Jump to content

"READ TO DECRYPT!" infection

Recommended Posts

All, I am new here and searched the forums and did not find the exact problem I am having, so here it goes: A friend was showing me how to stream free movies online and afterwards, I noticed almost all of my folders had a new file in them named "READ TO DECRYPT!!!.html" and the office and pdf documents in those folders would no longer open. I have attached screenshots of the messages I get when trying to open the document. I am running windows xp pro. As you will see from the attached screenshot of the contents of the Read to Decrypt.html file, this is a ransom type situation and of course I have no intention of paying it. I have a backup of my system I made a week or two ago, so worse case I could use that. Please review the attached files and let me know if there is anything I can do to recover from this other than wiping my hard drive and going back to my last backup? I would rather not have to do that since I have done quite a bit of work and updates to files since then. Thank you very much!post-152509-0-32849300-1387234789_thumb.post-152509-0-52860500-1387234788_thumb.post-152509-0-99087200-1387234723_thumb.post-152509-0-92584400-1387234831_thumb.post-152509-0-24526900-1387234829_thumb.

Link to post
Share on other sites


Sorry to say if you're not going to pay then you'll need to Reformat and re-stall.

**Cryptolocker Ransomware** that is encrypting files.

There's no known tool to fix this infection at this time.

We can remove the infection but not the encryption.

Once encrypted you will not be able to access those encrypted files unless you pay a ransom and that doesn't always work.

Please be sure to backup your important files / data.

Cryptolocker Ransomware: What You Need To Know


Let me know if that answers your questions.

Link to post
Share on other sites

Not gonna pay for sure!

Thanks for your reply. Can you help me remove any traces of the bug? I will delete all folders that contain encrypted files and replace them with backups that I had made a couple of weeks ago. Fortunately, the I noticed that something weird was running on my computer after going through a website that must have loaded the bug and I stopped it before it could get through all of the folders on my computer, so it only made it through a couple of dozen folders before I stopped it. Please let me know how to proceed with getting rid of this for sure!. Thanks, Steve

Link to post
Share on other sites

Lets collect additional information off the system to see if we can spot the issue.

Please download DDS from the link below and save it to your desktop:

Note: Be sure to select Save as Type > All Types

Download one of the DDS tools from the location below and save to your Desktop

dds.scr - http://download.bleepingcomputer.com/sUBs/dds.scr

dds.com - http://download.bleepingcomputer.com/sUBs/dds.com

Double click dds.scr to run the tool.

It will automatically run; all you will see is a small message saying DDS is running in silent mode, then a message saying 2 logs shall be created on your Desktop.

When done, DDS will have saved 2 logs to your desktop:

1. DDS.txt

2. Attach.txt Please attach both logs in your next reply.

Link to post
Share on other sites

PS- Warning to all that may be surfing through web sites that offer free streaming movies. Although I have had only pesky issues with VIOOZ.CO, there was one site (not sure which one) that definitely got me and infected my computer with the ransom bug. As I found out, it is not worth it to try and watch free movies online unless you are willing to risk the security of your computer!

Link to post
Share on other sites

While I'm looking at the scans,



Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\documents and settings\all users\application data\yetqmyy.dat

Then click Submit. Allow the file to be scanned, and then please copy and paste the link to the results page here for me to see.

Do the same for this one:

c:\documents and settings\e0067354\1401795.exe

Link to post
Share on other sites

Link to post
Share on other sites

Were you able to get those 2 files scanned?


Is this a work pc or are you using it at work?

Did you setup a proxy server?

uProxyServer = proxy.etn.com:8080

uProxyOverride = connect.eaton.com;rs.eportal.eaton.com;*tnv.com;*lmtas.com;htgapp*.dana.com;portal.pw.utc.com;business.isabel.be;*.corp.moeller.net;intranet.moeller.net;mis.moeller.net;wtt.moeller.net;was.moeller.net;ctx.moeller.net;yambs.moeller.net;vip.moeller.net;tintranet.moeller.net;statistik.moeller.net;www.moeller.net;legolas.moeller*cz.com;portal.bicguniversity.com;127*;255.*;192.168.*;;198.147.174*;207.24.213*;;;;;193.228.200*;*aero.bombardier.net;*.mau.dana.com;*.vpn.dana.com;*.wdl.dana.com;nacitrix.dana.com;qts.ras.audi.vwg;kvs.ras.audi.vwg;*etn.com;151.110.*;148.179.*;166.99.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;10.*;<local>

Link to post
Share on other sites


This infection also is backdoor infection so be sure to change ALL your passwords.

Email, banks, etc. ALL of them.

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

Direct link to the file:


•Be sure to print out and follow the instructions provided on that same page.

•Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

•Doubleclick on the MBAR file you downloaded.

•Approve the UAC prompt in Vista / Windows 7 and newer operating systems.

•Click OK on the next screen, to allow the package to extract the contents of the file to it's own folder, mbar.

•By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next'.

•Click the 'Scan' button.

A.With some infections, you may see two messages boxes.

1.'Could not load protection driver'. Click 'OK'.

2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)


Link to post
Share on other sites

WOW, that's pretty nasty.

Please run another scan with mbar.exe. You'll find it in the extracted mbar folder.

Double click mbar.exe to run it.

Check for Updates, then click 'Next'.

Click 'Scan'

When it has completed, click the 'CleanUp' button and allow the reboot if prompted.

Please attach the most recent mbar-log <date and time>.txt in your next reply.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.