Jump to content


  • Content Count

  • Joined

  • Last visited

About MrWashingToad

  • Rank
    New Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Then not much I can do at this point except wait for justice to find them, and hope the unlock keys are done, then.
  2. Indeed. I tried multiple times to get Malwarebytes to run in the full Premium mode (as I stated previously, the system was running Malwarebytes Premium when this occurred, and has a lifetime license, was updated on Friday (attack occurred sometime over weekend). I have attached the other logs I could provide above. Note - I WAS able to get the infected drive imaged to another drive, so now I can play with it whilst keeping the original data drive safe. However, as this happened during a weekend backup run, it corrupted all local copies of my data on that computer, the network attached storage drive backups, AND the online backup as that was set to run at the end of the backup sequence.
  3. Ok, nearly a full 48 hours now, and no replies at all, thanks - really feel like I'm being helped. I've attempted multiple times to get Malwarebytes and Malwarebytes Chameleon to load correctly, but they all fail install; OR, install, but do not allow premium features (real time protection) to turn on. Have checked with the MalwareHunterTeam website, uploaded the .hta ransom note there, and it came back as 1) Dharma, and 2) Phobos. Additionally, all the files are labeled as 'FRENDI' files, and are labeled ID-C602BF82.[withdirimugh1982@aol.com].Frendi. I've located a hidden folder under the C drive that I didn't make, it has 2 files in it and is labeled: C:\Recovery\36db1731-fe3f-11e7-8c3b-fd77c61fa398\ file 1: boot.sdi.ID-C602BF82.[withdirimugh1982@aol.com].Frendi [3,865KB] file2: Winre.wim.ID-C602BF82.[withdirimugh1982@aol.com].Frendi [165,213KB] I have done nothing to the original hard drive. I removed it from the hardware, and used a computerless disk imager to image that drive to a spare hard drive, and am playing with the clone in order to attempt installations. I've also reached out to CoveWare, and had a chat with one of their staff. I have provided them download links to the recovery files, and other info as well, however, since I'm not a business, and just a personal user - they won't take me on as a customer, but I've provided them everything in hopes I can get an decryptor program, or at least help them recover for someone else.
  4. Had updated copy of Malwarebytes Premium (lifetime license user) installed on Windows Server 2008r2. Note this is a personal server, not a business server, I just have software I use requiring the use of Windows Server base code in order to run stuff I need. Last I did on server on Friday March 29th was go ahead and let Skype update. Then logged out my RDP session. Go to login this morning, Monday April 1st, and the RDP won't connect. Walk over to the system console and login manually locally, and it pops up with 'Phobos Ransomware', and was encrypting files. I immediately checked all other computers on network, and ensured all shared drives were no longer shared, initiated Malwarebytes 3 full scans, and then Norton Antivirus full system scans on all computers. The only computer I don't have Norton also installed on, is that server - b/c I can't afford their overpriced 'Endpoint solutions' software for servers, so I have been using ClamWin free antivirus. Which has worked OK, since I don't open anything I don't make myself, nor go to websites that are sketchy. Following the Malware Removal topic: Malwarebytes 3 is already installed, but was encrypted on the computer. Tried installing from a USB drive, however it wants to restart computer instead of installing the software. Tried installing to the USB drive, same thing. Current antivirus let infection thru, I ALREADY had Malwarebytes Premium running and updated on the computer - this ALSO let in the ransomware. Have not attempted temp file cleaners. Farbar recovery information: Attached. Made sure to click and add the other items as well. Copying the files to USB, I snagged what I could to see if I could get a hit. I did on the ProcessHacker 2 files. Malwarebytes Premium on my normal workstation let them thru with no problems. Norton AV scan identified them, but recommended exclusion. Threat identified as: Hacktool.ProcHack!g1 Have attached those files as well for additional information. Addition.txt FRST.txt Shortcut.txt Process Hacker 2.zip PS.zip encrypted stuff.zip
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.