hjb
Level 7

Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

Although I have McAfee AntiVirus Plus installed, my laptop was infected by a virus called dirtyencrypt.exe. I have meanwhile removed the virus completely, but I have no clue how to get my files back.

exbrit
Level 21

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

Moved this to Malware Discussion > Home User Assistance for better support.

If you've got rid of the malware then you should be able to do the following:

For the encrypted files try this:

    Right click on the files.

    Select "restore previous version".

    Click restore.

- This will search the volume shadow copy for backups.

exbrit
Level 21

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

BTW, you can also do that with folders as well as individual files. Of course you can also do the entire machine using System Restore, which may work.

Message was edited by: Ex_Brit on 15/09/13 9:26:48 EDT AM
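The "Restore previous versions" steps above read the file out of a Volume Shadow Copy snapshot. As an added example that is not part of any post in this thread, the same recovery done from an elevated PowerShell prompt, which also lets you pick a snapshot by date rather than trusting the newest one (a snapshot taken after the infection holds encrypted data too). The file path, restore directory and cut-off time are assumptions for illustration.

```powershell
# Added example (not from the thread): recover a pre-infection copy of a file from a
# Volume Shadow Copy snapshot. Run elevated. Paths and the cut-off time are assumptions.

$Target  = 'C:\Users\hjb\Documents\report.docx'   # assumed: a file the ransomware touched
$Restore = 'C:\Recovered'                          # assumed: where the recovered copy goes
$CutOff  = Get-Date '2013-09-13 00:00'             # assumed: time of infection (ransom note / LastWriteTime)

# 1. Find the snapshots for the volume holding the file. Win32_ShadowCopy.VolumeName and
#    Win32_Volume.DeviceID are both \\?\Volume{GUID}\ paths, so they can be matched directly.
$volume   = [IO.Path]::GetPathRoot($Target)                                  # C:\
$volumeId = (Get-CimInstance Win32_Volume | Where-Object Name -eq $volume).DeviceID
$shadows  = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending

if (-not $shadows) { throw "No shadow copies exist for $volume; nothing to restore from." }
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. Take the newest snapshot created BEFORE the infection.
$snap = $shadows | Where-Object { $_.InstallDate -lt $CutOff } | Select-Object -First 1
if (-not $snap) { throw "Every snapshot post-dates $CutOff; they contain the encrypted versions." }

# 3. Expose the snapshot as a directory through a symbolic link. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 and the trailing backslash is required.
$link = 'C:\shadow_mount'
cmd /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null
try {
    $relative = $Target.Substring($volume.Length)        # Users\hjb\Documents\report.docx
    $source   = Join-Path $link $relative
    New-Item -ItemType Directory -Force $Restore | Out-Null
    Copy-Item -Path $source -Destination $Restore

    # Sanity check: the recovered copy should not carry the EFS "Encrypted" attribute.
    $copy  = Join-Path $Restore (Split-Path $Target -Leaf)
    $attrs = (Get-Item $copy).Attributes
    if ($attrs -band [IO.FileAttributes]::Encrypted) {
        Write-Warning "$copy is still EFS-encrypted; choose an older snapshot."
    } else {
        "Recovered $copy from snapshot taken $($snap.InstallDate)"
    }
}
finally {
    # 4. Remove only the link itself (rmdir on a directory symlink does not touch the target).
    cmd /c rmdir $link | Out-Null
}
```

The same link can be used with Copy-Item -Recurse to pull back whole folders, which is what the GUI's "previous versions" on a folder does. None of this helps once the snapshots are gone: a reinstall, or ransomware that runs `vssadmin delete shadows` before encrypting, leaves nothing for this procedure to read.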
hjb
Level 7

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

I was forced to set up the complete system to get rid of the virus, therefore there are no shadow files available anymore. Is there another way to solve that?

exbrit
Level 21

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

From what I've read online, no, there isn't, I'm afraid to say. But you could try asking on the BleepingComputer forums; they are excellent at this sort of thing.

Probably the best way would be to go the DDS route which is outlined lower down the last link in my signature below.

If you ever detect anything untoward like this again, do not touch anything, mouse or keyboard or screen, hard power off immediately.  Then boot to Safe Mode and initiate System Restore.

Hayton
Level 17

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

I see no "DirtyEncrypt" anywhere on the internet. Possibly the poster meant "DirtyDecrypt".

Virus removal guides for ransomware &c - HERE

Initial symptoms and ransom screen:

http://www.bleepingcomputer.com/forums/t/501385/decryptexe/

Long discussion here, no final resolution.

http://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/

"At the moment the personal files encrypted on the drive(s) seem to be encrypted with RSA." There are different types of encryption, so obviously different programs to remove them.

Encryption appears to be carried out using Microsoft EFS - see

http://technet.microsoft.com/en-us/library/bb457065.aspx and

http://technet.microsoft.com/en-us/library/bb457116.aspx

This offers a small crumb of comfort to the rest of us, namely :

Note: A file cannot be both compressed and encrypted at the same time.

Note: those articles apply only to XP Pro and Server 2003. However, the encryption process is described in detail, which is useful.


... No EFS for XP home, Vista home, Windows 7 home or Windows 8 home (basic)

So I don't know if the encryption process would use a different method if the target machine were running one of the above operating systems.


One of the posters is of the opinion that the cipher used is

CBC Chaining + SHA256 Hash + RC6 (2048) Algorithm cipher.

For average users, the only reliable way to limit the loss in case of crypto malware infections is a solid backup strategy, which is not only effective against crypto malware but also helps with other scenarios like hardware failure. Just make sure that the storage system you keep your backups on is not accessible from your computer when you aren't creating or restoring a backup. So if you back up to an external hard drive, make sure you disconnect it after you are done. Otherwise malware can just encrypt your backups as well.

I can confirm the following,


(1) FOUR different RSA keys are created in %UserProfile%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1220945662-1659004503-1801674531-500 folder.

(2) JPG files with the "archive" attribute are NOT affected.

Grinler's verdict :

there is no solution to files encrypted by RSA and not having the private key


Unfortunately, the private key is removed and stored on the malware developers server and without it there is nothing you can do.

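The post above says the encryption is done with Windows' own EFS and that the malware creates RSA key containers under the user's Crypto\RSA\<SID> folder. As an added example that is not part of any post in this thread, a read-only PowerShell triage that makes those two claims checkable on an affected machine: which files carry the EFS Encrypted attribute and when they got it, which certificate thumbprints cipher.exe says can decrypt them, and which EFS certificates and key containers exist for the user. The scan directory is an assumption; the RSA folder is `%APPDATA%\Microsoft\Crypto\RSA\<SID>` on Vista and later, which is where the XP-era `Application Data` path in the post maps.

```powershell
# Added example (not from the thread): triage EFS-based ransomware. Read-only; run as the
# affected user. $Scan is an assumption; widen it to $env:USERPROFILE for a full sweep.

$Scan = "$env:USERPROFILE\Documents"

# (a) Files with the EFS Encrypted attribute. Real EFS use on a home PC is rare, so a burst
#     of files all gaining the attribute within the same minute is the ransomware's footprint.
$encrypted = @(Get-ChildItem -Path $Scan -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

"{0} EFS-encrypted files under {1}" -f $encrypted.Count, $Scan
$encrypted |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object -Last 10 Name, Count |
    Format-Table -AutoSize

# (b) cipher.exe /c prints, for each file, the certificate thumbprint(s) of the users who can
#     decrypt it. Check a sample and note the thumbprints for step (c).
$encrypted | Select-Object -First 3 | ForEach-Object { cipher.exe /c "$($_.FullName)" }

# (c) EFS certificates in the user's personal store (EKU 1.3.6.1.4.1.311.10.3.4 is
#     "Encrypting File System") and the RSA key containers on disk, sorted by creation time.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Thumbprint, NotBefore, Subject, HasPrivateKey |
    Format-Table -AutoSize

$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem "$env:APPDATA\Microsoft\Crypto\RSA\$sid" -ErrorAction SilentlyContinue |
    Sort-Object CreationTime |
    Select-Object Name, CreationTime, Length |
    Format-Table -AutoSize
```

How to read the result: if a certificate whose thumbprint appears in the cipher.exe output is still in the store with HasPrivateKey = True, the files can be decrypted in place with `cipher /d`, and exporting that certificate with its private key (certmgr.msc, or `cipher /x`) should be the very first thing done. If the thumbprint is listed by cipher.exe but no matching certificate or key container exists, the private key has been removed, which is exactly the situation the thread describes and the reason only backups or shadow copies can bring the files back.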
Hayton
Level 17

Re: Does anybody know how to encrypt files decrypted by virus Dirtyencrypt.exe

More on this :

Microsoft identifies this as Trojan:Win32/Dircrypt.A.  It offers no guidance on decrypting files.

See also http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

http://malware.dontneedcoffee.com/2013/09/revoyem-goes-international-shocking.html

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2861

According to Kaspersky the encryption uses "Encryption algorithm RC4 + RSA1024 can't be cracked."

List of domains involved in distributing this at http://pastebin.com/MsytKqNS
