mowt

Help my files with infection by CryptoLocker


Hello.

I want you to instruct me to delete malware and decrypt my encrypted files.

 

My PC is infected by ransomware named CryptoLocker.

Unfortunately, these files are not backed up, so the only way to get the files back is decryption.

Therefore, I want to borrow your wisdom.

 

scan_161201-010404.txt

Addition_01-12-2016 01.11.56.txt

FRST_01-12-2016 01.11.56.txt

______________________

 

Characteristics of the ransomware that I could confirm

・Encryption was done by executable file named syscop.exe

・The image on the desktop has been changed (wp.jpg), and the pop-up continues to appear

post-44528-0-83938800-1480526926_thumb.png

・The file attached below was created

files.zip

 

______________________

 

Encrypted file and original file: for reference

pdf.zip

 

 

Most sincerely.


CryptoLocker encrypted files cannot be decrypted without paying the ransom.

Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
CloseProcesses:
HKLM-x32\...\Run: [setup] => C:\Users\admin\AppData\Local\Temp\setup.exe /start <===== ATTENTION
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\...\Run: [**famehyc<*>] => "C:\Users\admin\AppData\Local\598a3\f2a26.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\...\MountPoints2: {b652f9ad-9eb0-11e2-be8f-2cd05a6ed49c} - "H:\SETUP.exe" 
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\...\MountPoints2: {e5299b4a-9ec9-11e2-be90-2cd05a6ed49c} - "I:\startup.exe" 
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\...\MountPoints2: {e5299b88-9ec9-11e2-be90-2cd05a6ed49c} - "K:\SETUP.exe" 
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\...\MountPoints2: {e5299cde-9ec9-11e2-be90-2cd05a6ed49c} - "F:\setup.exe" 
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
GroupPolicy: Restriction - Windows Defender <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-1411513595-2743768656-841714597-1001 -> No Name - {AEF44653-C059-42CB-A5B7-41C640DA4A67} -  No File
Handler: WSAllMyTubechrome - No CLSID Value
FF Extension: (No Name) - C:\ProgramData\Wondershare\AllMyTube\[email protected]_xpi\ [not found]
CHR Extension: (Search YouTube) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extensions\iabhcmlfmommijjhppgpmaldhnnodggp [2015-06-04] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [idkknaphebegndgimgdpfnconcickdfn] - <no Path/update_url>
2016-11-26 13:19 - 2016-11-26 13:19 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign722443a1b3bf7eb7
2016-11-26 13:17 - 2016-11-26 13:17 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign89f0acb16f72bc69
2016-11-26 13:17 - 2016-11-26 13:17 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign321b4710d676ee0b
2016-11-26 13:17 - 2016-11-26 13:17 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign251f001f5ff1745d
2016-11-26 13:16 - 2016-11-26 13:16 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsignde507555206849c3
2016-11-26 13:16 - 2016-11-26 13:16 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign933120bbba3fecd5
2016-11-26 13:16 - 2016-11-26 13:16 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign6d59ca93d7b6e350
2016-11-26 13:16 - 2016-11-26 13:16 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign3f7b258304f56867
2016-11-26 13:15 - 2016-11-26 13:15 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign4201644c264441a0
2016-11-26 13:10 - 2016-11-26 13:10 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign8e52da24f8d2750c
2016-11-26 13:10 - 2016-11-26 13:10 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign65695c16cfe09336
2016-11-26 13:10 - 2016-11-26 13:10 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign3394d31008dc1da5
2016-11-26 13:10 - 2016-11-26 13:10 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign11fd2ffa7f6c9a19
2016-11-26 13:09 - 2016-11-26 13:09 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsigne41171b8926e95ef
2016-11-26 13:09 - 2016-11-26 13:09 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign51549826ef490126
2016-11-26 13:09 - 2016-11-26 13:09 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign1a7c4f52d5d8cfb6
2016-11-26 13:00 - 2016-11-26 13:00 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsignf5f15e1b4c80e42d
2016-11-26 13:00 - 2016-11-26 13:00 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsigncab90dbfdce56bef
2016-11-26 13:00 - 2016-11-26 13:00 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign7658f1550b37e38a
2016-11-26 02:08 - 2016-11-26 02:08 - 00000000 ____D C:\Users\admin\AppData\Local\598a3
2016-11-26 01:43 - 2016-11-26 01:43 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign6b8fde7e129db2b3
2016-11-26 01:43 - 2016-11-26 01:43 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign3bdf6793da8fdcab
2016-11-26 01:41 - 2016-11-26 01:41 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign784231a5b8b73396
2016-11-26 01:41 - 2016-11-26 01:41 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign3f063b490f5086ba
2016-11-26 01:40 - 2016-11-29 23:54 - 00000000 ____D C:\Program Files (x86)\80EFD0B9-1480092050-E211-8030-B0ED34159215
2016-11-26 01:36 - 2016-11-26 01:36 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsignd1c0a3f5a6cadabd
2016-11-26 01:36 - 2016-11-26 01:36 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsigna5ac9b0d9ac69bd9
2016-11-26 01:36 - 2016-11-26 01:36 - 00000000 ____D C:\Users\admin\AppData\Local\Tempzxpsign41c58c6c2b338d3c
2016-11-26 01:35 - 2016-11-30 22:39 - 00000000 ____D C:\Users\admin\AppData\Local\Ukqmedia
2016-11-26 01:35 - 2016-11-30 22:06 - 00000000 ____D C:\Users\admin\AppData\Local\Odzlics
2015-12-12 00:14 - 2010-05-21 01:39 - 2583552 _____ (LennarDigital) C:\Program Files\Sylenth1 (x64).dll
2013-11-09 02:37 - 2014-01-22 21:04 - 0083505 _____ () C:\Program Files (x86)\Uninstal.exe
2012-03-21 00:00 - 2012-03-21 00:00 - 1482752 _____ (Waves Audio Ltd.) C:\Program Files (x86)\WaveShell-VST 9.0.dll
2014-01-08 04:10 - 2016-10-02 03:26 - 0000132 _____ () C:\Users\admin\AppData\Roaming\Adobe BMP Format CS6 Prefs
2015-06-05 09:25 - 2015-06-05 09:25 - 0000024 _____ () C:\Users\admin\AppData\Roaming\appdataFr25.bin
2015-10-14 17:32 - 2015-10-14 17:32 - 0000020 _____ () C:\Users\admin\AppData\Roaming\gnuplot.ini
2013-05-14 15:55 - 2013-05-14 15:55 - 0000000 _____ () C:\Users\admin\AppData\Roaming\tmcef.log
2016-11-29 15:04 - 2016-11-29 15:04 - 22937985 _____ () C:\Users\admin\AppData\Roaming\Microsoft\Crypto.zip
2013-08-01 16:03 - 2013-08-01 16:03 - 0001811 _____ () C:\Users\admin\AppData\Local\ACCCx189.zip.aamdownload.aamd
2014-10-09 02:10 - 2014-11-10 02:59 - 0007680 _____ () C:\Users\admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Users\admin\AppData\Local\Temp\headhunts.dll
C:\Users\admin\AppData\Local\Temp\ReimagePackage.exe
CustomCLSID: HKU\S-1-5-21-1411513595-2743768656-841714597-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\admin\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
Task: {402B2576-68C9-42C3-8E0B-0178FC12F8DD} - System32\Tasks\WinTaske => C:\Program Files (x86)\WinTaske\WinTaske\WinTaske.exe <==== ATTENTION
Task: {72343AA9-B9D0-4973-85C5-8A30732389C6} - System32\Tasks\SpinningTrakt => c:\programdata\{9be9a178-ff94-52c0-9be9-9a178ff985e3}\9201886653116750660c.exe <==== ATTENTION
Task: {83C45053-3E16-4CB6-A242-E24181ADD05D} - System32\Tasks\DNSARVONIA => C:\Program Files (x86)\DNS Unlocker\dnsarvonia.exe <==== ATTENTION
Task: {96A23590-A7F9-459C-8465-DCD0D4E47DE9} - System32\Tasks\DNSCOLFAX => C:\Program Files (x86)\DNS Unlocker\dnscolfax.exe <==== ATTENTION
Task: C:\Windows\Tasks\I-Generator.job => c:\programdata\{1a2057e6-4d30-404f-1a20-057e64d35f99}\2140719986440314712b.exe <==== ATTENTION
Task: C:\Windows\Tasks\ReimageUpdater.job => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe <==== ATTENTION
Task: C:\Windows\Tasks\SpinningTrakt.job => c:\programdata\{9be9a178-ff94-52c0-9be9-9a178ff985e3}\9201886653116750660c.exe <==== ATTENTION
AlternateDataStreams: C:\Users\admin\Local Settings:4Tfa5x3Qjo8G2Wzru33U0QNWoQu6 [2272]
AlternateDataStreams: C:\Users\admin\AppData\Local:4Tfa5x3Qjo8G2Wzru33U0QNWoQu6 [2272]
AlternateDataStreams: C:\Users\admin\AppData\Local\Application Data:4Tfa5x3Qjo8G2Wzru33U0QNWoQu6 [2272]
AlternateDataStreams: C:\Users\admin\AppData\Local\t2s2M1d8Bb5mSM:JZT2pxwm1SFvdayzt [2198]
AlternateDataStreams: C:\Users\admin\AppData\Local\Temporary Internet Files:cFTVj2WVVfOpR6JCrhILvZWSTK [2242]
HKU\S-1-5-21-1411513595-2743768656-841714597-1001\Software\Classes\3cfb1: "C:\Windows\system32\mshta.exe" "javascript:mB9Lhis="4Gg9";Gg3=new ActiveXObject("WScript.Shell");aFp7Ll="LPg";mdp56h=Gg3.RegRead("HKCU\\software\\wklqeoq\\mdftomx");Q7iVdKi6="T";eval(mdp56h);Und8N0="350W8lRy";" <===== ATTENTION
C:\Users\admin\AppData\Local\598a3\f2a26.bat
C:\Users\admin\AppData\Local\598a3
Reboot:
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
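The fixlist above is built by hand from FRST log lines: the helper reads the entries flagged with ATTENTION, works out which file each autostart entry launches, and lists the files and folders to remove. The script below is an added example (not from this thread, and not part of FRST) that automates that first triage pass over FRST-style lines: it classifies each line (Run key, MountPoints2 autorun, scheduled task, alternate data stream, policy restriction, bare path), pulls out the launched binary, and reports which autostart entries point into user-writable locations such as AppData or ProgramData, which is where most of the entries in this thread live. The sample lines are constructed to mimic the fixlist syntax with placeholder SIDs and GUIDs; the "user-writable" markers and the file-extension list are my own heuristics, not FRST rules.

```python
"""Triage helper for FRST-style fixlist/log lines (added example).
Classifies each line, extracts the file-system target it refers to, and
flags entries the analyst marked ATTENTION or that launch something from a
user-writable directory."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in FRST fixlist syntax; SIDs, GUIDs and paths are placeholders.
SAMPLE_LINES = r"""
CloseProcesses:
HKLM-x32\...\Run: [setup] => C:\Users\user\AppData\Local\Temp\setup.exe /start <===== ATTENTION
HKU\S-1-5-21-0-0-0-1001\...\Run: [**example<*>] => "C:\Users\user\AppData\Local\abc12\run.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-0-0-0-1001\...\MountPoints2: {00000000-0000-0000-0000-000000000001} - "H:\SETUP.exe"
GroupPolicy: Restriction - Windows Defender <======= ATTENTION
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\ExampleTask => c:\programdata\{00000000-0000-0000-0000-0000000000aa}\1234.exe <==== ATTENTION
AlternateDataStreams: C:\Users\user\AppData\Local:abcdefghij [2272]
C:\Users\user\AppData\Local\abc12\run.bat
Reboot:
"""

# A Windows path ending in an executable-like extension; stops before quotes,
# angle brackets or FRST's trailing "[date]" block.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<\[\n]*?\.(?:exe|dll|bat|cmd|sys|js|vbs|hta)\b', re.I)
ADS_RE = re.compile(r'^AlternateDataStreams: ([A-Za-z]:\\.*?):([^\s\[]+) \[(\d+)\]$')
ATTENTION_RE = re.compile(r'<=+ ATTENTION(?: \(([^)]*)\))?')
DIRECTIVE_RE = re.compile(r'^[A-Za-z]+:$')          # e.g. "CloseProcesses:", "Reboot:"
# Heuristic markers (assumption): directories a standard user can write to.
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\temp\\', '\\users\\public\\')


@dataclass
class Entry:
    kind: str
    raw: str
    target: Optional[str]   # file-system object the line points at, if any
    attention: bool         # analyst marked the line with ATTENTION
    note: Optional[str]     # text in parentheses after ATTENTION, if any


def classify(line: str) -> str:
    """Map one fixlist line to a coarse category."""
    if DIRECTIVE_RE.match(line):
        return 'directive'
    if line.startswith('AlternateDataStreams:'):
        return 'ads'
    if line.startswith('Task:'):
        return 'task'
    if '\\MountPoints2:' in line:
        return 'mountpoint'
    if re.search(r'\\Run: \[', line):
        return 'run_key'
    if line.startswith('GroupPolicy') or 'Restriction' in line:
        return 'policy'
    if re.match(r'^[A-Za-z]:\\', line):
        return 'path'
    return 'other'


def extract_target(line: str, kind: str) -> Optional[str]:
    """Return the launched binary or file-system object referenced by the line."""
    if kind == 'ads':
        m = ADS_RE.match(line)
        return f'{m.group(1)}:{m.group(2)}' if m else None
    if kind == 'path':
        return line
    if kind == 'directive':
        return None
    # For registry and task entries the launched command follows "=>".
    scope = line.split('=>', 1)[1] if '=>' in line else line
    m = PATH_RE.search(scope)
    return m.group(0) if m else None


def parse_fixlist(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        att = ATTENTION_RE.search(line)
        entries.append(Entry(kind, line, extract_target(line, kind),
                             att is not None, att.group(1) if att else None))
    return entries


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(entries) -> dict:
    """Summarise: category counts, ATTENTION count, and autostart targets in user-writable dirs."""
    kinds = Counter(e.kind for e in entries)
    suspicious = sorted({e.target for e in entries
                         if e.target and e.kind not in ('path', 'ads')
                         and in_user_writable(e.target)})
    return {'kinds': dict(kinds),
            'attention': sum(1 for e in entries if e.attention),
            'autostart_in_user_writable': suspicious}


if __name__ == '__main__':
    for e in parse_fixlist(SAMPLE_LINES):
        print(f'{e.kind:10} attention={e.attention!s:5} target={e.target}')
    print(triage(parse_fixlist(SAMPLE_LINES)))
```

The useful output is the `autostart_in_user_writable` list: every Run key, MountPoints2 entry or scheduled task whose command lives under AppData, ProgramData or Temp is worth a look whether or not FRST flagged it, since legitimate software rarely autostarts from there. The list also doubles as a checklist of the paths that a removal script needs to delete after the autostart entry itself is gone.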


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

FF DefaultProfile: 41A66E7E5EE1
FF ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1 [not found][UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
U3 ah0pjip0; C:\Windows\System32\Drivers\ah0pjip0.sys [0 ] (Intel Corporation) <==== ATTENTION (zero byte File/Folder)
2016-12-01 01:55 - 2016-12-01 01:55 - 23484660 _____ () C:\Users\admin\AppData\Roaming\Microsoft\Crypto (2).zip
C:\Users\admin\AppData\Local\Temp\libeay32.dll
C:\Users\admin\AppData\Local\Temp\msvcr120.dll
C:\Users\admin\AppData\Local\Temp\sqlite3.dll
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}" /f
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{02DD8284-A49F-43E5-9D84-CF19DC9AD21D}" /f
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{27DE7D30-BCCD-44D1-ADCB-A74A4259EBEF}" /f
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{3A0EFC4E-F167-4D0E-9C24-FC5519237993}" /f
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}" /f
Key: HKEY_USERS\S-1-5-21-1411513595-2743768656-841714597-1001_CLASSES\WOW6432NODE\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}" /f
C:\ProgramData\InstallMate\{5860CEA1-9411-4D72-AF99-DC338383EC57}\Custom.dll
C:\ProgramData\InstallMate\{5860CEA1-9411-4D72-AF99-DC338383EC57}
C:\ProgramData\InstallMate\{77F50089-D756-47E5-A50E-9F74AC16227F}\Custom.dll
C:\ProgramData\InstallMate\{77F50089-D756-47E5-A50E-9F74AC16227F}
C:\ProgramData\InstallMate\{3E81F2D2-2E74-4C1F-AEF4-6656E562D024}\Custom.dll
C:\ProgramData\InstallMate\{3E81F2D2-2E74-4C1F-AEF4-6656E562D024}
C:\ProgramData\InstallMate\{9CB01066-AF44-402E-A2C5-E76647533290}\Custom.dll
C:\ProgramData\InstallMate\{9CB01066-AF44-402E-A2C5-E76647533290}
C:\ProgramData\InstallMate\{D9252F1C-9853-4B9E-A975-D07102C60DEA}\Custom.dll
C:\ProgramData\InstallMate\{D9252F1C-9853-4B9E-A975-D07102C60DEA}
C:\ProgramData\InstallMate\{FD5D7B51-633B-4222-A0C9-2B1926BE59A7}\Custom.dll
C:\ProgramData\InstallMate\{FD5D7B51-633B-4222-A0C9-2B1926BE59A7}
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


The support forums have been under a DDoS attack, which has resulted in a delay in being able to respond to your support request.

That should take care of what I saw in your logs.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
