Ransomware File Recovery Help Please

Hello, I have read on another thread that I should attach logs of a Ransomware removal here for help in possible recovery. Is there anybody out there who can help me, please? I am really losing a lot of data here that cannot be replaced, so I am in trouble.

Thanks in advance.

Mark

Hello, please follow this Guide and attach all missing log files:

https://forum.avast.com/index.php?topic=53253.0

When done, a malware expert will assist you with further steps :slight_smile:

It should be TeslaCrypt, which has been successfully cracked, so you may have hope of getting your files back. But no guarantee.

http://blogs.cisco.com/security/talos/teslacrypt

Do not rename log files.

Hello,

MBAM has targeted the TeslaCrypt files, thus the danger should be over now. Nevertheless, diagnostic logs should be posted for further analysis.

Files:
Ransom.TeslaCrypt, C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe, Quarantined, [e6dd3053504992a41a40bb444cb5827e], 
Ransom.TeslaCrypt, C:\Users\Maritza Elphick\Documents\patkrramitxk.exe, Quarantined, [f7cc5a297f1a96a03d1d847bdd24926e], 
Ransom.TeslaCrypt, C:\Users\Maritza Elphick\Documents\qwwnupvhsexn.exe, Quarantined, [1fa43d466c2d54e2cf8b5ba411f03bc5], 
Ransom.TeslaCrypt, C:\Windows\suocmniibark.exe, Quarantined, [259eb2d163362d09b1a902fdb05128d8], 

I also have to inform you that TC's new variant (that creates .xxx, .ttt, .micro, and .mp3 extensions) cannot be recovered or encrypted at this moment, unfortunately.

Some older TC variants (ecc, ezz, exx, xyz, zzz, aaa, abc, ccc, or vvv) may have a chance of unlocking by using TeslaCrack, TeslaDecoder or a similar tool. Follow this thread for future information.

BC’s article:
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/

Yes, almost forgot, Kaspersky's Rannoh Decryptor can recover data encrypted by the older TC variant. Contact KAV's chat support for assistance.

Please find logs as requested.

I anxiously await your responses please…

Hi… hm… malware is still active. MBAM didn't do its job right…
Deploy my fix now, post me the FixLog and then run another scan and post a fresh FRST.txt to see if malware is still active.
Btw, the logs show the .mp3 version of TC malware, thus the above rules apply. You may follow this thread, so if a fix for this variant appears anytime soon, you shall read it here: BC's thread

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

CreateRestorePoint:
Folder: C:\Users\Maritza Elphick\AppData\Local\{78CBE183-2F91-4A4A-A6C0-A46FF4A135AA}

CloseProcesses:
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [pjhsragtcjlk] => C:\Windows\system32\cmd.exe /c start "" "C:\Windows\suocmniibark.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [mffawcigamfp] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [uttlkvskmyid] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\qwwnupvhsexn.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [jorsndvfmxpc] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [gweefdxypbyq] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [fdxypbyqyclf] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\qwwnupvhsexn.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [fxkxocjpvngs] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\patkrramitxk.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\Run: [ftwftwfhyhhj] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe"
HKU\S-1-5-21-1663352267-3056065835-2979566487-1001\...\MountPoints2: {cd197f81-a088-11e4-825d-3010b3749e9d} - "G:\SETUP.EXE" 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
S2 0111931457263525mcinstcleanup; C:\Windows\TEMP\011193~1.EXE -cleanup -nolog [X]

Hosts:
C:\Windows\suocmniibark.exe
C:\Users\Maritza Elphick\Documents\*.exe
C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe
C:\Users\Maritza Elphick\Documents\qwwnupvhsexn.exe
C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe
C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe
C:\Users\Maritza Elphick\Documents\qwwnupvhsexn.exe
C:\Users\Maritza Elphick\Documents\patkrramitxk.exe
C:\Users\Maritza Elphick\Documents\oprggxarqivp.exe
C:\Windows\TEMP\*.EXE
C:\Users\Maritza Elphick\AppData\Local\*.tmp
C:\Users\Maritza Elphick\Desktop\*.tmp
2016-03-04 14:57 - 2016-03-04 14:57 - 00000254 _____ C:\Users\Maritza Elphick\Documents\recover_file_amitxkmbt.txt
2016-03-04 14:52 - 2016-03-04 14:52 - 00011710 _____ C:\Users\Public\Documents\_RECOVERY_+ltihq.html
2016-03-04 14:52 - 2016-03-04 14:52 - 00011710 _____ C:\Users\Maritza Elphick\AppData\Local\Apps\_RECOVERY_+ltihq.html
2016-03-04 14:52 - 2016-03-04 14:52 - 00011710 _____ C:\ProgramData\_RECOVERY_+ltihq.html
2016-03-04 14:52 - 2016-03-04 14:52 - 00001961 _____ C:\Users\Public\Documents\_RECOVERY_+ltihq.txt
2016-03-04 14:52 - 2016-03-04 14:52 - 00001961 _____ C:\Users\Maritza Elphick\AppData\Local\Apps\_RECOVERY_+ltihq.txt
2016-03-04 14:52 - 2016-03-04 14:52 - 00001961 _____ C:\ProgramData\_RECOVERY_+ltihq.txt
2016-03-04 14:50 - 2016-03-04 14:50 - 00000254 _____ C:\Users\Maritza Elphick\Documents\recover_file_dnvnxgiqk.txt
2016-03-04 14:47 - 2016-03-04 14:47 - 00011710 _____ C:\Users\Public\Documents\_RECOVERY_+dodfm.html
2016-03-04 14:47 - 2016-03-04 14:47 - 00011710 _____ C:\Users\Maritza Elphick\AppData\Local\Apps\_RECOVERY_+dodfm.html
2016-03-04 14:47 - 2016-03-04 14:47 - 00011710 _____ C:\ProgramData\_RECOVERY_+dodfm.html
2016-03-04 14:47 - 2016-03-04 14:47 - 00001961 _____ C:\Users\Public\Documents\_RECOVERY_+dodfm.txt
2016-03-04 14:47 - 2016-03-04 14:47 - 00001961 _____ C:\Users\Maritza Elphick\AppData\Local\Apps\_RECOVERY_+dodfm.txt
2016-03-04 14:47 - 2016-03-04 14:47 - 00001961 _____ C:\ProgramData\_RECOVERY_+dodfm.txt
2016-03-04 14:44 - 2016-03-04 14:44 - 00000254 _____ C:\Users\Maritza Elphick\Documents\recover_file_litwjbaib.txt
2016-02-28 16:04 - 2016-02-28 16:04 - 00000254 _____ C:\Users\Maritza Elphick\Documents\recover_file_nmjuyyggo.txt
2016-03-04 14:47 - 2016-03-04 14:47 - 0011710 _____ () C:\ProgramData\_RECOVERY_+dodfm.html
2016-03-04 14:47 - 2016-03-04 14:47 - 0064157 _____ () C:\ProgramData\_RECOVERY_+dodfm.png
2016-03-04 14:47 - 2016-03-04 14:47 - 0001961 _____ () C:\ProgramData\_RECOVERY_+dodfm.txt
2016-03-04 14:52 - 2016-03-04 14:52 - 0011710 _____ () C:\ProgramData\_RECOVERY_+ltihq.html
2016-03-04 14:52 - 2016-03-04 14:52 - 0064157 _____ () C:\ProgramData\_RECOVERY_+ltihq.png
2016-03-04 14:52 - 2016-03-04 14:52 - 0001961 _____ () C:\ProgramData\_RECOVERY_+ltihq.txt

EmptyTemp:
END

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
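A defender-side triage script, added here as an example; it is not part of the thread and is not code from FRST, MBAM or any other tool named in it. It turns two things magna86's posts make visible into checks a responder can run over an FRST-style log and a file listing: the Run-key entries that launch random-named executables through cmd.exe /c start from the user's Documents folder, the _RECOVERY_+ and recover_file_ ransom notes, and the extension rule that separates the older TeslaCrypt variants the thread says had decryptors (ecc, ezz, exx, xyz, zzz, aaa, abc, ccc, vvv) from the newer ones it says had none (xxx, ttt, micro, mp3). All sample lines, SIDs, file names, hashes and paths are constructed for the demo. The decryptor status is the thread's, as of March 2016; the TeslaCrypt master key was released publicly in May 2016 and decryptors for the later variants followed.

```python
"""TeslaCrypt triage over FRST-style log lines and a file listing.

Added example for the thread above; not code from FRST, MBAM or any poster.
All sample data below is constructed (fake SIDs, file names, paths).
"""
import json
import re

# FRST prints autostart entries as: ...\Run: [name] => <command line>
RUN_LINE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
# The launcher shape seen in the thread: cmd.exe /c start "" "<exe>"
CMD_START = re.compile(r'cmd\.exe\s+/c\s+start\s+""\s+"(?P<target>[^"]+)"', re.I)
# Folders a normal installer rarely uses for autostarted binaries
ODD_FOLDERS = re.compile(r"\\(Documents|Desktop|Downloads|Temp|Public)\\", re.I)
# Absolute Windows path at the end of an FRST file-listing line
PATH_AT_END = re.compile(r"([A-Za-z]:\\.+)$")
# Ransom-note names seen in the thread (_RECOVERY_+xxxxx.* and recover_file_*.txt)
RANSOM_NOTE = re.compile(r"\\(_RECOVERY_\+\w+\.(html|txt|png)|recover_file_\w+\.txt)$", re.I)
# TeslaCrypt appended its extension to the whole original name: report.docx -> report.docx.mp3
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<ext>[A-Za-z0-9]+)$")

# Extension families as the thread states them (status as of March 2016)
OLDER_DECRYPTABLE = {"ecc", "ezz", "exx", "xyz", "zzz", "aaa", "abc", "ccc", "vvv"}
NEWER_NO_DECRYPTOR = {"xxx", "ttt", "micro", "mp3"}


def suspicious_autostarts(lines):
    """Return Run-key entries that use the cmd.exe launcher or point into odd folders."""
    hits = []
    for line in lines:
        m = RUN_LINE.search(line)
        if not m:
            continue
        launch = CMD_START.search(m.group("cmd"))
        target = launch.group("target") if launch else m.group("cmd")
        reasons = []
        if launch:
            reasons.append("cmd-start-launcher")
        if ODD_FOLDERS.search(target):
            reasons.append("user-writable-target")
        if reasons:
            hits.append({"name": m.group("name"), "target": target, "reasons": reasons})
    return hits


def ransom_notes(lines):
    """Return paths from file-listing lines whose names match TeslaCrypt ransom notes."""
    notes = []
    for line in lines:
        m = PATH_AT_END.search(line)
        if m and RANSOM_NOTE.search(m.group(1)):
            notes.append(m.group(1))
    return notes


def classify_encrypted(filenames):
    """Group files by TeslaCrypt extension family.

    Requires the double extension, so a genuine song.mp3 is not counted as a
    victim of the .mp3 variant; only report.docx.mp3-style names are.
    """
    result = {"older_decryptable": [], "newer_no_decryptor": []}
    for name in filenames:
        m = ENCRYPTED_NAME.match(name)
        if not m:
            continue
        ext = m.group("ext").lower()
        if ext in OLDER_DECRYPTABLE:
            result["older_decryptable"].append(name)
        elif ext in NEWER_NO_DECRYPTOR:
            result["newer_no_decryptor"].append(name)
    return result


def triage(frst_lines, filenames):
    """Combine the three checks into one report."""
    return {
        "autostarts": suspicious_autostarts(frst_lines),
        "ransom_notes": ransom_notes(frst_lines),
        "encrypted": classify_encrypted(filenames),
    }


# Constructed sample input modelled on the thread's fixlist (everything here is invented)
SAMPLE_FRST = [
    r'HKU\S-1-5-21-111-222-333-1001\...\Run: [abcdefghijkl] => C:\Windows\system32\cmd.exe /c start "" "C:\Users\Alice\Documents\qwertyuiopas.exe"',
    r'HKU\S-1-5-21-111-222-333-1001\...\Run: [mnopqrstuvwx] => C:\Windows\system32\cmd.exe /c start "" "C:\Windows\zxcvbnmasdfg.exe"',
    r'HKU\S-1-5-21-111-222-333-1001\...\Run: [OneDrive] => C:\Users\Alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe',
    r'2016-03-04 14:52 - 2016-03-04 14:52 - 00011710 _____ C:\Users\Public\Documents\_RECOVERY_+abcde.html',
    r'2016-03-04 14:52 - 2016-03-04 14:52 - 00001961 _____ C:\ProgramData\_RECOVERY_+abcde.txt',
    r'2016-03-04 14:57 - 2016-03-04 14:57 - 00000254 _____ C:\Users\Alice\Documents\recover_file_xyzxyzxyz.txt',
    r'2016-03-01 09:00 - 2016-03-01 09:00 - 00002048 _____ C:\Users\Alice\Documents\notes.txt',
]
SAMPLE_FILES = ["report.docx.mp3", "photo.jpg.mp3", "song.mp3", "scan.pdf.vvv", "archive.tar.gz"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FRST, SAMPLE_FILES), indent=2))
```

The per-user OneDrive entry in the sample is deliberately left unflagged: AppData\Local is where many legitimate per-user installs live, so the script only treats the cmd.exe /c start launcher and binaries under Documents, Desktop, Downloads, Temp or Public as worth a second look. On a real FRST.txt, feed the whole file as `lines` and a `dir /s /b` listing of the user profile as `filenames`.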

Attached the fixlog as requested… I also ran the repair again and attached that log.

Has that solved the problem? Anything else to do to possibly recover data?

regards,

mark

Forget about getting the data back if you don’t have a clean backup.
There are currently no decryptors for the latest cryptoware malware.

that is really really sad news indeed!

:‘( :’( :‘( :’( :cry:

how do I know if I am rid the malware?

how do I know if I am rid the malware?
When @magna86 tells you.

@elphick.mark

You will need to follow my guide to the dot. You have run the FRST fix two times; I asked for only one run. Thus, the posted log tells me nothing…
Post the original FixLog from the first run, located in the C:\FRST\Logs folder.

Next, I didn't tell you to re-run aswMBR, but to re-run FRST and post a fresh FRST.txt report for re-analysis…

And finally, you will need to read my lines, as I have written everything with links that you need to know.

My apologies, Magna, but the computer shut down during the first scan and I had to start again.

Attached is the very first FixLog in that folder, is that what you are looking for? I have also posted the FRST file in case you wanted that as well.
Please assist me, I am grateful for your time and effort.

You've posted the old FRST log. Let's try again…

Please download a fresh copy of the Farbar Recovery Scan Tool by Farbar and save it to your desktop.

The tool needs to be saved to your Desktop!

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

1. Double-click to run it.
2. Press the Scan button.
3. It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.

Please find the files generated after the scan from my desktop.

I trust this is what you were looking for? What next?

Well, elphick.mark, these posted logs show no presence of ransomware (TC) or any other active malware. We removed the malware from the system.
Logs are clean.

Thus, the consequences of the infection remain. As said before, data can't be decrypted or unlocked with any key at this moment.

Pack your files in one place and hope for a solution in the future. Follow the BC thread and BC's articles and you will know if a solution is near.

As avast! isn't very good at detecting new ransomware malware, my advice is to heighten your security ecosystem. You may wanna take a peek at this software:

CryptoPrevent: a security app that attempts to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker, TeslaCrypt and similar clones. The app creates powerful GPOs for security…

Malwarebytes has a new tool as well, still beta though, but … you know…
https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

I am also seeing that you are using Dropbox. You may also take a peek at OneDrive by Microsoft or Google Drive by Google for backup.

The following will implement some post-cleanup procedures:

Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Good luck man.

Thanks very much for your patience and help.

I cannot express how frustrating it is to have lost this data, and I live in hope that somebody comes up with a fix for it soon! :cry:

regards,

mark

You're welcome. I'm sorry for not being able to do more with your data.

IMO, an exploit for the new TeslaCrypt (a method for restoring encrypted files) may not come so soon (within a few weeks or so…) but some people are working hard to find some kind of hole in the malware itself.