• Attention. Recovery of 1C7, 1C8 and Mssql databases after a ransomware attack: details and reviews in the dedicated thread.

    Attention. Recovery of RAR and ZIP archives, Acronis images and virtual machines, and mail client databases after a ransomware attack: details and reviews in the dedicated thread.

In progress: CryLock Helpme! Email phandaledr@onionmail.org

Sandor

Forum team
Administrator
Super Moderator
VN/VIP Association
Instructor
Messages
10,875
Reactions
2,940
Hello,

Please wait for a while. We are trying to define the type of ransom. It is different from the one we could easily decrypt.
 

Sandor
While you wait please get us logs:

Download Farbar Recovery Scan Tool (or from the mirror) and save it to your Desktop. Rename the file FRST64.exe to FRST64English.exe and run it.

Press Scan button and wait.
At the end of the scan you'll get FRST.txt and Addition.txt in the same folder you started the program from. Attach these logs to your next post.
 

longcd45

New user
Messages
4
Reactions
0
Can you check it for me, please?
Thanks!
 

Attachments

  • Addition.txt
    23.2 KB · Views: 1
  • FRST.txt
    18.2 KB · Views: 1
  • B6.rar
    558.9 KB · Views: 1

Sandor
If you can find this file
C:\Users\IEUser\Documents\B6\svchost.exe
please pack it (or zip it) with a password and send it to me in a private message.

After that please do following:

  • Disable any antivirus until reboot.
  • Highlight the following code (or just press the "Copy" button in the right corner):
    Code:
    Start::
    HKLM\...\Run: [svchost] => C:\Users\IEUser\Documents\B6\svchost.exe [669696 2022-10-26] () [File not signed] <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
    HKLM\...\Policies\system: [legalnoticecaption] WARNING!!!
    HKLM\...\Policies\system: [legalnoticetext] YOUR SYSTEM IS ON THE OUTER EDGES OF THE GALAXY. YOU HAVE BEEN HACKED, CONTACT US FOR ASSISTANCE.
    HKU\S-1-5-21-3362513661-1936243222-2702562252-500\...\Run: [4238336F0BB9109014556D0C84BF5B81] => C:\Users\IEUser\Documents\B6\svchost.exe [669696 2022-10-26] () [File not signed] <==== ATTENTION
    HKU\S-1-5-21-3362513661-1936243222-2702562252-500\...\Run: [6E0E9B22BDC52B2BD8286071E6E4B56E] => c:\Users\Administrator\AppData\Local\Temp\1\how_to_decrypt.hta [12357 2022-11-22] () [File not signed] <==== ATTENTION
    IFEO\utilman.exe: [Debugger] C:\Windows\system32\cmd.exe
    2011-10-10 00:11 - 2011-10-10 00:11 - 000012303 _____ () C:\Program Files\how_to_decrypt.hta
    2011-10-10 00:22 - 2011-10-10 00:22 - 000012303 _____ () C:\Program Files (x86)\how_to_decrypt.hta
    2011-10-10 00:00 - 2011-10-10 00:00 - 000012303 _____ () C:\Program Files\Common Files\how_to_decrypt.hta
    2011-10-10 00:11 - 2011-10-10 00:11 - 000012303 _____ () C:\Program Files (x86)\Common Files\how_to_decrypt.hta
    2011-10-10 00:24 - 2011-10-10 00:24 - 000012303 _____ () C:\Users\Administrator\AppData\Roaming\how_to_decrypt.hta
    2011-10-10 00:24 - 2011-10-10 00:24 - 000012303 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\how_to_decrypt.hta
    2011-10-10 00:23 - 2011-10-10 00:23 - 000012303 _____ () C:\Users\Administrator\AppData\Local\how_to_decrypt.hta
    FirewallRules: [{FCCC6065-B87E-4907-949F-CAA074E00D03}] => (Allow) LPort=1755
    FirewallRules: [{A8C2C7CD-1E7E-42B6-8F7A-12869B26FE53}] => (Allow) LPort=41775
    FirewallRules: [{AD9CB65D-2BCF-466C-A7C0-06CB8C6F3C14}] => (Allow) LPort=1750
    End::
  • Copy the highlighted code.
  • Run FRST64English as administrator.
  • Press the Fix button and wait. The program will create Fixlog.txt. Attach it to your next post after the system restart.
Reboot system manually.

Read details in this guide.
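As an added illustration, not part of the thread and not code from FRST itself: a small Python triage pass over lines in the shape FRST reports, flagging the same patterns the fix script above removes (unsigned autoruns in user-writable paths, an IFEO Debugger on an accessibility binary, Defender/Windows Update policy restrictions, a logon banner, dropped ransom notes, inbound allow rules). The sample lines are constructed from the entries above plus one signed Microsoft autorun; category names and severities are my own.

```python
import re

# Constructed sample in FRST's line shapes: entries echoing the fix script above, plus one signed Microsoft autorun.
SAMPLE_FRST = r"""
HKLM\...\Run: [svchost] => C:\Users\IEUser\Documents\B6\svchost.exe [669696 2022-10-26] () [File not signed] <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\...\Policies\system: [legalnoticecaption] WARNING!!!
IFEO\utilman.exe: [Debugger] C:\Windows\system32\cmd.exe
2011-10-10 00:24 - 2011-10-10 00:24 - 000012303 _____ () C:\Users\Administrator\AppData\Roaming\how_to_decrypt.hta
FirewallRules: [{FCCC6065-B87E-4907-949F-CAA074E00D03}] => (Allow) LPort=1755
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [123 2022-01-01] (Microsoft Windows -> Microsoft Corporation)
"""

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Accessibility helpers reachable from the logon screen; an IFEO Debugger on them is a well-known persistence trick.
ACCESSIBILITY_BINS = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe"}

def classify(line):
    """Return (category, severity) for one FRST line, or None if it looks unremarkable."""
    if "\\Run: [" in line:  # autorun entry: suspicious if unsigned or living in a user-writable path
        target = line.split("=>", 1)[1] if "=>" in line else ""
        if "[File not signed]" in target or USER_WRITABLE.search(target):
            return ("autorun_unsigned_or_userpath", "high")
        return None
    m = re.match(r"IFEO\\([^:]+): \[Debugger\]", line)
    if m:  # Image File Execution Options debugger redirection
        return ("ifeo_debugger", "high" if m.group(1).lower() in ACCESSIBILITY_BINS else "medium")
    if re.search(r"Policies\\Microsoft\\(Windows Defender|Windows\\WindowsUpdate): Restriction", line):
        return ("policy_restriction", "high")  # Defender / Windows Update policy tampering
    if "[legalnoticecaption]" in line or "[legalnoticetext]" in line:
        return ("logon_banner", "medium")  # ransom message shown at logon
    if line.lower().endswith("how_to_decrypt.hta"):
        return ("ransom_note_dropped", "high")
    if line.startswith("FirewallRules:") and "(Allow)" in line:
        return ("firewall_allow_rule", "low")  # unexplained inbound allow rules deserve review
    return None

def triage(text):
    """Flag suspicious lines in an FRST log; returns a list of (category, severity, line)."""
    hits = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        res = classify(line)
        if res:
            hits.append((res[0], res[1], line))
    return hits

if __name__ == "__main__":
    for cat, sev, line in triage(SAMPLE_FRST):
        print(f"{sev:6} {cat:28} {line[:60]}")
```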
 

Sandor
As I suggested before, this is not CryLock, but WaspLocker.
Unfortunately there is no decryption for this.
 

Sandor
Just clarification about the type of ransom - this is CryLock generic. And it is not decryptable, unfortunately.
 