elvin7 0 Posted April 9, 2016 Report Share Posted April 9, 2016 The ransomware was sent via email attachment and has encrypted most of my files. I tried removing the offender with malware bytes and seems successful so I attached that log too. Thank you for any help. Addition.txt FRST.txt malware bytes log.txt scan_160409-153957.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 11, 2016 Report Share Posted April 11, 2016 Hi, It appears that the infection was removed. However, there are a few items that still need to be corrected. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. C:\Users\elvin\AppData\Local\Temp\jna5823133352577735123.dll C:\Users\elvin\AppData\Local\Temp\McCSPInstall.dll C:\Users\smc_c\AppData\Local\Temp\jna3991165125275244217.dll C:\Users\smc_c\AppData\Local\Temp\jna6967898026039739988.dllClose Notepad.NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version. It also appears that you still have several encrypted files present. Link to post Share on other sites
elvin7 0 Posted April 11, 2016 Author Report Share Posted April 11, 2016 Hello, I did as you said and attached the log, Is there any way to decrypt the files? or should i remove them? (Unfortunately there are quite a lot I have not been able to recover from backups) Thank you for your help. Fixlog.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 12, 2016 Report Share Posted April 12, 2016 Currently there is no known method to decrypt files that have been encrypted by Maktub. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running? Link to post Share on other sites
elvin7 0 Posted April 13, 2016 Author Report Share Posted April 13, 2016 Everything seems to be running ok now, should I remove the encrypted files from my computer? Thanks again. FRST.txt scan_160413-235308.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 14, 2016 Report Share Posted April 14, 2016 ... should I remove the encrypted files from my computer?That is entirely up to you.If you wish to delete the encrypted files showing in your FRST log, do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. 2016-04-08 11:32 - 2016-04-05 22:17 - 00010960 _____ C:\Users\smc_c\Desktop\sinead mccrossan guest list 21.11.09.xlsx.huuywl 2016-04-05 23:53 - 2016-04-05 23:53 - 00868832 _____ C:\Users\smc_c\Downloads\zsnesw151.zip.huuywl 2016-04-05 23:53 - 2016-04-05 23:53 - 00005615 _____ C:\Users\smc_c\Downloads\_DECRYPT_INFO_huuywl.html 2016-04-05 21:45 - 2016-04-05 21:45 - 00462912 _____ C:\Users\smc_c\Documents\apple white and raven queen coloring page.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00319888 _____ C:\Users\smc_c\Documents\holly_o_hair_by_elfkena-d7n0mcy.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00284304 _____ C:\Users\smc_c\Desktop\asos.pdf.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00254800 _____ C:\Users\smc_c\Documents\cerise_hood_by_elfkena-d6fzqqu.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00185728 _____ C:\Users\smc_c\Documents\My-Little-Pony-Coloring-Pages.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00130672 _____ C:\Users\smc_c\Documents\ashlynn_ella_by_elfkena-d6fzqh9.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00126096 _____ C:\Users\smc_c\Documents\my_little_pony_28.png.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00106192 _____ C:\Users\smc_c\Documents\Darling Charming Ever After High Coloring Page.png.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00102912 _____ C:\Users\smc_c\Documents\Bunny Blanc Ever After High Coloring Page.png.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00062864 _____ C:\Users\smc_c\Documents\My-Little-Pony-coloring-pages-Rainbow-dash-one.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00047472 _____ C:\Users\smc_c\Documents\ever1.pdf.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00043392 _____ C:\Users\smc_c\Documents\Printable%20My%20Little%20Pony%20Friendship%20Is%20Magic%20Applejack%20coloring%20pages.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00039520 _____ C:\Users\smc_c\Documents\paw-patrol 03.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00037056 _____ C:\Users\smc_c\Documents\coloring-book-paw-patrol-10-2-s-307x512.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00021952 _____ C:\Users\smc_c\Documents\cerise-hood-colorear.jpg.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00007776 _____ C:\Users\smc_c\Desktop\dec.xlsx.huuywl 2016-04-05 21:45 - 2016-04-05 21:45 - 00005615 _____ C:\Users\smc_c\Documents\_DECRYPT_INFO_huuywl.html 2016-04-05 21:45 - 2016-04-05 21:45 - 00005615 _____ C:\Users\smc_c\Desktop\_DECRYPT_INFO_huuywl.html 2016-04-05 21:45 - 2016-04-05 21:45 - 00003376 _____ C:\Users\smc_c\Documents\thMCE1VPTH.jpg.huuywlClose Notepad.NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version. Part 2: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. C:\Users\elvin\AppData\Local\Temp\jna5173515143834679719.dll Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER" /v "NORUN" /f Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER" /v "NOFOLDEROPTIONS" /fClose Notepad.NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version. Link to post Share on other sites
elvin7 0 Posted April 16, 2016 Author Report Share Posted April 16, 2016 I have ran the fixes and attached the logs, computer seems to be running as normal. Thank you very much for your help. Fixlog part1.txt Fixlog part2.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 18, 2016 Report Share Posted April 18, 2016 Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running. Link to post Share on other sites
Kevin Zoll 309 Posted April 21, 2016 Report Share Posted April 21, 2016 Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread. Link to post Share on other sites
Recommended Posts