Leaderboard


Popular Content

Showing content with the highest reputation since 12/26/19 in Posts

  1. 2 points
    @Amigo-A All variants of ChernoLocker do not leave a ransom note. It is a Python compiled script that just displays a message box when done, and opens a URL in the browser.

    ```python
    # Fragment of the decompiled ChernoLocker script, as quoted in the post.
    # The token's "gAAAAA" prefix is the Fernet format marker, so `f` is
    # presumably a cryptography.fernet.Fernet instance built earlier in the
    # script; the key is not shown here.
    import webbrowser
    import win32ui

    url = f.decrypt('gAAAAABd5uHecSzXalJbhS48cQlhKynkcDotLAv8c3TD0jBkUvDQb-Z5snS7XgONHXqiNd5Czd94vCQix280kyHSjNnAwzgl66vYj_-YyTtPnNxTN3YjP-tZdQtd1bqe1WyRwrD-2m0xvruurd37CbHVSf2cTy-yCDCTN-MadttLITlVisEFMcKstpwHOUi-KV6YZ-7MmWcz2aaB1WmgSDNs_SN2buoKTg==')  # url = 'https://platinumdatasolutionsltd.co.ke/wp-content/uploads/2018/11/landing-screenshot-img-9-768.jpg'
    webbrowser.open_new_tab(url)
    win32ui.MessageBox("All Your Files have now been encrypted with the strongest encryption\nYou need to purchase the encryption key otherwise\nyou won't recover your files\nRead the Browser tab on ways to recover your files\nMake Sure you dont loose this Email as you it will be loosing it will be fatal \nWrite it in a notepad and keep it safe \nEmail: [email protected]", 'YOUR FILES HAVE BEEN ENCRYPTED')
    ```

    @Raúl Try re-downloading the decryptor for v1.0.0.2 now. I've added support for your variant.
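The token passed to f.decrypt() in the post above is a Fernet token (the "gAAAAA" prefix is the base64 of the 0x80 version byte), and most of a Fernet token is readable without the key: the version, a big-endian creation timestamp, the IV and the HMAC tag are all in the clear; only the AES-CBC ciphertext is not. The following Python is an added example, not code from the post, from ChernoLocker or from Emsisoft. It pulls those fields out of the quoted token using the standard library only, which dates when the string was encrypted (i.e. when that build was assembled) and bounds the plaintext length, and it checks a candidate key's HMAC once a key is recovered from the script. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# The Fernet token quoted from the decompiled ChernoLocker script above.
CHERNOLOCKER_TOKEN = (
    "gAAAAABd5uHecSzXalJbhS48cQlhKynkcDotLAv8c3TD0jBkUvDQb-Z5snS7"
    "XgONHXqiNd5Czd94vCQix280kyHSjNnAwzgl66vYj_-YyTtPnNxTN3YjP-tZ"
    "dQtd1bqe1WyRwrD-2m0xvruurd37CbHVSf2cTy-yCDCTN-MadttLITlVisEF"
    "McKstpwHOUi-KV6YZ-7MmWcz2aaB1WmgSDNs_SN2buoKTg=="
)

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16   # version || timestamp || IV
TAG_LEN = 32              # HMAC-SHA256 over everything before it


def parse_fernet_token(token: str) -> dict:
    """Split a Fernet token into its fields; no key needed.

    Layout (Fernet spec): version(1) || timestamp(8, big-endian seconds)
    || IV(16) || AES-128-CBC ciphertext || HMAC-SHA256(32).
    """
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < HEADER_LEN + TAG_LEN or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    ciphertext = raw[HEADER_LEN:-TAG_LEN]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {
        "version": raw[0],
        "timestamp": timestamp,
        "created": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "iv": raw[9:HEADER_LEN],
        "ciphertext": ciphertext,
        "tag": raw[-TAG_LEN:],
        "signed": raw[:-TAG_LEN],   # the bytes the HMAC covers
    }


def plaintext_len_range(token: str) -> tuple:
    """(min, max) plaintext length implied by PKCS#7 padding of the ciphertext."""
    n = len(parse_fernet_token(token)["ciphertext"])
    return (n - 16, n - 1)


def verify_fernet_token(token: str, key: str) -> bool:
    """Test a candidate Fernet key (e.g. one recovered from the script) against the HMAC.

    A Fernet key is 32 url-safe-base64 bytes: the first 16 are the HMAC signing
    key, the last 16 the AES key. True means the key is right and
    cryptography.fernet.Fernet(key).decrypt(token) will return the plaintext.
    """
    key_bytes = base64.urlsafe_b64decode(key)
    if len(key_bytes) != 32:
        raise ValueError("Fernet keys are 32 bytes")
    parts = parse_fernet_token(token)
    expected = hmac.new(key_bytes[:16], parts["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["tag"])


if __name__ == "__main__":
    p = parse_fernet_token(CHERNOLOCKER_TOKEN)
    print("string encrypted at", p["created"])             # 2019-12-03T22:29:50+00:00
    print("ciphertext bytes:", len(p["ciphertext"]))       # 112
    print("plaintext length in", plaintext_len_range(CHERNOLOCKER_TOKEN))  # (96, 111)
```

On the quoted token the timestamp decodes to 2019-12-03T22:29:50 UTC and the ciphertext is 112 bytes, i.e. a PKCS#7-padded plaintext of 96 to 111 bytes, which fits the 98-character URL noted in the analyst's comment. Once the key is located in the decompiled script, cryptography.fernet.Fernet(key).decrypt(token) returns that URL directly.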
  2. 2 points
    @ferko85 Let's deal with the active malware infection before attempting to recover your files.

    Download to your Desktop: Farbar Recovery Scan Tool

    NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    NOTE: If you are unable to download FRST from the infected system, FRST can be saved to and run from a USB flash drive.

    Run Farbar Recovery Scan Tool (FRST):
    Double-click to run it. When the tool opens, click Yes to the disclaimer.
    NOTE: DO NOT change any of the default settings. If you do, we will just close your logs and ask for new ones run with FRST's default settings.
    Press the Scan button.
    Farbar Recovery Scan Tool will produce the following logs:
    FRST.txt
    Addition.txt
  3. 1 point
    Good morning, good afternoon or good evening, friends. I would appreciate some help: my files were encrypted by the "ransomware" on the 19th of this month, and I have already run the Emsisoft kit on the PC. It turns out that the files (image, video and text) are still encrypted with the extensions "KODC" and "NOSU". The key that was added by the users for this information is: 0197nTsddWz89FpQxEfauas77thXAVHplctS6hWM5M3QvtYdI. They demand a payment of US$499, which has already gone up to US$980! Thank you.
    Fixlog.txt FRST.txt Addition.txt
  4. 1 point
    I am also waiting for this "kodc" and "nosu" problem to be solved.
  5. 1 point
    I have the same virus on my computer. I wish the solution to be found as soon as possible.
  6. 1 point
    We had a similar report in the BleepingComputer ransomware forum by one @wpuerta. Demonslay thought it was because he wasn't connected to the internet while running the decrypter. I tried running the decrypter on some files with internet disconnected and got this error for each file: File: C:\Users\LDH\Pictures\Test\.MKOS with Offline Keys\NOTULEN RAPAT 26 Agustus 2019.pdf.mkos Error: The remote name could not be resolved: 'decrypter.emsisoft.com' This is what I would have expected in such a case.
  7. 1 point
    That's a newer variant, not an older variant. I assume the decrypter told you otherwise? We're looking into why the decrypter is making that mistake; however, our assumption at the moment is that it is defaulting to saying that when it can't connect to our database.
  8. 1 point
    As an addendum to what I said above, the loadpoints for the ransomware were missing in the log, and were more than likely already removed by the decrypter (it doesn't delete the ransomware, but will prevent it from running again).
  9. 1 point
    Don't worry about that. It's more important to run the fixlist with FRST. If anything new gets installed, Kevin will deal with it in the next log.
  10. 1 point
    Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

        C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe
        C:\Users\Pichau\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242
        C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2\dreamtrips_mix1.exe
        C:\Users\Pichau\AppData\Local\Temp\54qaqikdlt2
        C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\0ZnTo1JjqgmJNDsv8MsX.exe
        C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5\eJw05ABKDl=.exe
        C:\Users\Pichau\AppData\Local\Temp\S5fX7jAo5
        C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf\fish.exe
        C:\Users\Pichau\AppData\Local\Temp\ekdbia10oqf
        C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln\ytbticket.exe
        C:\Users\Pichau\AppData\Local\Temp\ha240abk4ln
        C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim\forinstalls.exe
        C:\Users\Pichau\AppData\Local\Temp\w0wicrk1rim
        C:\Windows\windows.vbs

    Close Notepad.
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
    IMPORTANT: Save all of your work, as the next step may reboot your computer.
    Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
    NOTE: If the tool warns you about an outdated version, please download and run the updated version.
    Also, let me know how the machine is running now, and what remaining issues you've noticed.
  11. 1 point
    @Reggia99 Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

        (Psiphon Inc. -> ) C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
        HKU\S-1-5-21-2733843967-2851411726-668708617-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
        2020-01-24 11:54 - 2020-01-24 11:58 - 006978160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe
        2020-01-24 11:54 - 2020-01-24 11:55 - 006658160 _____ C:\Users\ELITE\Downloads\psiphon3(1).exe.orig
        2020-01-20 14:24 - 2020-01-24 11:58 - 000000000 ____D C:\Users\ELITE\AppData\Roaming\Psiphon3

    Close Notepad.
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
    IMPORTANT: Save all of your work, as the next step may reboot your computer.
    Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
    NOTE: If the tool warns you about an outdated version, please download and run the updated version.
    Also, let me know how the machine is running now, and what remaining issues you've noticed.
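The loadpoints the helpers list in the two fixlists above share a few traits that can be checked mechanically when reading an FRST log: an executable started from the user's Temp folder, another from a GUID-named folder under AppData\Local, a .vbs dropped into the Windows directory, and a Run value that FRST itself tagged with "<==== ATTENTION". The following Python is an added example, not code from the posts, from Emsisoft or from FRST. It parses FRST-style "Run:" lines and flags entries with those traits. The sample log lines are constructed for this example and modeled on the lines quoted above; the SID, the benign Windows and OneDrive entries and the value name "update" are made up. It is a reading aid for triaging a log, not a substitute for the per-machine fixlist a helper writes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modeled on the FRST "Run:" lines quoted in the posts above.
# SID, value names and the benign entries are invented; the Temp and GUID-folder
# paths mirror the ones the helpers listed for removal.
SAMPLE_FRST_LINES = r"""
==================== Registry (Whitelisted) ====================
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [1234567 2019-03-19] (Microsoft Windows -> Microsoft Corporation)
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Run: [OneDrive] => C:\Users\ELITE\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2345678 2019-11-05] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Run: [5a712307fa1e2cbcc5e79fcd80d9f09d] => "C:\Users\ELITE\AppData\Local\Temp\systm.exe" .. <==== ATTENTION
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Run: [update] => "C:\Users\ELITE\AppData\Local\23a01ab6-aae4-44e5-8f6b-35b0928eb242\EC67.tmp.exe" --AutoStart
HKLM\...\Run: [Logon] => C:\Windows\windows.vbs [2048 2020-01-20] ()
"""

# One FRST Run: line -> hive, value name, and the first program-like path after "=>".
RUN_LINE = re.compile(
    r'^(?P<hive>HK\w+)\\.*?\\Run: \[(?P<name>[^\]]*)\] => '
    r'"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|vbs|bat|cmd|ps1))"?',
    re.IGNORECASE,
)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
GUID_DIR = re.compile(
    r'\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\', re.IGNORECASE
)
SCRIPT_EXT = re.compile(r'\.(?:vbs|bat|cmd|ps1)$', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)   # empty => nothing flagged


def parse_run_lines(frst_text: str) -> list:
    """Parse every Run: line in an FRST log and attach the triage reasons that apply."""
    entries = []
    for line in frst_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        e = RunEntry(m["hive"], m["name"], m["path"])
        if USER_TEMP.search(e.path):
            e.reasons.append("runs from a per-user Temp directory")
        if GUID_DIR.search(e.path):
            e.reasons.append("runs from a GUID-named folder under AppData\\Local")
        if SCRIPT_EXT.search(e.path):
            e.reasons.append("loadpoint is a script rather than a program")
        if "<==== ATTENTION" in line:
            e.reasons.append("already flagged by FRST")
        entries.append(e)
    return entries


def suspicious_loadpoints(frst_text: str) -> list:
    """Only the Run: entries with at least one triage reason, in log order."""
    return [e for e in parse_run_lines(frst_text) if e.reasons]


if __name__ == "__main__":
    for e in suspicious_loadpoints(SAMPLE_FRST_LINES):
        print(f"{e.hive} [{e.name}] {e.path}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, the two Microsoft entries pass and the Temp executable, the GUID-folder executable and the Windows-directory .vbs are reported with their reasons; the Temp entry carries two, because FRST had already marked it. The path regex stops at the first program-like extension, so trailing size/date brackets and command-line switches are ignored.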
  12. 1 point
    @Vicky I replied to your support thread just a bit ago. See my instructions in my reply to your post in that thread.
  13. 1 point
    Done. Do I need to delete, or move to Quarantine?
  14. 1 point
    Here's the message in the drop-down files over there. @Amigo-A I am surprised you know Bulgarian so clearly; I never knew people from my country were in this forum. But here are some airbrushes for Photoshop and other smaller things to demonstrate the problem. Added a zip archive, a small exe file from a driver for my laptop and a log file for a Virtual Airline software. I am not able to upload anything else; most of my data is EXEs and MP4s on that hard drive, and all of them are too big to upload here.
    _readme.txt 20_Architect_PS_Brushes_abr_vol_5.zip.topi tfdi_installer.log.topi BrightnessFix.exe.topi
  15. 1 point
    If the topic is in the "Help, my files are encrypted!" or the "Help, my PC is infected!" sections of the forums, then only authorized helpers can view or download file attachments in those sections (with the exception of images/pictures).
  16. 1 point
    Can you help me restore my data, infected by Djvu ransomware, kodc?
  17. 1 point
    Unfortunately there's nothing we can do with newer variants of STOP/Djvu that have an online ID. Since newer variants use RSA keys, they're impervious to known attacks, and the keys are too complex to brute force (even the most powerful super computer would take thousands of years to do it).

    That's an online ID as well. If your ID is an offline ID, then once we're able to find the private key for this variant (which we may have already), then our decrypter should be able to decrypt your files.

    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

    If you want to open a new topic to have your computer checked for remnants of the ransomware, then please feel free to do so. We'll need logs from FRST to look at in order to write a script, and this script will tell FRST what to delete. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  18. 1 point
    Only authorized helpers can download and view the logs. They are in plain text format, and can't spread infections.
  19. 1 point
    I would recommend the anti-virus protection that is developed in your country; it will take into account virus and hacker threats that are aimed at objects of national infrastructure, and much more. On these pages you can download comprehensive anti-virus protection free of charge for 30 days, which can eliminate a virus infection and protect your PC from many threats. At the end of the trial, you can download another antivirus product and use it for 30 days as well. The previous one will need to be deleted so that there is no conflict.
    https://norton.com/downloads?inid=nortoncom_nav_downloads_products-services:home
    https://www.kaspersky.com/internet-security
    https://www.avast.com/internet-security
    https://www.avira.com/en/downloads
    https://www.bitdefender.com/solutions/internet-security.html
    https://www.mcafee.com/consumer/en-gb/store/m0/catalog/mtp_521/mcafee-total-protection-trial.html
    https://www.eset.com/int/home/free-trial/
    also https://www.emsisoft.com/en/home/antimalware/#anti-ransomware
  20. 1 point
    If the malware is active, then it can encrypt files offline. To do this, it uses the built-in encryption key. Free scanners cannot provide security. If you want, you can install any comprehensive anti-virus product (free for 30 days). During this time, you can eliminate the malicious activity and evaluate the protection provided.
  21. 1 point
    According to the logs, Windows Defender tried to remove the malware, but something got through anyway. You need to wait for a specialist to give you a script to remove the malware. Otherwise, the encryption may be re-run. --- But for now, you can do the following: Uninstall all scanners: SpyHunter, AdwCleaner, Avira, WinDefender. Then download the EEK tool and check the system disk with it. http://dl.emsisoft.com/EmsisoftEmergencyKit.exe Save the scan result and attach it to the message. You can also take a screenshot of the detections.
  22. 1 point
    Farbar Recovery Scan Tool is quite safe. It generates reports for specialists. I can view them, but if a script is needed to deactivate and remove the malware, it is better to get it from the specialists on the support team.
  23. 1 point
    For all: the instructions are general for everyone. Reports need to be attached to your new post. Kevin Zoll or GT500 will look at the reports and say what to do.
  24. 1 point
    Hello @mado, with t1 it is an offline ID. But so that you can decrypt your files, the developers need to add support for the variant with the .kodc extension to the Emsisoft Decryptor. Since this is the latest version of STOP Ransomware, there is no data yet that can be added for decryption. You need to wait until this is done. First you need to scan the PC to deactivate the malware and eliminate re-encryption processes. We saw active malware processes on the PCs of other affected users that encrypted new files in real time after the encryption was already done. This is much worse than the first time, because the new encryption may begin to use the online key.
  25. 1 point
    0198nTsddv06YHbhNNHIA4FoWgk8Exu5sTjk6CwEDVSQZ35t1, that is my ID. I got the kodc extension ransomware virus. Is it an offline key? In case yes, I ran the Emsisoft decryptor and it did not work. Please, is there any solution?
  26. 1 point
    ID Ransomware is very accurate on determining between Maoloa vs .GlobeImposter 2.0 in most cases; they both have very unique ways of representing the victim's ID in the ransom note and in the encrypted file. In several cases, however, victims have been uploading an encrypted file from GlobeImposter 2.0 with a ransom note from Maoloa, or vice versa; this means they were hit by both. This can confuse the results, and there's not much I can do about that. Doesn't matter. Many ransomware (especially Maoloa and GlobeImposter 2.0) use dozens upon dozens of extensions; they are sold as a kit for criminals to distribute on their own, so they can specify whatever extension they want (among other things like the ransom note). If you give us the URL after submitting the files to ID Ransomware, it gives us a hash we can use to lookup your files on the backend and confirm.
  27. 1 point
    @ferko85 What day did the encryption happen?
  28. 1 point
    It's possible that the Windows Security Center doesn't delete those registry entries. I know there are some entries created by Windows that don't get deleted when you uninstall software, however I don't have a list of all of them, so someone from Microsoft might have to explain the functionality there.
  29. 1 point
    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  30. 1 point
    It's not necessary to reinstall Windows, as most Anti-Virus software will remove the STOP/Djvu ransomware, including our free (for home/non-commercial use) Emsisoft Emergency Kit. Granted you can reinstall if you'd like to. I recommend making a backup of your encrypted files first, so that you can keep them somewhere safe in case they can be decrypted at some point in the future.
  31. 1 point
    It's not possible to know for certain what caused it without a memory dump. It may be safe to assume that the issue more than likely originated in another driver, which caused a fault in tcpip.sys and thus a BSoD, however there's no way to say for certain. I would believe the assumption that Anti-Virus causes such BSoD's is based on the fact that most of them use some sort of network filter driver, however Anti-Virus is not the only software that loads drivers related to networking, and it could be an issue with any such software. Keep in mind that tcpip.sys is a vital part of the Windows Operating System, and has been for a long time. If a build of Emsisoft Anti-Malware had such a serious compatibility issue, it would never pass through QA.
  32. 1 point
    End of support for Windows 7 should have no effect on whether or not your files can be decrypted. You could make a backup of your encrypted files and upgrade to a Windows 10 computer, and if a method for decrypting your files were to be released then it should still work.
  33. 1 point
    It depends completely on how this script is executed; in a "normal" malware scenario it will be dropped or downloaded, which will lead it to be blocked.
  34. 1 point
    @Jana519 We have published version 1.0.0.2 of the STOPdjvu decrypter that resolves the issue of it not running. You can download the new decrypter from https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu
  35. 1 point
    Unfortunately I can't access that topic. I have checked the files and I suspect the issue is with the powershell script (mal.ps1). A script like that one is usually the result of being dropped by other malware or ending up on the system using exploit code, which will be blocked. To simulate that correctly in a test you would need to find out what malware dropped this script and run that instead.
  36. 1 point
    Try uninstalling once more, restart, and then use the "Emsiclean" tool to completely remove all remnants of EAM. After the restart, install EAM again. That may help. You can find the Emsiclean tool on the Emsisoft site. I don't have the address at the moment, but I'll gladly look it up and post it here.
  37. 1 point
    Botnets and exploits are detectable by the Behavior Blocker. Network protection, assuming you mean threats originating from outside the PC, are handled by Windows Firewall and EAM keeps unknown applications from modifying Windows Firewall settings.
  38. 1 point
    EAM, HMPA and Heimdal are overkill, plus I believe HMPA is still a bit buggy. If I were to use something alongside EAM it would be OSArmour or Malwarebytes Anti-Exploit.
  39. 1 point
    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  40. 1 point
    OK. If anything changes, then let us know.
  41. 1 point
    Tesorion does not abandon the decryption it started. They move on. https://www.tesorion.nl/nemty-2-2-and-2-3-analysis-of-their-cryptography-and-a-decryptor-for-some-file-types/ I hope that they will handle version 2.4 soon too.
  42. 1 point
    This month's update gets you a series of little changes that make Emsisoft products and services more convenient to use and more secure. The post New in 2020.1: Improved usability & Google Authenticator support appeared first on Emsisoft | Security Blog.
  43. 1 point
    Hello, likewise, thank you. Claude
  44. 1 point
    I know it's not quite the same thing, but there is an "Add file" button in the quarantine that you can use to delete pretty much any file (files that are in use may require a reboot). Anyway, I'll go ahead and pass on your suggestions.
  45. 1 point
    This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  46. 1 point
    These are both newer variants of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  47. 1 point
    Yeah, anyone who doesn't keep a low profile while doing stuff like that tends to draw unwanted attention to themselves. Sadly that does kind of make collaboration more difficult, and forces malware analysts to stick to private communication with others they already know in the industry, or into using anonymous means of communicating publicly.
  48. 1 point
    @Najeeb Ur Rehman, Thank you for contacting Emsisoft Support. If your files were encrypted using an online encryption key, then it is not possible to decrypt the files without paying the ransom, which is not something we recommend you do.
  49. 1 point
    Emsisoft Anti-Malware earns VB100 in December 2019 tests by certification body Virus Bulletin. The post Emsisoft earns VB100 in December 2019 tests appeared first on Emsisoft | Security Blog.
  50. 0 points
    You have created a new topic, it is better to stick to it so that help is individual.