Closed Ransomware prevents running the decrypter

[HowardM 0]

Fabian,

Please find attached the log files from the FRST.

I look forward to your next instructions.

Thank you.

FRST.txt

Addition.txt

[HowardM 0]

I had originally opened a thread in the Ransomware section, as I am trying to run the Amnesia2 decryptor, but it flashes on the screen and then goes away.  After a few correspondences with Fabian, he stated:

Quote

 

Your system is probably still infected by malware. Some ransomware families added some "anti-decrypter" functionality and try to kill our decrypters in a futile attempt to prevent their victims from getting back their files. I suggest to follow the steps outlined here:

https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

EEK will not run on Windows 2003. So you can skip that step. After the system was cleaned from the infections, the decrypter should work as expected.

 

 

And so Fabian directed me here.

Please let me know what I should do next.

 

Thank you,
Howard.

[Sarah W 26]

Hi Howard,

First of all, please download this security patch as currently your system is vulnerable to pretty much anyone accessing it. You still need to reboot after doing so. If possible, I would disconnect from the internet whilst doing so. Once done continue with the steps below:

We need to run a fix with FRST:

• Please download the attached fixlist.txt file and save it to the same location as FRST
  Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
  NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
• fixlist.txt
• Run FRST.exe/FRST64.exe and press the Fix button just once and wait
• If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
• When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

 

You will also need to attach a zipped file with the format Date_Time.zip which FRST created on the desktop to your next reply.

Regards,

Sarah

[HowardM 0]

Hi Sarah,

I am following your instructions and downloading the Windows security patch, etc.

I will update you as soon as I have completed the items you have instructed to be performed.

 

Thank you,
Howard.

[HowardM 0]

Hi Sarah,

I have successfully downloaded and installed the Windows security patch.  I have tried several times to download the fixlist.txt file included in your last post; however, it doesnt work.  When I try to download the fixlist.txt file I receive an error:  

Sorry, there is a problem

The page you are trying to access is not available for your account.

Error code: 2C171/1

Contact Us

 

... Please let me know how to proceed.

Thank you,
Howard.

P.S.  I am attempting to download the file on the machine it was created for.

[Sarah W 26]

Hi Howard,

Sorry, I forgot users could not download from this forum.

• Click Start.
• Choose All Programs -> Accessories -> Notepad.
• Notepad opens.
• Copy the context below and paste into Notepad:

Zip: C:\WINDOWS\WinDebug_32.exe
2017-06-23 06:34 - 2017-06-23 06:34 - 00023915 ____N C:\WINDOWS\WinDebug_32.exe
IFEO\Magnify.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe

• Choose File -> Save from the menu bar (Ctrl + S).
• The Save As dialog box appears.
• Save your file to the downloads folder.
• Name your document as fixlist.
• In the Save as type drop-down box, be sure your document is saved as a text document.
• Click Save.
• Then continue with the FRST instructions above.

Regards,

Sarah

[HowardM 0]

Hi Sarah,

I have completed the Fix with FRST.   Please find the fixlog.txt file attached, as you instructed.

Regards,
Howard.

Fixlog.txt

[Sarah W 26]

Hi Howard,

Can you attach 01.07.2017_09.52.33.zip to your next reply?

Are you able to run the Amnesia2 decrypter now?

Regards,

Sarah

[HowardM 0]

Hi Sarah,

What's my next step?

Regards,
Howard.

[HowardM 0]

Hi Sarah,

Where do I find the " 01.07.2017_09.52.33.zip" file?

Regards,
Howard.

[HowardM 0]

Hi Sarah,

When I attempt to run the Amnesia2 decrypter ... the license terms windows comes up, I click on yes, then the main decrypter window comes up but seems to freeze and I can NOT run the program, and the computer eventually beeps and the program closes.

What's next?

Regards,
Howard.

P.S.   Where do I find the " 01.07.2017_09.52.33.zip" file, that you are asking for?

 

[HowardM 0]

Hi Sarah,

I located the ZIP file you requested ... please find it attached.

Thank you,
Howard.

01.07.2017_09.52.33.zip

[HowardM 0]

Hi Sarah,

I'm waiting for your reply and instructions.  The Amnesia2 decrypter gets further than it did initially, but as I explained in a previous post, still stops responding and the program closes.

I hoping that you can respond shortly, as I've literally been awake for over 24 hours, and have working on this since 6:00pm last night (and its now 10:30am where I'm at).

Thank you,
Howard.

[HowardM 0]

Hi Sarah,

Are you looking at the ZIP file I sent you? ... Can I expect a response soon?

I so very much appreciate the help from you and Emsisoft, and don't want to bother you; but I am anxious to get the decrypter working, and as I stated previously I am just waiting on your response (and have been awake for over 28 hours now).

Thank you again for all your help,
Howard.

[Sarah W 26]

Hi Howard,

When you say it stops responding and closes, are you trying to interact with it before that? What stage is it at when it closes (a screenshot would be useful)?

Regards,

Sarah

[HowardM 0]

Hi Sarah,

Yes ... I do try to interact with the decrypter before it closes.  I am now able to click on the License Terms window (where are prior to the recent things that you had me do, the License Terms screen would only flash on the screen and then close) ... I click on "YES" on the License Terms window ... If I do click on "YES", then the main decrypter program screen loads, but shortly after that it will close.  However, if I wait too long and do not click on "YES" the License Term screen closes on its own. 

[HowardM 0]

Hi Sarah,

Please find attached a PDF with screenshots.   You will see that I get past the License Terms window, and to the main decrypter screen.  Also, you will notice that I have included a screenshot of the Microsoft error message I receive after logging off the server session and then back on (the Microsoft message comes up after logging back on to the server).

Screenshots - Brooks - Amnesia2 decrypter not loading.pdf

[HowardM 0]

Hi Sarah,

What's my next step... I'm anxious to get the decryptor working and running.

Thank you,

Howrd

[Fabian Wosar 390]

Any chance I can get remote access to that system via TeamViewer to see why it crashes? You can email me the details here: [email protected] Thanks.

[HowardM 0]

Hi Fabian,

It's a Windows 2003 Small Business Server.  Would it be easier (and better) if I just create an admin user with RDP credentials?  (rather than installing Teamviewer on the server?) ... However, If you prefer to still use TeamViewer, than I would be happy to install it and forward you the credentials.  Please let me know.

Look forward to your response.

Regards,
Howard.

[Fabian Wosar 390]

Yeah, no. RDP will just get you into even more trouble than you are already.  Let's stick to TeamViewer please

[HowardM 0]

Ok ... I will install TeamViewer on the Server now, and email the Partner ID and Password shortly.

Thank you,
Howard.

 

[HowardM 0]

Hi Fabian,

I have emailed you the information as requested.

Thank you again for all your and Sarah's help in this matter.

Regards,
Howard.

P.S.  My contact information, including my mobile phone number are included in the email.  Feel free to call me directly if you would like.