Post by anthonyw on Jun 2, 2015 11:13:46 GMT -8
Please help.
I am using XP professional 32-bits.
My computer has been infected by a virus. Most of my files have been encrypted to the .xtbl file format. This only affects files stored on my local drives C: & E:, while files & folders on my desktop remain unharmed.
And the attacker actually left a readme.txt file on my local drive with the following message:
"Ваши файлы были зашифрованы. Чтобы расшифровать их, Вам необходимо отправить код: 0FA1C3DC72226AF540AC|0 на электронный адрес decode0098@gmail.com или decode00987@gmail.com . Далее вы получите все необходимые инструкции. Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.
All the important files on your computer were encrypted. To decrypt the files you should send the following code: 0FA1C3DC72226AF540AC|0 to e-mail address decode0098@gmail.com or decode00987@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data."
I scanned my computer using Malwarebytes and removed quite a number of threats. I believe (but I might be wrong) the virus has been removed, as I tried creating a few MS Office document files on the computer and so far they have not been encrypted.
But I desperately need help and advice on how to decrypt those encrypted files. I am just a normal computer user and do not know much about the technical part of this. So I would really appreciate it if someone in this forum could help me out. Many thanks in advance.
Post by anthonyw on Jun 2, 2015 11:25:17 GMT -8
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Jun 2, 2015 11:55:27 GMT -8
1. Download and install Shadow Explorer. Note: this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.
2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.
3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.
Hopefully, this will help you to restore all encrypted files or at least some of them.
(These instructions are from deletemalware.blogspot.ca/2013/10/remove-cryptolocker-virus-and-restore.html . It deals with Cryptolocker (which is different from the ransomware you have), but the process is the same. The use of ShadowExplorer is explained in Step 2. Do not worry about the other steps on that page.)
Post by anthonyw on Jun 2, 2015 20:48:40 GMT -8
Post by anthonyw on Jun 5, 2015 9:03:44 GMT -8
Please advise what my next step should be. Thanks.
Post by dbrisen on Jun 5, 2015 20:26:54 GMT -8
Scan with IDTool
- Please download IDTool by Nathan and save the file to the desktop.
- It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
- ... to start the tool.
- IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it, please agree.
- Wait patiently until the tool collects the necessary data.
- Once the main console is loaded, please press Rescan Computer and Generate a New Report.
- When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
- Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.
Please include those contents in your next reply.
Post by anthonyw on Jun 6, 2015 2:04:52 GMT -8
Here is the report...
Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 6/6/2015 6:04:25 PM
Operating System: Windows XP
Service Pack: Service Pack 2
Version Number: 5.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]
Post by dbrisen on Jun 9, 2015 18:34:21 GMT -8
anthonyw,
I have tried everything and searched malware removalist boards for a method to decrypt the files. I'm sorry but there is no known way to decrypt the files. Your logs show that the malware has removed itself from your system so new files will not be encrypted.
Post by anthonyw on Jun 11, 2015 8:49:48 GMT -8
Hi dbrisen,
It is okay. I appreciate the time and effort you spent in helping me. Thank you very much.