weekendwarrior55.com infection

Hello Avast support team,

my computer is infected with weekendwarrior55.com. Most of my files are encrypted. I have backed some of them up, but some are not. I am sending you the required logs. Could you help me to decrypt some of the files?

Thanks

I will quarantine the encrypted files on the desktop, as they may not be able to be decrypted.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [ROC_roc_dec12] => "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] => "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
HKLM-x32\...\Run: [ROC_roc_ssl_v12] => "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
HKLM-x32\...\Run: [MarineAquarium3Free_57 Browser Plugin Loader 64] => C:\Program Files (x86)\MarineAquarium3Free_57\bar\1.bin\57brmon64.exe
HKU\S-1-5-21-3138439853-4066643949-2391822931-1001\...\RunOnce: [avg_spchecker] => "C:\Program Files (x86)\AVG\AVG9\Notification\SPChecker1.exe" /start
Startup: C:\Users\Krasi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50DD.tmp [2015-12-02] ()
Startup: C:\Users\Krasi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lock.bmp [2015-12-02] ()
URLSearchHook: HKLM-x32 - BS Player Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player\prxtbBS_2.dll (Conduit Ltd.)
URLSearchHook: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 - BS Player Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player\prxtbBS_2.dll (Conduit Ltd.)
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1750559
SearchScopes: HKLM-x32 -> {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=HJxdm093YYbg&ptnrS=HJxdm093YYbg&ptb=B2A28D10-76D2-459B-92B0-5876A8023EBC&ind=2012083117&n=77edf3ad&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {0D8D614C-426F-4A68-8ECB-C00533FB4A87} URL = hxxp://search.avg.com/route/?d=4b04e791&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={CF8CEED0-3565-4B80-B20D-904CC7F2C215}&mid=18bde8007e76d967ed15a663be2a50a7-74936fda5f6d3065fd35d1b3139f5045328212ec&lang=en&ds=AVG&pr=fr&d=2013-01-02 21:42:33&v=13.2.0.4&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = hxxp://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_uid=7248141837164400&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1750559
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=HJxdm093YYbg&ptnrS=HJxdm093YYbg&ptb=B2A28D10-76D2-459B-92B0-5876A8023EBC&ind=2012083117&n=77edf3ad&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> {E844E945-FBB1-46D7-8B64-645C9024B5E1} URL = hxxp://search.pomagalo.com?keywords={searchTerms}&source=ie
BHO-x32: BS Player Toolbar -> {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} -> C:\Program Files (x86)\BS_Player\prxtbBS_2.dll [2011-05-09] (Conduit Ltd.)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM-x32 - BS Player Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player\prxtbBS_2.dll [2011-05-09] (Conduit Ltd.)
Toolbar: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> No Name - {FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5} - No File
Toolbar: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> No Name - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
Toolbar: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-3138439853-4066643949-2391822931-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin-x32: @pages.tvunetworks.com/WebPlayer -> C:\Windows\system32\TVUAx\npTVUAx.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=1.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF user.js: detected! => C:\Users\Krasi\AppData\Roaming\Mozilla\Firefox\Profiles\sxv1iud7.default\user.js [2012-08-09]
CHR Plugin: (AVG Internet Security) - C:\Users\Krasi\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll => No File
CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\NP4zStub.dll => No File
CHR Plugin: (VLC Multimedia Plug-in) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (TVU Web Player for FireFox) - C:\Windows\system32\TVUAx\npTVUAx.dll => No File
2015-12-02 15:50 - 2015-12-02 15:50 - 00401830 _____ C:\Users\Krasi\AppData\Roaming\lock.bmp
2015-11-25 17:11 - 2015-12-02 14:57 - 01660362 _____ C:\Users\Krasi\Desktop\estestveni-idei-Nosene-na-bebeto-zashto-kak.pdf.id-1313301745_av666@weekendwarrior55.com
2015-11-25 17:11 - 2015-12-02 14:57 - 01140287 _____ C:\Users\Krasi\Desktop\estestveni-idei-MnogokratniPeleni-zashto-kak.pdf.id-1313301745_av666@weekendwarrior55.com
2015-11-25 10:16 - 2015-12-02 14:57 - 00475276 _____ C:\Users\Krasi\Desktop\Tax_Relief_for_parents.zip.id-1313301745_av666@weekendwarrior55.com
2015-11-24 22:38 - 2015-12-02 14:57 - 00939748 _____ C:\Users\Krasi\Desktop\IMG_5086.JPG.id-1313301745_av666@weekendwarrior55.com
2015-11-24 22:38 - 2015-12-02 14:57 - 00934274 _____ C:\Users\Krasi\Desktop\IMG_5087.JPG.id-1313301745_av666@weekendwarrior55.com
2015-11-24 22:38 - 2015-12-02 14:57 - 00791069 _____ C:\Users\Krasi\Desktop\IMG_5085.JPG.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:59 - 2013-09-18 22:30 - 02063033 _____ C:\Users\???????\Downloads\Addison Wesley - Refactoring - Improving the Design of Existing Code.pdf.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:59 - 2011-12-01 00:41 - 00000232 ____H C:\Users\Krasi\Documents\~$равей господине.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2015-10-19 10:35 - 00000232 ____H C:\Users\Krasi\Desktop\~$uchilishta za roditeli.xlsx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2015-10-19 10:34 - 00016378 _____ C:\Users\Krasi\Desktop\разходи.xlsx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2015-10-19 10:34 - 00000232 ____H C:\Users\Krasi\Desktop\~$хранителен режим Краси.xlsx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2015-10-19 10:34 - 00000232 ____H C:\Users\Krasi\Desktop\~$разходи.xlsx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2015-01-11 16:36 - 00000232 ____H C:\Users\Krasi\Desktop\~$sni_DVD_Penchevi.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2014-10-04 13:27 - 00000232 ____H C:\Users\Krasi\Desktop\~$ъжностна характеристика финансов мениджър.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2014-03-31 22:32 - 00000232 ____H C:\Users\Krasi\Desktop\~$_d i k.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2014-01-22 10:26 - 00000232 ____H C:\Users\Krasi\Desktop\~$нни за апартамент Гео Милев.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2014-01-08 19:55 - 00000232 ____H C:\Users\Krasi\Desktop\~$_008_01.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2012-09-25 22:42 - 00000232 ____H C:\Users\Krasi\Desktop\~$ихотворение за Пламката.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2012-09-25 22:02 - 00000232 ____H C:\Users\Krasi\Desktop\~$К СЕ ПРАВИ БИЗНЕС.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2012-09-23 11:06 - 00000232 ____H C:\Users\Krasi\Desktop\~$st E-trade M1.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2011-11-12 01:29 - 00000232 ____H C:\Users\Krasi\Desktop\~$ture Homes.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2011-10-16 23:10 - 00000232 ____H C:\Users\Krasi\Desktop\~$к да си приготвим идеалните гофрети.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:58 - 2011-07-03 00:18 - 00000232 ____H C:\Users\Krasi\Desktop\~$tski pesni.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2013-05-07 08:01 - 00000000 ____D C:\Users\Krasi\AppData\Roaming\TeamViewer
2015-12-02 14:57 - 2012-02-07 20:50 - 00000232 ____H C:\Users\Krasi\Desktop\~$ni_Stoykova_CV_English.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-29 16:04 - 00000232 ____H C:\Users\Krasi\Desktop\~$ortat e zdrave.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-15 14:30 - 00000232 ____H C:\Users\Krasi\Desktop\~$smo do Jane.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-07 18:25 - 00000232 ____H C:\Users\Krasi\Desktop\~$arieta.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-12-18 11:26 - 00000232 ____H C:\Users\Krasi\Desktop\~$iting.toni.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-12-10 11:44 - 00000232 ____H C:\Users\Krasi\Desktop\~$kstove na pesni.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-11-13 00:31 - 00000232 ____H C:\Users\Krasi\Desktop\~$PLICATION FORM.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-11-12 01:29 - 00000232 ____H C:\Users\Krasi\Desktop\~$mework_future homes.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-06-26 19:00 - 00000232 ____H C:\Users\Krasi\Desktop\~$ple pie.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-02-22 19:55 - 00000232 ____H C:\Users\Krasi\Desktop\~$govornosti na vatreshniq bankov kontrol.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2010-10-10 12:37 - 00000232 ____H C:\Users\Krasi\Desktop\~$klad za deinostta 2009.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2013-05-07 08:01 - 00000000 ____D C:\Users\Krasi\AppData\Roaming\TeamViewer
2015-12-02 14:57 - 2012-02-07 20:50 - 00000232 ____H C:\Users\Krasi\Desktop\~$ni_Stoykova_CV_English.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-29 16:04 - 00000232 ____H C:\Users\Krasi\Desktop\~$ortat e zdrave.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-15 14:30 - 00000232 ____H C:\Users\Krasi\Desktop\~$smo do Jane.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2012-01-07 18:25 - 00000232 ____H C:\Users\Krasi\Desktop\~$arieta.doc.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-12-18 11:26 - 00000232 ____H C:\Users\Krasi\Desktop\~$iting.toni.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-12-10 11:44 - 00000232 ____H C:\Users\Krasi\Desktop\~$kstove na pesni.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-11-13 00:31 - 00000232 ____H C:\Users\Krasi\Desktop\~$PLICATION FORM.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-11-12 01:29 - 00000232 ____H C:\Users\Krasi\Desktop\~$mework_future homes.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-06-26 19:00 - 00000232 ____H C:\Users\Krasi\Desktop\~$ple pie.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2011-02-22 19:55 - 00000232 ____H C:\Users\Krasi\Desktop\~$govornosti na vatreshniq bankov kontrol.docx.id-1313301745_av666@weekendwarrior55.com
2015-12-02 14:57 - 2010-10-10 12:37 - 00000232 ____H C:\Users\Krasi\Desktop\~$klad za deinostta 2009.doc.id-1313301745_av666@weekendwarrior55.com
Task: {4B593FAD-70F9-43A4-B30E-8A9C5EC3CDCC} - System32\Tasks\iMeshNAG => C:\Users\Krasi\AppData\Local\Temp\iMesh_setup.exe <==== ATTENTION
Task: C:\Windows\Tasks\iMeshNAG.job => C:\Users\Krasi\AppData\Local\Temp\iMesh_setup.exe <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

NEXT

https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png
Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

- Enter the IDTool directory, right-click on the IDTool icon (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/IDToolbyNathan.png) and select Run as Administrator (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) to start the tool.
- IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download and install it, please agree.
- Wait patiently until the tool has collected the necessary data.
- Once the main console is loaded, please press Rescan Computer and Generate a New Report.
- When prompted at the main bar that the Rescan is completed, press Generate Text Friendly Report for Forums.
- Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.

Please include those contents in your next reply.

FINALLY

http://i.imgur.com/y3MMIrs.png
Previous Versions

- Right-click the file/folder and click Properties.
- Click Previous Versions.
- This tab will list all copies of the file and the date they were backed up.
- To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
- If you wish to restore the selected file and replace the existing one, click Restore.
- If you wish to view the contents of the file before restoring, click Open.

http://i.imgur.com/MzmiIl9.gif
ShadowExplorer

- Please download ShadowExplorer (http://www.shadowexplorer.com/uploads/ShadowExplorer-0.9-portable.zip) and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select Run as administrator (http://i.imgur.com/AVOiBNU.jpg) to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present.
- Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

http://i.imgur.com/J8xQM97.png
File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

- R-Studio (http://i.imgur.com/fSA1TL4.png)
- Photorec (http://i.imgur.com/C08PZmH.png)
- Recuva (http://i.imgur.com/uc6sByo.png)
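Before clicking through Previous Versions or ShadowExplorer it helps to know two things the fix above only implies: how many files actually carry the ransomware suffix (and which of them are worth recovering), and whether any Volume Shadow Copies survived at all, since without them both of those restore routes show nothing. The following read-only PowerShell triage script is an added example; it is not part of the helper's fix and not code from FRST, AdwCleaner, IDTool or ShadowExplorer. It assumes the suffix pattern shown in the FRST listing (".id-<number>_av666@weekendwarrior55.com") and wildcards the victim number, since 1313301745 is specific to this machine; the folder list and the CSV output path are also assumptions.

```powershell
# Added example (not from the forum thread): read-only ransomware triage.
# Run in an elevated PowerShell prompt. Nothing here modifies, deletes or decrypts files.
# Assumption: encrypted files end in ".id-<number>_av666@weekendwarrior55.com", as in the
# FRST listing; the number is per-victim, so it is matched with \d+ rather than hard-coded.

$SuffixRegex = '\.id-\d+_av666@weekendwarrior55\.com$'
$Roots = @(                                  # assumed starting points; extend as needed
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Downloads"
)

function Get-EncryptedFiles {
    # Enumerate files carrying the suffix and recover the original file name.
    # -Force is required: the "~$..." entries in the listing are hidden (____H) files.
    param([string[]]$Paths, [string]$Pattern)
    Get-ChildItem -Path $Paths -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            $original = $_.Name -replace $Pattern, ''
            [pscustomobject]@{
                Encrypted    = $_.FullName
                OriginalName = $original
                OriginalExt  = [IO.Path]::GetExtension($original)
                Bytes        = $_.Length
                EncryptedAt  = $_.LastWriteTime
                # "~$name.docx" is an Office owner/lock file, not a document: nothing to recover.
                IsOfficeLock = $_.Name -like '~$*'
            }
        }
}

function Get-ShadowCopySummary {
    # Win32_ShadowCopy is the VSS snapshot list that Previous Versions and ShadowExplorer read.
    # An empty result means those restore routes are closed and file carving is the next option.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    foreach ($c in $copies) {
        [pscustomobject]@{
            Created = $c.InstallDate
            Volume  = $c.VolumeName
            Device  = $c.DeviceObject
        }
    }
}

$files = @(Get-EncryptedFiles -Paths $Roots -Pattern $SuffixRegex)
$locks = @($files | Where-Object IsOfficeLock)
'{0} encrypted files found, {1} of them Office lock files that need no recovery' -f $files.Count, $locks.Count

# Which document types were hit, most common first.
$files | Where-Object { -not $_.IsOfficeLock } |
    Group-Object OriginalExt | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

$shadows = @(Get-ShadowCopySummary)
if ($shadows.Count -eq 0) {
    'No Volume Shadow Copies present: Previous Versions and ShadowExplorer will show nothing.'
} else {
    'Shadow copies available (choose one created before the EncryptedAt timestamps above):'
    $shadows | Sort-Object Created | Format-Table -AutoSize
}

# Keep an inventory of what was lost so it survives any later cleanup (assumed output path).
$files | Export-Csv -Path "$env:USERPROFILE\Desktop\encrypted-files-inventory.csv" -NoTypeInformation
```

Two points from the listing in the fix are worth reading alongside the output. The many 232-byte `____H` entries named `~$...docx` are Office owner files created while a document is open; they never held the document's content, so the script flags them rather than counting them as losses. And if the shadow copy query comes back empty, skip straight to the file recovery software section rather than trying dates in ShadowExplorer, and stop using the machine in the meantime so the deleted originals are not overwritten.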

Thanks a lot for the detailed information. Will do the required steps. Hope it will work.