DesignerScott (posted December 29, 2016):
My computer has been encrypted... paid the ransom but never got a decrypt key... really hope to get the data back.
Attachments: Scan 12.29.2016.txt, FRST.txt, Addition.txt
Kevin Zoll (posted December 29, 2016):
Hello,
I do not see any encrypted files in your logs. However, from what I did see this appears to be Nemucod. Do the following:

Download AdwCleaner and save it on your desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double-click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop. Run the tool by double-clicking it. The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log is saved to your desktop and will automatically open. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Run: [Crypted] => C:\Users\Scott\AppData\Local\Temp\a.txt [1353 2016-06-20] () <===== ATTENTION
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: HKLM-x32 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
URLSearchHook: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
SearchScopes: HKLM-x32 -> DefaultScope {7296AE86-9E1F-4E3A-855A-C107B3E7BB7F} URL = 
SearchScopes: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 -> {61C5EC4E-0D77-485D-93F3-BDDC76994670} URL = 
BHO: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll => No File
BHO-x32: InternetHelper3.7 Toolbar -> {8e2479de-6096-41f3-90ab-83be9946aa2d} -> C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll => No File
Toolbar: HKLM-x32 - InternetHelper3.7 Toolbar - {8e2479de-6096-41f3-90ab-83be9946aa2d} - C:\Users\Scott\AppData\LocalLow\InternetHelper3.7\prxtbInt2.dll No File
Toolbar: HKU\S-1-5-21-342701103-1805865764-1336293501-1000 -> No Name - {8E2479DE-6096-41F3-90AB-83BE9946AA2D} - No File
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - No File
R2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [38440 2013-09-19] (Just Develop It) [File not signed] <==== ATTENTION
2013-11-19 11:23 - 2013-01-14 08:34 - 0007680 _____ () C:\Users\Scott\AppData\Local\[email protected]!-bc6bf27b-4ed9-48b4-8e92-498580c2ab89.tmp
2013-11-19 11:23 - 2013-01-14 08:34 - 0007168 _____ () C:\Users\Scott\AppData\Local\[email protected]!-45acab51-e522-43f6-b401-f26a377fb77c.tmp
C:\Users\Scott\AppData\Local\Temp\a.txt
Task: {2D6E5685-0C5E-4D11-B331-1D206687601E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {4F9E5823-4CC1-43DD-B754-A13FDE8024D4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {60D96F01-3815-4692-B9F1-1E27B0E8F773} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {7AE5A30D-5052-4EB6-82B1-3A731FA98C81} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {94BA0DA3-3B16-49F5-ABF6-649D9D8FFC05} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A77CC52C-741C-48BC-9324-4413C7DD1F1E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {C2AB7BAC-4737-4D6E-8528-829242F8E3FF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {CCE1FEE6-890A-46C8-84B8-E6B3F9EA5013} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {EB02F6AA-DCDC-454E-A3CC-6D80B4B6DA0C} - System32\Tasks\hpUrlLauncher.exe_{2E832A5D-F260-4B7F-87A6-9AA009573E6B} => C:\Users\Scott\AppData\Local\Temp\7zS149F\utils\hpUrlLauncher.exe <==== ATTENTION
Task: {F39B8738-A9D1-421B-A4DB-CC0A68137286} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F71942C6-296E-4520-866C-F7E157BFF690} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F80D6FB9-C2AA-46D2-92A3-D25A0B173CEB} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
2013-09-19 14:32 - 2013-09-19 14:32 - 01102336 _____ () C:\Program Files (x86)\MyPC Backup\x64\System.Data.SQLite.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00011776 _____ () C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp\System.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00018432 _____ () C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp\UAC.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00011776 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\System.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00018432 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\UAC.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00009728 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\nsDialogs.dll
2016-12-28 20:41 - 2016-12-28 20:41 - 00037376 _____ () C:\Users\Scott\AppData\Local\Temp\nst347A.tmp\InetBgDL.dll
AlternateDataStreams: C:\ProgramData\TEMP:AD022376 [125]
AlternateDataStreams: C:\ProgramData\TEMP:D346F792 [128]
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-342701103-1805865764-1336293501-1000\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
C:\Users\Scott\AppData\Local\Temp\nsa2A59.tmp
C:\Users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\bza53rbj.default-1384890202183\Extensions\[email protected]
C:\Program Files (x86)\mozilla firefox\nsprotector.js
C:\WINDOWS\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
C:\WINDOWS\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
C:\Users\Scott\AppData\Local\Microsoft\Windows\INetCache\IE\O8MA7OJ8\00[1].png

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
DesignerScott (posted December 29, 2016):
The files are definitely encrypted. Here is an example of a file. Does the work above still seem to be the best option after seeing the files below?? This is just a fraction of the files affected. Thanks, Scott
Addtional Cover sheet notes..docx.crypted
As-Built Master Bedroom.docx.crypted
authorization.docx.crypted
Authorization.pdf.crypted
Bradenstein Dwg Files.zip.crypted
Brandenstein Plan Check Elevations.pdf.crypted
Brandenstein Plan Check Floorplan.pdf.crypted
Brandenstein Plan CVR_SITE (1a).pdf.crypted
Brandenstein T-24 Forms.pdf.crypted
Brandenstein T-24 Report.pdf.crypted
Brandenstein_AB_Lwr_Lvl_Plan_111213 AB_LWR LVL BDRM (revised).pdf.crypted
Brandenstein_Elev_111213 MSTR BTH ELEV 1 (revised).pdf.crypted
Brandenstein_Plan_011514 - Standard.zip.crypted
DesignerScott (posted December 29, 2016):
So I am following your instructions... did AdwCleaner; attached is the report. Did the Junkware Removal Tool; it gave me an update box in black and white, then asked for updates; hit Enter; it asks for a restoration point; needs an answer here as nothing happens at this point. What do I do???
Attachment: AdwCleaner[C0] Log Report.txt
DesignerScott (posted December 29, 2016):
Never mind, it now seems to be running something on its own....
DesignerScott (posted December 29, 2016):
Sorry, I am a bit frustrated here.... I have run all the things in the directions.... saved all the logs to the desktop...
Directions now say:
"Close Notepad." I did this.
"NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work." Where is this supposed to be saved to???
"NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system."
"Run FRST64 and press the Fix button just once and wait." I can find the FRST file but not an FRST64 file!!! Where is this? Or is it under another title/name? So I found the original download, which gives me the dialog box and the "FIX" option, but it says there is no Fixlist.txt! I have tried putting it in the C: drive; does not work. I have dropped it into the FRST file on the C drive; lands in Hives and does not work! So not sure how to get the fixlist.txt into the dialog box to get it to fix!
"If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply."
DesignerScott (posted December 29, 2016):
So I finally figured out that the fixlist.txt file needed to be in the same download folder as the frst64.exe file. So I went to the file folder and placed the fixlist.txt file under user/scott/download. Then I went to the download icon on file and opened the FRST64.exe file; opened file to add to hard drive. The FARBAR Recovery Scan dialog box opened; clicked Fix once as instructed and it began the fix without rejecting the option as it had in the past when it could not find the fixlist.txt file. Completed the fix in about 90 seconds; gave the recovery report as noted and attached below. Nothing asked for updates or restarts. I restarted the computer hoping that I'd have access to all my files again. No such luck. 4 hours of running all the fixes suggested and I am still fully encrypted. All the reports are attached above; files that were given copies of files are still crypted. Not sure what to think at this point. Scott
Attachments: Fixlog report.txt, AdwCleaner[C0] Log Report.txt, JRT log report.txt, fixlist2.txt
Kevin Zoll (posted December 30, 2016):
OK, use the Nemucod decryption tool again. After that, run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply.
Kevin Zoll (posted January 3, 2017):
Thread Closed. Reason: Lack of Response. PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
Kevin Zoll (posted January 12, 2017):
Support thread opened at original poster's request. Try using the Nemucod decryption tool again.
DesignerScott (posted January 13, 2017):
Kevin, I ran all the reports again and they all say there are no threats. I have copied and re-pasted the fixlist.txt in the download section of the computer. I opened the FRST64 application, hit the Fix button and the program ran; "running" now for almost 24 hrs.... do I just let that go??
Kevin Zoll (posted January 14, 2017):
Terminate the FRST fix. Something is keeping it from running the fix. Changing tools.
Download RogueKiller from one of the following links and save it to your desktop:
32-Bit: http://www.adlice.com/download/roguekiller/?wpdmdl=59&ind=aHR0cDovL2Rvd25sb2FkLmFkbGljZS5jb20vYXBpP2FjdGlvbj1kb3dubG9hZCZhcHA9cm9ndWVraWxsZXImdHlwZT14ODY
64-Bit: http://www.adlice.com/download/roguekiller/?wpdmdl=59&ind=aHR0cDovL2Rvd25sb2FkLmFkbGljZS5jb20vYXBpP2FjdGlvbj1kb3dubG9hZCZhcHA9cm9ndWVraWxsZXImdHlwZT14NjQ
Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator). Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", just close the program. Don't fix anything!
Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex). The highest number of [X] is the most recent Scan.
DesignerScott (posted January 16, 2017):
So I stopped FRST64 repair after 72 hours... as suggested I downloaded the RogueKiller 64-bit program and ran the scan.... did not fix anything, just saved the report, which is now attached.... Let me know if this helps in any way. Scott
Attachment: rk_63D6.tmp Rogue Report.txt
Kevin Zoll (posted January 17, 2017):
Scott, looks like an Explorer toolbar that is not necessary.
Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator). Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click the Registry tab and select the following items:
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{042DA63B-0933-403D-9395-B49307691690} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found
Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex). The highest number of [X] is the most recent Delete log.
Kevin Zoll (posted January 20, 2017):
Thread Closed. Reason: Lack of Response.
Kevin Zoll (posted January 25, 2017):
Scott, let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scan logs to your reply.
Kevin Zoll (posted January 26, 2017):
Scott, copy the below code to Notepad; Save As fixlist.txt to your Desktop.
2017-01-09 01:56 - 2017-01-09 01:56 - 00000000 __HDC C:\ProgramData\{A328A61B-C332-4C8C-A740-42F7F71DC398}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002120 _____ C:\WINDOWS\System32\Tasks\{912C80DB-B259-457F-AC85-02010E5922D1}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{E590A9A1-279F-45DD-8AD9-F32F27D96742}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{CF6D2FCB-5F62-45F9-AFD2-DD6D7214CBFB}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{94326218-ED0E-4CEB-9982-298DBAB5A9C9}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{8CF4C5AE-CFFD-41BE-96EC-6F79AD7A1B40}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{0E033676-9557-4B2B-8ED8-0186DD5D3F84}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002062 _____ C:\WINDOWS\System32\Tasks\{04237A82-0FEB-451F-A88E-5E00D035F4E7}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{ED8F24F2-4FFF-437C-9BFB-F101E1E638A5}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{E2693CD6-EB40-4CA9-AE05-45614A65EBE4}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{5D5D7119-5E4A-4965-A1A5-F8A8C893708A}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{597858B2-B771-4623-A6B5-BD9E0B72CC43}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{593C5D46-788B-453B-8055-C20655F6F2A1}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{536E2BFB-ECE9-4CDB-A75C-8C34A5BE8B0C}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{3094F651-2002-4D72-9F87-BBFAA33A32A4}
2016-12-31 04:49 - 2016-12-31 04:49 - 00002050 _____ C:\WINDOWS\System32\Tasks\{1CF2BCA2-EE89-425B-A66E-C6F784F6481F}
Task: {3B99A753-414D-472F-93CF-1AE36A5C7AAE} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
DesignerScott (posted January 26, 2017):
Quoting Kevin Zoll (posted Tuesday at 16:11): "Scott, Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scan logs to your reply."
Kevin, I replied to email but apparently it did not go through..... All the files and reports are run and attached.... for your review... hopefully this will help. Scott
Attachments: FRST scan report 1.24.2016.txt, rk_3BFA.tmp1.24.2017.txt, rk_63D6.tmp Rogue Report.txt, rk_77AD.tmp 1-24-2016.txt, scan_170124-162116 1.24.2016.txt
Kevin Zoll (posted January 27, 2017):
Scott, please see my previous post.
DesignerScott (posted January 27, 2017):
Quoting Kevin Zoll (posted Tuesday at 16:11): "Scott, Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scan logs to your reply."
My reply of 1/27/2016: Kevin, all of the scans you asked for were attached along with the RogueKiller reports. Scott
FRST scan report 1.24.2016.txt (THIS IS THE FRST REPORT I RAN ON 1-24-2017)
rk_3BFA.tmp1.24.2017.txt
rk_63D6.tmp Rogue Report.txt
rk_77AD.tmp 1-24-2016.txt
scan_170124-162116 1.24.2016.txt (THIS IS THE SCAN REPORT ON 1-24-2017)
Both reports said they found nothing in them. I am reattaching them below.
Attachments: scan_170124-162116 1.24.2016.txt, FRST scan report 1.24.2016.txt
DesignerScott (posted January 27, 2017):
Kevin, did not see the repair email before I sent the reports prior.. sorry about that. So I did as requested... attached is the fix log report; hopefully good news in this report. Next step? Scott
Attachment: Fixlog.1.27.2017.11.29am.txt
Kevin Zoll (posted January 28, 2017):
Scott, let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
Kevin Zoll (posted January 31, 2017):
Thread Closed. Reason: Lack of Response.
Kevin Zoll (posted February 7, 2017):
Scott, do not reply to notification emails. Reply directly to your forum topic, or send me a PM to open it if I closed the topic.
OK, let's attempt decryption again. Download the Nemucod decrypter from https://decrypter.emsisoft.com/download/nemucod
Usage guide: https://decrypter.emsisoft.com/howtos/emsisoft_howto_nemucod.pdf
DesignerScott (posted February 7, 2017):
Kevin, I can safely say that I have recovered the vast majority of the files!!!!!!!!!!!!!!!!!!!!! Have no clue how to thank you. There are now duplicate files for everything, an encrypted file and a new unlocked file. Most everything opened, with the exception of quite a few PDF files, as Adobe says the file is damaged and cannot be opened. This includes some pictures but not all of them. Not sure what next we should do, if anything. Please advise. Scott
Kevin Zoll (posted February 7, 2017):
Scott, the system should be malware free. Your logs have been looking pretty good and the last stuff I removed should have been the last of it. As far as decryption, that is not without errors. The larger the file, the greater the likelihood of errors during decryption. Some encryption methods are flawed when it comes to encrypting large files, files greater than 2 GB; the encryption is not done properly, making it impossible to decrypt the file. You can delete all the encrypted files that were successfully decrypted.
DesignerScott (posted February 7, 2017):
Kevin, most of the files that do not open are PDF files of scanned items or photos and are not large files, way under that limit. When I try to open them I get the Adobe error message: files are damaged and cannot be opened. If that is something that cannot be fixed, I can live with that. Otherwise everything else is working again. Cannot thank you enough..... Scott
Kevin Zoll (posted February 7, 2017):
You could try using a different file pair and see if that will successfully decrypt the files.
Sarah W (posted February 8, 2017):
(Quoting DesignerScott's post of February 7, 2017, above.)
Can you share some files which are not working and the file pair you are using to decrypt them? We will take a look and see if we can help.
Regards, Sarah
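Kevin's suggestion to "try a different file pair" and Sarah's request for the specific files and the pair both rest on how pair-based decrypters work: the key is derived from one file the victim still has in both original and encrypted form, and a bad pair shows up as output that a viewer calls damaged. The Python below is an added illustration of that mechanism; it is not code from this thread or from Emsisoft's decrypter. It assumes a toy cipher (the first 2048 bytes of a file XORed with a 7-byte repeating key, ciphertext the same size as plaintext); the thread does not describe Nemucod's real scheme, so those parameters, the secret key and the sample files are constructed for the example.

```python
from itertools import cycle

# Toy-model assumptions (not Nemucod's real scheme, which the thread does not
# describe): only the first WINDOW bytes of a file are encrypted, with a
# KEY_LEN-byte repeating XOR key, and the ciphertext keeps the plaintext size.
WINDOW = 2048
KEY_LEN = 7

# Leading magic bytes; output matching none of these is what a viewer
# reports as "damaged".
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def toy_crypt(data: bytes, key: bytes) -> bytes:
    """XOR the first WINDOW bytes with the repeating key; XOR is its own
    inverse, so the same routine encrypts and decrypts."""
    head = bytes(b ^ k for b, k in zip(data[:WINDOW], cycle(key)))
    return head + data[WINDOW:]


def identify(data: bytes):
    """File type implied by the magic bytes, or None if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def recover_key(original: bytes, encrypted: bytes, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext recovery: key[i] = original[i] ^ encrypted[i].
    The pair is then checked over the whole window, so two different files
    of equal size, or a pair from another infection, are rejected rather
    than yielding a key that quietly corrupts every other file."""
    if len(original) != len(encrypted):
        raise ValueError("sizes differ: not the same file before and after encryption")
    if len(original) < key_len:
        raise ValueError(f"original is {len(original)} bytes; need at least {key_len}")
    key = bytes(o ^ e for o, e in zip(original[:key_len], encrypted[:key_len]))
    for i in range(min(len(original), WINDOW)):
        if original[i] ^ encrypted[i] != key[i % key_len]:
            raise ValueError(f"pair inconsistent at offset {i}: wrong pair or different key")
    return key


def pair_is_consistent(original: bytes, encrypted: bytes) -> bool:
    """True if recover_key accepts the pair."""
    try:
        recover_key(original, encrypted)
        return True
    except ValueError:
        return False


def decrypt_and_check(encrypted: bytes, key: bytes):
    """Decrypt with a recovered key and report whether the result looks sane."""
    plain = toy_crypt(encrypted, key)
    return plain, identify(plain)


def find_pairs(listing: dict) -> list:
    """From a {path: size} listing, return (original, encrypted) candidates:
    'X.ext' beside 'X.ext.crypted' with equal size (the toy cipher keeps size)."""
    pairs = []
    for path, size in listing.items():
        if path.endswith(".crypted"):
            orig = path[:-len(".crypted")]
            if listing.get(orig) == size:
                pairs.append((orig, path))
    return sorted(pairs)


# Constructed sample "files": real-looking headers plus filler, longer than
# WINDOW so the partially encrypted layout is exercised.
FILL = bytes(range(256)) * 10
SAMPLE_PDF = b"%PDF-1.4\n" + FILL
SAMPLE_DOCX = b"PK\x03\x04\x14\x00\x06\x00" + FILL
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JF" + FILL
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + FILL
SECRET_KEY = b"\x13\x37\xca\xfe\x42\x7f\x05"   # the malware's key, unknown to the victim


def demo() -> dict:
    """Encrypt the samples, recover the key from one good pair, decrypt another."""
    enc = {n: toy_crypt(d, SECRET_KEY) for n, d in
           [("pdf", SAMPLE_PDF), ("docx", SAMPLE_DOCX), ("jpeg", SAMPLE_JPEG), ("png", SAMPLE_PNG)]}
    key = recover_key(SAMPLE_DOCX, enc["docx"])              # victim kept the original .docx
    pdf_plain, pdf_kind = decrypt_and_check(enc["pdf"], key)
    _, bad_kind = decrypt_and_check(enc["pdf"], b"wrongke")  # wrong key -> "damaged" PDF
    return {"key": key, "pdf_kind": pdf_kind, "pdf_ok": pdf_plain == SAMPLE_PDF,
            "bad_kind": bad_kind, "enc": enc}


if __name__ == "__main__":
    r = demo()
    print("key", r["key"].hex(), "| good pair decrypts PDF as:", r["pdf_kind"],
          "| wrong key gives:", r["bad_kind"])
```

Run as a script it prints the recovered key and the sanity check on the decrypted PDF. The consistency loop in recover_key is the reason a decrypter asks for a specific pair: two unrelated files of the same size, or a pair encrypted under a different key, fail that check instead of producing a key that turns every PDF into bytes Adobe rejects, and find_pairs shows the first filter for picking a pair (same name with and without .crypted, same size). Decrypting a file with a key that passes the check on one pair but is wrong for that file is exactly the "damaged" outcome the thread describes.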
Kevin Zoll (posted February 13, 2017):
Thread Closed. Reason: Lack of Response.