jaschultz 0 Posted April 12, 2016 Report Share Posted April 12, 2016 Here are the logs. I hope you will be able to allow me to decrypt. logs.zip
Kevin Zoll 309 Posted April 12, 2016 Report Share Posted April 12, 2016 It would appear that there is currently no tool to decrypt files encrypted by the ransomware variant with which you are infected.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2390302527-2383292128-4052601444-500\...\MountPoints2: {9d16bff1-66f8-11e5-80b4-806e6f6e6963} - "D:\setup.exe"
IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js
2016-04-11 21:03 - 2016-04-11 21:03 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\4
2016-04-11 13:17 - 2016-04-11 13:17 - 00000000 ____D C:\Users\sql\AppData\Local\Temp\3
2016-04-11 12:05 - 2016-04-11 13:52 - 10391552 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\sqla01b5.tmp
2016-04-10 06:39 - 2016-04-10 06:39 - 00000000 _____ C:\Users\tc\AppData\Local\Temp\tmpC337.tmp
2016-04-09 22:39 - 2016-04-11 11:35 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsu.tmp
2016-04-06 18:25 - 2016-04-11 00:00 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\nsa1BF5.tmp
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsuA.tmp
2016-04-02 17:59 - 2016-04-08 01:55 - 00000000 ____D C:\ProgramData\hsswpr
2016-03-28 16:07 - 2016-03-28 16:07 - 00020480 ____T C:\Users\tk\AppData\Local\Temp\~DF2FB0469DBAD5B348.TMP
2016-03-28 16:07 - 2016-03-28 16:07 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DF01C7E568F963837F.TMP
2016-03-28 15:59 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Roy\AppData\Local\Temp\10
2016-03-27 12:15 - 2016-03-28 02:59 - 00002052 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_1XDKXrJbBupqOpH
2016-03-27 12:14 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\{B5A402BF-CD1F-45CB-8965-8042436383A0}
2016-03-27 12:14 - 2016-03-28 16:24 - 00008200 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_nhoMnrtgWqDYpKs
2016-03-27 12:12 - 2016-03-28 02:59 - 00004104 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_EKHZNFn1WHdBgHV
2016-03-27 12:12 - 2016-03-27 12:12 - 00032768 ____T C:\Users\tk\AppData\Local\Temp\~DF88EF3450435AC03B.TMP
2016-03-27 12:12 - 2016-03-27 12:12 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DFAF8665CF596F1D20.TMP
2016-03-23 01:35 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\{BB3A07D2-410E-4E93-8547-4E9FDF990292}
2016-03-23 01:35 - 2016-03-23 01:35 - 00172032 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DFEF9B35CDB811D098.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00135168 ____T C:\Users\Intel\AppData\Local\Temp\~DF40E564EECA2C47DF.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00016384 ____T C:\Users\Intel\AppData\Local\Temp\~DF352D8A629C21D494.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00000000 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DF39FCCA420440AB98.TMP
2016-03-23 01:33 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\3
2016-03-16 15:08 - 2016-03-16 15:08 - 00000123 _____ C:\Users\tk\AppData\Local\Temp\CFGC7FA.tmp
2016-03-16 02:56 - 2016-03-16 02:56 - 00016384 _____ C:\Users\tk\AppData\Local\Temp\~DFA04F57FFDC73B71E.TMP
2016-03-15 14:49 - 2016-03-15 14:49 - 00000000 ____D C:\Users\tk\AppData\Roaming\Mozilla
2016-03-14 09:06 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\9
2016-04-11 23:36 - 2016-02-09 19:04 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\1
2016-04-11 15:01 - 2016-01-02 17:01 - 00000000 ____D C:\Users\QBDataServiceUser25\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2016-04-08 02:04 - 2016-03-07 02:34 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\7
2016-04-08 02:04 - 2016-03-02 23:54 - 00000000 ____D C:\Users\Jane\AppData\Local\Temp\4
2016-04-08 02:04 - 2016-02-22 02:45 - 00000000 ____D C:\Users\tc\AppData\Local\Temp\5
2016-04-08 02:04 - 2016-01-29 18:31 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\5
2016-04-08 02:01 - 2016-02-02 00:55 - 00000000 ____D C:\Users\dk\AppData\Local\Temp\6
2016-04-08 02:00 - 2016-01-26 09:10 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\4
2016-04-08 02:00 - 2016-01-26 01:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3
2016-03-26 01:13 - 2016-02-10 17:34 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\2
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files (x86)\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Roaming\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Local\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\ProgramData\HOW TO DECRYPT FILES.txt
C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\Administrator\AppData\Local\Temp\5\5Gx1QaiFCpc3VP0.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
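An added example for readers triaging a log like the one above (written for this thread; it is not part of the original post, of Malwarebytes' procedure, or of the FRST tool): a small Python script that parses FRST-style lines and flags the entries a responder should act on first. The fixlist above removes four distinct things, and the script separates them: an IFEO "Debugger" value on sethc.exe pointing at cmd.exe (the classic sticky-keys backdoor, which gives a SYSTEM shell at the logon screen without credentials), a Run entry launching an executable from a Temp directory, ransom notes dropped into every profile's Startup folder, and a per-user proxy auto-config URL. The sample lines reproduce entries from the post above plus two constructed control entries (an IFEO debugger on notepad.exe and a Run entry for SecurityHealthSystray.exe, both hypothetical) so you can see what is not flagged. The rule names, severities and regexes are my own choices, not FRST conventions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Accessibility helpers that winlogon launches from the logon screen as SYSTEM.
# An IFEO "Debugger" value on any of them runs the debugger *instead of* the
# binary, so e.g. pressing Shift five times at the logon prompt spawns cmd.exe.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Ransom-note file names are matched on the basename only (rule set is mine).
RANSOM_NOTE_RE = re.compile(
    r"how[ _-]*to[ _-]*decrypt|decrypt[ _-]*(?:instructions|my[ _-]*files)", re.I)

# FRST line shapes as they appear in the fixlist above.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+?)\s*$")
RUN_RE = re.compile(r"\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*=>\s*(?P<rest>.+)$")
STARTUP_RE = re.compile(r"^Startup:\s*(?P<path>.+?)\s*\[\d{4}-\d{2}-\d{2}\]")
PAC_RE = re.compile(r"^AutoConfigURL:\s*\[(?P<sid>[^\]]+)\]\s*=>\s*(?P<url>\S+)")


@dataclass
class Finding:
    severity: str   # critical / high / medium
    rule: str
    detail: str
    line: str


def basename(win_path: str) -> str:
    # Split on backslash explicitly so this also works when run on Linux/macOS.
    return win_path.rstrip("\\").rsplit("\\", 1)[-1]


def analyze(lines):
    """Return a list of Findings for FRST-style lines; unknown lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := IFEO_RE.match(line):
            image = m["image"].lower()
            rule, sev = (("ifeo-accessibility-backdoor", "critical")
                         if image in ACCESSIBILITY_BINARIES else ("ifeo-debugger", "medium"))
            findings.append(Finding(sev, rule, f"{image} -> {m['debugger']}", line))
        elif m := RUN_RE.search(line):
            # FRST appends " [size date] (publisher)" after the path; cut there.
            path = re.split(r"\s+\[\d", m["rest"], maxsplit=1)[0]
            if "\\temp\\" in path.lower():
                findings.append(Finding("high", "run-from-temp", f"{m['name']} => {path}", line))
        elif m := STARTUP_RE.match(line):
            if RANSOM_NOTE_RE.search(basename(m["path"])):
                findings.append(Finding("high", "ransom-note-startup", m["path"], line))
        elif m := PAC_RE.match(line):
            # FRST writes URLs defanged as hxxp; keep as-is in the finding.
            findings.append(Finding("medium", "proxy-autoconfig", f"{m['sid']} => {m['url']}", line))
    return findings


def summarize(findings) -> Counter:
    return Counter(f.rule for f in findings)


# Constructed excerpt: entries copied from the fixlist in the post above, plus
# two hypothetical control entries (notepad.exe IFEO, SecurityHealthSystray Run).
SAMPLE_FRST_LINES = [
    r"HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION",
    r"HKLM\...\Policies\Explorer: [ShowSuperHidden] 1",
    r"IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe",
    r"Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()",
    r"Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()",
    r"AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js",
    r"IFEO\notepad.exe: [Debugger] C:\Tools\windbg.exe",
    r"HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [3456 2016-01-01] (Microsoft Corporation)",
]

if __name__ == "__main__":
    for f in sorted(analyze(SAMPLE_FRST_LINES), key=lambda f: f.severity):
        print(f"[{f.severity:8}] {f.rule:28} {f.detail}")
```

Run it as `python frst_triage.py` (any name; the file name is my choice) on Python 3.8 or newer. Feed it `FRST.txt` or `Addition.txt` line by line and the IFEO finding is the one to chase first: an accessibility-binary debugger is remote-exploitable over RDP before authentication, so it also tells you the host was likely reachable and tampered with interactively, not just hit by a dropper. The registry key the fixlist deletes, `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe`, is the same place to verify on the live system after the fix runs.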
Kevin Zoll 309 Posted April 18, 2016 Report Share Posted April 18, 2016 Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.