Ransomware Decryption Help Please :)


  • This topic is locked
7 replies to this topic

#1 veronemilie

  • Members
  • 9 posts

Posted 01 October 2015 - 10:58 AM

Hi, 1st post :) I am looking for help to decrypt files from ransomware on my friend's computer. I removed the 4 ransomware with Malwarebytes, but now I need help decrypting. Not sure which version of ransomware he got; Malwarebytes lists them simply as Trojan.FileCryptor.Trace. My friend, being a computer noob (he just knows how to get to his e-mail & Facebook games), didn't have any backups of any kind :P Hoping you can help me get his family pictures decrypted :) The ransomware seems to have resized his files as well as adding a file extension (.aaa) to all of his files. Here are the FRST scans :) Thanks
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:30-09-2015
Ran by Valued Customer (administrator) on VALUED-088C23B8 (01-10-2015 11:13:11)
Running from C:\Documents and Settings\Valued Customer\My Documents\Downloads
Loaded Profiles: Valued Customer (Available Profiles: Valued Customer)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(SigmaTel, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(BVRP Software) C:\Program Files\Digital Line Detect\DLG.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(www.shadowexplorer.com) C:\Program Files\ShadowExplorer\sesvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [2498560 2009-10-07] (Dell Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [176128 2005-10-07] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Dell QuickSet] => C:\Program Files\Dell\QuickSet\quickset.exe [1228800 2007-07-20] (Dell Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-09-22] (AVAST Software)
HKU\S-1-5-21-854245398-1417001333-1801674531-1003\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-03] (Google Inc.)
HKU\S-1-5-21-854245398-1417001333-1801674531-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6495144 2015-09-16] (Piriform Ltd)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-09-22] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk [2010-08-16]
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk [2010-08-16]
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8F5D960D-7B23-47BC-A530-3F7C696087C4}: [DhcpNameServer] 192.168.2.1 192.168.2.1
Tcpip\..\Interfaces\{9E08C210-F846-43BD-A1A2-98ECBFCE15C1}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-854245398-1417001333-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-854245398-1417001333-1801674531-1003 -> DefaultScope {65EB9B33-1EE1-4EC0-8690-2BE8F1FC8061} URL = hxxp://www.google.ca/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_enCA482
SearchScopes: HKU\S-1-5-21-854245398-1417001333-1801674531-1003 -> {65EB9B33-1EE1-4EC0-8690-2BE8F1FC8061} URL = hxxp://www.google.ca/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_enCA482
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-09-22] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-19] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-19] (Google Inc.)
Toolbar: HKU\S-1-5-21-854245398-1417001333-1801674531-1003 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-07-19] (Google Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
 
FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-22] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-22] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-08-16]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-09-22]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\45.0.2454.99\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\45.0.2454.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\45.0.2454.99\pdf.dll => No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll => No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Avast SafePrice) - C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-10-01]
CHR Extension: (Avast Online Security) - C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-09-23]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-06]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-27]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-09-22]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-09-22]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-22] (AVAST Software)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 sesvc; C:\Program Files\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [2232320 2009-10-07] (Dell Inc.) [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ADM8511; C:\WINDOWS\System32\DRIVERS\ADM8511.SYS [20160 2001-08-17] (ADMtek Incorporated)
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-09-22] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [76000 2015-09-22] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-09-22] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-09-22] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [789296 2015-09-22] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [434184 2015-09-22] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [157888 2015-09-22] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-09-22] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [208664 2015-09-22] (AVAST Software)
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2649216 2009-10-07] (Broadcom Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-10-01] (Malwarebytes Corporation)
R2 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [12400 2011-11-03] (Macrovision Europe Ltd) [File not signed]
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S0 cerc6; no ImagePath
S4 IntelIde; no ImagePath
S3 NETw5x32; system32\DRIVERS\NETw5x32.sys [X]
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
U1 WS2IFSL; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-01 11:12 - 2015-10-01 11:13 - 00000000 ___DC C:\FRST
2015-10-01 10:42 - 2015-10-01 10:42 - 00000000 ____D C:\Documents and Settings\Valued Customer\Application Data\Dropbox
2015-10-01 10:34 - 2015-10-01 10:53 - 00000000 ____D C:\Program Files\Dropbox
2015-10-01 10:34 - 2015-10-01 10:45 - 00000000 ____D C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Dropbox
2015-10-01 10:34 - 2015-10-01 10:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Dropbox
2015-10-01 10:11 - 2015-10-01 10:12 - 00000707 _____ C:\WINDOWS\nsw.log
2015-10-01 10:11 - 2015-10-01 10:12 - 00000375 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2015-10-01 10:04 - 2015-10-01 10:05 - 00007626 _____ C:\WINDOWS\DPINST.LOG
2015-10-01 09:56 - 2015-10-01 09:56 - 00006790 _____ C:\WINDOWS\FaxSetup.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00006625 _____ C:\WINDOWS\iis6.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00005816 _____ C:\WINDOWS\ocgen.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00004591 _____ C:\WINDOWS\tsoc.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00002484 _____ C:\WINDOWS\comsetup.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00001917 _____ C:\WINDOWS\imsins.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00001844 _____ C:\WINDOWS\msmqinst.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00001800 _____ C:\WINDOWS\ntdtcsetup.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00001592 _____ C:\WINDOWS\netfxocm.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000719 _____ C:\WINDOWS\MedCtrOC.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000479 _____ C:\WINDOWS\msgsocm.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000469 _____ C:\WINDOWS\ocmsn.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000311 _____ C:\WINDOWS\tabletoc.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000000 _____ C:\WINDOWS\setuperr.log
2015-10-01 09:56 - 2015-10-01 09:56 - 00000000 _____ C:\WINDOWS\setupact.log
2015-10-01 09:48 - 2015-10-01 10:41 - 00021031 _____ C:\WINDOWS\setupapi.log
2015-09-24 20:52 - 2015-10-01 10:06 - 00000000 ____D C:\Documents and Settings\Valued Customer\Desktop\Picture
2015-09-24 20:52 - 2015-10-01 10:06 - 00000000 ____D C:\Documents and Settings\Valued Customer\Desktop\hunting and family
2015-09-23 00:04 - 2015-10-01 10:25 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2015-09-23 00:04 - 2015-10-01 10:24 - 00000000 ____D C:\Program Files\CCleaner
2015-09-23 00:04 - 2015-09-23 01:48 - 00000000 ____D C:\Program Files\Recuva
2015-09-23 00:04 - 2015-09-23 00:04 - 00001512 _____ C:\Documents and Settings\All Users\Desktop\Recuva.lnk
2015-09-23 00:04 - 2015-09-23 00:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Recuva
2015-09-23 00:04 - 2015-09-23 00:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2015-09-22 21:36 - 2015-09-22 21:37 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2015-09-22 20:56 - 2015-09-22 20:56 - 00000000 ____D C:\Documents and Settings\Valued Customer\Application Data\www.shadowexplorer.com
2015-09-22 20:53 - 2015-10-01 11:03 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-09-22 20:53 - 2015-09-22 20:53 - 00001560 _____ C:\Documents and Settings\Valued Customer\Desktop\ShadowExplorer.lnk
2015-09-22 20:53 - 2015-09-22 20:53 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\ShadowExplorer
2015-09-22 20:52 - 2015-09-22 20:53 - 00000000 ____D C:\Program Files\ShadowExplorer
2015-09-22 20:52 - 2015-09-22 20:52 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-09-22 20:52 - 2015-09-22 20:52 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-09-22 20:51 - 2015-09-22 20:52 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-09-22 20:51 - 2015-09-22 20:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-09-22 20:51 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-09-22 20:51 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-09-22 17:04 - 2015-09-22 17:04 - 00000000 ____D C:\Documents and Settings\Valued Customer\Application Data\AVAST Software
2015-09-22 17:03 - 2015-09-22 17:03 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2015-09-22 17:03 - 2015-09-22 17:03 - 00000000 __HDC C:\WINDOWS\$NtUninstallWdf01009$
2015-09-22 17:03 - 2015-09-22 17:03 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2015-09-22 17:03 - 2008-11-07 18:55 - 00016928 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsgXP_2k3.dll
2015-09-22 17:02 - 2015-10-01 10:38 - 00000382 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-09-22 17:02 - 2015-09-22 17:01 - 00208664 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-09-22 17:02 - 2015-09-22 17:01 - 00157888 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2015-09-22 17:02 - 2015-09-22 17:01 - 00057888 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00789296 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00434184 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00313472 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-09-22 17:01 - 2015-09-22 17:01 - 00076000 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00055200 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00049776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-09-22 17:01 - 2015-09-22 17:01 - 00043112 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-09-22 17:01 - 2015-09-22 17:01 - 00024016 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-09-22 16:58 - 2015-09-22 16:58 - 00000000 ____D C:\Program Files\AVAST Software
2015-09-22 16:55 - 2015-09-22 16:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-01 11:18 - 2010-08-16 11:14 - 00000000 ____D C:\Documents and Settings\Valued Customer\Local Settings\Temp
2015-10-01 11:13 - 2012-05-03 20:09 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-10-01 10:48 - 2012-05-03 20:10 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-01 10:42 - 2010-08-16 06:46 - 00734036 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-01 10:41 - 2010-08-16 11:00 - 01873204 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-01 10:38 - 2008-04-13 19:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-10-01 10:37 - 2014-12-27 21:33 - 00000242 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-10-01 10:37 - 2012-05-03 20:10 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-01 10:37 - 2010-08-16 11:09 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-10-01 10:37 - 2010-08-16 06:48 - 00000157 ____C C:\WINDOWS\wiadebug.log
2015-10-01 10:37 - 2010-08-16 06:48 - 00000049 ____C C:\WINDOWS\wiaservc.log
2015-10-01 10:13 - 2010-08-16 11:09 - 00032368 _____ C:\WINDOWS\SchedLgU.Txt
2015-10-01 10:12 - 2010-08-16 11:14 - 00000178 ___SH C:\Documents and Settings\Valued Customer\ntuser.ini
2015-10-01 10:06 - 2014-03-22 19:16 - 00000000 ____D C:\Documents and Settings\Valued Customer\My Documents\My Games
2015-10-01 10:06 - 2012-12-29 18:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2015-10-01 10:06 - 2011-10-17 12:30 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Westwood
2015-10-01 10:06 - 2011-08-30 19:39 - 00000000 ____D C:\Documents and Settings\Valued Customer\My Documents\Command and Conquer Generals Zero Hour Data
2015-10-01 10:06 - 2011-08-25 19:26 - 00000000 ____D C:\Documents and Settings\Valued Customer\My Documents\Command and Conquer Generals Data
2015-10-01 10:06 - 2011-07-07 12:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Intel PROSet Wireless
2015-10-01 10:06 - 2010-08-16 13:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Dell QuickSet
2015-10-01 10:06 - 2010-08-16 13:18 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
2015-10-01 10:06 - 2010-08-16 13:16 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\DW WLAN
2015-10-01 10:06 - 2010-08-16 10:58 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Games
2015-10-01 10:06 - 2010-08-16 10:56 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2015-10-01 10:05 - 2011-07-07 12:28 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Intel
2015-10-01 10:05 - 2011-07-07 12:28 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\Intel
2015-10-01 10:05 - 2011-07-07 12:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Intel
2015-09-24 18:08 - 2012-10-06 18:22 - 00000000 ____D C:\WINDOWS\Minidump
2015-09-24 18:08 - 2010-08-16 11:14 - 00000000 ____D C:\Documents and Settings\Valued Customer
2015-09-22 20:12 - 2011-10-17 12:19 - 00000000 ____D C:\Documents and Settings\Valued Customer\WINDOWS
2015-09-22 20:12 - 2010-08-16 13:03 - 00000000 ____D C:\Documents and Settings\Valued Customer\Start Menu\Programs\Dell Inc
2015-09-22 20:12 - 2010-08-16 11:14 - 00000000 ___RD C:\Documents and Settings\Valued Customer\Start Menu\Programs\Accessories
2015-09-22 17:18 - 2012-05-03 20:15 - 00000000 ____D C:\Documents and Settings\Valued Customer\Local Settings\Application Data\Temp
2015-09-22 16:50 - 2012-12-29 18:04 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-09-22 16:14 - 2012-05-03 20:09 - 00780488 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-09-22 16:14 - 2012-05-03 20:09 - 00142536 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-09-22 16:13 - 2015-08-22 21:13 - 18306248 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-09-12 14:02 - 2014-12-27 20:59 - 00000000 ____D C:\WINDOWS\system32\MRT
 
==================== Files in the root of some directories =======
 
2015-08-18 18:28 - 2015-08-18 18:28 - 0004550 _____ () C:\Documents and Settings\Valued Customer\Application Data\restore_files_mgqre.html
2015-08-18 18:28 - 2015-08-18 18:28 - 0002253 _____ () C:\Documents and Settings\Valued Customer\Application Data\restore_files_mgqre.txt
2015-08-16 20:12 - 2015-08-16 20:12 - 0004550 _____ () C:\Documents and Settings\Valued Customer\Application Data\restore_files_tygon.html
2015-08-16 20:12 - 2015-08-16 20:12 - 0002253 _____ () C:\Documents and Settings\Valued Customer\Application Data\restore_files_tygon.txt
2012-11-19 02:32 - 2013-11-03 19:36 - 0007680 ____C () C:\Documents and Settings\Valued Customer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-08-18 18:30 - 2015-08-18 18:30 - 0004550 _____ () C:\Documents and Settings\Valued Customer\Local Settings\Application Data\restore_files_mgqre.html
2015-08-18 18:30 - 2015-08-18 18:30 - 0002253 _____ () C:\Documents and Settings\Valued Customer\Local Settings\Application Data\restore_files_mgqre.txt
2015-08-16 20:13 - 2015-08-16 20:13 - 0004550 _____ () C:\Documents and Settings\Valued Customer\Local Settings\Application Data\restore_files_tygon.html
2015-08-16 20:13 - 2015-08-16 20:13 - 0002253 _____ () C:\Documents and Settings\Valued Customer\Local Settings\Application Data\restore_files_tygon.txt
 
Some files in TEMP:
====================
C:\Documents and Settings\Valued Customer\Local Settings\Temp\OLMAPI32.DLL
C:\Documents and Settings\Valued Customer\Local Settings\Temp\{0B974571-3494-4E08-9C60-5C0A071A7758}-45.0.2454.101_45.0.2454.99_chrome_updater.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================
 
Attached file: Addition.txt (21.35 KB)



#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 02 October 2015 - 09:54 AM

Hello and welcome to the Malware Removal Logs area :)

My name is Alexstrasza and I will assist you with your problem. You can call me Alex :)

Please allow me some time to review your logs and I will be back with more instructions.

#3 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 03 October 2015 - 09:55 AM

Hello veronemilie,

I'm afraid I must give you the bad news - your friend was infected with a variant of TeslaCrypt. Bleeping Computer has a discussion thread about it here.

Unfortunately there is no solution for this ransomware yet. Since your friend has no backups, and Recuva and Shadow Explorer have both failed, the only option is to pay the ransom if he wants his files back.

My advice is to avoid paying the ransom, but I understand that he will have to pay if those photos are very important. Otherwise he can save the encrypted files to a safe location and wait for a solution in the future.

Aside from that, the logs are clean and showed no remaining signs of infection. Do you have any other questions?

Regards,
Alex
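Added example, not part of the thread and not code from BleepingComputer or FRST: the reply above identifies the variant from two artifacts that are both visible in the FRST log, the appended .aaa extension on every user file and the restore_files_<random>.txt/.html ransom notes dated 2015-08-16 and 2015-08-18. The Python script below turns that manual check into a triage pass over a directory tree: it finds the dominant appended extension, counts the files carrying it, collects ransom notes by filename pattern, and reports the span of modification times, which on a file encrypted in place is the time the encrypter wrote it. The constructed sample tree, the file names in it, the generic HOW_TO/HELP note pattern and the min_count threshold are my assumptions, not data from the thread.

```python
"""Ransomware triage over a directory tree (added example, not code from the thread).

Finds the dominant appended extension (e.g. ".aaa" on "IMG_0001.jpg.aaa"),
counts the files carrying it, collects ransom notes by filename pattern and
reports the span of modification times, which for files encrypted in place
is the time the encrypter wrote them.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Note filename patterns. The first matches the restore_files_<random>.txt/.html
# notes listed in the FRST log; the second (HOW_TO_/HELP_ ... RESTORE/DECRYPT)
# is an assumed generic pattern, not something taken from the thread.
NOTE_PATTERNS = [
    re.compile(r"^restore_files_[a-z0-9]+\.(txt|html?)$", re.IGNORECASE),
    re.compile(r"^(how_?to_?|help_?)(restore|decrypt|recover)", re.IGNORECASE),
]


def is_ransom_note(name):
    return any(p.match(name) for p in NOTE_PATTERNS)


def appended_extension(name):
    """Return the outer extension of a double-extension name ('a.jpg.aaa' -> '.aaa'),
    or None for names with fewer than two extensions."""
    parts = name.rsplit(".", 2)
    if len(parts) == 3 and parts[0] and parts[1] and parts[2]:
        return "." + parts[2].lower()
    return None


def _mtime(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def triage(root, min_count=2):
    """Walk `root` and return the dominant appended extension, how many files
    carry it, the ransom notes found (oldest first) and the (first, last) mtime
    of the encrypted files. Legitimate double extensions such as .tar.gz are
    only filtered by the min_count threshold, so review the result before acting."""
    per_ext = Counter()
    mtimes = defaultdict(list)
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                notes.append((path, _mtime(path)))
                continue
            ext = appended_extension(name)
            if ext:
                per_ext[ext] += 1
                mtimes[ext].append(_mtime(path))
    notes.sort(key=lambda item: item[1])
    candidates = [(n, e) for e, n in per_ext.items() if n >= min_count]
    if not candidates:
        return {"extension": None, "encrypted": 0, "notes": notes, "window": None}
    count, ext = max(candidates)
    span = sorted(mtimes[ext])
    return {"extension": ext, "encrypted": count, "notes": notes,
            "window": (span[0], span[-1])}


def build_sample_tree():
    """Constructed sample tree modelled on the thread: photos renamed with .aaa,
    a pair of restore_files_* notes, an untouched document and a legitimate
    .tar.gz. Every name and timestamp here is made up for the demonstration."""
    root = tempfile.mkdtemp(prefix="triage_")
    t_note = datetime(2015, 8, 16, 20, 12, tzinfo=timezone.utc).timestamp()
    sample = [
        ("Desktop/Picture/IMG_0001.jpg.aaa", t_note - 600),
        ("Desktop/Picture/IMG_0002.jpg.aaa", t_note - 300),
        ("Desktop/hunting and family/deer.png.aaa", t_note - 60),
        ("My Documents/notes.txt", t_note - 86400),
        ("Downloads/tool.tar.gz", t_note - 2 * 86400),
        ("Application Data/restore_files_tygon.txt", t_note),
        ("Application Data/restore_files_tygon.html", t_note),
    ]
    for rel, ts in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # contents are irrelevant; only names and mtimes matter
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"appended extension : {result['extension']} ({result['encrypted']} files)")
    if result["window"]:
        print(f"encryption window  : {result['window'][0]} -> {result['window'][1]}")
    for path, when in result["notes"]:
        print(f"ransom note        : {when}  {os.path.basename(path)}")
```

Run it against a mounted image of the victim disk rather than the live machine. The modification-time window is what to line up against the ransom-note timestamps when reconstructing the incident; two note sets with different dates, as in the log posted above, suggest the encrypter ran more than once, which matches the poster's remark about removing four separate detections.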

#4 veronemilie
  • Topic Starter

  • Members
  • 9 posts

Posted 03 October 2015 - 12:47 PM

Thanks, I was afraid it would be something like that :( I have the files backed up onto Dropbox & will subscribe to the thread in hopes a solution is found one day :) Thank you for your help :)



#5 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 04 October 2015 - 02:47 AM

Hello veronemilie,

If I may: your friend is using Windows XP. Support for Windows XP from Microsoft officially ceased on April 8th, 2014, which means that any vulnerabilities found after this date will no longer be patched, leaving your machine open to exploits by malware.

I recommend that your friend upgrade to Windows 7, 8 or 10 if it is possible.

If he still wishes to continue using Windows XP, please see here for a list of tips on how to keep your machine safe.

You can also see here for some information regarding antivirus software for Windows XP. Personally I also think that your friend might want to switch to a paid antivirus seeing that Avast Free failed to protect him from TeslaCrypt.

If you need to ask anything else, please do not hesitate to do so.

Regards,
Alex

#6 veronemilie
  • Topic Starter

  • Members
  • 9 posts

Posted 04 October 2015 - 04:24 PM

I will be switching him to Lubuntu. As for Avast, I installed it after he brought me the computer; he used to have an outdated McAfee & no malware protection. Avast found another separate virus & removed it ;) The computer & hardware won't handle any newer versions of Windows ;)



#7 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 05 October 2015 - 05:25 AM

Hello veronemilie,

It's good to hear that you are migrating your friend to Linux. :)

Here is a guide for getting started with Lubuntu, just in case your friend needs help getting used to the OS.

If you or your friend have any questions, the experts in Bleeping Computer's Linux & Unix section will be happy to help with your problems.

Feel free to ask if you have any question left - otherwise I will consider this resolved.

Regards,
Alex

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,633 posts
  • Gender:Female
  • Location:Romania

Posted 07 October 2015 - 06:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

