aschuch, posted May 28, 2016:

Hello, my client just got infected with the Locky virus.... Unfortunately the mapped drives got infected and we need the data. Since I assume that you can't decrypt the files yet, can you tell me if we would get the key if we paid the 4 BTC? We need the files. (I know about backups... the server is safe, but it affected the NAS, and those files are mirrored but not backed up.) Please let me know if you have any ideas. Thank you.

Attached: Addition.txt, FRST.txt, scan_160528-164335.txt
aschuch, posted May 30, 2016:

Would it help if I could offer a file, encrypted and decrypted? I found one that the virus infected but didn't delete in time...
Kevin Zoll, posted May 30, 2016:

You are infected with Locky and not AutoLocky. Files that have been encrypted by Locky cannot be decrypted.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Winlogon\Notify\ScCertProp: wlnotify.dll [X]
2016-04-28 09:33 - 2016-04-28 09:33 - 00000000 ____D C:\Users\USER2b\AppData\Local\ACP
Task: {0B35D866-76EC-4D1F-B634-F0D3EE0AFE2F} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {33B1B314-075F-4E71-965F-7C7C8292721A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3B80BF01-0D4C-4B76-8AA4-9D5759F80AE4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {630E5403-7D0F-47F8-B5BD-BE7A3A56BF55} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {696B5A85-4307-4B66-8D6F-E330061E953E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6CD6C52A-215F-46F2-B8BC-7FFB3EBDB456} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {77CF439D-BAEA-47B9-BAED-2C8F9BD39334} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7A5CB700-9348-4BD0-918E-9F0EEFB5021E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7F848CCE-A615-454C-B40E-00EC76C928AE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {85177D4D-7806-412E-834A-2FF19E7E70F0} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B4B90B0C-08F4-4DAF-A5DD-57FEC655B8E0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D52D1838-89D5-4417-B7EB-3B036F9783C6} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
aschuch, posted May 31, 2016:

Thank you for helping. Am I right that this file just eliminates the virus from the machine? We disconnected the computer from the network anyway. Does the virus spread over the LAN as well, or does the virus only operate from the one machine and destroy the files in the LAN? Do you think you will ever be able to decrypt the files? Shall we pay?
Kevin Zoll, posted May 31, 2016:

The script I sent only eliminates what is shown in the script. Some ransomware variants are capable of encrypting network shares; at present none of the ransomware variants have displayed the ability to infect other machines on the network.
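The practical follow-up to the point above is working out which machine did the encrypting over the share. The script below is an added triage example by the editor; it is not code from the thread, from FRST or from Malwarebytes. It walks the affected share read-only, collects the Locky artifacts and groups them by file owner: a file created over SMB is owned by the account that created it, so the dominant owner names the user session (and therefore the workstation) the ransomware ran under, and the earliest and latest write times bound the encryption window. It assumes the share is mapped as Z:\ (a hypothetical mapping, change $Root), that encrypted files are named as 32 hexadecimal characters followed by .locky, and that the ransom notes are _Locky_recover_instructions.txt and .bmp, as the Locky variant circulating in May 2016 named them; the CSV path is likewise an assumption.

```powershell
<#
Added triage example (editor's code, not from the thread, FRST or Malwarebytes).
Lists Locky artifacts on an encrypted share, grouped by the account that created
them, and writes a full CSV for the incident record. Read-only: nothing on the
share is modified.

Assumptions:
  - the share is reachable as $Root (default Z:\, a hypothetical mapping);
  - encrypted files are named <32 hex chars>.locky and the ransom notes are
    _Locky_recover_instructions.txt / .bmp (May 2016 Locky naming);
  - $ReportCsv is an arbitrary output path.
#>
param(
    [string]$Root      = 'Z:\',
    [string]$ReportCsv = (Join-Path $env:USERPROFILE 'locky_triage.csv')
)

$EncryptedPattern = '^[0-9A-F]{32}\.locky$'
$NoteNames        = @('_Locky_recover_instructions.txt', '_Locky_recover_instructions.bmp')

# Walk the share once. Folders we cannot read are skipped rather than aborting the scan.
$artifacts = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch $EncryptedPattern -or ($NoteNames -contains $_.Name) } |
    ForEach-Object {
        # Owner of a file created over SMB is the creating account; unreadable ACLs are flagged, not fatal.
        $owner = '<unreadable>'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            Kind      = if ($_.Name -imatch $EncryptedPattern) { 'encrypted' } else { 'note' }
            Owner     = $owner
            Written   = $_.LastWriteTime
            Directory = $_.DirectoryName
            Path      = $_.FullName
        }
    }

if (-not $artifacts) {
    Write-Host "No Locky artifacts found under $Root"
    return
}

# One owner holding (almost) all artifacts is the account the ransomware ran under;
# a second owner with a meaningful count usually means a second infected session.
$artifacts |
    Group-Object Owner |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Written)
        [pscustomobject]@{
            Owner      = $_.Name
            Encrypted  = @($_.Group | Where-Object Kind -eq 'encrypted').Count
            Notes      = @($_.Group | Where-Object Kind -eq 'note').Count
            FirstWrite = $sorted[0].Written
            LastWrite  = $sorted[-1].Written
        }
    } |
    Format-Table -AutoSize

# Full listing, oldest first, for the incident record and for scoping the restore from the mirror.
$artifacts | Sort-Object Written | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation
Write-Host "Wrote $(@($artifacts).Count) artifact records to $ReportCsv"
```

Run it from a clean machine with the share mounted, not from the suspect workstation. If the NAS is a Samba or vendor appliance rather than a Windows server, the owner reported through Get-Acl depends on how that appliance maps SMB sessions to owners; where it shows a generic account for everything, fall back on the NAS's own SMB audit or connection log for the same time window that FirstWrite and LastWrite bracket.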
Kevin Zoll, posted June 3, 2016:

Thread Closed. Reason: Lack of Response.

PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting malware removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.