[OkayOkayOkay]

Step 1: I uninstalled CCleaner. 

 

Step 2: I'm not sure. I don't think so? I put some files onto a memory stick.

I presume simone-2 is the guest account??

 

Step 3: I'm completing this now.

[Advertisements]

Step 2: I'm not sure. I don't think so? I put some files onto a memory stick.

 

 

So do you have all your encrypted documents saved somewhere or do you still need help to gather those up?

 

I presume simone-2 is the guest account??

 

No. This appears to be another Administrator account. If you never sign in the computer with simone-2, we should get rid of this account.

[BrianDrab]

Step 2: I'm not sure. I don't think so? I put some files onto a memory stick.

 

 

So do you have all your encrypted documents saved somewhere or do you still need help to gather those up?

 

I presume simone-2 is the guest account??

 

No. This appears to be another Administrator account. If you never sign in the computer with simone-2, we should get rid of this account.

[OkayOkayOkay]

I still need to back my files up.

 

I only use Simone. I only have a Simone and Guest account. Strange one. I am going to upload the FixLog into a SendSpace link that I will private message you now as it is too big.

 

The search:

 

Farbar Recovery Scan Tool (x64) Version:20-08-2015
Ran by simone (2015-08-22 15:50:46)
Running from C:\Users\simone\Desktop
Boot Mode: Normal

================== Search Registry: "globalUpdate,esgiguard,Shredder" ===========

====== End of Search ======

[BrianDrab]

Thanks for the info. Let's identify all your corrupted documents and then we'll move them to a folder for you.

 

Step#1 - File Identification
1. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
2. Copy/paste or type *.aaa  into the Search box of the FRST window.
3. Click the Search Files button.
4. When the search is done it will open a notepad window with the results. Can you copy/paste the contents of this window into your next post?

 

Step#2 - Rootkit Scan
1. Download aswMBR to your desktop.
2. Right-click on aswMBR.exe and select Run as administrator to run it.
3. If you get a question about Virtualization Technology, answer Yes.
4. If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
5. Click the "Scan" button to start scan.
6. On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

 

 

Items for your next post

1. FRST Search results

2. aswMBR Scan Results

 

 

[OkayOkayOkay]

Finally worked this out! Posting on the thread is easier...

 

Sorry it took so long.

 

 

 Search.txt   235bytes   231 downloads

 

 aswMBR.txt   4.07KB   258 downloads

[BrianDrab]

The search isn't showing any of your encrypted documents. As an example, in your downloads folder there used to be a whole bunch of encrypted files. Two examples follow. Are they not there? Did you happen to move these?

 

C:\Users\simone\Downloads\referral assignmentBB.pdf.aaa

C:\Users\simone\Downloads\referral assignmentBB (1).pdf.aaa

[OkayOkayOkay]

They're still there. Weird that it didn't show up...

[OkayOkayOkay]

The example you gave in your previous comment is still there but no longer an AAA file, and it's a standard PDF. I think today was the deadline day for my ransom payment. Could they have removed some files without our knowledge? Or maybe a cleaner tool got rid of them? Not sure. Majority of them are still there I think. My 'Sam' document with word files etc are still there as AAA files.

[BrianDrab]

No, nothing should have removed them. OK, please try the following instead.

 

1. Click your Start button and type cmd in the search box.

2. Right-click on cmd in the search results and select Run as administrator. Answer Yes if prompted.

3. Copy and paste the following lines into the command-prompt window, one at a time, hitting enter after each.

cd\

dir /B *.aaa /s > %userprofile%\desktop\files.txt && notepad files.txt

 

4. When the scan is complete a notepad file will open. Please copy/paste the contents of this file into your next post.

[OkayOkayOkay]

No scan comes up. It said it couldn't find the fixlist file...it's still on my desktop though? and isn't blank.

[BrianDrab]

couldn't find the fixlist

 

I never specified a fixlist file? It should have been named files.txt. Notepad didn't open when it was complete?

[BrianDrab]

Actually I see the issue. Could you post the files.txt file that should be on your desktop?

 

Thanks.

[OkayOkayOkay]

It's the zip folder you sent me

Attached Files

•  fixlist.zip   185.48KB   447 downloads

[BrianDrab]

Hmmm, unfortunately we are missing each other. Follow the below steps exactly and hopefully it should clear some things up.

 

1. Click your Start button and type cmd in the search box.

2. Right-click on cmd in the search results and select Run as administrator. Answer Yes if prompted.

3. Copy and paste the following lines into the command-prompt window, one at a time, hitting enter after each.

cd\

dir /B *.aaa /s > %userprofile%\desktop\files.txt && notepad %userprofile%\desktop\files.txt

 

4. Eventually a notepad file will open. Please copy/paste the contents of this file into your next post.

[OkayOkayOkay]

It worked.

Attached Files

•  files.txt notepad.zip   273.45KB   336 downloads