All Activity

This stream auto-updates     

  1. Today
  2. Unfortunately, the note on the purchase of JURASIK-DECRYPT was not provided, nor here, nor on the BC forum.
  3. Hello, I'm very interested to know if EAM protect me enough against cryptocurrency mining malware ? I only find this old this old blog (October,11, 2017) https://blog.emsisoft.com/en/28817/cryptocurrency-mining-malware/, but I don't know if since this date there are some changes ?
  4. ANY NEWS MR GT500 OF A SOLUTION TO MY PROBLEM...
  5. My computer infected filename.fedasot Please help me for resolving this ransomware. I find tool but not
  6. How u decrypt this file extension?
  7. i run another scan with frst64 asyou say so last scan file is attach with with t his rply FRST.txt
  8. So now i have to run scan with frst64 or press fix button
  9. As Amigo-A said, that is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter Also, while most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be split into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  10. OK, good. That fix appears to have been more successful. Let's verify that it removed everything by running another scan with FRST. If everything has gone well, the logs should show no further signs of infection.
  11. See the quoted information below:
  12. Yesterday
  13. Yes, the system is infected and we need to deal with the infection. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. ( ) [File not signed] C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe () [File not signed] C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION HKU\S-1-5-21-1467488971-3136232132-3031571334-1000\...\Run: [1033734] => C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe [991555 2019-05-23] ( ) [File not signed] HKU\S-1-5-21-1467488971-3136232132-3031571334-1000\...\Run: [KGFRH26AKSJ39OR] => "C:\Program Files\PIMTW8AM7I\PIMTW8AM7.exe" GroupPolicy: Restriction - Chrome <==== ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION Task: {094B6384-D554-4918-BBB7-9AEA4F942DFA} - \SaFubZhGCfsOVm -> No File <==== ATTENTION Task: {3F8B2663-3794-4E76-8548-B1C54F4443EB} - \nTrHDwdmtxKxoszUObi2 -> No File <==== ATTENTION Task: {B95B24C6-7EDF-4861-B750-D0C7078FEBA1} - \OUpEptiVIdUqL2 -> No File <==== ATTENTION Task: {BA02737B-86B2-45E9-B022-4AB49D85FD1A} - System32\Tasks\TmSipvT => C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\TmSipvT\TmSipvT.dll",TmSipvT <==== ATTENTION Task: {CF1A735C-A113-476A-9BD8-D983A9BB52C8} - \fstZwSPTafElMco2 -> No File <==== ATTENTION Task: {F2F57705-35E2-4C58-8E22-09A36610E517} - \fizLPSktsROBAcwlw2 -> No File <==== ATTENTION SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = FF Plugin: @microsoft.com/GENUINE -> disabled [No File] FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File] 2019-05-23 16:07 - 2019-05-25 05:58 - 000000000 ____D C:\Program Files\PIMTW8AM7I 2019-05-23 16:07 - 2019-05-23 16:07 - 000000000 ____D C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr 2019-05-23 15:57 - 2019-05-23 15:57 - 000003574 _____ C:\Windows\System32\Tasks\{3D41FDB2-4320-4EFD-9FC9-83A72ED3A206} 2019-05-23 15:50 - 2019-05-25 06:17 - 000016694 _____ C:\Windows\System32\Tasks\TmSipvT 2019-05-23 15:50 - 2019-05-20 14:29 - 000000000 ____D C:\Program Files (x86)\TmSipvT 2019-05-23 15:41 - 2019-05-25 05:57 - 000000000 ____D C:\Program Files\ZDNkYWMzZmFlNjJhNW 2019-05-23 15:38 - 2019-05-23 15:38 - 000000000 ____D C:\ProgramData\{BAD27D28-BDC4-637D-BCA0-FEEFBC47A7BE} 2019-05-23 15:38 - 2019-05-23 15:38 - 000000000 ____D C:\ProgramData\{419F7D00-BDEC-9830-94A0-B3149447EA45} 2019-05-22 03:43 - 2019-05-22 03:43 - 000000000 ____D C:\Users\ztl\Desktop\DDR - Memory Card Recovery Crack 2019-05-22 03:42 - 2019-05-23 16:07 - 000000000 ____D C:\Users\ztl\Desktop\DDR - Memory Card Recovery_Crack 2019-05-22 03:41 - 2019-05-22 03:42 - 000682246 _____ C:\Users\ztl\Downloads\DDR - Memory Card Recovery_Crack.zip 2019-04-30 01:51 - 2019-04-30 01:51 - 000000000 ____D C:\ProgramData\{72278A76-2A4C-36A0-3437-23BA34D07AEB} 2019-04-30 01:51 - 2019-04-30 01:51 - 000000000 ____D C:\ProgramData\{4F5FE989-49B3-0BD8-CB54-5B87CBB302D6} 2019-04-29 06:38 - 2019-04-29 06:38 - 000000000 ____D C:\4550e16ef551f1e2e5586a58faa2 2019-04-29 06:11 - 2019-04-29 06:11 - 000000000 ____D C:\1505a9811e8dc1099c1ee0701832 2019-05-23 16:07 - 2019-05-23 16:07 - 000991555 _____ ( ) [File not signed] C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe 2019-05-23 15:50 - 2019-05-20 14:29 - 003090944 _____ () [File not signed] C:\Program Files (x86)\TmSipvT\TmSipvT.dll 2019-05-25 05:59 - 2008-10-15 16:44 - 000205312 _____ () [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\itdownload.dll 2019-05-25 05:59 - 2019-05-25 05:59 - 000715776 _____ () [File not signed] C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp 2019-05-25 05:59 - 2016-04-17 19:16 - 000221184 _____ (Mitrich Software) [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\idp.dll 2019-05-25 05:59 - 2017-05-03 11:31 - 000043520 _____ (Vincenzo Giordano) [File not signed] C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\psvince.dll C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr\wepgwdgyb2x.exe C:\Users\ztl\AppData\Roaming\ci4pu1lgfyr C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp\wepgwdgyb2x.tmp C:\Users\ztl\AppData\Local\Temp\is-5AQ5N.tmp C:\Program Files\PIMTW8AM7I\PIMTW8AM7.exe C:\Program Files\PIMTW8AM7I C:\Program Files (x86)\TmSipvT\TmSipvT.dll C:\Program Files (x86)\TmSipvT C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\idp.dll C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\itdownload.dll C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmp\psvince.dll C:\Users\ztl\AppData\Local\Temp\is-17UKO.tmpClose Notepad. NOTE: It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version.
  14. To identify the Ransomware and confirm my information, you can use the service ID Ransomware. He will give you a link to the support topic on the BleepingComputer forum, you need to read the first post of the topic and inform the requested information there or here - Mac-address of network device.
  15. This variant of STOP Ransomware with .rectot extension appeared 3 days ago. See my posts and post GT500 in next topic - in the same order. This also applies to your case. It's first best to check PC and make sure that no malware components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it. Let us know about the results.
  16. WELA Hello. This is also the result of the STOP Ransomware attack. The variant with .forasom extension was spreaded before (since May 6, 2019) See my posts above and post GT500 - in the same order. This also applies to your case.
  17. Could you help me? My data has lost by .forasom? I really need your help, thank you
  18. hi How to remove Rectot ransomware or How to encrypt the files that are the ransomware rectot encrypt my file feeds? https://malwaretips.com/blogs/remove-rectot/
  19. scan_190525-055127.txtFRST.txtAddition.txt
  20. I don't see any leftovers from the STOP/Djvu ransomware, however I do some some files related to pirated software that I highly recommend getting rid of.
  21. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.
  22. Hopefully it won't be much longer before he's able to find the offline ID and key for this variant of STOP/Djvu.
  23. Last week
  24. I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future.
  25. You may have already seen this, but Demonslay335 on the BleepingComputer forums said that this is JSWorm 2.0, and that our decrypter for it has been updated: https://www.bleepingcomputer.com/forums/t/698141/jsworm-ransomware-jsworm-jurasik;-jsworm-decrypttxt-support/#entry4792780 You can find the decrypter here: https://www.emsisoft.com/decrypter/jsworm-20
  1. Load more activity
  • Newsletter

    Want to keep up to date with all our latest news and information?

    Sign Up