Server and 5 branch offices infected, help.

[GregM 0]

I have a main office and 5 branch offices infrected, I have had someone power off all the pc's the server is still running and I ran the scanners.

 

 

scan_161222-093249.txt

Addition.txt

FRST.txt

[Kevin Zoll 309]

Hello,

This system appears to be a victim of Nemucod.

Decryption tool download page: https://decrypter.emsisoft.com/nemucod

Usage Guide: https://decrypter.emsisoft.com/howtos/emsisoft_howto_nemucod.pdf

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-1297813860-651119852-3588835907-1164\...\MountPoints2: {e0136360-cde5-11e2-89af-806e6f6e6963} - E:\setup.exe
HKU\S-1-5-21-1297813860-651119852-3588835907-1189\...\MountPoints2: {e0136360-cde5-11e2-89af-806e6f6e6963} - E:\setup.exe
IFEO\sethc.exe: [Debugger] c:\windows\fonts\2008.exe
Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt [2010-11-20] ()
GroupPolicyScripts: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1296 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1297 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1298 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1299 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1300 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1297813860-651119852-3588835907-1301 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
"silsvc" => service was unlocked. <===== ATTENTION
C:\Users\admin\AppData\Local\Temp\tch.exe
C:\Users\crown\AppData\Local\Temp\fuflxpnl.dll
C:\Users\Mohrgreg\AppData\Local\Temp\Abspdf.exe
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfu.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfui.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\Mohrgreg\AppData\Local\Temp\cdintf.dll
C:\Users\Mohrgreg\AppData\Local\Temp\InstallAX.exe
C:\Users\Mohrgreg\AppData\Local\Temp\niqup4zz.dll
C:\Users\Mohrgreg\AppData\Local\Temp\PDFPRT400.exe
C:\Users\Mohrgreg\AppData\Local\Temp\x3rohnvv.dll
C:\Users\Mohrgreg\AppData\Local\Temp\xmllite.dll
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETHC.EXE" /v "DEBUGGER" /f
C:\Users\admin\Downloads\xdedicrdppatch (1).exe
C:\Users\admin\Downloads\xdedicrdppatch.exe
C:\Users\crown\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UTC0V7CH\SFInstaller_SFFZ_filezilla_8992693_[1].exe
C:\Users\crown\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FOYBYHY4\SFInstaller_SFFZ_filezilla_8992693_[1].exe
C:\Users\usera\Downloads\xdedicrdppatch.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[GregM 0]

If I can;t find two files, one before encryption and one after, what can i do?

It appears that all non-encrypted copies have been removed.

[Kevin Zoll 309]

If you do not have a copy of an original and its encrypted copy, then the tool will not work.  Your only other recourse is to pay the ransom.