jaschultz (Posted April 18, 2016)

Here are the logs. Thanks.

Attachments: Addition.txt, FRST.txt, scan_160411-233041.txt
Kevin Zoll (Posted April 19, 2016)

Hello,

There is currently no tool that can be used to recover your original, unencrypted files. I can help with removing the infection.

To remove the infection, do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2390302527-2383292128-4052601444-500\...\MountPoints2: {9d16bff1-66f8-11e5-80b4-806e6f6e6963} - "D:\setup.exe"
IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe
AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js
URLSearchHook: [S-1-5-21-1489495786-843726036-337122057-1001] ATTENTION => Default URLSearchHook is missing
IE Session Restore: HKU\S-1-5-21-1489495786-843726036-337122057-1010 -> is enabled.
2016-04-11 13:17 - 2016-04-11 13:17 - 00000000 ____D C:\Users\sql\AppData\Local\Temp\3
2016-04-11 12:05 - 2016-04-11 13:52 - 10391552 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\sqla01b5.tmp
2016-04-10 06:39 - 2016-04-10 06:39 - 00000000 _____ C:\Users\tc\AppData\Local\Temp\tmpC337.tmp
2016-04-09 22:39 - 2016-04-11 11:35 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsu.tmp
2016-04-06 18:25 - 2016-04-11 00:00 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\5
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\nsa1BF5.tmp
2016-04-02 17:59 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\~nsuA.tmp
2016-04-02 17:59 - 2016-04-08 01:55 - 00000000 ____D C:\ProgramData\hsswpr
2016-04-01 12:39 - 2016-04-01 12:39 - 00000000 _____ C:\Users\Roy\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.46opera_autoupdate.metrics.lock
2016-04-01 12:39 - 2016-04-01 12:39 - 00000000 _____ C:\Users\Roy\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.46opera_autoupdate.download.lock
2016-03-28 16:07 - 2016-03-28 16:07 - 00020480 ____T C:\Users\tk\AppData\Local\Temp\~DF2FB0469DBAD5B348.TMP
2016-03-28 16:07 - 2016-03-28 16:07 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DF01C7E568F963837F.TMP
2016-03-28 15:59 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Roy\AppData\Local\Temp\10
2016-03-27 12:15 - 2016-03-28 02:59 - 00002052 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_1XDKXrJbBupqOpH
2016-03-27 12:14 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\{B5A402BF-CD1F-45CB-8965-8042436383A0}
2016-03-27 12:14 - 2016-03-28 16:24 - 00008200 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_nhoMnrtgWqDYpKs
2016-03-27 12:12 - 2016-03-28 02:59 - 00004104 ___HT C:\Users\Jane\AppData\Local\Temp\etilqs_EKHZNFn1WHdBgHV
2016-03-27 12:12 - 2016-03-27 12:12 - 00032768 ____T C:\Users\tk\AppData\Local\Temp\~DF88EF3450435AC03B.TMP
2016-03-27 12:12 - 2016-03-27 12:12 - 00016384 ____T C:\Users\tk\AppData\Local\Temp\~DFAF8665CF596F1D20.TMP
2016-03-23 01:35 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\{BB3A07D2-410E-4E93-8547-4E9FDF990292}
2016-03-23 01:35 - 2016-03-23 01:35 - 00172032 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DFEF9B35CDB811D098.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00135168 ____T C:\Users\Intel\AppData\Local\Temp\~DF40E564EECA2C47DF.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00016384 ____T C:\Users\Intel\AppData\Local\Temp\~DF352D8A629C21D494.TMP
2016-03-23 01:35 - 2016-03-23 01:35 - 00000000 ____T C:\Users\administrator.CHSC\AppData\Local\Temp\~DF39FCCA420440AB98.TMP
2016-03-23 01:33 - 2016-04-10 06:39 - 00000000 ____D C:\Users\Test12
2016-03-23 01:33 - 2016-04-08 02:04 - 00000000 ____D C:\Users\Test12\AppData\Local\Temp\3
2016-03-19 12:30 - 2016-03-19 12:30 - 00000000 _____ C:\Users\Jane\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.32opera_autoupdate.metrics.lock
2016-03-19 12:30 - 2016-03-19 12:30 - 00000000 _____ C:\Users\Jane\AppData\Local\Temp\CProgram Files (x86)Opera36.0.2130.32opera_autoupdate.download.lock
2016-03-16 15:08 - 2016-03-16 15:08 - 00000123 _____ C:\Users\tk\AppData\Local\Temp\CFGC7FA.tmp
2016-03-16 02:56 - 2016-03-16 02:56 - 00016384 _____ C:\Users\tk\AppData\Local\Temp\~DFA04F57FFDC73B71E.TMP
2016-03-14 09:06 - 2016-04-08 02:05 - 00000000 ____D C:\Users\tk\AppData\Local\Temp\9
2016-04-11 23:36 - 2016-02-09 19:04 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\1
2016-04-11 15:01 - 2016-01-02 17:01 - 00000000 ____D C:\Users\QBDataServiceUser25\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2016-04-08 02:04 - 2016-03-07 02:34 - 00000000 ____D C:\Users\Intel\AppData\Local\Temp\7
2016-04-08 02:04 - 2016-03-02 23:54 - 00000000 ____D C:\Users\Jane\AppData\Local\Temp\4
2016-04-08 02:04 - 2016-02-22 02:45 - 00000000 ____D C:\Users\tc\AppData\Local\Temp\5
2016-04-08 02:04 - 2016-01-29 18:31 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\5
2016-04-08 02:01 - 2016-02-02 00:55 - 00000000 ____D C:\Users\dk\AppData\Local\Temp\6
2016-04-08 02:00 - 2016-01-26 09:10 - 00000000 ____D C:\Users\administrator.CHSC\AppData\Local\Temp\4
2016-04-08 02:00 - 2016-01-26 01:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\3
2016-03-26 01:13 - 2016-02-10 17:34 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\2
2016-01-03 01:20 - 2016-01-29 13:47 - 0037376 _____ () C:\Users\administrator.CHSC\AppData\Roaming\FileDrTool.log
2016-01-02 14:44 - 2016-01-02 16:42 - 0040702 _____ () C:\Users\administrator.CHSC\AppData\Roaming\QBFileDrTool.log
C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\administrator.CHSC\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe
C:\Users\Administrator\AppData\Local\Temp\5\5Gx1QaiFCpc3VP0.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

If you wish to remove the encrypted files, do the following:

WARNING: Deleting the encrypted files will mean that you cannot decrypt the files in the future, should a decryption tool become available.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk.crypt [2016-01-02]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk.crypt [2016-01-02]
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
2016-04-09 22:42 - 2016-04-09 22:53 - 00002036 _____ C:\Users\tk\Desktop\bomb.txt.crypt
2016-04-08 07:28 - 2016-04-08 07:28 - 00002298 _____ C:\Users\sql\Documents\reef.txt.crypt
2016-04-08 01:59 - 2016-04-08 01:59 - 00005552 _____ C:\Users\Test12\AppData\Local\Temp\WriteQBApplicationParameters.txt.crypt
2016-04-08 01:59 - 2016-04-08 01:59 - 00001315 _____ C:\Users\Test12\AppData\Local\Temp\EntitlementClientInstallLog.txt.crypt
2016-04-08 01:58 - 2016-04-08 01:59 - 00002313 _____ C:\Users\Test12\AppData\Local\Temp\Intuit.Spc.Map.Features.WindowsFirewallLog.txt.crypt
2016-04-07 15:35 - 2016-04-07 15:35 - 00001015 _____ C:\Users\sql\Desktop\TurboMailer.lnk.crypt
2016-04-06 17:02 - 2016-04-06 17:02 - 00001442 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-04-06 17:02 - 2014-02-22 00:37 - 00000369 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-04-06 17:02 - 2014-02-22 00:37 - 00000369 _____ C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-04-05 08:22 - 2016-04-05 08:22 - 00090082 _____ C:\Users\Administrator\Downloads\huuiu.jpg.crypt
2016-04-05 08:19 - 2016-04-05 08:19 - 00181544 _____ C:\Users\Administrator\Downloads\946431_10153979351609719_6379855436311776480_n.jpg.crypt
2016-04-04 07:09 - 2016-04-04 07:09 - 00002914 _____ C:\Users\tk\Downloads\bombing.txt.crypt
2016-03-29 01:47 - 2016-03-29 01:47 - 00022362 _____ C:\Users\Test12\Desktop\NMV1MX5_bu.jpg.crypt
2016-03-29 01:46 - 2016-03-29 01:46 - 00030268 _____ C:\Users\Test12\Desktop\longchamp-blue-le-pliage-tote-product-1-13016511-037257689_large_flex.jpg.crypt
2016-03-29 01:46 - 2016-03-29 01:46 - 00020714 _____ C:\Users\Test12\Desktop\81MIWgTXm0L._UY575_.jpg.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00114879 _____ C:\Users\Jane\Desktop\66.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00110978 _____ C:\Users\Jane\Desktop\11.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00108478 _____ C:\Users\Jane\Desktop\22.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00102505 _____ C:\Users\Jane\Desktop\33.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00076423 _____ C:\Users\Jane\Desktop\55.png.crypt
2016-03-25 07:31 - 2016-03-15 21:30 - 00072799 _____ C:\Users\Jane\Desktop\44.png.crypt
2016-03-23 01:33 - 2016-03-23 01:33 - 00001442 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-03-23 01:33 - 2014-02-22 00:37 - 00000369 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-03-23 01:33 - 2014-02-22 00:37 - 00000369 _____ C:\Users\Test12\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001204 _____ C:\Users\Public\Desktop\PROXIFIER.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001097 _____ C:\Users\Public\Desktop\SocksClient - HIDEPASS.lnk.crypt
2016-03-21 21:36 - 2016-03-21 21:36 - 00001077 _____ C:\Users\Public\Desktop\SocksClient.lnk.crypt
2016-03-17 03:18 - 2016-04-02 17:59 - 00000699 _____ C:\Users\tk\AppData\Local\Temp\HssInstaller.txt.crypt
2016-03-14 09:06 - 2016-03-14 09:06 - 00001442 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk.crypt
2016-03-14 09:06 - 2014-02-22 00:37 - 00000369 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk.crypt
2016-03-14 09:06 - 2014-02-22 00:37 - 00000369 _____ C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk.crypt
2016-04-07 00:03 - 2016-01-02 17:01 - 00018192 _____ C:\Users\QBDataServiceUser25\AppData\Local\Temp\QBSearchIndexerError.txt.crypt
2016-04-01 01:29 - 2016-03-03 03:27 - 00001023 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk.crypt
2016-03-30 19:20 - 2016-01-26 13:08 - 00002175 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk.crypt
2016-03-30 19:20 - 2016-01-26 13:08 - 00002163 _____ C:\Users\Public\Desktop\Google Chrome.lnk.crypt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Program Files (x86)\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Roaming\HOW TO DECRYPT FILES.txt
2016-01-24 15:19 - 2016-01-24 15:19 - 0441418 _____ () C:\Users\administrator.CHSC\AppData\Local\dd_vcredistMSI4503.txt.crypt
2016-01-24 15:19 - 2016-01-24 15:19 - 0019810 _____ () C:\Users\administrator.CHSC\AppData\Local\dd_vcredistUI4503.txt.crypt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\Users\administrator.CHSC\AppData\Local\HOW TO DECRYPT FILES.txt
2016-01-02 21:00 - 2015-01-27 19:47 - 0000423 _____ () C:\ProgramData\HOW TO DECRYPT FILES.txt

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
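Added example (not part of the thread and not FRST's own code): a small Python scanner that reads lines in the format FRST writes and flags the kinds of entries Kevin's fixlist above removes. It picks out an Image File Execution Options "Debugger" value on an accessibility binary (the IFEO\sethc.exe entry), a Run entry launching from a Temp folder, an AutoConfigURL proxy script served from loopback, ransom notes dropped into Startup folders, and files carrying the .crypt extension. The sample lines are constructed from the entries quoted in this thread; the category names, regular expressions and the list of accessibility binaries are my own choices, not anything FRST defines.

```python
import re
from collections import Counter

# Constructed sample in the line format FRST (Farbar Recovery Scan Tool) writes,
# modelled on entries quoted in the thread. Assembled for this example; not a real log.
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [Alcmeter] => C:\Users\ADMINI~1.CHS\AppData\Local\Temp\1\5Gx1QaiFCpc3VP0.exe [12800 2015-01-27] () <===== ATTENTION
HKLM\...\Run: [VendorUpdater] => C:\Program Files\Vendor\update.exe [123456 2015-06-01] (Vendor)
IFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exe
AutoConfigURL: [S-1-5-21-2390302527-2383292128-4052601444-500] => hxxp://127.0.0.1:895/proxy.js
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk.crypt [2016-01-02]
2016-04-09 22:42 - 2016-04-09 22:53 - 00002036 _____ C:\Users\tk\Desktop\bomb.txt.crypt
2016-04-08 02:04 - 2016-01-29 18:31 - 00000000 ____D C:\Users\fk\AppData\Local\Temp\5
""".strip().splitlines()

# Windows accessibility helpers reachable from the logon screen. An IFEO "Debugger"
# value on any of them means a different program runs in their place (my list).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$", re.I)
AUTORUN_RE = re.compile(
    r"^HK[A-Z]+(?:\\[^\\]+)?(?:-x32)?\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] => (?P<path>.+?\.exe)\b", re.I)
PAC_RE = re.compile(r"^AutoConfigURL: \[(?P<sid>[^\]]+)\] => (?P<url>\S+)", re.I)
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \[\d{4}-\d{2}-\d{2}\]", re.I)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]+ (?P<path>.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.I)
# FRST defangs URLs as hxxp://, so accept both spellings.
LOOPBACK_RE = re.compile(
    r"^h(?:xx|tt)ps?://(?:127\.\d+\.\d+\.\d+|localhost|\[::1\])(?::\d+)?(?:/|$)", re.I)


def _item_path(line):
    """Path named by a Startup: entry or a dated file/folder entry, else None."""
    m = STARTUP_RE.match(line) or FILE_RE.match(line)
    return m.group("path") if m else None


def classify_line(line):
    """Return (category, detail) findings for one FRST line; empty list if nothing stands out."""
    findings = []
    m = IFEO_RE.match(line)
    if m and m.group("image").lower() in ACCESSIBILITY_BINARIES:
        findings.append(("ifeo_accessibility_hijack", f"{m.group('image')} -> {m.group('debugger')}"))
    m = AUTORUN_RE.match(line)
    if m and TEMP_RE.search(m.group("path")):
        findings.append(("autorun_from_temp", f"{m.group('name')} -> {m.group('path')}"))
    m = PAC_RE.match(line)
    if m:
        # A PAC script on loopback points the browser at a proxy on the box itself.
        category = "pac_loopback_proxy" if LOOPBACK_RE.match(m.group("url")) else "pac_configured"
        findings.append((category, m.group("url")))
    path = _item_path(line)
    if path:
        name = path.rsplit("\\", 1)[-1].lower()
        if STARTUP_RE.match(line) and "how to decrypt" in name:
            findings.append(("ransom_note_in_startup", path))
        if name.endswith(".crypt"):
            findings.append(("encrypted_file", path))
    return findings


def scan_frst_lines(lines):
    """Scan an iterable of FRST lines and return every finding in file order."""
    return [finding for line in lines for finding in classify_line(line)]


def summarize(findings):
    """Count findings per category."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    results = scan_frst_lines(SAMPLE_FRST_LINES)
    for category, detail in results:
        print(f"{category:28} {detail}")
    print(dict(summarize(results)))
```

Run against a real FRST.txt, the same functions take `open("FRST.txt", encoding="utf-8", errors="replace")` in place of the sample list. The vendor Run entry in the sample deliberately produces no finding, so the output reads as a short list of things to review rather than a copy of the log.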
jaschultz (Posted April 19, 2016)

Thanks, here is the log.

Attachment: Fixlog.txt
Kevin Zoll (Posted April 20, 2016)

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.
jaschultz (Posted April 22, 2016)

All the .lnk files were encrypted as well, so I am unable to launch any programs. And I'm still getting the decrypt files TXT file opening at startup.

Attachments: FRST.txt, scan_160422-225242.txt
Kevin Zoll (Posted April 22, 2016)

This will get rid of the How To Decrypt messages.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\administrator.CHSC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\dk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\fk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Intel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\Roy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()
Startup: C:\Users\tk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2015-01-27] ()

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

You can try the Gomasom decryption tool. Your infection might be related.
http://www.bleepingcomputer.com/news/security/gomasom-crypt-ransomware-decrypted/
Kevin Zoll (Posted April 25, 2016)

Thread Closed
Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.