Hello!
Since yesterday 6 PM, I've lost all my files (Word, Excel, photos, PDF, etc.). All seem to have been encrypted by this virus: decode@india.com. I say this because all these files have been renamed with something ending in india.com. Searches done with Avast or other products find nothing.
Before trying to recover my files, I need to kill this virus and I don't know how. There are some proposals on the net but I'm not very confident.
Does someone know this malware and the way to suppress it?
Thanks in advance !
Regards
It is ransomware; follow these instructions please:
https://forum.avast.com/?topic=53253.0
"Since yesterday 6 PM, I'd lost all my files (word, excel, photos, pdf, etc ...)" but you have a backup ..... or not?
Hello!
Thanks for these first answers.
1 - I'm leaving now for travel and I'll work on this problem beginning the 25th.
2 - I have a backup, but a little bit old.
See you again after the 25th
Regards
Hello! I'm back.
I installed and ran Malwarebytes. 146 items were put in quarantine. The computer was rebooted.
What's the next step?
Thanks for your help.
fdelatre
See reply #1
Hello! I did the job.
1 - Malwarebytes: 160 files in quarantine. Two log txt files recovered.
2 - Farbar Recovery: two files recovered: FRST and Additions.
3 - aswMBR: two log files recovered.
Moreover, I discovered two virus files on root C: fud.bmp and mail.txt.id-5771043697_fud@india.com
I send four in this reply, the others in the next one.
last missing files (I hope)
Thanks
Before I proceed with this fix, were you able to recover your backups? As I am about to remove the encrypted files to quarantine.
The only way the encrypted files can be restored is if you pay the ransom, and I would not recommend that.
I will also provide a link for a free backup programme with instructions on how to use it
Imaging link : http://www.geekstogo.com/forum/topic/345434-macrium-reflect-imaging-tool/
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2412} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=412&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2412} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=412&sr=0&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1784959927-733198148-3530112195-1001 -> {03299B1B-01C3-4D92-9E54-EBED5BA135A5} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites02_14_18_ie&cd=2XzuyEtN2Y1L1QzuzytD0F0B0AyCtB0FtAtB0A0Bzz0A0CtAtN0D0Tzu0SzzyEzytN1L2XzutBtFtBtDtFyDtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyE0D0BzytAyBtBtDtGzz0CtByDtGtA0FyBzytGyBtA0B0DtGyCtCtDzyzytA0D0E0Dzz0C0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0EtBtD0AzyyD0FtG0Czy0EzztG0DtD0BtCtGtDtB0F0DtGtDtC0Azz0CyCyByD0D0Czyzz2Q&cr=1768539612&ir=
SearchScopes: HKU\S-1-5-21-1784959927-733198148-3530112195-1001 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2412} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=412&sr=0&q={searchTerms}
BHO: No Name -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> No File
BHO-x32: Interest recogniser for Moovida (powered by Spointer) -> {E2A7BD67-0EAF-497f-B05B-748D7BF3C421} -> C:\Program Files (x86)\Fluendo\Moovida\spointer\extensions\moovida_air_ie.dll No File
Toolbar: HKLM-x32 - searchweb - {CDB982ED-F9D6-4E3B-B94B-96F705D35AD1} - C:\Program Files (x86)\searchweb\tbunsl674F.tmp\tbcore3.dll No File
Toolbar: HKU\.DEFAULT -> No Name - {CDB982ED-F9D6-4E3B-B94B-96F705D35AD1} - No File
FF Plugin HKU\S-1-5-21-1784959927-733198148-3530112195-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10174.dll No File
2015-03-24 08:50 - 2015-03-24 08:50 - 00000000 ____D () C:\Users\Francis\AppData\Local\{3FB146FB-5123-4C3A-B575-DB68341863C5}
2015-03-23 15:34 - 2015-03-23 15:34 - 00000000 ____D () C:\Users\Francis\AppData\Local\{EEF1FDDB-8AAD-4C4E-969E-00AC19195440}
2015-03-23 13:48 - 2015-03-23 13:48 - 00000000 ____D () C:\Users\Francis\AppData\Local\{0652EE92-2376-4592-B2CD-9844463E1248}
2015-03-23 13:44 - 2015-03-23 13:44 - 00000000 ____D () C:\Users\Francis\AppData\Local\{D34F0D36-4B9E-42C1-B2C5-720C26FE0D9E}
2015-03-04 18:59 - 2015-03-04 19:00 - 00000000 ____D () C:\Users\Francis\AppData\Local\{B0233C10-7889-4F1C-B7FB-11504F2EC44C}
2015-03-04 11:54 - 2015-03-04 11:54 - 00000000 ____D () C:\Users\Francis\AppData\Roaming\QuickScan
2015-03-04 06:59 - 2015-03-04 06:59 - 00000000 ____D () C:\Users\Francis\AppData\Local\{6F5F8672-BEE0-4DC8-B1A5-96D80CCE69B0}
2015-03-03 18:32 - 2015-03-03 18:32 - 00000000 ____D () C:\Users\Francis\AppData\Local\{54CCCD94-0F00-4561-AE27-190F55F0FC24}
2015-03-03 07:42 - 2015-03-03 18:47 - 00188005 _____ () C:\Users\Francis\Downloads\C_Deputés VF (1).pdf.id-5771043697_fud@india.com
2015-03-03 06:31 - 2015-03-03 06:31 - 00000000 ____D () C:\Users\Francis\AppData\Local\{A14F4BFC-F989-4DCD-93FA-77E83671F0BD}
2015-03-02 17:14 - 2015-03-03 18:38 - 00035823 _____ () C:\Users\Francis\Documents\!cid_CF978025304F40D68FA96A00B06F9C71@FRANCISACER.jpg.id-5771043697_fud@india.com
2015-03-02 06:49 - 2015-03-02 06:49 - 00000000 ____D () C:\Users\Francis\AppData\Local\{1496DEAD-DAE7-4C72-B24C-8E84038273C3}
2015-03-01 18:48 - 2015-03-01 18:48 - 00000000 ____D () C:\Users\Francis\AppData\Local\{00BC6EC6-D88C-4D59-A9A4-E73F37FA4167}
2015-03-01 06:25 - 2015-03-03 18:47 - 00188005 _____ () C:\Users\Francis\Downloads\C_Deputés VF.pdf.id-5771043697_fud@india.com
2015-03-01 05:47 - 2015-03-01 05:47 - 00000000 ____D () C:\Users\Francis\AppData\Local\{4C32ABB6-2097-4607-81BD-6DBA7AEDEB02}
2015-02-28 05:58 - 2015-02-28 05:58 - 00000000 ____D () C:\Users\Francis\AppData\Local\{03BAD2D6-CC7F-4511-8EB1-10E54FBD1311}
2015-02-27 06:55 - 2015-02-27 06:55 - 00000000 ____D () C:\Users\Francis\AppData\Local\{22CCC74D-DE89-426A-9B80-E40F3EFAB1F4}
2015-02-26 03:00 - 2015-02-26 03:01 - 00000000 ____D () C:\Users\Francis\AppData\Local\{9563EA65-E653-46E2-98B8-0BDBB3904B27}
2015-02-25 07:30 - 2015-02-25 07:30 - 00000000 ____D () C:\Users\Francis\AppData\Local\{CADBAC18-B34A-4293-970B-BCC68743406D}
2015-02-24 09:22 - 2015-03-03 18:47 - 00026372 _____ () C:\Users\Francis\Downloads\justificatif (2).pdf.id-5771043697_fud@india.com
2015-02-24 05:52 - 2015-02-24 05:52 - 00000000 ____D () C:\Users\Francis\AppData\Local\{103FD962-709B-4C79-83CD-60FEC49F2E6E}
2015-02-23 07:19 - 2015-02-23 07:19 - 00000000 ____D () C:\Users\Francis\AppData\Local\{34F9E606-B20C-4B2A-9492-071C6EF22482}
2015-02-22 08:33 - 2015-02-22 08:33 - 00000199 _____ () C:\Windows\system32\2015-02-22-07-32-59.094-AvastVBoxSVC.exe-4388.log
2015-02-22 08:32 - 2015-02-22 08:32 - 00000000 ____D () C:\Users\Francis\AppData\Local\{0D740A93-CBD4-48A5-8FF4-29DABAFB9412}
2015-03-03 19:00 - 2013-12-22 18:07 - 01038717 _____ () C:\Users\Francis\7905966_LOOK_Garantie_Soleil_24oct2013.pdf.id-5771043697_fud@india.com
2015-03-03 18:59 - 2013-12-22 18:07 - 00089457 _____ () C:\Users\Francis\etkD1459315_1312090941148620.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2015-02-13 14:46 - 01004159 _____ () C:\Users\Francis\Downloads\doc0002.PDF.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-12-09 06:17 - 00015748 _____ () C:\Users\Francis\Downloads\FA001591.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-12-08 08:48 - 00100059 _____ () C:\Users\Francis\Downloads\ticket.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-10-01 05:41 - 01978456 _____ () C:\Users\Francis\Downloads\21614c5e59932da24e92784616451ee0.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-09-24 06:32 - 00007716 _____ () C:\Users\Francis\Downloads\justificatif (1).pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-07-28 05:23 - 10050418 _____ () C:\Users\Francis\Downloads\Ultimate-DRM-Removal-last.zip.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-02-28 06:37 - 00018340 _____ () C:\Users\Francis\Downloads\Imprimé fiscal unique au 2014-02-24.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-02-21 08:08 - 00950722 _____ () C:\Users\Francis\Downloads\DSC_0013.JPG.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-01-12 18:26 - 00015604 _____ () C:\Users\Francis\Downloads\TITOU VOITURE.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-01-12 18:23 - 00447651 _____ () C:\Users\Francis\Downloads\TITOU cerfa_13754_02.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2014-01-09 06:18 - 02548130 _____ () C:\Users\Francis\Downloads\CASIO EXH50_ZS200_M29_FA_120919_F.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-12-23 08:09 - 00007700 _____ () C:\Users\Francis\Downloads\justificatif.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-11-21 08:43 - 00015076 _____ () C:\Users\Francis\Downloads\http___www.villatech.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-06-20 08:30 - 00013876 _____ () C:\Users\Francis\Downloads\MrDELATRE.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-06-20 08:19 - 00156625 _____ () C:\Users\Francis\Downloads\FACTURE kenya DELATRE.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-06-20 08:19 - 00154537 _____ () C:\Users\Francis\Downloads\FACTURE kenya ferbos.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2013-06-20 08:19 - 00153985 _____ () C:\Users\Francis\Downloads\FACTURE kenya loustaunau.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2012-04-12 09:52 - 00735215 _____ () C:\Users\Francis\Downloads\Win7LogonBackgroundChanger.zip.id-5771043697_fud@india.com
2015-03-03 18:47 - 2012-01-11 07:12 - 00346027 _____ () C:\Users\Francis\Downloads\freemiupnp (1).zip.id-5771043697_fud@india.com
2015-03-03 18:47 - 2011-01-09 07:21 - 00030541 ___SH () C:\Users\Francis\Downloads\Folder.jpg.id-5771043697_fud@india.com
2015-03-03 18:47 - 2011-01-09 07:21 - 00007444 ___SH () C:\Users\Francis\Downloads\AlbumArtSmall.jpg.id-5771043697_fud@india.com
2015-03-03 18:42 - 2014-02-21 07:44 - 02748276 _____ () C:\Users\Francis\Documents\Spa-en-bois-Bain-nordique-Hot-tub-Brochure.pdf.id-5771043697_fud@india.com
2015-03-03 18:42 - 2012-11-09 06:43 - 00011268 _____ () C:\Users\Francis\Documents\travaux MIURA.wps.id-5771043697_fud@india.com
2015-03-03 18:42 - 2011-04-03 16:15 - 02842322 _____ () C:\Users\Francis\Documents\TravelGuide_fr_GuideDeVoyage.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2014-10-01 05:43 - 01254384 _____ () C:\Users\Francis\Documents\philips.dect2111s_12_dfu_fra.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2013-04-23 05:14 - 10855900 _____ () C:\Users\Francis\Documents\Prposition.LCL.rtf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2013-02-05 06:48 - 01191766 _____ () C:\Users\Francis\Documents\Notice-utilisation-ST60 -Tridata-fr.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2013-02-05 06:45 - 01488166 _____ () C:\Users\Francis\Documents\Notice-utilisation-ST6000.fr.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2013-02-01 07:20 - 03514827 _____ () C:\Users\Francis\Documents\Pro715_QRG_fr.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2011-04-14 09:25 - 00996317 _____ () C:\Users\Francis\Documents\montgo.sinistre.1.jpg.id-5771043697_fud@india.com
2015-03-03 18:40 - 2011-04-14 09:25 - 00745612 _____ () C:\Users\Francis\Documents\montgo.sinistre.2.jpg.id-5771043697_fud@india.com
2015-03-03 18:40 - 2011-04-03 16:19 - 04204841 _____ () C:\Users\Francis\Documents\nouveau.mexique.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2011-01-09 06:04 - 02278264 _____ () C:\Users\Francis\Documents\Samsung U900.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2010-11-09 07:26 - 00378591 _____ () C:\Users\Francis\Documents\PLU.pdf.id-5771043697_fud@india.com
2015-03-03 18:40 - 2010-05-28 05:49 - 00028404 _____ () C:\Users\Francis\Documents\nmeafaq.txt.id-5771043697_fud@india.com
2015-03-03 18:39 - 2014-04-08 17:27 - 00719055 _____ () C:\Users\Francis\Documents\Electrolux_RM6xx0_RM6xx1.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2014-02-23 05:48 - 02186678 _____ () C:\Users\Francis\Documents\Mode_emploi_RivieraCE340A.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2013-07-19 05:35 - 03277537 _____ () C:\Users\Francis\Documents\Guide_Spa_Meilleurchoix.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2013-02-05 06:47 - 04344806 _____ () C:\Users\Francis\Documents\Manuel-AUTOHELM-6000-BARRE-FRANCHE.fr.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2013-01-31 07:10 - 06711139 _____ () C:\Users\Francis\Documents\lexmarkpro710.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2013-01-25 05:39 - 00137570 _____ () C:\Users\Francis\Documents\Emeric Miralles - Pour Vincent le clochard (1).pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2012-01-13 09:43 - 00160008 _____ () C:\Users\Francis\Documents\INFORAD-V4E-Certificat-33917.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2011-08-09 06:19 - 00077590 _____ () C:\Users\Francis\Documents\Facture.TOHATSU.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2011-04-14 06:59 - 02066359 _____ () C:\Users\Francis\Documents\HP.deskjet.5150.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2011-03-28 11:34 - 00536987 _____ () C:\Users\Francis\Documents\dvd_flick_documentation_www.loisirsfr.com.pdf.id-5771043697_fud@india.com
2015-03-03 18:39 - 2010-10-24 21:15 - 01235089 _____ () C:\Users\Francis\Documents\dossier_hiver_lege_26.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2015-01-07 06:46 - 00032597 _____ () C:\Users\Francis\Documents\Devis.effraction.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2014-04-01 06:58 - 00081713 _____ () C:\Users\Francis\Documents\delatre02 implantation (1).pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2013-11-07 05:14 - 00066521 _____ () C:\Users\Francis\Documents\ATTESTATION NAVIGATION DE PLAISANCE.2014@infonie.fr.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2013-08-10 05:32 - 05219497 _____ () C:\Users\Francis\Documents\cadaujac.superficies.rtf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2013-08-10 05:29 - 00172739 _____ () C:\Users\Francis\Documents\2013-08-10 062947.RTF.id-5771043697_fud@india.com
2015-03-03 18:38 - 2013-06-18 05:08 - 00008116 _____ () C:\Users\Francis\Documents\adresses180613.csv.id-5771043697_fud@india.com
2015-03-03 18:38 - 2012-12-07 09:14 - 00572856 _____ () C:\Users\Francis\Documents\Dossier de Diagnostic Technique N°2012-10-326-DELA.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2012-11-05 09:08 - 02511380 _____ () C:\Users\Francis\Documents\cerfa_12100.1.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2012-11-05 08:54 - 02512162 _____ () C:\Users\Francis\Documents\cerfa_12100.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2012-06-08 06:02 - 00017412 _____ () C:\Users\Francis\Documents\accuseReception2012.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2012-05-05 07:29 - 00481303 _____ () C:\Users\Francis\Documents\ASPES.LA3833.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2011-10-03 13:12 - 03668637 _____ () C:\Users\Francis\Documents\10182.pdf.id-5771043697_fud@india.com
2015-03-03 18:38 - 2011-10-03 13:12 - 00194203 _____ () C:\Users\Francis\Documents\10182V2000.dwg.id-5771043697_fud@india.com
2015-03-03 18:38 - 2011-03-28 13:55 - 01069752 _____ () C:\Users\Francis\Documents\Châteaux_Pessac-Léognan_2010[1].pdf.id-5771043697_fud@india.com
Task: {F7C8BC7B-91ED-433D-BEFD-9F865E4EDC88} - System32\Tasks\AppCloudUpdater => C:\Users\Francis\AppData\Roaming\APPCLO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\AppCloudUpdater.job => C:\Users\Francis\AppData\Roaming\APPCLO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated, please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
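The fixlist above works from FRST's file listing, where every encrypted file carries the ".id-<victim id>_<mailbox>" suffix. The following is an added triage example (not FRST, not the helper's fixlist) that parses lines in that FRST format, strips the suffix to recover the original file name, and summarises what was hit so the list can be checked against a backup or a shadow copy before anything is moved to quarantine; the sample lines are taken from the listing in this thread.

```python
"""Triage for an FRST file listing hit by the fud@india.com renamer (added example,
not FRST or the helper's fixlist). Lines in the FRST format quoted in the thread are
parsed, files carrying the '.id-<victim id>_<mailbox>' suffix are picked out and the
original name recovered, so the list can be matched against a backup or shadow copy."""
import re
from dataclasses import dataclass

# One FRST line: two timestamps, 8-digit size, 5-char attribute field
# (_____ plain file, ___SH system+hidden, ____D directory) and the path.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \(\) (?P<path>.+)$")
# Suffix this family appends to every encrypted file, as seen in the thread.
RANSOM_SUFFIX = re.compile(r"\.id-(?P<vid>\d+)_(?P<mail>[^\\/]+@[^\\/]+)$")

@dataclass
class EncryptedFile:
    path: str           # full path as listed by FRST
    original_name: str  # name with the ransom suffix stripped
    victim_id: str      # digits after 'id-'
    contact: str        # mailbox the ransom note points to
    size: int

def parse_frst_listing(text: str) -> list[EncryptedFile]:
    """Return the encrypted files in an FRST listing; directories are skipped."""
    hits = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if not m or m.group("attrs").endswith("D"):
            continue
        name = m.group("path").rsplit("\\", 1)[-1]
        s = RANSOM_SUFFIX.search(name)
        if s:
            hits.append(EncryptedFile(m.group("path"), name[:s.start()],
                                      s.group("vid"), s.group("mail"), int(m.group("size"))))
    return hits

def summarize(hits: list[EncryptedFile]) -> dict:
    """Count hits per original extension and collect the (id, mailbox) pairs;
    more than one pair would mean more than one infection wrote to this disk."""
    by_ext: dict[str, int] = {}
    for h in hits:
        ext = h.original_name.rsplit(".", 1)[-1].lower() if "." in h.original_name else ""
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"files": len(hits), "bytes": sum(h.size for h in hits), "by_ext": by_ext,
            "ids": sorted({(h.victim_id, h.contact) for h in hits})}

# Constructed sample: three encrypted files copied from the thread's listing plus a
# directory entry and an ordinary log file that must not be reported.
SAMPLE_LISTING = r"""
2015-03-03 18:47 - 2014-12-09 06:17 - 00015748 _____ () C:\Users\Francis\Downloads\FA001591.pdf.id-5771043697_fud@india.com
2015-03-03 18:47 - 2011-01-09 07:21 - 00030541 ___SH () C:\Users\Francis\Downloads\Folder.jpg.id-5771043697_fud@india.com
2015-03-24 08:50 - 2015-03-24 08:50 - 00000000 ____D () C:\Users\Francis\AppData\Local\{3FB146FB-5123-4C3A-B575-DB68341863C5}
2015-03-03 18:40 - 2010-05-28 05:49 - 00028404 _____ () C:\Users\Francis\Documents\nmeafaq.txt.id-5771043697_fud@india.com
2015-02-22 08:33 - 2015-02-22 08:33 - 00000199 _____ () C:\Windows\system32\2015-02-22-07-32-59.094-AvastVBoxSVC.exe-4388.log
"""
```

Run `summarize(parse_frst_listing(open("FRST.txt", encoding="utf-8").read()))` against a real FRST.txt to get the per-extension counts and confirm a single victim id before deciding what to restore from backup or shadow copies.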
Hello!
Thanks for spending time on my problem. I understand what to do but I'm a little bit confused.
My last (good?) backup is from 11/9/13. So I'm sure to lose a lot of very important files.
I'm not very happy to pay the ransom, but maybe it works?
Have you heard of people choosing this way with success?
I'm desperate for my files, so ...
Thanks for advice
Yes, for crooks they are honest in that way. But you should really get into the habit of backing up fairly regularly. The programme is free and a small external USB drive would be less than £50.
Hello!
I got in touch with the crooks. They ask for 2.2 bitcoins. I'll not pay because I succeeded in recovering the major part of my files with the Shadow Explorer function of Windows Seven. Now I feel worried about two subjects.
1 - How can I be sure that the ransomware is eradicated? Is your answer of 24 March the answer?
2 - As Avast seems to be inoperative, what antivirus is able to prevent these kinds of virus?
Thanks again
Regards !
No AV is protection against ransomware as it changes on a daily basis. But you can protect against it.
What problems are you experiencing now?
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG