Kevin Zoll

Emsisoft Employee
  • Content count

  • Joined

  • Last visited

  • Days Won


Kevin Zoll last won the day on January 14

Kevin Zoll had the most liked content!

Community Reputation

248 Excellent


About Kevin Zoll

  • Rank
    Malware Removal Support
  • Birthday 04. Dec 1960

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location
    Depauville, NY, USA
  • Interests
    Computer Security, Malware Research, Malware Removal, Computer Programming, Website Design

System Information

  • Operating System
    Windows 10
  • Firewall or HIPS Software
    Windows Firewall
  • Other Security Software
    WinPatrol Plus

Recent Profile Visitors

154597 profile views
  1. Hello, How long ago did this occur? This particular Ransomware family was short lived and the command and control servers are no longer online. Karma encrypted files cannot be decrypted.
  2. I have forwarded that information to our decryption tool developer. Hopefully, he will have a solution in a day or two.
  3. Run a scan with EAM, for that profile and send me the scan report.
  4. Thanks, Forwarded the sample to our analysts.
  5. Hello, If you have the private encryption key, then you should not need another key to decrypt the files, as long as you were sent the decryption tool.
  6. Hello, If you have the malware executable that would be helpful. Please zip the file and attach it to your reply.
  7. Hello Hiramaky, Welcome to the Emsisoft Support Forums. My name is Kevin, and I will be helping you with fixing your problems. All users of the Emsisoft Support Forums who are in need of Malware Removal assistance are required to complete the procedures listed below: NOTE: You will want to print these instructions for reference, as you will perform all scans with all browsers closed. The majority of our support staff work Monday-Friday. We try very hard to answer all posts within 24-hours of the posting, but be aware that if you post anytime in the late afternoon or evening on Friday, or anytime on Saturday or Sunday, you will not receive an answer until Monday. Also, be aware that our support technicians may not be in the same time zone as you, therefore there could be several hours difference between when you post and the technician working your support case is available. Take note of some guidelines for this support request: Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix. If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken. Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean." We do not want to clean you part-way, only to have the system re-infect itself. Do not start a new topic. The logs that you post should be attached to the reply. Set your system to show all files. Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Download to your Desktop: - Emsisoft Emergency Kit - Farbar Recovery Scan Tool NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. NOTE: If you are unable to download the tools from the infected system, the tools can be saved to and run from a USB flash drive. All scans are to be run in Normal Mode. Do not run anything in "Safe Mode", unless you are instructed to do so by the Malware Removal Specialist handling your case. Do not force Safe Mode. Instructions on How to Boot to "Safe Mode" can be found at: http://www.malwarete...kb/SafeMode.php Let's get started: Install and Run Emsisoft Emergency Kit (EEK): Double click EmergencyKitScanner.exe to install EEK When the installation of EEK is complete the Emergency Kit scanner will run. NOTE: Make sure to enable PUPs detection. Click "Yes" to Update Emsisoft Emergency Kit Under "Scan" click-on "Malware Scan". IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted. Save the scan log somewhere that you can find it. Exit Emsisoft Emergency Kit. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to disclaimer. Press Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt Create a new topic in our Help, my PC is infected! forum and attach the following logs to your post: Emsisoft Emergency Kit log (C:\EEK\Reports\) FRST.txt Addition.txt (NOTE: if you need to attach the logs to a reply to an existing topic, then you will need to use the More Reply Options button to the lower-right of where you type in your reply in order to see the controls for attaching files) The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
  8. Only one way to make sure it has been removed. From the User account ANITA: Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Reg: reg delete "HKEY_USERS\S-1-5-21-2691987798-3832064240-2107043441-1002_CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}" /f Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.
  9. Scott, Looks like an Explorer Tool Bar that is not necessary. Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator)[/i].)[/i].)[/i]. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished". Click the Registry Tab and select the following items:[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{042DA63B-0933-403D-9395-B49307691690} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} (C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll) -> Found Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex) The highest number of [X], is the most recent Delete log.
  10. Hello Felix, Unfortunately, it is not possible to decrypt files that have been encrypted by CryptoWall.
  11. @felix Do not piggyback another support request in this part of the support forums. Even if they appear to be this same issue. Any files that are encrypted with Dharma Ransomware (a new variant of CrySiS) will have an .[<email>].dharma, .[<email>].wallet or .<email>.zzzzz extension appended to the end of the encrypted data filename and leave ransom notes named README.txt, README.jpg as explained here. Unfortunately, there is no known way, at this time, to decrypt files encrypted by Dharma variants without paying the ransom. Our crypto malware experts who analyze these infections suspect another cyber-criminal forked the code and generated their own keys which were not part of the leaked master decryption keys for the original CrySiS variants, see here.
  12. Can you please send me the detection report from EAM that shows exactly what was detected. Your other logs do not show what may be causing the alert.
  13. This particular infection is NMoreira 2.0. To have any chance of reversing the encryption algorithm we would need the installer responsible for installing the ransomware.
  14. I only saw a couple of encrypted files in the logs. If the decrypter cannot determine the encryption key, then the files cannot be decrypted.
  15. Thread closed.