
All my files encrypted - please help



Hi!

All files are encrypted and every file has a text next to it. I attached the EEK and FRST logs.

Your Computer is locked and ALL DATA IS ENCRYPTED!

Contact by Email for DATA recovering.

Then, we'll provide Unlock-Password and Data Decryption Software to you.

WARNING: If you don't contact in 48 hours, then all DATA may be damaged unrecoverably!!!

Addition.txt

FRST.txt

scan_161019-091558.txt


Please use the Fabiansomware decrypter: https://decrypter.emsisoft.com/fabiansomware

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-157473276-1081225212-1846646709-500\...\MountPoints2: {3be69c5c-fc0a-11e4-80b1-806e6f6e6963} - "D:\setup.exe" 
URLSearchHook: [S-1-5-21-157473276-1081225212-1846646709-1116] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-157473276-1081225212-1846646709-1159] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
"silsvc" => service was unlocked. <===== ATTENTION
2016-10-19 09:10 - 2016-10-19 09:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\tmp000002b1
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\2BA2257E1BF0406EA6CF8405142DB6BD.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\2AF60A6B74574DD2A891F7F56A1D35D4.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\039ED2FD6A904AF897A211C520756990.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01861332 ____T C:\Users\Administrator\AppData\Local\Temp\7D2DFD09B9EC4F7DA60BB6EE53BEE892.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01861332 ____T C:\Users\Administrator\AppData\Local\Temp\257A08967DBB46BD96650B55B5AC0597.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01743068 ____T C:\Users\Administrator\AppData\Local\Temp\7E170B234D944616BD231579997E5DC4.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\D769F207516E4E3F9BB2B40C613AF234.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\6496759890C547B897D93423E2F76EBA.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\3D2FD383C3B64A64836F3E9AEE291F2A.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00747175 ____T C:\Users\Administrator\AppData\Local\Temp\B0F2A58519BF477AABDEE4C14CF7C6B8.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00747175 ____T C:\Users\Administrator\AppData\Local\Temp\0AC0A672BB73498A8D7B0223C32626AB.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00723722 ____T C:\Users\Administrator\AppData\Local\Temp\7AE25661625046858EED279B42CC51C9.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\EFFED6B2228741C89E31BDF06C7FB5DA.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\43BE0BBD710E414B8F69008B6A08799B.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\220C7C9051FD49968F89595BD137A50A.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\A0BE4D23167F4E44B064DC4ECF9B99C5.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\404073BA33DE4614B0750EAF48546A20.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\0DDC20F1DF6B4548A134E17F2DE95711.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00057992 ____T C:\Users\Administrator\AppData\Local\Temp\91DBE79E98AA4B9195A54E21B3B97DA7.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00057992 ____T C:\Users\Administrator\AppData\Local\Temp\3373DE31FF794F268BCA5843163E1020.tmp
2016-10-18 14:15 - 2016-10-18 14:15 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\42E5A11E-F7F6-422F-9F34-10A659F8D5C4
2016-10-16 12:28 - 2016-10-16 12:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\{3724893E-746B-4B9C-8E75-A9647CD12ED7}
2016-10-16 11:22 - 2015-05-21 12:49 - 00668938 ____N () C:\Users\Administrator\AppData\Local\Temp\_iu14D2N.tmp
2016-10-16 11:17 - 2016-10-16 11:17 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\7B240E35-80C6-4941-B094-47099ED1FAC1
2016-10-04 01:34 - 2016-10-04 01:33 - 01266792 _____ (Google Inc.) C:\Users\Administrator\AppData\Local\Temp\943E.tmp
2016-09-28 03:06 - 2016-09-28 03:06 - 00305488 _____ C:\Windows\Minidump\092816-92671-01.dmp
C:\Users\Administrator\AppData\Roaming\Microsoft\conhost.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\ACYFKX52\4[1].bin
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

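An added check, not part of the helper's post and not FRST's own tooling: it parses entries in the shape of the fixlist above (a few lines copied from it as a constructed sample) and reports which file targets still exist, which is how one would verify whether the Fix actually removed them. The regular expressions and the `exists` hook are my assumptions about the format, not FRST's documented grammar.

```python
import os
import re

# Constructed sample in the shape of the FRST fixlist posted in this thread
# (entries copied from the post; the parser below is an added example).
SAMPLE_FIXLIST = r"""
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-157473276-1081225212-1846646709-500\...\MountPoints2: {3be69c5c-fc0a-11e4-80b1-806e6f6e6963} - "D:\setup.exe"
URLSearchHook: [S-1-5-21-157473276-1081225212-1846646709-1116] ATTENTION => Default URLSearchHook is missing
"silsvc" => service was unlocked. <===== ATTENTION
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\2BA2257E1BF0406EA6CF8405142DB6BD.tmp
2016-10-16 11:22 - 2015-05-21 12:49 - 00668938 ____N () C:\Users\Administrator\AppData\Local\Temp\_iu14D2N.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\conhost.exe
"""

# FRST file-listing line: created - modified - size flags [(vendor)] path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{8} \S+ (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+?)\s*$"
)
SERVICE_LINE = re.compile(r'^"(?P<name>[^"]+)" => service')
BARE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s*$")


def parse_fixlist(text):
    """Classify each fixlist line as (kind, target); unknown lines are kept, not dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("HKLM", "HKU", "HKCU")):
            entries.append(("registry", line.split(":", 1)[0]))   # key path only
        elif line.startswith("URLSearchHook:"):
            entries.append(("urlsearchhook", line))
        elif (m := SERVICE_LINE.match(line)):
            entries.append(("service", m.group("name")))
        elif (m := FILE_LINE.match(line)):
            entries.append(("file", m.group("path")))
        elif (m := BARE_PATH.match(line)):
            entries.append(("file", m.group("path")))
        else:
            entries.append(("unknown", line))
    return entries


def remaining_files(entries, exists=os.path.exists):
    """File targets that still exist on disk; after a successful Fix this should be empty."""
    return [target for kind, target in entries if kind == "file" and exists(target)]


if __name__ == "__main__":
    for kind, target in parse_fixlist(SAMPLE_FIXLIST):
        print(f"{kind:14} {target}")
    print("still present:", remaining_files(parse_fixlist(SAMPLE_FIXLIST)))
```

Run it on the machine after FRST has finished; any path printed under "still present" was not removed and is worth a second look in Fixlog.txt.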

Hi!

Sorry, but it looks like I am missing something.

The FRST64 run was very short and it looks like nothing changed. If it fixed things, should I rename the files to their original names and then see the original content? Or after the fix do I need to run something in addition? Sorry, it is my first time with ransomware.

I run it on an isolated VM, so it takes time to transfer files via attaching/detaching the vmdk.

Addition.txt

FRST.txt

scan_161020-224800.txt

Scan_161020-230610.txt


I see on the impacted server a few files in ESET quarantine; one of them is an explorer.exe marked as filecoder.trojan. The others are coinminer.trojan. Should I restore those files from quarantine to be able to decrypt the files?

I contacted the hacker and he sent me 2 decrypted files to prove it is legit, but when I drop the 2 files, original and encrypted, on the Fabiansomware decrypter, it says that it cannot find the right key. Please advise.


Hi!

My customer paid the ransom and got a decrypter and password/key. I scanned it with antivirus, but I am not sure that it is safe and not another trojan. Can you check it? See attachment.

Edit:

I ran it, but it does not work; it says wrong key.

Now they want more money for the key.

Any help appreciated

Decrypter.zip


Hi!

Will you be able to connect to the encrypted server and take a look for some fee? I prefer to pay people who help others, not those who harm others.

I found backups for the most important files, but there are still a lot of Excel and Word documents from a 6-week-old backup.
