atrisa
Everything posted by atrisa

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
Thank you very much for your attention.

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
Yes, registration is done.

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
The following page will appear after running the Messenger2go file:
By running Messenger2go.15.1908.1rhmsn.exe you will get the previous result.

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
Thanks
Threads Tagged with: STOP Ransomware (.STOP, .Puma, .Djvu, .Promo, .Drume) Help & Support Topic
It currently has offline key activity. Can I hope files with online keys can also be recovered?

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
In post #1 the .herad file extension is correct.

.HERAD Extension File Ransom Virus
atrisa replied to atrisa's topic in Resolved Malware Removal Logs
Hello
Thank you very much for your attention.

Result from the site https://id-ransomware.malwarehunterteam.com/ is as follows:
---------------------------------------------------------------
This ransomware may be decryptable under certain circumstances. Please refer to the appropriate guide for more information.
Identified by
ransomnote_email: gorentos@bitmessage.ch
sample_extension: .herad
sample_bytes: [0x94B1D - 0x94B37] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu)
---------------------------------------------------------------

Result from STOPDecrypter v 2.1.0.24 is as follows:
---------------------------------------------------------------
MACs: 30:85:A9:9B:BE:1B, 00:15:83:15:A3:10
STOPDecrypter v2.1.0.24
OS Microsoft Windows NT 6.2.9200.0, .NET Framework Version 4.0.30319.42000
No key for ID: l8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6 (.herad )
Unidentified ID: l8W6QXRo2iHXkh0b9xJHq1nBTLlIbeGnxD7av9Y6 (.herad )
MACs: 30:85:A9:9B:BE:1B, 00:15:83:15:A3:10
Decrypted 0 files, skipped 4
---------------------------------------------------------------

Result from Malwarebytes version 3 is as follows:
---------------------------------------------------------------
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/26/19
Scan Time: 2:45 PM
Log File: 77a0194a-c7ea-11e9-84cc-3085a99bbe1b.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11270
License: Trial

-System Information-
OS: Windows 10 (Build 17763.678)
CPU: x64
File System: NTFS
User: DESKTOP-A79UCQH\cyber

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 312943
Threats Detected: 67
Threats Quarantined: 0
Time Elapsed: 16 min, 45 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 32
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ParetoLogic Registration3, No Action By User, [3222], [457731],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{850EA901-7BF6-47CB-9AD7-9879D6B11017}, No Action By User, [3222], [457731],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{850EA901-7BF6-47CB-9AD7-9879D6B11017}, No Action By User, [3222], [457731],1.0.11270
PUP.Optional.SpeedyPC, HKU\S-1-5-21-709982592-2884008671-4219726286-1001\SOFTWARE\SpeedyPC Software, No Action By User, [1543], [396736],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [350], [327193],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, No Action By User, [350], [327193],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKU\S-1-5-21-709982592-2884008671-4219726286-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, No Action By User, [350], [327197],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, No Action By User, [350], [327193],1.0.11270
PUP.Optional.SpeedyPC, HKLM\SOFTWARE\WOW6432NODE\SpeedyPC Software, No Action By User, [1543], [396735],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, No Action By User, [350], [336077],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F9B60A6B-ECD7-4933-9C2B-C36C2F017CD7}, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{F9B60A6B-ECD7-4933-9C2B-C36C2F017CD7}, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ParetoLogic Update Version3, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{24077C0C-8648-4609-9368-FA8E438CF370}, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{24077C0C-8648-4609-9368-FA8E438CF370}, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ParetoLogic Update Version3 Startup Task, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, No Action By User, [350], [327206],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [350], [332494],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [350], [332494],1.0.11270
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, No Action By User, [350], [332494],1.0.11270

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SpeedyPC, C:\ProgramData\SpeedyPC Software\SpeedyBackup, No Action By User, [1543], [340762],1.0.11270
PUP.Optional.SpeedyPC, C:\PROGRAMDATA\SPEEDYPC SOFTWARE, No Action By User, [1543], [340762],1.0.11270

