ratedm 0 Posted December 29, 2016

Hi All, I'm on a friend's PC. They came to me because their machine was infected a few months ago and it looks like the pictures were encrypted. They took the PC to Geek Squad and it looks like they removed the malware but said they would be unable to get the pictures back. There was a txt file in the Documents folder called restore_files_dkoke with instructions; it says the files have been encrypted using RSA-2048. I will attach that file here as well. I tried running Recuva and ShadowExplorer with no luck on the scans. I followed the instructions and ran the Emsisoft Emergency Kit and Farbar Recovery Scan Tool; all files are attached. Thank you in advance for the help.

Attachments: restore_files_dkoke.txt, FRST.txt, Addition.txt, scan_161228-214258.txt
Kevin Zoll 309 Posted December 29, 2016

Geek Squad did not finish the job, and the files are decryptable. This is TeslaCrypt 2.x: https://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/

To take care of what Geek Squad missed:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2015-11-09 16:07 - 2015-11-09 16:07 - 0000378 _____ () C:\Program Files (x86)\temp995.bat
2015-08-09 16:11 - 2015-08-09 16:11 - 0004247 _____ () C:\Users\Liliana\AppData\Roaming\Microsoft\restore_files_dkoke.html
2015-08-09 16:11 - 2015-08-09 16:11 - 0002144 _____ () C:\Users\Liliana\AppData\Roaming\Microsoft\restore_files_dkoke.txt
CustomCLSID: HKU\S-1-5-21-4161049501-2482404774-2236404718-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\hlink.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-4161049501-2482404774-2236404718-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Liliana\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {1274336E-AB06-46B6-A48C-0671C5557CC6} - \Microsoft\Windows\TaskScheduler\Maintenance Configurator -> No File <==== ATTENTION
Task: {1687544D-7247-4F5A-965A-A6E920E55278} - \Microsoft\Windows\TaskScheduler\Manual Maintenance -> No File <==== ATTENTION
Task: {2056846B-B463-4987-9336-C2DFCE4BEBA3} - \Apple\AppleSoftwareUpdate -> No File <==== ATTENTION
Task: {44A6EA24-A324-4619-9C7D-82F100720364} - \Hewlett-Packard\HP Support Assistant\Pending HPSA Messages Reminder -> No File <==== ATTENTION
Task: {47BFE674-5DFA-4395-B88C-47D28D6E5597} - \Microsoft\Windows\Maintenance\WinSAT -> No File <==== ATTENTION
Task: {5173872C-2323-4962-B0C3-D7E916CC8508} - \Hewlett-Packard\HP Support Assistant\PC Health Analysis -> No File <==== ATTENTION
Task: {5734EF6E-DDE4-41BC-A5E3-BCB661EADC49} - \Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start -> No File <==== ATTENTION
Task: {63D8F188-C77F-4C2B-878A-86612DDC90CC} - \Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon -> No File <==== ATTENTION
Task: {6F02587F-8A2B-4552-97F6-DEEF229E335B} - \Microsoft\Windows\TaskScheduler\Idle Maintenance -> No File <==== ATTENTION
Task: {8C246458-10E5-4DCB-A96E-B2AEA193713C} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {9CC95A60-E2B5-40D8-A3A5-C1F73A87FEEE} - \CLMLSvc_P2G8 -> No File <==== ATTENTION
Task: {AACFFA5E-440A-49E5-B16D-717446C9234F} - \Microsoft OneDrive Auto Update Task-S-1-5-21-4161049501-2482404774-2236404718-1001 -> No File <==== ATTENTION
Task: {B021672C-95F7-43B9-AF61-A26525B8A6F7} - \Hewlett-Packard\HP Support Assistant\Update Check -> No File <==== ATTENTION
Task: {B36D0556-2F7F-454E-8A2F-98C624B65B8A} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker -> No File <==== ATTENTION
Task: {B7992938-01F1-4F40-A0EC-0D23D2F0F152} - \Microsoft\Windows\TaskScheduler\Regular Maintenance -> No File <==== ATTENTION
Task: {BB920F1C-32AF-4048-A639-AECF5DABA351} - \CLVDLauncher -> No File <==== ATTENTION
Task: {C7C89705-3438-49DE-90E9-E39D84953AA7} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan -> No File <==== ATTENTION
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - \Microsoft\Windows\SettingSync\BackupTask -> No File <==== ATTENTION
Task: {F61C1098-6385-4992-9119-CE0F68340314} - \Microsoft\Windows\Servicing\StartComponentCleanup -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
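A small triage helper, added here as an illustration and not part of the thread or of FRST itself: it reads FRST-style scan lines and picks out the two kinds of entry the fixlist above is built from, references whose target no longer exists ("No File") and leftover TeslaCrypt ransom notes named restore_files_*. The sample lines are constructed from entries quoted in the post plus two healthy entries, and the line formats (especially the healthy task line) are approximations of FRST's output.

```python
import re

# Constructed sample in the shape FRST prints its entries: residue/orphan lines
# quoted in the thread, plus a healthy file and a healthy task to leave alone.
SAMPLE_FRST_LINES = r"""
2015-08-09 16:11 - 2015-08-09 16:11 - 0004247 _____ () C:\Users\Liliana\AppData\Roaming\Microsoft\restore_files_dkoke.html
2015-08-09 16:11 - 2015-08-09 16:11 - 0002144 _____ () C:\Users\Liliana\AppData\Roaming\Microsoft\restore_files_dkoke.txt
2016-12-20 10:00 - 2016-12-20 10:00 - 0001024 _____ () C:\Users\Liliana\Documents\notes.txt
CustomCLSID: HKU\S-1-5-21-...-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Liliana\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
Task: {8C246458-10E5-4DCB-A96E-B2AEA193713C} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe (Microsoft Corporation)
""".strip().splitlines()

# FRST flags a registry/task entry whose target is gone with "-> No File" or "=> No File".
ORPHAN = re.compile(r"(?:->|=>) No File\b")
# File-listing entries: created - modified - size attributes () path
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]+ \(\) (?P<path>.+)$"
)
# Ransom note name pattern seen in this thread (restore_files_<id>.txt/html).
RANSOM_NOTE = re.compile(r"restore_files_[0-9a-z]+\.(?:txt|html)$", re.IGNORECASE)


def classify(line: str):
    """Return why a line belongs in the fixlist, or None if it looks healthy."""
    if ORPHAN.search(line):
        return "orphaned reference (target missing)"
    m = FILE_ENTRY.match(line)
    if m and RANSOM_NOTE.search(m.group("path")):
        return "ransom note residue"
    return None


def build_fixlist(lines):
    """Return (fixlist_lines, reasons): lines copied verbatim, as FRST expects, plus why."""
    fixlist, reasons = [], {}
    for line in lines:
        line = line.rstrip()
        reason = classify(line)
        if reason:
            fixlist.append(line)
            reasons[line] = reason
    return fixlist, reasons


if __name__ == "__main__":
    fix, why = build_fixlist(SAMPLE_FRST_LINES)
    for entry in fix:
        print(f"{why[entry]:38s} {entry}")
```

The temp995.bat entry in the post shows the limit of a mechanical filter: it was chosen by an analyst reading the log, not by a pattern, so treat this output as a starting point for review rather than a fixlist to run.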
ratedm 0 Posted December 29, 2016 (Author)

Thank you so much, here is the fix log.

Attachment: Fixlog.txt
ratedm 0 Posted December 29, 2016 (Author)

I was able to get all the pictures back with the link above!!!
Kevin Zoll 309 Posted December 30, 2016

21 hours ago, ratedm said: "I was able to get all the pictures back with the link above!!!"

Good to hear that you got your pictures back. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
Kevin Zoll 309 Posted January 3, 2017

Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE. If you don't, we are just going to send you back to this thread.