Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Redirect Virus and Ransomware PLEASE HELP ! [Closed]


  • This topic is locked This topic is locked

#16
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts

Hi Achilles7

 

Have you managed to run my previous instructions? Haven't heard from you for a couple of days.

 

Thanks


  • 0

Advertisements


#17
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Sorry Bruce, for some reason I did not receive an email notification of your last post.  I thought I was still waiting on you....I'll run your latest now.


  • 0

#18
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2015 01
Ran by SCOTT at 2015-05-06 17:21:23 Run:5
Running from C:\Users\SCOTT\Desktop
Loaded Profiles: SCOTT (Available profiles: SCOTT & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe
 C:\Program Files\WinZip
 C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
 C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll
 C:\Users\All Users\Microsoft\Secure
 C:\Users\SCOTT\AppData\Local\Agkworks\VirtMobileSpi.dll
 C:\Users\SCOTT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\3.0.4\background.js
 C:\Users\SCOTT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\361326ca-7fc63ffa
 C:\Users\SCOTT\Downloads\cbsidlm-tr1_9-Replay_Media_Catcher-SEO2-10644938.exe
 C:\Users\SCOTT\Downloads\DK Marketing.rar
 C:\Users\SCOTT\Downloads\fvd-converter-release.exe
 C:\Users\SCOTT\Downloads\streamtransport_setup(1).exe
 C:\Users\SCOTT\Downloads\streamtransport_setup.exe
 C:\Windows\Installer\110672fd.msi
*****************

C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe => Moved successfully.
C:\Program Files\WinZip => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll => Moved successfully.
C:\Users\All Users\Microsoft\Secure => Moved successfully.
C:\Users\SCOTT\AppData\Local\Agkworks\VirtMobileSpi.dll => Moved successfully.
C:\Users\SCOTT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\3.0.4\background.js => Moved successfully.
"C:\Users\SCOTT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\361326ca-7fc63ffa" => File/Directory not found.
C:\Users\SCOTT\Downloads\cbsidlm-tr1_9-Replay_Media_Catcher-SEO2-10644938.exe => Moved successfully.
C:\Users\SCOTT\Downloads\DK Marketing.rar => Moved successfully.
C:\Users\SCOTT\Downloads\fvd-converter-release.exe => Moved successfully.
C:\Users\SCOTT\Downloads\streamtransport_setup(1).exe => Moved successfully.
C:\Users\SCOTT\Downloads\streamtransport_setup.exe => Moved successfully.
C:\Windows\Installer\110672fd.msi => Moved successfully.

==== End of Fixlog 17:21:25 ====


Edited by Achilles7, 06 May 2015 - 03:35 PM.

  • 0

#19
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

[2015.05.06 17:27:32.971] - Begin
[2015.05.06 17:27:32.971] -
[2015.05.06 17:27:32.972] -     ....................................
[2015.05.06 17:27:32.972] -   ..::::::::::::::::::....................
[2015.05.06 17:27:32.973] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Filecoder.Q
[2015.05.06 17:27:32.974] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 3.2.0.2
[2015.05.06 17:27:32.975] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Aug  5 2013
[2015.05.06 17:27:32.975] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.05.06 17:27:32.976] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.05.06 17:27:32.977] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2015.05.06 17:27:32.977] -     ....................................
[2015.05.06 17:27:32.977] -
[2015.05.06 17:27:32.977] - --------------------------------------------------------------------------------
[2015.05.06 17:27:32.977] -
[2015.05.06 17:27:32.977] - INFO: OS: 6.1.7601 SP1
[2015.05.06 17:27:32.978] - INFO: Product Type: Workstation
[2015.05.06 17:27:32.978] - INFO: WoW64: True
[2015.05.06 17:27:32.978] - INFO: Machine guid: 8C8EC859-967F-434F-8F7A-DD3179B74EB5
[2015.05.06 17:27:32.978] -
[2015.05.06 17:27:34.832] -
[2015.05.06 17:27:34.832] - Usage:
[2015.05.06 17:27:34.833] - ESETFilecoderQCleaner.exe [options] <filename(s) or directory name(s)>
[2015.05.06 17:27:34.833] -
[2015.05.06 17:27:34.833] - Options:
[2015.05.06 17:27:34.834] -   /s - Silent mode.
[2015.05.06 17:27:34.835] -   /f - Forced clean.
[2015.05.06 17:27:34.835] -   /d - Debug mode.
[2015.05.06 17:27:34.840] -   /n - Only list files for cleaning (don't clean).
[2015.05.06 17:27:34.840] -   /h or /? - Show usage.
[2015.05.06 17:27:34.841] -
[2015.05.06 17:27:34.842] -   /a - detect key for encrypting; put some encoded files (best doc(x) or xls(x) files) in one directory; start with *'s keys
[2015.05.06 17:27:34.843] -   /b - use external keyfile "decoder.keys"
[2015.05.06 17:27:34.843] -   /k [num] - use key
[2015.05.06 17:27:34.844] -
[2015.05.06 17:27:34.844] - End
 


