Infection by ransomware Zepto extension on Windows 10

Hi,

End of the day yesterday, my Outlook stopped working, then I found out most of the data on my hard drive got renamed with a zepto extension; I posted some enquiry/feedback on my Avast! account, as this is how I got help in the past, but this time no reaction from Avast!, and nobody else seems to be able to help so far.
I managed to partially retrieve my e-mail data, but I don’t know what to do next.
Is there anybody who could help further?
This is quite urgent as most of my work is done via e-mail.

thanks,

PhD

https://forum.avast.com/index.php?topic=53253.0
Zepto is a variant of Locky.

Hi Eddy,

thanks for replying.
I’m not familiar with this forum.
I assume you suggest I follow the steps at the link you posted? Right?
We already ran Malwarebytes and Spybot S&D so I’ll continue on with the next steps.
Should I reboot my computer in Safe Mode or it doesn’t matter at this stage?

Yes, follow the steps described there and attach the requested log files to your next post.
Do not boot into safe mode to run the tools.

Ok, I’m running into a bit more difficulty than expected: so far I managed to recreate my Outlook account and can now send and receive; for the rest, I found out that I can’t start Task Manager. I must have tried at least 9 different ways to do so and still no luck.
I managed to run Spybot, which removed about 1500 files and reported the following a minute ago:

[i] 16-08-15 20:07:21 TFileScanHTTPDaemon Listening on port 21323
[i] 16-08-15 20:07:21 TFileScanHTTPDaemon Successfully started listening on port 21323.
SDFileScanLibrary.dll [2016-08-15 20:07:27] Loaded databases.
[i] 16-08-17 12:26:54 TFileScanHTTPDaemon Listening on port 21323
[i] 16-08-17 12:26:54 TFileScanHTTPDaemon Successfully started listening on port 21323.
SDFileScanLibrary.dll [2016-08-17 12:26:54] Loaded databases.
SDFileScanLibrary.dll [2016-08-17 12:28:41] Started scanning C:\Windows\System32\Taskmgr.exe.
SDFileScanLibrary.dll [2016-08-17 12:28:47] Scanned file C:\Windows\System32\Taskmgr.exe is clean.
[i] 16-08-17 17:51:17 TFileScanHTTPDaemon Listening on port 21323
[i] 16-08-17 17:51:17 TFileScanHTTPDaemon Successfully started listening on port 21323.
SDFileScanLibrary.dll [2016-08-17 17:51:17] Loaded databases.

Unfortunately, after several attempts I still can’t run Malwarebytes Anti-Malware. When I click the application nothing happens. I’m stuck at this point. Looked at a few suggestions on the Internet but none worked.

Please only follow the instructions if you want help.

Ok moving on to Farbar.
Thanks.

See logs from Farbar Recovery Scan Tool attached

Adding FRST.txt as well, sorry.

And attached the aswMBR.txt file

To begin with, please understand that we can remove the malware from your system but we can not decrypt your files. Most experts say that the best way to start on this is to make an image of your system so that IF a way to decrypt the files is ever discovered, you can load the image and get your files back from the image.

You may also want to consider that, if you have a back up of your personal data files (documents, pictures, etc.), it may be better to format your hard drive and re-install Windows. There is considerable malware on this system and while we always strive to clean as best we can, there is no guarantee that all the malware can be removed and / or the damage undone.

With those two points in hand we can begin …


Did you know that System Restore is disabled?

If you did not do this intentionally, please check the following:

Go to Start and type System in the search box.

Click on System (under Control Panel or Settings) and then on System Protection.

Click on Configure and then select Turn on system protection.

Click Apply and then OK.

In the System Protection screen, is Protection now On for the drive?

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Define Ext
File Extractor
File Extractor Packages
TidyNetwork.com
Wondershare Helper Compact 2.5.0
Wondershare Video Converter Ultimate(Build 7.3.0.3)

To do so, left-click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

Yes I understand that unfortunately.
Yes, I know that System Restore is disabled, as this is one of the first things I tried to do.
This was not done on purpose, as I used this feature on earlier versions and know it is useful.
I tried the steps you suggested, but when doing so, I see that my OS & Program (C:) drive has protection on; Data (F:) and RECOVERY (D:) are off. Under System Protection all buttons are greyed except OK and Cancel, so I cannot click on Configure.
I also tried to do this as Administrator, since it says this had been deactivated by my Administrator, but the view is the same.

I’m proceeding with your other instructions.

You will find the requested file attached.

Good news: after running Farbar, as you indicated, I could turn System Protection on for drive (F:); (C:) was already on.
I also, now, could launch the Task Manager which was not starting before.
Thanks.
I’ll now try again to run: Malwarebytes Anti-Malware which was not launching before.
Let me know if other actions are required.

Ok, this time Malwarebytes started and completed successfully. I don’t think I’ll need any of the quarantined files, but I did not remove them yet, in case you say otherwise.
I have attached the 3 logs that were produced.
Everything seems to work properly now, including the fact that I receive much less spam than in the past :)
I placed all the encrypted files in a separate folder that I’ll backup later on, but before connecting another drive, I’d like to be sure it won’t get infected.
For the same reason I did not yet restore the files from my last backup.

Glad to hear that you have control of your system once more; the malware had looped some of the controls back into themselves, so that was the first order of business. It also looks like Malwarebytes cleaned a lot of the remainders out; let’s see what AdwCleaner finds and we will then check for any leftovers before letting you restore anything.


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

- [b]Vista/7/8 users:[/b] Right click the [b]AdwCleaner[/b] icon on the desktop, click [b]Run as administrator[/b] and accept the UAC prompt to run AdwCleaner.

You will see the AdwCleaner console.

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it will ask to reboot; allow this.

- On reboot a log will be produced; please attach that in your next reply. This report is also saved to [b]C:\AdwCleaner\AdwCleaner[C#].txt[/b]

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

Ok, here is the log attached.

Mostly remnants in that log so let us see what FRST shows as active (if anything).

If you still have an Addition.txt log file on your desktop, please delete it now.

Start FRST64 that is on your Desktop by right clicking and selecting “Run as Administrator”.

The tool will start to run. When the tool opens click Yes to the UAC prompt.

Select Addition.txt in the Optional Scans section of FRST64.

Press the Scan button.

It will make two logs (FRST.txt and addition.txt) on your Desktop. Please attach the logs in your next reply.

Here attached the requested files; I did not receive a UAC prompt though.

Yes; your UAC has been turned off. I was going to fix this in the final cleanup of removing our tools but it looks as though something tried to sneak in recently, so let’s see if we can turn the UAC back on. You can read about the UAC and how to change the levels here. Basically, you go to the Control Panel, User Accounts, Change User Account Control settings. There you can move a slider to select the level of notification you would like; the default level is the second one (the level marker is enhanced to show default). Once this is done and active, please continue with the script below.


Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt


Start
CreateRestorePoint:
CloseProcesses:
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
C:\Users\pduval\AppData\Local\Temp\libeay32.dll
C:\Users\pduval\AppData\Local\Temp\msvcr120.dll
C:\Users\pduval\AppData\Local\Temp\sqlite3.dll
Task: {60CA1986-25F3-44EF-9CFB-6B3769605CE0} - \eycurkh -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by double clicking on the FRST64.exe file. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
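As an added, read-only example (not part of this thread and not the helper's fixlist), the script below audits the controls the thread found tampered with: UAC turned off, Task Manager blocked, the System Restore configuration locked ("deactivated by your Administrator"), and scheduled tasks whose executable no longer exists, like the "\eycurkh -> No File" entry in the fixlist. It assumes an elevated PowerShell 5.1 or later session on the affected Windows 10 machine; the registry value names are the standard Windows policy values, and the task check is generic rather than tied to any task name from the log.

```powershell
# Read-only audit of controls commonly tampered with during a malware infection.
# Assumption: run elevated on Windows 10 (PowerShell 5.1+). Nothing is changed.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. UAC: EnableLUA = 0 means User Account Control is switched off.
$lua = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($lua -eq 0) { $findings += 'UAC disabled (EnableLUA = 0)' }

# 2. Task Manager: the DisableTaskMgr policy stops taskmgr.exe from starting.
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegDword "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableTaskMgr'
    if ($v -eq 1) { $findings += "Task Manager disabled by policy in $hive" }
}

# 3. System Restore: DisableSR turns it off; DisableConfig greys out the
#    Configure button in the System Protection dialog.
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
foreach ($name in 'DisableSR', 'DisableConfig') {
    if ((Get-RegDword $sr $name) -eq 1) { $findings += "System Restore policy $name = 1" }
}

# 4. Scheduled tasks whose action points at a file that is no longer present
#    (orphaned task, or a loader whose payload was already removed).
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if (-not $a.Execute) { continue }               # non-exec actions have no path
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if ($exe -notmatch '^[A-Za-z]:\\') { continue }  # skip bare names like cmd.exe
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings += "Task '$($_.TaskName)' points to missing file $exe"
        }
    }
}

if ($findings.Count -eq 0) { 'No tampered controls found.' } else { $findings }
```

Anything it reports is a lead to examine, not proof of infection; a task pointing at a missing file can also be left behind by an ordinary uninstall.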