vadiaz Posted October 19, 2016

Hi! All files are encrypted and every file has a text file next to it. I attached the EEK and FRST logs.

Your Computer is locked and ALL DATA IS ENCRYPTED! Contact by Email for DATA recovering. Email: [email protected] Then, we'll provide Unlock-Password and Data Decryption Software to you. WARNING: If you don't contact in 48 hours, then all DATA may be damaged unrecoverably!!!

Attachments: Addition.txt, FRST.txt, scan_161019-091558.txt
Kevin Zoll Posted October 19, 2016

Please use the Fabiansomware decrypter: https://decrypter.emsisoft.com/fabiansomware

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-157473276-1081225212-1846646709-500\...\MountPoints2: {3be69c5c-fc0a-11e4-80b1-806e6f6e6963} - "D:\setup.exe"
URLSearchHook: [S-1-5-21-157473276-1081225212-1846646709-1116] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-157473276-1081225212-1846646709-1159] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
"silsvc" => service was unlocked. <===== ATTENTION
2016-10-19 09:10 - 2016-10-19 09:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\tmp000002b1
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\2BA2257E1BF0406EA6CF8405142DB6BD.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\2AF60A6B74574DD2A891F7F56A1D35D4.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 02170114 ____T C:\Users\Administrator\AppData\Local\Temp\039ED2FD6A904AF897A211C520756990.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01861332 ____T C:\Users\Administrator\AppData\Local\Temp\7D2DFD09B9EC4F7DA60BB6EE53BEE892.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01861332 ____T C:\Users\Administrator\AppData\Local\Temp\257A08967DBB46BD96650B55B5AC0597.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 01743068 ____T C:\Users\Administrator\AppData\Local\Temp\7E170B234D944616BD231579997E5DC4.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\D769F207516E4E3F9BB2B40C613AF234.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\6496759890C547B897D93423E2F76EBA.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00870821 ____T C:\Users\Administrator\AppData\Local\Temp\3D2FD383C3B64A64836F3E9AEE291F2A.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00747175 ____T C:\Users\Administrator\AppData\Local\Temp\B0F2A58519BF477AABDEE4C14CF7C6B8.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00747175 ____T C:\Users\Administrator\AppData\Local\Temp\0AC0A672BB73498A8D7B0223C32626AB.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00723722 ____T C:\Users\Administrator\AppData\Local\Temp\7AE25661625046858EED279B42CC51C9.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\EFFED6B2228741C89E31BDF06C7FB5DA.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\43BE0BBD710E414B8F69008B6A08799B.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00088372 ____T C:\Users\Administrator\AppData\Local\Temp\220C7C9051FD49968F89595BD137A50A.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\A0BE4D23167F4E44B064DC4ECF9B99C5.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\404073BA33DE4614B0750EAF48546A20.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00060906 ____T C:\Users\Administrator\AppData\Local\Temp\0DDC20F1DF6B4548A134E17F2DE95711.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00057992 ____T C:\Users\Administrator\AppData\Local\Temp\91DBE79E98AA4B9195A54E21B3B97DA7.tmp
2016-10-19 09:08 - 2016-10-19 09:08 - 00057992 ____T C:\Users\Administrator\AppData\Local\Temp\3373DE31FF794F268BCA5843163E1020.tmp
2016-10-18 14:15 - 2016-10-18 14:15 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\42E5A11E-F7F6-422F-9F34-10A659F8D5C4
2016-10-16 12:28 - 2016-10-16 12:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\{3724893E-746B-4B9C-8E75-A9647CD12ED7}
2016-10-16 11:22 - 2015-05-21 12:49 - 00668938 ____N () C:\Users\Administrator\AppData\Local\Temp\_iu14D2N.tmp
2016-10-16 11:17 - 2016-10-16 11:17 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp\7B240E35-80C6-4941-B094-47099ED1FAC1
2016-10-04 01:34 - 2016-10-04 01:33 - 01266792 _____ (Google Inc.) C:\Users\Administrator\AppData\Local\Temp\943E.tmp
2016-09-28 03:06 - 2016-09-28 03:06 - 00305488 _____ C:\Windows\Minidump\092816-92671-01.dmp
C:\Users\Administrator\AppData\Roaming\Microsoft\conhost.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\ACYFKX52\4[1].bin

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
vadiaz Posted October 20, 2016

See attached log.

Attachment: Fixlog.txt
Kevin Zoll Posted October 20, 2016

Did the Fabiansomware decrypter work?

Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply.
vadiaz Posted October 20, 2016

Hi! Sorry, but it looks like I am missing something. The FRST64 run was very short and it looks like nothing changed. If it is fixed, should I rename the files to their original names and then I will see the original content? Or after the fix do I need to run something in addition? Sorry, it is my first time with ransomware. I run it on an isolated VM, so it takes time to transfer files via attaching/detaching the vmdk.

Attachments: Addition.txt, FRST.txt, scan_161020-224800.txt, Scan_161020-230610.txt
vadiaz Posted October 21, 2016

I see on the impacted server a few files in ESET quarantine - one of them is an explorer.exe marked as filecoder.trojan. The others are coinminer.trojan. Should I restore those files from quarantine to be able to decrypt the files?

I contacted the hacker and he sent me 2 decrypted files to prove it is legit, but when I drop the 2 files, original and encrypted, on the Fabiansomware decrypter it says that it cannot find the right key. Please advise.
Kevin Zoll Posted October 21, 2016

If the Fabiansomware decrypter states that it cannot find the key, then it cannot decrypt your files.

Restore the files in the ESET quarantine before decrypting your files.

Your logs show no malware.
vadiaz Posted October 22, 2016

Hi! Restored from quarantine, but the Fabiansomware decrypter still states that it cannot find the key. I tried to drop two 180 MB files on it - still no key. Please advise.
Kevin Zoll Posted October 24, 2016

Try something smaller, but larger than 4 KB.
vadiaz Posted October 24, 2016

Hi! Tried multiple file pairs with different sizes - still get the error about no key. Any advice?
vadiaz Posted October 25, 2016

Hi! My customer paid the ransom and got a decrypter and a password/key. I scanned it with antivirus, but I am not sure that it is safe and not another trojan. Can you check it? See attachment.

Edit: I ran it, but it does not work - it says wrong key. Now they want more money for the key. Any help appreciated.

Attachment: Decrypter.zip
Kevin Zoll Posted October 25, 2016

The decrypter is safe.

You are always gambling when paying the ransom. Sometimes they decrypt your files, and sometimes they don't.
vadiaz Posted October 26, 2016

Hi! Would you be able to connect to the encrypted server and take a look for some fee? I prefer to pay people who help others and not those who harm others. I found backups for the most important files, but there are still a lot of Excel and Word documents from a 6-week-old backup.
Kevin Zoll Posted October 26, 2016

Sorry, but no, we cannot do that.
vadiaz Posted October 27, 2016

Hi! OK, I understand. Can you help find the decryption key if I upload a pair of encrypted and original files?
Kevin Zoll Posted October 28, 2016

No, that is not possible either. There is just no way to determine the encryption key, for strong ciphers, that way.
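Added illustration of the point made in the post above (example code written for this page; it is not the Emsisoft decrypter's logic and not anything posted in the thread). Dropping an original/encrypted pair on a decrypter can at best recover the keystream that was XORed over that one file, never the key behind it. That is useful only if the ransomware reused the same keystream for every file, and only for as many bytes as the pair covers, which is why a pair shorter than the target file cannot finish the job. With a fresh nonce per file the recovered bytes decrypt nothing else, and the key behind a sound keyed PRF (HMAC-SHA256 is used here as a stand-in for a real stream cipher such as AES-CTR) cannot be worked back from its output. The file contents, the two encryption schemes and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a keyed PRF. HMAC-SHA256 stands in for a real
    stream cipher; knowing its output gives no practical way back to `key`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR encrypted = the keystream bytes that were
    applied, for exactly as many bytes as the pair covers (and not one byte more)."""
    n = min(len(original), len(encrypted))
    return xor_bytes(original[:n], encrypted[:n])


def decrypt_with_recovered(ks: bytes, encrypted: bytes) -> bytes:
    """Reapply a recovered keystream to another file. Correct only if that file was
    encrypted under the same key AND nonce, and only if the pair was at least as long."""
    if len(encrypted) > len(ks):
        raise ValueError(
            f"pair too short: keystream known for {len(ks)} bytes, file is {len(encrypted)}"
        )
    return xor_bytes(encrypted, ks)


def demo() -> dict:
    key = secrets.token_bytes(32)  # the attacker's secret; never leaves this function
    # Constructed sample files (not from the thread).
    invoice = b"Invoice 2016-10-19, total 1200 EUR\n" * 16  # 560 bytes, both versions known
    report = b"Q3 report: revenue up\n" * 16                # 352 bytes, encrypted copy only
    long_doc = b"Lorem ipsum dolor sit\n" * 64              # 1408 bytes, encrypted copy only

    # Scheme A (weak): one fixed nonce for every file, so one keystream is reused.
    fixed_nonce = bytes(16)
    enc_invoice = encrypt_file(key, fixed_nonce, invoice)
    enc_report_a = encrypt_file(key, fixed_nonce, report)
    enc_long_a = encrypt_file(key, fixed_nonce, long_doc)

    ks = recover_keystream(invoice, enc_invoice)  # what a file pair actually yields
    reused_ok = decrypt_with_recovered(ks, enc_report_a) == report

    # Scheme B (sound): a fresh random nonce per file. Same key, same pair, no luck.
    enc_report_b = encrypt_file(key, secrets.token_bytes(16), report)
    fresh_ok = decrypt_with_recovered(ks, enc_report_b) == report

    # Even under scheme A, a pair shorter than the target file cannot decrypt it.
    try:
        decrypt_with_recovered(ks, enc_long_a)
        short_pair_fails = False
    except ValueError:
        short_pair_fails = True

    return {
        "reused_nonce_decrypts_other_file": reused_ok,
        "fresh_nonce_decrypts_other_file": fresh_ok,
        "short_pair_fails_on_longer_file": short_pair_fails,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints True, False, True for the three checks: the pair is enough only under keystream reuse, and even then only for files no longer than the pair. Real decrypters that accept a file pair are exploiting a flaw of the first kind in a specific family; when the family uses a strong cipher correctly, the pair gives nothing to work with, which is what the reply above says.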