Windows 7 Forums


Windows 7: Ransomware encrypted my files. All files have .html extension

21 May 2013   #1
mslocke15
Windows 7 Professional

Ransomware encrypted my files. All files have .html extension

Hello,

System is a Toshiba Satellite L755-S5353, Windows 7 Home Premium 64-bit, Intel Pentium CPU B950 @ 2.10GHz, 4GB RAM.

This laptop came into my shop with the FBI screen. After making a full backup and scanning with Malwarebytes, SUPERAntiSpyware, and Symantec Endpoint Protection on my "Server", I was able to actually use the laptop again. But when I go into My Documents, everything has a .html file extension.

If it is a Word document, the file looks like this: "xxxx.docx.html". When I try to open the file, it opens up Internet Explorer with a Decrypt Protect screen, which I know is fake because it is asking me to pay a fee. The link it opens is http://mblblock.in/index.php. I tried to remove the extension, but when I try to open the doc or jpeg it says it is corrupted.

Also ran rkill, which found nothing. The antivirus on the machine is McAfee.
I have looked at the backup I made before I did anything and can still open those files from the backup.

I completely reloaded the machine because my customer was in need of the computer. I do have a full backup and still have access to the files I want to get back.

Any help would be appreciated!

Mitchell


21 May 2013   #2
Sub Styler
Windows 7 Ultimate x64

You need a cryptography specialist! Never had a ransomware case before. Looks like a real mean piece of malware! Encrypting all your docs and won't give them back until you pay...

It's ruder than hard disk failure!

21 May 2013   #3
Kaktussoft
Microsoft Community Contributor Award Recipient
Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1

21 May 2013   #4
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

I've read one person's post, that said he was able to free up his computer using G Data ... now, I can't verify this, because of the encryption key(s) that were put on your Documents.

Anyway, you can try a free scan G Data Antivirus - Download

21 May 2013   #5
mslocke15
Windows 7 Professional

Yeah, it's a mean one!!! I do not currently have the computer in my shop anymore. I did try the HitmanPro solution but to no avail.

I DO have all the files here. I have been all over the internet trying to figure this thing out. I thought I would try seeing if anyone here had any thoughts. Hoping some day it will get figured out so I can get this lady's pictures, files, and music back to her. Only 20GB's worth of stuff....

Thanks for the replies. If you've got anything else for me, I would love to try any possible fixes.

21 May 2013   #6
carwiz
Windows 7 Pro-x64

I can't help you with a quick fix, but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with an HTML header and the URL to the site, or it contains a jump code. If the units and picture density data have been overwritten, I'm afraid the pictures are gone.

The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:
Code:

#include <stdint.h>
typedef uint8_t BYTE;   /* Windows' BYTE; defined here so the struct compiles without <windows.h> */

typedef struct _JFIFHeader
{
  BYTE SOI[2];          /* 00h  Start of Image Marker (FF D8)      */
  BYTE APP0[2];         /* 02h  Application Use Marker (FF E0)     */
  BYTE Length[2];       /* 04h  Length of APP0 Field (big-endian)  */
  BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String */
  BYTE Version[2];      /* 0Bh  JFIF Format Revision               */
  BYTE Units;           /* 0Dh  Units used for Resolution          */
  BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution              */
  BYTE Ydensity[2];     /* 10h  Vertical Resolution                */
  BYTE XThumbnail;      /* 12h  Horizontal Pixel Count (thumbnail) */
  BYTE YThumbnail;      /* 13h  Vertical Pixel Count (thumbnail)   */
} JFIFHEAD;
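One way to do the header check carwiz describes, added here as an example and not code from the thread or from any of the posters. It reads only the first bytes of a file and reports whether they are an intact JFIF header (parsing the fields of the struct above, at their real offsets), an Exif-style JPEG (APP1, FF E1, which the post does not cover but which most camera photos carry instead of JFIF), HTML text sitting where the header should be, as the poster suspects, or something else. The sample inputs, including the HTML snippet and the `ransom-site.invalid` URL, are constructed for the example and are not taken from the infected files.

```python
import struct

# JPEG marker bytes from the thread: SOI = FF D8, APP0 = FF E0. APP1 (FF E1) is the
# Exif application segment; handling it is an extension beyond what the post describes.
SOI = b"\xFF\xD8"
APP0 = b"\xFF\xE0"
APP1 = b"\xFF\xE1"
JFIF_ID = b"JFIF\x00"

# Units byte of the JFIF APP0 segment: 0 = no units (aspect ratio), 1 = dpi, 2 = dots/cm.
UNITS = {0: "aspect ratio only", 1: "dots per inch", 2: "dots per cm"}


def hexdump(data: bytes) -> str:
    """Render bytes the way a hex viewer shows them, e.g. 'FF D8 FF E0'."""
    return " ".join(f"{b:02X}" for b in data)


def inspect_jpeg_header(data: bytes) -> dict:
    """Classify the leading bytes of a file that is supposed to be a JPEG.

    verdict values:
      'jfif'       SOI + APP0 + "JFIF\\0" present; the APP0 fields are parsed
      'exif'       SOI + APP1: an Exif-style JPEG (no JFIF APP0 to check)
      'jpeg-other' SOI present but the first segment is not a usable JFIF APP0
      'html'       the file now starts with HTML text, i.e. the header was overlaid
      'unknown'    none of the above (encrypted or otherwise destroyed)
    """
    result = {"verdict": "unknown", "fields": {}}
    if len(data) < 4:
        return result
    # An HTML page may begin with whitespace or a UTF-8 BOM before its first tag.
    if data.lstrip(b" \t\r\n\xEF\xBB\xBF")[:1] == b"<":
        result["verdict"] = "html"
        return result
    if data[:2] != SOI:
        return result
    marker = data[2:4]
    if marker == APP1:
        result["verdict"] = "exif"
        return result
    if marker != APP0 or len(data) < 20:
        result["verdict"] = "jpeg-other"
        return result
    # JFIF APP0 layout from byte 4 of the file, big-endian:
    # 04h length(2) 06h "JFIF\0"(5) 0Bh version(2) 0Dh units(1)
    # 0Eh xdensity(2) 10h ydensity(2) 12h xthumb(1) 13h ythumb(1)
    length, ident, major, minor, units, xdens, ydens, xthumb, ythumb = struct.unpack(
        ">H5sBBBHHBB", data[4:20]
    )
    if ident != JFIF_ID:
        result["verdict"] = "jpeg-other"
        return result
    result["verdict"] = "jfif"
    result["fields"] = {
        "length": length,
        "version": f"{major}.{minor:02d}",
        "units": UNITS.get(units, f"invalid ({units})"),
        "xdensity": xdens,
        "ydensity": ydens,
        "thumbnail": (xthumb, ythumb),
    }
    return result


def inspect_file(path: str, nbytes: int = 32) -> dict:
    """Read only the first nbytes of a file (never the whole thing) and classify it."""
    with open(path, "rb") as f:
        data = f.read(nbytes)
    verdict = inspect_jpeg_header(data)
    verdict["hex"] = hexdump(data[:20])
    return verdict


# Constructed sample inputs for the example (not files from the thread).
INTACT_JFIF = (SOI + APP0 + b"\x00\x10" + JFIF_ID + b"\x01\x01" + b"\x01"
               + b"\x00\x48" + b"\x00\x48" + b"\x00\x00")   # JFIF 1.01, 72x72 dpi, no thumbnail
EXIF_SAMPLE = SOI + APP1 + b"\x00\x16Exif\x00\x00" + b"MM\x00\x2A\x00\x00\x00\x08"
HTML_OVERLAY = (b"\xEF\xBB\xBF<html><head><meta http-equiv=\"refresh\" "
                b"content=\"0;url=http://ransom-site.invalid/\"></head></html>")

if __name__ == "__main__":
    samples = [("intact", INTACT_JFIF), ("exif", EXIF_SAMPLE), ("overlaid", HTML_OVERLAY)]
    for name, sample in samples:
        print(f"{name:9} {hexdump(sample[:20]):60} -> {inspect_jpeg_header(sample)['verdict']}")
```

Run `inspect_file(path)` on a suspect file to get the verdict plus the first 20 bytes as hex. Because every JFIF field sits in those first 20 bytes, a file whose leading bytes are already HTML or ciphertext has lost the units and density data carwiz refers to; the check tells you that without opening the file in a browser, which is what the .html rename is designed to make you do.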

21 May 2013   #7
cottonball
Windows 7 Home Premium

mslocke15,

There may not be a Ransomware Decryption Tool available for the encrypted files.

You could try restoring them from a Previous Version in Windows:
>Rename the file to the original filename (If you know this)
>Right-click the file and select: Properties
>Select the Previous Versions tab
>Select the file from the previous versions found.
>Backup the existing encrypted file
>Click: Restore

Windows should restore the older file and overwrite the encrypted one.

If there is no backup of the files, the above is a long process, but may be worth the effort.

22 May 2013   #8
mslocke15
Windows 7 Professional

Quote: Originally Posted by carwiz
I can't help you with a quick fix, but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with an HTML header and the URL to the site, or it contains a jump code. If the units and picture density data have been overwritten, I'm afraid the pictures are gone.

The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:
Code:

#include <stdint.h>
typedef uint8_t BYTE;   /* Windows' BYTE; defined here so the struct compiles without <windows.h> */

typedef struct _JFIFHeader
{
  BYTE SOI[2];          /* 00h  Start of Image Marker (FF D8)      */
  BYTE APP0[2];         /* 02h  Application Use Marker (FF E0)     */
  BYTE Length[2];       /* 04h  Length of APP0 Field (big-endian)  */
  BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String */
  BYTE Version[2];      /* 0Bh  JFIF Format Revision               */
  BYTE Units;           /* 0Dh  Units used for Resolution          */
  BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution              */
  BYTE Ydensity[2];     /* 10h  Vertical Resolution                */
  BYTE XThumbnail;      /* 12h  Horizontal Pixel Count (thumbnail) */
  BYTE YThumbnail;      /* 13h  Vertical Pixel Count (thumbnail)   */
} JFIFHEAD;

Which Hex File Viewer do you suggest?

22 May 2013   #9
Kaktussoft
Microsoft Community Contributor Award Recipient
Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1

Do you know the exact name of the ransomware? Or more info about it, for example what message was on screen?

22 May 2013   #10
mslocke15
Windows 7 Professional

Quote: Originally Posted by Kaktussoft
Do you know the exact name of the ransomware? Or more info about it, for example what message was on screen?

It was a version of the FBI MoneyPak virus. I watched a video that showed how to remove it. The screen that comes up in the video is the exact screen I was getting. The YouTube video is Remove Decrypt Protect Virus MBLPCBlock.In Decrypt Files Ransomware - YouTube.

I also tried what the person did to fix it, but I didn't have the registry entries that were in the video. Nor the file he deletes.

I should mention that I restored the backup I made when the machine first came in and tried that fix, thinking that my scans may have found those entries or "deleted" the decrypting key to be able to use the files again.

Hope this helps...