ahmednsry, posted December 12, 2016:

My server was infected by ransom via RDP. Files are encrypted to 9tax.pdf.ID-17AD78ECSA[[email protected]].mqbgadqaq. The ransom note is attached.

Attachments: Addition.txt, FRST.txt, scan_161212-145125.txt, FE6834A1357638BA1C7C1804CB1E099AC0.TXT

Kevin Zoll, posted December 12, 2016:

This looks like it could be Fabiansomware: https://decrypter.emsisoft.com/fabiansomware

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [] => [X]
HKLM\...\Winlogon: [LegalNoticeCaption] Attention!
HKLM\...\Winlogon: [LegalNoticeText] All your files were encrypted with strong algorithm AES256 and unique key. Do not worry, all your files in the safety, but are unavailable at the moment. To recover the files you need to get special decryption software and your personal key. You can contact us via Email: [email protected] Your Personal ID: 17AD78ECSA Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered. For fast communication, you can write us in Jabber: [email protected] How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account You have 3 working days to contact us, otherwise recovering may be harder for you. Regards.
HKU\S-1-5-21-2078620211-2564939822-85446184-500\...\Run: [Decryption Instructions] => C:\Windows\system32\notepad.exe [193536 2015-07-09] (Microsoft Corporation)
IFEO\netsh.exe: [Debugger] C:\\WINDOWS\\system32\\svchost.exe
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

Close Notepad.

Kevin Zoll, posted December 15, 2016:

Thread Closed
Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE. If you don't, we are just going to send you back to this thread.