
Redirect Virus and Ransomware PLEASE HELP ! [Closed]


  • This topic is locked

#16
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts

Hi Achilles7

 

Have you managed to run my previous instructions? Haven't heard from you for a couple of days.

 

Thanks


  • 0


#17
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Sorry Bruce, for some reason I did not receive an email notification of your last post.  I thought I was still waiting on you....I'll run your latest now.


  • 0

#18
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
Ran by SCOTT at 2015-05-06 17:21:23 Run:5
Running from C:\Users\SCOTT\Desktop
Loaded Profiles: SCOTT (Available profiles: SCOTT & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe
 C:\Program Files\WinZip
 C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
 C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll
 C:\Users\All Users\Microsoft\Secure
 C:\Users\SCOTT\AppData\Local\Agkworks\VirtMobileSpi.dll
 C:\Users\SCOTT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\3.0.4\background.js
 C:\Users\SCOTT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\361326ca-7fc63ffa
 C:\Users\SCOTT\Downloads\cbsidlm-tr1_9-Replay_Media_Catcher-SEO2-10644938.exe
 C:\Users\SCOTT\Downloads\DK Marketing.rar
 C:\Users\SCOTT\Downloads\fvd-converter-release.exe
 C:\Users\SCOTT\Downloads\streamtransport_setup(1).exe
 C:\Users\SCOTT\Downloads\streamtransport_setup.exe
 C:\Windows\Installer\110672fd.msi
*****************

C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe => Moved successfully.
C:\Program Files\WinZip => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll => Moved successfully.
C:\Users\All Users\Microsoft\Secure => Moved successfully.
C:\Users\SCOTT\AppData\Local\Agkworks\VirtMobileSpi.dll => Moved successfully.
C:\Users\SCOTT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\3.0.4\background.js => Moved successfully.
"C:\Users\SCOTT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\361326ca-7fc63ffa" => File/Directory not found.
C:\Users\SCOTT\Downloads\cbsidlm-tr1_9-Replay_Media_Catcher-SEO2-10644938.exe => Moved successfully.
C:\Users\SCOTT\Downloads\DK Marketing.rar => Moved successfully.
C:\Users\SCOTT\Downloads\fvd-converter-release.exe => Moved successfully.
C:\Users\SCOTT\Downloads\streamtransport_setup(1).exe => Moved successfully.
C:\Users\SCOTT\Downloads\streamtransport_setup.exe => Moved successfully.
C:\Windows\Installer\110672fd.msi => Moved successfully.

==== End of Fixlog 17:21:25 ====


Edited by Achilles7, 06 May 2015 - 03:35 PM.

  • 0
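
A small triage script for a Fixlog in the layout pasted in post #18, added here as an example; it is not part of the original thread or of FRST. It pairs each fixlist entry with its result line and flags anything other than "Moved successfully." for follow-up. The sample log, paths and function names are constructed, and only the two outcome strings seen in the thread are assumed.

```python
import re

# Constructed sample in the Fixlog layout from post #18 (hypothetical paths).
SAMPLE_FIXLOG = r'''Content of fixlist:
*****************
C:\Users\USER\Downloads\setup.exe
 C:\Users\USER\AppData\Local\Example\helper.dll
 C:\Users\USER\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\entry
*****************

C:\Users\USER\Downloads\setup.exe => Moved successfully.
C:\Users\USER\AppData\Local\Example\helper.dll => Moved successfully.
"C:\Users\USER\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\entry" => File/Directory not found.
'''

# Result lines look like: path => outcome  (the path may be double-quoted).
RESULT_RE = re.compile(r'^"?(?P<path>.+?)"?\s+=>\s+(?P<outcome>.+)$')

def parse_fixlog(text):
    """Return (requested paths, {lowercased path: outcome}) from a Fixlog body."""
    requested, results = [], {}
    in_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"*"}:   # a row of asterisks opens/closes the fixlist
            in_fixlist = not in_fixlist
        elif in_fixlist:
            if line:
                requested.append(line)
        else:
            m = RESULT_RE.match(line)
            if m:                          # Windows paths compare case-insensitively
                results[m.group("path").lower()] = m.group("outcome")
    return requested, results

def triage(text):
    """Sort every requested path into moved / review / no_result."""
    requested, results = parse_fixlog(text)
    report = {"moved": [], "review": [], "no_result": []}
    for path in requested:
        outcome = results.get(path.lower())
        if outcome == "Moved successfully.":
            report["moved"].append(path)
        elif outcome is None:              # requested but never reported on
            report["no_result"].append(path)
        else:                              # e.g. "File/Directory not found."
            report["review"].append((path, outcome))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_FIXLOG))
```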

#19
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

[2015.05.06 17:27:32.971] - Begin
[2015.05.06 17:27:32.971] -
[2015.05.06 17:27:32.972] -     ....................................
[2015.05.06 17:27:32.972] -   ..::::::::::::::::::....................
[2015.05.06 17:27:32.973] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Filecoder.Q
[2015.05.06 17:27:32.974] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 3.2.0.2
[2015.05.06 17:27:32.975] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Aug  5 2013
[2015.05.06 17:27:32.975] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.05.06 17:27:32.976] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.05.06 17:27:32.977] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2015.05.06 17:27:32.977] -     ....................................
[2015.05.06 17:27:32.977] -
[2015.05.06 17:27:32.977] - --------------------------------------------------------------------------------
[2015.05.06 17:27:32.977] -
[2015.05.06 17:27:32.977] - INFO: OS: 6.1.7601 SP1
[2015.05.06 17:27:32.978] - INFO: Product Type: Workstation
[2015.05.06 17:27:32.978] - INFO: WoW64: True
[2015.05.06 17:27:32.978] - INFO: Machine guid: 8C8EC859-967F-434F-8F7A-DD3179B74EB5
[2015.05.06 17:27:32.978] -
[2015.05.06 17:27:34.832] -
[2015.05.06 17:27:34.832] - Usage:
[2015.05.06 17:27:34.833] - ESETFilecoderQCleaner.exe [options] <filename(s) or directory name(s)>
[2015.05.06 17:27:34.833] -
[2015.05.06 17:27:34.833] - Options:
[2015.05.06 17:27:34.834] -   /s - Silent mode.
[2015.05.06 17:27:34.835] -   /f - Forced clean.
[2015.05.06 17:27:34.835] -   /d - Debug mode.
[2015.05.06 17:27:34.840] -   /n - Only list files for cleaning (don't clean).
[2015.05.06 17:27:34.840] -   /h or /? - Show usage.
[2015.05.06 17:27:34.841] -
[2015.05.06 17:27:34.842] -   /a - detect key for encrypting; put some encoded files (best doc(x) or xls(x) files) in one directory; start with *'s keys
[2015.05.06 17:27:34.843] -   /b - use external keyfile "decoder.keys"
[2015.05.06 17:27:34.843] -   /k [num] - use key
[2015.05.06 17:27:34.844] -
[2015.05.06 17:27:34.844] - End
 


  • 0

#20
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

The files on the External Hard Drive are still encrypted.


  • 0

#21
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Achilles7

We'll try a different decrypter which has just been released.

Please note: There is no guarantee that your files can be decrypted. Very often there is no decryption possible.
  • Download Nathan Scott's StopPirates_Decrypter.exe from here to your desktop.
  • Select the file, right click and select Run as Administrator
  • Once you start the decrypter, you need to enter the 6 digit identifier assigned to your files, in your case 235485, select the drive to scan, and then click on Decrypt.

    Please let me know in your next post if the decryption was successful or not.

  • 0

#22
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Hi Bruce, I ran StopPirates and it decrypted 90% of the files.  I did not remove the encrypted files. Should I do the rest manually?


  • 0

#23
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Achilles7

That's some good news. Hang fire just now and I'll have a chat with my instructor about our next steps before we finish.

Thanks
  • 0

#24
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Cool.  Thanks!


  • 0

#25
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Achilles7

I think we've gone about as far as we can with the decryption.

There is no requirement to keep the encrypted files so you can delete these.

Please run a fresh FRST log so we can check if anything is left.
  • Please run Farbar Recovery Scan Tool again. Run FRST by right clicking on it and selecting Run as Administrator. Allow it to update if it wants to.
  • Please tick the Addition.txt box under Optional Scan.
  • Press Scan button.
  • It will make logs FRST.txt & Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.

    Thanks

  • 0


#26
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Hey Bruce,  Actually a lot of the decrypted files are not playing correctly. The StopPirates created an identical file but changed the file type to mp4 but once they start to play they stop and will not go past a few seconds playing. What else can we try?


  • 0

#27
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts

Hi Achilles7
 

Actually a lot of the decrypted files are not playing correctly.


I fear you may have lost them. :(   As a long shot you could try downloading a new codec pack from here to see if that helps.

We are almost finished cleaning your machine so let's continue....

Please run a fresh FRST log following the instructions in Post #25 and copy/paste the logs in your next reply.

Thanks


  • 0

#28
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#29
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,714 posts
Hi Achilles7
 
Glad you returned. :)
 
Please continue with running a fresh FRST log.
  • Please run Farbar Recovery Scan Tool again. Run FRST by right clicking on it and selecting Run as Administrator. Allow it to update if it wants to.
  • Please tick the Addition.txt box under Optional Scan.
  • Press Scan button.
  • It will make logs FRST.txt & Addition.txt in the same directory the tool is run.
  • Please copy and paste the FRST.txt and Addition.txt to your reply.

    Thanks

  • 0

#30
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