File: 33
PUP.Optional.ParetoLogic, C:\WINDOWS\TASKS\ParetoLogic Registration3.job, No Action By User, [3222], [457731],1.0.11270
PUP.Optional.ParetoLogic, C:\WINDOWS\SYSTEM32\TASKS\ParetoLogic Registration3, No Action By User, [3222], [457731],1.0.11270
PUP.Optional.SpeedyPC, C:\ProgramData\SpeedyPC Software\SpeedyBackup\NagData.dat, No Action By User, [1543], [340762],1.0.11270
PUP.Optional.ParetoLogic, C:\WINDOWS\TASKS\PARETOLOGIC UPDATE VERSION3.job, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, C:\WINDOWS\SYSTEM32\TASKS\PARETOLOGIC UPDATE VERSION3, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, C:\WINDOWS\TASKS\PARETOLOGIC UPDATE VERSION3 STARTUP TASK.job, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.ParetoLogic, C:\WINDOWS\SYSTEM32\TASKS\PARETOLOGIC UPDATE VERSION3 STARTUP TASK, No Action By User, [3222], [370963],1.0.11270
PUP.Optional.Reimage, C:\WINDOWS\REIMAGE.INI, No Action By User, [350], [412667],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\APPDATA\ROAMING\Microsoft\Windows\Recent\STOPDecrypter (2).lnk, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (2).ZIP, No Action By User, [0], [392687],1.0.11270
HackTool.Cain, C:\PROGRAM FILES (X86)\CAIN\ABEL.EXE, No Action By User, [9185], [29604],1.0.11270
HackTool.Cain, C:\PROGRAM FILES (X86)\CAIN\ABEL64.EXE, No Action By User, [9185], [29604],1.0.11270
PUP.Optional.PasswordTool.Cain, C:\USERS\CYBER\Desktop\Cain.lnk, No Action By User, [14972], [299928],1.0.11270
PUP.Optional.PasswordTool.Cain, C:\PROGRAM FILES (X86)\CAIN\CAIN.EXE, No Action By User, [14972], [299928],1.0.11270
Generic.Malware/Suspicious, C:\$RECYCLE.BIN\S-1-5-21-709982592-2884008671-4219726286-1001\$RMVR4EX.TMP\BTMFYQAYMJ.EXE, No Action By User, [0], [392686],1.0.11270
PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-709982592-2884008671-4219726286-1001\$RUO147J.EXE, No Action By User, [350], [331559],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOCUMENTS\STOPDECRYPTER.ZIP, No Action By User, [0], [392687],1.0.11270
Ransom.HiddenTear, C:\USERS\CYBER\DOWNLOADS\HIDDEN-TEAR-MASTER.ZIP, No Action By User, [8721], [124721],1.0.11270
PUP.Optional.Reimage, C:\USERS\CYBER\DOWNLOADS\REIMAGEREPAIR.EXE, No Action By User, [350], [331559],1.0.11270
Generic.Malware/Suspicious, C:\USERS\CYBER\DOWNLOADS\WANAKIWI_0.2 (1).ZIP, No Action By User, [0], [392686],1.0.11270
Generic.Malware/Suspicious, C:\USERS\CYBER\DOWNLOADS\WANAKIWI_0.2.ZIP, No Action By User, [0], [392686],1.0.11270
Generic.Malware/Suspicious, C:\USERS\CYBER\DOWNLOADS\HIDDEN-TEAR-MASTER.ZIP, No Action By User, [0], [392686],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (7).ZIP, No Action By User, [0], [392687],1.0.11270
Generic.Malware/Suspicious, C:\USERS\CYBER\DOWNLOADS\CAIN AND ABEL CA_SETUP.EXE, No Action By User, [0], [392686],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER.ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (1).ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (5).ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (8).ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (3).ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (6).ZIP, No Action By User, [0], [392687],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\STOPDECRYPTER (9).ZIP, No Action By User, [0], [392687],1.0.11270
Generic.Malware/Suspicious, C:\USERS\CYBER\DOWNLOADS\HASHCRACKER FOR GURON18 - [C0D3D BY JULIA (JULIA.PCRET@EXPLOIT.IM)] - 20170211.ZIP, No Action By User, [0], [392686],1.0.11270
MachineLearning/Anomalous.100%, C:\USERS\CYBER\DOWNLOADS\HOW TO COMPARE FILES.RAR, No Action By User, [0], [392687],1.0.11270

