
It would appear that there is currently no tool to decrypt files encrypted by the ransomware variant with which you are infected.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2390302527-2383292128-4052601444-500\...\MountPoints2: {9d16bff1-66f8-11e5-80b4-806e6f6e6963} - "D:\setup.exe" 
IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js
2016-04-11 21:03 - 2016-04-11 21:03 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\4
2016-04-11 13:17 - 2016-04-11 13:17 - 00000000 ____D C:\Users\sql\AppData\Local\Temp\3
2016-04-11 12:05 - 2016-04-11 13:52 - 10391552 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\sqla01b5.tmp
2016-04-10 06:39 - 2016-04-10 06:39 - 00000000 _____ C:\Users\tc\AppData\Local\Temp\tmpC337.tmp
2016-04-09 22:39 - 2016-04-11 11:35 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsu.tmp
2016-04-06 18:25 - 2016-04-11 00:00 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\nsa1BF5.tmp
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsuA.tmp
2016-04-02 17:59 - 2016-04-08 01:55 - 00000000 ____D C:\ProgramData\hsswpr
2016-03-28 16:07 - 2016-03-28 16:07 - 00020480 ____T C:\Users\tk\AppData\Local\Temp\~DF2FB0469DBAD5B348.TMP
2016-03-28 16:07 - 2016-03-28 16:07 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DF01C7E568F963837F.TMP
2016-03-28 15:59 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Roy\AppData\Local\Temp\10
2016-03-27 12:15 - 2016-03-28 02:59 - 00002052 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_1XDKXrJbBupqOpH
2016-03-27 12:14 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\{B5A402BF-CD1F-45CB-8965-8042436383A0}
2016-03-27 12:14 - 2016-03-28 16:24 - 00008200 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_nhoMnrtgWqDYpKs
2016-03-27 12:12 - 2016-03-28 02:59 - 00004104 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_EKHZNFn1WHdBgHV
2016-03-27 12:12 - 2016-03-27 12:12 - 00032768 ____T C:\Users\tk\AppData\Local\Temp\~DF88EF3450435AC03B.TMP
2016-03-27 12:12 - 2016-03-27 12:12 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DFAF8665CF596F1D20.TMP
2016-03-23 01:35 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\{BB3A07D2-410E-4E93-8547-4E9FDF990292}
2016-03-23 01:35 - 2016-03-23 01:35 - 00172032 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DFEF9B35CDB811D098.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00135168 ____T C:\Users\Intel\AppData\Local\Temp\~DF40E564EECA2C47DF.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00016384 ____T C:\Users\Intel\AppData\Local\Temp\~DF352D8A629C21D494.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00000000 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DF39FCCA420440AB98.TMP
2016-03-23 01:33 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\3
2016-03-16 15:08 - 2016-03-16 15:08 - 00000123 _____ C:\Users\tk\AppData\Local\Temp\CFGC7FA.tmp
2016-03-16 02:56 - 2016-03-16 02:56 - 00016384 _____ C:\Users\tk\AppData\Local\Temp\~DFA04F57FFDC73B71E.TMP
2016-03-15 14:49 - 2016-03-15 14:49 - 00000000 ____D C:\Users\tk\AppData\Roaming\Mozilla
2016-03-14 09:06 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\9
2016-04-11 23:36 - 2016-02-09 19:04 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\1
2016-04-11 15:01 - 2016-01-02 17:01 - 00000000 ____D C:\Users\QBDataServiceUser25\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2016-04-08 02:04 - 2016-03-07 02:34 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\7
2016-04-08 02:04 - 2016-03-02 23:54 - 00000000 ____D C:\Users\Jane\AppData\Local\Temp\4
2016-04-08 02:04 - 2016-02-22 02:45 - 00000000 ____D C:\Users\tc\AppData\Local\Temp\5
2016-04-08 02:04 - 2016-01-29 18:31 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\5
2016-04-08 02:01 - 2016-02-02 00:55 - 00000000 ____D C:\Users\dk\AppData\Local\Temp\6
2016-04-08 02:00 - 2016-01-26 09:10 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\4
2016-04-08 02:00 - 2016-01-26 01:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3
2016-03-26 01:13 - 2016-02-10 17:34 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\2
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files (x86)\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Roaming\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Local\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\ProgramData\HOW TO DECRYPT FILES.txt
C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\Administrator\AppData\Local\Temp\5\5Gx1QaiFCpc3VP0.exe
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
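The fixlist above removes four kinds of persistence that the FRST log exposed: an Image File Execution Options "Debugger" value on sethc.exe that launches cmd.exe in its place, a Run entry that starts an executable out of a user's Temp directory, a proxy auto-config URL served from 127.0.0.1, and ransom notes dropped into every Startup folder. The script below is an added, read-only example (not part of the post above, and not a feature of FRST) that audits those same locations so a defender can confirm the entries are present before the fix and gone after it. It assumes Windows PowerShell 5.1 or later running as Administrator on the affected host; the list of accessibility binaries it checks, the "\Temp\" path pattern and the "HOW TO DECRYPT*" filename filter are this example's own choices.

```powershell
# Added example (not from the forum post or FRST): read-only audit of the
# persistence points the fixlist removes. Assumes PowerShell 5.1+ as Administrator.

$findings  = New-Object System.Collections.Generic.List[object]
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Add-Finding([string]$Check, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value })
}

# 1. IFEO "Debugger" values on accessibility binaries (the log showed
#    sethc.exe -> cmd.exe, which gives a shell from the logon screen).
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
foreach ($bin in $accessibilityBinaries) {
    $key = Join-Path $ifeoRoot $bin
    $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger on accessibility binary' $key $dbg }
}

# 2. Run entries whose command line points into a Temp directory
#    (the log's Alcmeter entry ran 5Gx1QaiFCpc3VP0.exe from AppData\Local\Temp).
function Test-RunKey([string]$Key) {
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }          # skip provider metadata
        if ("$($p.Value)" -match '\\Temp\\') {                   # case-insensitive by default
            Add-Finding 'Run entry launched from a Temp directory' "$Key\$($p.Name)" $p.Value
        }
    }
}
Test-RunKey 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Test-RunKey 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'

# 3. Per-user hives that are currently loaded: user Run keys and the
#    WinINet AutoConfigURL (the log showed hxxp://127.0.0.1:895/proxy.js).
$userHives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    Test-RunKey "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

    $inet = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    $pac  = (Get-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac -and $pac -match '^https?://(127\.0\.0\.1|localhost)(:\d+)?/') {
        Add-Finding 'Proxy auto-config served from localhost' "$inet\AutoConfigURL" $pac
    }
}

# 4. Ransom notes planted in the common and per-user Startup folders.
$startupSuffix = 'Microsoft\Windows\Start Menu\Programs\Startup'
$startupDirs   = @(Join-Path $env:ProgramData $startupSuffix) +
                 @(Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
                   ForEach-Object { Join-Path $_.FullName "AppData\Roaming\$startupSuffix" })
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter 'HOW TO DECRYPT*' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Ransom note in Startup folder' $_.FullName $_.Length }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once before applying the fixlist and once after the post-fix reboot; an empty result on the second run confirms the IFEO value, the Temp-based Run entry, the localhost PAC URL and the Startup notes are gone. Only hives of users currently logged on appear under HKEY_USERS, so the per-user checks cover those profiles; the Startup-folder sweep is filesystem-based and covers every profile under C:\Users regardless.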
