Help, my Pc is infected (Maktub Ransomware)

[elvin7 0]

The ransomware was sent via email attachment and has encrypted most of my files. I tried removing the offender with malware bytes and seems successful so I attached that log too. Thank you for any help.

Addition.txt

FRST.txt

malware bytes log.txt

scan_160409-153957.txt

[Kevin Zoll 309]

Hi,

It appears that the infection was removed. However, there are a few items that still need to be corrected.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\elvin\AppData\Local\Temp\jna5823133352577735123.dll
C:\Users\elvin\AppData\Local\Temp\McCSPInstall.dll
C:\Users\smc_c\AppData\Local\Temp\jna3991165125275244217.dll
C:\Users\smc_c\AppData\Local\Temp\jna6967898026039739988.dll

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

It also appears that you still have several encrypted files present.

[elvin7 0]

Hello, I did as you said and attached the log,

 

Is there any way to decrypt the files? or should i remove them? (Unfortunately there are quite a lot I have not been able to recover from backups)

 

Thank you for your help.

Fixlog.txt

[Kevin Zoll 309]

Currently there is no known method to decrypt files that have been encrypted by Maktub.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running?

[elvin7 0]

Everything seems to be running ok now, should I remove the encrypted files from my computer?

 

Thanks again.

FRST.txt

scan_160413-235308.txt

[Kevin Zoll 309]

... should I remove the encrypted files from my computer?

That is entirely up to you.

If you wish to delete the encrypted files showing in your FRST log, do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2016-04-08 11:32 - 2016-04-05 22:17 - 00010960 _____ C:\Users\smc_c\Desktop\sinead mccrossan guest list 21.11.09.xlsx.huuywl
2016-04-05 23:53 - 2016-04-05 23:53 - 00868832 _____ C:\Users\smc_c\Downloads\zsnesw151.zip.huuywl
2016-04-05 23:53 - 2016-04-05 23:53 - 00005615 _____ C:\Users\smc_c\Downloads\_DECRYPT_INFO_huuywl.html
2016-04-05 21:45 - 2016-04-05 21:45 - 00462912 _____ C:\Users\smc_c\Documents\apple white and raven queen  coloring page.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00319888 _____ C:\Users\smc_c\Documents\holly_o_hair_by_elfkena-d7n0mcy.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00284304 _____ C:\Users\smc_c\Desktop\asos.pdf.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00254800 _____ C:\Users\smc_c\Documents\cerise_hood_by_elfkena-d6fzqqu.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00185728 _____ C:\Users\smc_c\Documents\My-Little-Pony-Coloring-Pages.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00130672 _____ C:\Users\smc_c\Documents\ashlynn_ella_by_elfkena-d6fzqh9.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00126096 _____ C:\Users\smc_c\Documents\my_little_pony_28.png.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00106192 _____ C:\Users\smc_c\Documents\Darling Charming Ever After High Coloring Page.png.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00102912 _____ C:\Users\smc_c\Documents\Bunny Blanc Ever After High Coloring Page.png.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00062864 _____ C:\Users\smc_c\Documents\My-Little-Pony-coloring-pages-Rainbow-dash-one.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00047472 _____ C:\Users\smc_c\Documents\ever1.pdf.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00043392 _____ C:\Users\smc_c\Documents\Printable%20My%20Little%20Pony%20Friendship%20Is%20Magic%20Applejack%20coloring%20pages.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00039520 _____ C:\Users\smc_c\Documents\paw-patrol 03.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00037056 _____ C:\Users\smc_c\Documents\coloring-book-paw-patrol-10-2-s-307x512.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00021952 _____ C:\Users\smc_c\Documents\cerise-hood-colorear.jpg.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00007776 _____ C:\Users\smc_c\Desktop\dec.xlsx.huuywl
2016-04-05 21:45 - 2016-04-05 21:45 - 00005615 _____ C:\Users\smc_c\Documents\_DECRYPT_INFO_huuywl.html
2016-04-05 21:45 - 2016-04-05 21:45 - 00005615 _____ C:\Users\smc_c\Desktop\_DECRYPT_INFO_huuywl.html
2016-04-05 21:45 - 2016-04-05 21:45 - 00003376 _____ C:\Users\smc_c\Documents\thMCE1VPTH.jpg.huuywl

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Part 2:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\elvin\AppData\Local\Temp\jna5173515143834679719.dll
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER" /v "NORUN" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER" /v "NOFOLDEROPTIONS" /f

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[elvin7 0]

I have ran the fixes and attached the logs,

 

computer seems to be running as normal.

 

Thank you very much for your help.

 

 

Fixlog part1.txt

Fixlog part2.txt

[Kevin Zoll 309]

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.