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
---------------------------------------------------------------

Result from AdwCleaner is as follows:
---------------------------------------------------------------
# -------------------------------
# Malwarebytes AdwCleaner 7.4.0.0
# -------------------------------
# Build: 07-23-2019
# Database: 2019-08-21.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-26-2019
# Duration: 00:00:11
# OS: Windows 10 Pro
# Cleaned: 46
# Failed: 0

***** [ Services ] *****
No malicious services cleaned.

***** [ Folders ] *****
Deleted C:\Program Files (x86)\Cain
Deleted C:\Program Files (x86)\Common Files\PARETOLOGIC
Deleted C:\Program Files (x86)\PARETOLOGIC
Deleted C:\ProgramData\PARETOLOGIC
Deleted C:\ProgramData\SpeedyPC Software
Deleted C:\Users\cyber\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cain
Deleted C:\Users\cyber\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PARETOLOGIC

***** [ Files ] *****
Deleted C:\Users\cyber\Downloads\ReimageRepair.exe
Deleted C:\Users\cyber\Downloads\SpyHunter-Installer.exe
Deleted C:\Windows\Reimage.ini

***** [ DLL ] *****
No malicious DLLs cleaned.

***** [ WMI ] *****
No malicious WMI cleaned.

***** [ Shortcuts ] *****
No malicious shortcuts cleaned.

***** [ Tasks ] *****
Deleted C:\Windows\System32\Tasks\PARETOLOGIC REGISTRATION3
Deleted C:\Windows\System32\Tasks\PARETOLOGIC UPDATE VERSION3
Deleted C:\Windows\System32\Tasks\PARETOLOGIC UPDATE VERSION3 STARTUP TASK
Deleted C:\Windows\Tasks\PARETOLOGIC REGISTRATION3.JOB
Deleted C:\Windows\Tasks\PARETOLOGIC UPDATE VERSION3 STARTUP TASK.JOB
Deleted C:\Windows\Tasks\PARETOLOGIC UPDATE VERSION3.JOB

***** [ Registry ] *****
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted HKCU\Software\ParetoLogic
Deleted HKCU\Software\cain
Deleted HKCU\Software\speedypc software
Deleted HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{850EA901-7BF6-47CB-9AD7-9879D6B11017}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F9B60A6B-ECD7-4933-9C2B-C36C2F017CD7}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{24077C0C-8648-4609-9368-FA8E438CF370}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{850EA901-7BF6-47CB-9AD7-9879D6B11017}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9B60A6B-ECD7-4933-9C2B-C36C2F017CD7}
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Update Version3 Startup Task
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\paretologic registration3
Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\paretologic update version3
Deleted HKLM\Software\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Deleted HKLM\Software\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted HKLM\Software\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
Deleted HKLM\Software\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted HKLM\Software\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted HKLM\Software\Classes\REI_AxControl.ReiEngine
Deleted HKLM\Software\Classes\REI_AxControl.ReiEngine.1
Deleted HKLM\Software\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Deleted HKLM\Software\Classes\uus3url-pl
Deleted HKLM\Software\Reimage
Deleted HKLM\Software\Wow6432Node\ParetoLogic
Deleted HKLM\Software\Wow6432Node\\Classes\AppID\REI_AxControl.DLL
Deleted HKLM\Software\Wow6432Node\\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Deleted HKLM\Software\Wow6432Node\speedypc software

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.

***** [ Preinstalled Software ] *****
No Preinstalled Software cleaned.

*************************
[+] Delete Tracing Keys
[+] Reset Winsock
*************************

AdwCleaner[S00].txt - [5641 octets] - [26/08/2019 15:07:40]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
---------------------------------------------------------------

Addition.txt
FRST.txt

Hi,
All my computer files have been infected and the .herad extension has been added to all files. Please help to resolve the problem.
Thank you