HowardM, posted July 1, 2017:

I have gone to id-ransomware.malwarehunterteam.com and identified that the computer (a Windows Server 2003 Small Business Server) is infected with the Amnesia2 ransomware. I have downloaded your Amnesia2 decryption tool; however, when I double-click the executable, the license terms window briefly flashes on the screen, the computer beeps, and the license terms screen is gone and there is nothing for me to click on or do. I have tried this several times with the same results. I have also rebooted the server and tried it, with the same results. Please help me get your decryption tool to work on this machine. Thank you, Howard
Fabian Wosar, posted July 1, 2017:

Your system is probably still infected by malware. Some ransomware families added some "anti-decrypter" functionality and try to kill our decrypters in a futile attempt to prevent their victims from getting back their files. I suggest following the steps outlined here: https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/ EEK will not run on Windows 2003, so you can skip that step. After the system has been cleaned of the infections, the decrypter should work as expected.
HowardM, posted July 1, 2017:

Since you have stated that EEK will not run on Windows 2003, I'm not exactly sure what you want me to do?
Fabian Wosar, posted July 1, 2017:

Then you didn't check the thread I linked. The "Let's get started:" bit is the most important one. It consists of three major steps, two of which you can still do even with EEK not working on Windows 2003.
HowardM, posted July 1, 2017:

I did check the thread you linked, and read it several times before replying the last time. The first step of the "Let's get started" was to run the EEK tool; so I wasn't sure, since that was the first step, if it meant I should or could continue on to the next two steps. I am assuming by your reply that you want me to run the other tool and upload the log files to this thread. Thank you for your help, Howard.
Fabian Wosar, posted July 1, 2017:

No, please create a new thread in the appropriate section. The malware removal guys don't check this forum.
HowardM, posted July 1, 2017:

Fabian, after my most recent post (uploading the log files from FRST), I noticed your post about creating a new thread. I'm not sure I understand why you want me to create a new thread? ... The problem I am having is decrypting the ransomware.
HowardM, posted July 1, 2017:

Fabian, please excuse my naivety in this area. Please let me know what I need to do in order to get the proper assistance from Emsisoft.
Fabian Wosar, posted July 1, 2017:

I don't deal with malware removal. We have a dedicated team for that. The reason why those are treated in a different section of the forum is that for privacy reasons we apply stronger restrictions when it comes to downloading files there. These logs can contain a lot of private information, so having them in less restricted areas of the forum is a bad idea. In either case, I have split out your logs into a dedicated thread so one of the malware removal guys can take care of it. You can find the topic here:
HowardM, posted July 1, 2017:

Fabian, thank you for your help. I will go to the new thread and continue there. Thanks again, Howard.
Fabian Wosar, posted July 1, 2017:

Don't worry about it. I asked someone on our team with more experience in malware removal than me to look into it ASAP.
HowardM, posted July 1, 2017:

Thank you again! I am anxiously awaiting their reply.
HowardM, posted July 1, 2017:

Hi Fabian, I went through several steps as per Sarah's instructions, and the Amnesia2 decrypter program goes further and gets to the main screen, but still closes and will not run. It's been over an hour since her last reply. Can I expect to hear from someone soon? Thank you, Howard.
Fabian Wosar, posted July 1, 2017:

Yes. Please understand that it is the weekend and that people may be living in different time zones than you. It is dinner time in most European countries. In general, we try to answer within 24 hours.
HowardM, posted July 1, 2017:

Hi Fabian, thank you for the update. I am very appreciative of all the help, and do completely understand. I just wasn't sure what happened, because Sarah and I were messaging back and forth (minutes apart) and then I didn't hear back. I am of course anxious to get this issue resolved, but again I am so appreciative of yours and Sarah's help, and hopeful that your Amnesia2 decrypter will run successfully once we can get past whatever is stopping it from running. Thank you again, Howard.
HowardM, posted July 8, 2017:

Hi Fabian, thanks again for your help the other day, and for remotely logging into the server via TeamViewer. As per your suggestion, I did run the decrypter from one of the workstations. The Amnesia2 Decrypter has been running for several days (and is still running). On a happy note, several of the critical data files in the company's main program have successfully been decrypted. There is a specific data file, called PO.dat, that was either somehow skipped or was unsuccessful. I have tried to copy the "PO.dat.amnesia" file to another directory and run the decrypter from another workstation on the network, and the following happens: I am able to open the decrypter program on the workstation, select the new folder with just that file in it, and when I click "Decrypt" on the Amnesia2 Decrypter program it almost immediately comes back "Finished!" in the results window without anything else being displayed (no file names or anything else) in the log. And then when I go to that folder, the file name is still "PO.dat.amnesia" with no new file. Any suggestions or ideas of why it appears that the decrypter is not even trying to decrypt this file (PO.DAT.amnesia)? ... I should also mention that as a test, I also copied a file (HISTORY.DAT.amnesia) that had already successfully been decrypted into the same new directory and ran the decrypter from this same workstation on that same folder ... and the decrypter showed that it was working on decrypting the "HISTORY.DAT" file in the results screen. Regards, Howard.
HowardM, posted July 10, 2017:

Hi Fabian, I'm just following up on my previous post, realizing it was over the weekend. I'm just hoping to get some guidance some time Monday morning. As mentioned in my previous post, the PO.DAT file (currently PO.DAT.amnesia) is one of the last critical data files we are hoping to get decrypted. By the way, the Amnesia2 decrypter is still running, so my client is still partially down (been down since the ransomware attack on 6/28/17). I was able to get them partially back up and running at the end of this past week with some of the data already decrypted; however, this PO.DAT file is critical to their business operation at the moment. Really hoping to get your (your company's) assistance with this particular file. We are so grateful for all your help already, and thank you again for looking into what we hope to be the last piece in getting the system back to a state in which we can then continue on the road to full functionality. Thank you, Howard.
Fabian Wosar, posted July 10, 2017:

Can you get me an unencrypted file (can be empty) of the same format, or can you tell me which application created it so I can look up format specifications to see if I can teach the decrypter to recognise said format?
HowardM, posted July 10, 2017:

Hi Fabian, please find attached both the encrypted version of the file, PO.DAT.amnesia, and a freshly created (empty) version of the file, PO.DAT. Looking forward to your response. Thank you, Howard.

Attachments: PO.DAT.amnesia, PO.DAT
Fabian Wosar, posted July 10, 2017:

That file isn't even encrypted but just renamed ...
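An added triage example for the situation above (this is not Emsisoft's decrypter and not code posted in this thread): a decrypter recognises a file by its header, so a file the malware renamed without encrypting keeps its original header, is correctly skipped, and only needs its extension removed. The script checks each `.amnesia` file against a header taken from a clean sample of the same application (what Fabian asked for) and falls back to byte entropy; the `CLEAN_HEADER` bytes, the `.amnesia` sample files and the `PO.DAT`/`POA.DAT` names are constructed stand-ins, not the real Retail Pro layout.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Constructed stand-in for the first bytes of an empty, known-good data file;
# in practice this comes from a clean sample of the same application.
CLEAN_HEADER = b"RPRO-PO\x00\x06\x51"   # hypothetical, not the real Retail Pro layout
RANSOM_EXT = ".amnesia"                 # extension appended by the ransomware

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for record data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, clean_header: bytes, threshold: float = 7.2) -> str:
    """'renamed-only' if the clean header survived, 'encrypted' if the leading
    block looks like ciphertext, otherwise 'unknown' (needs a closer look)."""
    if clean_header and data.startswith(clean_header):
        return "renamed-only"
    if shannon_entropy(data[:4096]) >= threshold:
        return "encrypted"
    return "unknown"

def triage_directory(directory: str, clean_header: bytes) -> dict:
    """Map each *.amnesia file name to its verdict; files are only read."""
    verdicts = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(RANSOM_EXT):
            with open(os.path.join(directory, name), "rb") as fh:
                verdicts[name] = classify(fh.read(4096), clean_header)
    return verdicts

def demo_triage() -> dict:
    """Build two constructed files in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "PO.DAT" + RANSOM_EXT), "wb") as fh:
            fh.write(CLEAN_HEADER + b"\x00" * 512)        # header intact: renamed only
        with open(os.path.join(d, "POA.DAT" + RANSOM_EXT), "wb") as fh:
            fh.write(random.Random(7).randbytes(4096))    # high-entropy stand-in
        return triage_directory(d, CLEAN_HEADER)

if __name__ == "__main__":
    for name, verdict in demo_triage().items():
        print(f"{name}: {verdict}")
```

Files reported as "renamed-only" can be restored by stripping the extension, as happened with PO.DAT here; "unknown" files deserve a manual look before anything is renamed or deleted.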
HowardM, posted July 10, 2017:

Hi Fabian, the file PO.DAT that we are trying to decrypt holds purchase order data, as you might assume by the name (PO.DAT). It is one of many data files for an old version (ver 6.51c) of a Point of Sale software called Retail Pro. I believe that this old version of the actual Retail Pro program was written in Turbo Pascal. I'm not sure if this will also help you at all, but there is also an "Archived Purchase Order" file that Retail Pro has, which did successfully decrypt. For your reference I have attached both the encrypted version of the archived PO file (POA.DAT.amnesia) and the decrypted version of the file (POA.DAT). Regards, Howard.

Attachments: POA.DAT, POA.DAT.amnesia
HowardM, posted July 10, 2017:

Hi Fabian, just saw your post right after I sent you my last post. Thank you ... I will try to put the file in the program (after renaming it) and see if it is readable/usable ... Thank you again! Regards, Howard.
HowardM, posted July 10, 2017:

Hi Fabian, you were 100% right ... I renamed the PO.DAT.amnesia file to PO.DAT and it worked perfectly in the program. Can't thank you enough for all your help. You and your company have been incredible throughout this entire process. I will be recommending the Emsisoft company to all my IT associates and clients! Regards, Howard.
Fabian Wosar, posted July 10, 2017:

Glad it is working out for your client.