52 PM

Try ID Ransomware, it might give a more definite analysis of the ransomware. Go here: https://id-ransomware.malwarehunterteam.com/

 

Upload both the ransom note and an encrypted file.


We are drowning in information - and starving for wisdom.


#4 rhys100 (Topic Starter)

Posted 12 September 2017 - 12:15 AM

Here are the results...

https://i.imgur.com/0FkzCcG.png



#5 cybercynic (Members, 557 posts)

Posted 12 September 2017 - 12:24 AM

Did you select BOTH the ransom note AND the encrypted file first, THEN click on upload? If you did so, and got the result you just posted, you will have to wait for Demonslay or one of the other analysts to review your case. You might also upload a few encrypted files to sendspace and post the download link in this topic.


We are drowning in information - and starving for wisdom.


#6 rhys100 (Topic Starter)

Posted 12 September 2017 - 12:42 AM

Yes.

 

Here are some downloads.

 

Encrypted file - https://www.dropbox.com/s/bgj22uh3czxsndv/ProcessHacker.sig.%5Btech-center%5D.crypt.%5Btech-center%5D.crypt?dl=0

Note with files - https://www.dropbox.com/s/6c49q3x7d8fdphm/New%20Text%20Document.txt?dl=0



#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 12 September 2017 - 06:27 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button... it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 12 September 2017 - 11:15 AM

The super generic extension may have confused things, but the filemarkers are more accurate readings. It is more likely to be Amnesia2 or Scarab, or at least related to one of them. You could try the Emsisoft Amnesia2 decrypter.

 

I've tamed the false-positives for CryptXXX since those variants aren't really active anymore.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
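As an added triage example (not code from the thread or from any of the tools named in it), the script below works from what the thread does give: the `.[tech-center].crypt` naming scheme, including the doubly-encrypted sample, and the two contact addresses in the note. The entropy check and its 7.0 bits-per-byte threshold are my assumption for telling a file that was only renamed from one whose contents were actually overwritten; the file bytes are constructed.

```python
import math
import re
from collections import Counter

# Suffix seen in this thread: <original>.[tech-center].crypt, sometimes stacked twice.
ONE_SUFFIX = re.compile(r"\.\[(?P<tag>[^\[\]]+)\]\.crypt$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_encrypted_name(name):
    """Peel stacked '.[tag].crypt' suffixes; return original name, tags, pass count."""
    stem, tags = name, []
    while (m := ONE_SUFFIX.search(stem)):
        tags.append(m.group("tag"))  # outermost suffix first
        stem = stem[:m.start()]
    return {"original": stem, "tags": tags, "passes": len(tags)} if tags else None

def note_contacts(note_text):
    """Contact addresses in a ransom note (the thread's note gives two)."""
    return sorted(set(EMAIL_RE.findall(note_text)))

def shannon_entropy(data):
    """Bits per byte, 0..8: ciphertext sits near 8, plain text well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(files, threshold=7.0):
    """Rows for files whose name matches the suffix. Low entropy means the file was
    only renamed; high entropy is consistent with encryption (or dense formats)."""
    rows = []
    for name, head in files:
        parsed = parse_encrypted_name(name)
        if parsed:
            ent = shannon_entropy(head)
            parsed.update(name=name, entropy=round(ent, 2), looks_encrypted=ent >= threshold)
            rows.append(parsed)
    return rows

# Constructed sample data: the names and note text come from the thread, the bytes do not.
RANSOM_NOTE = ("Your documents, photos, databases, and other important data has been encrypted.\n"
               "To restore information write to technical support by help2@tech-center.com, "
               "in case of no answer in 24, write to help3@tech-center.com")
SAMPLE_FILES = [
    ("BRN30055C4C7177_024918.pdf.[tech-center].crypt", bytes(range(256)) * 4),
    ("ProcessHacker.sig.[tech-center].crypt.[tech-center].crypt", bytes(range(256)) * 4),
    ("renamed_only.docx.[tech-center].crypt", b"This file was only renamed. " * 20),
    ("untouched.txt", b"plain text"),
]
```

Run `triage(SAMPLE_FILES)` to get one row per matching file; the `.sig` sample reports two passes, which matters when a decrypter expects to peel exactly one suffix.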


#9 rhys100 (Topic Starter)

Posted 12 September 2017 - 06:21 PM

The super generic extension may have confused things, but the filemarkers are more accurate readings. It is more likely to be Amnesia2 or Scarab, or at least related to one of them. You could try the Emsisoft Amnesia2 decrypter.

 

I've tamed the false-positives for CryptXXX since those variants aren't really active anymore.

 

Hi, I've tried Amnesia2 but no success. I've read I may need to change the extension on files and it may work?

 

Anyway, I've uploaded some more files to the upload page for this thread if you can take a look?



#10 rhys100 (Topic Starter)

Posted 12 September 2017 - 06:41 PM

Seems other people have come across this virus now, as that email wasn't even on Google. Now it is.

http://removeallthreats.com/how-to-remove-help2tech-center-com-virus-crypt-files/ - seems just a generic article they write. Useless.



#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 12 September 2017 - 06:47 PM

Information provided by the removal guide which you link to should not be trusted. A simple search will reveal numerous such sites, all of which provide bogus information and misinformation. They create these removal guides as soon as something new is reported.