
Help! My PC is infected with Locky Ransomware!



Unfortunately, Locky encrypted files cannot be decrypted.

I can help with removing the infection.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2016-05-25 23:58 - 2015-02-25 08:46 - 00003230 _____ C:\Windows\System32\Tasks\{7BE7F44B-9211-45FA-98E5-7C062A7C9AE8}
2013-12-19 09:34 - 2014-07-19 07:18 - 0000223 _____ () C:\Users\Michael\AppData\Roaming\WB.CFG
2015-09-22 14:00 - 2015-09-22 14:00 - 0003757 _____ () C:\Users\Michael\AppData\Local\recently-used.xbel
2015-01-31 21:53 - 2015-01-31 21:53 - 0000057 _____ () C:\ProgramData\Ament.ini
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1395833097-3149699993-3059009772-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Michael\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {22389DEB-46BE-481C-B7D1-58C6A0210DBD} - System32\Tasks\UpdaterEX => C:\Users\Michael\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {4346E96D-6619-4649-A30A-EA674B0C3467} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
Task: {FA521FE3-E024-4764-9CDE-7CFB1151819B} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Michael\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:0B79AB8D [236]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:3D36932D [400]
AlternateDataStreams: C:\ProgramData\TEMP:96AFAB10 [428]
C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\4v1rfv1l.default-1390250997693\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
C:\ProgramData\apn
C:\ProgramData\Yahoo! Companion
C:\Windows\Tasks\UpdaterEX.job
Reg: reg delete "HKEY_USERS\S-1-5-21-1395833097-3149699993-3059009772-1001\SOFTWARE\CONDUIT" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN.1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1395833097-3149699993-3059009772-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1395833097-3149699993-3059009772-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1395833097-3149699993-3059009772-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1395833097-3149699993-3059009772-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR" /v "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YAHOO! COMPANION" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YAHOO! TOOLBAR" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

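A post-fix verification script, added here as an example and not part of the original post or of FRST. After the Fix run, it re-checks the persistence points the fixlist above targets: the AppInit_DLLs loader entry, the UpdaterEX scheduled task and .job file, the alternate data streams on C:\ProgramData\TEMP, the Conduit and Yahoo toolbar registry keys, and the leftover ProgramData folders. The paths, CLSIDs and SID are taken from the fixlist; the script, its output format and the AppInit_DLLs key locations are assumptions. It needs PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt.

```powershell
# Added verification script (assumption: not from the original thread or FRST).
# Re-checks each class of item the fixlist removed and reports anything that survived.
# Requires PowerShell 3.0+ and an elevated prompt.

$findings = @()

# 1. AppInit_DLLs should be empty in both the native and WOW64 views
#    (the fixlist removed the SearchProtect SPVC64Loader.dll entry).
$appInitKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($key in $appInitKeys) {
    $v = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($v) { $findings += "AppInit_DLLs still set in ${key}: $v" }
}

# 2. Scheduled tasks: UpdaterEX must be gone, and nothing should run out of AppData.
#    schtasks is used rather than Get-ScheduledTask so this also works on Windows 7.
#    /V CSV output repeats the header row per task folder, so those rows are dropped.
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    if ($t.TaskName -match 'UpdaterEX' -or $t.'Task To Run' -match 'AppData\\(Roaming|Local)\\') {
        $findings += "Suspicious task: $($t.TaskName) -> $($t.'Task To Run')"
    }
}
if (Test-Path -LiteralPath 'C:\Windows\Tasks\UpdaterEX.job') {
    $findings += 'C:\Windows\Tasks\UpdaterEX.job still present'
}

# 3. Alternate data streams on C:\ProgramData\TEMP (only the default :$DATA stream is expected).
if (Test-Path -LiteralPath 'C:\ProgramData\TEMP') {
    Get-Item -LiteralPath 'C:\ProgramData\TEMP' -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings += "ADS remains: $($_.FileName):$($_.Stream) [$($_.Length)]" }
}

# 4. Registry keys the fixlist deleted (user SID and CLSIDs copied from the fixlist).
$sid  = 'S-1-5-21-1395833097-3149699993-3059009772-1001'
$keys = @(
    "Registry::HKEY_USERS\$sid\SOFTWARE\CONDUIT",
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key remains: $k" }
}

# 5. Leftover folders the fixlist deleted.
foreach ($p in 'C:\ProgramData\apn', 'C:\ProgramData\Yahoo! Companion') {
    if (Test-Path -LiteralPath $p) { $findings += "Folder remains: $p" }
}

if ($findings.Count -eq 0) {
    'All fixlist targets verified removed.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

-LiteralPath is used throughout because several of the paths contain braces and an exclamation mark, which Test-Path would otherwise treat as wildcard characters. A non-empty findings list after the Fix run is what you would compare against Fixlog.txt before declaring the machine clean.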

Thank you for your help. Here is the fix log. I have a couple of questions real quick. Should I hold on to the encrypted files in case a decryption key is developed? Will this happen to any more files I download now? How do I stop this from happening again? Thank you very much for your time.

 

-Mike

Fixlog.txt


Yes, you should hold onto the encrypted files, just in case a decryption tool becomes available.

Once the infection has been removed, no further files should get encrypted.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.
