GT500

Emsisoft Employee
Everything posted by GT500

  1. The error message you posted from the decrypter says it's an old variant. I'll have to ask about that, and see why it's detecting it as an older variant. Obviously if it's a newer variant, you won't be able to decrypt files if you have an online ID.
  2. Was the decrypter unable to decrypt your files? We may not have the private key for the .kodc offline ID.
  3. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ The private keys for this ransomware are out of our reach for the moment. That being said, there's always a possibility that they may be publicly released at some point in the future, especially if law enforcement is able to bring the criminals behind the ransomware to justice.
  4. Try the following: Hold down the Windows logo key on your keyboard, and tap R to open the Run dialog. Type (or copy and paste) %LocalAppData% into the field, and click OK. Look for a folder with a long name that seems like it's made up of completely random numbers and letters separated by dashes. Rename this folder, and then restart your computer. If the ransomware stops encrypting everything, then you got the right folder. If it doesn't, then you may need to go back and try again. Below is an example of what the folder may look like. In this example there are two folders, and I would believe one had the Azorult password stealing trojan in it (STOP/Djvu will download and run this trojan in order to steal your passwords), and the other folder had the ransomware in it. It also shows a malicious PowerShell script, which I would believe is what was used to download Azorult.
  5. @MrSalazar Please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2020-01January-24/MrSalazar/fixlist.txt NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop, or wherever the FRST64 file is. Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
  6. The encrypted files you attached are all fairly small. Did you try it on any larger files (for instance something a few megabytes in size)?
  7. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. Have you uploaded file pairs via our submission form? There's an explanation at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. Have you uploaded file pairs via our submission form? There's an explanation at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. At first glance your computer appears to be clean. I do recommend removing any pirated software though, as that's where STOP/Djvu infections come from.
  11. If the topic is in the "Help, my files are encrypted!" or the "Help, my PC is infected!" sections of the forums, then only authorized helpers can view or download file attachments in those sections (with the exception of images/pictures).
  12. Yes, that should be an offline ID. If the decrypter isn't able to decrypt your files right now, then try running it once every week or two to see when we've added the private key for this variant of STOP/Djvu.
  13. Unfortunately there's nothing we can do with newer variants of STOP/Djvu that have an online ID. Since newer variants use RSA keys, they're impervious to known attacks, and the keys are too complex to brute force (even the most powerful super computer would take thousands of years to do it). That's an online ID as well. If your ID is an offline ID, then once we're able to find the private key for this variant (which we may have already), then our decrypter should be able to decrypt your files. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ If you want to open a new topic to have your computer checked for remnants of the ransomware, then please feel free to do so. We'll need logs from FRST to look at in order to write a script, and this script will tell FRST what to delete. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  14. Only authorized helpers can download and view the logs. They are in plain text format, and can't spread infections.
  15. This is a newer variant of STOP/Djvu. Since you have an offline ID, once we can find the decryption key for this variant and add it to our database you should be able to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. In the end that's up to you and how vital it is that you have your data back quickly, however we would always recommend waiting at least to find out if it's decryptable, especially in the case of a ransomware like this where there's an existing decrypter for older variants.
  17. I agree, that does look normal. I've passed your new logs on to QA as well.
  18. "Is my key an online key? Who can help me?" That's an online ID.
  19. This registry export (.reg file) on Github should enable it for you: https://gist.githubusercontent.com/tkarpinski/1566071/raw/077c1927d5289e7c232ff54887ada17c927c565c/EnableLinkedConnections.reg I assume you'll need to restart your computer after importing it into your registry, however I haven't tested this. If anyone wants an explanation of why this is necessary, then you can find one at the following link: https://serverfault.com/a/185885
  20. FRST doesn't tell you if your computer is clean. It just saves logs that an expert can analyze, and then the expert will tell you if your computer is clean or write a script to remove any further threats.
  21. The e-mail address has been used by the Dharma/Cezar ransomware, however sometimes more than one ransomware will use the same e-mail address. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can confirm whether or not this is Dharma: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  22. You keep debug logging on all the time, correct? So the logs contain information about the updates that aren't being reflected by EAM's status on the overview screen? Also, if you double-click on an entry in the forensics log for an update, does it say the update was successful, and does it show any files were downloaded? I've passed the logs on to QA, so if they need anything else I'll let you know.
  23. It is a newer variant of ChernoLocker. Would it be possible to attach the logs from GridinSoft Anti-Malware to a reply? We need a copy of the ransomware that was removed from your computer, and I was told that GridinSoft Anti-Malware's logs will contain hashes that will allow us to find it. Once we get a copy of the ransomware, we should be able to update our decrypter.
  24. No, newer variants with online IDs will remain undecryptable until the private keys kept by the criminals are made public.
  25. Yes, that should be an offline ID. Make a backup of your files, and try running the decrypter once every week or two to see if we've been able to add the private key for this variant to our database. Once it's added to the database, the decrypter should be able to decrypt your files.