Ransomware encrypted my files. All files have .html extension


  1. Posts : 7
    Windows 7 Professional
       #1

    Ransomware encrypted my files. All files have .html extension


    Hello,


    System is a Toshiba Satellite L755-S5353 Windows 7 Home Premium 64-bit. Intel Pentium CPU B950 @ 2.10GHz 4GB RAM.

    This laptop came into my shop with the FBI screen. After making a full backup and scanning with Malwarebytes, SUPERAntiSpyware, and Symantec Endpoint Protection on my "Server" I was able to actually use the laptop again. But when I go into My Documents everything has a .html file extension.

    If it is a Word document, the file looks like this: "xxxx.docx.html". When I try to open the file it opens up Internet Explorer with a Decrypt Protect screen, which I know is fake because it is asking me to pay a fee. The link it opens is http://mblblock.in/index.php. I tried to remove the extension but when I try to open the doc or JPEG it says it is corrupted.


    Also ran rkill which found nothing. The antivirus on the machine is McAfee.
    I have looked at the backup I made before I did anything and still can't open those files from the backup.

    I completely reloaded the machine because my customer was in need of the computer. I do have a full backup and still have access to the files I want to get back.

    Any help would be appreciated!

    Mitchell


  2. Posts : 740
    Windows 7 Ultimate x64
       #2

    You need a cryptography specialist! I've never had a ransomware case before. Looks like a real mean piece of malware! Encrypting all your docs and won't give them back until you pay...

    It's ruder than hard disk failure!


  3. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #3


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    I've read one person's post, that said he was able to free up his computer using G Data ... now, I can't verify this, because of the encryption key(s) that were put on your Documents.

    Anyway, you can try a free scan G Data Antivirus - Download


  5. Posts : 7
    Windows 7 Professional
    Thread Starter
       #5

    Yeah it's a mean one!!! I do not currently have the computer in my shop anymore. I did try the HitmanPro solution but to no avail.

    I DO have all the files here. I have been all over the internet trying to figure this thing out. I thought I would try seeing if anyone here had any thoughts. Hoping some day it will get figured out so I can get this lady's pictures, files, and music back to her. Only 20 GB's worth of stuff....

    Thanks for the replies. If you've got anything else for me I would love to try any possible fixes.


  6. Posts : 4,161
    Windows 7 Pro-x64
       #6

    I can't help you with a quick fix but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with an HTML header and the URL to the site or it contains a jump code. If the units and picture density data have been over-written, I'm afraid the pictures are gone.

    The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

    Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:
    Code:
     
    typedef unsigned char BYTE;   /* one byte, as used in the Windows headers */

    typedef struct _JFIFHeader
    {
      BYTE SOI[2];          /* 00h  Start of Image Marker (FF D8)        */
      BYTE APP0[2];         /* 02h  Application Use Marker (FF E0)       */
      BYTE Length[2];       /* 04h  Length of APP0 Field (big-endian)    */
      BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String   */
      BYTE Version[2];      /* 0Bh  JFIF Format Revision (major, minor)  */
      BYTE Units;           /* 0Dh  Units used for Resolution            */
      BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution (big-endian)   */
      BYTE Ydensity[2];     /* 10h  Vertical Resolution (big-endian)     */
      BYTE XThumbnail;      /* 12h  Horizontal Pixel Count of thumbnail  */
      BYTE YThumbnail;      /* 13h  Vertical Pixel Count of thumbnail    */
    } JFIFHEAD;
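An added example, not code posted in this thread, that does the header check carwiz describes from the command line instead of a hex viewer: it dumps the first bytes of a file in hex-viewer style, parses the JFIF APP0 segment at the offsets of the struct above, and reports whether the file still starts with a JPEG header or has been overwritten with HTML. One caveat the post does not mention: JPEGs written by cameras usually carry an Exif APP1 segment (FF E1) instead of a JFIF APP0, so a file starting FF D8 FF E1 is still a JPEG; the classifier treats that as its own case. The sample byte strings are constructed here for illustration, and the file path in the usage line is a placeholder.

```python
"""Inspect the leading bytes of a file and decide whether a JPEG/JFIF
header is still intact or has been overwritten (for example with HTML)."""
import sys

# Marker values from the JFIF specification (and from carwiz's post).
SOI = b"\xff\xd8"        # Start Of Image
APP0 = b"\xff\xe0"       # Application segment 0, carries the JFIF block
APP1 = b"\xff\xe1"       # Application segment 1, carries Exif in camera JPEGs
JFIF_ID = b"JFIF\x00"    # identifier string, zero terminated


def hexdump(data, width=16):
    """Return a hex-viewer style dump: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def parse_jfif_header(data):
    """Parse the 20-byte JFIF header; return a dict, or None if the
    SOI/APP0 markers or the "JFIF" identifier are not where they belong."""
    if len(data) < 20 or data[0:2] != SOI or data[2:4] != APP0:
        return None
    if data[6:11] != JFIF_ID:
        return None
    return {
        "app0_length": int.from_bytes(data[4:6], "big"),   # offset 04h
        "version": f"{data[11]}.{data[12]:02d}",           # offset 0Bh
        "units": data[13],        # 0Dh: 0 = aspect ratio, 1 = dpi, 2 = dots/cm
        "xdensity": int.from_bytes(data[14:16], "big"),    # offset 0Eh
        "ydensity": int.from_bytes(data[16:18], "big"),    # offset 10h
        "xthumbnail": data[18],                            # offset 12h
        "ythumbnail": data[19],                            # offset 13h
    }


def classify_header(data):
    """Short verdict on what the first bytes look like."""
    if parse_jfif_header(data):
        return "jfif"
    if data[:2] == SOI:
        # Typically SOI followed by an Exif APP1 segment; still a JPEG.
        return "jpeg-no-jfif"
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype") or head.startswith(b"<html") or b"<script" in head:
        return "html"
    return "unknown"


def check_file(path, nbytes=32):
    """Read the first `nbytes` of a file and return (verdict, hexdump)."""
    with open(path, "rb") as fh:
        data = fh.read(nbytes)
    return classify_header(data), hexdump(data)


# Constructed sample inputs (not bytes taken from the affected machine).
GOOD_JPEG = (SOI + APP0 + (16).to_bytes(2, "big") + JFIF_ID
             + b"\x01\x01"                       # JFIF version 1.01
             + b"\x01"                           # units: dots per inch
             + (72).to_bytes(2, "big") + (72).to_bytes(2, "big")
             + b"\x00\x00"                       # no thumbnail
             + b"\xff\xdb" + b"\x00" * 8)        # start of a DQT segment
EXIF_JPEG = SOI + APP1 + b"\x00\x10Exif\x00\x00" + b"\x00" * 8
OVERLAID = b"<html><head><title>constructed sample</title></head></html>"

if __name__ == "__main__":
    # Usage: python check_header.py <path-to-file>   (path is a placeholder)
    if len(sys.argv) > 1:
        verdict, dump = check_file(sys.argv[1])
    else:
        verdict, dump = classify_header(OVERLAID), hexdump(OVERLAID)
    print(verdict)
    print(dump)
```

Run it on a copy of one of the renamed pictures; a verdict of "html" with a dump that starts with "<html" or "<script" confirms the header was overlaid, while "jfif" or "jpeg-no-jfif" means the first bytes are still a JPEG and the damage, if any, lies further in.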


  7. Posts : 2,470
    Windows 7 Home Premium
       #7

    mslocke15,

    There may not be a Ransomware Decryption Tool available for the encrypted files.

    You could try restoring them from a Previous Version in Windows:
    >Rename the file to the original filename (If you know this)
    >Right-click the file and select: Properties
    >Select the Previous Versions tab
    >Select the file from the previous versions found.
    >Back up the existing encrypted file
    >Click: Restore

    Windows should restore the older file and overwrite the encrypted one.

    If there is no backup of the files, the above is a long process, but may be worth the effort.


  8. Posts : 7
    Windows 7 Professional
    Thread Starter
       #8

    carwiz said:
    I can't help you with a quick fix but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with an HTML header and the URL to the site or it contains a jump code. If the units and picture density data have been over-written, I'm afraid the pictures are gone.

    The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

    Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:
    Code:
     
    typedef unsigned char BYTE;   /* one byte, as used in the Windows headers */

    typedef struct _JFIFHeader
    {
      BYTE SOI[2];          /* 00h  Start of Image Marker (FF D8)        */
      BYTE APP0[2];         /* 02h  Application Use Marker (FF E0)       */
      BYTE Length[2];       /* 04h  Length of APP0 Field (big-endian)    */
      BYTE Identifier[5];   /* 06h  "JFIF" (zero terminated) Id String   */
      BYTE Version[2];      /* 0Bh  JFIF Format Revision (major, minor)  */
      BYTE Units;           /* 0Dh  Units used for Resolution            */
      BYTE Xdensity[2];     /* 0Eh  Horizontal Resolution (big-endian)   */
      BYTE Ydensity[2];     /* 10h  Vertical Resolution (big-endian)     */
      BYTE XThumbnail;      /* 12h  Horizontal Pixel Count of thumbnail  */
      BYTE YThumbnail;      /* 13h  Vertical Pixel Count of thumbnail    */
    } JFIFHEAD;

    Which Hex File Viewer do you suggest?


  9. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #9

    Do you know the exact name of the ransomware? Or more info about it, for example what message was on screen?


  10. Posts : 7
    Windows 7 Professional
    Thread Starter
       #10

    Kaktussoft said:
    Do you know the exact name of the ransomware? Or more info about it, for example what message was on screen?

    It was a version of the FBI MoneyPak virus. I watched a video that showed how to remove it. The screen that comes up in the video is the exact screen I was getting. The YouTube video is Remove Decrypt Protect Virus MBLPCBlock.In Decrypt Files Ransomware - YouTube.

    I also tried what the person did to fix it but I didn't have the registry entries that were in the video. Nor the file he deletes.

    I should mention that I restored the backup I made when the machine first came in and tried that fix, thinking that my scans may have found those entries or "deleted" the decrypting key to be able to use the files again.

    Hope this helps...


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd