DesignerScott

CLOSED Computer has been encrypted

Hello,

I do not see any encrypted files in your logs.  However, from what I did see this appears to be Nemucod.

Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.


Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Run: [Crypted] => C:\Users\Scott\AppData\Local\Temp\a.txt [1353 2016-06-20] () <===== ATTENTION
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: HKLM-x32 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
URLSearchHook: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
SearchScopes: HKLM-x32 -> DefaultScope {7296AE86-9E1F-4E3A-855A-C107B3E7BB7F} URL = 
SearchScopes: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 -> {61C5EC4E-0D77-485D-93F3-BDDC76994670} URL = 
BHO: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll => No File
BHO-x32: InternetHelper3.7 Toolbar -> {8e2479de-6096-41f3-90ab-83be9946aa2d} -> C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll => No File
Toolbar: HKLM-x32 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
Toolbar: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 -> No Name - {8E2479DE-6096-41F3-90AB-83BE9946AA2D} -  No File
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} -  No File
R2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [38440 2013-09-19] (Just Develop It) [File not signed] <==== ATTENTION
2013-11-19 11:23 - 2013-01-14 08:34 - 0007680 _____ () C:\Users\Scott\AppData\Local\[email protected]!-bc6bf27b-4ed9-48b4-8e92-498580c2ab89.tmp
2013-11-19 11:23 - 2013-01-14 08:34 - 0007168 _____ () C:\Users\Scott\AppData\Local\[email protected]!-45acab51-e522-43f6-b401-f26a377fb77c.tmp
C:\Users\Scott\AppData\Local\Temp\a.txt
Task: {2D6E5685-0C5E-4D11-B331-1D206687601E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {4F9E5823-4CC1-43DD-B754-A13FDE8024D4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {60D96F01-3815-4692-B9F1-1E27B0E8F773} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {7AE5A30D-5052-4EB6-82B1-3A731FA98C81} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {94BA0DA3-3B16-49F5-ABF6-649D9D8FFC05} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A77CC52C-741C-48BC-9324-4413C7DD1F1E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {C2AB7BAC-4737-4D6E-8528-829242F8E3FF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {CCE1FEE6-890A-46C8-84B8-E6B3F9EA5013} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {EB02F6AA-DCDC-454E-A3CC-6D80B4B6DA0C} - System32\Tasks\hpUrlLauncher.exe_{2E832A5D-F260-4B7F-87A6-9AA009573E6B} => C:\Users\Scott\AppData\Local\Temp\7zS149F\utils\hpUrlLauncher.exe <==== ATTENTION
Task: {F39B8738-A9D1-421B-A4DB-CC0A68137286} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F71942C6-296E-4520-866C-F7E157BFF690} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F80D6FB9-C2AA-46D2-92A3-D25A0B173CEB} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
2013-09-19 14:32 - 2013-09-19 14:32 - 01102336 _____ () C:\Program Files (x86)\MyPC Backup\x64\System.Data.SQLite.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00011776 _____ () C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp\System.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00018432 _____ () C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp\UAC.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00011776 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\System.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00018432 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\UAC.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00009728 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\nsDialogs.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00037376 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\InetBgDL.dll
AlternateDataStreams: C:\ProgramData\TEMP:AD022376 [125]
AlternateDataStreams: C:\ProgramData\TEMP:D346F792 [128]
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp
C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\bza53rbj.default-1384890202183\Extensions\[email protected]
C:\Program Files (x86)\mozilla firefox\nsprotector.js
C:\WINDOWS\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
C:\WINDOWS\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
C:\Users\Scott\AppData\Local\Microsoft\Windows\INetCache\IE\O8MA7OJ8\00[1].png

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

So I am following your instructions ...

Did AdwCleaner....attached is the report...

Did the Junkware Removal Tool....it gave me an update box in black and white...then asks for updates...hit enter

Asks for restoration point   needs answer here as nothing happens at this point....what do I do???

Sorry, I am a bit frustrated here....I have run all the things in the directions....saved all the logs to the desktop...

Directions now say>>>>>

Close Notepad.  I did this

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. Where is this supposed to be saved to???

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait. I can find the FRST file but not an FRST64 file!!! Where is this? or is it under another title/name?

SO I found the original download, which gives me the dialog box and the "FIX" option but it says there is no Fixlist.txt!

I have tried putting it in the C: drive does not work

I have dropped into the FRST file on the c drive, lands in Hives and does not work!

SO not sure how to get the fixlist.txt into the dialog box to get it to fix!

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

So I finally figured out that the fixlist.txt file needed to be in the same download file as the frst64.exe file.

so I went to the file folder and placed the fixlist.txt file under use/scott/download

then I went to the download icon on file and opened the FRST64.exe file; opened file to add to hard drive

The FARBAR Recovery Scan dialog box opened; clicked fix once as instructed and it began the fix without rejecting the option as it had in the past when it could not find the fixlist.txt file

completed the fix in about 90 seconds

gave the recovery report as noted and attached below

Nothing asked for updates or restarts.

I restarted the computer hoping that I'd have access to all my files again.

No Such Luck 4 hours of running all the fixes suggested and I am still fully encrypted.

all the reports are attached above files that were given copies of files are still crypted.

not sure what to think at this point.

Scott

Fixlog report.txt

AdwCleaner[C0] Log Report.txt

JRT log report.txt

fixlist2.txt

OK,

Use the Nemucod decryption tool again.

After that:

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
 

Kevin,

I ran all the reports again and they all say there are no threats.  I have copied and re-pasted the fixlist.txt in the download section of the computer.  I opened the frst64 application, hit the fix button and the program ran "running"  now for almost 24 hrs....do I just let that go??

Terminate the FRST fix.  Something is keeping it from running the fix.

Changing tools.

Download RogueKiller from one of the following links and save it to your desktop:

Scott,

Looks like an Explorer Tool Bar that is not necessary.

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:
      [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{042DA63B-0933-403D-9395-B49307691690} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found
      [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X], is the most recent Delete log.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.

Scott,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scan logs to your reply.

Scott,

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2017-01-09 01:56 - 2017-01-09 01:56 - 00000000 __HDC C:\ProgramData\{A328A61B-C332-4C8C-A740-42F7F71DC398}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002120 _____ C:\WINDOWS\System32\Tasks\{912C80DB-B259-457F-AC85-02010E5922D1}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{E590A9A1-279F-45DD-8AD9-F32F27D96742}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{CF6D2FCB-5F62-45F9-AFD2-DD6D7214CBFB}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{94326218-ED0E-4CEB-9982-298DBAB5A9C9}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{8CF4C5AE-CFFD-41BE-96EC-6F79AD7A1B40}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{0E033676-9557-4B2B-8ED8-0186DD5D3F84}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{04237A82-0FEB-451F-A88E-5E00D035F4E7}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{ED8F24F2-4FFF-437C-9BFB-F101E1E638A5}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{E2693CD6-EB40-4CA9-AE05-45614A65EBE4}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{5D5D7119-5E4A-4965-A1A5-F8A8C893708A}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{597858B2-B771-4623-A6B5-BD9E0B72CC43}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{593C5D46-788B-453B-8055-C20655F6F2A1}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{536E2BFB-ECE9-4CDB-A75C-8C34A5BE8B0C}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{3094F651-2002-4D72-9F87-BBFAA33A32A4}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{1CF2BCA2-EE89-425B-A66E-C6F784F6481F}
Task: {3B99A753-414D-472F-93CF-1AE36A5C7AAE} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Kevin Zoll

Scott,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scan logs to your reply.

Kevin

I replied to email but apparently it did not go thru.....

all the files and reports are run and attached.... for your review...hopefully this will help.

Scott

FRST scan report 1.24.2016.txt

rk_3BFA.tmp1.24.2017.txt

rk_63D6.tmp Rogue Report.txt

rk_77AD.tmp 1-24-2016.txt

scan_170124-162116 1.24.2016.txt

Kevin Zoll

Scott,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scan logs to your reply.

My Reply of 1/27/2016

Kevin

all of the scans you asked for were attached along with the RogueKiller Reports

Scott

FRST scan report 1.24.2016.txt 

THIS IS THE FRST REPORT I RAN ON 1-24-2017

rk_3BFA.tmp1.24.2017.txt

rk_63D6.tmp Rogue Report.txt

rk_77AD.tmp 1-24-2016.txt

scan_170124-162116 1.24.2016.txt    

THIS IS THE SCAN REPORT ON 1-24-2017 

Both reports said they found nothing in them. I am reattaching them below.

scan_170124-162116 1.24.2016.txt

FRST scan report 1.24.2016.txt

Scott,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.

Scott,

Do not reply to notification emails.  Reply directly to your forum topic or send me a PM to open it if I closed the topic.

OK, let's attempt decryption again.

Download the Nemucod decrypter from https://decrypter.emsisoft.com/download/nemucod

Usage Guide: https://decrypter.emsisoft.com/howtos/emsisoft_howto_nemucod.pdf

Kevin,

I can safely say that I have recovered the vast majority of the files!!!!!!!!!!!!!!!!!!!!!

Have no clue how to thank you.

There are now duplicate files for everything, an encrypted file and a new unlocked file. 

Most everything opened, with the exception of quite a few PDF files as Adobe says the file is damaged and cannot be opened. This includes  some pictures but not all of them.

Not sure what next we should do if anything.

please advise.

Scott

 

Scott,

The system should be malware free.  Your logs have been looking pretty good and the last stuff I removed should have been the last of it. As far as decryption, that is not without errors. The larger the file, the greater the likelihood of errors during decryption.  Some encryption methods are flawed when it comes to encrypting large files (files greater than 2 GB). The encryption is not done properly, making it impossible to decrypt the file.

You can delete all the encrypted files that were successfully decrypted.

Kevin,

Most of the files that do not open are PDF files of scanned items or Photos and are not large files, way under that limit. 

When I try to open them I get the Adobe Error Message: Files are damaged and cannot be opened.

If that is something that cannot be fixed, I can live with that.

Otherwise everything else is working again.

Cannot thank you enough.....

Scott

21 hours ago, DesignerScott said:

Kevin,

Most of the files that do not open are PDF files of scanned items or Photos and are not large files, way under that limit. 

When I try to open them I get the Adobe Error Message: Files are damaged and cannot be opened.

If that is something that cannot be fixed, I can live with that.

Otherwise everything else is working again.

Cannot thank you enough.....

Scott

 

Can you share some files which are not working and the file pair you are using to decrypt them? We will take a look and see if we can help.

Regards,

Sarah
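
The advice above to delete encrypted copies only once they were successfully decrypted, and the request for the files that still fail, can be turned into a quick triage pass; the script below is an added example, not part of the original thread or Emsisoft's tooling. It assumes each encrypted copy sits beside its decrypted file with a `.crypted` suffix (an assumption, adjust `ENCRYPTED_SUFFIX`), and the sample files it builds are constructed.

```python
import os
import tempfile

# Leading bytes that identify each format (standard file signatures).
SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Assumption: encrypted copies carry this extra suffix next to the decrypted
# file (report.pdf / report.pdf.crypted). Adjust to what is on disk.
ENCRYPTED_SUFFIX = ".crypted"


def header_matches(path):
    """True/False if the header fits the extension, None if type is unknown."""
    ext = os.path.splitext(path)[1].lower()
    magics = SIGNATURES.get(ext)
    if magics is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(m) for m in magics)


def triage(root, suffix=ENCRYPTED_SUFFIX):
    """Sort encrypted copies by the state of their decrypted counterpart."""
    result = {"header_ok": [], "damaged": [], "missing": [], "unchecked": []}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(suffix):
                continue
            encrypted = os.path.join(folder, name)
            decrypted = encrypted[: -len(suffix)]
            if not os.path.isfile(decrypted):
                result["missing"].append(encrypted)    # never decrypted
                continue
            verdict = header_matches(decrypted)
            if verdict is True:
                result["header_ok"].append(encrypted)  # candidate for deletion
            elif verdict is False:
                result["damaged"].append(encrypted)    # keep the encrypted copy
            else:
                result["unchecked"].append(encrypted)  # no signature to test
    return result


def demo():
    """Build a constructed folder of file pairs and triage it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "scan1.pdf": b"%PDF-1.4\n% constructed sample\n",
            "scan2.pdf": b"\x8a\x11\x03garbage, decryption failed",
            "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
            "notes.txt": b"plain text has no signature",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            with open(os.path.join(root, name + ENCRYPTED_SUFFIX), "wb") as fh:
                fh.write(b"constructed ciphertext")
        # An encrypted file with no decrypted counterpart.
        with open(os.path.join(root, "lost.png" + ENCRYPTED_SUFFIX), "wb") as fh:
            fh.write(b"constructed ciphertext")
        report = triage(root)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

A matching header only shows that decryption produced the right first bytes; open a file before deleting its encrypted copy, and keep the pairs listed under `damaged` for further analysis.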

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.

This topic is now closed to further replies.