bkiwan Posted July 21, 2016

Hello Dears,

All our files are infected and encrypted with the .XTBL extension (including the SQL DB). I followed the procedure steps that you requested, and all the required log files are attached. Awaiting your kind support for this urgent case.

Attachments: scan_160721-103552.txt, FRST.txt, Addition.txt
Kevin Zoll Posted July 21, 2016

Hello,

Encrypted files with the xtbl extension cannot be decrypted.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

```
HKLM\...\Run: [kghniyoh] => C:\Windows\System32\[email protected]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2811035814-3685519089-1505991472-1130\...\MountPoints2: {45339bca-c429-11e3-8989-806e6f6e6963} - E:\Autorun.exe
HKU\S-1-5-21-2811035814-3685519089-1505991472-1130\...\MountPoints2: {8743a86d-39a6-11e4-958f-babad6e8e5c6} - F:\setup.exe
Startup: C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How to decrypt your files.jpg [2016-07-21] ()
Startup: C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How to decrypt your files.txt [2016-07-21] ()
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
2016-07-21 10:34 - 2016-07-21 10:36 - 00000000 ____D C:\Users\bkiwan\AppData\Local\Temp\tmp00001d35
2016-07-21 10:34 - 2016-07-21 10:34 - 02053586 ____T C:\Users\bkiwan\AppData\Local\Temp\E61C750ABE4C48C7A3CDA6D5619635B1.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 02053586 ____T C:\Users\bkiwan\AppData\Local\Temp\89819AA7EEBA409D8850E7FB1CE9EB1F.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 02053586 ____T C:\Users\bkiwan\AppData\Local\Temp\29321768B2584DE580B9DA253B655B79.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 01747238 ____T C:\Users\bkiwan\AppData\Local\Temp\A7E9554B318749E394DEB8EAD33F0B56.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 01747238 ____T C:\Users\bkiwan\AppData\Local\Temp\96444C5F96BE4B6191242FF2127607B6.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 01695376 ____T C:\Users\bkiwan\AppData\Local\Temp\F57A59AF8FF74C00B7D232083BE33320.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00834951 ____T C:\Users\bkiwan\AppData\Local\Temp\FB7A5FB214624C8A8A77BEAB8E756934.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00834951 ____T C:\Users\bkiwan\AppData\Local\Temp\D95A0C94816747D0943B9B38B77850D8.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00834951 ____T C:\Users\bkiwan\AppData\Local\Temp\12274CF1B25E4C32AD6D4409B61FE736.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00718283 ____T C:\Users\bkiwan\AppData\Local\Temp\EEC4FF9043544567A99D73F864C1F7A5.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00718283 ____T C:\Users\bkiwan\AppData\Local\Temp\0B1F1F0A81EF4B5BB282BE235ECAF2A4.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00699243 ____T C:\Users\bkiwan\AppData\Local\Temp\A61128B40E08446DB186B7E439E6DE85.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00079884 ____T C:\Users\bkiwan\AppData\Local\Temp\E2D4C975E9CC42A1BC8CB8B311682E22.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00079884 ____T C:\Users\bkiwan\AppData\Local\Temp\C6CBCB2D26E64263991A8BD157E386D0.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00079884 ____T C:\Users\bkiwan\AppData\Local\Temp\23B70E6D90D246B9BB4397A5E9B8C54D.tmp
2016-07-21 10:34 - 2016-07-21 10:34 - 00052164 ____T C:\Users\bkiwan\AppData\Local\Temp\9AD45A6448054BC6B63161E382419F6B.tmp
2016-07-21 05:23 - 2016-05-26 12:47 - 00000000 ____D C:\Users\SYSTEM_USER\AppData\Local\Temp\6
2016-07-21 05:21 - 2016-05-26 12:33 - 00000000 ____D C:\Users\alpha\AppData\Local\Temp\4
C:\Users\bkiwan\AppData\Local\Temp\2\ReimagePackage.exe
C:\Users\bkiwan\AppData\Local\Temp\2\sqlite3.exe
Task: {3BD2AD39-C1E5-474C-A686-320B6D2554E3} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2016-05-27] (Reimage®) <==== ATTENTION
Task: {51A20EA7-EFB5-4528-87F4-50DC4AED561E} - System32\Tasks\GoogleUpdateTaskMachineSvc => /nw <==== ATTENTION
Task: {8209253D-E60B-44B5-8C53-96C794C909AD} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2016-07-11] (Reimage ltd.) <==== ATTENTION
C:\Users\TEMP\Downloads\[email protected]
```

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
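The fixlist above touches three persistence locations on the infected host: a value under HKLM\...\Run, two ransom notes in a profile's Startup folder, and three scheduled tasks marked ATTENTION. The following read-only triage script is an added example for this thread; it is not part of the forum post and not part of FRST. It enumerates those same locations on a Windows host, flags entries that share the traits visible in the fixlist (a ransom-note name, a target under Temp or a user profile, an e-mail address in the file name, or a task/Run target outside Program Files and the Windows directory), and counts the .xtbl files under the user profiles so the responder can gauge the scope. It goes beyond the single fixlist by walking every profile and every task rather than the specific entries Kevin listed; the heuristics are general assumptions, not indicators from the page, and the only page-derived strings are the ransom-note name and the .xtbl extension.

```powershell
# Added triage script (not from the forum post, not part of FRST): read-only
# enumeration of the persistence locations that the fixlist above cleans up.
# Run from an elevated Windows PowerShell 5.1 prompt on the affected host.
# The "How to decrypt your files" note name and the .xtbl extension come from
# the thread; every other heuristic below is an assumption, not a fixed IoC.

$ransomNotePattern = 'How to decrypt your files'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Name, [string]$Target) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Target = $Target })
}

# 1. Machine-wide Run keys (the fixlist removes the [kghniyoh] value from HKLM\...\Run)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath metadata
        Add-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Every profile's Startup folder (where the ransom notes were dropped)
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (-not (Test-Path $startup)) { continue }
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        Add-Finding 'Startup folder' $f.Name $f.FullName
    }
}

# 3. Scheduled task actions (the fixlist flags three tasks with <==== ATTENTION)
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # COM-handler actions have no Execute
        Add-Finding "Task $($task.TaskPath)$($task.TaskName)" $task.TaskName ("$($action.Execute) $($action.Arguments)".Trim())
    }
}

# Heuristics (assumed): ransom-note names, targets under Temp or a user profile,
# e-mail-style file names, and Run/task targets outside Program Files or Windows.
# PowerShell's -match is case-insensitive by default, so no (?i) is needed.
$trusted = '^"?[A-Z]:\\(Program Files( \(x86\))?|Windows)\\'
$report = foreach ($f in $findings) {
    $reasons = @()
    if ($f.Name -match $ransomNotePattern) { $reasons += 'ransom note name' }
    if ($f.Target -match '\\Temp\\')       { $reasons += 'runs from Temp' }
    if ($f.Target -match '\\Users\\')      { $reasons += 'runs from a user profile' }
    if ($f.Target -match '@')              { $reasons += 'e-mail address in file name' }
    if ($f.Target -and $f.Location -notlike 'Startup*' -and $f.Target -notmatch $trusted) {
        $reasons += 'outside Program Files/Windows'
    }
    if ($reasons.Count -gt 0) {
        $f | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join ', ') -PassThru
    }
}
$report | Format-Table -AutoSize -Wrap

# 4. Scope of the encryption: count .xtbl files under the profiles (read-only)
$xtbl = @(Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.xtbl' -File -ErrorAction SilentlyContinue)
"Encrypted (.xtbl) files under C:\Users: $($xtbl.Count)"
```

The script changes nothing; its output is a list to compare against the FRST logs before a fixlist is written, and a rough count of encrypted files for the recovery discussion that follows. Expect some legitimate entries to be flagged (for example, a vendor updater that lives under a user profile), so every hit still needs a human look at the file on disk.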
bkiwan Posted July 23, 2016

This is the fixlog file, thanks.

Attachment: Fixlog.txt
Kevin Zoll Posted July 25, 2016

That should take care of the infection itself. The encrypted files are another matter. Unfortunately, they cannot be decrypted, as I mentioned in my earlier post.