Ransomware PLEASE HELP

I didn't delete the key you mentioned in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.  I did delete the key that's in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run.

 

To be honest, if I didn't stop it, it would have encrypted all of my files.  When I stopped it, I saved about half of them.  But it still got around 200,000 files screwed up (mostly documents and installation files).

 

The virus encrypts all (.asm, .asmx, .jpg, .pdf, .txt, .rtf, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .htm, .html, .js, .css, .vbproj, .djvu, .frm, .cdr, .cdx, .php, .phpr, .phprt, .phpyt, .phpyyt, .cer, .chm, .dfm, .dpr, .key, .pas, .vbp, .wri and .xfm) files.

 

Did the virus total scan help?

Don't use the tool mentioned just above, the one to do with PhotoRec etc.

 

We need an exported Winlogon key to see the ID etc.

 

I will also PM you with instructions for the file.

 

As for the "If I didn't stop it..." part: all you have to do is shift the files to another location to make them dormant, but don't delete them from the PC and don't alter the registry.

 

Quads

Thanks, I have the files; I will have to unpack and repack them. The guy who will try the work for free has gone to bed. We are also trying to get the files from the Bleeping Computer thread to help with this and to compare.

 

Quads

Where would I find it on my computer? I used Norton to clean my computer after I was infected. That's all I did. I did not go into my registry or anything like that. So how do I proceed?

I think wpbt0.dll was in C:\windows\system32 or syswow64.  It might have been deleted.  Look for it!

herman1134

 

Do you know how to use regedit? What is your operating system?

 

Quads

I also have had this virus infect my computer.  Most of my files are backed up but not the most recent one.  I would like to save the encrypted .jpg if possible.  I have not deleted anything.  Is there anything I can add to help?

Guys on this thread, for a minute just please slow down. I would rather do that, as this involves personal files, OK.

 

lh 

 

Can you find the registry key I mentioned previously, very slowly, as I DON'T want it deleted but exported. DON'T DELETE!!!!!

 

Quads

Looking at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, there is a registry setting for 'id' but not 'bdgid'.

Export that key

 

Quads
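The two requests above (export the Winlogon key without deleting it, and make suspect files dormant by moving rather than deleting them) can be done from an elevated PowerShell prompt. The following is an added example, not a script posted in this thread or provided by Quads; the evidence folder location and the search directories are assumptions, and wpbt0.dll is the only file name the thread itself mentions.

```powershell
# Added example (not from the thread): export the HKCU Winlogon key read-only and
# move suspect files into a dormant folder instead of deleting them.
# Folder names and the System32/SysWOW64 search list are assumptions for illustration.
$keyPath    = 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$exportDir  = Join-Path $env:USERPROFILE 'Desktop\ransomware-evidence'
$quarantine = Join-Path $exportDir 'dormant'
New-Item -ItemType Directory -Force -Path $quarantine | Out-Null

# 1. Export the key to a .reg file. 'reg export' only reads the hive; it never
#    modifies or deletes anything, which is what was asked for. /y overwrites an
#    existing file of the same name without prompting.
$regFile = Join-Path $exportDir 'winlogon.reg'
reg export $keyPath $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 2. List the values the key holds so entries such as 'id' can be confirmed before
#    the .reg file is sent on. Get-ItemProperty is read-only; PS* are PowerShell's
#    own metadata properties, not registry values.
$props = Get-ItemProperty -Path "Registry::$keyPath"
$props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' } |
    ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.Value }

# 3. Make suspected malware files dormant: move, don't delete, and log where each
#    came from plus its SHA-256 so it can be put back or handed to an analyst.
#    Get-FileHash needs PowerShell 4 or later; drop the hash line on older systems.
$suspects   = @('wpbt0.dll')
$searchDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$log = Join-Path $exportDir 'moved-files.txt'
foreach ($dir in $searchDirs) {
    foreach ($name in $suspects) {
        $src = Join-Path $dir $name
        if (Test-Path -LiteralPath $src) {
            $hash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
            # Encode the source directory into the destination name so two copies
            # (System32 and SysWOW64) do not collide in the dormant folder.
            $dest = Join-Path $quarantine ('{0}__{1}' -f ($dir -replace '[:\\]', '_'), $name)
            Move-Item -LiteralPath $src -Destination $dest
            "$(Get-Date -Format s)`t$src`t$dest`t$hash" | Add-Content -Path $log
        }
    }
}
```

Run it as Administrator (right-click PowerShell, "Run as administrator") so the move out of System32 is permitted. The .reg file written in step 1 is the export the helpers asked for; nothing in the script touches the Run key or changes any registry value.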

herman1134

 

With help from a programmer on my other malware samples forum: he infected his machine and successfully ran the decrypt tool he created. I also imported your registry data onto my machine and ran the tool on my Win 7 system, and was able to decrypt your samples also.

 

The tool was not publicly available and was a direct download, which Symantec does not allow on the forum. Also be aware it is not fully tested; only him and myself have tried it.

 

Also, disable Norton while the tool is running, and for Vista / Win 7, to start the program right-click it and choose "Run as Administrator" from the menu.

 

Now, though, the tool has been direct-linked here for download (second message): http://www.bleepingcomputer.com/forums/topic455347.html

 

Quads

I can certainly use regedit.

 

Thank you VERY much for this tool.  How exactly do I use it?

Quads

 

I exported the key.  Do you still need it or should I just try the encryptor?

 

I still need it.  I downloaded the program you made, and put it and some encrypted files on a different computer to see if it worked.  It didn't.  Maybe I did something wrong?

I also came across such a problem. I am a professional photographer and all the pictures of my clients were encrypted. During the whole week many specialists tried to retrieve the files after the activity of this virus. They tried different software to recover deleted files, but nothing helped. Finally, I paid 50 USD to the blackmailers, and after several hours they emailed me software for deciphering, which deciphered all the files. I think paying the blackmailers is an extreme option, but if you cannot do it yourself and don't have any other alternative, you need to pay to have your problems solved, and next time be more careful.

My apologies to those who encountered such a problem. :(

Adam Kotovsky

You should give the file to Quads, and I will give the one he gave me.  It's a s**tty program, misspelled and with memory leaks.  I have also called MoneyPak to see if I can get this guy prosecuted.  You should call too.


AdamKy wrote:

I also came across such a problem. I am a professional photographer and all the pictures of my clients were encrypted.


 

You are a professional photographer and do not have backups!!!!!??? Well, maybe now you will start.

 

I had a backup, on an external drive. It was connected to the computer and was also encrypted.


AdamKy wrote:

I had a backup, on an external drive. It was connected to the computer and was also encrypted.


Ooooch! Lesson learned the hard way. As noted in other posts above, do not leave an external backup drive connected when not in use.

Could everyone please, for the sake of sympathy, STOP MENTIONING MAKING OR HAVING A BACKUP!!! It doesn't help anyone, it takes up valuable space on the forum, and it doesn't add to the conversation. EVERYONE who has this problem was caught unawares, and a backup would not have saved everything. NO ONE is going to back up their systems every day. This virus also attacks the program files and Windows files, and you can't back up those without a reformat. Furthermore, on external drives, some people need them on, connected and running at all times because they need a lot of files on them and the boot drive is too small.

 

Quads, would you like to examine the program the virus maker made to decrypt the files, so that maybe you can make a more efficient fixer for everyone else? The program you made, I fear, is not that good.

 

The virus maker's program has severe memory leaks. It very slowly scans every directory for .crypt files, makes a temp .crypt.decrypt file and then makes the original file. The memory it uses skyrockets up to 2,000,000 KB of RAM after about an hour, and then (if you run out of RAM) you need to start all over again. I have fixed around 1/5 of my files so far.