
My windows machine was hijacked with .DALLE ransomware



Hello Zaid.

My name is Maurice.  I will be helping & guiding you on this case.

You now have your own topic. In this sub-forum (Windows malware removal) we have one-to-one help with the Original Poster.

We do not do multi-user type things.

I will reply to this case very soon.

Maurice


Hello Zaid,

I regret to see & to have to say that this Windows PC has the encrypting ransomware .DALLE (which is a very new variant of the STOP (djvu) ransomware).

Please know that Malwarebytes has no decrypter for the files that have been encrypted (with the .DALLE extension).

The first thing that needs to be done is to ensure there is no currently active malware.

Typically the ransomware deletes itself after it has done the encryptions.

I can guide you to removing the ransomware notes (later). But as mentioned, we have no decrypter.

I will point you later to some possible help on the damaged files.

 

You did not mention whether Malwarebytes for Windows is able to run now. Is it?

I did notice you got a couple of 3rd-party tools.   As I help you along on this case, please do not do any fixes or changes on your own.

If you have questions as we go along, ask first.

 

We will start with running the Malwarebytes anti-rootkit stand-alone. We will do other things later on. Your patience is needed during all of this case.

Please read all of these lines first so that our plan is clear to you. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link

and save it to your desktop. When you get to the download page, press the Download button. Ignore the other lines displayed on the browser screen on that page.

 

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
 

There will be more to do later on. Our first main goal is to ensure no malicious malware is still running. To that end, we will run some other tasks later.

Your patience is very much needed, along with timely replies.

Sincerely,

 

 


  • AdvancedSetup changed the title to My windows machine was hijacked with .DALLE ransomware

Hello everyone,

 

I am here to inform you that I have not been able to open Malwarebytes on my Windows computer, nor was I able to open any other app. All files, videos and pictures look white, have the .DALLE extension and cannot be opened.

I tried to boot into Safe Mode and use Malwarebytes and HitmanPro, but nothing worked and the app doesn't run.

Later I could not access the internet; I'm using Safe Mode with Networking to download antivirus.

Can anyone help me?

_readme.txt


Hello Zaid,

This is Maurice. Earlier today we made a specific topic just for you. It seems you did not see my answer there.

I need you to read and stick with that thread from now forward.

This is for you.  Make replies there.  See my last reply to you there.

https://forums.malwarebytes.com/topic/248685-my-windows-machine-was-hijacked-with-dalle-ransomware/

 

Thanks for the new attachment you sent.   We will need to close this thread here.

Sincerely,

Maurice

 


P.S. Neither Malwarebytes nor HitmanPro can possibly decrypt the files that now have the extension .Dalle.

Later on ( on the other thread) I will point you to where it may be possible to use another special tool to decrypt the Dalle files.

But first, we have to be sure that there is no currently active malware on this box.

Do have patience.


P.P.S.

Please do not try to use any "actions" I provided to Nasfar. Your Windows PC is sure to be wholly different in terms of potential infection.

Please stick to your own special thread.

Use  https://forums.malwarebytes.com/topic/248685-my-windows-machine-was-hijacked-with-dalle-ransomware/

Thank you very much.

Maurice

 


Hello Maurice Naggar,

Sorry for replying in the other post; I could not help myself after the virus infected my laptop. With that being said, I tried to follow the instructions you provided for Nasfar; it didn't help!

I'll follow this thread from now onward :)

As I have told you before, I cannot access the internet in normal Windows, meaning my browsers aren't working; I'm using the internet in Safe Mode with Networking.

Here is the attachment for the MBAR files you mentioned.

Thanks for replying.

FRST_25-06-2019 15.28.20.txt Addition_25-06-2019 15.28.20.txt


Hello Zaid.

It's good to see you finally get on this thread. Thanks for the FRST & the MBAR scan log. The MBAR found no malware. But I think that is qualified by the fact that Windows was running in Safe Mode with Networking (not in normal mode).

I see that this PC had HitmanPro & SpyHunter. Please do not do any changes or fixes on your own, as long as the case is active here.

IF you are also getting help at another venue, stop and let me know that.

 

By the way, please do not use any "torrent" while this case is still on-going. Please do not do any web surfing. Be extremely careful in your use of browsers.

 

The FRST shows a few "boogers", so we will do a special custom fix for those, as just a first procedure. There will be more later on.

This system does have files encrypted by the .DALLE ransomware.  We have no decrypter for that.  I will point you later to a potential help resource on those.

[ 1 ]

We start with the following, so that Windows shows all hidden folders, all hidden files.

Select the Start button, then select Control Panel > Appearance and Personalization.

Select Folder Options, then select the View tab.

Under Advanced settings, select Show hidden files, folders, and drives, and then select OK.

 

[ 2 ]

Please close and save any open work files before you start this next step. It may involve a Windows restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRST tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) in the Downloads folder.

The tool named FRST.exe is already in the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 

(Screenshot: FRST_Fixl.png, the FRST Fix button)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

[ 3 ]

Start Malwarebytes.

Click Settings. Click the Protection tab & scroll down to Scan options
(use the scroll bar at the right as needed).

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
CLICK it to get it ON.



On the section "Potential Threat Protection",
look down at the one "Potentially Unwanted Programs (PUPs)" and make sure it is set to
"Always detect PUPs".

and

look down at the one "Potential Unwanted Modifications (PUM)" and make sure it is set to
"Always detect PUM".

and

scroll all the way down to the section Automatic Quarantine.
On the line "Automatically quarantine detected malware" be sure it is ON.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.
Let it remove what it has detected.

[ 4 ]

Next, I need to get fresh information from this machine.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Also, attach the file named FIXLOG.txt   from the step # 2 above.

Thank you.

fixlist.txt


When you are done with the tasks/suggestions above, and when you have some quiet time:

It appears there is some good news about using a decrypter tool that is cited at the Bleepingcomputer forum.

Before you start though, make sure you make extra copies of the DALLE files to some safe location. Just a precaution.

Do keep the original Dalle files where they are. I am only suggesting to save copies somewhere before you try the decrypter.

Malwarebytes has no decrypter. Attempting to decrypt the files is something you need to do on your own.

 

There is apparently a new update to StopDecrypter  at Bleepingcomputer forum that can handle the .Dalle  files.

Please do a fresh review at Bleeping computer topic and about how to get, use, & run the STOPdecrypter

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/?hl= stop djvu

Quote:

    06/27/19: STOPDecrypter updated to include support with new OFFLINE KEYS for the following variants as explained in Post #46111.
    .truke, .dalle, .lotep

Quote:

    Update for STOPDecrypter v2.1.0.14 with more OFFLINE keys

    OFFLINE ID: PrHLxGQfozsYqIt6y8iByGll1cv9doSVfPSfS2t1

    Extensions: .dalle

Edited by Maurice Naggar
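The precaution above (copy the .DALLE files somewhere safe, leave the originals in place, then try a decrypter) can be done reliably with a small script rather than by hand. The following is an added example, not part of the thread and not a Malwarebytes or STOPDecrypter tool: it walks a folder tree, copies every file whose extension is .DALLE (matched case-insensitively, since the thread writes both .DALLE and .dalle) into a backup folder while preserving the relative path, records a SHA-256 hash of each file in a manifest, and counts the folders holding a `_readme.txt` ransom note. The function names, the backup folder layout and the manifest format are this example's own choices; the scanned folder and the backup folder are supplied by the user, and the backup folder must be outside the scanned tree.

```python
"""Inventory and back up ransomware-encrypted files before trying a decrypter.

Added example (not from the forum thread). Assumes Python 3 and a backup
location outside the folder being scanned. Originals are never modified.
"""
import hashlib
import json
import os
import shutil
from pathlib import Path

ENCRYPTED_EXT = ".dalle"      # extension left on files by this STOP/djvu variant
RANSOM_NOTE = "_readme.txt"   # note the ransomware drops in folders it touched


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large videos do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_encrypted(root: Path):
    """Yield every file under root whose name ends with ENCRYPTED_EXT (any case)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                yield Path(dirpath) / name


def count_ransom_notes(root: Path) -> int:
    """Number of folders under root that contain a ransom note."""
    return sum(1 for _d, _sub, files in os.walk(root) if RANSOM_NOTE in files)


def _inside(child: Path, parent: Path) -> bool:
    try:
        Path(child).resolve().relative_to(Path(parent).resolve())
        return True
    except ValueError:
        return False


def backup_encrypted(root: Path, backup_root: Path) -> dict:
    """Copy encrypted files into backup_root (same relative paths) and write manifest.json.

    A copy that already exists with the same hash is skipped, so the function can
    be re-run safely. Returns a summary dict.
    """
    root, backup_root = Path(root), Path(backup_root)
    if _inside(backup_root, root):
        raise ValueError("backup location must be outside the scanned tree")
    manifest, copied, skipped = [], 0, 0
    for src in find_encrypted(root):
        rel = src.relative_to(root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        digest = sha256_of(src)
        if dst.exists() and sha256_of(dst) == digest:
            skipped += 1
        else:
            shutil.copy2(src, dst)  # copy2 preserves timestamps; the original is untouched
            copied += 1
        manifest.append({"path": str(rel).replace(os.sep, "/"),
                         "size": src.stat().st_size, "sha256": digest})
    backup_root.mkdir(parents=True, exist_ok=True)
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return {"encrypted_files": len(manifest), "copied": copied,
            "skipped_identical": skipped, "ransom_notes": count_ransom_notes(root)}


def verify_backup(backup_root: Path) -> list:
    """Relative paths whose backup copy is missing or no longer matches its recorded hash."""
    backup_root = Path(backup_root)
    entries = json.loads((backup_root / "manifest.json").read_text())
    bad = []
    for e in entries:
        copy = backup_root / e["path"]
        if not copy.exists() or sha256_of(copy) != e["sha256"]:
            bad.append(e["path"])
    return bad


if __name__ == "__main__":
    # Usage: python backup_dalle.py <folder to scan> <backup folder on another drive>
    import sys
    print(backup_encrypted(Path(sys.argv[1]), Path(sys.argv[2])))
    print("mismatched copies:", verify_backup(Path(sys.argv[2])))
```

Run `verify_backup` again after a decrypter has been tried: if any copy no longer matches its manifest hash, that copy was altered and should not be trusted as a fallback.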

Hello Maurice.

Thanks for replying.

Yes, I'm using Safe Mode with Networking because I can't use anything in normal Windows for more than 5 minutes, meaning if I open any window or folder it says it is not responding; then I have no other option than to force-shutdown my laptop and open in Safe Mode with Networking.

I tried running HitmanPro and SpyHunter; nothing works.

I'm not getting any help other than the Malwarebytes forum, after seeing some positive comments.

Thanks for that :)

ALL THE STEPS ARE DONE IN SAFE MODE WITH NETWORKING.

(1)

First step is done.

(2)

I have done all the steps you described. Here is the attached file.

I would like to mention that it didn't take me as long as you mentioned in the earlier post, and I didn't get the message to restart the system.

(3)

Step three is done. Here is the threat scan report.

Second thing I would like to mention: after the scan, the system told me to restart, so I did.

(4)

Step four done. Here is the ZIP file attachment.

THANK YOU

Waiting for your reply.

Fixlog.txt threat scan.txt mbst-grab-results.zip


Thanks for the reports.

The Fixlog run results are good. Though, it would have been better had the system been in Normal Windows mode.

On the Malwarebytes scan, it found a number of PUPs, plus a DNSChanger trojan. But all the tagged lines mentioned "No Action By User".

We have to do another scan.

 

Let's please put the machine back into Windows normal mode & then just do this new scan run.

Start Malwarebytes.

Click Settings. Click the Protection tab & scroll down to Scan options
(use the scroll bar at the right as needed).
Be sure *Scan within archives* is set to OFF.

On the section "Potential Threat Protection",
look down at the one "Potentially Unwanted Programs (PUPs)" and make sure it is set to
"Always detect PUPs".

and

look down at the one "Potential Unwanted Modifications (PUM)" and make sure it is set to
"Always detect PUM".

and

scroll all the way down to the section Automatic Quarantine.
On the line "Automatically quarantine detected malware" be sure it is ON.



Then, once all is set there, click on the SCAN button.
Then ensure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark.

To that end, if you click the very top left checkbox you can force all detected lines (if any are detected) to be selected for removal. Be sure each line is checked.

(Screenshot: mb3_quar_all.png, the top-left checkbox selecting all detections)



Then you can proceed to click on the blue button Quarantine selected.


Let me know how it goes.
In Malwarebytes,
click the Reports button (on the left).
Look for the "Scan Report" that has the most recent date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your email.
Thank you.


Hello Maurice,

I cannot run Malwarebytes in normal Windows because of the virus.

Is there any way to run Malwarebytes in normal Windows and do the scan?

Can I

restart the machine in Safe Mode with Networking and run Malwarebytes from there, uninstall and redownload in Safe Mode, and install it fresh in normal Windows and do the scan?

Here is the recent scan report in Safe Mode with Networking, since I cannot open Malwarebytes in normal Windows.

Thanks

 

recentscan.txt


Edited by AdvancedSetup
removed email address

Dalle is a ransomware.  It is not a virus.

Dalle has deleted itself; it is gone, after it did its deed. Yes, it left the files with the new extension Dalle & encrypted the files so you cannot use them.

But the ransomware is not now active.

The question really is: can you just start Windows in Normal mode and stay there?

 

What you can do is do a complete new install of Malwarebytes ....while in Normal mode.

[ B ]

Please prepare by first closing any open work, saving any work in progress. Close them so you can have a better view.

Ideally, if possible, do a Windows Restart. Then proceed.

 

The Malwarebytes installer is at this link.

Download and save the setup file. It will automatically download. Just SAVE first.

1.    Double-click mb3-setup-consumer-3.8.3.2965-1.0.613-1.0.11270 to start the Malwarebytes for Windows setup.
2.    Follow the installation instructions to complete setup.

Watch all of the process. Have lots of patience.
Let me know how it goes. When setup has completed, my suggestion is always to do a Windows Restart.

Then start Malwarebytes for Windows and do the Scan.

Please let me know how this goes.


Hello.

I am glad to know that you managed to do a new Malwarebytes install & then run Malwarebytes for Windows.

There was one adware type and that was removed (per the report "threatscan3").

That was just adware. No trojan or active malware was found.

And on the 27th, you ran the MBAR anti-rootkit tool & it reported no rootkit or malware active.

As to the Dalle encrypted files, I provided you the other day, links to Bleepingcomputer for the STOP decrypter tool.

Please read and checkout those possibilities.

Malwarebytes has no decrypter.

I suggest running another tool to check out this Windows 7 computer.

Download ComboFix from here and save it to your desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Be real sure you SAVE it first. Save it to the DESKTOP.

Double click on ComboFix.exe & follow the prompts.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Attach that log in your next reply.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

 

Note:  The Dalle ransomware had deleted itself after it finished encrypting some files.  It is not now active.

It also would have turned off Windows System restore service & deleted all pre-existing system restore points.

 

One question would be, whether you have backups of this system from before the time of the Dalle infection ?

Sincerely,
Thank you.

 

 


Hello,

I'm glad to find out there is no malware on my machine.

Thanks to you specially.

Here is the ComboFix attached file.

About the backups: I don't think I have done any backup before the malware attack, or ever before.

Most of my files which are encrypted I really don't care about, but there are some which I really care about. I tried using STOPDecrypter which you told me about; I'll see what I can do about it.

What precautions would you like to give me so that the malware would not resurrect?

THANKS

ComboFix.txt


This topic is now closed to further replies.