[DanielX]

Hello,

I have a computer (Acer) here who has a MBRlock ransomware infection. When I booted the system I got a black screen with orange letters in English and something that looked like Italian. I tried the Kaspersky Rescue Disk to remove this MBRLock. Kaspersky said that the Trojan-Ransom.Boot.Mbro.d was desinfected. I rebooted the system. Acer Recovery is now the only partition that is able to boot.

Trying stuff like bootrec.exe /rebuildbcd returns a message: Windows installations found: 0.
/fixmbr and /bootfix doens't work either.

When I use a Linux LiveCD or the Kasperksy Rescue Disk filemanager I can browse through all files on what is (in Windows terms) C:\ (ACER) and what is D:\ (DATA). On the DATA partition I found a .txt-file named: HOW TO DECRYPT FILES.txt

Attention! All your files are encrypted!
You are using unlicensed programms!
To restore your files and access them,
send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail Koeserg@gmail.com. During the day you receive the answer with the code.

You have 5 attempts to enter the code. If you exceed this
of all data irretrievably spoiled. Be
careful when you enter the code!

With Ubuntu Live a made a back-up of the MBR. I was wondering if somebody can adjust it so Windows Vista can boot again?
I added the MBR als an attachment.

Thanks in advance,

Daniel

[360Tencent]

http://news.drweb.com/show/?i=2356&lng=en&c=14

[EP_X0FF]

With Ubuntu Live a made a back-up of the MBR.

Backup of what? Original MBR before infection and "removal" or after?

[Blitskrieg]

Hello.

Probably important Acer boot data was damaged by mbr trojan (there were precedents). You could try to use fixmbr.

[markusg]

he has used fixmbr.

[Blitskrieg]

he has used fixmbr.

But attached MBR-backup contains non-standard Acer boot code.

[Maxstar]

FYI: Ransomcrypt Decryption Script
http://www.f-secure.com/weblog/archives/00002349.html