Moved this to Malware Discussion > Home User Assistance for better support.
If you've got rid of the malware then you should be able to do the following:
For the encrypted files try this:
Right click on the files.
Select "restore previous version".
- This will search the volume shadow copy for backups.
BTW, you can also do that with folders as well as individual files. Of course you can also do the entire machine using System Restore which may work.
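As an added example (not part of the thread), here is how to check from an elevated PowerShell session whether any Volume Shadow Copies still hold a copy of a given file before relying on "Restore previous versions"; the file path is an assumption and should be replaced with the real one.

```powershell
# Added example: enumerate Volume Shadow Copies for the file's volume and report
# which snapshots still contain the file. Run as Administrator.
param(
    [string]$File = "$env:USERPROFILE\Documents\example.docx"   # assumed path, replace as needed
)

# The file may already be encrypted or renamed; we only need its volume and relative path.
$full = (Resolve-Path -LiteralPath $File -ErrorAction SilentlyContinue).Path
if (-not $full) { $full = $File }
$drive = $full.Substring(0, 2)               # e.g. "C:"
$rel   = $full.Substring(2).TrimStart('\')   # path relative to the volume root

# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
$volume = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID
$snaps  = Get-CimInstance Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $volume } |
          Sort-Object InstallDate -Descending

if (-not $snaps) {
    Write-Host "No shadow copies exist for $drive - 'Restore previous versions' has nothing to offer."
    return
}

foreach ($s in $snaps) {
    # A directory symlink to the snapshot device object is the reliable way to browse it;
    # the trailing backslash on the target is required.
    $link = Join-Path $env:TEMP ("vss_" + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $rel
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate
            Write-Host ("{0}  {1,10} bytes  {2}" -f $s.InstallDate, $item.Length, $candidate)
        } else {
            Write-Host ("{0}  (file not present in this snapshot)" -f $s.InstallDate)
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot contents
    }
}
```

Any snapshot listed with a non-zero size is a candidate to copy the file back from; if the list is empty, the shadow copies are gone and this recovery route is closed.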
I was forced to set up the complete system to get rid of the virus, therefore there are no Shadow files available anymore. Is there another way to solve that?
From what I've read online, no, there isn't, I'm afraid to say. But you could try asking on BleepingComputer forums, they are excellent at this sort of thing.
Probably the best way would be to go the DDS route which is outlined lower down the last link in my signature below.
If you ever detect anything untoward like this again, do not touch anything, mouse or keyboard or screen, hard power off immediately. Then boot to Safe Mode and initiate System Restore.
I see no "DirtyEncrypt" anywhere on the internet. Possibly the poster meant "DirtyDecrypt".
Virus removal guides for ransomware &c - HERE
Initial symptoms and ransom screen
Long discussion here, no final resolution.
Quote: "At the moment the personal files encrypted on the drive(s) seem to be encrypted with RSA"
There are different types of encryption, so obviously different programs to remove them.
Encryption appears to be carried out using Microsoft EFS - see
This offers a small crumb of comfort to the rest of us, namely :
Note: A file cannot be both compressed and encrypted at the same time.
Note: those articles apply only to XP Pro and Server 2003. However the encryption process is described in detail, which is useful.
... No EFS for XP home, Vista home, Windows 7 home or Windows 8 home (basic)
So I don't know if the encryption process would use a different method if the target machine were running one of the above operating systems.
One of the posters is of the opinion that the cipher used is
CBC Chaining + SHA256 Hash + RC6 (2048) Algorithm cipher.
For average users, the only reliable way to limit the loss in case of crypto malware infections is a solid backup strategy, which is not only effective against crypto malware, but also helps with other scenarios like hardware failure. Just make sure that the storage system you keep your backups on is not accessible from your computer if you aren't creating or restoring a backup. So if you back up to an external hard drive, make sure you disconnect it after you are done. Otherwise malware can just encrypt your backups as well.
I can confirm the following,
(1) FOUR different RSA keys are created in %UserProfile%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1220945662-1659004503-1801674531-500 folder.
(2) JPG files with the "archive" attribute are NOT affected.
Grinler's verdict :
there is no solution to files encrypted by RSA and not having the private key
Unfortunately, the private key is removed and stored on the malware developers server and without it there is nothing you can do.
Microsoft identifies this as Trojan:Win32/Dircrypt.A. It offers no guidance on decrypting files.
According to Kaspersky the encryption uses "Encryption algorithm RC4 + RSA1024 can't be cracked."
List of domains involved in distributing this at http://pastebin.com/MsytKqNS