Help decrypt virus


(micmos14) #1

Hello. I got a laptop to clean up; I've already removed a lot of junk, but the junk with the "help decrypt" names is still there.

These are files that can't be removed by hand because there are so many of them. The files have had their extension changed to zzz. I understand the virus encrypted the files and there is no way to recover them :(. Here are the logs. Can this be removed?

Addition : http://wklej.org/id/1777057/

Shortcut : http://wklej.org/id/1777058/

FRST : http://wklej.org/id/1777061/


(Atis) #2

There is no way to decrypt the files:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Paste the following into the system Notepad and save it as a text file named fixlist:

HKLM\...\Run: [5F8F847DA2E13EF] => C:\Users\Bogdan\AppData\Roaming\svcccf.exe
HKU\S-1-5-18\...\RunOnce: [Del5483357] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del33289926] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del2430043] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del18861768] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del21618384] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del6499641] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del18781163] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [Del19125956] => cmd.exe /Q /D /c del "C:\Windows\TEMP\0.del" <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1896457116-3361256612-4196287922-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
FF ExtraCheck: C:\Program Files\mozilla firefox\firefox.cfg [2015-08-09] <==== ATTENTION
2015-08-17 22:01 - 2013-10-10 15:39 - 00000000 ____ D C:\AdwCleaner
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{4E77131D-3629-431C-9818-C5679DC83E81}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}\InprocServer32 -> C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\advpack.dll No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1896457116-3361256612-4196287922-1000_Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 -> no filepath
Task: {10514E47-DBBE-4D48-849E-FFE3144E96DC} - System32\Tasks\{00C01E66-50AA-440F-A57A-2EC0A7973AEE} => C:\Users\Bogdan\Desktop\MineCraft.exe
Task: {285C5E80-E658-47D3-9B8D-D2510EEF9E13} - System32\Tasks\{BD9828E3-1C60-4EAD-A752-EAA8A7ADF3A8} => pcalua.exe -a C:\Users\Bogdan\Desktop\MinecraftZyczu.exe -d C:\Users\Bogdan\Desktop
Task: {3D1EE363-3DC3-4D0C-BEA2-020AE7DDE064} - System32\Tasks\{461861AC-8762-464B-AEA5-08D15296730E} => pcalua.exe -a C:\Users\Bogdan\Desktop\blokada\MinecraftZyczu.exe -d C:\Users\Bogdan\Desktop\blokada
Task: {4A1636B5-650A-4165-81F2-9511BC26BEAF} - System32\Tasks\{3623CCBC-B24E-4DB6-9C30-F6CF76C48F4D} => I:\Gry\MineCraft.exe
Task: {51201F54-45ED-4196-8B7D-A0BA2C854AA9} - System32\Tasks\{D2197352-139D-4A12-9E6C-A292D7DF2C14} => pcalua.exe -a C:\Users\Bogdan\Downloads\Soda_PDF_2012_Installer.exe -d "C:\Program Files\Mozilla Firefox"
Task: {798A48B7-956D-425C-8BF7-F177EAA37E1D} - System32\Tasks\{1CEB416C-0A1B-402D-A57C-8D1CDCF980A8} => Firefox.exe http://ui.skype.com/ui/0/5.5.0.124/pl/go/help.faq.installer?LastError=1618
Task: {AE1A516C-AD03-40CE-A54F-46D8E7FD9259} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\20.1.0.24\SymErr.exe
Task: {D0CD35B4-8F90-4E7F-BDDE-AD608A3686EB} - System32\Tasks\{9BB3A999-0873-4D29-AA6D-8E82235A0393} => I:\Gry\MineCraft.exe
Task: {E9047151-3B0A-4BC8-9695-8E4C87DE4DB0} - System32\Tasks\{493D6639-8BB9-4392-BE0C-6326BA33751B} => Firefox.exe http://www.skype.com/go/downloading?source=lightinstaller&ver=5.5.0.117&LastError=404
Task: {F5953DEA-3603-4D05-A4E2-0F5B2D5C436F} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\20.1.0.24\SymErr.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
C:\Users\Bogdan\AppData\Roaming\*.exe
Folder: C:\5fa071e8
CMD: del /q /s C:\HELP_DECRYPT.*
CMD: del /q /s D:\HELP_DECRYPT.*
CMD: del /q /s C:\help_restore_files_*
CMD: del /q /s D:\help_restore_files_*
EmptyTemp:

Run FRST and click Fix. Post the removal report, Fixlog.

Then click Scan and post a new FRST report, without Addition and Shortcut.
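The fixlist above deletes the ransom notes (HELP_DECRYPT.*, help_restore_files_*) recursively on C: and D: without first recording what is there. As an added example, not part of the thread or of FRST, the PowerShell script below inventories the ransom notes and the .zzz-renamed (encrypted) files before the fix is run, writes the list to a CSV, and shows which directories were hit hardest. The .zzz extension and the note names come from the thread; the default roots and the report path are assumptions.

```powershell
# Added example (not from the thread or from FRST): inventory CryptoWall ransom
# notes and encrypted files before running the fixlist, so the scope of the
# "del /q /s" lines is known and the list of encrypted files is kept.
# Assumptions: roots C:\ and D:\ (as in the fixlist), extension .zzz (as reported
# in post #1), report written to the desktop.
function Get-RansomInventory {
    param(
        [string[]]$Roots = @('C:\', 'D:\'),
        [string]$EncryptedExtension = '.zzz',
        [string[]]$NotePatterns = @('HELP_DECRYPT.*', 'help_restore_files_*')
    )
    $findings = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $isNote = $false
                foreach ($p in $NotePatterns) { if ($_.Name -like $p) { $isNote = $true } }
                if ($isNote) {
                    [pscustomobject]@{ Kind = 'RansomNote'; Path = $_.FullName; Length = $_.Length; LastWrite = $_.LastWriteTime }
                } elseif ($_.Extension -ieq $EncryptedExtension) {
                    [pscustomobject]@{ Kind = 'Encrypted';  Path = $_.FullName; Length = $_.Length; LastWrite = $_.LastWriteTime }
                }
            }
    }
    return @($findings)
}

$report   = Join-Path $env:USERPROFILE 'Desktop\ransom_inventory.csv'   # assumed location
$findings = Get-RansomInventory

if ($findings.Count -eq 0) {
    Write-Host 'No ransom notes or .zzz files found under the given roots.'
} else {
    # Keep the full list: it documents which files were lost even after the notes are deleted.
    $findings | Export-Csv -LiteralPath $report -NoTypeInformation -Encoding UTF8

    # Summary counts per kind
    $findings | Group-Object Kind | ForEach-Object { '{0,-11} {1}' -f $_.Name, $_.Count }

    # Directories holding the most encrypted files (shows where the damage is concentrated)
    $findings | Where-Object Kind -eq 'Encrypted' |
        Group-Object { Split-Path $_.Path -Parent } |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}
```

The script only reads; the deletion itself stays with the fixlist. Running it first means that after `del /q /s` has removed the notes, the CSV still records how many files were encrypted and where, which matters when deciding what to restore from backup.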


(micmos14) #3

Fixlog : http://wklej.org/id/1777082/

shortcut http://wklej.org/id/1777083/

frst http://wklej.org/id/1777084/

additional http://wklej.org/id/1777085/


(Atis) #4

This forum is enough to make you lose heart.

Nothing was executed, because you pasted it without the backslashes, colons, etc.
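The failure in this reply (a fixlist pasted with its backslashes and colons stripped, so FRST executed nothing) is easy to catch before clicking Fix. As an added example that is not part of the thread and not FRST's own syntax checking, the PowerShell below applies three heuristics of my own to each fixlist line: a registry hive prefix must be followed by a backslash, FRST directives such as CMD: and Folder: must keep their colon, and a drive letter glued directly to a well-known folder name (CUsers, CWindows) means "C:\" was lost. The sample lines are constructed: two intact lines from the thread's fixlist and the same two as they would look after mangling.

```powershell
# Added example (not from the thread or from FRST): sanity-check a saved fixlist
# before running Fix, to catch the mangling described in post #4 (lost "\" and ":").
# The rules below are heuristics of my own, not a validation of FRST syntax.
function Test-FixlistLine {
    param([Parameter(Mandatory)][string]$Line)
    $t = $Line.Trim()
    if ($t -eq '') { return $null }
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. A registry hive prefix must be followed by a backslash (HKLM\..., HKU\S-1-5-18\...)
    if ($t -match '^HK(LM|U|CU)' -and $t -notmatch '^HK(LM|U|CU)\\') {
        $problems.Add('registry key lost its backslashes')
    }
    # 2. FRST directives keep their trailing colon (CMD:, Folder:, EmptyTemp:)
    if ($t -match '^(CMD|Folder|EmptyTemp)\b' -and $t -notmatch '^(CMD|Folder|EmptyTemp):') {
        $problems.Add('directive lost its colon')
    }
    # 3. A drive letter glued to a well-known folder or note name means "C:\" became "C"
    if ($t -match '(^|[\s"=>])[A-Za-z](Users|Windows|ProgramData|Program Files|HELP_DECRYPT|help_restore_files)') {
        $problems.Add('drive path lost ":\"')
    }

    if ($problems.Count -eq 0) { return $null }
    [pscustomobject]@{ Line = $t; Problems = ($problems -join '; ') }
}

function Test-Fixlist {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $bad = @($Lines | ForEach-Object { Test-FixlistLine -Line $_ } | Where-Object { $_ })
    [pscustomobject]@{
        TotalLines = @($Lines | Where-Object { $_.Trim() -ne '' }).Count
        Suspicious = $bad.Count
        Details    = $bad
    }
}

# Constructed sample: lines 1-2 are intact, lines 3-4 are the same lines after
# backslashes and colons were stripped, as happened in the thread.
$sample = @'
HKLM\...\Run: [5F8F847DA2E13EF] => C:\Users\Bogdan\AppData\Roaming\svcccf.exe
CMD: del /q /s C:\HELP_DECRYPT.*
HKLM...Run [5F8F847DA2E13EF] => CUsersBogdanAppDataRoamingsvcccf.exe
CMD del /q /s CHELP_DECRYPT.*
'@ -split "`r?`n"

$result = Test-Fixlist -Lines $sample
$result.Details | Format-Table -AutoSize
if ($result.Suspicious -gt 0) {
    Write-Warning "$($result.Suspicious) of $($result.TotalLines) lines look mangled; do not run Fix with this file."
}

# Real use on the saved file (path assumed):
# Test-Fixlist -Lines (Get-Content -LiteralPath "$env:USERPROFILE\Desktop\fixlist.txt")
```

On the sample, the two intact lines pass and the two mangled lines are reported (rule 1 and 3 on the registry line, rule 2 and 3 on the CMD line). The check is deliberately conservative: it flags only the damage pattern seen here and does not claim that a line which passes is a valid FRST instruction.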


(micmos14) #5

http://wklej.org/id/1777456/ new FRST


(Atis) #6

Delete the C:\FRST folder.

Scan the drive with ESET Online Scanner.

Uninstall:

Java 8 Update 25

Microsoft Silverlight

Install:

Java 8 Update 60

Silverlight 5.1.40728.0

Internet Explorer 11