.CRYPT extension mess

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CPM, May 12, 2012.

  1. CPM

    CPM Private E-2

    Got some malware mess! :(
    [Running W7-Ult x64.]
    The "Polizei Bundes" warning message appeared, covering my screen (more info on it), and locked me out of my user account. Rebooted and had a MS Visual C++ Runtime Library error on the login screen: C:\Windows\system32\nvvsvc.exe with generic sub-message. Clicking OK brought me to my login prompt, though the other accounts were not visible/accessible in the normal fashion, and got the same PayNow warning screen with no typical access. Rebooted (several iterations) into safe mode with network cable removed. Used a flash USB drive for back and forth to another PC.
    Before following details of this site, I had tried a plethora of programs in safe mode, but executing off of the USB flash drive, with portable definition updates included: MS-Safety-Scanner_msert64.exe got nothing on quick and locked on FULL; spybotsd162.exe removed cookies and junk; ComboFix.exe removed some malware; HijackThis.exe only to see what was running; and mbam-setup-1.61.0.1400.exe with minor hits.
    The OLD and NEW Log files are included.

    See Next.........
     

    Attached Files:

  2. CPM

    CPM Private E-2

    From previous.........

    Played with renaming some files/extensions (Acrobat.exe and PDF), but nothing major.
    Then...came upon this site.
    Followed this site's directions...and a rootkit was found....
    Also, note that rebooting the infected PC with the USB flash drive plugged-in repeatedly caused its file-table to goof: I had to use testdisk-6.13.win.zip several times to repair it rather than reformatting.

    HELP! I'm not sure if the system is clean. BUT the file extensions are F*Ked up with .crypt as well as other mods like .lnk.crypt. :cry
    PLEASE HELP.
     

    Attached Files:

  3. CPM

    CPM Private E-2

    Lastly, I attach the MGlogs.zip file.

    Sigh. Please. Help. Messed extensions..... :(


    PS--still getting the nvvsvc.exe runtime error.
     

    Attached Files:

    Last edited: May 12, 2012
  4. CPM

    CPM Private E-2

  5. thisisu

    thisisu Malware Consultant

  6. CPM

    CPM Private E-2

    Ran xoristdecryptor.exe as suggested, of course, post-cleaning from yesterday. No hits were found. It appears that the file extensions and associations are broken / in need of repair, but there are many!
    Pointed to C:\Program Files (x86)\Microsoft Security Client\MpClient.dll.crypt with the LOG file (18,009 KB) eventually stating the following from bottom to top:

    Deinitialize success
    Can't init decryptor on file C:\[as above]
    ProcessDriveEnumEx: Drive [#]:\ type 3.0 , for several non-C drives with no hits

    Processing file: C:\Users\[several]\[subfolders]\[filename.ext].crypt , MANY entries...

    Processing file: C:\ProgramData\[subfolders]\[filename.ext].crypt , MANY entries...

    Processing file: C:\Program Files (x86)\[subfolders]\[filename.ext].crypt , MANY entries...

    Processing file: C:\Program Files\[subfolders]\[filename.ext].crypt , MANY entries...

    ProcessDriveEnumEx: Drive C:\ type 3.0
    Initialize success
    =====
    Boot type: Normal boot
    Page size: 0x1000
    Number of processors: 8
    Processor architecture: Intel x64
    Running under WOW64
    System windows directory: C:\Windows

    UserName: [name--admin]
    ComputerName: [name]
    Product type: Workstation
    OS Version: 6.1.7601 ServicePack: 1.0

    SystemInfo:
    Current date / time: 2012/05/12 [time]
    =====
    Trojan-Ransom.Win32.Xorist decryptor tool 2.2.69.0 May 11 2012 18:20:12
     
  7. thisisu

    thisisu Malware Consultant

    Hi,

    Can you attach 2-3 of the crypted files for analysis?
     
  8. CPM

    CPM Private E-2

    I've attached 3 .crypt files and the nvvsvc file (just in case). I had to append an extension (.ZIP) to enable a valid upload to this site.
    Again, it appears that the files (PDFs for instance) can be recovered by simply changing the extension and the file association. Not sure about files that may be deleted/hidden/....

    At this point, is there a tool that fixes the extensions and/or associations?
    Or shall I just reformat/reinstall (have a boot SSD, so faster)?!
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Thank you for uploading the files. Please do the following:

    Download SystemLook_x64.exe
    • Double-click SystemLook_x64.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir
    c:\users\CPM\AppData\Local\_ /s
    :filefind
    *.crypt
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)

    I have reviewed your logs and the ones you have provided thus far are clean.
    Let me know what malware related problems you are experiencing at this point.
     
  10. CPM

    CPM Private E-2

    Attached. :-o I've already read the Don't Do Post. No obvious issues besides only the CPM user account is accessible and the file extension/association mess.

    Also, the SystemLook program didn't pop up a notepad window but did produce one on the desktop. The 'Look' button turned into the greyed out 'Scanning...' button but never indicated it was complete so after 5min or so I hit the 'Exit' button.
     

    Attached Files:

    Last edited: May 13, 2012
  11. thisisu

    thisisu Malware Consultant

    Code:
    Users on this computer:
    Is Admin? | Username
    ------------------
       Yes    | Administrator (Disabled)
       Yes    | Booger (Disabled)
       Yes    | CPM
              | Guest (Disabled)
              | HomeGroupUser$ (Disabled)
              | Max (Disabled)
              | UpdatusUser (Disabled)
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • cmd
    • Now press ENTER
    • The Command Prompt (black box) should have opened
    • Type in these commands and press ENTER after each one
      • net user Booger /active:yes
      • exit
    Is the user account "Booger" now accessible? Reboot your PC and try to log in to find out.
     
  12. CPM

    CPM Private E-2

    Applied to Booger (admin) & Max user accounts.
    Both are now visible on the logon screen, in addition to CPM (admin).

    However...

    Upon logon attempt, Max generates an error: The Group Policy Client service failed the logon. Access is denied. (Also, the logon icon is blank, rather than some picture.)

    Upon logon attempt, Booger indicated that the Desktop was being generated and the account appears scrubbed, though it's not mine and was used infrequently, so maybe it was without documents.

    For both admin accounts, the .crypt extensions and incorrect associations are prevalent and still a primary issue.
    Besides this, shall I reinstall MS Security Essentials since it appears broken beyond the .crypt's?
    What's next...? :confused
     
  13. thisisu

    thisisu Malware Consultant

    I'd like to see how many .crypt files there are on your system. Please retry the SystemLook instructions from post #9.
    Let it scan for 30 minutes if needed.
     
  14. thisisu

    thisisu Malware Consultant

    Do you remember which anti-malware program removed this screen so that you could enter your desktop again?

    If possible, can you attach the files that were quarantined in the scan that removed the "Polizei Bundes" ransom message?

    __

    Let's run this scan as well:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox. <-- Very important!
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
    Last edited: May 14, 2012
  15. CPM

    CPM Private E-2

    As per Post#13, I let SystemLook run for as long as it took. The TXT file is too large to attach (97.4MB!!), which indicates the large number of .crypt extensions.
     
  16. CPM

    CPM Private E-2

    As per Post#14: I don't recall the specific malware-removing program(s) since I ran several while in safe mode (it was free from the German PayNow screen), which is further detailed in Post#1 and better reflects my recollection. Attached are ZIPs with quarantined files, logs, etc. Hopefully I didn't miss any.
    Also attached is a ZIP of the large Xorist--log (see Post#6).
    Will attach more in next MSG.
     

    Attached Files:

  17. CPM

    CPM Private E-2

    As per Post#14: these are from my first scan(s) prior to trying other anti-malware programs.
     

    Attached Files:

  18. CPM

    CPM Private E-2

    As per Post#14, regarding running OTL.exe: Extras OTL log file attached. The main OTL log file is 97.8MB and will only compress to 10MB, so too big to attach.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Hello CPM,

    Thank you for attaching the quarantined files and logs. I will be able to review these later tonight.

    In the meantime, I have updated the OTL scan instructions. Please rescan with OTL. The log file (OTL.txt) should be much smaller.
     
  20. CPM

    CPM Private E-2

    Re-did OTL scan w/o custom script scan settings: attached log file.
     

    Attached Files:

    • OTL.Txt (248.8 KB)
  21. thisisu

    thisisu Malware Consultant

    This log is clean. Please be patient while I seek advice on how to proceed with the files that are actually encrypted.

    If you have not done so already, I recommend that you back up your important data.
     
  22. CPM

    CPM Private E-2

  23. CPM

    CPM Private E-2

    Please let me know if there is progress in determining a solution. Else, it's time to reformat my boot C drive. Note that other drives were not corrupted, even Program files placed on D.
     
  24. thisisu

    thisisu Malware Consultant

    Still gathering information but it may be a few more days. If you need the computer back in working order now and do not mind reformatting, then that would be the quickest solution.
     
  25. CPM

    CPM Private E-2

    Found a nifty program to remove the ".crypt" on files: ReNamer.
    However, there are broken programs, so I will begin reformatting later today unless a magical solution appears. Thanks for your time and help.
     
  26. CPM

    CPM Private E-2

    FYI: I have backed up the 'personal' (non-program) .crypt files. I tried renaming the extension, but of course the files are 'damaged' upon attempting to open. :(

    I tried the most recent XoristDecryptor.exe, but it doesn't help.
    Are there other programs that may decrypt my files? :confused

    Also, can I reformat and later still decrypt my files or does the 'original' installation need to be there?
     
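The question raised in this post, whether a .crypt file was merely renamed (as the PDFs in post #8 seemed to be) or actually encrypted (as these personal files turned out to be), is the first thing a responder should settle before bulk-renaming. The following triage script is an added example, not a tool from this thread or from Emsisoft: it strips the .crypt suffix, checks the header against the magic bytes of the original extension, and falls back to a byte-entropy measure; the sample files and the 7.5-bit threshold are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Assumption: a merely renamed x.pdf.crypt still opens with its original magic bytes.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".exe": b"MZ",
         ".dll": b"MZ", ".lnk": b"L\x00\x00\x00"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    """Label one *.crypt file as 'renamed', 'encrypted' or 'unknown'."""
    inner = os.path.splitext(os.path.splitext(path)[0])[1].lower()  # ".pdf" from x.pdf.crypt
    with open(path, "rb") as f:
        head = f.read(4096)          # the header is enough for both checks
    sig = MAGIC.get(inner)
    if sig and head.startswith(sig):
        return "renamed"             # content intact: restoring the name suffices
    if entropy(head) > 7.5:
        return "encrypted"           # no signature and near-random bytes
    return "unknown"                 # low entropy, unrecognised type: inspect by hand

def triage(root: str) -> dict:
    """Walk a tree (e.g. a backup of C:\\Users) and classify every *.crypt file."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".crypt"):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results

def demo() -> dict:
    """Constructed samples (not files from the thread), one per outcome."""
    root = tempfile.mkdtemp(prefix="crypt_triage_")
    samples = {
        "report.pdf.crypt": b"%PDF-1.4\n%constructed\n" + b"0" * 500,  # renamed only
        "photo.jpg.crypt": bytes(range(256)) * 16,   # uniform bytes: entropy exactly 8.0
        "notes.txt.crypt": b"plain text, type unknown\n" * 20,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage(root)
```

Calling demo() returns one verdict per constructed sample; point triage() at a copy of the affected profile, never at the only copy, since it only reads files but a mistaken bulk rename afterwards cannot be undone.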
  27. thisisu

    thisisu Malware Consultant

    I am not sure. I do not know much about the encryption method used. A malware sample of what caused this would have been great to analyze and potentially reverse.
     
  28. CPM

    CPM Private E-2

    This seems related, though not the same: New ACCDFISA Protection Center ransomware called Malware Protection......

    Those German links translated to English that I posted are closer to it: Post#22.
    There are tools included in that discussion, but I'm not familiar enough with the issues.... :hammer

    If you have any links that I could further read through, I'm willing.
     
    Last edited: May 16, 2012
  29. thisisu

    thisisu Malware Consultant

    I spoke with a security developer about your issues and he said the setup.exe.crypt file you attached is "encrypted by AES-like algorithm." Keep in mind that the latest ACCDFISA variant uses AES algorithm and hasn't been solved yet.

    These discuss files encrypted by Rannoh ransomware which does not sound like what you have. But feel free to try anyways. The decrypting tool is here

    Do you remember which scan you used to bypass the Bundespolizei ransomware message? If we can get a malware sample of this, there would be a greater chance of figuring out a solution for you and future victims.
     
  30. CPM

    CPM Private E-2

    I've attached some suspicious files (ZIP'd).
    The one in "testy" is likely a problem file since it was DL'd near to the PayNow screen. The ravcpl32 also was flagged as a problem file....
    My first post indicates the events: I used several tools once in safe mode. Those logs & quarantines have been attached in previous postings and ComboFix likely did most of the serious flags.

    The Rannoh tool did not work: clean and crypt identical files were not the same size....
     
  31. thisisu

    thisisu Malware Consultant

    Hi can you try attaching the files again? They didn't attach.
     
  32. CPM

    CPM Private E-2

    Attached.
     

    Attached Files:

  33. thisisu

    thisisu Malware Consultant

    I'm afraid neither of these are a malware sample. :(
     
  34. CPM

    CPM Private E-2

    Since the system appears malware free BUT has encrypted files that should be recovered, I dug into the previous browsing records that likely caused the crypt file conversions.

    I've attached a TXT file, with notes, of some SQL entries of suspicious browsing. Note that the DL'd files are not within the SQL stated TEMP folder, so they apparently were deleted by anti-malware or themselves.

    Please let me know if I need to DL and attach the user's previous DL'd (problem?) files or if the links are sufficient.
     

    Attached Files:

  35. thisisu

    thisisu Malware Consultant

    Thanks, will be able to review these in the evening.
     
  36. thisisu

    thisisu Malware Consultant

    I wish I had some good news but I do not. Finished going through the links and although they are dangerous links, none of them contain a malware sample.
    Also it appears that many of the very suspicious ones, like keygens around 400KB were taken down.
     
    Last edited: May 18, 2012
  37. CPM

    CPM Private E-2

    Thanks again for your help.

    I found the user had backup files, so I was able to replace the corrupted data.
    Also, the SQL files for Chrome were corrupted, while only the most recent Firefox files were 'edited' by the malware (missing timestamps, etc.).

    I gave ID'ing details a go for others, but have reformatted and reinstalled.

    Thanks!
     
  38. thisisu

    thisisu Malware Consultant

    Well that's good news. Glad to hear that.
    Be safe :)
     
  39. thisisu

    thisisu Malware Consultant

    UPDATE: Fabian Wosar from Emsisoft has taken the time to write a decrypting tool for this type of ransomware.

    If you are infected with ransomware that has added the .crypt suffix to your personal files, please download, extract, and run: decrypt_SetSysLog32.zip

    The tool can be run in two ways:

    1. If you just start it, it will automatically search for and decrypt files on your Windows installation drive.
    2. If you start it with a parameter, you can search for and decrypt files in custom folders and drives (for example "decrypt.exe D:\" will decrypt all files on drive D: ).


    The tool will determine the decryption key automatically and perform validations that the files were decrypted correctly. Just in case though, it will NOT delete the original .crypt files. If you see one of the following error messages, it means you most likely got hit by a new variant of the malware:
    Code:
    Could not find decryption key. Maybe a new variant?
    or
    Code:
    An error occurred when trying to decrypt file <source file> to <destination file>!
    The following error message though is normal and just indicates that the decrypted file could not be created as it is currently in use (like some LOG files for example):
    Code:
    Exception occurred while processing file <source file>:
    Class: EFCreateError - Exception: Cannot create file "<destination file>".
    The process cannot access the file because it is being used by another process
     
