[thisisu]

Just FYI you can run FRST through OTLPE but it is not needed as you have the information required from the OTL log to boot successfully. You can also see some of the encrypted files here. Good luck.

[Quads]

I am using this script attached to take the items / files etc. and then create the correct Winlogon registry keys for XP

Quads

[Crush]

Hi guys,

I have a user with this cr@p. http://www.pchelpforum.com/xf/threads/u ... ed.134606/

I've removed most of the malware but there are tons of files that have been edited with a wonky extension or given a locked-* prefix. Anyone know of a way to fix this?

[Quads]

Does neither of these 2 tools work??

2 Tools available, You have to make sure you have broiken and deleted the actual Ransomware files first before running the drycrypt tools for your personal files.

matsnu1decrypt.exe

When you run it, it asks for an unencrypted file and the corresponding encrypted version, all you need is one unencrypted copy and it's corrosponding encrypted version, whether you get the unencrypted version from another PC or from a backup set . Point it to the relevant files via the usual file selection, once it works out the encryption used for your copy of the wide Fake Police ransom family it will scan the rest of the Hard drive(s) for the rest of the encrypted files and decrypt all of those whether just one more file or over 1,000 files.

But make sure you have enough Hard Drive space available otherwise the output files will = 0kb in size.

Looks like it uses the same random-ish encryption key for all the files that it affects on a particular machine, hence by providing just one original and its corresponding encrypted version the tool is able to decrypt all files on that system..

After you make sure you have all the files back and YAY!!!!!!!! you have to delete the encrpted versions yourself.


Tool number 2 is http://support.kaspersky.com/faq/?qid=208286527
Instructions on that page, for this wider family.

Quads

[markusg]

@Crush
the user has windows 7, so you can use shadow explorer, to restore the files on c:

[Crush]

Does neither of these 2 tools work??

2 Tools available, You have to make sure you have broiken and deleted the actual Ransomware files first before running the drycrypt tools for your personal files.

matsnu1decrypt.exe

When you run it, it asks for an unencrypted file and the corresponding encrypted version, all you need is one unencrypted copy and it's corrosponding encrypted version, whether you get the unencrypted version from another PC or from a backup set . Point it to the relevant files via the usual file selection, once it works out the encryption used for your copy of the wide Fake Police ransom family it will scan the rest of the Hard drive(s) for the rest of the encrypted files and decrypt all of those whether just one more file or over 1,000 files.

But make sure you have enough Hard Drive space available otherwise the output files will = 0kb in size.

Looks like it uses the same random-ish encryption key for all the files that it affects on a particular machine, hence by providing just one original and its corresponding encrypted version the tool is able to decrypt all files on that system..

After you make sure you have all the files back and YAY!!!!!!!! you have to delete the encrpted versions yourself.


Tool number 2 is http://support.kaspersky.com/faq/?qid=208286527
Instructions on that page, for this wider family.

Quads

Thanks Quads. I've tried the Kaspersky tool.

[Win32:Virut]

Gimemo

2828dac3bf73f56bd82a5160e1473300

https://www.virustotal.com/file/155f7a3 ... /analysis/

Gimemo2.7z

password: infected
(296.14 KiB) Downloaded 73 times

[kareldjag/michk]

hi
True police alert VS fake police alert
https://www.europol.europa.eu/content/n ... mware-1583

Rgds

[DWS94]

police virus
National Police
Illegal Activity Detected!
Your operating system is blocked for violation of the laws of the Kingdom of the Netherlands!
Your IP address is: [XXXXXX]. IP address is detected and registered in the National Police of the Kingdom of the Netherlands. The user of this IP address......

Ransom virus-------Korps Landelijke Politiediensten ransomware :!:
Virus infection after you will lose to the system control. The emergence of a window require you to pay the ransom money... ...

https://www.virustotal.com/file/b323846 ... 342786676/
http://blog.teesupport.com/how-to-remov ... val-guide/

MD5: C27BA649EFFC31E73D15D1474EBB7960

[Cody Johnston]

This one is new to me. It looks kinda like Reveton but does not load the same way. No webcam module on this one either. Only MoneyPak accepted as payment. These are in U.S.



Creates 2 exe files -

Code: Select all

%appdata%\<Random.exe>
%userprofile%\<Random.exe>

Loads up via registry instead of ctfmon shortcut:

Code: Select all

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Update Server = %userprofile%\<Random.exe>

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
<Random> = %appdata%\<Random.exe>

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = %appdata%\<Random.exe>

SHA256: cacdbffd53c111737c6fe8d10bbe5973ab1c0bf5379748156684d3f0a1c251c1
VT: 24/42
https://www.virustotal.com/file/cacdbff ... 342842317/

EDIT: Updated image link