Armageddon Posted July 3, 2013

Hi chaps, this one has me stuck, but let's start from the beginning. A friend of mine contacted me re the PCEU virus; he had it on his system, am guessing from his viewing of the seedy side of the internet. I splatted the offending bug as per instructions from our good friend Pete, only thing is every picture and document is now encrypted with the following:

File is encrypted
This file can be decrypted using the program DirtyDecrypt.exe
Press CTRL+ALT+D to run DirtyDecrypt.exe
If DirtyDecrypt.exe not opened сheck the paths:
C:\Program Files\Dirty\DirtyDecrypt.exe
C:\Program Files (x86)\Dirty\DirtyDecrypt.exe
C:\Users\[YOUR USER]\AppData\Roaming\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Application Data\Dirty\DirtyDecrypt.exe
C:\Documents and Settings\[YOUR USER]\Local Settings\Application Data\Dirty\DirtyDecrypt.exe

The offending folders are removed and all malware checks now come up clean, but I can't restore the pictures/documents, and new pictures/documents are fine. All research points nowhere, including Bleeping Computer; the post there re this states everything is lost. Am just wondering if our security superheroes have any ideas.

Google is your friend
We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
Get help with computer problems. Join Free PC Help here
Donations are welcome. Read Here

etavares Posted July 7, 2013

We have tools, but it gets a bit tricky which decrypter to use. Are the files HTML? What was the virus that was detected?

etavares is a member of: Alliance of Security Analysis Professionals, Unified Network of Instructors and Trained Eliminators

Armageddon Posted July 7, 2013

It was the PCEU virus I shifted that the dirty decrypt folders were a part of the clean, but since the gentleman wanted a full re-image I did that yesterday. I do know he still has the pics, docs etc. just in case we can sort them.

etavares Posted July 7, 2013

Gotcha. It can depend on which payload comes with the PCEU. They each use a slightly different encryption. Emsisoft has several decrypters that can be of use once you know which to use. We can try them one by one... we just won't delete the files until we find the right decrypter.

Let me know when you're ready to proceed and I'll provide some suggested ones to start with.

-etavares

Armageddon Posted July 7, 2013

Anytime you like. Just one thing: can I do this remotely, or do I need the tower here with me or the drive with the affected files?

etavares Posted July 8, 2013

You should be able to do it remotely. We are shooting blindly since I don't know what the infection was. Do you know what it was called or where it said to go to decrypt the files?

Let's start with this tool: http://tmp.emsisoft.com/fw/decrypt_harasom.exe

Download it and run it from their computer where the encrypted files are. In the Decrypter tab, you can let it scan all, or just limit it to whichever hard drive or folder you want to restrict it to. Under the Options tab, make sure the option to delete files is UNCHECKED. Click Decrypt and let it run. Let me know how it goes.

Once it's done, take a look at the decrypted files. Open them... did it decrypt OK? If yes, you can then delete the old encrypted files or run it again but check the box to delete them in the Options tab. If the decrypted files are gibberish, corrupted or just not right, just let me know and we'll try another decrypter.

-etavares
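
The "open them and see whether they are OK or gibberish" check in the post above can be pre-screened in bulk by comparing each file's leading bytes with the signature its extension implies. This is an added example, not part of the original thread or of the Emsisoft tool; the signature table is an assumed subset and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Leading "magic" bytes of common picture/document formats (assumed subset).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP = b"PK\x03\x04"                           # .docx/.xlsx are ZIP archives
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"], ".doc": [OLE2], ".xls": [OLE2],
    ".docx": [ZIP], ".xlsx": [ZIP],
}

def check_file(path):
    """Classify one file as 'ok', 'bad' or 'unknown' from its header."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return "unknown"              # no signature on record: inspect by hand
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "ok" if any(head.startswith(s) for s in sigs) else "bad"

def triage(root):
    """Walk a folder of decrypter output and group file names by verdict."""
    report = {"ok": [], "bad": [], "unknown": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            report[check_file(p)].append(p.name)
    return report

def safe_to_delete_originals(report):
    """Only consider deleting encrypted originals if nothing failed."""
    return bool(report["ok"]) and not report["bad"]

def demo():
    """Constructed sample: two good headers, one gibberish, one unknown."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "scan.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "invoice.pdf": bytes(range(40, 80)),   # wrong decrypter: no %PDF-
        "notes.txt": b"plain text has no fixed header",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return triage(d)

if __name__ == "__main__":
    r = demo()
    print(r, "delete originals?", safe_to_delete_originals(r))
```

A matching header only shows that the start of the file looks right, so a sample of files should still be opened before the delete option is ticked.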

Armageddon Posted July 8, 2013

Every picture I click on basically is the following, and the exe file and the folders are gone during the removal. I will contact my friend and run the tool you have recommended and get back to you.

Thanks,
Armageddon

etavares Posted July 9, 2013

Did you mean to attach a photo? It's not showing up for me.

-etavares