I've been infected by ransomware

[milishatam 0]

Hello,

Unfortunately, I have been infected by a ransomeware from an Email Attachment. I followed the instructions you have provided on this page:

http://support.emsisoft.com/forum-6/announcement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

Prior to the tasks suggested by you and the process that has been completed through your programs, I would post the Logs that are needed for your further evaluation.

 

I do appreciate your support on this matter greatly. Please, I do need your help extensively. My life will be ruined if the hacker delete my files on my hard disk.

My whole life is on this hard disk, it is possible that I will not need to live a moment after such consequences.

In addition, I ca not pay the ransom because of the sanctions that have been imposed on the Iranian Banking system, at least until May when the Swift System is back in business in Iran.

Thanks Again,

 

 

FRST.txt

Addition.txt

scan_160401-171729.txt

[Elise 277]

Hello,

I'm sorry to hear about your trouble. From your logs it appears you already ran the Nemucod decrypter, did this not work?

For more information about the decrypter as well as instructions on how to run it:  https://decrypter.emsisoft.com/nemucod

For more information about the Nemucod ransomware, see here.

 

I can help you to clean up the active parts of the infection if they remain after the decrypter has run.

[milishatam 0]

Thanks for your quick reply,

 

Yes, i have already used the Nemucod Decrypter. But, when I clicked on the software to run it, I received this message:

"The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart on to the decrypter to determine a correct key. Files need to be at least 510 bytes long."

 

From what I can gather, this means I must have an encrypted file on my computer and a copied healthy version of the file on a flash drive, etc. In order to drag and drop them both onto the Nemucod.exe. Problem is I do not have a healthy copied version of any files at the moment. However, If I run a search on the internet to look for the uploaded files, would it help me to decrypt all the files on my computer? By simply drag and dropping both the infected and the healthy version on the Nemucod.exe?

 

Thanks again,

[milishatam 0]

*****UPDATE*****

 

I did drag and and drop a healthy and an infected version of "a file", and I received an initial key. I am running the decrypter at the moment and it is running to crypt my files on the C drive.

 

Thanks for your attention,

[Elise 277]

I'm glad to hear that works! When the decryption process is done, please post fresh FRST logs, because other malware is present as well and needs removal.

[milishatam 0]

Hello,

 

Along the way of decrypting my encrypted files I noticed that the software keeps the infected files untouched. That has caused my PC not to be able to decrypt all the files because of Low Hard Disk Space. Is there a way to change that setting? to get rid of the encrypted files at once?

 

Also, since the hacker threatened that he would delete all my files in less than 3 days if I did not fully deliver the ransom money, on which stage should I get rid of the Trojans/spywares? Can I use your own recovery software to do that?

 

I appreciate your time again

Thanks,

[Peter2150 45]

One lesson to take from this experience is Backup, Backup, and Backup.   Then recovering would be painless

[Elise 277]

To get rid of the malware, please post a new FRST log.  

 

Any chance you can free up some disk space (by cleaning temp files and such) or move some things to another disk? The original files are not infected, they're encrypted, the tool does not remove them for safety reasons (if decryption is not successful, you don't want to be left without files at all).