Kevin Zoll

Emsisoft Employee
  • Content count

    17417
  • Joined

  • Last visited

  • Days Won

    141

Kevin Zoll last won the day on February 10

Kevin Zoll had the most liked content!

Community Reputation

266 Excellent

5 Followers

About Kevin Zoll

  • Rank
    Malware Removal Support
  • Birthday 04. Dec 1960

Contact Methods

  • Website URL
    http://www.malwareteks.com/

Profile Information

  • Gender
    Male
  • Location
    Depauville, NY, USA
  • Interests
    Computer Security, Malware Research, Malware Removal, Computer Programming, Website Design

System Information

  • Operating System
    Windows 10
  • Firewall or HIPS Software
    Windows Firewall
  • Other Security Software
    WinPatrol Plus

Recent Profile Visitors

156028 profile views
  1. Hello, Often cleaning up the infection prior to decrypting is a mistake. Some ransomware variants relay information stored on the drive and in the registry for reliable decryption. I would like to get a couple of logs to see if there may be something blocking decryption. For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop. For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. Double-click to run it. When the tool opens click Yes to the disclaimer. Press Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  2. Your logs look pretty good with the exception of a few minor issues. Do the following: Download AdwCleaner and save it on your desktop. Close all open programs and Internet browsers (you may want to print our or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer. Download Junkware Removal Tool and save it on your desktop. Run the tool by double-clicking it. The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log is saved to your desktop and will automatically open. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKU\S-1-5-21-1571174415-2491470523-252373691-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1 ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Geen bestand HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restrictie <======= AANDACHT HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = Task: {3C510CAD-A936-430B-8C36-F96AAAA948FD} - System32\Tasks\{70FE6F44-17EA-4808-BD71-55BB7F311FCA} => pcalua.exe -a J:\Autorun.exe -d J:\ Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.
  3. Changing tools: Download RogueKiller from one of the following links and save it to your desktop: Link 1 Link 2 Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool (Vista/7/8/10 users: Right-click and select Run As Administrator). Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything! Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex) The highest number of [X], is the most recent Scan
  4. RK should produce a TXT report that is saved to the Windows Desktop. If it did not then something went wrong. Please run it again.
  5. Unless you are having problems, it is time to do the final steps. Now to remove most of the tools that we have used in fixing your machine: Download Delfix from here and save it to your desktop. Ensure Remove disinfection tools is checked. Also place a checkmark next to: Create registry backup Purge system restore Click the Run button. When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad. Empty the Recycle Bin Download to your Desktop: - CCleaner Portable UnZip CCleaner Portable to a folder on your Desktop named CCleaner Run CCleaner Open the CCleaner Folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit) Click "Options" and choose "Advanced" Uncheck "Only delete files in Windows Temp folders older than 24 hours" Then go back to "Cleaner" and click the "RunCleaner" button. Exit CCleaner. You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. To Remove EEK simple delte the EEK for in the of your System Srive, normally C:\EEK Run Windows Update and update your Windows Operating System. Articles to Read: How to Protect Your Computer From Malware How to keep you and your Windows PC happy Web, email, chat, password and kids safety 10 Sources of Malware Infections That should take care of everything. Safe Surfing!
  6. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. HKLM-x32\...\Winlogon: [Userinit] userinit.exe,,c:\program files (x86)\microsoft\desktoplayer.exe HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 2017-03-18 23:32 - 2017-03-18 23:32 - 00002932 _____ C:\Windows\System32\Tasks\{E7A9CD2E-5F47-4387-ACAF-B2176D41EAFE} 2017-03-18 23:14 - 2017-03-18 23:14 - 00002932 _____ C:\Windows\System32\Tasks\{D97B9E20-CC66-4388-A7B2-CB74241DC3B1} 2017-03-18 23:13 - 2017-03-18 23:13 - 00002932 _____ C:\Windows\System32\Tasks\{DB6F22AE-51BB-4733-8EA0-D05E5AC5A890} 2017-03-18 23:13 - 2017-03-18 23:13 - 00002932 _____ C:\Windows\System32\Tasks\{8A3AEBB3-9BC6-4C97-A040-CFBEC9EB145A} 2017-03-18 23:13 - 2017-03-18 23:13 - 00002932 _____ C:\Windows\System32\Tasks\{5CD2383A-6FED-4EFB-AC96-1BA9926F4EAC} 2017-03-18 23:13 - 2017-03-18 23:13 - 00002932 _____ C:\Windows\System32\Tasks\{44BF2A5B-1874-4B93-ACED-21A3A191D35F} 2017-03-18 23:11 - 2017-03-18 23:11 - 00002932 _____ C:\Windows\System32\Tasks\{7E42AB03-CA36-4049-B4E8-C8FC2E1D55B7} 2017-03-18 23:04 - 2017-03-18 23:04 - 00002932 _____ C:\Windows\System32\Tasks\{BD4B8FE2-3566-4579-9420-FEB386120F05} 2017-03-18 23:04 - 2017-03-18 23:04 - 00002932 _____ C:\Windows\System32\Tasks\{ADBFB934-6D29-4D6F-A702-7ACCC67E17BE} 2017-03-18 23:04 - 2017-03-18 23:04 - 00002932 _____ C:\Windows\System32\Tasks\{147B2BC0-848D-4330-BD91-BF990A30DF30} 2017-03-18 15:47 - 2017-03-20 17:45 - 0000310 _____ () C:\Program Files (x86)\metadata 2017-03-18 15:47 - 2017-03-21 17:41 - 0000040 _____ () C:\Program Files (x86)\settings.dat 2017-03-20 14:28 - 2017-03-20 14:28 - 0007605 _____ () C:\Users\Grace\AppData\Local\Resmon.ResmonCfg 2017-03-11 00:52 - 2017-03-11 00:52 - 0237736 _____ (Enigma Software Group USA, LLC.) C:\Users\Grace\AppData\Local\Temp\esg_cleanup.exe 2017-03-16 15:12 - 2017-03-16 15:12 - 0000000 _____ () C:\Users\Grace\AppData\Local\Temp\vlc-2.2.4-win32.exe Task: {261AA4CD-31E2-4984-AFBC-CC35B1D272EA} - \Gherotyreiferdom Engine -> No File <==== ATTENTION C:\Program Files (x86)\Common