Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

User Tag List

All files locked by Nemucod :( crypted: pls. Help!

This is a discussion on All files locked by Nemucod :( crypted: pls. Help! within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category. Hello, I am from TSF Hardware Maintenance Team, and I have a Customer PC that I believe is infected with

Closed Thread
Thread Tools Search this Thread
Old 08-23-2016, 06:04 AM   #1
TSF Enthusiast
Join Date: Aug 2012
Location: Big Bear, Calif., USA
Posts: 2,020
OS: XPsp3-Win8.1,Win10v1709FCU, Ubuntu16.04,Zorin,ISOLinux, Android4.3,CiscoIOS

My System


I am from TSF Hardware Maintenance Team, and I have a Customer PC that I believe is infected with NEMUCOD Ransomware. The Ransomware virus has locked all the Customer files in all accounts with the ".Crypted" suffix. It has also locked all his files on his external usb 1TB hard drive as well as a small 64GB flash drive too. Customer has had this problem for a over a month; and I believe I'm the 2nd or 3rd Tech he's hired to fix his problem. He has 20 years worth of business files, excel spreadsheets and word docs, along with at least 50 folders worth of archived family photos in his My Pictures folder he cannot access. All the photo folders are empty; he tells me they have tons of photos in them; he doesn't remember how many GB worth. He's very desperate, and has done everything he can think of including installing several fix-it programs including antispyware Pro and several others which I've removed per your instructions.

Briefly here's what I've tried to fix the problem, and I'm of course looking for further help:

1.) Customer gave me copy of a DECRYPT.TXT file on his desktop with detailed instructions on how to unlock his files from virus author. Author demands payment of 0.44092 bitcoins [$253.37 USD] to unlock files. Gave Customer 3 days to unlock or decrypt key to be destroyed. Customer opted not to pay as he heard from friends it's a scam and doesn't believe virus author would unlock his files even after payment. I confirmed this information in that DECRYPT.TXT file still on his desktop.

2.) Isolated PC from network, and ran local tools including TrendMicro Ransomware Decrypter program to try and find and remove virus and unlock his files. No success.

3.) Upon further research, went to EMSISOFT.COM, a Ransomware help site and downloaded their Ransomware Decrypter tool specifically for the NEMUCOD Ransomware. Their decrypter file works; but only 1 file at a time, and I must have a copy of the non-encrypted file to decrypt each locked file. Was able to do this partially as a test by retrieving unlocked copies of a file (used .xls to test) from the Windows.old directory (he had unsuccessfully tried to upgrade to W10 last year and this year and both attempts failed). EMSISOFT decrypter does work and unlocks a test .xls file ok. However, he has 123,000+ files in his Windows.old directory and with this decrypter, those are the only files I can recover, and then only 1 at a time--a very tedious procedure.

4.) I have placed a help request to the EMSISOFT support team to help me back on Thur. 8/18/2016. It's been over 72 hrs. and I have not heard a response back of any kind, and have bumped the request twice; 1 time >24 hrs., 2nd time >48 hrs. Their forum threads appear active and other people are getting help, but I know from working on TSF that your response time limit is 72 hrs., so I don't know why they aren't responding unless their site has a problem. Therefore I am here looking for help from you guys desperately!

5.) I do have access to Win7 boot media for all versions of Win7 as you asked. I repair computers for a living and have most tools Techs use to do so. Customer computer is a PC-Clone from ZT Systems bought at Costco about 6 years ago. It has an Intel i7-cpu879 [email protected] Has 12GB PC3-10600 Kingston RAM, and an internal Hitachi HDS721010CLA332-ATA 1TB hard drive. HDD passed GSmartControl in UBCD diags both short and extended tests as did MEMTEST, 8 PASSES no errors found.

I am looking for a tool or help to unlock ALL his files on his C: drive, and if that works, I can then connect his external usb 1TB drive and his flash drive and attempt to unlock and recover those files as well.

