GT500

No, newer variants with online ID's will remain undecryptable until the private keys kept by the criminals are made public.

Yes, that should be an offline ID. Make a backup of your files, and try running the decrypter once every week or two to see if we've been able to add the private key for this variant to our database. Once it's added to the database, the decrypter should be able to decrypt your files.

It may be a newer version of ChernoLocker that our decrypter doesn't support yet. I'll ask our malware analysts to be certain.

Maoloa, however I suspect that may be a false positive.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

OK, thanks for letting us know. Core parking shouldn't be an issue on modern editions of Windows, at least as long as you have a high performance power plan selected, however if you want to verify this then the tool at the following link should help: https://coderbag.com/product/quickcpu You may also be able to find more information and settings in the advanced CPU tweaking utilities available directly from Intel and AMD. https://downloadcenter.intel.com/download/24075/Intel-Extreme-Tuning-Utility-Intel-XTU https://www.amd.com/en/technologies/ryzen-master

That's an online ID.

It looks like there may be 2 ransomwares using this extension right now, and GlobeImposter 2.0 does appear to be one of them. Do the encrypted files all have names that end in .[[email protected]].bajonx?

This is an online ID. Your ransom note contains an online ID.

Out of curiosity, how much CPU usage does Task Manager attribute to each of the following processes (In Windows 10 check the Details tab in Task Manager): a2guard.exe a2start.exe a2service.exe

Here's how to send us debug logs: Open Emsisoft Anti-Malware. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle). Click Advanced in the menu at the top. Scroll to the bottom of the Advanced section, and change the option for Debug logging to Enabled for 1 day. After that, close the Emsisoft Anti-Malware window. Reproduce the issue you are having (do something that causes the 100% CPU usage). Once you have reproduced the issue, open Emsisoft Anti-Malware again. Click on the little icon in the lower-left (right above the question mark) that looks like little chat bubbles. Click on the button that says Send an email. Select the logs on the right that show today's dates (if you try to send too many logs, then we may not receive them). Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message). If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time). Click on Send now at the bottom once you are ready to send the logs. Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Offline public keys are embedded into the ransomware itself for use in encryption. Offline private keys can be found in decrypters sent by the criminals to those with offline ID's who have paid the ransom. The decrypters are only available to us when the victims with offline ID's who have paid the ransom send them to us. Once we have an offline private key, we add it to our database so that our decrypter can use it.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

First and foremost, always make sure you have the latest security updates for everything (especially Windows and your web browsers). Also, if you have plugins/extension installed for your web browsers that you don't use or don't really need, then uninstall them. Especially Adobe Flash, Java, and Adobe Acrobat Reader as those are probably the three most exploited plugins in existence. Note that if you need to keep Java, but don't need the plugin for your web browser, you can configure Java settings to disable Java in your web browsers. Use a paid Anti-Virus software. Most of them have free trials, so feel free to find one you like. We offer a 30-day free trial of Emsisoft Anti-Malware if you'd like to try it. Don't download anything from sources you don't know you can trust. STOP/Djvu usually comes from pirated software and fake movie and music downloads, however there are other threats that come from many different sources (fake/malicious e-mails, ads in websites, shady download sites, compromised websites, etc). Always use an ad blocker in your web browser. We usually recommend uBlock Origin since it tends to be more efficient. Note that it only officially supports Firefox, Google Chrome, and Opera (although there is a third-party port for Microsoft Edge and the Google Chrome version works in Vivaldi). Make regular backups of all files, however keep in mind that if the computer has access to the backups then so does the ransomware. For that reason, I always recommend saving backups on some sort of removable media (USB flash drives, USB hard drives, tape drives, etc) so that you can leave the backups disconnected when not in use. Note that most companies that have a backup policy that involves using removable media also use multiple drives, that way they can use a different drive for their backups every day (at least for a few days until they start over again with the first drive). Also note that many consider cloud storage to be a good alternative as well, however there have been cases where criminals have compromised systems to manually infect them with ransomware, and have logged in to the cloud backup system and manually deleted all backups, so this method isn't necessarily the safest either. You can find more security tips at the following links: 7 steps you can take this weekend to protect your data and boost your privacy How to protect your company’s backups from ransomware Protection Guides

That's a newer variant, so unfortunately we'd need to know your private key to be able to decrypt your files, and the criminals keep the private keys in a database that no one else has access to (so there's no way we could get it).

That's a driver, so the most likely culprits would either be an infection or your Anti-Virus software. If you download the following ZIP archive, are you able to extract it? It's the exact same thing, just in a ZIP archive instead of a self-extracting RAR archive. https://dl.emsisoft.com/EmsisoftEmergencyKit.zip

It's possible that the Windows Security Center doesn't delete those registry entries. I know there are some entries created by Windows that don't get deleted when you uninstall software, however I don't have a list of all of them, so someone from Microsoft might have to explain the functionality there.

This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

It's not necessary to reinstall Windows, as most Anti-Virus software will remove the STOP/Djvu ransomware, including our free (for home/non-commercial use) Emsisoft Emergency Kit. Granted you can reinstall if you'd like to. I recommend making a backup of your encrypted files first, so that you can keep them somewhere safe in case they can be decrypted at some point in the future.

You don't need to reformat your computer's hard drive. Most Anti-Virus software will remove the STOP/Djvu ransomware, including our free (for home/non-commercial use) Emsisoft Emergency Kit. Of course, removing the ransomware doesn't decrypt your files. Assuming your encrypted files have an online ID, there's nothing we can do to help with decryption since .domn is one of the newer variants that uses RSA keys.

There's more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

You're welcome.

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

@Sturm have you tried adding an exclusion for il-2.exe to see if that has any effect on the issue? I keep my entire Steam folder excluded, as there are some games that don't respond well to the hooks Emsisoft Anti-Malware opens (Garry's Mode for instance). If you'd like to try it, then here's how: Open Emsisoft Anti-Malware. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle). Click on Exclusions in the menu at the top. The exclusions section contains two lists (Exclude from scanning and Exclude from monitoring). Look for the box right under where it says Exclude from scanning. Click on the Add File button right below the Exclude from scanning box. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK. Scroll down to the box under Exclude from monitoring and click the Add File button right below that box. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK. Close Emsisoft Anti-Malware. Note: If a program you have excluded is running, then you will need to close it and reopen it for the exclusion to take effect. In some cases you will need to restart your computer before this will happen.

Full/complete memory dumps are always preferred when dealing with a BSoD. Sometimes minidumps are OK, however there are plenty of times where they don't contain enough information to be certain about what happened. Correct. When you do have a memory dump for us, I recommend encrypting it when you ZIP it (or RAR or 7z if you prefer), and send me the password in a private message. It will, after all, contain everything that was in memory when the computer crashed.