Files\Microsoft Shared\Help\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\Smart Tag\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\Services\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\System\ado\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\System\en-US\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\System\msadc\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Common Files\System\Ole DB\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\Internet Explorer\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\MSBuild\0_HELP_DECRYPT_FILES.html C:\Program Files (x86)\WinRAR\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\Microsoft Shared\Stationery\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\Services\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\System\ado\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\System\en-US\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\System\msadc\0_HELP_DECRYPT_FILES.html C:\Program Files\Common Files\System\Ole DB\0_HELP_DECRYPT_FILES.html C:\Program Files\Internet Explorer\0_HELP_DECRYPT_FILES.html C:\Program Files\NVIDIA Corporation\0_HELP_DECRYPT_FILES.html C:\ProgramData\Logic Handler\0_HELP_DECRYPT_FILES.html C:\ProgramData\Microsoft Help\0_HELP_DECRYPT_FILES.html C:\ProgramData\Microsoft\eHome\0_HELP_DECRYPT_FILES.html C:\ProgramData\Microsoft\IlsCache\0_HELP_DECRYPT_FILES.html C:\ProgramData\Microsoft\OFFICE\0_HELP_DECRYPT_FILES.html C:\ProgramData\Microsoft\User Account Pictures\0_HELP_DECRYPT_FILES.html C:\ProgramData\NVIDIA Corporation\GeForce Experience\0_HELP_DECRYPT_FILES.html C:\ProgramData\NVIDIA Corporation\NetService\0_HELP_DECRYPT_FILES.html C:\ProgramData\NVIDIA\0_HELP_DECRYPT_FILES.html C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\0_HELP_DECRYPT_FILES.html C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\0_HELP_DECRYPT_FILES.html C:\ProgramData\SecuROM\DFA\0_HELP_DECRYPT_FILES.html C:\ProgramData\Wondershare Video Editor\Resources\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\Adobe\Color\Profiles\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\CallofDuty4MW\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\CallofDuty4MW\players\profiles\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\CallofDuty4MW\updates\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017021810.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017021819.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017021912.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017022317.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017022617.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017022619.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017022708.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017022708.001\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030217.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030418.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030610.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030616.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030616.001\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030712.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030818.000\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\ElevatedDiagnostics\460911090\2017030818.001\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\PunkBuster\COD4\pb\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Local\Wondershare\WSHelper\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Microsoft\Clip Organizer\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Microsoft\OIS\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Microsoft\PowerPoint\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Microsoft\Templates\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Microsoft\UProof\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\Profiles\Kerhale.default\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\SecuROM\UserData\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\vlc\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\WinRAR\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\WinSAPSvc\0_HELP_DECRYPT_FILES.html C:\Users\Grace\AppData\Roaming\WinSAPSvc\winsap_update\0_HELP_DECRYPT_FILES.html C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\0_HELP_DECRYPT_FILES.html Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version please download and run the updated version.
  7. I have moved this to the appropriate forum.
  8. In order for the encryption tool to work, you need an original copy of a file and its encrypted counterpart. Most people have a copy of at least one original, unaltered file, somewhere. An email attachment or stored on a USB thumb drive.
  9. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
  10. The file I need has a TXT file extension and not JSON.
  11. Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
  12. Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
  13. If you still have fixlist.txt the FRST did not load it and run it. Make sure that both FRST64.exe and fixlist.txt are in the same folder with each other. They are both supposed to be on the Windows Desktop.
  14. Changing tools. Download RogueKiller from one of the following links and save it to your desktop: Link 1 Link 2 Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool (Vista/7/8/10 users: Right-click and select Run As Administrator). Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything! Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex) The highest number of [X], is the most recent Scan
  15. I am going to have you run two tools that target adware and junkware in general. Download AdwCleaner and save it on your desktop. Close all open programs and Internet browsers (you may want to print our or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer. Download Junkware Removal Tool and save it on your desktop. Run the tool by double-clicking it. The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log is saved to your desktop and will automatically open. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.