Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My PC infected with extensions WNCRY - WNCYR - OXR


  • This topic is locked This topic is locked
13 replies to this topic

#1 FREEZ

FREEZ

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 19 December 2017 - 08:15 AM

Hi Bleeping ,

 Yesterday my pc was infected with ransomeware virus "@WanaDecryptor@" , with extensions wncry/wncyr/oxr .

my video files encrypted with extension "WNCYR" and text files encrypted with extension WNCRY and OXR . and unfortunately this virus removed my restore point too , so would be nice if you help me to decrypt my files , sorry for bad english

 

Thank you



BC AdBot (Login to Remove)

 


#2 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:09:31 AM

Posted 19 December 2017 - 08:21 AM

Hello,

Please share here with wetransfer 2-3 crypted files and the ransom note to see if a decryptor exists for your case.

Regards, Emmanuel



#3 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 19 December 2017 - 12:16 PM

Hello,

Please share here with wetransfer 2-3 crypted files and the ransom note to see if a decryptor exists for your case.

Regards, Emmanuel

Hello , thanks for your reply

  here is a rar file with crypted files and hope it will help you for understanding about this virus .  https://www.sendspace.com/file/qiexsn

here is a screen link: http://i67.tinypic.com/ff26n7.jpg

unfortunately i cannot provide you video crypted file due to big file size but i added a screenshot in the rar file for mkv file .

 

Thanks for your support !



#4 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 20 December 2017 - 05:29 AM

It's been few hours to go but no reply yet , @all i really need your help to decrypt my files . :(



#5 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:09:31 AM

Posted 20 December 2017 - 06:41 AM

Hello Freez,

Sorry for the time. I search for a decryptor but find nothing (the Trend Micro Decryptor for WannaCry is not working).

Nevertheless I will open a ticket for you at Dr.Web and tell you if they have a solution.

I come back to you as soon as possible. Kind regards,

Emmanuel emte@adc-soft.com



#6 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 20 December 2017 - 06:54 AM

Hello Freez,

Sorry for the time. I search for a decryptor but find nothing (the Trend Micro Decryptor for WannaCry is not working).

Nevertheless I will open a ticket for you at Dr.Web and tell you if they have a solution.

I come back to you as soon as possible. Kind regards,

Emmanuel emte@adc-soft.com

Hello Sir ,

   Thanks a lot for your support , i actually cannot use my pc properly at this time and waiting a method to decrypt my files first , even i do not connect my USBs to my pc . so i hope i will be able to decrypt my file asap. :(

but can i scan my pc and remove virus using malwarebytes etc before decrypting files ? thank you

 

 

Regards!

FREEZ



#7 Amigo-A

Amigo-A

  • Members
  • 423 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:12:31 PM

Posted 20 December 2017 - 09:18 AM

OXAR Ransomware adds the extension .OXR to the encrypted files. 
 
He can also use other images to confuse the victims. If it's him, then it's based on HiddenTear and it's more likely to be decrypted.
Other extortionists also use other ransomware's images and extensions.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Пострадали от шифровальщика? Сообщите мне здесь. 


#8 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 20 December 2017 - 11:19 AM

 

OXAR Ransomware adds the extension .OXR to the encrypted files. 
 
He can also use other images to confuse the victims. If it's him, then it's based on HiddenTear and it's more likely to be decrypted.
Other extortionists also use other ransomware's images and extensions.

 

HiddenTear ? Could you help me please to decrypt my files ?



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 AM

Posted 20 December 2017 - 03:37 PM

Emmanuel_ADC-Soft advised he is checking with Dr.Web for a solution so please be patient.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:09:31 AM

Posted 20 December 2017 - 03:44 PM

Ticket is open. I come back as soon as possible -).



#11 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 20 December 2017 - 05:08 PM

Ok got it and thanks both of you for your support ,



#12 FREEZ

FREEZ
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:31 PM

Posted 21 December 2017 - 03:54 AM

@all , sorry but i asked a question in my previous reply but didn't get answer yet , please suggest me

can i scan my pc for removing virus using malwarebytes or any other antivirus before decrypting files ? thank you



#13 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:09:31 AM

Posted 21 December 2017 - 03:58 AM

Hello Freez,

There is no decryption solution avalaible for this ransomware : it's the Wanacry that made the buzz not long ago.
In addition this one is infected with "classic" virus Win32.HLLP.Neshta
You should keep your crypted files on a hard disk and clean your computer with malwarebytes or the cleaning tool of your choice.

Good luck, Emmanuel


Edited by Emmanuel_ADC-Soft, 21 December 2017 - 03:59 AM.


#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 AM

Posted 21 December 2017 - 06:47 AM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

Note: Disinfection will not help with decryption of any files affected by the ransomware.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion.When or if a decryption solution is found, that information will be provided in the above support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users