Follows the 2 files dds.txt and attach.txt as requested from the dds.scr tool downloaded from your instructions.


******DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17840
Run by Owner at 5:21:28 on 2016-08-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12247.9482 [GMT -7:00]
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe
C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://bing/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
BHO: Candle Jar: {10bdb19e-8d73-42cf-81d3-8d5a9021cb3a} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"https://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\d9c3780.lnk - C:\Windows\System32\cmd.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Windows\System32\LavasoftTcpService.dll
Trusted Zone: localhost
Trusted Zone: webcompanion.com
TCP: NameServer =
TCP: Interfaces\{641A7779-4719-4979-A321-EB184F63A0A2} : DHCPNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\msosb.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Skype for Business Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\urlredir.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xqzad1mu.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - bing
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll
FF - plugin: c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrlui.dll
FF - plugin: C:\Windows\System32\Macromed\Flash\NPSWF64_22_0_0_209.dll
============= SERVICES / DRIVERS ===============
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-20 203776]
R2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2015-11-12 3189488]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 HP DS Service;HP DS Service;C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [2011-10-17 13824]
R2 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2012-12-4 174592]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-11-14 114688]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2015-11-12 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-11-14 1255736]
=============== Created Last 30 ================
2016-08-19 19:37:57 -------- d-----w- C:\Users\Owner\RANSOMWARE REMOVAL TOOLS
2016-08-19 11:47:17 -------- d---a-w- C:\$Anvi Rescue Disk$
2016-08-17 23:44:16 -------- d-----w- C:\Windows\pss
2016-08-17 23:02:34 -------- d-----w- C:\MAINTENANCE
2016-08-17 20:34:03 -------- d-sh--w- C:\found.005
2016-07-30 00:01:56 -------- d-sh--w- C:\found.004
==================== Find3M ====================
2016-08-02 01:40:17 796352 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-08-02 01:40:17 142528 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-08-02 01:40:07 19527360 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2016-06-14 02:31:06 484008 ------w- C:\Windows\System32\MpSigStub.exe
============= FINISH: 5:21:44.63 ===============

Thanks for looking at my issue!
Attached Files
File Type: txt attach.txt (9.9 KB, 18 views)
BIGBEARJEDI is offline  
Sponsored Links
Old 08-27-2016, 11:51 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
chemist's Avatar

Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Firstly, we don't give advice to people 'in the business'. This forum is oriented toward helping the end user.

Secondly, and unfortunately, there is no way to recover those files.

He has 20 years worth of business files, excel spreadsheets and word docs, along with at least 50 folders worth of archived family photos in his My Pictures folder he cannot access
It always amazes us why, someone with their 'life' on their machine, would have no backups.
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Help removing search engines from Chrome launch
Every time I launch Chrome in Windows 8 I am greeted with two AVG search tabs and one MSN tab. I want none of those and I can't find where they are set in Chrome. Is this some sort of trojan that installed them? How do I get rid of them so I just launch with a blank tab?
bauhsoj Resolved HJT Threads 10 07-14-2014 08:31 PM
[SOLVED] services.exe trojan ?!
My AVG anti-virus was beginning to detect a trojan (filepath - C:\Windows\System32\services.exe) but it is white-listed so I cannot delete it. I ran Malwarebytes as well, but that did not seem to help. AVG says the "Threat Name" is "Trojan horse Patched_c.LXT". AVG is also detecting a...
Stagaz_630 Resolved HJT Threads 14 08-08-2012 03:33 PM
[SOLVED] File/Folder Issues
So last night my computer had some virus or something called "Windows Fix Disk" which deleted all of my files and folders or maybe it hid them I am not sure. I used a systemrestore from about 2-3 days ago. Now I am having issues with folders/files. All of my favorites do not show up In my...
jts1992 Resolved HJT Threads 17 04-17-2011 08:44 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Post a Question

» Site Navigation
 > FAQ
Powered by vBadvanced CMPS v3.2.3

All times are GMT -7. The time now is 01:12 PM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts