ACCDFISA – RansomWare – Removal Notes + More

UPDATE (2/26/12 @ 8:20PM CST): Lawrence Abrams has posted a guide to removing this infection over at BleepingComputer.com: http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program His post includes notes that were not included in this post and also provides a much more automated process for removal. If you are removing this infection, I would consider his post a must-read! Do not consider your system fully repaired until you have thoroughly read through his removal instructions.

NOTE: It would be really useful to take a look at the previous post by Joe P. regarding this RansomWare infection here: http://blog.nfocustech.com/2012/02/accdfisa-ransomware/

In addition, JSnell has posted some useful information on BleepingComputer.com regarding his experience with removing this infection: http://www.bleepingcomputer.com/forums/topic443725.html

 

  • THE PROCESS DESCRIBED IN THIS POST WAS PERFORMED IN A WINDOWS SERVER 2008 R2 ENVIRONMENT. Unfortunately, I do not have access to another version of Windows Server to test this procedure on. The process should be fairly similar for each edition of Windows Server. Your comments and feedback will be very useful in providing information regarding how this process varies on other systems.
  • EVERY REFERENCE MADE TO THE “C: DRIVE” REFERS TO THE DRIVE THAT HOLDS THE CONTENTS OF THE WINDOWS SERVER OPERATING SYSTEM. This could very well vary for your system and should be adjusted appropriately.

 

Disclaimers / Additional Notes (PLEASE, PLEASE READ):

  1. I would STRONGLY urge you to take a backup of the system as soon as possible, even if it is still infected. Although we have learned a good bit about this infection over the past week, we still do not fully understand each and every step of its progression. Finding a way to back up the infected system before ever beginning the removal process would be ideal (i.e. cloning all hard drives that have been infected). However, I realize that this may not be easily feasible on all systems. For that reason, I will include a note in the post where the next easiest backup point is. Please listen to my word of advice and take a backup at this point if at all possible. In addition, this would be a great time to put in a plug for off-site backups if you have not already implemented one. Based on the information that has been found so far, off-site backups would not have been affected by this infection as long as the location being backed up to is not mapped as a local drive for some strange reason.
  2. The steps described in this post are intended for those who have experience managing Microsoft Server systems. Please do not make any changes to your system if you are unsure of what you are doing, as you could cause major problems. Under no circumstance am I responsible for any damage that occurs to your data.
  3. Unfortunately, it appears that this particular infection deletes some types of files from the very beginning, such as Exchange and SQL database files. I’m honestly not sure what the best procedure would be to try and recover these files. The only suggestion I have is to run a program such as GetDataBack that has the ability to check for deleted files that haven’t been overwritten by the file system yet. Keep in mind that the more activity that occurs on the server, the less likely you are to have success with such a process. Therefore, I would suggest attempting this by connecting the server’s hard disk drives to another system and then running whatever recovery software you wish from that system.
  4. I am certainly not a virus removal expert, but I hope that the information I have learned through trial and error will help others. I will do my best to help everyone I can who is suffering from this particular infection. Please leave your feedback in the comments so that I can correct the information in this post as needed.
  5. There are some specific references to certain software products in this article. I do not have any affiliation with the companies or groups who produce such software, but their products have worked successfully for me while trying to remove this infection. Any software mentioned in the post is the property of their respective owners and they deserve the credit for their functioning.

 

Getting Started:

Let’s jump right into it. If you are reading this post, it is likely that the screen shown below is the first sign of an infection you came across, other than a loss of network connectivity. It states something to the effect of “the server has been used to access illegal content on the internet and was shut down by the ACCDFISA, an acronym for the Anti Cyber Crime Department of Federal Internet Security Agency.”

It then asks for $100 in order for the attacker to send you a code that allows you to access your system once again. After going through the executable file that causes this particular splash screen to load, I was able to recover a code that seems to successfully disable this screen from appearing at startup. However, I do not wish to publish it or the procedure involved in recovering this code at this time, as I cannot prove that inputting the code does not cause some additional problem, such as removing a security feature or enabling the infection to proceed further with some type of harmful action. The next steps should provide a perfectly adequate way to disable this initial screen and move forward with the virus removal.

 

Steps to Disable Initial Splash Screen:

  1. Download some type of live Windows disc that allows you access to the hard drive and allows you to make security setting changes to folders. My disc of choice was Hiren’s BootCD (download location: http://www.hirensbootcd.org/download/ ), which includes a bootable version of “Mini Windows XP”. After downloading the zip, extract it and burn the .iso file included to a disc using your favorite disc image burning utility. You will then want to insert the disc into the system and boot from it. In the first screen that appears after booting from the disk, select the second option in the list that states “Mini Windows Xp”.
  2. Once Mini Windows Xp has loaded, navigate to C:\ProgramData (which is a hidden folder) using My Computer. Right-click on the “local” folder and select properties. Next, select the Security tab and select “Advanced”. Now, uncheck “Inherit from parent the permission entries…”, click “Copy” when the next dialog box pops up, and then click “OK” to save these changes. You can now remove all users except for “SYSTEM”.  For the user “SYSTEM”, select “Deny” for the “Full Control” setting. This should prevent the splash screen from loading, as this folder contains the file that the splash screen loads from.
    Note 1: Some may ask why we are not just deleting this folder. There are two answers: (1) we may need some of the files in this folder later, and (2) this prevents any other virus-related service or executable from recreating the files in this directory.
    Note 2: JSnell, who has recorded his experience with this virus in a post on BleepingComputer.com, mentioned that he was able to perform these steps by booting into safe mode. The reason why I did not go that route is because we were not able to boot into safe mode on the originally infected machine. Also, based on looking through certain files that this virus executes, it appears that it attempts to disable the safe mode boot option.
  3. Next, click okay to exit the properties dialog and save the new security settings. Remove Hiren’s BootCD from the disc tray. You can now select “Shutdown” from the “Start” menu, select the “Restart” option from the drop-down menu, and then click “OK”. Allow the system to reboot into Normal mode.

 

Steps to Disable the Loading of Virus-Related Services and Startup Entries:

  1. Once the system has rebooted in Normal mode, log in using an administrative account so that registry entries can be edited.
    IMPORTANT: Now would be a perfect time to complete a backup of some sort if your backup software of choice is still functioning properly. If such software is not functioning properly, consider using the built-in backup function in Windows server or some other freeware option to create a successful backup. So far, I haven’t run into an issue with losing data at this point, but it is always better to be safe than sorry!
  2. Click on the “Start” menu and select “Run”. Open the registry editor by typing “regedit” and clicking “OK”
  3. BEFORE making any changes, be sure to backup the registry by selecting “Export…” from the “File” menu. Next choose the location where you would like the registry backup saved and type in a file name for it. BE SURE that the radio button next to “All” is selected in the “Export range” section at the bottom of the window. You can now click “Save”.
  4. The following entries now need to be removed from the registry. Right-click on each of the entries listed below and select “Delete”. When asked to confirm the deletion, select “Yes”.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\svchost
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiServiceSysHost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WdiServiceSysHost
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WdiServiceSysHost
    NOTE: You may receive an error when selecting the last two and when trying to delete them. Just click okay if the errors appear and still attempt to delete them.
  5. DO NOT SKIP THIS STEP. After completing the above step and exiting the registry editor, reboot the system. This should prevent the virus-related processes from starting once the reboot is complete.

 

Backing Up the Virus-Related Folders/Files:

  1.  VERY IMPORTANT. Log back on to the system after the reboot. Find and copy the following folders and files to a backup location of your choice. I would suggest creating a new folder to place them all in so that you do not misplace them. These folders and files will be absolutely crucial to recovering encrypted data if they turn out to be needed. I would even suggest copying these files to a second external location just in case something happens to the first copy. Here is the list of folders and files:
    • C:\ProgramData\local (This is a hidden folder. In order to copy this folder, you will have to double-click on it first and select “Take Ownership” or change the permissions manually before copying the folder. This is due to the fact that we took away our right to access this folder earlier when we booted into Mini Windows XP.)
    • C:\decrypt (this is a hidden folder)
    • C:\Windows\SysWOW64\dcomcnfgui.exe
    • C:\Windows\SysWOW64\ucsvcsh.exe
  2. The final file you need will most likely be called “sys100s.exe”. You will also need to back up this file along with the ones listed above. The only way to locate this file is to do a search of the C: drive, as it will probably be found in a user’s internet cache files (where Internet Explorer stores its temporary files). When running the search on the C: drive, I would suggest only searching for “sys100” and not including the final “s” or the “.exe” file extension, as it is possible that there may be different derivatives of this file whose filenames slightly vary.
    NOTE: Don’t worry about deleting any of the files from the C: drive at this time, as they should not be causing any problems. We will go back at the very end, once we have confirmed everything is resolved, and remove them.

 

Restoring TCP/IP Settings:

  1. At this time, the TCP/IP settings can be reset for whichever network adapters were affected. If you’re not sure of how to do this, proceed to the Control Panel, select Network and Internet, and then select Network Connections. Right-click on the network adapter of your choice and select Properties. Once the next dialog loads, select “Internet Protocol Version 4 (TCP/IPv4)” and then select “Properties”. In the dialog that follows, you should see that the IP address, default gateway, etc. have been changed by the virus. You can now change these options back to whatever static settings they should be, or select the radio buttons next to “Obtain an IP address automatically” and “Obtain DNS server address automatically”. Repeat this process if you have more than one adapter that was affected.

 

“Decrypting AES Files” (Extracting Password-Protected RAR Archives):

  • The attackers would love for you to think that all of your files have been encrypted using the AES algorithm. In reality, every file that has an .aes extension has been placed in its own password-protected RAR archive.
  • There is a “decrypter” program that is included with the virus. I have had mixed results running this program. One time it deleted files when I input files that I had recovered and another time it actually extracted the files back to their correct locations. However, for the same reason I did not provide a code for the initial splash screen, I will also not provide any of these codes, as it could cause permanent damage to your system.
  • If you just need to extract a couple of files using a RAR archive extractor, I’ll save you the trouble of reading through the next steps and tell you that the password that worked for me is the following: 1a2vn57b348741t92451sst0a391ba72
  • There is a chance that the password shown directly above and in Step 5 of this section is dynamically generated on each infected system. If this turns out to be the case, I will post instructions for how to find this password.

NOTE: I am completely aware that the process I describe below is extremely cumbersome. However, this is the easiest process I can think of at the moment. If you have a better idea of how to go about this process, please post it in the comments below and if I am able to verify that it works, I will modify this section.

  1. Download whatever RAR archive extractor you prefer and install it on the affected system. The only requirement is that it support password-protected archives (which may be all of them, I’m not sure). In our case, 7-zip File Manager worked well. It can be downloaded here: http://www.7-zip.org/ . The following steps will involve using 7-zip to extract the necessary files. The process will vary with other programs.
  2. Create a folder to make a copy of all of the archived files to. Also, create a folder somewhere to extract all the RAR archives to. These can be on the system itself or on an external device. Just be sure that the drive that these folders are located on is large enough to hold a copy of all of the archived and extracted files. It appears that the files were not compressed when they were placed into archives, so whatever size is shown in the search results (described below) is the size they will be when extracted.
  3. Open up Computer and continue to the root of whichever drive you wish to extract files from first. In the search box, type “*.aes” (without the quotation marks) and allow the search to fully complete. On the original infected system that I worked with, the search returned approximately 15,000 files and took about an hour to an hour and a half to complete.
  4. Once you are sure that the search has discovered all the archived files on that drive, select all of the files (CTRL + A) and copy the files (CTRL + C). Then navigate to the folder that you created in Step 2 that was created to hold a copy of all of the archived files. Paste (CTRL + V) the files into this folder.
  5. Open up 7-zip File Manager and navigate to the same folder that you just pasted all of the files into. Then select all (CTRL + A) of the files and click the Extract button near the top-left of the program window. In the dialog window that appears, set the “Extract to:” path to the folder that you created in Step 2 to extract files to. For “Path mode:”, select “Full pathnames” from the drop-down menu. In the password box, type in: 1a2vn57b348741t92451sst0a391ba72
  6. Select “OK” and wait for 7-zip to finish extracting all of the files.
  7. Once the extraction completes, navigate to the folder that you extracted to and select all (CTRL + A) of the folders and files. Copy (CTRL + C) the folders and files.
  8. Navigate to the root of the drive that you pulled the archives from and paste (CTRL + V) the folders and files there. (Be sure that you have enough space on the drive to paste all of the extracted files.) If you are asked if you want to merge folders, select “Yes”. If there are quite a few, I would check the “Do this for all current items” option.
  9. Steps 2 through 8 of this section will need to be repeated for each drive that needs files recovered from it.
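The search, copy, extract and paste-back procedure above (steps 2 through 9) as one script, added here as an example and not the post's own tooling or 7-Zip's: it extracts each .aes archive into the folder it already sits in, which puts the files back where they belong without the intermediate copies, and deletes an archive only when 7-Zip reports success and you ask it to. Assumed: 7-Zip installed at the default path below, the password quoted in the post, and a constructed log file name.

```powershell
# Added example (not from the post or 7-Zip): extract every *.aes archive
# under a drive in place, checking 7-Zip's exit code before touching the
# original. Nothing is deleted unless -RemoveArchives is given, and then
# only for archives that extracted cleanly.
param(
    [Parameter(Mandatory = $true)][string]$Root,                 # e.g. 'D:\'
    [string]$Password = '1a2vn57b348741t92451sst0a391ba72',      # password from the post
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',         # assumed install path
    [string]$LogPath  = (Join-Path $Root 'accdfisa-extract.log'), # constructed default
    [switch]$RemoveArchives
)

if (-not (Test-Path $SevenZip)) { throw "7z.exe not found at $SevenZip" }

function Expand-AesArchive {
    param([System.IO.FileInfo]$Archive)
    $dest = $Archive.DirectoryName
    # 'e' extracts without stored paths into -o<dir>, so the file lands next to
    # its .aes archive; '-aos' skips files that already exist, which makes a
    # second run harmless; '-y' suppresses prompts.
    & $SevenZip e "-p$Password" "-o$dest" -aos -y $Archive.FullName | Out-Null
    $code = $LASTEXITCODE
    $result = New-Object PSObject -Property @{
        Archive  = $Archive.FullName
        ExitCode = $code          # 0 = ok, 1 = warning, 2 = fatal (wrong password, damaged)
        Removed  = $false
    }
    if ($code -eq 0 -and $RemoveArchives) {
        Remove-Item -LiteralPath $Archive.FullName -Force
        $result.Removed = $true
    }
    return $result
}

# -Force includes hidden and system items: the infection hid its own folders,
# and user data beneath hidden folders would otherwise be missed.
$archives = Get-ChildItem -Path $Root -Filter '*.aes' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$results = foreach ($a in $archives) {
    $r = Expand-AesArchive $a
    # One line per archive: path, tab, 7-Zip exit code.
    Add-Content -Path $LogPath -Value ("{0}`t{1}" -f $r.Archive, $r.ExitCode)
    $r
}

$ok   = @($results | Where-Object { $_.ExitCode -eq 0 }).Count
$fail = @($results | Where-Object { $_.ExitCode -ne 0 }).Count
"Archives found: {0}  extracted: {1}  failed: {2}  (log: {3})" -f @($archives).Count, $ok, $fail, $LogPath
if ($fail -gt 0) {
    "Non-zero exit codes usually mean the password differs on this system; those .aes files were left in place."
}
```

Run it once per drive from an elevated PowerShell prompt, first without -RemoveArchives, and only delete the archives after checking a sample of the extracted files.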

 

Final Steps / Cleanup:

  1. I would suggest rebooting the system at this point just to make sure that everything is in working order.
  2. If you are positive that all of your files have been successfully extracted and put back in their place, you can once again search each drive for all of the .aes files, select them all, and delete them.
  3. You can now delete the virus-related folders and files that you made a copy of in the section “Backing Up the Virus-Related Folders/Files”. These no longer serve a purpose by staying on your system. However, I would not delete the backup of these files that you made, just in case it is needed.

 

Afterthoughts:

  • No one seems to be sure what exactly initiates the download of the sys100s.exe file that begins the visual activities of the virus and archives files on the system. The only way to be 100% sure that the virus is removed from your system is to reinstall your edition of Windows Server. I’m hoping that we can soon track this virus back further and find exactly what the root cause/security flaw is that is allowing such an infection through. One theory so far is that there could possibly be a keylogger that is capturing user credentials. This is based on the fact that Joe P., who wrote the previous post on this blog concerning this RansomWare infection, was able to see in his client’s server logs where a successful login occurred right before the symptoms of the virus began appearing. It is obviously very concerning that there was not a failed login attempt before this successful one. I will attempt to keep everyone updated if I learn any more information about this infection.
  • Please leave your feedback and comments below, as this is the only way I have of knowing that the removal process is working successfully for others. I apologize if I have gone into way too much detail in this post, but I am just trying to put out as much information as I can about this infection so that hopefully it helps as many people as possible.

 

31 Responses to “ACCDFISA – RansomWare – Removal Notes + More”

  1. Larry says:

    In my case a keylogger was most likely not used. Based on our security event logs for the server, they got into our 2008 TS via the local admin account which nobody ever uses to log in with.

    • Timothy T. says:

      Do your logs happen to show any failed login attempts to that local admin account or any other account around that same time?

      • Larry says:

        After taking some time to learn how to filter the event logs by elements of the content of the detail, the security event logs clearly revealed 2 things: 1) this infection involved a brute force attack from multiple locations over a period of 4 days, and 2) those locations must have shared data because 3 different locations were able to penetrate without ever having first failed. It’s also interesting how attacks from 8 of the 20 IPs had exactly 561 failed attempts followed by 1 successful penetration. The summary data follows:

        Brute force attempts ranged from 2/18, 10:16:58am -> 2/22, 4:19:02am
        Successful penetrations ranged from 2/19, 12:40:21am -> 2/22, 4:19:12am

        178.178.19.91 (Russia) – 0 failed attempts – 7 penetrations
        64.191.42.11 (United States) – 0 failed attempts – 1 penetration
        178.75.127.183 (Russia) – 0 failed attempts – 1 penetration

        211.115.71.89 (Seoul, Korea) – 561 failed attempts – 1 penetration
        125.7.234.165 (Korea) – 561 failed attempts – 1 penetration
        78.178.61.102 (Ankara, Turkey) – 561 failed attempts – 1 penetration
        96.54.8.141 (Vancouver, Canada) – 561 failed attempts – 1 penetration
        83.235.176.56 (Athens, Greece) – 561 failed attempts – 1 penetration
        58.210.79.242 (Zhejiang, China) – 561 failed attempts – 1 penetration
        93.109.249.38 (Nicosia, Cyprus) – 561 failed attempts – 1 penetration
        173.14.125.157 (Richmond, Virginia) – 561 failed attempts – 1 penetration
        72.32.84.87 (Ft. Lauderdale, Florida) – 88 failed attempts – 1 penetration
        220.189.255.61 (Zhejiang, China) – 19 failed attempts – 1 penetration
        65.102.121.203 (Great Falls, Montana) – 3 failed attempts – 1 penetration

        69.176.116.178 (Meridian Mississippi) – 53 failed attempts – 0 penetrations
        178.75.102.78 (Russia) – 3 failed attempts – 0 penetrations
        188.212.152.9 (Romania) – 2 failed attempts – 0 penetrations
        93.114.46.160 (Bucuresti, Romania) – 1 failed attempt – 0 penetrations
        93.114.46.158 (Bucuresti, Romania) – 1 failed attempt – 0 penetrations
        213.234.213.246 (Moscow, Russia) – 1 failed attempt – 0 penetrations

        The last one to penetrate before all the successful logon events stopped was 220.189.255.61 (Seoul, Korea), but I suspect that the infection was actually installed from 178.178.19.91 (Russia) who had 7 penetrations spanning 2/19, 3:56:24pm -> 2/22, 2:50:49am and who was the second to the last to penetrate.

        • Larry says:

          It also appears that the following list of accounts were referenced during the brute force attempts. Of them, only ServerName\administrator and ServerName\guest actually exist and the guest account is disabled.

          RECEPTION\Administrator
          ServerName\1
          ServerName\123
          ServerName\Administrator
          ServerName\Guest
          ServerName\a
          ServerName\actuser
          ServerName\adm
          ServerName\admin
          ServerName\admin1
          ServerName\admin2
          ServerName\aspnet
          ServerName\backup
          ServerName\console
          ServerName\daniel
          ServerName\david
          ServerName\james
          ServerName\john
          ServerName\michael
          ServerName\mike
          ServerName\office
          ServerName\owner
          ServerName\pos
          ServerName\pos1
          ServerName\pos2
          ServerName\pos3
          ServerName\pos4
          ServerName\robert
          ServerName\root
          ServerName\sale
          ServerName\sales
          ServerName\scanner
          ServerName\server
          ServerName\sql
          ServerName\staff
          ServerName\support
          ServerName\support_388945a0
          ServerName\sys
          ServerName\test
          ServerName\test1
          ServerName\test2
          ServerName\test3
          ServerName\user
          ServerName\user1
          ServerName\user2
          ServerName\user3
          ServerName\user4
          ServerName\user5
          TOSHIBA\administrator
          administrator
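A way to produce the per-address summary Larry compiled by hand, added here as an example that is not part of the original post or of any comment: it reads the Security log for logon success (4624) and failure (4625) events and groups them by source address and account. It assumes Windows Server 2008 or later event IDs and an elevated PowerShell session; the 7-day window, the failure threshold and the report path are constructed defaults.

```powershell
# Added example (not from the post or comments): tally RDP logon failures and
# successes per source address from the Security log. Assumes Server 2008 /
# 2008 R2 or later (events 4624 / 4625); run elevated, since reading the
# Security log needs administrative rights.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),                             # constructed default
    [int]$FailThreshold = 5,                                               # constructed default
    [string]$ReportPath = "$env:USERPROFILE\Desktop\rdp-logon-summary.csv" # constructed default
)

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    # EventData holds <Data Name="...">value</Data> elements; pick one by name.
    foreach ($d in $Xml.Event.EventData.Data) {
        if ($d.Name -eq $Name) { return $d.'#text' }
    }
    return $null
}

# Only logon success/failure events inside the window. Logon type is checked
# after parsing: 10 = RemoteInteractive (RDP); when Network Level Authentication
# is enabled, failed RDP attempts are recorded as type 3 (Network) instead.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$summary = @{}
foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    if (@('10', '3') -notcontains (Get-EventField $x 'LogonType')) { continue }
    $ip = Get-EventField $x 'IpAddress'
    if (-not $ip -or $ip -eq '-') { continue }   # console/local logons carry no address
    if (-not $summary.ContainsKey($ip)) {
        $summary[$ip] = New-Object PSObject -Property @{
            IpAddress = $ip; Failed = 0; Succeeded = 0
            FirstSeen = $ev.TimeCreated; LastSeen = $ev.TimeCreated; Accounts = @()
        }
    }
    $row = $summary[$ip]
    if ($ev.Id -eq 4625) { $row.Failed++ } else { $row.Succeeded++ }
    if ($ev.TimeCreated -lt $row.FirstSeen) { $row.FirstSeen = $ev.TimeCreated }
    if ($ev.TimeCreated -gt $row.LastSeen)  { $row.LastSeen  = $ev.TimeCreated }
    $acct = Get-EventField $x 'TargetUserName'
    if ($acct -and $row.Accounts -notcontains $acct) { $row.Accounts += $acct }
}

# Flag addresses that eventually logged on after repeated failures. A success
# from an address with no prior failures (the pattern Larry saw from three
# addresses) is not flagged automatically, so review every row with
# Succeeded > 0 from an address you do not recognise.
$report = $summary.Values | Sort-Object Failed -Descending |
    Select-Object IpAddress, Failed, Succeeded, FirstSeen, LastSeen,
        @{ n = 'Accounts';   e = { $_.Accounts -join ';' } },
        @{ n = 'Suspicious'; e = { $_.Succeeded -gt 0 -and $_.Failed -ge $FailThreshold } }

$report | Export-Csv -NoTypeInformation -Path $ReportPath
$report | Format-Table IpAddress, Failed, Succeeded, Suspicious -AutoSize
"Addresses: {0}  flagged: {1}  report: {2}" -f @($report).Count, @($report | Where-Object { $_.Suspicious }).Count, $ReportPath
```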

  2. Marcin Wisniowski says:

    Hallelujah!

    All is saved. This worked better than a love charm! There is a river of thanks flowing from Mt. Everest unto your hands Tim. Thank you!

  3. Marcin Wisniowski says:

    In my client’s case it was a brute force attack. I found logs of a multitude of failed Terminal Server logon attempts preceding a successful logon. The password and username were categorically weak: admin and Password1 respectively. I’ve also found DUBrute on the desktop suggesting that they, at least, have planned to instigate further attacks from this computer.

    • Joe P. says:

      Marcin, I’ve been going through the security logs on a few other servers and pulled IP addresses of some of the attack sources. Each of the five I just pulled have open RDP ports. It does look like they’re using compromised terminal servers to run the DUBrute scans. The failed logon names I pulled were identical across multiple server logs…

    • Joe P. says:

      Marcin,

      Did you happen to find the password list that was used by the DUBrute software? I watched some of the videos on YouTube and see that it has an IP list, a username list, and a password list that it attacks with. It logs successful results to a text file on the system. I’m interested if there was a password file on the server with dubrute.exe.

  4. Joe P. says:

    There was a brute force attack about two days before the infection. However, the password that was used was eleven characters long and had all four complexities. The attack went on a few hours and then would stop for a few more. This went on for nearly two days with the source IP changing between separate attacks. It is easy to say that someone had a list of addresses where port 3389 was open and began a brute force attack. I wonder just how the password would have been in a password list…

  5. Marcin Wisniowski says:

    I have developed a short and easy way to automate the decryption process. You need to make sure that you have 7zip installed and the 7z.exe executable in the %PATH% or that you provide a full path to the executable in the following command:

    for /f "tokens=*" %i in ('dir *.aes /a /b /s') do cd "%~pi" & 7z.exe e -p1a2vn57b348741t92451sst0a391ba72 "%i" & del /q "%i"

    This needs to be run from a command line run as administrator once from the root of every drive where the encrypted files reside.

    This does not do any error checking…if needed you can slap:
    & echo %i %errorlevel% >> decrypt.log

    It will create decrypt.log in the directory from which the command is run, presumably the root of a drive, and record the file name and affix a 0 for success and 1 for failure.

    This will also delete the encrypted file after it has been decrypted/extracted ( del /q “%i” ). If you want to be on the safe side you can remove that, but make sure you have enough space to accommodate the files to be extracted.

    And once more…Thank you Tim!

  6. Sorry I have not responded sooner, but I did analyze the samples I received, but was away. Writing up a formal guide on removing this was not possible over my limited connection. I put up a guide a few minutes ago on how to remove this malware.

    http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

    Some extra notes not included in your guide that visitors should be aware of:

    The Control Code to disable the login screen before the desktop shows is 7534919801679213. So that should make it easier than have to use a bootable image/cd of some sort.

    This infection attempts to remove the SafeBoot key, which makes it so you can’t access safe mode. This didn’t have an effect on some newer OSes when testing, but caused XP and Win 2000 to blue screen when attempting to access Safe mode. That SafeBoot key should be restored.

    I also outlined a similar method as those described by Marcin using winrar. I use a slightly different method, but for the most part they are the same.

    I also created three batch files that can be used to automate this a bit:

    http://download.bleepingcomputer.com/bats/kill-accdfisa.bat – This will shutdown and delete the services and kill the RUN entry.

    http://download.bleepingcomputer.com/bats/decrypt-aes.bat – This will perform a similar step as the one Marcin described.

    http://download.bleepingcomputer.com/bats/archive-aes.bat – This will archive any AES files found on the drive and move them to \aes-backup folder.

    Great job everyone on beating this one!

    • Timothy T. says:

      Thanks so much Lawrence for the very comprehensive guide! I will add a link to your post over at Bleeping Computer at the very top of this one shortly. I definitely speak for everyone when I say thank you for spending the time to analyze this infection.

      • Matt says:

        Timothy,
        I seem to have gotten a new strain of this virus today. It is similar but slightly different screenshots and verbiage. Also, the Rar password provided is not working. How did you come up with the Rar Password? I am totally stuck here.
        Thanks!

  7. They may have randomized it then.

    Whatever infection files you can find. If you have a sample encrypted file and the malware files themselves, it would be helpful in analysis.

    Any files located here?

    C:\ProgramData\local\

    If so, I need all of them.

  8. Also if you submit samples, please include your email in submission comments so I can get back to you.

    • Matt says:

      Lawrence,
      Unfortunately the server is at a remote location and it just shut down on its own so I lost connectivity. Someone is bringing it to my location tonight so I will be able to send you more files and info. I will upload the one rarred file that I had copied off to another machine.
      Thanks,
      Matt

  9. Matt says:

    Larry,
    I am uploading the virus files now as well as some of the data files that were “encrypted”.
    Thanks!

  10. Mattb says:

    I have the same thing that Matt has. I got it this morning too. There is nothing in the program data folder. This thing is ridiculous! Mine is on a 2k3 server. The best I’ve been able to do today was to get it to boot into safe mode with networking. I was able to get a valid IP and get it online in safe mode, but once I rebooted I was right back to the splash screen. None of the files in this guide are there.

  11. Brannon says:

    All,

    The ones referencing the new strain may be talking about this one which hit our server as well Sunday night. We basically had to perform a fresh install using new drives and load backups.

    http://www.bleepingcomputer.com/forums/topic446111.html

    • Tony says:

      HELP!

      This ransomware hit my document management server. When I use the password the document said to use it comes back as wrong password. How can I find out the password?

      • Thanks to Arief Prabowon of Emsisoft, we can now retrieve the passwords.

        Please contact me at http://www.bleepingcomputer.com/contactus.php with your reference number from decrypt.exe so I can send the password to your email.

        • Bilal says:

          The passwords are not working for us to open the Rar files.
          I have no decrypt.exe program.
          The server where this issue was reported has been formatted; however, I have the data folder that I’m interested in fixing.

          How do I go about finding the password?
          Any tool? Or should I send you one of the .dat files to examine? But the issue is, would this be a different password for each file, or ONE password within one server?

          • Tony says:

            I am in the same boat as Bilal. I have no Decrypt.EXE

            I have NOT formatted my drive however. Can anybody help?

  12. Jason says:

    I had this happen on a server at my house. Sad to say I formatted C: before getting anything off of it. I did not realize that it had rared anything. Only now that I have removed all traces did I find that all of my family pictures on a second drive have been renamed and rared. I have tried the two passwords that I could find on the web and neither work to extract the files. If anyone can offer any assistance I would be eternally in your debt. This is the worst possible thing next to deletion that could have happened to this drive.
