Encryption Trojan - what is it and how can you remove it and save the data?

Fa
5

On a laptop of the acquaintance, an encryption Trojan has installed.

When the laptop starts up, there appears a screenshot of the message that the acquaintance probably got black-and-white on his first visit and it opens a text file that says what happened to his laptop or his data. That means, the screenshot shows exactly the same text of the txt file, only on a black background and white text.

Each text file as well as image file bears the name

-! Recover -erbcq ++

The text file says that it is an RSA-4096 Encription.

I'm completely unexplored in the field and therefore need your help.

What could the Trojan be called and what can be done about it?

How the Trojan came on it - I'm not surprised that - his antivirus program was either disabled or the Trojan disabled it - at least was the last anti-virus definition of 2016 … I miss the words. It is still an old Windows XP computer.

The data on it would be important to him.

Meaning, if you could decrypt the data again, I would burn it to CD and rewrite the system completely.

Dr

The text file says that it is an RSA-4096 Encription.

Since I do not have a working glass ball and had the "patient" itself not in front of me, I'm going from some modified form of TeslaCrypt. But you can't tell me more from here.

The only thing you can do is restore the system to an earlier time point. However, assuming an early recovery point and still not sure if that alone is enough to save some of the data can. The child has already fallen into the well anyway, so worth a try.

Unlock the box, then press F8 to enter Safe Mode with Command Prompt. At the command prompt enter cd restore and confirm with Enter. Then enter rstrui.exe, confirm again with Enter and finally click through the Restore dialog. The rest is actually self-explanatory.

Check for questions again!

Fa

Many thanks for your response. I also suspected that with TeslaScript.

Yesterday I also looked at the patient for the first time, which is why I can't say much about it myself. Would a photo help with the txt file in which the message is displayed? In it is a web address where you can then get the key (certainly not just for a thank you).

Or what else can I read out for info for you?

That with the recovery point, I had in mind. My Windows XP past is already a few years back. Yesterday I also searched for it in the control panel but did not find anything right away.

Will try it once with your guide. Anyway, many thanks and a nice Christmas.

Fa

Enclosed a photo of the txt-file, which opens immediately after the start. I'm looking for it with the recovery point, which was hopefully created.

Encryption Trojan - what is it and how can you remove it and save the data
Fa

Tries… : )

Dr

Would a photo help with the txt file in which the message is displayed?

Can't do anything with the text. As I said, you can at most try to load a restore point. With a little luck you can save your own files. The holidays few had written only now.

PC hacked with encryption trojan. But how? Lo Longingbruno
  • 15 answers
Remove Mrs Major.exe? Am Amaris
  • 39 answers
Can a Trojan disappear by itself? Ke Kelvinmaeve
  • 8 answers
Trojans in email? Ma Margin518
  • 2 answers
Remove bitlocker by deleting partition? El Ellisglorious
  • 4 answers
How do you know if you have a trojan? Tr Truck5
  • 4 answers
Android studio why can't I run the project on my mobile phone?

Android studio why can't I run the project on my mobile phone?
Laptop keeps restarting and stuck in update?

Laptop keeps restarting and stuck in update?
Connect the printer to the laptop / PC?

Connect the printer to the laptop / PC?