RP45

Help, my PC is infected!


Your client is a victim of Apocalypse.

Decryption tool download: https://decrypter.emsisoft.com/apocalypse

Usage Guide can be downloaded from the same page.

Apocalypse implements the Windows CryptoAPI in a flawed manner, frequently resulting in files that are encrypted with garbage data and therefore cannot be decrypted.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Winlogon: [LegalNoticeCaption] Attention!
HKLM\...\Winlogon: [LegalNoticeText] All your files were encrypted with strong algorithm AES256 and unique key.
Do not worry, all your files in the safety, but are unavailable at the moment.
To recover the files you need to get special decryption software and your personal key.
You can contact us via Email:
[email protected]
Your Personal ID: 11C53BA7US
Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered.
For fast communication, you can write us to Jabber: [email protected]
How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account
You have 3 working days to contact us, otherwise recovering may be harder for you.
Regards.
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3038702256-372892838-3846165685-1204\...\Run: [Decryption Instructions] => C:\Windows\system32\notepad.exe [217600 2013-08-22] (Microsoft Corporation)
HKU\S-1-5-21-3038702256-372892838-3846165685-1204\...\Policies\system: [DisableLockWorkstation] 1
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-82-271721585-897601226-2024613209-625570482-296978595] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236] ATTENTION => Default URLSearchHook is missing
2016-12-17 07:17 - 2016-12-17 07:17 - 00001388 _____ C:\66CDB594DCB6F6C1914141011C53BA7US.TXT
2016-12-17 02:13 - 2016-12-17 02:13 - 00001388 _____ C:\3D1C8BC0CB53F3C1C9021B011C53BA7US.TXT
2016-12-07 12:37 - 2016-12-07 12:37 - 00008147 ____N C:\Users\ETB User\Desktop\767854jJnFDz3iHshnj81.bat

Close Notepad.
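An added, read-only verification script (not part of the original post or of FRST) that checks whether the registry values, ransom-note files and runaway processes named in this thread are still present after the fix has run. It assumes the standard full paths behind FRST's abbreviated `HKLM\...\` and `HKU\...\` keys, the user SID from the fixlist, and the Personal ID from the ransom note; it removes nothing.

```powershell
# Added example: audit the artifacts listed in the fixlist above. Run in an
# elevated PowerShell in normal (not Safe) mode after FRST has applied the fix.
$sid        = 'S-1-5-21-3038702256-372892838-3846165685-1204'   # from the fixlist
$personalId = '11C53BA7US'                                      # from the ransom note

# Assumed expansions of the abbreviated FRST paths (standard Windows locations).
$hkuBase = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion"
$checks  = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'LegalNoticeCaption' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'LegalNoticeText' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'ShowSuperHidden' },
    @{ Path = "$hkuBase\Run";                                                      Name = 'Decryption Instructions' },
    @{ Path = "$hkuBase\Policies\System";                                          Name = 'DisableLockWorkstation' }
)

# Registry values that the fixlist should have removed.
$findings = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{ Artifact = "$($c.Path)\$($c.Name)"; Value = $item.($c.Name) }
    }
}

# Ransom notes: the fixlist shows them dropped in C:\ as <hex><PersonalID>.TXT.
$notes = Get-ChildItem -Path 'C:\' -Filter "*$personalId.TXT" -File -ErrorAction SilentlyContinue

# The two CPU-hogging processes the poster found ("windows_update" and "update").
$procs = Get-Process -Name 'windows_update', 'update' -ErrorAction SilentlyContinue

if ($findings) { $findings | Format-Table -AutoSize } else { 'No fixlist registry values remain.' }
if ($notes)    { $notes.FullName }                      else { 'No ransom-note files found in C:\.' }
if ($procs)    { $procs | Select-Object Name, Id, Path } else { 'No windows_update/update processes running.' }
```

Any line still reported means the fix did not fully apply and FRST should be re-run before attempting decryption.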


Didn't work. Booted Win Server 2012 to Safe Mode with Networking, ran msconfig, unchecked the Windows Update service and applied with no restart. Copied fixlist.txt and decrypt_apocalypse.exe and ran it three different times. In DecriptLog1.txt I browsed to files that are encrypted, and that was the printout. I have a copy of the Peachtree/Sage database I need to decrypt; I can upload a zip if needed. Everything else on the server can be replaced if we have to. The database is about 3 months of data we're trying to avoid rebuilding. Thanks for your help.

DecriptLog.txt

DecriptLog1.txt

DecriptLog2.txt

fixlist.txt


None of these tools are meant to be run in Safe Mode.  If you still have fixlist.txt then FRST did not load and run its contents.  Make sure that both FRST and fixlist.txt are in the same folder with each other.  Neither can be a shortcut.


So I'm going into Safe Mode to stop the Windows Update service from starting, then reboot to regular mode with FRST and fixlist.txt on the desktop and run the Apocalypse Decryption tool from the desktop? Are these the steps?


Ok, here's what I did:

1. Boot to Safe Mode.

2. Uncheck Windows Update under Services.

3. Reboot and run the Apocalypse Decryption tool. The tool ran as before with no results, with fixlist.txt and FRST on the desktop.

4. Ran the FRST program and clicked "Fix"; the program ran 48 hours with no results.

Monday morning checked FRST still running and stopped it with Task Manager. In Task Manager noticed "Windows Update Service" and another service called "update" running and taking about 95% CPU. Looking through the Services panel, "Windows Update Services" is disabled.


It was actually a program called "windows_update" and a separate program called "update". Traced it back to a public folder named jb-JP and a couple of sub-folders with the .bat files in them. Renamed all .bat to .OLD, zipped it, then deleted the folder and rebooted, and no more CPU usage from windows_update or update. I have a copy of the zip on a virtual machine I can upload if it will help.


Your files may have been encrypted with garbage data.  Apocalypse implements the Windows CryptoAPI in a flawed manner resulting in a 1-in-3 chance that files are encrypted in such a manner that they cannot be decrypted.

If FRST is taking that long to run then something is blocking it.  Go ahead and run the fix in safe mode.


So I found those files that were running "windows_update" and "update" in the background and was able to stop them, and the CPU lightened up after I stopped them; maybe that's what was stopping it. And you're saying run FRST and choose Fix, and not run decrypt_apocalypse.exe?


Run FRST and click Fix. After it has finished running the contents of fixlist.txt, use the Apocalypse decryption tool.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
