japowell11

Infected and Encrypted

Hello @japowell11,

Welcome to the Emsisoft Support Forums.

Let's make sure of what we're dealing with.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:

https://www.emsisoft.com/ransomware-decryption-tools/

Please be sure to read the information link on the results page, as whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

You might try undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly.

If the identification process shows a ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.

C:\Program Files\Windows Mail\default_list.xml     detected: Gen:Variant.Razy.591608 (B) [krnl.xmd]
C:\Windows\Help\tmp5212.dat     detected: Trojan.GenericKD.32615876 (B) [krnl.xmd]
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\rep880_.exe     detected: Trojan.GenericKD.32523048 (B) [krnl.xmd]
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\rep870_.exe     detected: Trojan.GenericKD.32523048 (B) [krnl.xmd]

This is one of the Oled ransomware variants we know of.

Put these folders, Help and Temp, into an archive with all their contents.

In the archive settings, set the password 'infected'. Do not open or run anything.

Upload the archive to a file-sharing site so that experts can download it for research.
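The scan lines quoted above follow a simple layout: a path, the word "detected:", a detection name, a flag in parentheses and the engine in brackets. The following Python is an added example (not code from the thread, from Emsisoft, or from any of the posters) that parses such lines into records, groups them by detection name, picks out executables sitting in a Temp directory, and lists the parent folders an analyst would want packed into the password-protected archive. The line pattern is assumed from the four quoted lines, and the sample log is constructed, copying those lines plus one non-matching line to show it is skipped.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample, modelled on the four detection lines quoted in the thread
# (path, then "detected:", detection name, a flag in parentheses, engine in brackets).
SAMPLE_LOG = """\
C:\\Program Files\\Windows Mail\\default_list.xml     detected: Gen:Variant.Razy.591608 (B) [krnl.xmd]
C:\\Windows\\Help\\tmp5212.dat     detected: Trojan.GenericKD.32615876 (B) [krnl.xmd]
C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep880_.exe     detected: Trojan.GenericKD.32523048 (B) [krnl.xmd]
C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep870_.exe     detected: Trojan.GenericKD.32523048 (B) [krnl.xmd]
not a detection line
"""

# Line layout assumed from the quoted lines; anything that does not match is ignored.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+detected:\s+(?P<name>\S+)\s+\((?P<flag>[^)]*)\)\s+\[(?P<engine>[^\]]+)\]\s*$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    flag: str
    engine: str


def parse_scan_log(text: str) -> list[Detection]:
    """Turn scan-log text into Detection records, skipping unrecognised lines."""
    records = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            records.append(Detection(**m.groupdict()))
    return records


def is_temp_location(path: str) -> bool:
    """True when any directory component of the Windows path is 'Temp' (case-insensitive)."""
    parts = PureWindowsPath(path).parts[:-1]  # drop the file name itself
    return any(p.lower() == "temp" for p in parts)


def executables_in_temp(records: list[Detection]) -> list[str]:
    """Paths of detected .exe files in a Temp directory, in log order: the first samples to collect."""
    return [r.path for r in records
            if is_temp_location(r.path) and PureWindowsPath(r.path).suffix.lower() == ".exe"]


def group_by_name(records: list[Detection]) -> dict[str, list[str]]:
    """Map each detection name to the sorted list of paths it fired on."""
    groups: dict[str, list[str]] = {}
    for r in records:
        groups.setdefault(r.name, []).append(r.path)
    return {name: sorted(paths) for name, paths in groups.items()}


def collection_targets(records: list[Detection]) -> set[str]:
    """Parent directories to pack (with all contents) into the archive for analysts."""
    return {str(PureWindowsPath(r.path).parent) for r in records}


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_LOG)
    for name, paths in group_by_name(recs).items():
        print(name, paths)
    print("archive these folders:", sorted(collection_targets(recs)))
    print("executables in Temp:", executables_in_temp(recs))
```

PureWindowsPath is used so the path handling behaves the same when the script is run on a Linux analysis box; the Temp check looks only at directory components, so a file merely named "temp.dat" is not flagged.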

TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.93332 - TeamViewer)

TeamViewer 9 is a very old version of the program, which is vulnerable and can therefore pose a security risk.

Hackers also use it for covert installation and remote attacks. You need to remove it and install a new version if you need it.

Also attach a ransom note and several encrypted files.

Look again; they can be 'txt' or 'html' files with a different name, which may not look like an ordinary ransom note.

21 hours ago, Amigo-A said:

Put these folders Help and Temp in the archives with all the contents.

You can add files and folders to an archive by right-clicking on them, going to Send to, and selecting Compressed (zipped) folder. You can also use something like 7-Zip or WinRAR if you prefer.
