
Windows 10 PC infected with Crypto virus ZEPTO Version



Hello, my Windows 10 PC has been infected for a couple of weeks. I have the Zepto virus version and this is what my screen looks like: http://virusguides.com/zepto-virus-zepto-file-extension-removal/

I have followed the instructions and ran Malwarebytes Premium, RogueKiller, and HitmanPro with no success. The black screen of death with red text is still there. Please help if anyone can to remove this from my computer. Hopefully ShadowExplorer will help me recover some of my files also.

 

Attached are my Farbar (FRST) files, as commonly requested:

FRST.txt

Addition.txt


Hello Ruxpin and welcome to Malwarebytes,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
    XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.


Next,

Go here: https://www.zemana.com/Download, download and install Zemana AntiMalware. Allow a shortcut to be saved to your Desktop. The tool will be active with a 15 day trial.

Right click on Zemana AntiMalware and select "Run as Administrator".

From the GUI select "Settings"


In the new window Select 1. Updates, when complete Select 2. Real Time Protection.


In the next window, 1. make sure all boxes are checkmarked and the action is "Quarantine", and then 2. select the home icon.


In the new window select "Scan"


When the scan completes, check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR; for all other entries choose QUARANTINE, then select the "Next" tab.


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)


On that screen select and highlight the scan details line, then select "Open Report".


Copy and paste that log to your reply...

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result.



Let me see those logs. Also give an update on any remaining issues or concerns.

Thank you,

Kevin.....

 

Fixlist.txt


Hello Kevin, thanks so much for the info. Please find attached below what you asked for. I followed the instructions to a tee. When I ran Sophos, it took off two threats but could not take off the third, so I had to rerun it and it still won't remove it. It's called "Mal/OddZip-A". I attached a screenshot with an additional log in the attached Word document.

Please let me know anything else I should do. I still see the black screen with red font, which I also screenshot in the Word doc for you. It could just be a saved image on the bootup screensaver that I need to delete, or does it mean the malware virus is still on my computer?

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/7/2016
Scan Time: 4:20 AM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.07.02
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: George McCune

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314025
Time Elapsed: 59 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Zemana AntiMalware 2.21.2.139 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/7/7
Operating System       : Windows 10 64-bit
Processor              : 8X Intel(R) Core(TM) i7 CPU  920 @ 2.67GHz
BIOS Mode              : Legacy
CUID                   : 12B6FC2D6EC42E4EA0172F
Scan Type              : Deep Scan
Duration               : 59m 45s
Scanned Objects        : 439951
Detected Objects       : 3
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

systemtweaker.exe
Status             : Scanned
Object             : %userprofile%\documents\downloads\systemtweaker.exe
MD5                : 73B18E4621E55C64FAEFBE8ACE2B051E
Publisher          : Uniblue Systems
Size               : 4974192
Version            : 2.0.1.7
Detection          : Scareware:Win32/NonBeneficialWindowsOptimizer!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\documents\downloads\systemtweaker.exe

systemtweaker(2).exe
Status             : Scanned
Object             : %userprofile%\documents\downloads\systemtweaker(2).exe
MD5                : 73B18E4621E55C64FAEFBE8ACE2B051E
Publisher          : Uniblue Systems
Size               : 4974192
Version            : 2.0.1.7
Detection          : Scareware:Win32/NonBeneficialWindowsOptimizer!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\documents\downloads\systemtweaker(2).exe

SWDUMon.sys
Status             : Scanned
Object             : %localappdata%\slimware utilities inc\driverupdate\swdumon.sys
MD5                : 04CF20310145DEC63D5387BEAFF77D9A
Publisher          : SlimWare Utilities Inc.
Size               : 13920
Version            : -
Detection          : Scareware:Win32/FakeOptimizer!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %localappdata%\slimware utilities inc\driverupdate\swdumon.sys


Cleaning Result
-------------------------------------------------------
Cleaned               : 3
Reported as safe      : 0
Failed                : 0
 

2016-07-07 12:30:00.664    Sophos Virus Removal Tool version 2.5.5
2016-07-07 12:30:00.664    Copyright (c) 2009-2014 Sophos Limited. All rights reserved.

2016-07-07 12:30:00.664    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-07-07 12:30:00.664    Windows version 6.2 SP 0.0  build 9200 SM=0x100 PT=0x1 WOW64
2016-07-07 12:30:00.664    Checking for updates...
2016-07-07 12:30:00.695    Update progress: proxy server not available
2016-07-07 12:30:10.294    Option all = no
2016-07-07 12:30:10.294    Option recurse = yes
2016-07-07 12:30:10.294    Option archive = no
2016-07-07 12:30:10.294    Option service = yes
2016-07-07 12:30:10.294    Option confirm = yes
2016-07-07 12:30:10.294    Option sxl = yes
2016-07-07 12:30:10.294    Option max-data-age = 35
2016-07-07 12:30:10.294    Option EnableSafeClean = yes
2016-07-07 12:30:10.903    Downloading updates...
2016-07-07 12:30:10.904    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement SAVIW32 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE527 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE528 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE529 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE530 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE531 LATEST 
2016-07-07 12:30:10.904    Update progress: [I49502] Found supplement IDE532 LATEST 
2016-07-07 12:30:10.904    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-07-07 12:30:10.904    Update progress: [I19463] Syncing product SAVIW32 70
2016-07-07 12:30:17.507    Update progress: [I19463] Syncing product IDE527 142
2016-07-07 12:30:21.856    Option vdl-logging = yes
2016-07-07 12:30:22.658    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-07 12:30:22.658    Machine ID:    65b9d5562cf54b6da53eee6442d382e3
2016-07-07 12:30:22.658    Component SVRTcli.exe version 2.5.5
2016-07-07 12:30:22.658    Component control.dll version 2.5.5
2016-07-07 12:30:22.658    Component SVRTservice.exe version 2.5.5
2016-07-07 12:30:22.658    Component engine\osdp.dll version 1.44.1.2250
2016-07-07 12:30:22.658    Component engine\veex.dll version 3.65.0.2250
2016-07-07 12:30:22.658    Component engine\savi.dll version 9.0.1.2250
2016-07-07 12:30:22.658    Component rkdisk.dll version 1.5.30.0
2016-07-07 12:30:22.658    Version info:    Product version    2.5.5
2016-07-07 12:30:22.658    Version info:    Detection engine    3.65.0
2016-07-07 12:30:22.658    Version info:    Detection data    5.26
2016-07-07 12:30:22.658    Version info:    Build date    4/5/2016
2016-07-07 12:30:22.658    Version info:    Data files added    589
2016-07-07 12:30:22.658    Version info:    Last successful update    (not yet updated)
2016-07-07 12:30:22.689    Installing updates...
2016-07-07 12:30:23.306    Error level 1
2016-07-07 12:30:23.344    Update progress: [I19463] Syncing product IDE528 127
2016-07-07 12:30:23.344    Update progress: [I19463] Syncing product IDE529 135
2016-07-07 12:30:23.344    Update progress: [I19463] Syncing product IDE530 191
2016-07-07 12:30:23.344    Update progress: [I19463] Syncing product IDE531 1
2016-07-07 12:30:23.344    Update progress: [I19463] Syncing product IDE532 1
2016-07-07 12:30:31.696    Update successful
2016-07-07 12:30:44.732    Option all = no
2016-07-07 12:30:44.732    Option recurse = yes
2016-07-07 12:30:44.732    Option archive = no
2016-07-07 12:30:44.732    Option service = yes
2016-07-07 12:30:44.732    Option confirm = yes
2016-07-07 12:30:44.732    Option sxl = yes
2016-07-07 12:30:44.732    Option max-data-age = 35
2016-07-07 12:30:44.732    Option EnableSafeClean = yes
2016-07-07 12:30:45.302    Option vdl-logging = yes
2016-07-07 12:30:45.318    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-07-07 12:30:45.318    Machine ID:    65b9d5562cf54b6da53eee6442d382e3
2016-07-07 12:30:45.318    Component SVRTcli.exe version 2.5.5
2016-07-07 12:30:45.318    Component control.dll version 2.5.5
2016-07-07 12:30:45.318    Component SVRTservice.exe version 2.5.5
2016-07-07 12:30:45.318    Component engine\osdp.dll version 1.44.1.2250
2016-07-07 12:30:45.318    Component engine\veex.dll version 3.65.0.2250
2016-07-07 12:30:45.318    Component engine\savi.dll version 9.0.1.2250
2016-07-07 12:30:45.318    Component rkdisk.dll version 1.5.30.0
2016-07-07 12:30:45.318    Version info:    Product version    2.5.5
2016-07-07 12:30:45.318    Version info:    Detection engine    3.65.0
2016-07-07 12:30:45.318    Version info:    Detection data    5.26
2016-07-07 12:30:45.318    Version info:    Build date    4/5/2016
2016-07-07 12:30:45.318    Version info:    Data files added    589
2016-07-07 12:30:45.318    Version info:    Last successful update    7/7/2016 5:30:31 AM

2016-07-07 13:14:24.154    Could not open C:\hiberfil.sys
2016-07-07 13:14:26.344    Could not open C:\pagefile.sys
2016-07-07 13:22:39.362    Could not open C:\swapfile.sys
2016-07-07 13:24:15.765    Could not open C:\Users\George McCune\AppData\Local\Google\Chrome\User Data\Default\Current Session
2016-07-07 13:29:19.979    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\ditcdjd.zip
2016-07-07 13:29:19.979    Disinfection not offered
2016-07-07 13:29:33.304    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\IMPORTANT-INFO.zip
2016-07-07 13:29:33.304    Disinfection not offered
2016-07-07 13:29:33.621    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\INFO.zip
2016-07-07 13:29:33.621    Disinfection not offered
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\PayPal Verify_Form.zip
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:07.880    >>> Virus 'Mal/Phish-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\PayPal.com_Account_Confirmation_Form.pdf.zip
2016-07-07 13:30:07.880    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:07.880    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:18.890    >>> Virus 'Mal/Phish-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\PayPal_Account_Update_Form.pdf.zip
2016-07-07 13:30:18.890    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:18.890    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:24.017    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\SECURE-INFO.zip
2016-07-07 13:30:24.017    Disinfection not offered
2016-07-07 13:30:24.092    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\Secure_Details.zip
2016-07-07 13:30:24.092    Disinfection not offered
2016-07-07 13:30:34.062    >>> Virus 'Mal/Phish-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\Verification Form _ ID 916722246.html
2016-07-07 13:30:34.062    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:34.063    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:42.361    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\{6E764237-3E14-4029-9AE8-DC634CE9E8B5}\Secure_Details.zip
2016-07-07 13:30:42.361    Disinfection not offered
2016-07-07 13:30:52.278    >>> Virus 'Mal/Phish-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\{92EFCECA-60B6-4697-9B9D-2C3AC3791E1C}\PayPal Verify_Form.zip
2016-07-07 13:30:52.278    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:52.278    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 13:30:57.880    >>> Virus 'Mal/OddZip-A' found in file C:\Users\George McCune\Desktop\Old Dell Desktop\Documents and Settings\George McCune\Local Settings\Application Data\IM\Identities\{E89AE8A8-ECA9-4BB6-993F-FBAECAFF6EA7}\Message Store\Attachments\{F4E9452C-E813-45BC-915E-CE941CC0A4FF}\IMPORTANT-INFO.zip
2016-07-07 13:30:57.880    Disinfection not offered
2016-07-07 14:16:36.584    >>> Virus 'Mal/Generic-S' found in file C:\Windows\assembly\NativeImages_v4.0.30319_32\SevenZipSharp\41aca269929ac546014f180cfca0593f\SevenZipSharp.ni.dll
2016-07-07 14:16:36.584    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 14:16:36.584    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-3111244324-2812534583-2988401279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
2016-07-07 14:21:01.185    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-07-07 14:21:01.201    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-07-07 14:21:04.815    Could not open C:\Windows\System32\config\BBI
2016-07-07 14:21:05.379    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-07-07 14:21:05.433    Could not open C:\Windows\System32\config\RegBack\SAM
2016-07-07 14:21:05.448    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-07-07 14:21:05.495    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-07-07 14:21:05.517    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-07-07 14:34:58.071    The following items will be cleaned up:
2016-07-07 14:34:58.071    Mal/Phish-A
2016-07-07 14:34:58.071    Mal/Generic-S
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
2016-07-07 14:34:58.071    Mal/OddZip-A
 

Fixlog.txt

Malwarebytes.docx
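The Sophos log above is long and repeats the same registry value under several threat names, which makes it hard to see at a glance what was actually found and what the tool declined to clean. The following script is an added example (not from the thread, not a Sophos or Malwarebytes tool) that parses lines in the layout of a Sophos Virus Removal Tool log, groups detections by threat name, separates file hits from registry hits, and lists the files marked "Disinfection not offered". The embedded sample log is constructed for the example; its paths and SID are placeholders, not values from this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Sophos Virus Removal Tool log. These are
# not the lines from the thread; the paths and the SID are placeholders.
SAMPLE_LOG = """\
2016-07-07 12:30:00.664    Sophos Virus Removal Tool version 2.5.5
2016-07-07 13:14:24.154    Could not open C:\\hiberfil.sys
2016-07-07 13:29:19.979    >>> Virus 'Mal/OddZip-A' found in file C:\\Users\\user\\Attachments\\a.zip
2016-07-07 13:29:19.979    Disinfection not offered
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file C:\\Users\\user\\Attachments\\form.zip
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons
2016-07-07 13:29:54.646    >>> Virus 'Mal/Phish-A' found in file HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons
2016-07-07 13:30:24.017    >>> Virus 'Mal/OddZip-A' found in file C:\\Users\\user\\Attachments\\b.zip
2016-07-07 13:30:24.017    Disinfection not offered
2016-07-07 14:34:58.071    The following items will be cleaned up:
2016-07-07 14:34:58.071    Mal/Phish-A
"""

# Matches "<date> <time>    >>> Virus '<name>' found in file <location>"
DETECTION_RE = re.compile(r"^(\S+ \S+)\s+>>> Virus '([^']+)' found in file (.+)$")
NOT_OFFERED = "Disinfection not offered"
REGISTRY_PREFIXES = ("HKU\\", "HKLM\\", "HKCU\\", "HKCR\\")


def parse_detections(log_text):
    """Return one dict per '>>> Virus' line: time, threat, location, kind, disinfect_offered."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            ts, threat, location = m.groups()
            kind = "registry" if location.upper().startswith(REGISTRY_PREFIXES) else "file"
            detections.append({"time": ts, "threat": threat, "location": location,
                               "kind": kind, "disinfect_offered": True})
        elif line.rstrip().endswith(NOT_OFFERED) and detections:
            # The tool prints this directly under the detection it cannot clean,
            # so the note applies to the most recent detection.
            detections[-1]["disinfect_offered"] = False
    return detections


def summarize(detections):
    """Group by threat name, de-duplicating the registry value the tool reports
    repeatedly, and collect the files for which no disinfection was offered."""
    groups = defaultdict(lambda: {"files": set(), "registry": set(), "not_offered": set()})
    for d in detections:
        g = groups[d["threat"]]
        (g["files"] if d["kind"] == "file" else g["registry"]).add(d["location"])
        if not d["disinfect_offered"]:
            g["not_offered"].add(d["location"])
    return {threat: {k: sorted(v) for k, v in g.items()} for threat, g in groups.items()}


if __name__ == "__main__":
    for threat, g in summarize(parse_detections(SAMPLE_LOG)).items():
        print(f"{threat}: {len(g['files'])} file(s), {len(g['registry'])} registry value(s), "
              f"{len(g['not_offered'])} file(s) with no disinfection offered")
        for path in g["not_offered"]:
            print("   needs manual attention:", path)
```

To run it on a real log, read the file into `parse_detections` instead of `SAMPLE_LOG`. The "not offered" list is the useful output here: those are the items a second scan will keep reporting, as happened with the archive in the post above, and the ones a helper will want to look at by hand.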


1 minute ago, Ruxpin said:

Not sure but probably before then. This is my Dads computer and he said he has had the black screen show up a few days before 6/30/16 around 6/27/16 he thinks. Also, I have copies of the files on carbonite in the cloud, so just need to get the virus off so we can restore them. Was thinking of just doing a fresh install but thought I would try this first to avoid the headache of reinstalling everything. Thoughts? 



When I boot up it goes to the black screen with red letters first, but I'm able to scroll the mouse to the bottom and get to the Win 10 menu fine. Then I can open applications, Outlook, Chrome, etc. over it. It just stays on the background. I checked my screen saver settings and it shows NONE, as I thought maybe it saved an image there automatically.


Well, the problem is your files are still encrypted. Do you have a backup for all encrypted data? Also, I'm not really sure what effect the background image has... Can you navigate here: C:\Windows\web. In there you will find 3 folders; look inside Screen first. Does that hold the ransom image?


I just checked Windows\web and couldn't find the ransom image, but the other default images are there. Weird. Any other idea where it could be?

 

I have a backup of all the C drive files with carbonite.com, and when I spoke with them they said not to call them to restore the backup until the cryptovirus has been removed from the PC. I also have a backup internal hard drive attached that is all encrypted, so we probably can't decrypt those until a future fix comes out. It's from an old computer drive of files over 5 years old.

 

 


Ransomware infections are not usually hard to remove; the damage is done with encryption. To recover your encrypted data either the ransom has to be paid or you have a backup... Even paying the ransom does not always help...

If you right click on your new Desktop image and select Personalise, do you see the ransom screen in the available images?


Ya, that's what I figured. Luckily we have a backup of the more important files in the cloud.

 

When I right click the desktop and go to Personalize, the ransom image is there to select, but I can't find it on the C: drive per your instructions.


Navigate here: C:\Users\Username\AppData\Local\Microsoft\Windows\Themes\custom.theme. That should show the ransom theme; simply right click directly on it and select Delete... "Username" will be the account holder name.

You will need to show hidden files/folders to see the AppData folder: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/
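The custom.theme file named above is an ordinary INI file, and its [Control Panel\Desktop] section records which image Windows is using as the background. Rather than deleting the theme blind, a helper can read that section to learn where the ransom image actually lives, which answers the earlier question of why nothing turned up under C:\Windows\web. The script below is an added example (not from the thread, not a Microsoft or Malwarebytes tool): it parses a theme file, returns the Wallpaper path, and flags a wallpaper stored anywhere other than the stock C:\Windows\web directory as worth inspecting. The embedded theme text is constructed for the example; the wallpaper path in it is a placeholder, and the %SystemRoot% expansion to C:\Windows is an assumption for offline use.

```python
import configparser
import ntpath
import re

# Constructed sample in the layout of a Windows .theme file (INI format);
# not the custom.theme from the thread. The wallpaper path is a placeholder.
SAMPLE_THEME = """\
; Custom theme saved by Windows when the desktop background is changed
[Theme]
DisplayName=Custom

[Control Panel\\Desktop]
Wallpaper=C:\\Users\\user\\AppData\\Local\\Temp\\ransom_note_example.bmp
WallpaperStyle=10
Pattern=
"""

# Where the stock Windows wallpapers live, as noted earlier in the thread.
STOCK_WALLPAPER_DIR = "C:\\Windows\\web"


def wallpaper_path(theme_text):
    """Return the Wallpaper value from the [Control Panel\\Desktop] section, or None."""
    # interpolation=None: theme values may contain '%SystemRoot%', which the
    # default interpolation would try to treat as a template.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(theme_text)
    section = "Control Panel\\Desktop"
    if not parser.has_section(section):
        return None
    value = parser.get(section, "Wallpaper", fallback="").strip()
    return value or None


def _normalize(path):
    # Assumption for offline use: %SystemRoot% is C:\Windows. On the machine
    # itself you would substitute the real environment value instead.
    path = re.sub(r"%systemroot%", lambda _m: "C:\\Windows", path, flags=re.IGNORECASE)
    # ntpath handles Windows paths on any platform: lower-case, '\' separators.
    return ntpath.normcase(ntpath.normpath(path))


def is_outside_stock_dir(path):
    """True when the wallpaper is not under C:\\Windows\\web, i.e. worth a closer look."""
    if path is None:
        return False
    stock = _normalize(STOCK_WALLPAPER_DIR) + "\\"
    return not _normalize(path).startswith(stock)


if __name__ == "__main__":
    wp = wallpaper_path(SAMPLE_THEME)
    print("Wallpaper:", wp)
    print("Outside stock wallpaper directory:", is_outside_stock_dir(wp))
```

Pointed at the real file (open it with `encoding="utf-16"` if Windows saved it that way, otherwise the default works), the script tells you which image to look at before the theme is deleted, so the file itself can be removed too rather than just the theme that references it.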

 


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
