infected by ransom

[ahmednsry 0]

my server infected by ransom via rdp file encrypted to 9tax.pdf.ID-17AD78ECSA[[email protected]].mqbgadqaq

ransom note is attached

 

 

Addition.txt

FRST.txt

scan_161212-145125.txt

FE6834A1357638BA1C7C1804CB1E099AC0.TXT

[Kevin Zoll 309]

This looks like it could be Fabiansomware https://decrypter.emsisoft.com/fabiansomware

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

	HKLM-x32\...\Run: [] => [X]
HKLM\...\Winlogon: [LegalNoticeCaption] Attention!
HKLM\...\Winlogon: [LegalNoticeText] All your files were encrypted with strong algorithm AES256 and unique key.
Do not worry, all your files in the safety, but are unavailable at the moment.
To recover the files you need to get special decryption software and your personal key.
	You can contact us via Email:
[email protected]
	Your Personal ID: 17AD78ECSA
	Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered.
	For fast communication, you can write us in Jabber: [email protected]
How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account
	You have 3 working days to contact us, otherwise recovering may be harder for you.
	Regards.
HKU\S-1-5-21-2078620211-2564939822-85446184-500\...\Run: [Decryption Instructions] => C:\Windows\system32\notepad.exe [193536 2015-07-09] (Microsoft Corporation)
IFEO\netsh.exe: [Debugger] C:\\WINDOWS\\system32\\svchost.exe
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
	

Close Notepad.

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.