Thread: File recovery from ransomware infection

#1 Junior Member (Join Date: Jan 2015; Posts: 11)

    File recovery from ransomware infection

    Hi Guys

    I hope you can help; I appear to have been the victim of some ransomware variant of CryptoLocker.

    My system no longer has the infection but it has left in its wake a whole lot of my files and years of photos encrypted.

    The ransomware demands I pay 0.5 bitcoin for the decryption key.

    I’m no computer genius and would really appreciate some help with decrypting the files if possible.

    I have read the forum rules re posting regarding this topic and can provide the results from the Farbar scan tool if you require this.

    The affected folders have been left with two new files instructing me what to do next to decrypt my files, the text of which is below.

    I would be forever grateful if someone could help me out here as I’m gutted regarding the loss of the family photos and really don’t want to fund any criminals to regain them.

    Yours hopefully

    Wayne

    ********************************************************************************************************************************************
    Your documents, photos, databases and other important files have been encrypted
    with strongest encryption and unique key, generated for this computer.

    Private decryption key is stored on a secret Internet server and nobody can
    decrypt your files until you pay and obtain the private key.

    If you see the main locker window, follow the instructions on the locker.
    Otherwise, it seems that you or your antivirus deleted the locker program.
    Now you have the last chance to decrypt your files.

    1. Type the address Edit in your Internet browser.
    It opens the Tor site.

    2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle',
    install and run it.

    3. Now you have Tor Browser. In the Tor Browser open the Edit
    Note that this server is available via Tor Browser only.
    Retry in 1 hour if site is not reachable.

    4. Copy and paste the following public key in the input form on server. Avoid misprints.
    NCU5B3-NUKQTQ-O6NQFL-UMQNCT-4BLVDC-MGDXZT-S72TVP-UHMG5I
    FMWS6F-7RGRZN-TG6IP4-GRILS7-SVHLJB-Z6RVXW-7NP6K2-UF4I5L
    GOZ6T3-AEYCNG-K2I2A3-52KSFZ-BJCYLO-ZKXSA7-MDVTZY-OQL7TF
    5. Follow the instructions on the server.
    ********************************************************************************************************************************************
    Last edited by tashi; 2015-01-21 at 15:24. Reason: Removed links and attachment

#2 tashi, Member of Team Spybot (Join Date: Oct 2005; Location: USA; Posts: 30,964)

    Hello waynebinukq,

    Sorry to hear the computer was infected.

    Quote Originally Posted by waynebinukq View Post
    I have read the forum rules re posting regarding this topic and can provide the results from the Farbar scan tool if you require this.
    Could you provide the log please, then I will merge your posts and remove mine as helpers look for a zero response.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

#3 Junior Member (Join Date: Jan 2015; Posts: 11)

    Hi, the Addition log file from the Farbar scan tool is now attached.

    It will not allow me to upload the FRST file as it exceeds the file limit of 48.8kb.

    Shall I just copy the text into the thread?

    Many thanks

    Wayne

#4 tashi, Member of Team Spybot (Join Date: Oct 2005; Location: USA; Posts: 30,964)

    Hi waynebinukq,

    Quote Originally Posted by waynebinukq View Post
    Shall I just copy the text into the thread?
    Yes please.

    • Press Scan button.
    • It will produce a log called FRST.txt in the same directory the tool is run from.
    • Please copy and paste log into your topic
    • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please attach that along with the FRST.txt into your reply.

    aswMBR Log

    Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.

    Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
    • If a prompt stating: The computer supports "Virtualization Technology" appears select Yes
    • Click the Scan button to start scan.
    • If you are asked to update the Avast Virus database please allow it to do so.
    • When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply with the Farbar (FRST) log.

    http://forums.spybot.info/showthread...ull=1#post1150

#5 Junior Member (Join Date: Jan 2015; Posts: 11)

    Hi tashi,

    The text content exceeds the limit of 200000 characters; do you require I add several replies in order to fit all the text in?

    I’m not sure if this information will help as Windows has been re-installed by a friend and the infection seems to be gone now. I can provide an example of the encrypted .jpg files if this will help with decryption?

    Sorry if I'm causing you any hassle.

    Wayne

#6 Junior Member (Join Date: Jan 2015; Posts: 11)

    aswMBR scan result

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2015-01-21 15:29:50
    -----------------------------
    15:29:50.350 OS Version: Windows 6.1.7601 Service Pack 1
    15:29:50.350 Number of processors: 4 586 0xF0B
    15:29:50.350 ComputerName: HOMEPC-PC UserName: HomePC
    15:29:50.911 Initialize success
    15:29:51.208 VM: initialized successfully
    15:29:51.208 VM: Intel CPU supported
    15:29:54.142 VM: supported disk I/O ataport.SYS
    15:31:17.547 AVAST engine defs: 15012100
    15:31:19.310 The log file has been saved successfully to "C:\Users\HomePC\Desktop\aswMBR.txt"
    15:31:37.499 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-7
    15:31:37.515 Disk 0 Vendor: ST2000DL001-9VT156 CC97 Size: 1907729MB BusType: 3
    15:31:37.515 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-3
    15:31:37.515 Disk 1 Vendor: OCZ-OCTANE 1.14 Size: 244198MB BusType: 3
    15:31:37.531 Disk 1 MBR read successfully
    15:31:37.531 Disk 1 MBR scan
    15:31:37.640 Disk 1 Windows 7 default MBR code
    15:31:37.640 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:31:37.640 Disk 1 default boot code
    15:31:37.671 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 244096 MB offset 206848
    15:31:37.687 Disk 1 scanning sectors +500115456
    15:31:37.702 Disk 1 scanning C:\Windows\system32\drivers
    15:31:46.033 Service scanning
    15:32:06.190 Modules scanning
    15:32:06.190 Disk 1 trace - called modules:
    15:32:06.206 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    15:32:06.206 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x85d788f0]
    15:32:06.221 3 CLASSPNP.SYS[8c7c259e] -> nt!IofCallDriver -> [0x85c73408]
    15:32:06.221 5 ACPI.sys[8c2c43d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x858b1030]
    15:32:06.486 AVAST engine scan C:\Windows
    15:32:07.298 AVAST engine scan C:\Windows\system32
    15:35:48.819 AVAST engine scan C:\Windows\system32\drivers
    15:35:56.296 AVAST engine scan C:\Users\HomePC
    15:38:11.474 AVAST engine scan C:\ProgramData
    15:39:09.095 Disk 1 statistics 3292118/0/0 @ 14.52 MB/s
    15:39:09.095 Scan finished successfully
    15:39:37.459 Disk 1 MBR has been saved successfully to "C:\Users\HomePC\Desktop\MBR.dat"
    15:39:37.771 The log file has been saved successfully to "C:\Users\HomePC\Desktop\aswMBR.txt"

#7 tashi, Member of Team Spybot (Join Date: Oct 2005; Location: USA; Posts: 30,964)

    Hello Wayne,

    Quote Originally Posted by waynebinukq View Post
    I’m not sure if this information will help as Windows has been re-installed by a friend and the infection seems to be gone now. I can provide an example of the encrypted .jpg files if this will help with decryption?
    When was Windows re-installed, please be specific. Where are the infected/encrypted files held?

    Quote Originally Posted by waynebinukq View Post
    Sorry if I'm causing you any hassle.

    Wayne
    No hassle, we are all here to help.
    Last edited by tashi; 2015-01-21 at 17:13. Reason: Edited as log was posted.
