• Attention. Recovery of 1C7, 1C8 and MSSQL databases after a ransomware attack: read the details and reviews in the dedicated thread.

Solved without decryption: Please help with the ransomware .id-F221B8A0.[3441546223@qq.com].ncov

Status
No new replies can be posted in this thread.

Azamatbz

New member
Messages
13
Reactions
0
Points
11
A Windows 7 server was hacked via RDP. All files were encrypted and have the extension .id-F221B8A0.[3441546223@qq.com].ncov.
The encrypted files and the originals of those files are in the archive "Зашифрованные файлы и оригиналы.7z" ("Encrypted files and originals.7z") with the password "vir".
I made logs with the FRST program.
I have not yet been able to find the virus file from which the virus was launched.
I am asking for help recovering the files, if that is possible.
 

Attachments

  • Зашифрованные файлы и оригиналы.7z
    416.2 KB · Views: 1
  • Addition.txt
    43 KB · Views: 1
  • FRST.txt
    27 KB · Views: 1

akok

Forum staff
Administrator
Messages
19,518
Reactions
13,432
Points
2,203
Unfortunately, there is no way to decrypt the data for this ransomware yet.
 

akok

Forum staff
Administrator
Messages
19,518
Reactions
13,432
Points
2,203
Change the RDP passwords to more complex ones + you need the latest security patches ++ use a current OS for the important components.

AmmyyAdmin - is it yours?

Are all the administrators legitimate?
ftp (S-1-5-21-2526124442-3170026717-2596826691-1010 - Administrator - Enabled) => C:\Users\ftp.RKKSERVERPC
SERVER (S-1-5-21-2526124442-3170026717-2596826691-1000 - Administrator - Enabled)
Администратор (S-1-5-21-2526124442-3170026717-2596826691-500 - Administrator - Enabled) => C:\Users\Администратор
Гость (S-1-5-21-2526124442-3170026717-2596826691-501 - Limited - Enabled)

Did you open the ports yourself?
FirewallRules: [{490E7C28-69FC-4748-9B59-153561C04D7F}] => (Allow) LPort=1641
FirewallRules: [{AB41D49C-555E-4CF5-814B-EEC58A8D0DB9}] => (Allow) LPort=1541
FirewallRules: [{4ECE243B-D171-448C-8392-2511A2C800FD}] => (Allow) LPort=475
FirewallRules: [{EF77E05D-A6C4-4F3F-8DFB-6BBD695E6895}] => (Allow) LPort=475
FirewallRules: [{902227A0-912E-4422-9AAB-AF2130C2A0EF}] => (Allow) LPort=80

  • Disable the antivirus until reboot.
  • Select the following code:
    Code:
    Start::
    CreateRestorePoint:
    VirusTotal: C:\Windows\System32\1344.exe
    () [File not signed] C:\Windows\System32\1344.exe
    HKLM\...\Run: [1344.exe] => C:\Windows\System32\1344.exe [94720 2020-06-01] () [File not signed]
    2020-06-01 14:29 - 2020-06-02 11:05 - 000013916 _____ C:\Windows\system32\Info.hta
    2020-06-01 14:18 - 2020-06-01 14:18 - 000094720 _____ C:\Windows\system32\1344.exe
    FirewallRules: [{8B733245-D3E1-4F3F-BC89-B9D5253BE32C}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8c.exe => No File
    FirewallRules: [{65337EC3-2808-49CE-BB3E-27B893F3F466}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8c.exe => No File
    FirewallRules: [{2B2F5B56-1AE2-4C57-81F5-DDBDFCA0ED21}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8c.exe => No File
    FirewallRules: [{AA9B3449-3C81-4E8C-BCA0-476AE287B28D}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8c.exe => No File
    FirewallRules: [{45DCC9D4-7073-4D26-B27D-570D9A84DA88}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8s.exe => No File
    FirewallRules: [{E6CE5BD7-479A-408B-9E23-AC2FE6649B1C}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8s.exe => No File
    FirewallRules: [{10DC1129-6E1C-4994-A308-AC6F58E80377}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8s.exe => No File
    FirewallRules: [{0622C490-B9DA-4B30-B305-B08C5BDDA685}] => (Allow) C:\Program Files (x86)\1cv8\8.3.6.2100\bin\1cv8s.exe => No File
    FirewallRules: [{AB951043-69A2-4AED-B1CD-9AB72ACBA943}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8s.exe => No File
    FirewallRules: [{30BA91E5-7BA0-49AD-A55A-E36885A8963C}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8s.exe => No File
    FirewallRules: [{D9B42E58-5012-4512-90F0-DBAB8C12E403}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8s.exe => No File
    FirewallRules: [{4A579D9F-91B1-43D8-8748-67932DB05D62}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8s.exe => No File
    FirewallRules: [{36118E5E-0C10-4260-B465-3C21880C924B}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8s.exe => No File
    FirewallRules: [{A643A015-C821-4DA2-918A-C2BE15E0F8DF}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8s.exe => No File
    FirewallRules: [{A18235AF-8EF0-450D-91BD-770CE3589516}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8s.exe => No File
    FirewallRules: [{BBCB3E0B-0952-4E83-AD44-0981B6990BA7}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8s.exe => No File
    FirewallRules: [{4EC96A0F-56D1-43CA-ACDA-7AAD9089F4D2}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8s.exe => No File
    FirewallRules: [{A386AE3E-BDCC-4929-8883-D4006ADC97E2}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8s.exe => No File
    FirewallRules: [{85E521CD-9F08-4E54-A874-5BD7E59438DE}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8s.exe => No File
    FirewallRules: [{97CB1FAA-A1B1-4381-8477-C2AA2695F784}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8s.exe => No File
    FirewallRules: [{6DF8AE2F-52A0-43FC-8998-F3D79EDFE37E}] => (Allow) C:\Program Files (x86)\1cv82\common\1cestart.exe => No File
    FirewallRules: [{899DA9B2-B130-4D75-84B1-5BBD8ABAEB62}] => (Allow) C:\Program Files (x86)\1cv82\common\1cestart.exe => No File
    FirewallRules: [{076BD07B-981B-4FFA-A9CC-A8EF66CF88E2}] => (Allow) C:\Program Files (x86)\1cv82\common\1cestart.exe => No File
    FirewallRules: [{F1749529-CA69-4673-B7C9-35C710CE911F}] => (Allow) C:\Program Files (x86)\1cv82\common\1cestart.exe => No File
    FirewallRules: [{30CC0EA8-769D-49BB-A2FD-4E86A34CFAD3}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8s.exe => No File
    FirewallRules: [{8C38D360-A50B-42F1-93DB-C900458658D6}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8s.exe => No File
    FirewallRules: [{9510A66A-E83F-4072-BD83-11687D3C115E}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8s.exe => No File
    FirewallRules: [{E97F845B-4A6B-48C6-A284-D18100EA253F}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8s.exe => No File
    FirewallRules: [{2DF8CAD4-2139-4576-A3B6-11B130C5B460}] => (Allow) C:\Program Files (x86)\1cv8\common\1cestart.exe => No File
    FirewallRules: [{E50DDECA-704E-4DE6-A516-C9F90670D521}] => (Allow) C:\Program Files (x86)\1cv8\common\1cestart.exe => No File
    FirewallRules: [{C1D5ED83-A8EB-4260-90B0-BDC05E3D1A07}] => (Allow) C:\Program Files (x86)\1cv8\common\1cestart.exe => No File
    FirewallRules: [{7409E8AE-ABF0-4A8C-B295-4D017A5FD5CB}] => (Allow) C:\Program Files (x86)\1cv8\common\1cestart.exe => No File
    FirewallRules: [{D7EEE3B9-C5EE-4B7D-84C4-563CBB859631}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8c.exe => No File
    FirewallRules: [{721F048F-EDDA-4E3B-936B-A899348FD0B5}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8c.exe => No File
    FirewallRules: [{20D9E9C1-DE5C-4AA7-896D-1242BAC030CE}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8c.exe => No File
    FirewallRules: [{DDAD0B3A-77EB-47B7-AE5F-B39EE9F9E2D5}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.83\bin\1cv8c.exe => No File
    FirewallRules: [{E8BC4968-EEF7-4EF5-878B-870E9D5AF894}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8c.exe => No File
    FirewallRules: [{0AA79F74-0110-4759-A56B-3A8BCDC23A8D}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8c.exe => No File
    FirewallRules: [{BAAD2DFF-C522-4EF8-AE43-02A5F18AAF74}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8c.exe => No File
    FirewallRules: [{88D3E70B-25D0-482D-87E2-C46762B6EF92}] => (Allow) C:\Program Files (x86)\1cv82\8.2.19.121\bin\1cv8c.exe => No File
    FirewallRules: [{9F6B0C16-6265-44E0-B1BC-57856C56F5E4}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8c.exe => No File
    FirewallRules: [{E366AAB7-0E93-427F-99E9-EB088F8DC1CC}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8c.exe => No File
    FirewallRules: [{BD468CEC-2144-4B35-8B2E-C52823E2ECE9}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8c.exe => No File
    FirewallRules: [{061ED656-C535-46F5-AE7E-89250B06DA9B}] => (Allow) C:\Program Files (x86)\1cv82\8.2.18.109\bin\1cv8c.exe => No File
    FirewallRules: [{A0651B8B-7CDF-477C-9160-06E5E672E365}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8c.exe => No File
    FirewallRules: [{3775E5BB-67A0-4388-B63A-A2C6B75B622D}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8c.exe => No File
    FirewallRules: [{E239A1CE-1B78-4821-81EE-5B38D7116FB5}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8c.exe => No File
    FirewallRules: [{ABC8ACE5-7166-4D7D-999F-0BDA77253634}] => (Allow) C:\Program Files (x86)\1cv8\8.3.5.1383\bin\1cv8c.exe => No File
    FirewallRules: [{5FDAD246-DAAE-4C50-B165-C160B9E1BCEE}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
    FirewallRules: [{666E0685-A0A9-4220-AE8C-6A67E0E18F76}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
    FirewallRules: [{AEED0AA1-ECFD-4CA8-A047-5780EB83C1CF}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
    FirewallRules: [{6CD82B84-F3D2-4150-839A-7F50F5DEE1E5}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
    FirewallRules: [{66314FFF-33EF-4BDF-9756-6F9442BED157}] => (Allow) C:\Users\SERVER\Documents\1C-Connect\bin\BPh_RDA\rms\rutserv.exe => No File
    FirewallRules: [{39DDFCDA-82E0-43D5-94EF-20E335197D70}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{D4058E94-5E15-46A0-850A-0BE644E39974}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{FF7719E7-7D70-41A5-AFBC-A32A93C9D6DA}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{43C7B0A7-64BF-4028-BDA4-270CEE67E516}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{5B63A8EE-51D3-4E2F-8590-4E8ED7D77048}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{6EA51703-3C84-4F5B-9F9F-B5441600A82C}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
    FirewallRules: [{9C23838C-A0B1-46B4-88F4-6CC6E5B5CEF5}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
    FirewallRules: [{C8619723-BC4F-4EF3-A62E-35DB75D3E51E}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe => No File
    FirewallRules: [{DCFF91F1-9DEE-4C01-BD24-F5EA04A1406D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
    FirewallRules: [{C4D18B6E-7C63-4C10-B8C0-AD3CA30CD550}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe => No File
    FirewallRules: [{3394C8F2-A2D8-4278-AC7B-700B23D2DD2E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No File
    End::
  • Copy the selected text (right-click - Copy).
  • Run FRST (FRST64) as administrator.
  • Click Fix and wait. The program will create a log file (Fixlog.txt). Attach it to your next message.
Reboot the computer manually.

Read more in this guide.
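The three checks akok walks through above (an unsigned binary auto-started from System32, enabled administrator accounts that nobody recognises, and firewall Allow rules for odd ports or remote-access tools) can be made repeatable over an FRST log. The following Python triage script is an added example, not part of the thread or of FRST itself; the sample lines are constructed in the shape of the quoted FRST.txt/Addition.txt entries, and EXPECTED_PORTS, REMOTE_TOOLS and the severity levels are assumptions to adjust per host.

```python
import re

# Constructed sample in the shape of the FRST.txt / Addition.txt entries quoted in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [1344.exe] => C:\Windows\System32\1344.exe [94720 2020-06-01] () [File not signed]
ftp (S-1-5-21-2526124442-3170026717-2596826691-1010 - Administrator - Enabled) => C:\Users\ftp.RKKSERVERPC
Guest (S-1-5-21-2526124442-3170026717-2596826691-501 - Limited - Enabled)
FirewallRules: [{490E7C28-69FC-4748-9B59-153561C04D7F}] => (Allow) LPort=1641
FirewallRules: [{902227A0-912E-4422-9AAB-AF2130C2A0EF}] => (Allow) LPort=80
FirewallRules: [{39DDFCDA-82E0-43D5-94EF-20E335197D70}] => (Allow) C:\Users\SERVER\Desktop\AnyDesk.exe => No File
"""

RUN_RE = re.compile(r"^HK\w+\\\.\.\.\\Run: \[[^\]]*\] => (?P<path>.+?\.exe)", re.I)
USER_RE = re.compile(r"^(?P<user>.+?) \((?P<sid>S-1-5-21-[\d-]+) - (?P<group>\w+) - (?P<state>\w+)\)")
FW_RE = re.compile(r"^FirewallRules: \[\{[0-9A-F-]+\}\] => \((?P<action>\w+)\) (?P<target>.+)$")

EXPECTED_PORTS = {80, 443, 3389}  # assumption: the ports this host is meant to expose
REMOTE_TOOLS = ("anydesk", "teamviewer", "rutserv", "ammyy")  # remote-access tools named in the thread


def triage_line(line):
    """Return (severity, reason) findings for one FRST log line; [] if nothing stands out."""
    findings = []
    m = RUN_RE.match(line)
    if m and "[File not signed]" in line and re.search(r"\\windows\\system32\\", m["path"], re.I):
        # An unsigned binary auto-started from System32 is the classic dropped-loader pattern.
        findings.append(("high", f"unsigned autorun in System32: {m['path']}"))
    m = USER_RE.match(line)
    if m and m["group"] == "Administrator" and m["state"] == "Enabled":
        rid = int(m["sid"].rsplit("-", 1)[1])
        if rid >= 1000:  # RID 500 is the built-in Administrator; any other admin needs a human to vouch for it
            findings.append(("medium", f"enabled admin account to verify: {m['user']} (RID {rid})"))
    m = FW_RE.match(line)
    if m and m["action"] == "Allow":
        target = m["target"]
        port = re.fullmatch(r"LPort=(\d+)", target)
        if port and int(port[1]) not in EXPECTED_PORTS:
            findings.append(("medium", f"inbound allow on unexpected port {port[1]}"))
        elif any(tool in target.lower() for tool in REMOTE_TOOLS):
            findings.append(("medium", f"remote-access tool rule to confirm: {target}"))
        elif target.endswith("=> No File"):
            findings.append(("low", f"stale allow rule for missing binary: {target}"))
    return findings


def triage(text):
    """Triage every non-empty line of an FRST log; returns a list of (severity, reason) tuples."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line.strip())]


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run it against the real Addition.txt and FRST.txt by passing their contents to triage(); the output is a checklist to confirm with the owner, not a verdict.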
 