Server with Ransomeware

[jaschultz 0]

here are the logs.

 

 

thanks

 

Addition.txt

FRST.txt

scan_160411-233041.txt

[Kevin Zoll 309]

Hello,

There is currently no tool that can be used to recover your original, unecrypted, files. I can help with removing the infection.

To remove the infection, do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2390302527-2383292128-4052601444-500\...\MountPoints2: {9d16bff1-66f8-11e5-80b4-806e6f6e6963} - "D:\setup.exe" 
IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe
AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js
URLSearchHook: [S-1-5-21-1489495786-843726036-337122057-1001] ATTENTION => Default URLSearchHook is missing
IE Session Restore: HKU\S-1-5-21-1489495786-843726036-337122057-1010 -> is enabled.
2016-04-11 13:17 - 2016-04-11 13:17 - 00000000 ____D C:\Users\sql\AppData\Local\Temp\3
2016-04-11 12:05 - 2016-04-11 13:52 - 10391552 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\sqla01b5.tmp
2016-04-10 06:39 - 2016-04-10 06:39 - 00000000 _____ C:\Users\tc\AppData\Local\Temp\tmpC337.tmp
2016-04-09 22:39 - 2016-04-11 11:35 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsu.tmp
2016-04-06 18:25 - 2016-04-11 00:00 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\nsa1BF5.tmp
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsuA.tmp
2016-04-02 17:59 - 2016-04-08 01:55 - 00000000 ____D C:\ProgramData\hsswpr
2016-04-01 12:39 - 2016-04-01 12:39 - 00000000 _____ C:\Users\Roy\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.46opera_autoupdate.metrics.lock
2016-04-01 12:39 - 2016-04-01 12:39 - 00000000 _____ C:\Users\Roy\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.46opera_autoupdate.download.lock
2016-03-28 16:07 - 2016-03-28 16:07 - 00020480 ____T C:\Users\tk\AppData\Local\Temp\~DF2FB0469DBAD5B348.TMP
2016-03-28 16:07 - 2016-03-28 16:07 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DF01C7E568F963837F.TMP
2016-03-28 15:59 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Roy\AppData\Local\Temp\10
2016-03-27 12:15 - 2016-03-28 02:59 - 00002052 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_1XDKXrJbBupqOpH
2016-03-27 12:14 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\{B5A402BF-CD1F-45CB-8965-8042436383A0}
2016-03-27 12:14 - 2016-03-28 16:24 - 00008200 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_nhoMnrtgWqDYpKs
2016-03-27 12:12 - 2016-03-28 02:59 - 00004104 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_EKHZNFn1WHdBgHV
2016-03-27 12:12 - 2016-03-27 12:12 - 00032768 ____T C:\Users\tk\AppData\Local\Temp\~DF88EF3450435AC03B.TMP
2016-03-27 12:12 - 2016-03-27 12:12 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DFAF8665CF596F1D20.TMP
2016-03-23 01:35 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\{BB3A07D2-410E-4E93-8547-4E9FDF990292}
2016-03-23 01:35 - 2016-03-23 01:35 - 00172032 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DFEF9B35CDB811D098.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00135168 ____T C:\Users\Intel\AppData\Local\Temp\~DF40E564EECA2C47DF.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00016384 ____T C:\Users\Intel\AppData\Local\Temp\~DF352D8A629C21D494.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00000000 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DF39FCCA420440AB98.TMP
2016-03-23 01:33 - 2016-04-10 06:39 - 00000000 ____D C:\Users\Test12
2016-03-23 01:33 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\3
2016-03-19 12:30 - 2016-03-19 12:30 - 00000000 _____ C:\Users\Jane\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.32opera_autoupdate.metrics.lock
2016-03-19 12:30 - 2016-03-19 12:30 - 00000000 _____ C:\Users\Jane\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.32opera_autoupdate.download.lock
2016-03-16 15:08 - 2016-03-16 15:08 - 00000123 _____ C:\Users\tk\AppData\Local\Temp\CFGC7FA.tmp
2016-03-16 02:56 - 2016-03-16 02:56 - 00016384 _____ C:\Users\tk\AppData\Local\Temp\~DFA04F57FFDC73B71E.TMP
2016-03-14 09:06 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\9
2016-04-11 23:36 - 2016-02-09 19:04 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\1
2016-04-11 15:01 - 2016-01-02 17:01 - 00000000 ____D C:\Users\QBDataServiceUser25\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2016-04-08 02:04 - 2016-03-07 02:34 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\7
2016-04-08 02:04 - 2016-03-02 23:54 - 00000000 ____D C:\Users\Jane\AppData\Local\Temp\4
2016-04-08 02:04 - 2016-02-22 02:45 - 00000000 ____D C:\Users\tc\AppData\Local\Temp\5
2016-04-08 02:04 - 2016-01-29 18:31 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\5
2016-04-08 02:01 - 2016-02-02 00:55 - 00000000 ____D C:\Users\dk\AppData\Local\Temp\6
2016-04-08 02:00 - 2016-01-26 09:10 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\4
2016-04-08 02:00 - 2016-01-26 01:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3
2016-03-26 01:13 - 2016-02-10 17:34 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\2
2016-01-03 01:20 - 2016-01-29 13:47 - 0037376 _____ () C:\Users\administrator.CHSC\AppData\Roaming\FileDrTool.log
2016-01-02 14:44 - 2016-01-02 16:42 - 0040702 _____ () C:\Users\administrator.CHSC\AppData\Roaming\QBFileDrTool.log
C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\Administrator\AppData\Local\Temp\5\5Gx1QaiFCpc3VP0.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

If you wish to remove the encryted files, do the following:

WARNING: Deleting the encrypted files will mean that you cannot decrypt the files in the future. Should a decryption tool become available.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk.crypt [2016-01-02]
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
2016-04-09 22:42 - 2016-04-09 22:53 - 00002036 _____ C:\Users\tk\Desktop\bomb.txt.crypt
2016-04-08 07:28 - 2016-04-08 07:28 - 00002298 _____ C:\Users\sql\Documents\reef.txt.crypt
2016-04-08 01:59 - 2016-04-08 01:59 - 00005552 _____ C:\Users\Test12\AppData\Local\Temp\WriteQBApplicationParameters.txt.crypt
2016-04-08 01:59 - 2016-04-08 01:59 - 00001315 _____ C:\Users\Test12\AppData\Local\Temp\EntitlementClientInstallLog.txt.crypt
2016-04-08 01:58 - 2016-04-08 01:59 - 00002313 _____ C:\Users\Test12\AppData\Local\Temp\Intuit.Spc.Map.Features.WindowsFirewallLog.txt.crypt
2016-04-07 15:35 - 2016-04-07 15:35 - 00001015 _____ C:\Users\sql\Desktop\TurboMailer.lnk.crypt
2016-04-06 17:02 - 2016-04-06 17:02 - 00001442 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-04-06 17:02 - 2014-02-22 00:37 - 00000369 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-04-06 17:02 - 2014-02-22 00:37 - 00000369 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-04-05 08:22 - 2016-04-05 08:22 - 00090082 _____ C:\Users\Administrator\Downloads\huuiu.jpg.crypt
2016-04-05 08:19 - 2016-04-05 08:19 - 00181544 _____ C:\Users\Administrator\Downloads\946431_10153979351609719_6379855436311776480_n.jpg.crypt
2016-04-04 07:09 - 2016-04-04 07:09 - 00002914 _____ C:\Users\tk\Downloads\bombing.txt.crypt
2016-03-29 01:47 - 2016-03-29 01:47 - 00022362 _____ C:\Users\Test12\Desktop\NMV1MX5_bu.jpg.crypt
2016-03-29 01:46 - 2016-03-29 01:46 - 00030268 _____ C:\Users\Test12\Desktop\longchamp-blue-le-pliage-tote-product-1-13016511-037257689_large_flex.jpg.crypt
2016-03-29 01:46 - 2016-03-29 01:46 - 00020714 _____ C:\Users\Test12\Desktop\81MIWgTXm0L._UY575_.jpg.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00114879 _____ C:\Users\Jane\Desktop\66.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00110978 _____ C:\Users\Jane\Desktop\11.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00108478 _____ C:\Users\Jane\Desktop\22.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00102505 _____ C:\Users\Jane\Desktop\33.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00076423 _____ C:\Users\Jane\Desktop\55.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00072799 _____ C:\Users\Jane\Desktop\44.png.crypt
2016-03-23 01:33 - 2016-03-23 01:33 - 00001442 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-03-23 01:33 - 2014-02-22 00:37 - 00000369 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-03-23 01:33 - 2014-02-22 00:37 - 00000369 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001204 _____ C:\Users\Public\Desktop\PROXIFIER.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001097 _____ C:\Users\Public\Desktop\SocksClient - HIDEPASS.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001077 _____ C:\Users\Public\Desktop\SocksClient.lnk.crypt
2016-03-17 03:18 - 2016-04-02 17:59 - 00000699 _____ C:\Users\tk\AppData\Local\Temp\HssInstaller.txt.crypt
2016-03-14 09:06 - 2016-03-14 09:06 - 00001442 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-03-14 09:06 - 2014-02-22 00:37 - 00000369 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-03-14 09:06 - 2014-02-22 00:37 - 00000369 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-04-07 00:03 - 2016-01-02 17:01 - 00018192 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\QBSearchIndexerError.txt.crypt
2016-04-01 01:29 - 2016-03-03 03:27 - 00001023 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk.crypt
2016-03-30 19:20 - 2016-01-26 13:08 - 00002175 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk.crypt
2016-03-30 19:20 - 2016-01-26 13:08 - 00002163 _____ C:\Users\Public\Desktop\Google Chrome.lnk.crypt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files (x86)\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Roaming\HOW TO DECRYPT FILES.txt
2016-01-24 15:19 - 2016-01-24 15:19 - 0441418 _____ () C:\Users\administrator.CHSC\AppData\Local\dd_vcredistMSI4503.txt.crypt
2016-01-24 15:19 - 2016-01-24 15:19 - 0019810 _____ () C:\Users\administrator.CHSC\AppData\Local\dd_vcredistUI4503.txt.crypt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Local\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\ProgramData\HOW TO DECRYPT FILES.txt

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[jaschultz 0]

thanks,

 

here is the log

 

Fixlog.txt

[Kevin Zoll 309]

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[jaschultz 0]

all the .lnk files were encrypted as well.  so I am unable to launch any programs.

and I'm still getting the decrypt files TXT file opening at startup.

 

FRST.txt

scan_160422-225242.txt

[Kevin Zoll 309]

This will get rid of the How To Decrypt messages.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

You can try the Gomasom decryption tool. Your infection might be related.

http://www.bleepingcomputer.com/news/security/gomasom-crypt-ransomware-decrypted/

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.