GregM 0 Posted December 22, 2016

I have a main office and 5 branch offices infected. I have had someone power off all the PCs; the server is still running and I ran the scanners.

Attachments: scan_161222-093249.txt, Addition.txt, FRST.txt
Kevin Zoll 309 Posted December 22, 2016

Hello,

This system appears to be a victim of Nemucod.

Decryption tool download page: https://decrypter.emsisoft.com/nemucod
Usage Guide: https://decrypter.emsisoft.com/howtos/emsisoft_howto_nemucod.pdf

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-1297813860-651119852-3588835907-1164\...\MountPoints2: {e0136360-cde5-11e2-89af-806e6f6e6963} - E:\setup.exe
HKU\S-1-5-21-1297813860-651119852-3588835907-1189\...\MountPoints2: {e0136360-cde5-11e2-89af-806e6f6e6963} - E:\setup.exe
IFEO\sethc.exe: [Debugger] c:\windows\fonts\2008.exe
Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2010-11-20] ()
GroupPolicyScripts: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1296 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1297 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1298 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1299 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1300 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1301 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
"silsvc" => service was unlocked. <===== ATTENTION
C:\Users\admin\AppData\Local\Temp\tch.exe
C:\Users\crown\AppData\Local\Temp\fuflxpnl.dll
C:\Users\Mohrgreg\AppData\Local\Temp\Abspdf.exe
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfu.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfui.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\cdintf.dll
C:\Users\Mohrgreg\AppData\Local\Temp\InstallAX.exe
C:\Users\Mohrgreg\AppData\Local\Temp\niqup4zz.dll
C:\Users\Mohrgreg\AppData\Local\Temp\PDFPRT400.exe
C:\Users\Mohrgreg\AppData\Local\Temp\x3rohnvv.dll
C:\Users\Mohrgreg\AppData\Local\Temp\xmllite.dll
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\admin\Downloads\xdedicrdppatch (1).exe
C:\Users\admin\Downloads\xdedicrdppatch.exe
C:\Users\crown\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UTC0V7CH\SFInstaller_SFFZ_filezilla_8992693_[1].exe
C:\Users\crown\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOYBYHY4\SFInstaller_SFFZ_filezilla_8992693_[1].exe
C:\Users\usera\Downloads\xdedicrdppatch.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
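The fixlist above removes an Image File Execution Options (IFEO) "Debugger" value for sethc.exe, which makes Windows start a different program in place of the Sticky Keys helper, and two per-user MountPoints2 autorun entries pointing at an executable on a removable drive. As an added example that is not part of this thread and is not FRST or Emsisoft code, the following Python script parses FRST-style report lines and flags those two indicator classes plus any line FRST itself marks with ATTENTION. The sample lines are copied from the fixlist in the post, plus one constructed benign IFEO entry; the accessibility-binary list, the severity labels and the vsjitdebugger.exe path are the example's own assumptions.

```python
import re

# Windows accessibility helpers that can be launched from the logon screen.
# An IFEO "Debugger" value for one of these runs an arbitrary program instead.
# (Assumed list for this example.)
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Debugger paths under these directories are treated as lower severity.
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# FRST prints IFEO entries as:  IFEO\<image>: [Debugger] <path>
IFEO_RE = re.compile(
    r"^IFEO\\(?P<image>[^:\\]+):\s*\[Debugger\]\s*(?P<debugger>\S.*)$", re.I)

# FRST prints per-user autorun mount points as:
#   HKU\<SID>\...\MountPoints2: {<guid>} - <target>
MOUNT_RE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-[\d-]+)\\\.\.\.\\MountPoints2:\s*"
    r"\{[0-9A-Fa-f-]+\}\s*-\s*(?P<target>\S.*)$", re.I)

EXECUTABLE_SUFFIXES = (".exe", ".cmd", ".bat", ".vbs", ".js", ".scr")

# Sample input: lines taken from the fixlist in the post above, plus one
# constructed benign entry (a System32 debugger) that should not be flagged.
SAMPLE_LINES = [
    r"HKLM\...\Policies\Explorer: [ShowSuperHidden] 1",
    r"HKU\S-1-5-21-1297813860-651119852-3588835907-1164\...\MountPoints2: "
    r"{e0136360-cde5-11e2-89af-806e6f6e6963} - E:\setup.exe",
    r"IFEO\sethc.exe: [Debugger] c:\windows\fonts\2008.exe",
    r"GroupPolicyScripts: Restriction <======= ATTENTION",
    r'"silsvc" => service was unlocked. <===== ATTENTION',
    r"IFEO\notepad.exe: [Debugger] C:\Windows\System32\vsjitdebugger.exe",
]


def triage_frst_lines(lines):
    """Return a list of (severity, reason, line) findings for FRST report lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = IFEO_RE.match(line)
        if m:
            image = m["image"].lower()
            debugger = m["debugger"].strip().lower()
            if image in ACCESSIBILITY_BINARIES:
                # Any debugger on an accessibility binary is suspicious,
                # whatever path it points to.
                findings.append(("high",
                                 f"IFEO debugger on accessibility binary {image} runs {debugger}",
                                 line))
            elif not debugger.startswith(EXPECTED_SYSTEM_DIRS):
                findings.append(("medium",
                                 f"IFEO debugger for {image} outside System32: {debugger}",
                                 line))
            continue

        m = MOUNT_RE.match(line)
        if m:
            target = m["target"].strip()
            if target.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(("medium",
                                 f"removable-media autorun entry for {m['sid']} -> {target}",
                                 line))
            continue

        # FRST's own marker for entries it wants a human to look at.
        if "<==" in line and "ATTENTION" in line.upper():
            findings.append(("info", "line flagged by FRST", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_frst_lines(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against the full FRST.txt and Addition.txt instead of SAMPLE_LINES to get the same triage over a real report; the "high" class is the one to check first on every machine in the network, since the RDP-related downloads in the same fixlist suggest the sethc.exe entry was not confined to one host.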
GregM 0 (Author) Posted December 23, 2016

If I can't find two files, one before encryption and one after, what can I do? It appears that all non-encrypted copies have been removed.
Kevin Zoll 309 Posted December 23, 2016

If you do not have a copy of an original and its encrypted copy, then the tool will not work. Your only other recourse is to pay the ransom.