  • 0

#20
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

The files on the External Hard Drive are still encrypted.


  • 0

#21
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts
Hi Achilles7

We'll try a different decrypter which has just been released.

Please note: There is no guarantee that your files can be decrypted. It is very often there is no decryption possible.
  • Download Nathan Scott's StopPirates_Decrypter.exe from here. to your desktop.
  • Select the file, right click and select Run as Administrator
    decrypter.jpg
  • Once you start the decrypter, you need to enter the 6 digit identifier assigned to your files, in your case 235485, select the drive to scan, and then click on Decrypt.

    Please let me know in your next post if the decryption was successful or not.

  • 0

#22
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Hi Bruce, I ran StopPirates and it decrypted 90% of the files.  I did not remove the encrypted files. Should I do the rest manually?


  • 0

#23
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts
Hi Achilles7

That's some good news. Hang fire just now and I'll have a chat with my instructor about our next steps before we finish.

Thanks
  • 0

#24
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Cool.  Thanks!


  • 0

#25
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts
Hi Achilles7

I think we've gone about as far as we can with the decryption.

There is no requirement to keep the encrypted files so you can delete these.

Please run a fresh FRST log so we can check if anything is left.
  • Please run Farbars Recovery Scan Tool again. Run FRST by right clicking on it and selecting Run as Administrator. Allow it to update if it wants to.
  • Please tick the Addition.txt box under Optional Scan.
  • Press Scan button.
  • It will make logs FRST.txt & Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.

    Thanks

  • 0

Advertisements


#26
Achilles7

Achilles7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Hey Bruce,  Actually a lot of the decrypted files are not playing correctly. The StopPirates created an identical file but changed the file type to mp4 but once they start to play they stop and will not go past a few seconds playing. What else can we try?


  • 0

#27
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts

Hi Achilles7
 

Actually a lot of the decrypted files are not playing correctly.


I fear you may have lost them. :(   As a long shot you could try downloading a new codec pack from here to see if that helps.

We are almost finished cleaning your machine so let's continue....

Please run a fresh FRST log following the instructions in Post #25 and copy/paste the logs in your next reply.

Thanks


  • 0

#28
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#29
Bruce1270

Bruce1270

    Trusted Helper

  • Malware Removal
  • 1,603 posts
Hi Achilles7
 
Glad you returned. :)
 
Please continue with running a fresh FRST log.
  • Please run Farbars Recovery Scan Tool again. Run FRST by right clicking on it and selecting Run as Administrator. Allow it to update if it wants to.
  • Please tick the Addition.txt box under Optional Scan.
  • Press Scan button.
  • It will make logs FRST.txt & Addition.txt in the same directory the tool is run.
  • Please copy and paste the FRST.txt and Addition.txt to your reply.

    Thanks

  • 0

#30
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP